[libvirt PATCH v2 00/12] Improve AMD SEV support
by Daniel P. Berrangé
This addresses a few issues in the AMD SEV support
- Neither host or domain level SEV metadata is
exposed in virsh commands
- The domain launch security parameters don't expose
enough info to validate the measurement
- Support verified direct kernel boot
- Report max SEV/SEV-ES guest counts
The second point was the initial purpose of my work. Per the
SEV API guide to calculate the measurement we need
measurement = HMAC(0x04 || API_MAJOR || API_MINOR || BUILD ||
GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)
The API_MINOR, API_MAJOR, BUILD values are things that are
available from 'query-sev' QMP command and libvirt does
not expose this info. This patch series adds them to
virDomainGetLaunchSecurityParams alongside the measurement
that we already report.
So now the client can fetch this info and calculate an expected
measurement to compare with the actual measurement they got.
They will thus know if the guest is safe to inject secrets into,
which is where Jim's recent patches come into play.
Daniel P. Berrangé (12):
include: add new launch security parameters
qemu: report error querying launch params for inactive guest
qemu: add monitor APIs for query-sev
qemu: report new launch security parameters
tools: add 'domlaunchsecinfo' virsh command
tools: add 'nodesevinfo' virsh command
conf: extend domain capabilities for max SEV guest count
include: define parameters for reporting SEV guest limits
qemu: report max number of SEV guests
conf: add support for setting SEV kernel hashes
qemu: probe for sev-guest.kernel-hashes property
qemu: format sev-guest.kernel-hashes property
docs/formatdomain.rst | 7 +-
docs/formatdomaincaps.html.in | 6 +
docs/manpages/virsh.rst | 31 +++++
docs/schemas/domaincaps.rng | 6 +
docs/schemas/domaincommon.rng | 5 +
include/libvirt/libvirt-domain.h | 32 +++++
include/libvirt/libvirt-host.h | 16 +++
src/conf/domain_capabilities.c | 4 +
src/conf/domain_capabilities.h | 2 +
src/conf/domain_conf.c | 8 ++
src/conf/domain_conf.h | 1 +
src/qemu/qemu_capabilities.c | 46 ++++++++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 7 ++
src/qemu/qemu_driver.c | 59 ++++++++--
src/qemu/qemu_monitor.c | 13 +++
src/qemu/qemu_monitor.h | 9 ++
src/qemu/qemu_monitor_json.c | 46 ++++++++
src/qemu/qemu_monitor_json.h | 9 ++
src/qemu/qemu_validate.c | 8 ++
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 2 +
tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 2 +
.../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 7 +-
.../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 7 +-
tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 7 +-
.../caps_2.12.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_3.1.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.0.0.x86_64.replies | 97 ++++++++++++----
.../caps_4.1.0.x86_64.replies | 89 ++++++++++----
.../caps_4.2.0.x86_64.replies | 89 ++++++++++----
.../caps_5.0.0.x86_64.replies | 89 ++++++++++----
.../caps_5.1.0.x86_64.replies | 89 ++++++++++----
.../caps_5.2.0.x86_64.replies | 89 ++++++++++----
.../caps_6.0.0.x86_64.replies | 89 ++++++++++----
.../caps_6.1.0.x86_64.replies | 89 ++++++++++----
.../caps_6.2.0.x86_64.replies | 109 ++++++++++++++----
.../caps_6.2.0.x86_64.xml | 8 ++
tests/qemumonitorjsontest.c | 43 +++++++
...unch-security-sev-direct.x86_64-6.2.0.args | 40 +++++++
.../launch-security-sev-direct.xml | 39 +++++++
tests/qemuxml2argvtest.c | 1 +
tools/virsh-domain.c | 53 +++++++++
tools/virsh-host.c | 45 ++++++++
48 files changed, 1427 insertions(+), 271 deletions(-)
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.x86_64-6.2.0.args
create mode 100644 tests/qemuxml2argvdata/launch-security-sev-direct.xml
--
2.33.1
3 years, 6 months
[PATCH] qemuProcessPrepareHost: Create domain private dirs as early as possible
by Michal Privoznik
As of ff024b60cc3 we are opening chardevs before starting QEMU.
However, we also doing that before domain private directories are
created. This leaves us impossible to create guest agent socket
which lives under priv->channelTargetDir.
While creating the dirs can be moved just before
qemuProcessPrepareHostBackendChardev() it's better to do it as
the very first step so that this kind of error is prevented in
future.
Fixes: ff024b60cc39d5d41b1e68728a00a47e103ec4dd
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_process.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 4963ce383f..82d0af5549 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7024,6 +7024,14 @@ qemuProcessPrepareHost(virQEMUDriver *driver,
qemuDomainObjPrivate *priv = vm->privateData;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
+ /*
+ * Create all per-domain directories in order to make sure domain
+ * with any possible seclabels can access it.
+ */
+ if (qemuProcessMakeDir(driver, vm, priv->libDir) < 0 ||
+ qemuProcessMakeDir(driver, vm, priv->channelTargetDir) < 0)
+ return -1;
+
if (qemuPrepareNVRAM(driver, vm) < 0)
return -1;
@@ -7085,14 +7093,6 @@ qemuProcessPrepareHost(virQEMUDriver *driver,
return -1;
}
- /*
- * Create all per-domain directories in order to make sure domain
- * with any possible seclabels can access it.
- */
- if (qemuProcessMakeDir(driver, vm, priv->libDir) < 0 ||
- qemuProcessMakeDir(driver, vm, priv->channelTargetDir) < 0)
- return -1;
-
VIR_DEBUG("Write domain masterKey");
if (qemuDomainWriteMasterKeyFile(driver, vm) < 0)
return -1;
--
2.32.0
3 years, 6 months
[libvirt PATCH] nss: Use shared_library() for nss_libvirt_lib
by Andrea Bolognani
shared_module() is intended for shared objects that are
loaded at runtime using dlopen() whereas NSS plugins need to
be full-fledged shared libraries with, among other things, a
proper SONAME.
Meson seems to have become more strict about this recently,
because libnss_libvirt.so.2 gets a SONAME when I build it with
Meson 0.59.4 on Fedora 34 but doesn't when I use Meson 0.60.2
on Debian testing instead.
Either way, shared_library() was always the right function
to use for NSS plugins.
Fixes: 36780c931900555706fd6db9fc2ce2b4cabf9045
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
tools/nss/meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/nss/meson.build b/tools/nss/meson.build
index 198936f3d4..f77309ebca 100644
--- a/tools/nss/meson.build
+++ b/tools/nss/meson.build
@@ -59,7 +59,7 @@ nss_libvirt_guest_syms = '@0@@1@'.format(
meson.current_source_dir() / nss_guest_sym_file,
)
-nss_libvirt_lib = shared_module(
+nss_libvirt_lib = shared_library(
'nss_libvirt',
name_prefix: nss_prefix,
name_suffix: 'so.@0@'.format(nss_so_ver),
--
2.31.1
3 years, 6 months
[PATCH 00/24] chardev handling cleanups (chardev refactors part 2)
by Peter Krempa
In this part I'm cleaning up the command line generators and unifying
them. Until now there were multiple custom -chardev generators in places
where it was simpler to use it than the common code. This series fixes
the common code to have sane API and refactors virtiofs, vhost-user-blk
vhost-user-gpu and TPM code to use it.
After this series we are left with 3 distinct generators for chardev
properties:
- commandline
- commandline for capabilties probing
- QMP
After the refactors here we can finally also add DO_TEST_CAPS_LATEST
of chardev tests without actually touching the host as part of the
testsuite which was impossible before.
In further parts the generators will be put into one place and prepared
for upcoming qemu refactors.
Peter Krempa (24):
virDomainDeviceInfoIterateFlags: Export the symbol
qemu: domain: Introduce helpers for initializing chardev backend of
devices
qemu: Move creation and opening of chardev backend FDs to host prepare
step
qemu: command: Remove unused QEMU_BUILD_CHARDEV_FILE_LOGD and
QEMU_BUILD_CHARDEV_UNIX_FD_PASS
qemu: command: remove the unused 'chardevStdioLogd' argument/variable
qemu: domain: Refactor chardev definition preparing
qemu: Store chardev 'wait' flag in chardev source private data
qemuBuildChrChardevStr: Remove 'cdevflags' argument
qemuBuildChrChardevStr: Remove unused arguments and clean up callers
qemuxml2argvtest: Add DO_TEST_CAPS_LATEST versions for all character
device tests
qemuxml2argvtest: Add _LATEST version for 'name-escape' case
qemuBuildConsoleCommandLine: Remove identical code
qemuBuildChrChardevStr: Directly generate command line
qemuBuildChardevCommand: Move earlier
qemuBuildChardevCommand: Don't prefix alias
qemuBuildChardevCommand: Split creation of the command and setup of
other objects
qemu: Store TLS config options for chardevs in
qemuDomainChrSourcePrivate
qemuBuildChardevCommand: Remove unused 'cfg' parameter
qemu: Implement chardev source setup for disk
qemu: Use qemuBuildChrChardevCommand for vhost-user disk backend
qemu: Use qemuBuildChrChardevCommand for virtiofs backend chardev
qemu: Use qemuBuildChrChardevCommand for vhost-user-gpu backend
chardev
qemu: Implement chardev source setup for tpm
qemu: command: Use 'qemuBuildChrChardevCommand' to build TPM backend
src/libvirt_private.syms | 1 +
src/qemu/qemu_block.c | 1 -
src/qemu/qemu_block.h | 1 -
src/qemu/qemu_command.c | 1095 +++++++----------
src/qemu/qemu_command.h | 2 -
src/qemu/qemu_domain.c | 258 +++-
src/qemu/qemu_domain.h | 38 +-
src/qemu/qemu_driver.c | 8 +
src/qemu/qemu_hotplug.c | 3 -
src/qemu/qemu_process.c | 264 +++-
.../aarch64-tpm.aarch64-latest.args | 2 +-
.../console-compat-auto.x86_64-latest.args | 39 +
.../console-compat-chardev.x86_64-latest.args | 39 +
.../console-compat.x86_64-latest.args | 38 +
.../name-escape.x86_64-latest.args | 51 +
...arallel-parport-chardev.x86_64-latest.args | 39 +
.../parallel-tcp-chardev.x86_64-latest.args | 39 +
.../pci-serial-dev-chardev.x86_64-latest.args | 39 +
.../ppc64-tpmproxy-with-tpm.ppc64-latest.args | 2 +-
...rial-dev-chardev-iobase.x86_64-latest.args | 39 +
.../serial-dev-chardev.x86_64-latest.args | 39 +
.../serial-file-chardev.x86_64-latest.args | 40 +
.../serial-file-log.x86_64-latest.args | 40 +
.../serial-many-chardev.x86_64-latest.args | 42 +
.../serial-pty-chardev.x86_64-latest.args | 39 +
...erial-spiceport-nospice.x86_64-latest.args | 37 +
.../serial-spiceport.x86_64-latest.args | 41 +
.../serial-tcp-chardev.x86_64-latest.args | 39 +
...rial-tcp-telnet-chardev.x86_64-latest.args | 39 +
...p-tlsx509-chardev-notls.x86_64-latest.args | 41 +
...-tlsx509-chardev-verify.x86_64-latest.args | 42 +
...ial-tcp-tlsx509-chardev.x86_64-latest.args | 42 +
...-tlsx509-secret-chardev.x86_64-latest.args | 43 +
.../serial-udp-chardev.x86_64-latest.args | 41 +
...rial-unix-missing-source.x86_64-latest.err | 1 +
.../serial-vc-chardev.x86_64-latest.args | 39 +
.../tpm-emulator-spapr.ppc64-latest.args | 2 +-
.../tpm-emulator-tpm2-enc.x86_64-latest.args | 2 +-
...pm-emulator-tpm2-pstate.x86_64-latest.args | 2 +-
.../tpm-emulator-tpm2.x86_64-latest.args | 2 +-
.../tpm-emulator.x86_64-latest.args | 2 +-
...host-user-gpu-secondary.x86_64-latest.args | 2 +-
...irtio-options-video-ats.x86_64-latest.args | 2 +-
...tio-options-video-iommu.x86_64-latest.args | 2 +-
...io-options-video-packed.x86_64-latest.args | 2 +-
tests/qemuxml2argvtest.c | 114 ++
46 files changed, 1959 insertions(+), 776 deletions(-)
create mode 100644 tests/qemuxml2argvdata/console-compat-auto.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/console-compat-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/console-compat.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/name-escape.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/parallel-parport-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/parallel-tcp-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/pci-serial-dev-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-dev-chardev-iobase.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-dev-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-file-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-file-log.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-many-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-pty-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-spiceport-nospice.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-spiceport.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-telnet-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-tlsx509-chardev-notls.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-tlsx509-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-udp-chardev.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/serial-unix-missing-source.x86_64-latest.err
create mode 100644 tests/qemuxml2argvdata/serial-vc-chardev.x86_64-latest.args
--
2.31.1
3 years, 6 months
[libvirt PATCH 00/12] Clean up cruft in firewall/iptables code (in preparation for nftables)
by Laine Stump
These patches make no functional change, they just remove a bunch of
cruft that accumulated over the years and is no longer needed.
This is all in advance of adding support for native nftable support,
but there is nothing nftables-specific being added here; I just wanted
to get these cleanups out of way now so that the eventual nftables
support patchset is smaller and less complicated.
(NB: the concept of a "firewall backend" is being removed here,
implying that it will no longer exist. This is not true, but the way
that it will exist in the future will be different (per-firewall
object rather than per-process) so almost all of the existing code
won't be applicable anyway.)
Laine Stump (12):
network: eliminate code that uses default iptables chains
util: rename/move iptablesFormatNetwork to
virSocketAddrFormatWithPrefix
util: rename iptables operators to something less generic
tests: remove firewalld backend tests from virfirewalltest.c
tests: remove unnecessary ret variables and cleanup labels
tests: document why virgdbus must be mocked in
networkxml2firewalltest.c
util: eliminate pointless switch in virFirewallApplyRule
util: simplify virFirewallBackendSynchronize()
util: move and rename virFirewallBackendSynchronize()
util: remove check for iptables binary during virFirewallInit
util: remove currentBackend from virfirewall.c
util: remove virFirewallOnceInit()
src/libvirt_private.syms | 5 +-
src/network/bridge_driver_linux.c | 37 +--
src/util/virfirewall.c | 143 +----------
src/util/virfirewall.h | 2 -
src/util/virfirewalld.c | 43 ++++
src/util/virfirewalld.h | 2 +
src/util/virfirewallpriv.h | 37 ---
src/util/viriptables.c | 207 +++++++---------
src/util/viriptables.h | 2 -
src/util/virsocketaddr.c | 44 ++++
src/util/virsocketaddr.h | 3 +
tests/networkxml2firewalltest.c | 14 +-
tests/nwfilterebiptablestest.c | 7 -
tests/nwfilterxml2firewalltest.c | 8 +-
tests/virfirewalltest.c | 390 ++++--------------------------
15 files changed, 247 insertions(+), 697 deletions(-)
delete mode 100644 src/util/virfirewallpriv.h
--
2.33.1
3 years, 6 months
[PATCH] Fixes: #253
by JorhsonDeng
To resolve the bug: #253.
The restore method should call the qemuProcessRefreshState method
to refreash the state of the devices.
---
src/qemu/qemu_process.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 6b83a571b9..ebd60a7b84 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7703,14 +7703,11 @@ qemuProcessStart(virConnectPtr conn,
if (incoming->deferredURI &&
qemuMigrationDstRun(driver, vm, incoming->deferredURI, asyncJob) < 0)
goto stop;
- } else {
- /* Refresh state of devices from QEMU. During migration this happens
- * in qemuMigrationDstFinish to ensure that state information is fully
- * transferred. */
- if (qemuProcessRefreshState(driver, vm, asyncJob) < 0)
- goto stop;
}
+ if (qemuProcessRefreshState(driver, vm, asyncJob) < 0)
+ goto stop;
+
if (qemuProcessFinishStartup(driver, vm, asyncJob,
!(flags & VIR_QEMU_PROCESS_START_PAUSED),
incoming ?
--
2.27.0
3 years, 6 months
[libvirt PATCH 0/6] Improve usage information and manual pages
by Andrea Bolognani
Each of the tools we ship as part of libvirt should display
reasonable usage information when called without arguments and have
an associated manual page.
Andrea Bolognani (6):
virt-ssh-helper: Don't use optind
virt-ssh-helper: Improve usage information
virt-ssh-helper: Add manual page
virt-qemu-run: Improve usage information
virt-qemu-run: Improve manual page
virt-pki-query-dn: Add manual page
docs/manpages/meson.build | 2 +
docs/manpages/virt-pki-query-dn.rst | 91 +++++++++++++++++++++++++++
docs/manpages/virt-qemu-run.rst | 53 +++++++++-------
docs/manpages/virt-ssh-helper.rst | 96 +++++++++++++++++++++++++++++
libvirt.spec.in | 2 +
src/qemu/qemu_shim.c | 2 +-
src/remote/remote_ssh_helper.c | 18 +++---
7 files changed, 234 insertions(+), 30 deletions(-)
create mode 100644 docs/manpages/virt-pki-query-dn.rst
create mode 100644 docs/manpages/virt-ssh-helper.rst
--
2.31.1
3 years, 6 months
[libvirt PATCH v2 00/17] cgroup and thread management in ch driver
by Praveen K Paladugu
I addressed all the open comments on the v1 patch set.
In places where indentaion was hard to manage, I created explicit commits to
apply correct indentation on files.
Compared to v1, this version applies 2 code refactors:
1) some cgroup methods in src/qemu/qemu_cgroup.c were moved to src/hypervisor
and shared with ch driver.
2) virProcessGetStatInfo, virProcessGetSchedInfo which were copied from qemu
driver are moved to util and shared between qemu and ch drviers.
Praveen K Paladugu (9):
util: fix indentation in virprocess.c
util: Helper functions to get process info
ch_domain: fix indentation in ch_domain
ch_driver: fix indentation in ch_driver
ch_driver,ch_domain: vcpu info getter callbacks
ch_monitor: fix indentation in ch_monitor.c
qemu,hypervisor: refactor some cgroup mgmt methods
ch_process: Setup emulator and iothread settings
ch_driver: emulator threadinfo & pinning callbacks
Vineeth Pillai (8):
ch_domain: add virCHDomainGetMonitor helper method
ch_domain: add methods to manage private vcpu data
ch_driver: domainGetVcpuPinInfo and nodeGetCPUMap
ch_monitor: Get nicindexes in prep for cgroup mgmt
ch: methods for cgroup mgmt in ch driver
ch_driver,ch_domain: vcpupin callback in ch driver
ch_driver: enable typed param string for numatune
ch_driver: add numatune callbacks for CH driver
src/ch/ch_conf.c | 2 +
src/ch/ch_conf.h | 6 +-
src/ch/ch_domain.c | 302 ++++++---
src/ch/ch_domain.h | 32 +-
src/ch/ch_driver.c | 1045 ++++++++++++++++++++++++++++----
src/ch/ch_monitor.c | 533 +++++++++++-----
src/ch/ch_monitor.h | 60 +-
src/ch/ch_process.c | 386 +++++++++++-
src/ch/ch_process.h | 3 +
src/ch/meson.build | 1 +
src/hypervisor/domain_cgroup.c | 426 ++++++++++++-
src/hypervisor/domain_cgroup.h | 52 ++
src/libvirt_private.syms | 12 +
src/qemu/qemu_cgroup.c | 410 +------------
src/qemu/qemu_cgroup.h | 11 -
src/qemu/qemu_driver.c | 130 +---
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_process.c | 17 +-
src/util/virprocess.c | 609 +++++++++++--------
src/util/virprocess.h | 5 +
20 files changed, 2905 insertions(+), 1141 deletions(-)
--
2.27.0
3 years, 6 months
[libvirt PATCH v3] qemu: Enable unprivileged userfaultfd for post-copy migration
by Jiri Denemark
Userfaultfd is by default allowed only for privileged processes. Since
libvirt runs QEMU unprivileged, we need to enable unprivileged access to
userfaultfd to enable post-copy migration.
https://bugzilla.redhat.com/show_bug.cgi?id=1945420
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
Notes:
If you wonder about the 60-* prefix of the installed sysctl file, we already
install 60-libvirtd.conf so I think it makes sense to use the same prefix for
all sysctl configuration installed by libvirt.
Version 2:
- setting unprivileged_userfaultfd only when it is not already enabled
- virReportSystemError replaced with VIR_WARN
Version 3:
- set the knob via a sysctl conf file instead
libvirt.spec.in | 1 +
src/qemu/meson.build | 8 ++++++++
src/qemu/postcopy-migration.sysctl | 6 ++++++
3 files changed, 15 insertions(+)
create mode 100644 src/qemu/postcopy-migration.sysctl
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5a079cdaf3..3aa4cc75b5 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1859,6 +1859,7 @@ exit 0
%files daemon-driver-qemu
%config(noreplace) %{_sysconfdir}/sysconfig/virtqemud
%config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
+%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
%{_datadir}/augeas/lenses/virtqemud.aug
%{_datadir}/augeas/lenses/tests/test_virtqemud.aug
%{_unitdir}/virtqemud.service
diff --git a/src/qemu/meson.build b/src/qemu/meson.build
index 3898d23877..66ef594006 100644
--- a/src/qemu/meson.build
+++ b/src/qemu/meson.build
@@ -170,6 +170,14 @@ if conf.has('WITH_QEMU')
'file': files('virtqemud.sysconf'),
}
+ if conf.has('WITH_SYSCTL')
+ install_data(
+ 'postcopy-migration.sysctl',
+ install_dir: prefix / 'lib' / 'sysctl.d',
+ rename: [ '60-qemu-postcopy-migration.conf' ],
+ )
+ endif
+
virt_install_dirs += [
localstatedir / 'lib' / 'libvirt' / 'qemu',
runstatedir / 'libvirt' / 'qemu',
diff --git a/src/qemu/postcopy-migration.sysctl b/src/qemu/postcopy-migration.sysctl
new file mode 100644
index 0000000000..aa8f015ae0
--- /dev/null
+++ b/src/qemu/postcopy-migration.sysctl
@@ -0,0 +1,6 @@
+# This is needed to support post-copy migration for QEMU run by libvirt,
+# i.e., unprivileged, as userfaultfd is by default only available to
+# privileged processes.
+# It can be safely overridden by a file in /etc/sysctl.d/ in case post-copy
+# migration is not used on the host.
+vm.unprivileged_userfaultfd = 1
--
2.34.1
3 years, 6 months
[libvirt PATCH] remote: Avoid crash in remoteSplitURIScheme()
by Andrea Bolognani
We need to make sure the URI scheme is present before passing
it to strchr(), otherwise we're going to get
$ virt-ssh-helper foo
Segmentation fault (core dumped)
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/remote/remote_sockets.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/remote/remote_sockets.c b/src/remote/remote_sockets.c
index 2979576680..c315b24d30 100644
--- a/src/remote/remote_sockets.c
+++ b/src/remote/remote_sockets.c
@@ -69,7 +69,15 @@ remoteSplitURIScheme(virURI *uri,
char **driver,
remoteDriverTransport *transport)
{
- char *p = strchr(uri->scheme, '+');
+ char *p = NULL;
+
+ if (!uri->scheme) {
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("missing scheme for URI"));
+ return -1;
+ }
+
+ p = strchr(uri->scheme, '+');
if (p)
*driver = g_strndup(uri->scheme, p - uri->scheme);
--
2.31.1
3 years, 6 months