[libvirt] New Feature: Intel MKTME Support
by Carvalho, Larkins L
Hello Team,
Greetings.
We want to add Intel MKTME support to the Libvirt.
Intel MKTME is a capability to encrypt entirety of physical memory of a system similar to AMD SEV.
Please let us know what are the expectations from us to initiate the design and development of the feature.
Regards,
Larkins Carvalho
Intel Corporation
5 years, 11 months
[libvirt] [PATCH v2 00/11] conf: partial net model enum conversion
by Cole Robinson
v1 here:
https://www.redhat.com/archives/libvir-list/2019-January/msg00763.html
Changes since v1:
- patch #7, case insensitive model input comparison
- Add xml2xml testing
- compile tested on freebsd12.0
This series partially converts the net->model value from a string
to an enum. We wrap the existing ->model string in accessor functions,
rename it to ->modelstr, add a ->model enum, and convert internal
driver usage bit by bit. At the end, all driver code that is acting
on specific network model values is comparing against an enum, not
a string.
This is only partial because of xen/libxl/xm and qemu drivers, which
if they don't know anything particular about the model string will
just place it on the qemu command line/xen config and see what happens.
So basically if I were to pass in
<model type='idontexist'/>
qemu would turn that into
-device idontexist,...
That behavior is untouched by this series, as fully unwinding that
will take some more work:
* Figuring out all reasonable qemu + xen values that could actually
result in a working VM config, and adding them to the enum
* Figuring out a long term plan for disabling passthrough entirely.
There's some discussion in the v1 thread about this.
Some caveats:
* vz driver is not compile tested. What's the sdk magic to actually
get this building?
* net model enum lookup is done case insensitive. this is to maintain
the behavior of the vmx and virtualbox drivers, but it's different
than all our other enum usage.
Cole Robinson (11):
tests: Add several net model passthrough tests
conf: net: Add wrapper functions for <model> value
conf: net: Rename 'model' to 'modelstr'
conf: net: Add model enum, and netfront value
vz: convert to net model enum
bhyve: convert to net model enum
qemu: Partially convert to net model enum
conf: Make net model enum compare case insensitive
vmx: convert to net model enum
vbox: Convert to net enum model
conf: Add VIR_DOMAIN_DEF_FEATURE_NET_MODEL_STRING
src/bhyve/bhyve_command.c | 15 +--
src/bhyve/bhyve_parse_command.c | 10 +-
src/conf/domain_conf.c | 111 ++++++++++++++----
src/conf/domain_conf.h | 35 +++++-
src/libvirt_private.syms | 4 +
src/libxl/libxl_conf.c | 8 +-
src/libxl/libxl_domain.c | 1 +
src/qemu/qemu_command.c | 13 +-
src/qemu/qemu_domain.c | 32 +++--
src/qemu/qemu_domain_address.c | 13 +-
src/qemu/qemu_driver.c | 14 ++-
src/qemu/qemu_hotplug.c | 15 ++-
src/qemu/qemu_parse_command.c | 5 +-
src/security/virt-aa-helper.c | 3 +-
src/vbox/vbox_common.c | 29 ++---
src/vmx/vmx.c | 55 ++++-----
src/vz/vz_driver.c | 7 +-
src/vz/vz_sdk.c | 17 ++-
src/xenconfig/xen_common.c | 31 ++---
src/xenconfig/xen_sxpr.c | 30 ++---
tests/qemuxml2argvdata/net-many-models.args | 39 ++++++
tests/qemuxml2argvdata/net-many-models.xml | 38 ++++++
tests/qemuxml2argvtest.c | 1 +
tests/qemuxml2xmloutdata/net-many-models.xml | 53 +++++++++
tests/qemuxml2xmltest.c | 1 +
tests/xlconfigdata/test-net-fakemodel.cfg | 24 ++++
tests/xlconfigdata/test-net-fakemodel.xml | 39 ++++++
tests/xlconfigtest.c | 1 +
.../test-paravirt-net-fakemodel.cfg | 13 ++
.../test-paravirt-net-fakemodel.xml | 40 +++++++
.../test-paravirt-net-modelstr.cfg | 13 ++
tests/xmconfigtest.c | 1 +
.../xml2sexpr-fv-net-many-models.sexpr | 1 +
.../xml2sexpr-fv-net-many-models.xml | 43 +++++++
tests/xml2sexprtest.c | 1 +
35 files changed, 586 insertions(+), 170 deletions(-)
create mode 100644 tests/qemuxml2argvdata/net-many-models.args
create mode 100644 tests/qemuxml2argvdata/net-many-models.xml
create mode 100644 tests/qemuxml2xmloutdata/net-many-models.xml
create mode 100644 tests/xlconfigdata/test-net-fakemodel.cfg
create mode 100644 tests/xlconfigdata/test-net-fakemodel.xml
create mode 100644 tests/xmconfigdata/test-paravirt-net-fakemodel.cfg
create mode 100644 tests/xmconfigdata/test-paravirt-net-fakemodel.xml
create mode 100644 tests/xmconfigdata/test-paravirt-net-modelstr.cfg
create mode 100644 tests/xml2sexprdata/xml2sexpr-fv-net-many-models.sexpr
create mode 100644 tests/xml2sexprdata/xml2sexpr-fv-net-many-models.xml
--
2.20.1
5 years, 12 months
[libvirt] [PATCH 0/2] rpc: client: stream bugfix and improvement
by Nikolay Shirokovskiy
Nikolay Shirokovskiy (2):
rpc: client: fix race on stream error and stream creation
rpc: client: stream: notify streams of closing connection
src/rpc/virnetclient.c | 13 ++++++++++---
src/rpc/virnetclientstream.c | 30 ++++++++++++++++++++++++++++--
src/rpc/virnetclientstream.h | 2 ++
3 files changed, 40 insertions(+), 5 deletions(-)
--
1.8.3.1
6 years
[libvirt] [PATCH for v5.3.0 00/17] Fix and enable owner remembering
by Michal Privoznik
The basic owner remembering is already merged but was turned off because
there were some issues. Well, this is my first attempt to fix those and
then enable the feature. Yay!
Michal Prívozník (17):
tools: Slightly rework libvirt_recover_xattrs.sh
virSecuritySELinuxRestoreAllLabel: Print @migrated in the debug
message too
virfile: Make virFileGetXAttr report errors
virFileSetXAttr: Report error on failure
virFileRemoveXAttr: Report error on failure
security: Don't skip label restore on file systems lacking XATTRs
security: Document @restore member of transaction list
security_dac: Allow caller to suppress owner remembering
security_selinux: Allow caller to suppress owner remembering
security: Remember owner only for top level image
security: Introduce virSecurityManagerMoveImageMetadata
security_util: Introduce virSecurityMoveRememberedLabel
security_dac: Implement virSecurityManagerMoveImageMetadata
security_selinux: Implement virSecurityManagerMoveImageMetadata
qemu_security: Implement qemuSecurityMoveImageMetadata
qemu: Move image security metadata on snapshot activity
Revert "qemu: Temporary disable owner remembering"
docs/news.xml | 21 +++
src/libvirt_private.syms | 2 +
src/qemu/libvirtd_qemu.aug | 1 +
src/qemu/qemu.conf | 5 +
src/qemu/qemu_blockjob.c | 6 +
src/qemu/qemu_conf.c | 4 +
src/qemu/qemu_driver.c | 17 +-
src/qemu/qemu_security.c | 19 +++
src/qemu/qemu_security.h | 5 +
src/qemu/test_libvirtd_qemu.aug.in | 1 +
src/security/security_dac.c | 149 +++++++++++++----
src/security/security_driver.h | 5 +
src/security/security_manager.c | 39 +++++
src/security/security_manager.h | 4 +
src/security/security_nop.c | 10 ++
src/security/security_selinux.c | 249 ++++++++++++++++++++---------
src/security/security_stack.c | 20 +++
src/security/security_util.c | 85 +++++++++-
src/security/security_util.h | 5 +
src/util/virfile.c | 78 +++++++--
src/util/virfile.h | 5 +
tests/qemusecuritymock.c | 6 +-
tools/libvirt_recover_xattrs.sh | 49 +++---
23 files changed, 626 insertions(+), 159 deletions(-)
--
2.19.2
6 years
[libvirt] vcpupin reports bogus vcpu affinities
by Allen, John
For pinned vcpus, vcpupin will report inaccurate affinity values on machines
with high core counts (256 cores in my case). The problem is produced as
follows:
$ virsh vcpupin myguest 0 4
$ virsh vcpupin myguest 0
VCPU CPU Affinity
---------------------------
0 4,192,194,196-197
Running taskset on the qemu threads shows the correct affinity, so this seems
to be a reporting problem. Strangely, the value "192" is significant. If I pin
a cpu greater than 192, the problem no longer appears.
I believe the cause of the problem in my case is that in this case in
src/conf/domain_conf.c:virDomainDefGetVcpuPinInfoHelper:
...
if (vcpu && vcpu->cpumask)
bitmap = vcpu->cpumask;
...
vcpu->cpumask is "shortened" in that it is only long enough to contain the last
set bit in the mask. However, when we go to copy the mask to the buffer that is
returned, we use the masklen passed to the function which is the "full"
masklen with a bit for each cpu. So it seems virBitmapToDataBuf copies some
extra data past the end of the bitmask. Why the "192" value is always set and I
typically see similar bogus bits set is still unknown.
What is the function meant to assume in this case? Is it sane to assume that
the bitmask is the full length of the buffer here and it's the responsibility
of the setter of vcpu->cpumask to provide the length of the bitmap we're
expecting? Or should we assume that we may receive a shortened bitmask here and
expand the bitmask before copying to the buffer?
-John
6 years
[libvirt] [PATCH] security: apparmor: make vhost-net access a static rule
by Christian Ehrhardt
So far we were detecting at guest start if any devices needed vhost net
and only if that was true added a rule for /dev/vhost-net.
It turns out that it is an absolutely valid case to start a guest
without any vhost-net networking but later on wanting to hotplug such a
device which then would be denied by apparmor.
Unfortunately there also is no security labeling callback involved other
than the one to /dev/net/tun. But on the other hand vhost-net is no more
new and considered rather safe. Therefore drop the old detection and
just add it as a static rule.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815910
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 1 +
src/security/virt-aa-helper.c | 17 +----------------
2 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index eaa5167525..a71f34c175 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -21,6 +21,7 @@
signal (receive) peer=/usr/sbin/libvirtd,
/dev/net/tun rw,
+ /dev/vhost-net rw,
/dev/kvm rw,
/dev/ptmx rw,
/dev/kqemu rw,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8e22e9978a..ebc4feac77 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -937,7 +937,7 @@ get_files(vahControl * ctl)
size_t i;
char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN];
- bool needsVfio = false, needsvhost = false;
+ bool needsVfio = false;
/* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1248,21 +1248,6 @@ get_files(vahControl * ctl)
}
}
- if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
- for (i = 0; i < ctl->def->nnets; i++) {
- virDomainNetDefPtr net = ctl->def->nets[i];
- if (net && net->model) {
- if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
- continue;
- if (!virDomainNetIsVirtioModel(net))
- continue;
- }
- needsvhost = true;
- }
- }
- if (needsvhost)
- virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n");
-
if (needsVfio) {
virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n");
virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n");
--
2.17.1
6 years
[libvirt] [PATCH 0/3] Replace vmware/esx argv string to VMX_CONFIG_FORMAT_ARGV
by Han Han
Han Han (3):
vmx: Define macro VMX_CONFIG_FORMAT_ARGV for vmware-vmx
esx: Use VMX_CONFIG_FORMAT_ARGV for esx naive argv
vmware: Use VMX_CONFIG_FORMAT_ARGV for vmware naive argv
src/esx/esx_driver.c | 4 ++--
src/vmware/vmware_conf.c | 2 +-
src/vmware/vmware_driver.c | 2 +-
src/vmx/vmx.h | 2 ++
4 files changed, 6 insertions(+), 4 deletions(-)
--
2.20.1
6 years
[libvirt] [PATCH 0/5] snapshot coverage in 'make check'
by Eric Blake
Given that my recent snapshot changes introduced two separate bugs,
both of which were fairly easy to reproduce with the test:///default
driver, but neither of which caused 'make check' to alert me to the
problems, it's high time I submit a test, including enhancing virsh to
give me the functionality the test needs.
Eric Blake (5):
snapshot: Avoid infloop during REDEFINE
virsh: Parse # comments in batch mode
virsh: Treat any command name starting with # as comment
virsh: Add 'echo --err' option
snapshot: Add tests of virsh -c test:///default snapshot*
src/conf/snapshot_conf.c | 1 +
tests/Makefile.am | 3 +-
tests/virsh-snapshot | 212 +++++++++++++++++++++++++++++++++++++++
tests/virshtest.c | 7 ++
tools/virsh.pod | 10 +-
tools/virt-admin.pod | 7 +-
tools/vsh.c | 34 ++++++-
7 files changed, 263 insertions(+), 11 deletions(-)
create mode 100755 tests/virsh-snapshot
--
2.20.1
6 years
