February 2019 - Devel - libvirt List Archives

[libvirt] [PATCH] conf: make virPCIDeviceAddressFormat void
by Daniel P. Berrangé 15 Feb '19

15 Feb '19

Only one of the three callers of virPCIDeviceAddressFormat correctly handles an error return status. Fortunately it can't fail so can be made void. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- src/conf/device_conf.c | 3 +-- src/conf/device_conf.h | 6 +++--- src/conf/domain_conf.c | 6 ++---- src/conf/network_conf.c | 7 +++---- src/conf/storage_adapter_conf.c | 4 ++-- 5 files changed, 11 insertions(+), 15 deletions(-) diff --git a/src/conf/device_conf.c b/src/conf/device_conf.c index 32628c6448..cd994057c5 100644 --- a/src/conf/device_conf.c +++ b/src/conf/device_conf.c @@ -308,7 +308,7 @@ virPCIDeviceAddressParseXML(xmlNodePtr node, return ret; } -int +void virPCIDeviceAddressFormat(virBufferPtr buf, virPCIDeviceAddress addr, bool includeTypeInAddr) @@ -320,7 +320,6 @@ virPCIDeviceAddressFormat(virBufferPtr buf, addr.bus, addr.slot, addr.function); - return 0; } bool diff --git a/src/conf/device_conf.h b/src/conf/device_conf.h index 56745707d9..7a3455f99f 100644 --- a/src/conf/device_conf.h +++ b/src/conf/device_conf.h @@ -202,9 +202,9 @@ bool virDeviceInfoPCIAddressExtensionIsPresent(const virDomainDeviceInfo *info); int virPCIDeviceAddressParseXML(xmlNodePtr node, virPCIDeviceAddressPtr addr); -int virPCIDeviceAddressFormat(virBufferPtr buf, - virPCIDeviceAddress addr, - bool includeTypeInAddr); +void virPCIDeviceAddressFormat(virBufferPtr buf, + virPCIDeviceAddress addr, + bool includeTypeInAddr); bool virDomainDeviceCCWAddressIsValid(virDomainDeviceCCWAddressPtr addr); int virDomainDeviceCCWAddressParseXML(xmlNodePtr node, diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index cd69323f28..95510a5157 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -25136,10 +25136,8 @@ virDomainHostdevDefFormatSubsys(virBufferPtr buf, } break; case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: - if (virPCIDeviceAddressFormat(buf, pcisrc->addr, - includeTypeInAddr) != 0) - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("PCI address Formatting failed")); + virPCIDeviceAddressFormat(buf, pcisrc->addr, + includeTypeInAddr); if ((flags & VIR_DOMAIN_DEF_FORMAT_PCI_ORIG_STATES) && (def->origstates.states.pci.unbind_from_stub || diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index ac0069cbec..87bf158049 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -2485,10 +2485,9 @@ virNetworkDefFormatBuf(virBufferPtr buf, virBufferAddLit(buf, "/>\n"); } else { if (def->forward.ifs[i].type == VIR_NETWORK_FORWARD_HOSTDEV_DEVICE_PCI) { - if (virPCIDeviceAddressFormat(buf, - def->forward.ifs[i].device.pci, - true) < 0) - goto error; + virPCIDeviceAddressFormat(buf, + def->forward.ifs[i].device.pci, + true); } } } diff --git a/src/conf/storage_adapter_conf.c b/src/conf/storage_adapter_conf.c index 3118b1a310..18bcb5eb9e 100644 --- a/src/conf/storage_adapter_conf.c +++ b/src/conf/storage_adapter_conf.c @@ -326,8 +326,8 @@ virStorageAdapterFormatSCSIHost(virBufferPtr buf, virBufferAsprintf(buf, "<parentaddr unique_id='%d'>\n", scsi_host->unique_id); virBufferAdjustIndent(buf, 2); - ignore_value(virPCIDeviceAddressFormat(buf, scsi_host->parentaddr, - false)); + virPCIDeviceAddressFormat(buf, scsi_host->parentaddr, + false); virBufferAdjustIndent(buf, -2); virBufferAddLit(buf, "</parentaddr>\n"); virBufferAdjustIndent(buf, -2); -- 2.20.1

2 1

[libvirt] [tck PATCH 0/4] A few libvirt-tck patches to fix false failures
by Laine Stump 15 Feb '19

15 Feb '19

I found these when I ran the tck on RHEL8 beta. Laine Stump (4): storage: skip qcow1 tests when qcow1 isn't supported by qemu-img storage: fix/improve diagnostic messages networks: remove stray use of brctl command nwfilter: allow for ebtables *not* removing leading 0 from mac addresses scripts/networks/340-guest-network-bridge.t | 4 +- scripts/nwfilter/100-ping-still-working.t | 4 +- scripts/nwfilter/210-no-mac-spoofing.t | 4 +- scripts/storage/100-create-vol-dir.t | 36 +++++++++------- scripts/storage/200-clone-vol-dir.t | 48 ++++++++++++--------- 5 files changed, 54 insertions(+), 42 deletions(-) -- 2.20.1

3 22

[libvirt] [PATCH v4 0/6] Add authorization support to all network services
by Daniel P. Berrangé 15 Feb '19

15 Feb '19

v1: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg04482.html v2: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg05727.html v3: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg01639.html This series builds on the core authorization framework: v8: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04253.html enabling its use with the VNC, chardev, NBD and migration network servers. In combination with TLS x509 client certificates, this allows these services to whitelist specific clients, which avoids the need to setup restricted child certificate authorities. In VNC it also allows whitelisting based on SASL user names. Changed in v4: - Update deprecation versions to 4.0 - Rebased to latest git Changed in v3: - Rebased to latest git master Changed in v2: - Document that authz objects are resolved at time of use, not time of network service activation - Improve docs for tls-authz parameters on services - Fix 2.13 -> 3.0 version tags - Remove redundant conditionals around g_strdup - Fix arg syntax for qemu-nbd s/-/--/ - Remove QAPI (optional) annotation - Fix some outdated usage example Based-on: <20190215155709.15777-1-berrange(a)redhat.com> Daniel P. Berrangé (6): qemu-nbd: add support for authorization of TLS clients nbd: allow authorization with nbd-server-start QMP command migration: add support for a "tls-authz" migration parameter chardev: add support for authorization for TLS clients vnc: allow specifying a custom authorization object name monitor: deprecate acl_show, acl_reset, acl_policy, acl_add, acl_remove blockdev-nbd.c | 11 ++++++-- chardev/char-socket.c | 12 +++++++- chardev/char.c | 3 ++ hmp.c | 11 +++++++- include/block/nbd.h | 4 +-- migration/migration.c | 8 ++++++ migration/tls.c | 2 +- monitor.c | 23 +++++++++++++++ nbd/server.c | 10 +++---- qapi/block.json | 8 +++++- qapi/char.json | 6 ++++ qapi/migration.json | 14 ++++++++- qemu-deprecated.texi | 11 ++++++++ qemu-nbd.c | 14 ++++++++- qemu-nbd.texi | 4 +++ qemu-options.hx | 44 +++++++++++++++++++++-------- tests/qemu-iotests/233 | 31 ++++++++++++++++++-- tests/qemu-iotests/233.out | 11 ++++++++ ui/vnc.c | 58 ++++++++++++++++++++++++++++++++------ 19 files changed, 245 insertions(+), 40 deletions(-) -- 2.20.1

1 6

[libvirt] [PATCH] network: explicitly allow icmp/icmpv6 in libvirt zonefile
by Laine Stump 15 Feb '19

15 Feb '19

The libvirt zonefile for firewalld (added in commit 3b71f2e4) does the following: 1) lists specific services it wants to allow, then 2) uses a lower priority <reject/> rule to block all other services to the host, and then finally, 3) relies on the zone's default "accept" policy to, accept all forwarded traffic (since forwarded traffic is ignored by the slightly higher priority <reject/> rule in (2)). I had assumed that icmp traffic was either being allowed at the top of the rules, or that it would be ignored by the <reject/> rule and passed by the default accept policy (similar to forwarded traffic), but this assumption was incorrect; the <reject/> rule does block icmp traffic. This became apparent when DHCPv6 which requires ICMPv6 in addition to udp/dhcpv6) failed to work. This all means that in order to achieve our original goal of "similar behavior to a default reject policy, but also allowing forwarded traffic", we need to add rules to allow all icmp and icmpv6 traffic to the libvirt zone, and that's what this patch does. This is a further refinement of the resolution to https://bugzilla.redhat.com/1650320 Signed-off-by: Laine Stump <laine(a)laine.org> --- src/network/libvirt.zone | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone index bf81db1b6e..b1e84b52ec 100644 --- a/src/network/libvirt.zone +++ b/src/network/libvirt.zone @@ -15,6 +15,8 @@ <rule priority='32767'> <reject/> </rule> +<protocol value='icmp'/> +<protocol value='ipv6-icmp'/> <service name='dhcp'/> <service name='dhcpv6'/> <service name='dns'/> -- 2.20.1

3 2

Re: [libvirt] [Qemu-devel] [PULL 00/14] Trivial branch patches
by Peter Maydell 14 Feb '19

14 Feb '19

On Thu, 14 Feb 2019 at 10:58, Laurent Vivier <laurent(a)vivier.eu> wrote: > > The following changes since commit 0b5e750bea635b167eb03d86c3d9a09bbd43bc06: > > Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2019-02-12 10:53:37 +0000) > > are available in the Git repository at: > > git://github.com/vivier/qemu.git tags/trivial-branch-pull-request > > for you to fetch changes up to 96566d09aa105ee04cbc1c9539cf8a9a40e8e422: > > configure: improve usbfs check (2019-02-14 11:46:30 +0100) > > ---------------------------------------------------------------- > - some configure updates (HAX/NetBSD, remove "wav", -Waddress-of-packed-member) > - remove deprecated options > - some trace and error cleanup > - typo fixes > Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/4.0 for any user-visible changes. -- PMM

1 0

[libvirt] [dockerfiles PATCH] Refresh after installing modprobe for libvirt
by Andrea Bolognani 14 Feb '19

14 Feb '19

The corresponding libvirt-jenkins-ci commit is bb67e0969566. Signed-off-by: Andrea Bolognani <abologna(a)redhat.com> --- Pushed under the Dockerfiles refresh rule. buildenv-centos-7.Dockerfile | 1 + buildenv-debian-8.Dockerfile | 1 + buildenv-debian-9.Dockerfile | 1 + buildenv-debian-sid.Dockerfile | 1 + buildenv-fedora-28.Dockerfile | 1 + buildenv-fedora-29.Dockerfile | 1 + buildenv-fedora-rawhide.Dockerfile | 1 + buildenv-ubuntu-16.Dockerfile | 1 + buildenv-ubuntu-18.Dockerfile | 1 + 9 files changed, 9 insertions(+) diff --git a/buildenv-centos-7.Dockerfile b/buildenv-centos-7.Dockerfile index ab6f2c5..e85d132 100644 --- a/buildenv-centos-7.Dockerfile +++ b/buildenv-centos-7.Dockerfile @@ -25,6 +25,7 @@ RUN yum update -y && \ gnutls-devel \ iproute \ iscsi-initiator-utils \ + kmod \ libacl-devel \ libattr-devel \ libblkid-devel \ diff --git a/buildenv-debian-8.Dockerfile b/buildenv-debian-8.Dockerfile index 587b06f..fa92347 100644 --- a/buildenv-debian-8.Dockerfile +++ b/buildenv-debian-8.Dockerfile @@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ git \ glusterfs-common \ iproute2 \ + kmod \ libacl1-dev \ libapparmor-dev \ libattr1-dev \ diff --git a/buildenv-debian-9.Dockerfile b/buildenv-debian-9.Dockerfile index 359d9c4..9d81f03 100644 --- a/buildenv-debian-9.Dockerfile +++ b/buildenv-debian-9.Dockerfile @@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ git \ glusterfs-common \ iproute2 \ + kmod \ libacl1-dev \ libapparmor-dev \ libattr1-dev \ diff --git a/buildenv-debian-sid.Dockerfile b/buildenv-debian-sid.Dockerfile index 8e49c0c..3be8a9f 100644 --- a/buildenv-debian-sid.Dockerfile +++ b/buildenv-debian-sid.Dockerfile @@ -19,6 +19,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ gettext \ git \ iproute2 \ + kmod \ libacl1-dev \ libapparmor-dev \ libattr1-dev \ diff --git a/buildenv-fedora-28.Dockerfile b/buildenv-fedora-28.Dockerfile index fe96282..447304e 100644 --- a/buildenv-fedora-28.Dockerfile +++ b/buildenv-fedora-28.Dockerfile @@ -28,6 +28,7 @@ RUN yum update -y && \ iproute \ iproute-tc \ iscsi-initiator-utils \ + kmod \ libacl-devel \ libattr-devel \ libblkid-devel \ diff --git a/buildenv-fedora-29.Dockerfile b/buildenv-fedora-29.Dockerfile index 1d10a5f..81879ae 100644 --- a/buildenv-fedora-29.Dockerfile +++ b/buildenv-fedora-29.Dockerfile @@ -28,6 +28,7 @@ RUN yum update -y && \ iproute \ iproute-tc \ iscsi-initiator-utils \ + kmod \ libacl-devel \ libattr-devel \ libblkid-devel \ diff --git a/buildenv-fedora-rawhide.Dockerfile b/buildenv-fedora-rawhide.Dockerfile index f6e427c..e5996ec 100644 --- a/buildenv-fedora-rawhide.Dockerfile +++ b/buildenv-fedora-rawhide.Dockerfile @@ -29,6 +29,7 @@ RUN yum update -y --nogpgcheck fedora-gpg-keys && \ iproute \ iproute-tc \ iscsi-initiator-utils \ + kmod \ libacl-devel \ libattr-devel \ libblkid-devel \ diff --git a/buildenv-ubuntu-16.Dockerfile b/buildenv-ubuntu-16.Dockerfile index 1d49b1f..dc1b16f 100644 --- a/buildenv-ubuntu-16.Dockerfile +++ b/buildenv-ubuntu-16.Dockerfile @@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ git \ glusterfs-common \ iproute2 \ + kmod \ libacl1-dev \ libapparmor-dev \ libattr1-dev \ diff --git a/buildenv-ubuntu-18.Dockerfile b/buildenv-ubuntu-18.Dockerfile index 7ab5686..3e4c48f 100644 --- a/buildenv-ubuntu-18.Dockerfile +++ b/buildenv-ubuntu-18.Dockerfile @@ -20,6 +20,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ git \ glusterfs-common \ iproute2 \ + kmod \ libacl1-dev \ libapparmor-dev \ libattr1-dev \ -- 2.20.1

1 0

[libvirt] [PATCH] virkmodtest: Don't fail if modprobe doesn't exist
by Michal Privoznik 14 Feb '19

14 Feb '19

On some very basic installations (e.g. some container images) the modprobe binary might be missing. If that is the case, don't fail virkmodtest. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- tests/virkmodtest.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/virkmodtest.c b/tests/virkmodtest.c index c90830a23c..80029244ff 100644 --- a/tests/virkmodtest.c +++ b/tests/virkmodtest.c @@ -46,7 +46,12 @@ testKModConfig(const void *args ATTRIBUTE_UNUSED) */ outbuf = virKModConfig(); if (!outbuf) { - fprintf(stderr, "Failed to get config\n"); + if (virFileIsExecutable(MODPROBE)) { + fprintf(stderr, "Failed to get config\n"); + } else { + /* modprobe doesn't exist, do not claim error. */ + ret = 0; + } goto cleanup; } ret = 0; -- 2.19.2

2 1

[libvirt] [jenkins-ci PATCH 0/2] guests: Install modprobe for libvirt
by Andrea Bolognani 14 Feb '19

14 Feb '19

Turns out some Docker base images (eg. ubuntu:18.04) don't include it, so we have to drag it in manually. It's a crazy world we live in these days :) Andrea Bolognani (2): guests: Add mapping for modprobe guests: Install modprobe for libvirt guests/vars/mappings.yml | 4 ++++ guests/vars/projects/libvirt.yml | 1 + 2 files changed, 5 insertions(+) -- 2.20.1

2 4

[libvirt] [jenkins-ci PATCH v2 0/9] Add support for cross compiling libvirt via Debian
by Daniel P. Berrangé 14 Feb '19

14 Feb '19

Changed in v2: - Fix multiple package name mistakes - Modify lcitool to generate cross-arch docker files - Add --no-install-recommended flag to apt-get - Add DEBIAN_FRONTEND=noninteractive env to apt-get - Improve error reporting in lcitool - Add make rule for generating dockerfiles locally Daniel P. Berrangé (9): guests: use libpcap0.8-dev package on Debian guests: add xfsprogs development package for libvirt guests: fix glusterfs package name on Debian lcitool: include root cause when failing to load facts lcitool: force non-interactive apt-get frontend lcitool: avoid installing recommended packages lcitool: avoid using an env var to store package list lcitool: support generating cross compiler dockerfiles docker: add a makefile for building docker images locally .gitignore | 1 + dockerfiles/Makefile | 33 +++++ guests/host_vars/libvirt-debian-9/docker.yml | 57 ++++++++ .../host_vars/libvirt-debian-sid/docker.yml | 62 +++++++++ guests/lcitool | 123 ++++++++++++++---- guests/vars/mappings.yml | 9 +- guests/vars/projects/libvirt.yml | 1 + 7 files changed, 257 insertions(+), 29 deletions(-) create mode 100644 dockerfiles/Makefile -- 2.20.1

3 27

[libvirt] [PATCH] virsh: fix snapshot list --parent
by Ján Tomko 14 Feb '19

14 Feb '19

The root snapshot does not have a parent. Use NULLSTR_EMPTY to pass an empty string instead of putting too few columns in the table. https://bugzilla.redhat.com/show_bug.cgi?id=1662849 Signed-off-by: Ján Tomko <jtomko(a)redhat.com> --- tools/virsh-snapshot.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/virsh-snapshot.c b/tools/virsh-snapshot.c index 90000ef1aa..6cadb2b0d6 100644 --- a/tools/virsh-snapshot.c +++ b/tools/virsh-snapshot.c @@ -1608,7 +1608,8 @@ cmdSnapshotList(vshControl *ctl, const vshCmd *cmd) &time_info); if (parent) { - if (vshTableRowAppend(table, snap_name, timestr, state, parent_snap, + if (vshTableRowAppend(table, snap_name, timestr, state, + NULLSTR_EMPTY(parent_snap), NULL) < 0) goto cleanup; } else { -- 2.19.2

2 1