GUESTFSD_EXT_CMD was used by OpenSUSE to track which external commands
are run by the daemon and package those commands into the appliance.
It is no longer used by recent SUSE builds, so remove it.
Thanks: Pino Toscano, Olaf Hering.
Declare most of the stringsbuf as CLEANUP_FREE_STRINGSBUF, so they are
freed completely on stack unwind: use take_stringsbuf() in return
places to take away from the stringsbuf its content, and remove all the
manual calls to free_stringslen (no more needed now).
This requires to not use free_stringslen anymore on failure in the
helper functions of stringsbuf, which now leave the content as-is (might
be still useful even on error).
This allows us to simplify the memory management of stringsbuf's, which
are not properly fully freed, fixing memory leaks in some error paths
(which were not calling free_stringslen).
GCC has two warnings related to large stack frames. We were already
using the -Wframe-larger-than warning, but this reduces the threshold
from 10000 to 5000 bytes.
However that warning only covers the static part of frames (not
alloca). So this change also enables -Wstack-usage=10000 which covers
both the static and dynamic usage (alloca and variable length arrays).
Multiple changes are made throughout the code to reduce frames to fit
within these new limits.
Note that stack allocation of large strings can be a security issue.
For example, we had code like:
size_t len = strlen (fs->windows_systemroot) + 64;
char software[len];
snprintf (software, len, "%s/system32/config/software",
fs->windows_systemroot);
where fs->windows_systemroot is guest controlled. It's not clear what
the effects might be of allowing the guest to allocate potentially
very large stack frames, but at best it allows the guest to cause
libguestfs to segfault. It turns out we are very lucky that
fs->windows_systemroot cannot be set arbitrarily large (see checks in
is_systemroot).
This commit changes those to large heap allocations instead.
Refactor the internal_feature_available to return the result for just
one group, so it is easier to know on the library side what was the
actual error, and which group refers to; drop internal_available, as no
more needed after this.
On the library side, implement in available and feature_available the
real logic to iterate through the requested group, and error out or
return whether the groups are available. This also introduces caching
for the features, so each needs to be queried just once in each
appliance run.
The result of this is that there should be much less communication with
the daemon to know about available features; the downside is that
queries for more than one group at once, not already cached, will be
cause more queries to the daemon.
Rename the current available and feature_available into internal daemon
functions, and provide non-daemon functions wrapping them at library
side. This will make it possible to e.g. add caching for them.
Should be only refactoring, no actual behaviour change.
This API is an easier to use version of the existing guestfs_available,
because the new API returns true/false instead of throwing an error
when a feature from the list is not available.
In truth we've had this implementation internally in the library
and several tools and in Sys::Guestfs::Lib for a long time. This
change just turns it into a publicly consumable API.
guestfsd calls many different tools. Keeping track of all of them is
error prone. This patch introduces a new helper macro to put the command
string into its own ELF section:
GUESTFSD_EXT_CMD(C_variable, command_name);
This syntax makes it still possible to grep for used command names.
The actual usage of the collected list could be like this:
objcopy -j .guestfsd_ext_cmds -O binary daemon/guestfsd /dev/stdout |
tr '\0' '\n' | sort -u
The resulting output will be used to tell mkinitrd which programs to
copy into the initrd.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
RWMJ:
- Move str_vgchange at request of author.
- Fix snprintf call in daemon/debug.c
Previously a lot of daemon code used three variables (a string list,
'int size' and 'int alloc') to track growable strings buffers. This
commit implements a simple struct containing the same variables, but
using size_t instead of int:
struct stringsbuf {
char **argv;
size_t size;
size_t alloc;
};
Use it like this:
DECLARE_STRINGSBUF (ret);
//...
if (add_string (&ret, str) == -1)
return NULL;
//...
if (end_stringsbuf (&ret) == -1)
return NULL;
return ret.argv;
The current groups are defined very conservatively using the
following criteria:
(a) Would be impossible to implement on Windows because of
sheer architectural differences (eg: mknod).
(b) Already optional (augeas, inotify).
(c) Not currently optional but not implemented on older RHEL and
Debian releases (ntfs-3g.probe, scrub, zerofree).
The optional groups I've defined according to these criteria are:
. augeas
. inotify
. linuxfsuuid
. linuxmodules
. linuxxattrs
. lvm2
. mknod
. ntfs3g
. scrub
. selinux
. zerofree
(Note that these choices don't prevent us from adding more
optional groups in future. On the other hand to avoid breaking
ABIs we would not wish to change the above groups).
The rest of this large commit is really just implementation:
Each optional function is classified using Optional "group"
flag in the generator.
The daemon has to implement a function
int optgroup_<name>_available (void);
for each optional group. Some of these functions are fixed at
compile time, and some do simple run-time tests.
The do_available implementation in the daemon looks up the correct
function in a table and runs it.
We document the optional groups in the guestfs(3) man page.
Also: I added a NOT_AVAILABLE macro in order to unify all the
existing places where we had a message equivalent to
"function __func__ is not available".
Start a new API allowing groups of functions to be tested for
availability.
There are two reasons for this:
(1) If libguestfs is built with missing dependencies (eg. no Augeas lib)
then the corresponding functions are disabled in the appliance. Up till
now there has been no way to test for this except to speculatively
issue commands and check for errors.
(2) When we port the daemon to Win32 it is likely that major pieces of
functionality won't be available (eg. LVM support). This API gives
a way to test for that.
There is no change for existing clients: you still have to check for
errors from individual API calls.
For new clients, you will be able to test for availability of particular
APIs.
Usage scenario (A): An LVM editing tool which requires
both the LVM API and inotify in order to function at all:
char *apis[] = { "inotify", "lvm2", NULL };
r = guestfs_available (g, apis);
if (r == -1) {
/* print an error and exit */
}
Usage scenario (B): A general purpose tool which optionally provides
configuration file editing, but this can be disabled, the result
merely being reduced functionality:
char *apis[] = { "augeas", NULL };
r = guestfs_available (g, apis);
enable_config_edit_menus = r == 0;
