May 2018 - Devel - libvirt List Archives

Re: [libvirt] [PATCH v2 0/3] adding virGetLastErrorCode/Domain to paritally replace virGetLastError
by Ramy Elkest 24 May '18

24 May '18

Patch looks good, many thanks Eric. Ramy On Wed, May 9, 2018 at 12:58 PM, Erik Skultety <eskultet(a)redhat.com> wrote: > On Sat, May 05, 2018 at 01:04:18PM +0100, ramyelkest wrote: >> Changes from v1[1]: >> >> * removed virHasLastError() and s/virHasLastError/virGetLastErrorCode/g >> * replaced in missed files: virmodule.c and virnetlibsshsession.c >> * better split of patches >> >> [1] https://www.redhat.com/archives/libvir-list/2018-May/msg00259.html >> >> ramyelkest (3): >> util: cleanup: using virGetLastErrorMessage instead of err->message >> util: added virGetLastErrorCode/Domain >> all: replacing virGetLastError with virGetLastErrorCode where we can > > I suggested some minor adjustments to your patches without the need for a v3, > so let me know if you agree and I'll merge the series. > > Erik

1 0

[libvirt] [PATCH v2] Fix indentation of virshAllocpagesPagesizeCompleter arguments.
by Roland Schulz 24 May '18

24 May '18

Signed-off-by: Roland Schulz <schullzroll(a)gmail.com> --- tools/virsh-completer.c | 4 ++-- tools/virsh-completer.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/virsh-completer.c b/tools/virsh-completer.c index cbd5326d0..1df4d55af 100644 --- a/tools/virsh-completer.c +++ b/tools/virsh-completer.c @@ -568,8 +568,8 @@ virshSnapshotNameCompleter(vshControl *ctl, char ** virshAllocpagesPagesizeCompleter(vshControl *ctl, - const vshCmd *cmd ATTRIBUTE_UNUSED, - unsigned int flags) + const vshCmd *cmd ATTRIBUTE_UNUSED, + unsigned int flags) { unsigned long long byteval = 0; xmlXPathContextPtr ctxt = NULL; diff --git a/tools/virsh-completer.h b/tools/virsh-completer.h index c7b181879..8e4d46394 100644 --- a/tools/virsh-completer.h +++ b/tools/virsh-completer.h @@ -75,7 +75,7 @@ char ** virshSnapshotNameCompleter(vshControl *ctl, unsigned int flags); char ** virshAllocpagesPagesizeCompleter(vshControl *ctl, - const vshCmd *cmd, - unsigned int flags); + const vshCmd *cmd, + unsigned int flags); #endif -- 2.17.0

2 3

[libvirt] [PATCH v7 00/12] Add support for TPM emulator
by Stefan Berger 24 May '18

24 May '18

This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage. The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined. The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though. Stefan v6->v7: - followed Jan Tomko's suggestion with resulting changing to patch 10/12. - re-added missing parts related to swtpm_setup and TPM that got lost in v4 v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12. v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 64 +- src/conf/domain_conf.h | 15 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 922 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2154 insertions(+), 11 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml -- 2.14.3

2 14

[libvirt] [PATCH] Fix indentation of virshAllocpagesPagesizeCompleter arguments.
by Roland Schulz 24 May '18

24 May '18

--- tools/virsh-completer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/virsh-completer.c b/tools/virsh-completer.c index cbd5326d0..1df4d55af 100644 --- a/tools/virsh-completer.c +++ b/tools/virsh-completer.c @@ -568,8 +568,8 @@ virshSnapshotNameCompleter(vshControl *ctl, char ** virshAllocpagesPagesizeCompleter(vshControl *ctl, - const vshCmd *cmd ATTRIBUTE_UNUSED, - unsigned int flags) + const vshCmd *cmd ATTRIBUTE_UNUSED, + unsigned int flags) { unsigned long long byteval = 0; xmlXPathContextPtr ctxt = NULL; -- 2.17.0

2 2

[libvirt] [PATCH] Add virshAllocpagesPagesizeCompleter to opts_freepages.
by Roland Schulz 24 May '18

24 May '18

Signed-off-by: Roland Schulz <schullzroll(a)gmail.com> --- For the time being virshAllocpagesPagesizeCompleter can be used with other commands that use --pagesize option. tools/virsh-host.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/virsh-host.c b/tools/virsh-host.c index dfe58de30..991c0f50a 100644 --- a/tools/virsh-host.c +++ b/tools/virsh-host.c @@ -280,6 +280,7 @@ static const vshCmdOptDef opts_freepages[] = { }, {.name = "pagesize", .type = VSH_OT_INT, + .completer = virshAllocpagesPagesizeCompleter, .help = N_("page size (in kibibytes)") }, {.name = "all", -- 2.17.0

2 1

[libvirt] [ [PATCH v3 0/8] virsh completion for event, secret-event, pool-event and nodedev-event
by Lin Ma 24 May '18

24 May '18

v2 -> v3: Most of patches in original v2 patchset were pushed, only 2 patches left, So create a new patchset for including the 2 patches and 6 new completion patches which about secret-event, pool-event and nodedev-event. (Borrowed code & idea from Michal Privoznik for these patches design) Lin Ma (8): virsh-secret: Rename vshEventCallback to vshSecretEventCallback virsh: Add event name completion to 'secret-event' command virsh: Move vshEventCallback structure definition to virsh-domain.h virsh: Add event name completion to 'event' command virsh-pool: Rename vshEventCallback to vshPoolEventCallback virsh: Add event name completion to 'pool-event' command virsh-nodedev: Rename vshEventCallback to vshNodedevEventCallback virsh: Add event name completion to 'nodedev-event' command tools/virsh-completer.c | 119 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/virsh-completer.h | 15 ++++++ tools/virsh-domain.c | 9 +--- tools/virsh-domain.h | 8 ++++ tools/virsh-nodedev.c | 19 +++----- tools/virsh-nodedev.h | 8 ++++ tools/virsh-pool.c | 19 +++----- tools/virsh-pool.h | 8 ++++ tools/virsh-secret.c | 18 +++----- tools/virsh-secret.h | 8 ++++ 10 files changed, 189 insertions(+), 42 deletions(-) -- 2.16.2

2 12

[libvirt] [PATCH 00/12] Add support for TPM emulator
by Stefan Berger 24 May '18

24 May '18

This series of patches adds support for the TPM emulator backend that is available in QEMU and based on swtpm + libtpms. It allows to attach a TPM 1.2 or 2 to a QEMU VM. sVirt labels are used for labeling the swtpm process, its Unix socket, and log file with the same label that the QEMU process gets. Besides that swtpm is added to the emulator cgroup to restrict its CPU usage. The device XML can be changed from a TPM 1.2 to a TPM 2 and back to a TPM 1.2. The device state is not removed during those changes but only when the domain is undefined. The swtpm needs persistent storage to store its state. For that I am using the uuid of the VM as part of the path since the name of the VM can be changed. Logfiles, PID files, and socket names are based on the name of the VM, though. Stefan v5->v6: - Addressed John Ferlan's comments - rebased on latest tip - Added patch 12. v4->v5: - Addressed John Ferlan's, Boris Fiuczysnki's and Marc Hartmayer's comments - rebased on latest tip v3->v4: - Addressed John Ferlan's comments - Fixed bugs I found while testing - rebased on latest tip Stefan Berger (12): conf: Add support for external swtpm TPM emulator to domain XML qemu: Extend QEMU capabilities with 'tpm-emulator' util: Implement virFileChownFiles() security: Add DAC and SELinux security for tpm-emulator qemu: Extend qemu_conf with tpm-emulator support qemu: Extend QEMU with external TPM support qemu: Add support for external swtpm TPM emulator tests: Add test cases for external swtpm TPM emulator security: Label the external swtpm with SELinux labels conf: Add support for choosing emulation of a TPM 2 qemu: Add swtpm to emulator cgroup news: Update news with new TPM emulator feature docs/formatdomain.html.in | 43 + docs/news.xml | 9 + docs/schemas/domaincommon.rng | 17 + libvirt.spec.in | 2 + src/conf/domain_audit.c | 2 + src/conf/domain_conf.c | 53 +- src/conf/domain_conf.h | 12 + src/libvirt_private.syms | 3 + src/qemu/Makefile.inc.am | 10 + src/qemu/libvirtd_qemu.aug | 5 + src/qemu/qemu.conf | 8 + src/qemu/qemu_capabilities.c | 5 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_cgroup.c | 36 + src/qemu/qemu_cgroup.h | 2 + src/qemu/qemu_command.c | 34 +- src/qemu/qemu_conf.c | 43 + src/qemu/qemu_conf.h | 6 + src/qemu/qemu_domain.c | 3 + src/qemu/qemu_extdevice.c | 180 ++++ src/qemu/qemu_extdevice.h | 59 ++ src/qemu/qemu_process.c | 16 + src/qemu/qemu_security.c | 69 ++ src/qemu/qemu_security.h | 11 + src/qemu/qemu_tpm.c | 946 +++++++++++++++++++++ src/qemu/qemu_tpm.h | 56 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 + src/security/security_dac.c | 7 + src/security/security_driver.h | 7 + src/security/security_manager.c | 36 + src/security/security_manager.h | 6 + src/security/security_selinux.c | 172 ++++ src/security/security_stack.c | 40 + src/util/virfile.c | 55 ++ src/util/virfile.h | 3 + tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + .../tpm-emulator-tpm2.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator-tpm2.xml | 30 + .../tpm-emulator.x86_64-latest.args | 33 + tests/qemuxml2argvdata/tpm-emulator.xml | 30 + tests/qemuxml2argvtest.c | 16 +- tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml | 34 + tests/qemuxml2xmloutdata/tpm-emulator.xml | 34 + tests/qemuxml2xmltest.c | 1 + 48 files changed, 2165 insertions(+), 10 deletions(-) create mode 100644 src/qemu/qemu_extdevice.c create mode 100644 src/qemu/qemu_extdevice.h create mode 100644 src/qemu/qemu_tpm.c create mode 100644 src/qemu/qemu_tpm.h create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2argvdata/tpm-emulator.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/tpm-emulator.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2.xml create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator.xml -- 2.14.3

4 29

[libvirt] [REPOSTv3 PATCHv3 0/6] Add support for VM Generation ID (vmgenid)
by John Ferlan 24 May '18

24 May '18

This is the 3rd reposting because of qemu capabilities conflicts, maybe the 3rd time will be the charm. Previous, e.g. REPOSTv2 posting: https://www.redhat.com/archives/libvir-list/2018-May/msg01332.html Cover from the PATCHv3 posting: v2: https://www.redhat.com/archives/libvir-list/2018-April/msg02234.html Changes since v2: * Essentially handle comments from code review of original series from comments received for patch 6: https://www.redhat.com/archives/libvir-list/2018-April/msg02240.html It's a somewhat simplified approach removing the ABI checks and the adjustment to the genid value as part of domain def copy. * (NEW) Patch 5 - add a 'genid' domain capability (similar to how Cole added support for vmcoreinfo). Since the apps need a way to determine whether this is enabled, this seems to be the best way. John Ferlan (6): conf: Add VM Generation ID parse/format support qemu: Add VM Generation ID device capability qemu: Alter VM Generation ID for specific startup/launch transitions qemu: Add VM Generation ID to qemu command line domcaps: Add 'genid' to domain capabilities docs: Add news article for VM Generation ID docs/formatdomain.html.in | 27 +++++++++++ docs/formatdomaincaps.html.in | 7 ++- docs/news.xml | 13 ++++++ docs/schemas/domaincaps.rng | 7 +++ docs/schemas/domaincommon.rng | 8 ++++ src/conf/domain_capabilities.c | 3 ++ src/conf/domain_capabilities.h | 1 + src/conf/domain_conf.c | 54 ++++++++++++++++++++++ src/conf/domain_conf.h | 5 ++ src/qemu/qemu_capabilities.c | 4 ++ src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 24 ++++++++++ src/qemu/qemu_driver.c | 17 +++++-- src/qemu/qemu_process.c | 46 +++++++++++++++++- src/qemu/qemu_process.h | 1 + tests/domaincapsschemadata/basic.xml | 1 + tests/domaincapsschemadata/bhyve_basic.x86_64.xml | 1 + tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml | 1 + tests/domaincapsschemadata/bhyve_uefi.x86_64.xml | 1 + tests/domaincapsschemadata/full.xml | 1 + tests/domaincapsschemadata/libxl-xenfv-usb.xml | 1 + tests/domaincapsschemadata/libxl-xenfv.xml | 1 + tests/domaincapsschemadata/libxl-xenpv-usb.xml | 1 + tests/domaincapsschemadata/libxl-xenpv.xml | 1 + tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml | 1 + .../qemu_2.12.0-virt.aarch64.xml | 1 + tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml | 1 + tests/domaincapsschemadata/qemu_2.12.0.s390x.xml | 1 + tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml | 1 + .../qemu_2.6.0-virt.aarch64.xml | 1 + tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml | 1 + tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml | 1 + tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml | 1 + tests/domaincapsschemadata/qemu_2.7.0.s390x.xml | 1 + .../domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml | 1 + tests/domaincapsschemadata/qemu_2.8.0.s390x.xml | 1 + tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml | 1 + .../domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml | 1 + .../domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml | 1 + tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 + .../qemuxml2argvdata/genid-auto.x86_64-latest.args | 30 ++++++++++++ tests/qemuxml2argvdata/genid-auto.xml | 32 +++++++++++++ tests/qemuxml2argvdata/genid.x86_64-latest.args | 30 ++++++++++++ tests/qemuxml2argvdata/genid.xml | 32 +++++++++++++ tests/qemuxml2argvtest.c | 4 ++ tests/qemuxml2xmloutdata/genid-active.xml | 32 +++++++++++++ tests/qemuxml2xmloutdata/genid-auto-active.xml | 32 +++++++++++++ tests/qemuxml2xmloutdata/genid-auto-inactive.xml | 32 +++++++++++++ tests/qemuxml2xmloutdata/genid-inactive.xml | 32 +++++++++++++ tests/qemuxml2xmltest.c | 5 +- 53 files changed, 500 insertions(+), 7 deletions(-) create mode 100644 tests/qemuxml2argvdata/genid-auto.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/genid-auto.xml create mode 100644 tests/qemuxml2argvdata/genid.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/genid.xml create mode 100644 tests/qemuxml2xmloutdata/genid-active.xml create mode 100644 tests/qemuxml2xmloutdata/genid-auto-active.xml create mode 100644 tests/qemuxml2xmloutdata/genid-auto-inactive.xml create mode 100644 tests/qemuxml2xmloutdata/genid-inactive.xml -- 2.14.3

1 6

[libvirt] [PATCH 0/2] cpu: speculative store buffer bypass mitigation (CVE-2018-3639)
by Daniel P. Berrangé 24 May '18

24 May '18

This provides the libvirt part of the mitigations for the speculative store buffer bypass vulnerabilities on the x86 platform[1], and is the companion of the kernel patches merged in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… And QEMU patches posted at https://lists.gnu.org/archive/html/qemu-devel/2018-05/msg04795.html [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1528 https://access.redhat.com/security/vulnerabilities/ssbd Daniel P. Berrangé (2): cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639) cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639) src/cpu/cpu_map.xml | 6 ++++++ 1 file changed, 6 insertions(+) -- 2.17.0

3 4

[libvirt] [PATCH] news: Add TLS non-shared storage migration
by Peter Krempa 24 May '18

24 May '18

Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- docs/news.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index 8f2c7d5dff..329b1c7129 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -54,6 +54,16 @@ a QEMU virtual machine. </description> </change> + <change> + <summary> + Add support for migration of QEMU VMs with non-shared storage over TLS + </summary> + <description> + It's now possible to use the VIR_MIGRATE_TLS flag together with + VIR_MIGRATE_NON_SHARED_DISK. The connection is then secured using the + TLS environment which is setup for the migration connection. + </description> + </change> </section> <section title="Improvements"> <change> -- 2.16.2

2 3