[libvirt PATCH 0/2] Addendum to hyperv-passthrough
by Tim Wiederhake
Spotted by Daniel. Patches were already merged though, hence this addendum.
Tim Wiederhake (2):
docs: domain: Clarify on the dangers of migrating with
hyperv-passthrough enabled
virDomainFeaturesHyperVDefParse: Compare hyperv mode
docs/formatdomain.rst | 9 ++++++++-
src/conf/domain_conf.c | 9 +++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
--
2.31.1
3 years, 6 months
[libvirt PATCH 00/17] Bump minimum dnsmasq version
by Ján Tomko
This bumps the minimum dnsmasq version to the point where we do not need
capability probing, reducing it to a version check (which I will be
happy to remove on request).
Unless I missed something, this also means we no longer need to spawn
radvd manually.
Note that DNSMASQ_CAPS_BINDTODEVICE was the indication of a downstream
mitigation of a CVE that should no longer be needed if we have
--bind-dynamic
Ján Tomko (17):
util: dnsmasqCapsSetFromBuffer: use error label
tests: do not test dnsmasq older than 2.67
util: dnsmasq: mandate at least version 2.67
network: assume DNSMASQ_DHCPv6_SUPPORT
network: assume DNSMASQ_RA_SUPPORT
util: remove DNSMASQ_RA_SUPPORT
network: assume DNSMASQ_CAPS_BIND_DYNAMIC
network: assume DNSMASQ_CAPS_RA_PARAM
util: dnsmasq: delete assumed capability flags
network: remove any code dealing with radvd
network: driver: remove unused radvdStateDir variable
conf: remove radvdPid from virNetworkObj
build: do not search for radvd binary
spec: do not require radvd
util: remove dnsmasqCapsGetVersion
util: dnsmasq: remove caps completely
network: remove unused 'driver' parameter
libvirt.spec.in | 2 -
meson.build | 1 -
src/conf/virnetworkobj.c | 16 -
src/conf/virnetworkobj.h | 7 -
src/libvirt_private.syms | 4 -
src/network/bridge_driver.c | 459 ++----------------
src/network/bridge_driver_platform.h | 1 -
src/util/virdnsmasq.c | 69 +--
src/util/virdnsmasq.h | 24 -
.../networkxml2confdata/isolated-network.conf | 5 +-
.../nat-network-dns-srv-record-minimal.conf | 10 +-
.../nat-network-dns-srv-record.conf | 2 +
.../nat-network-dns-txt-record.conf | 2 +
.../nat-network-name-with-quotes.conf | 10 +-
.../networkxml2confdata/netboot-network.conf | 4 +-
.../netboot-proxy-network.conf | 4 +-
tests/networkxml2conftest.c | 32 +-
17 files changed, 83 insertions(+), 569 deletions(-)
--
2.31.1
3 years, 6 months
[libvirt PATCH] Fix some typos
by Tim Wiederhake
Signed-off-by: Tim Wiederhake <twiederh(a)redhat.com>
---
docs/manpages/virsh.rst | 2 +-
src/qemu/qemu_domain.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index 275f416090..265725d214 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -3203,7 +3203,7 @@ host. By default only non-shared non-readonly images are transferred. Use
*--migrate-disks* to explicitly specify a list of disk targets to
transfer via the comma separated ``disk-list`` argument.
With *--copy-storage-synchronous-writes* flag used the disk data migration will
-synchronously handle guest disk writes to both the original soure and the
+synchronously handle guest disk writes to both the original source and the
destination to ensure that the disk migration converges at the price of possibly
decreased burst performance.
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 5474d1dccc..6586411919 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -344,7 +344,7 @@ struct _qemuDomainChrSourcePrivate {
int fd; /* file descriptor of the chardev source */
int logfd; /* file descriptor of the logging source */
- bool wait; /* wait for incomming connections on chardev */
+ bool wait; /* wait for incoming connections on chardev */
char *tlsCertPath; /* path to certificates if TLS is requested */
bool tlsVerify; /* whether server should verify client certificates */
--
2.31.1
3 years, 6 months
[libvirt PATCH 0/2] qemu: Add support for return-path migration capability
by Jiri Denemark
See 2/2 for more details about the capability.
Jiri Denemark (2):
qemu: Support enabling migration caps unless a flag is used
qemu: Add support for return-path migration capability
src/qemu/qemu_migration_params.c | 39 ++++++++++++++++++++++++--------
src/qemu/qemu_migration_params.h | 1 +
2 files changed, 31 insertions(+), 9 deletions(-)
--
2.34.1
3 years, 6 months
[PATCH] rpm: don't start/stop -ro.socket units for virtlockd/virtlogd
by Daniel P. Berrangé
These daemons do not have any support for unprivileged readonly
access, so we must not reference -ro.socket units in scripts.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 97030be407..e672fcc3a5 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1279,14 +1279,18 @@ then \
fi \
%libvirt_daemon_finish_restart %1
+# For daemons with only UNIX sockets
%define libvirt_daemon_systemd_post() %systemd_post %1.socket %1-ro.socket %1-admin.socket %1.service
-
-%define libvirt_daemon_systemd_post_inet() %systemd_post %1.socket %1-ro.socket %1-admin.socket %1-tls.socket %1-tcp.socket %1.service
-
%define libvirt_daemon_systemd_preun() %systemd_preun %1.service %1-ro.socket %1-admin.socket %1.socket
+# For daemons with UNIX and INET sockets
+%define libvirt_daemon_systemd_post_inet() %systemd_post %1.socket %1-ro.socket %1-admin.socket %1-tls.socket %1-tcp.socket %1.service
%define libvirt_daemon_systemd_preun_inet() %systemd_preun %1.service %1-ro.socket %1-admin.socket %1-tls.socket %1-tcp.socket %1.socket
+# For daemons with only UNIX sockets and no unprivileged read-only access
+%define libvirt_daemon_systemd_post_priv() %systemd_post %1.socket %1-admin.socket %1.service
+%define libvirt_daemon_systemd_preun_priv() %systemd_preun %1.service %1-admin.socket %1.socket
+
%pre daemon
# 'libvirt' group is just to allow password-less polkit access to
# libvirtd. The uid number is irrelevant, so we use dynamic allocation
@@ -1296,8 +1300,8 @@ getent group libvirt >/dev/null || groupadd -r libvirt
exit 0
%post daemon
-%libvirt_daemon_systemd_post virtlogd
-%libvirt_daemon_systemd_post virtlockd
+%libvirt_daemon_systemd_post_priv virtlogd
+%libvirt_daemon_systemd_post_priv virtlockd
%if %{with_modular_daemons}
%libvirt_daemon_systemd_post_inet virtproxyd
%else
@@ -1313,8 +1317,8 @@ exit 0
%libvirt_daemon_systemd_preun_inet libvirtd
%libvirt_daemon_systemd_preun_inet virtproxyd
-%libvirt_daemon_systemd_preun virtlogd
-%libvirt_daemon_systemd_preun virtlockd
+%libvirt_daemon_systemd_preun_priv virtlogd
+%libvirt_daemon_systemd_preun_priv virtlockd
%postun daemon
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
--
2.33.1
3 years, 6 months
[PATCH] rpm: fix typo in daemon name in %post/%preun scripts
by Daniel P. Berrangé
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 32b4243d0a..97030be407 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1297,7 +1297,7 @@ exit 0
%post daemon
%libvirt_daemon_systemd_post virtlogd
-%libvirt_daemon_systemd_post virtlockdd
+%libvirt_daemon_systemd_post virtlockd
%if %{with_modular_daemons}
%libvirt_daemon_systemd_post_inet virtproxyd
%else
@@ -1314,7 +1314,7 @@ exit 0
%libvirt_daemon_systemd_preun_inet libvirtd
%libvirt_daemon_systemd_preun_inet virtproxyd
%libvirt_daemon_systemd_preun virtlogd
-%libvirt_daemon_systemd_preun virtlockdd
+%libvirt_daemon_systemd_preun virtlockd
%postun daemon
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
--
2.33.1
3 years, 6 months
[libvirt PATCH 00/10] Enable hyperv-passthrough
by Tim Wiederhake
This series enables "hv-passthrough" in libvirt.
See https://bugzilla.redhat.com/show_bug.cgi?id=1851249.
Example usage in VM definition:
<features>
<hyperv mode='passthrough'/>
</features>
Tim Wiederhake (10):
schema: Wrap hyperv element in choice and group
schema: Add optional "mode" attribute to hyperv
conf: domain: Define enum for HyperV mode
virDomainFeaturesHyperVDefParse: Read attribute "mode" of element
"hyperv"
virDomainDefFormatFeatures: Write attribute "mode" of element "hyperv"
docs: domain: Add documentation for "hyperv"'s new "mode" attribute
conf: domain: Add hyperv passthrough mode
schema: hyperv: Add mode "passthrough"
tests: Add tests for hyperv-passthrough
docs: domain: Add documentation for hyperv passthrough mode
docs/formatdomain.rst | 13 +-
docs/schemas/domaincommon.rng | 172 ++++++++++--------
src/conf/domain_conf.c | 23 ++-
src/conf/domain_conf.h | 8 +
src/qemu/qemu_command.c | 18 +-
src/qemu/qemu_validate.c | 2 +-
.../hyperv-passthrough.x86_64-6.1.0.args | 32 ++++
.../hyperv-passthrough.x86_64-latest.args | 32 ++++
tests/qemuxml2argvdata/hyperv-passthrough.xml | 27 +++
tests/qemuxml2argvtest.c | 2 +
tests/qemuxml2xmloutdata/hyperv-off.xml | 2 +-
.../qemuxml2xmloutdata/hyperv-passthrough.xml | 31 ++++
.../hyperv-stimer-direct.xml | 2 +-
tests/qemuxml2xmloutdata/hyperv.xml | 2 +-
tests/qemuxml2xmltest.c | 1 +
15 files changed, 277 insertions(+), 90 deletions(-)
create mode 100644 tests/qemuxml2argvdata/hyperv-passthrough.x86_64-6.1.0.args
create mode 100644 tests/qemuxml2argvdata/hyperv-passthrough.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/hyperv-passthrough.xml
create mode 100644 tests/qemuxml2xmloutdata/hyperv-passthrough.xml
--
2.31.1
3 years, 6 months
[libvirt PATCH 0/5] use g_auto for virCommand (Episode II.V: Goodbye, Galaxy!)
by Ján Tomko
Fear not, the end is near.
Ján Tomko (5):
docs: use g_auto in virCommand example
util: dnsmasq: refactor CapsRefresh
util: iscsi: use two vars in CreateIfaceIQN
util: refactor virNodeSuspendSetNodeWakeup
util: use g_auto in virNodeSuspendHelper
docs/internals/command.html.in | 12 +++--------
src/util/virdnsmasq.c | 37 +++++++++++++++-------------------
src/util/viriscsi.c | 34 +++++++++++++++----------------
src/util/virnodesuspend.c | 16 +++------------
4 files changed, 39 insertions(+), 60 deletions(-)
--
2.31.1
3 years, 6 months
[PATCH] libxl: Implement domainGetMessages API
by Jim Fehlig
Since commit 46783e6307a, the 'virsh dominfo' command calls
virDomainGetMessages to report any messages from the domain.
Hypervisors not implementing the API now get the following
log message when clients invoke 'virsh dominfo'
this function is not supported by the connection driver: virDomainGetMessages
Although libxl currently does not support any tainting or
deprecation messages, provide an implementation to squelch
the previously unseen error message when collecting dominfo.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
src/libxl/libxl_driver.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index bc8598ea96..2d9385654c 100644
--- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -6385,6 +6385,29 @@ libxlDomainGetMetadata(virDomainPtr dom,
return ret;
}
+static int
+libxlDomainGetMessages(virDomainPtr dom,
+ char ***msgs,
+ unsigned int flags)
+{
+ virDomainObj *vm = NULL;
+ int ret = -1;
+
+ virCheckFlags(0, -1);
+
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ return -1;
+
+ if (virDomainGetMessagesEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
+ ret = virDomainObjGetMessages(vm, msgs, flags);
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+ return ret;
+}
+
static virHypervisorDriver libxlHypervisorDriver = {
.name = LIBXL_DRIVER_EXTERNAL_NAME,
.connectURIProbe = libxlConnectURIProbe,
@@ -6498,6 +6521,7 @@ static virHypervisorDriver libxlHypervisorDriver = {
.connectBaselineCPU = libxlConnectBaselineCPU, /* 2.3.0 */
.domainSetMetadata = libxlDomainSetMetadata, /* 5.7.0 */
.domainGetMetadata = libxlDomainGetMetadata, /* 5.7.0 */
+ .domainGetMessages = libxlDomainGetMessages, /* 8.0.0 */
};
--
2.34.1
3 years, 6 months
[libvirt PATCH v3 00/13] Improve AMD SEV support
by Daniel P. Berrangé
This addresses a few issues in the AMD SEV support
- Neither host or domain level SEV metadata is
exposed in virsh commands
- The domain launch security parameters don't expose
enough info to validate the measurement
- Support verified direct kernel boot
- Report max SEV/SEV-ES guest counts
The second point was the initial purpose of my work. Per the
SEV API guide to calculate the measurement we need
measurement = HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
The API_MINOR, API_MAJOR, BUILD values are things that are
available from 'query-sev' QMP command and libvirt does
not expose this info. This patch series adds them to
virDomainGetLaunchSecurityParams alongside the measurement
that we already report.
So now the client can fetch this info and calculate an expected
measurement to compare with the actual measurement they got.
They will thus know if the guest is safe to inject secrets into,
which is where Jim's recent patches come into play.
In v3:
- Refactor CPUID code so and mock it in test suite
Daniel P. Berrangé (13):
include: add new launch security parameters
qemu: report error querying launch params for inactive guest
qemu: add monitor APIs for query-sev
qemu: report new launch security parameters
tools: add 'domlaunchsecinfo' virsh command
tools: add 'nodesevinfo' virsh command
conf: extend domain capabilities for max SEV guest count
include: define parameters for reporting SEV guest limits
util: pull CPUID helper function out of CPU driver
qemu: report max number of SEV guests
conf: add support for setting SEV kernel hashes
qemu: probe for sev-guest.kernel-hashes property
qemu: format sev-guest.kernel-hashes property
docs/formatdomain.rst | 7 +-
docs/formatdomaincaps.html.in | 6 +
docs/manpages/virsh.rst | 31 +++++
docs/schemas/domaincaps.rng | 6 +
docs/schemas/domaincommon.rng | 5 +
include/libvirt/libvirt-domain.h | 32 +++++
include/libvirt/libvirt-host.h | 16 +++
src/conf/domain_capabilities.c | 4 +
src/conf/domain_capabilities.h | 2 +
src/conf/domain_conf.c | 8 ++
src/conf/domain_conf.h | 1 +
src/cpu/cpu_x86.c | 34 +-----
src/libvirt_private.syms | 1 +
src/qemu/qemu_capabilities.c | 47 ++++++++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 1 +
src/qemu/qemu_driver.c | 59 ++++++++--
src/qemu/qemu_monitor.c | 13 +++
src/qemu/qemu_monitor.h | 9 ++
src/qemu/qemu_monitor_json.c | 46 ++++++++
src/qemu/qemu_monitor_json.h | 9 ++
src/qemu/qemu_validate.c | 7 ++
src/util/virhostcpu.c | 58 ++++++++++
src/util/virhostcpu.h | 7 ++
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 7 +-
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 7 +-
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 7 +-
.../caps_2.12.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.1.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.1.0.x86_64.replies | 89 ++++++++++----
.../caps_4.2.0.x86_64.replies | 89 ++++++++++----
.../caps_5.0.0.x86_64.replies | 89 ++++++++++----
.../caps_5.1.0.x86_64.replies | 89 ++++++++++----
.../caps_5.2.0.x86_64.replies | 89 ++++++++++----
.../caps_6.0.0.x86_64.replies | 89 ++++++++++----
.../caps_6.1.0.x86_64.replies | 89 ++++++++++----
.../caps_6.2.0.x86_64.replies | 109 ++++++++++++++----
.../caps_6.2.0.x86_64.xml | 8 ++
tests/qemumonitorjsontest.c | 43 +++++++
...unch-security-sev-direct.x86_64-6.2.0.args | 40 +++++++
.../launch-security-sev-direct.xml | 39 +++++++
tests/qemuxml2argvtest.c | 1 +
tests/testutilsqemu.c | 21 ++++
tools/virsh-domain.c | 53 +++++++++
tools/virsh-host.c | 45 ++++++++
53 files changed, 1514 insertions(+), 299 deletions(-)
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-6.2.0.args
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml
--
2.33.1
3 years, 6 months
