live migration is not using secondary interface
by Olaf Hering
A naive 'virsh migrate --live domU xen+tcp://cross-over-ip' uses the ordinary uplink instead of the requested IP address. According to the documentation an additional option has to be specified to really use the other network interface. However, neither 'tcp://cross-over-ip' nor 'xenmigr:cross-over-ip/' works; the migration does not start.
'xenmigr' was removed with 1dac5fbbbb06a0341e8087dc33af75c8352d77a4 and 7ed598438687feaddaf0a653d7cbb8a1c1ad4933, but the docs were not updated.
This leaves 'tcp://ip'. What change needs to be done in the driver to support a secondary interface?
Olaf
3 years, 10 months
[RFC PATCH 0/3] Fix "virsh domfsinfo" on s390x (again)
by Thomas Huth
My previous attempts to fix "virsh domfsinfo" on s390x were unfortunately
wrong due to some misunderstandings on my side.
To correctly list the "Target" device in the output of "virsh domfsinfo",
we need to search through the available devices using their CCW address
on s390x.
For this the QEMU guest agent will be enhanced to also send the CCW
address of devices in the guest (see the following URL for details:
https://lore.kernel.org/qemu-devel/20201125105417.380317-1-thuth@redhat.com/
... but it has just been posted and will take some time to get merged,
since QEMU is still in hard freeze, that's why I've labelled this libvirt
series here as RFC only). Using this CCW address, we then can look up
the correct target devices on the libvirt side, too.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1858771 for some
more information.
Thomas Huth (3):
qemu: agent: Store CCW address in qemuAgentDiskInfo if provided by the
guest
domain_conf: Allow to look up virtio-block devices by their CCW
address
domain_conf: Allow to look up scsi disks when controller uses a CCW
address
src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++++++++-
src/conf/domain_conf.h | 4 ++++
src/qemu/qemu_agent.c | 11 +++++++++++
src/qemu/qemu_agent.h | 2 ++
src/qemu/qemu_driver.c | 8 +++++---
5 files changed, 54 insertions(+), 4 deletions(-)
--
2.18.4
3 years, 10 months
[PATCH] virt-aa-helper: disallow graphics socket read permissions
by Simon Arlott
The VM does not need read permission for its own sockets to create(),
bind(), accept() connections or to recv(), send(), etc. on connections.
This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
(virt-aa-helper: disallow VNC socket read permissions),
but then b6465e1aa49397367a9cd0f27110b9c2280a7385
(graphics: introduce new listen type 'socket')
and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
(acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
Unless the read permission is omitted, VMs can connect to each other's
VNC/graphics sockets.
Signed-off-by: Simon Arlott <libvirt(a)octiron.net>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 6e6dd1b1db..fddbdafc41 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1053,7 +1053,7 @@ get_files(vahControl * ctl)
if (listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET &&
listenObj.socket &&
- vah_add_file(&buf, listenObj.socket, "rw"))
+ vah_add_file(&buf, listenObj.socket, "w"))
goto cleanup;
}
}
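Review bot: the branch guarded by `listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET` now yields a write-only rule, which is consistent with the earlier VNC-socket fix the commit message cites; since that fix was lost twice to unrelated refactoring, pair this one-character change with a test that asserts the generated profile grants only "w" on the graphics socket path, so a third revert shows up as a test failure rather than as VMs being able to reach each other's sockets.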
--
2.17.1
--
Simon Arlott
3 years, 10 months
[PATCH] Deprecate pmem=on with non-DAX capable backend file
by Igor Mammedov
It is not safe to pretend that emulated NVDIMM supports
persistence while backend actually failed to enable it
and used non-persistent mapping as fall back.
Instead of falling back, QEMU should be more strict and
error out with clear message that it's not supported.
So if user asks for persistence (pmem=on), they should
store backing file on NVDIMM.
Signed-off-by: Igor Mammedov <imammedo(a)redhat.com>
---
docs/system/deprecated.rst | 14 ++++++++++++++
util/mmap-alloc.c | 3 +++
2 files changed, 17 insertions(+)
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index bacd76d7a5..ba4f6ed2fe 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -327,6 +327,20 @@ The Raspberry Pi machines come in various models (A, A+, B, B+). To be able
to distinguish which model QEMU is implementing, the ``raspi2`` and ``raspi3``
machines have been renamed ``raspi2b`` and ``raspi3b``.
+Backend options
+---------------
+
+Using non-persistent backing file with pmem=on (since 6.0)
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+This option is used when ``memory-backend-file`` is consumed by emulated NVDIMM
+device. However enabling ``memory-backend-file.pmem`` option, when backing file
+is not DAX capable or not on a filesystem that support direct mapping of persistent
+memory, is not safe and may lead to data loss or corruption in case of host crash.
+Using pmem=on option with such file will return error, instead of a warning.
+Options are to move backing file to NVDIMM storage or modify VM configuration
+to set ``pmem=off`` to continue using fake NVDIMM without persistence guaranties.
+
Device options
--------------
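Review bot: the new paragraph describes the error as present behaviour ("Using pmem=on option with such file will return error, instead of a warning"), but this patch only adds a warning and the subject says deprecate; text under a deprecation heading should say that QEMU currently warns and will refuse to start with such a file in a future release. Two smaller points in the same lines: "a filesystem that support direct mapping" should be "supports", and "persistence guaranties" should be "guarantees".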
diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
index 27dcccd8ec..d226273a98 100644
--- a/util/mmap-alloc.c
+++ b/util/mmap-alloc.c
@@ -20,6 +20,7 @@
#include "qemu/osdep.h"
#include "qemu/mmap-alloc.h"
#include "qemu/host-utils.h"
+#include "qemu/error-report.h"
#define HUGETLBFS_MAGIC 0x958458f6
@@ -166,6 +167,8 @@ void *qemu_ram_mmap(int fd,
"crash.\n", file_name);
g_free(proc_link);
g_free(file_name);
+ warn_report("Deprecated using non DAX backing file with"
+ " pmem=on option");
}
/*
* if map failed with MAP_SHARED_VALIDATE | MAP_SYNC,
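Review bot: the warn_report() text "Deprecated using non DAX backing file with pmem=on option" is not a sentence; prefer the form other QEMU deprecation warnings use, for example "using a non-DAX backing file with pmem=on is deprecated and will become an error in a future release". It is also emitted right after the existing message that already explains the crash risk for the same file_name, so either fold the deprecation sentence into that message or include file_name here as well so the two log lines can be correlated.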
--
2.27.0
3 years, 10 months
RFC PATCH: Issue 90 (Test Clarification)
by Ryan Gahagan
We addressed the feedback from our previous RFC patch for the most part.
Under src/util/virstoragefile.c, we left a cast to an integer pointer
that Peter mentioned because we were unable to provide a better
solution. We've written some tests for our code but our testing
environment is not working locally (meson doesn't even recognize the
project as a meson build project) and so we can't regenerate output or
test our tests.
It's probably bad practice but the only solution we could think of that
would allow us to check our tests was just to email you what we've got.
Sorry if it's not up to standard, but please let us know if there's a
better way to do it or if you spot any problems in these tests.
Under tests/qemuxml2xmltest.c:
DO_TEST_CAPS_LATEST("disk-network-nfs");
The same line would be in tests/qemuxml2argvtest.c
We created the file tests/qemuxml2argvdata/disk-network-nfs.xml:
<domain type='qemu'>
<name>QEMUGuest1</name>
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='i686' machine='pc'>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='network' device='disk'>
<driver name='qemu' type='raw' cache='none'/>
<source protocol='nfs' name='/foo/bar/baz'>
<host name='example.com' port='2049'/>
<nfs user='nfs-user' group='nfs-group'/>
</source>
<target dev='vda' bus='virtio'/>
<serial>eb90327c-8302-4725-9e1b-4e85ed4dc251</serial>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</disk>
<controller type='usb' index='0'/>
<controller type='pci' index='0' model='pci-root'/>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<memballoon model='none'/>
</devices>
</domain>
We have under tests/qemublocktest.c:
TEST_JSON_FORMAT_NET("<source protocol='nfs' name='/foo/bar/baz'>\n"
"  <host name='example.com' port='2049'/>\n"
"  <nfs user='USER' group='GROUP'/>\n"
"</source>\n");
and
TEST_IMAGE_CREATE(“network-nfs-qcow2”, NULL);
And finally under tests/virstoragetest.c:
TEST_BACKING_PARSE("json:{\"file\":{\"driver\":\"nfs\","
"\"user\":\"USER\","
"\"group\":\"GROUP\","
"\"server\": { \"host\":\"example.com\","
"\"port\":\"2049\""
"}"
"}"
"}",
"<source protocol='nfs' name='/foo/bar/baz'>\n"
"  <host name='example.com' port='2049'/>\n"
"  <nfs user='USER' group='GROUP'/>\n"
"</source>\n");
Again, sorry if this looks awful. Please let us know if there's a more
practical way to do this because submitting a commit with these tests
would guarantee that the tests fail and the commit wouldn't be mergeable
due to our environment issues, or if you see anything wrong with these
tests.
3 years, 10 months
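As an added illustration, not part of Ryan's message or of libvirt's test suite: the TEST_BACKING_PARSE case above pins the mapping from a QEMU json: backing-store specification to libvirt's <source protocol='nfs'> element. The Python below reimplements that mapping stand-alone, so the expected XML can be checked without a working meson build. The input is constructed and adds the nfs driver's "path" option, which the quoted test string omits, because the name='/foo/bar/baz' attribute has to come from somewhere; the driver, user, group and server values match the quoted strings.

```python
import json
from xml.sax.saxutils import escape

# Constructed sample input: the same shape as the json: string in the
# TEST_BACKING_PARSE case above, plus the nfs driver's "path" option so the
# <source name='...'> attribute can be derived from the JSON itself.
SAMPLE_BACKING = (
    'json:{"file":{"driver":"nfs","path":"/foo/bar/baz",'
    '"user":"USER","group":"GROUP",'
    '"server":{"host":"example.com","port":"2049"}}}'
)

# The XML the test case expects libvirt to format for that input.
EXPECTED_SOURCE_XML = (
    "<source protocol='nfs' name='/foo/bar/baz'>\n"
    "  <host name='example.com' port='2049'/>\n"
    "  <nfs user='USER' group='GROUP'/>\n"
    "</source>\n"
)


def attr(value):
    """Quote a value for a single-quoted XML attribute, libvirt style."""
    return "'" + escape(str(value), {"'": "&apos;", '"': "&quot;"}) + "'"


def parse_backing_json(spec):
    """Return the 'file' option dict from a QEMU json: backing specification."""
    if not spec.startswith("json:"):
        raise ValueError("not a json: backing store specification")
    doc = json.loads(spec[len("json:"):])
    # QEMU also accepts a flattened form ("file.driver": "nfs"); only the
    # nested form used by the test above is handled here.
    if "file" not in doc:
        raise ValueError("json: specification has no 'file' block")
    return doc["file"]


def nfs_source_xml(opts):
    """Render the <source protocol='nfs'> element for nfs driver options."""
    if opts.get("driver") != "nfs":
        raise ValueError("unsupported driver: %r" % opts.get("driver"))
    server = opts.get("server") or {}
    if "host" not in server:
        raise ValueError("nfs 'server' block must name a host")
    if "path" not in opts:
        raise ValueError("nfs options must carry the export 'path'")

    lines = ["<source protocol='nfs' name=%s>" % attr(opts["path"])]
    host = "  <host name=%s" % attr(server["host"])
    if "port" in server:
        host += " port=%s" % attr(server["port"])
    lines.append(host + "/>")
    # user/group are optional in the JSON: emit <nfs/> only if one is present.
    nfs_attrs = ["%s=%s" % (k, attr(opts[k])) for k in ("user", "group") if k in opts]
    if nfs_attrs:
        lines.append("  <nfs %s/>" % " ".join(nfs_attrs))
    lines.append("</source>")
    return "\n".join(lines) + "\n"


def backing_to_source_xml(spec):
    """Full pipeline: json: backing specification -> <source> XML string."""
    return nfs_source_xml(parse_backing_json(spec))


if __name__ == "__main__":
    print(backing_to_source_xml(SAMPLE_BACKING), end="")
```

Attribute values are escaped before being placed in single quotes, so an export path or user name containing an apostrophe cannot break out of the attribute; a missing host or path is rejected rather than silently producing a <source> with empty attributes.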
Re: [RFC PATCH] conf: Add support for keeping TPM emulator state
by Stefan Berger
On 12/22/20 7:12 PM, Eiichi Tsukata wrote:
> Currently, swtpm TPM state file is removed when the transient domain is
> powered off or the domain is undefined. When we store TPM state on a
> shared storage such as NFS and use transient domain, TPM states should
> be kept as it is.
>
> Add per-TPM emulator option `persistent_sate` for keeping TPM state.
> This option only works for the emulator type backend and looks as follows:
>
> <tpm model='tpm-tis'>
> <backend type='emulator' persistent_state='yes'/>
> </tpm>
>
> Signed-off-by: Eiichi Tsukata <eiichi.tsukata(a)nutanix.com>
> ---
> docs/formatdomain.rst | 7 ++++
> docs/schemas/domaincommon.rng | 12 ++++++
> src/conf/domain_conf.c | 21 ++++++++++
> src/conf/domain_conf.h | 1 +
> src/qemu/qemu_tpm.c | 3 +-
> ...pm-emulator-tpm2-pstate.x86_64-latest.args | 38 +++++++++++++++++++
> .../tpm-emulator-tpm2-pstate.xml | 30 +++++++++++++++
> tests/qemuxml2argvtest.c | 1 +
> ...tpm-emulator-tpm2-pstate.x86_64-latest.xml | 37 ++++++++++++++++++
> tests/qemuxml2xmltest.c | 1 +
> 10 files changed, 150 insertions(+), 1 deletion(-)
> create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml
> create mode 100644 tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml
>
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index 512939679b..9e5f6340fb 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -6986,6 +6986,13 @@ Example: usage of the TPM Emulator
> - '1.2' : creates a TPM 1.2
> - '2.0' : creates a TPM 2.0
>
> +``persistent_state``
> + The ``persistent_state`` attribute indicates whether 'swtpm' TPM state is
> + kept or not when the transient domain is powered off or undefined. This
Nit: the transient domain -> a transient domain
> + option can be used for storing TPM state on shared storage. By default the
Nit: storing -> preserving
But this is not only related to shared storage, is it? Can we remove 'on
shared storage'?
> + value is ``no``. This attribute only works with the ``emulator`` backend.
> + The accepted values are ``yes`` and ``no``.
> +
> ``encryption``
> The ``encryption`` element allows the state of a TPM emulator to be
> encrypted. The ``secret`` must reference a secret object that holds the
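Review bot: the new ``persistent_state`` entry carries no version marker; the other attributes in formatdomain.rst say since which release they exist, so add the "Since x.y.z" note for the release this lands in, otherwise management tools cannot tell from the docs whether a given libvirt will honour the attribute.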
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 795b654feb..d7cedc014c 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -4780,6 +4780,18 @@
> </optional>
> </group>
> </choice>
> + <choice>
> + <group>
> + <optional>
> + <attribute name="persistent_state">
> + <choice>
> + <value>yes</value>
> + <value>no</value>
> + </choice>
> + </attribute>
> + </optional>
> + </group>
> + </choice>
> </element>
> </define>
>
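Review bot: wrapping a single `<optional><attribute>` in `<choice><group>` adds nothing, since there is only one alternative in the choice; `<optional><attribute name="persistent_state">...</attribute></optional>` placed directly in the element expresses the same grammar with less nesting.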
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 23415b323c..82c3a68347 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -13178,6 +13178,12 @@ virDomainSmartcardDefParseXML(virDomainXMLOptionPtr xmlopt,
> * <encryption secret='32ee7e76-2178-47a1-ab7b-269e6e348015'/>
> * </backend>
> * </tpm>
> + *
> + * Emulator persistent_state is supported with the following:
> + *
> + * <tpm model='tpm-tis'>
> + * <backend type='emulator' version='2.0' persistent_state='yes'>
> + * </tpm>
> */
> static virDomainTPMDefPtr
> virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
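Review bot: the example in the comment, `<backend type='emulator' version='2.0' persistent_state='yes'>`, is not self-closed, so the snippet is not well-formed XML; it should read `persistent_state='yes'/>` as in the test data added by this patch.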
> @@ -13193,6 +13199,7 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
> g_autofree char *backend = NULL;
> g_autofree char *version = NULL;
> g_autofree char *secretuuid = NULL;
> + g_autofree char *persistent_state = NULL;
> g_autofree xmlNodePtr *backends = NULL;
>
> def = g_new0(virDomainTPMDef, 1);
> @@ -13265,6 +13272,18 @@ virDomainTPMDefParseXML(virDomainXMLOptionPtr xmlopt,
> }
> def->data.emulator.hassecretuuid = true;
> }
> +
> + persistent_state = virXMLPropString(backends[0], "persistent_state");
> + if (persistent_state) {
> + if (virStringParseYesNo(persistent_state,
> + &def->data.emulator.persistent_state) < 0) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("Invalid persistent_state value, either 'yes' or 'no'"));
> + goto error;
> + }
> + } else {
> + def->data.emulator.persistent_state = false;
> + }
> break;
> case VIR_DOMAIN_TPM_TYPE_LAST:
> goto error;
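Review bot: a malformed attribute value supplied by the user is an XML parse error, not an internal error, so the virReportError() call should use VIR_ERR_XML_ERROR rather than VIR_ERR_INTERNAL_ERROR. The `else { def->data.emulator.persistent_state = false; }` branch is redundant: def comes from g_new0() a few lines up, so the field is already false.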
> @@ -26952,6 +26971,8 @@ virDomainTPMDefFormat(virBufferPtr buf,
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> virBufferAsprintf(buf, " version='%s'",
> virDomainTPMVersionTypeToString(def->version));
> + if (def->data.emulator.persistent_state)
> + virBufferAddLit(buf, " persistent_state='yes'");
> if (def->data.emulator.hassecretuuid) {
> char uuidstr[VIR_UUID_STRING_BUFLEN];
> virBufferAddLit(buf, ">\n");
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index 72771c46b9..109625828a 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -1362,6 +1362,7 @@ struct _virDomainTPMDef {
> char *logfile;
> unsigned char secretuuid[VIR_UUID_BUFLEN];
> bool hassecretuuid;
> + bool persistent_state;
> } emulator;
> } data;
> };
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index 872be16570..532e0912bd 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
> @@ -729,7 +729,8 @@ qemuExtTPMCleanupHost(virDomainDefPtr def)
> if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
> continue;
>
> - qemuTPMDeleteEmulatorStorage(def->tpms[i]);
> + if (!def->tpms[i]->data.emulator.persistent_state)
> + qemuTPMDeleteEmulatorStorage(def->tpms[i]);
> }
> }
>
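Review bot: with this conditional libvirt never removes the swtpm state directory of a persistent_state='yes' domain, on undefine as well as on transient shutdown, so its cleanup becomes the administrator's responsibility; the documentation in this series should say so explicitly, and since that directory holds the emulated TPM's secrets it deserves the same access controls as the rest of the domain's state.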
> diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args
> new file mode 100644
> index 0000000000..90505c7a76
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.x86_64-latest.args
> @@ -0,0 +1,38 @@
> +LC_ALL=C \
> +PATH=/bin \
> +HOME=/tmp/lib/domain--1-TPM-VM \
> +USER=test \
> +LOGNAME=test \
> +XDG_DATA_HOME=/tmp/lib/domain--1-TPM-VM/.local/share \
> +XDG_CACHE_HOME=/tmp/lib/domain--1-TPM-VM/.cache \
> +XDG_CONFIG_HOME=/tmp/lib/domain--1-TPM-VM/.config \
> +QEMU_AUDIO_DRV=none \
> +/usr/bin/qemu-system-x86_64 \
> +-name guest=TPM-VM,debug-threads=on \
> +-S \
> +-object secret,id=masterKey0,format=raw,\
> +file=/tmp/lib/domain--1-TPM-VM/master-key.aes \
> +-machine pc-i440fx-2.12,accel=tcg,usb=off,dump-guest-core=off,\
> +memory-backend=pc.ram \
> +-cpu qemu64 \
> +-m 2048 \
> +-object memory-backend-ram,id=pc.ram,size=2147483648 \
> +-overcommit mem-lock=off \
> +-smp 1,sockets=1,cores=1,threads=1 \
> +-uuid 11d7cd22-da89-3094-6212-079a48a309a1 \
> +-display none \
> +-no-user-config \
> +-nodefaults \
> +-chardev socket,id=charmonitor,fd=1729,server,nowait \
> +-mon chardev=charmonitor,id=monitor,mode=control \
> +-rtc base=utc \
> +-no-shutdown \
> +-boot menu=on,strict=on \
> +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
> +-tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \
> +-chardev socket,id=chrtpm,path=/dev/test \
> +-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \
> +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
> +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
> +resourcecontrol=deny \
> +-msg timestamp=on
> diff --git a/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml
> new file mode 100644
> index 0000000000..45fc4c0e1a
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/tpm-emulator-tpm2-pstate.xml
> @@ -0,0 +1,30 @@
> +<domain type='qemu'>
> + <name>TPM-VM</name>
> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
> + <memory unit='KiB'>2097152</memory>
> + <currentMemory unit='KiB'>512288</currentMemory>
> + <vcpu placement='static'>1</vcpu>
> + <os>
> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
> + <boot dev='hd'/>
> + <bootmenu enable='yes'/>
> + </os>
> + <features>
> + <acpi/>
> + </features>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> + <controller type='usb' index='0'/>
> + <controller type='pci' index='0' model='pci-root'/>
> + <input type='mouse' bus='ps2'/>
> + <input type='keyboard' bus='ps2'/>
> + <tpm model='tpm-tis'>
> + <backend type='emulator' version='2.0' persistent_state='yes'/>
> + </tpm>
> + <memballoon model='virtio'/>
> + </devices>
> +</domain>
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index 9b853c6d59..e96a51d18b 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -2460,6 +2460,7 @@ mymain(void)
> DO_TEST_CAPS_LATEST("tpm-emulator");
> DO_TEST_CAPS_LATEST("tpm-emulator-tpm2");
> DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc");
> + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate");
> DO_TEST_CAPS_LATEST_PPC64("tpm-emulator-spapr");
>
> DO_TEST_PARSE_ERROR("pci-domain-invalid", NONE);
> diff --git a/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml
> new file mode 100644
> index 0000000000..08bc8d690c
> --- /dev/null
> +++ b/tests/qemuxml2xmloutdata/tpm-emulator-tpm2-pstate.x86_64-latest.xml
> @@ -0,0 +1,37 @@
> +<domain type='qemu'>
> + <name>TPM-VM</name>
> + <uuid>11d7cd22-da89-3094-6212-079a48a309a1</uuid>
> + <memory unit='KiB'>2097152</memory>
> + <currentMemory unit='KiB'>512288</currentMemory>
> + <vcpu placement='static'>1</vcpu>
> + <os>
> + <type arch='x86_64' machine='pc-i440fx-2.12'>hvm</type>
> + <boot dev='hd'/>
> + <bootmenu enable='yes'/>
> + </os>
> + <features>
> + <acpi/>
> + </features>
> + <cpu mode='custom' match='exact' check='none'>
> + <model fallback='forbid'>qemu64</model>
> + </cpu>
> + <clock offset='utc'/>
> + <on_poweroff>destroy</on_poweroff>
> + <on_reboot>restart</on_reboot>
> + <on_crash>destroy</on_crash>
> + <devices>
> + <emulator>/usr/bin/qemu-system-x86_64</emulator>
> + <controller type='usb' index='0' model='piix3-uhci'>
> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
> + </controller>
> + <controller type='pci' index='0' model='pci-root'/>
> + <input type='mouse' bus='ps2'/>
> + <input type='keyboard' bus='ps2'/>
> + <tpm model='tpm-tis'>
> + <backend type='emulator' version='2.0' persistent_state='yes'/>
> + </tpm>
> + <memballoon model='virtio'>
> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
> + </memballoon>
> + </devices>
> +</domain>
> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
> index 1968be6782..f8bca9f559 100644
> --- a/tests/qemuxml2xmltest.c
> +++ b/tests/qemuxml2xmltest.c
> @@ -761,6 +761,7 @@ mymain(void)
> DO_TEST_CAPS_LATEST("tpm-emulator");
> DO_TEST_CAPS_LATEST("tpm-emulator-tpm2");
> DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-enc");
> + DO_TEST_CAPS_LATEST("tpm-emulator-tpm2-pstate");
>
> DO_TEST("metadata", NONE);
> DO_TEST("metadata-duplicate", NONE);
Otherwise looks good to me.
Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com>
3 years, 11 months
Re: libvirt-lxc: Permission issue of /proc/net
by John Hurnett
Hi Daniel,
My XML has an <interface> section. According to documentation
https://libvirt.org/drvlxc.html#securenetworking I have also tried with and
without <privnet/> parameter, but still files under /proc/net are owned by
user: nobody.
As might be expected there is no such problem in privileged containers, as
the root user is the same as on the host and files in /proc/net are then owned by root,
but to follow best practices I would like to use unprivileged containers.
I've used Fedora 33 as host and container. Could you check if this is
reproducible on your setup?
BR,
John
On Thu, Dec 24, 2020 at 12:21 PM Daniel P. Berrange <dan(a)berrange.com>
wrote:
> On Tue, Dec 22, 2020 at 07:14:23PM +0200, John Hurnett wrote:
> > Hi,
> > I've encountered a problem that some of /proc/net/ files can't be
> accessed
> > in unprivileged containers, because it is owned by nobody:nogroup (-1:-1)
> > and have 440 permissions.
> > This exact issue was solved in LXC project by unsharing netns:
> >
> https://github.com/lxc/lxc/commit/5b1e83cbc498cd3edeaf13afa987d530299a35a7
> > . Maybe it could be similarly fixed on libvirt-lxc?
>
> We already unshare netns when there is an <interface> in your XML
> config for the container. Is that still leaving the permissions
> issues? If so maybe it's an ordering issue for the unshare.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o-
> https://www.instagram.com/dberrange :|
>
>
3 years, 11 months
[PATCH] docs/formatstorageencryption.html.in: support qcow2 format in luks encryption volume
by Meina Li
Signed-off-by: Meina Li <meili(a)redhat.com>
---
docs/formatstorageencryption.html.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index ea80a87cfb..7215c307d7 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -128,7 +128,9 @@
<p>
Here is an example specifying use of the <code>luks</code> format for
- a specific cipher algorithm for volume creation:
+ a specific cipher algorithm for volume creation.
+ <span class="since">Since 6.10.0,</span> the <code>target</code> format
+ can also support <code>qcow2</code> type with <code>luks</code> encryption.
</p>
<pre>
<volume>
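Review bot: "the <code>target</code> format can also support <code>qcow2</code> type with <code>luks</code> encryption" is awkward; suggest "Since 6.10.0, a volume whose <code>target</code> format is <code>qcow2</code> may also use <code>luks</code> encryption." Keeping the <span class="since"> marker at the start of that sentence, as here, matches the rest of the page.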
--
2.27.0
3 years, 11 months
[RFC 3/5] pci: introduce apci-index property for PCI device
by Igor Mammedov
In x86/ACPI world, since systemd v197, linux distros are
using predictable network interface naming. Which on QEMU
based VMs results into path based
naming scheme, that names network interfaces based on PCI
topology.
With this one has to plug NIC in exactly the same bus/slot,
which was used when disk image was first provisioned/configured
or one risks losing network configuration due to NIC being
renamed to actually used topology.
That also restricts freedom to reshape PCI configuration of
VM without need to reconfigure used guest image.
systemd also offers "onboard" naming scheme which is
preferred over PCI slot/topology one, provided that
firmware implements:
"
PCI Firmware Specification 3.1
4.6.7. DSM for Naming a PCI or PCI Express Device Under
Operating Systems
"
that allows to assign user defined index to PCI device,
which systemd will use to name NIC. For example, using
-device e1000,acpi-index=100
guest will rename NIC to 'eno100', where 'eno' is default
prefix for "onboard" naming scheme. This doesn't require
any advance configuration on guest side.
Hope is that 'acpi-index' will be easier to consume by
management layer, compared to forcing specific PCI topology
and/or having several disk image templates for different
topologies and will help to simplify process of spawning
VM from the same template without need to reconfigure
guest network configuration.
This patch adds an 'acpi-index'* property and wires up
(abuses) unused pci hotplug registers to pass index
value to AML code at runtime.
Following patch will add corresponding _DSM code and
wire it up to PCI devices described in ACPI.
*) name comes from linux kernel terminology
Signed-off-by: Igor Mammedov <imammedo(a)redhat.com>
---
CC: libvir-list(a)redhat.com
include/hw/acpi/pcihp.h | 7 ++++++-
include/hw/pci/pci.h | 1 +
hw/acpi/pci.c | 6 ++++++
hw/acpi/pcihp.c | 25 ++++++++++++++++++++++++-
hw/i386/acpi-build.c | 10 ++++++++++
hw/pci/pci.c | 1 +
6 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/include/hw/acpi/pcihp.h b/include/hw/acpi/pcihp.h
index dfd375820f..72d1773ca1 100644
--- a/include/hw/acpi/pcihp.h
+++ b/include/hw/acpi/pcihp.h
@@ -46,6 +46,7 @@ typedef struct AcpiPciHpPciStatus {
typedef struct AcpiPciHpState {
AcpiPciHpPciStatus acpi_pcihp_pci_status[ACPI_PCIHP_MAX_HOTPLUG_BUS];
uint32_t hotplug_select;
+ uint32_t acpi_index;
PCIBus *root;
MemoryRegion io;
bool legacy_piix;
@@ -71,6 +72,8 @@ void acpi_pcihp_reset(AcpiPciHpState *s, bool acpihp_root_off);
extern const VMStateDescription vmstate_acpi_pcihp_pci_status;
+bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id);
+
#define VMSTATE_PCI_HOTPLUG(pcihp, state, test_pcihp) \
VMSTATE_UINT32_TEST(pcihp.hotplug_select, state, \
test_pcihp), \
@@ -78,6 +81,8 @@ extern const VMStateDescription vmstate_acpi_pcihp_pci_status;
ACPI_PCIHP_MAX_HOTPLUG_BUS, \
test_pcihp, 1, \
vmstate_acpi_pcihp_pci_status, \
- AcpiPciHpPciStatus)
+ AcpiPciHpPciStatus), \
+ VMSTATE_UINT32_TEST(pcihp.acpi_index, state, \
+ vmstate_acpi_pcihp_use_acpi_index)
#endif
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 259f9c992d..e592532558 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -357,6 +357,7 @@ struct PCIDevice {
/* ID of standby device in net_failover pair */
char *failover_pair_id;
+ uint32_t acpi_index;
};
void pci_register_bar(PCIDevice *pci_dev, int region_num,
diff --git a/hw/acpi/pci.c b/hw/acpi/pci.c
index 9510597a19..07d5101d83 100644
--- a/hw/acpi/pci.c
+++ b/hw/acpi/pci.c
@@ -27,6 +27,7 @@
#include "hw/acpi/aml-build.h"
#include "hw/acpi/pci.h"
#include "hw/pci/pcie_host.h"
+#include "hw/acpi/pcihp.h"
void build_mcfg(GArray *table_data, BIOSLinker *linker, AcpiMcfgInfo *info)
{
@@ -59,3 +60,8 @@ void build_mcfg(GArray *table_data, BIOSLinker *linker, AcpiMcfgInfo *info)
"MCFG", table_data->len - mcfg_start, 1, NULL, NULL);
}
+bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id)
+{
+ AcpiPciHpState *s = opaque;
+ return s->acpi_index;
+}
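Review bot: `vmstate_acpi_pcihp_use_acpi_index()` decides whether the new vmstate field is present from runtime state (`return s->acpi_index;`), but a field_exists test is also evaluated on the destination, whose AcpiPciHpState has just been reset with acpi_index == 0; a migration that starts between the AML write and the read therefore sends a field the receiver does not expect and the stream goes out of sync. Key the test on a machine-type compat property instead, and make the bool explicit (`return s->acpi_index != 0;`) if the test is kept. The helper also sits in hw/acpi/pci.c next to build_mcfg() although the state it inspects is owned by hw/acpi/pcihp.c; it belongs in the latter.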
diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index 9dc4d3e2db..9634567e3a 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -347,7 +347,8 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
trace_acpi_pci_down_read(val);
break;
case PCI_EJ_BASE:
- /* No feature defined yet */
+ val = s->acpi_index;
+ s->acpi_index = 0;
trace_acpi_pci_features_read(val);
break;
case PCI_RMV_BASE:
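Review bot: a read of PCI_EJ_BASE now returns and clears acpi_index while the trace call below it is still trace_acpi_pci_features_read(), so the trace name no longer describes the value; rename it or add a dedicated trace point. Because the register is read-once, any other guest read of this offset discards a pending index; AIDX holds BLCK around its write/read pair, which covers the ACPI callers, but the comment that replaced "No feature defined yet" should state this read-to-clear contract so the coupling with the AML is visible from the C side.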
@@ -367,8 +368,30 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
static void pci_write(void *opaque, hwaddr addr, uint64_t data,
unsigned int size)
{
+ int slot;
+ PCIBus *bus;
+ BusChild *kid, *next;
AcpiPciHpState *s = opaque;
+
+ s->acpi_index = 0;
switch (addr) {
+ case PCI_UP_BASE:
+ slot = ctz32(data);
+
+ if (s->hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+ break;
+ }
+
+ bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select);
+ QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) {
+ Object *o = OBJECT(kid->child);
+ PCIDevice *dev = PCI_DEVICE(o);
+ if (PCI_SLOT(dev->devfn) == slot) {
+ s->acpi_index = object_property_get_uint(o, "acpi-index", NULL);
+ break;
+ }
+ }
+ break;
case PCI_EJ_BASE:
if (s->hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
break;
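Review bot: in the new PCI_UP_BASE case, `bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select)` is dereferenced in `QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, ...)` without a NULL check; unless that lookup is guaranteed to succeed for every bsel below ACPI_PCIHP_MAX_HOTPLUG_BUS, add `if (!bus) break;` before the loop, since the selection is guest-controlled through the AML method. Also, `object_property_get_uint(o, "acpi-index", NULL)` returns 0 on error, which is indistinguishable from the "nothing selected" value, so consider passing `&error_abort` or logging the failure.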
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index f18b71dea9..27d2958e25 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1132,6 +1132,16 @@ static void build_piix4_pci_hotplug(Aml *table)
aml_append(method, aml_return(aml_int(0)));
aml_append(scope, method);
+ method = aml_method("AIDX", 2, AML_NOTSERIALIZED);
+ aml_append(method, aml_acquire(aml_name("BLCK"), 0xFFFF));
+ aml_append(method, aml_store(aml_arg(0), aml_name("BNUM")));
+ aml_append(method,
+ aml_store(aml_shiftleft(aml_int(1), aml_arg(1)), aml_name("PCIU")));
+ aml_append(method, aml_store(aml_name("B0EJ"), aml_local(0)));
+ aml_append(method, aml_release(aml_name("BLCK")));
+ aml_append(method, aml_return(aml_local(0)));
+ aml_append(scope, method);
+
aml_append(table, scope);
}
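Review bot: AIDX is declared AML_NOTSERIALIZED and relies on BLCK for mutual exclusion, which is consistent with the neighbouring hotplug methods; since B0EJ is now a read-to-clear register shared with ejection handling, a comment above this method describing the protocol (store bus to BNUM, store 1 << slot to PCIU, read B0EJ) would help the next reader connect it to pci_write()/pci_read() in hw/acpi/pcihp.c.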
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index d4349ea577..617f48ff3b 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -76,6 +76,7 @@ static Property pci_props[] = {
QEMU_PCIE_EXTCAP_INIT_BITNR, true),
DEFINE_PROP_STRING("failover_pair_id", PCIDevice,
failover_pair_id),
+ DEFINE_PROP_UINT32("acpi-index", PCIDevice, acpi_index, -1),
DEFINE_PROP_END_OF_LIST()
};
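Review bot: the property default of -1 is stored in a uint32_t, so every device without an explicit acpi-index reports 0xFFFFFFFF through the PCI_EJ_BASE read path, where 0 already means "nothing selected"; the _DSM in the following patch must treat 0xFFFFFFFF as "no index" rather than hand it to the guest as an onboard index, or the default should be 0 so that unset and absent devices look the same. The property also needs documentation of its valid range, given that the CC to libvir-list signals management layers are meant to set it.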
--
2.27.0
3 years, 11 months
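An added model, not QEMU code, of the register hand-off this patch introduces between the AIDX AML method and pci_write()/pci_read(): a write to PCI_SEL_BASE selects the bus, a write of 1 << slot to PCI_UP_BASE looks up that slot's acpi-index, and the next read of PCI_EJ_BASE returns the value and clears it. The register offsets, the bus limit and the 0xFFFFFFFF encoding of the property's -1 default are assumptions about the surrounding QEMU code rather than values shown in the hunks; the model also adds a guard for a missing bus that the hunk does not have, and derives the systemd "eno<index>" name the cover letter describes.

```python
import threading

# Assumed constants: register offsets and bus limit as in QEMU's
# hw/acpi/pcihp.c; the acpi-index property's -1 default is a uint32, so a
# device that never had the property set reads back as 0xFFFFFFFF.
PCI_UP_BASE = 0x0000
PCI_EJ_BASE = 0x0008
PCI_SEL_BASE = 0x0010
ACPI_PCIHP_MAX_HOTPLUG_BUS = 256
ACPI_INDEX_UNSET = 0xFFFFFFFF


def ctz32(value):
    """Count trailing zeros of a 32-bit value; 32 for zero, like QEMU's ctz32()."""
    value &= 0xFFFFFFFF
    if value == 0:
        return 32
    return (value & -value).bit_length() - 1


class PciHpModel:
    """Host-side state of the hotplug registers, as far as acpi-index uses them."""

    def __init__(self, buses):
        # buses: {bus_number: {slot: {"acpi-index": n} or {}}}, a constructed topology
        self.buses = buses
        self.hotplug_select = 0
        self.acpi_index = 0
        self.blck = threading.Lock()  # stands in for the BLCK mutex AIDX acquires

    def write(self, addr, data):
        self.acpi_index = 0  # any register write drops a pending index, as in the patch
        if addr == PCI_SEL_BASE:
            self.hotplug_select = data
        elif addr == PCI_UP_BASE:
            slot = ctz32(data)  # only the lowest set bit selects a slot
            if self.hotplug_select >= ACPI_PCIHP_MAX_HOTPLUG_BUS:
                return
            bus = self.buses.get(self.hotplug_select)
            if bus is None:  # added guard: the hunk dereferences the bus unconditionally
                return
            dev = bus.get(slot)
            if dev is not None:
                self.acpi_index = dev.get("acpi-index", ACPI_INDEX_UNSET)

    def read(self, addr):
        if addr == PCI_EJ_BASE:
            val, self.acpi_index = self.acpi_index, 0  # read-once: cleared on read
            return val
        return 0


def aidx(model, bus_number, slot):
    """Mirror of the AIDX(Arg0=bus, Arg1=slot) AML method from hw/i386/acpi-build.c."""
    with model.blck:
        model.write(PCI_SEL_BASE, bus_number)  # Store(Arg0, BNUM)
        model.write(PCI_UP_BASE, 1 << slot)    # Store(ShiftLeft(1, Arg1), PCIU)
        return model.read(PCI_EJ_BASE)         # Local0 = B0EJ


def onboard_ifname(index):
    """systemd 'onboard' name for an index the firmware reports, or None."""
    if index == 0 or index == ACPI_INDEX_UNSET:
        return None  # 0: empty slot or no selection; 0xFFFFFFFF: property default
    return "eno%d" % index


if __name__ == "__main__":
    topology = {0: {3: {"acpi-index": 100}, 4: {}}}
    model = PciHpModel(topology)
    for bus, slot in ((0, 3), (0, 4), (0, 7), (1, 3)):
        idx = aidx(model, bus, slot)
        print("bus %d slot %d -> index 0x%x -> %s" % (bus, slot, idx, onboard_ifname(idx)))
```

The edge cases the model exercises are the ones a reviewer would check in the real code: a slot with no device and an out-of-range or unknown bus both yield 0, a device whose property was never set yields the 0xFFFFFFFF sentinel, and a second read of PCI_EJ_BASE returns 0 because the first read consumed the value.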