[PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons
by Jim Fehlig
and other improvements. V2 of
https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.html
Changes since V1:
- Removed many unneeded capabilities. I used the 'audit' qualifier as suggested
  by cboltz to verify which capabilities were actually used. It's a difficult
  task though, as it is nearly impossible for one person to exercise a driver
  in all the ways thousands of users will push it :-). I was able to whittle
  the virtxend profile quite a bit since xen doesn't need a lot in the way of
  host capabilities.
- Removed patch containing the virtlxcd profile since I'm unable to start any
  lxc domains with virtlxcd.
- Added patches to squelch denial messages from the virt-aa-helper profile.
Jim Fehlig (4):
Apparmor: Add profile for virtqemud
Apparmor: Add profile for virtxend
Apparmor: Allow reading libnl's classid file
Apparmor: Allow reading /etc/ssl/openssl.cnf
src/security/apparmor/libvirt-qemu | 5 +
src/security/apparmor/meson.build | 2 +
.../usr.lib.libvirt.virt-aa-helper.in | 4 +-
src/security/apparmor/usr.sbin.virtqemud.in | 135 ++++++++++++++++++
src/security/apparmor/usr.sbin.virtxend.in | 53 +++++++
5 files changed, 198 insertions(+), 1 deletion(-)
create mode 100644 src/security/apparmor/usr.sbin.virtqemud.in
create mode 100644 src/security/apparmor/usr.sbin.virtxend.in
--
2.31.1
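The capability-trimming approach described in the cover letter above (marking rules with the 'audit' qualifier and checking which ones are exercised), as an added example that is not part of the original post or of libvirt: it compares the capabilities a profile declares with the capname values in the kernel's AppArmor audit records. The profile name virtexampled, the profile fragment and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed profile fragment (NOT the virtqemud/virtxend profile from the patch).
SAMPLE_PROFILE = """\
profile virtexampled /usr/sbin/virtexampled {
  audit capability kill,
  audit capability net_admin sys_admin,
  audit capability dac_override,
  audit capability mknod,
  # capability sys_rawio,
}
"""

# Constructed audit records in the key=value layout AppArmor logs for capability checks.
SAMPLE_LOG = """\
type=AVC msg=audit(1624000001.101:210): apparmor="AUDIT" operation="capable" profile="virtexampled" pid=4121 comm="virtexampled" capability=5  capname="kill"
type=AVC msg=audit(1624000002.340:211): apparmor="AUDIT" operation="capable" profile="virtexampled" pid=4121 comm="virtexampled" capability=12  capname="net_admin"
type=AVC msg=audit(1624000003.002:212): apparmor="AUDIT" operation="capable" profile="virtexampled" pid=4121 comm="virtexampled" capability=5  capname="kill"
type=AVC msg=audit(1624000004.550:213): apparmor="AUDIT" operation="capable" profile="otherd" pid=900 comm="otherd" capability=21  capname="sys_admin"
type=AVC msg=audit(1624000005.777:214): apparmor="DENIED" operation="capable" profile="virtexampled" pid=4121 comm="virtexampled" capability=19  capname="sys_ptrace"
type=AVC msg=audit(1624000006.010:215): apparmor="AUDIT" operation="open" profile="virtexampled" name="/etc/example.conf" pid=4121 comm="virtexampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches "capability a b," with optional audit/allow qualifiers; "deny" rules and
# the bare "capability," rule (all capabilities) are deliberately not enumerated.
RULE_RE = re.compile(r"^\s*(?:audit\s+)?(?:allow\s+)?capability\s+([a-z0-9_\s]+),")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def declared_capabilities(profile_text):
    """Return the set of capability names granted by the profile text."""
    caps = set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        match = RULE_RE.match(line)
        if match:
            caps.update(match.group(1).split())
    return caps


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def observed_capabilities(log_text, profile):
    """Count capability checks logged for one profile, split by outcome."""
    used, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("operation") != "capable" or rec.get("profile") != profile:
            continue
        cap = rec.get("capname")
        if not cap:
            continue
        if rec.get("apparmor") == "AUDIT":
            used[cap] += 1
        elif rec.get("apparmor") == "DENIED":
            denied[cap] += 1
    return used, denied


def review(profile_text, log_text, profile):
    """Compare what the profile grants with what the workload exercised."""
    declared = declared_capabilities(profile_text)
    used, denied = observed_capabilities(log_text, profile)
    return {
        "exercised": dict(used),
        "never_exercised": sorted(declared - set(used)),
        "denied_not_granted": sorted(set(denied) - declared),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_PROFILE, SAMPLE_LOG, "virtexampled").items():
        print(f"{key}: {value}")
```

A capability listed under never_exercised was only unused by the workload that produced the log, so it is a candidate for removal to test further, not proof that the daemon never needs it.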
[PATCH] tests: qemucapabilities: Bump test data for qemu-6.1 on x86_64
by Peter Krempa
Update the caps data for the upcoming qemu version.
Notable changes are:
- 'query-sev-attestation-report' command added
- 'sample-pages' members for dirty rate calculation added
- 'qtest' device added
- 'share' member added to query-memdev and 'reserve' members added to
query-memdev/memory-backend-[file,memfd,ram]
- 'qemu-vdagent' chardev added
- 'mptcp' toggle added to inet servers
- 'zstd' compression for qcow2
- new cpu models:
    - "Snowridge-v3"
    - "Skylake-Server-v5"
    - "Skylake-Client-v4"
    - "Icelake-Server-v5"
    - "Icelake-Client-v3"
    - "Dhyana-v2"
    - "Denverton-v3"
    - "Cooperlake-v2"
    - "Cascadelake-Server-v5"
- 'avx-vnni' added to some existing cpu models
- 'model-id' is now being reported as the host cpu again rather than
QEMU TCG as I've noted in previous bump
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
.../caps_6.1.0.x86_64.replies | 3663 ++++++++++-------
.../caps_6.1.0.x86_64.xml | 366 +-
2 files changed, 2525 insertions(+), 1504 deletions(-)
diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.replies b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.replies
index 9291840bd2..2217e1331c 100644
--- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.replies
+++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.replies
@@ -21,7 +21,7 @@
"minor": 0,
"major": 6
},
- "package": "v6.0.0-540-g6005ee07c3"
+ "package": "v6.0.0-1820-g0add99ea3e"
},
"id": "libvirt-2"
}
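Review bot: The new "package" value, v6.0.0-1820-g0add99ea3e, is a git-describe string for a development snapshot rather than a release tag, so this capture reflects an unreleased QEMU. The commit message should say that the data needs regenerating once 6.1.0 is tagged, because anything that changes before the release will leave these files stale.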
[...]
Trimmed for brevity. Full version:
https://gitlab.com/pipo.sk/libvirt/-/commit/9fd3bc550ff91d6340d1c0316b46f...
diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
index 1937b88a4d..f173daf788 100644
--- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
@@ -263,7 +263,7 @@
<version>6000050</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>43100243</microcodeVersion>
- <package>v6.0.0-540-g6005ee07c3</package>
+ <package>v6.0.0-1820-g0add99ea3e</package>
<arch>x86_64</arch>
<hostCPU type='kvm' model='base' migratability='yes'>
<property name='vmx-entry-load-rtit-ctl' type='boolean' value='false'/>
@@ -297,7 +297,7 @@
<property name='vmx-exit-load-efer' type='boolean' value='false'/>
<property name='vmx-exit-clear-bndcfgs' type='boolean' value='false'/>
<property name='sse4.1' type='boolean' value='true' migratable='yes'/>
- <property name='family' type='number' value='6'/>
+ <property name='family' type='number' value='23'/>
<property name='intel-pt-lip' type='boolean' value='false'/>
<property name='vmx-vmwrite-vmexit-fields' type='boolean' value='false'/>
<property name='kvm-asyncpf-int' type='boolean' value='true' migratable='yes'/>
@@ -314,7 +314,7 @@
<property name='xcrypt' type='boolean' value='false'/>
<property name='vmx-exit-load-pat' type='boolean' value='false'/>
<property name='vmx-intr-exit' type='boolean' value='false'/>
- <property name='min-level' type='number' value='13'/>
+ <property name='min-level' type='number' value='16'/>
<property name='vmx-flexpriority' type='boolean' value='false'/>
<property name='xgetbv1' type='boolean' value='true' migratable='yes'/>
<property name='cid' type='boolean' value='false'/>
@@ -359,6 +359,7 @@
<property name='avx512-4fmaps' type='boolean' value='false'/>
<property name='vmcb-clean' type='boolean' value='false'/>
<property name='hle' type='boolean' value='false'/>
+ <property name='avx-vnni' type='boolean' value='false'/>
<property name='3dnowext' type='boolean' value='false'/>
<property name='amd-no-ssb' type='boolean' value='false'/>
<property name='npt' type='boolean' value='false'/>
@@ -427,7 +428,7 @@
<property name='pdcm' type='boolean' value='false'/>
<property name='vmx-entry-load-bndcfgs' type='boolean' value='false'/>
<property name='vmx-exit-clear-rtit-ctl' type='boolean' value='false'/>
- <property name='model' type='number' value='6'/>
+ <property name='model' type='number' value='113'/>
<property name='movbe' type='boolean' value='true' migratable='yes'/>
<property name='nrip-save' type='boolean' value='false'/>
<property name='ssse3' type='boolean' value='true' migratable='yes'/>
@@ -442,7 +443,7 @@
<property name='fma' type='boolean' value='true' migratable='yes'/>
<property name='cx16' type='boolean' value='true' migratable='yes'/>
<property name='de' type='boolean' value='true' migratable='yes'/>
- <property name='stepping' type='number' value='3'/>
+ <property name='stepping' type='number' value='0'/>
<property name='xsave' type='boolean' value='true' migratable='yes'/>
<property name='clflush' type='boolean' value='true' migratable='yes'/>
<property name='skinit' type='boolean' value='false'/>
@@ -516,7 +517,7 @@
<property name='md-clear' type='boolean' value='false'/>
<property name='misalignsse' type='boolean' value='true' migratable='yes'/>
<property name='split-lock-detect' type='boolean' value='false'/>
- <property name='min-xlevel' type='number' value='2147483656'/>
+ <property name='min-xlevel' type='number' value='2147483679'/>
<property name='bmi1' type='boolean' value='true' migratable='yes'/>
<property name='bmi2' type='boolean' value='true' migratable='yes'/>
<property name='kvm-pv-unhalt' type='boolean' value='true' migratable='yes'/>
@@ -568,7 +569,7 @@
<property name='vmx-rdpmc-exit' type='boolean' value='false'/>
<property name='vmx-mtf' type='boolean' value='false'/>
<property name='vmx-entry-load-efer' type='boolean' value='false'/>
- <property name='model-id' type='string' value='QEMU TCG CPU version 2.5+'/>
+ <property name='model-id' type='string' value='AMD Ryzen 9 3900X 12-Core Processor '/>
<property name='sha-ni' type='boolean' value='true' migratable='yes'/>
<property name='vmx-exit-load-pkrs' type='boolean' value='false'/>
<property name='abm' type='boolean' value='true' migratable='yes'/>
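Review bot: The model-id value on the + line ends in a trailing space ('... 12-Core Processor ') and, together with the family/model/stepping changes in the earlier hunks (23/113/0), ties the KVM host CPU data to the machine the capture ran on. The commit message mentions the model-id change but not that the capture host is now an AMD part; adding that would explain why the new Intel models further down are all usable='no'. If the trailing space is exactly what QEMU reports it should stay, but please confirm it is not an artifact of how the reply was saved.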
@@ -636,6 +637,16 @@
<blocker name='spec-ctrl'/>
</cpu>
<cpu type='kvm' name='Westmere' typename='Westmere-x86_64-cpu' usable='yes'/>
+ <cpu type='kvm' name='Snowridge-v3' typename='Snowridge-v3-x86_64-cpu' usable='no'>
+ <blocker name='erms'/>
+ <blocker name='gfni'/>
+ <blocker name='cldemote'/>
+ <blocker name='movdiri'/>
+ <blocker name='movdir64b'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='core-capability'/>
+ <blocker name='split-lock-detect'/>
+ </cpu>
<cpu type='kvm' name='Snowridge-v2' typename='Snowridge-v2-x86_64-cpu' usable='no'>
<blocker name='erms'/>
<blocker name='gfni'/>
@@ -672,6 +683,22 @@
<blocker name='mpx'/>
<blocker name='split-lock-detect'/>
</cpu>
+ <cpu type='kvm' name='Skylake-Server-v5' typename='Skylake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='pcid'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='pku'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='pku'/>
+ </cpu>
<cpu type='kvm' name='Skylake-Server-v4' typename='Skylake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='pcid'/>
<blocker name='erms'/>
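Review bot: In the added Skylake-Server-v5 entry, avx512f appears four times and pku twice in the blocker list. If that is a faithful rendering of what QEMU returns, the test data should stay as generated, but it is worth checking whether the code that converts the reply into blocker elements ought to de-duplicate, since the repeats carry no extra information.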
@@ -790,6 +817,12 @@
<blocker name='avx512f'/>
<blocker name='pku'/>
</cpu>
+ <cpu type='kvm' name='Skylake-Client-v4' typename='Skylake-Client-v4-x86_64-cpu' usable='no'>
+ <blocker name='pcid'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='spec-ctrl'/>
+ </cpu>
<cpu type='kvm' name='Skylake-Client-v3' typename='Skylake-Client-v3-x86_64-cpu' usable='no'>
<blocker name='pcid'/>
<blocker name='erms'/>
@@ -916,6 +949,35 @@
<cpu type='kvm' name='IvyBridge' typename='IvyBridge-x86_64-cpu' usable='no'>
<blocker name='erms'/>
</cpu>
+ <cpu type='kvm' name='Icelake-Server-v5' typename='Icelake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='pcid'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='avx512ifma'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='avx512vbmi'/>
+ <blocker name='pku'/>
+ <blocker name='avx512vbmi2'/>
+ <blocker name='gfni'/>
+ <blocker name='vaes'/>
+ <blocker name='vpclmulqdq'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='avx512bitalg'/>
+ <blocker name='avx512-vpopcntdq'/>
+ <blocker name='la57'/>
+ <blocker name='fsrm'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='pku'/>
+ <blocker name='ibrs-all'/>
+ <blocker name='taa-no'/>
+ </cpu>
<cpu type='kvm' name='Icelake-Server-v4' typename='Icelake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='pcid'/>
<blocker name='erms'/>
@@ -1076,6 +1138,22 @@
<blocker name='avx512f'/>
<blocker name='pku'/>
</cpu>
+ <cpu type='kvm' name='Icelake-Client-v3' typename='Icelake-Client-v3-x86_64-cpu' usable='no' deprecated='yes'>
+ <blocker name='pcid'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512vbmi'/>
+ <blocker name='pku'/>
+ <blocker name='avx512vbmi2'/>
+ <blocker name='gfni'/>
+ <blocker name='vaes'/>
+ <blocker name='vpclmulqdq'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='avx512bitalg'/>
+ <blocker name='avx512-vpopcntdq'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='pku'/>
+ </cpu>
<cpu type='kvm' name='Icelake-Client-v2' typename='Icelake-Client-v2-x86_64-cpu' usable='no' deprecated='yes'>
<blocker name='pcid'/>
<blocker name='erms'/>
@@ -1224,8 +1302,13 @@
</cpu>
<cpu type='kvm' name='EPYC-IBPB' typename='EPYC-IBPB-x86_64-cpu' usable='yes'/>
<cpu type='kvm' name='EPYC' typename='EPYC-x86_64-cpu' usable='yes'/>
+ <cpu type='kvm' name='Dhyana-v2' typename='Dhyana-v2-x86_64-cpu' usable='yes'/>
<cpu type='kvm' name='Dhyana-v1' typename='Dhyana-v1-x86_64-cpu' usable='yes'/>
<cpu type='kvm' name='Dhyana' typename='Dhyana-x86_64-cpu' usable='yes'/>
+ <cpu type='kvm' name='Denverton-v3' typename='Denverton-v3-x86_64-cpu' usable='no'>
+ <blocker name='erms'/>
+ <blocker name='spec-ctrl'/>
+ </cpu>
<cpu type='kvm' name='Denverton-v2' typename='Denverton-v2-x86_64-cpu' usable='no'>
<blocker name='erms'/>
<blocker name='spec-ctrl'/>
@@ -1244,6 +1327,29 @@
<blocker name='mpx'/>
<blocker name='mpx'/>
</cpu>
+ <cpu type='kvm' name='Cooperlake-v2' typename='Cooperlake-v2-x86_64-cpu' usable='no'>
+ <blocker name='pcid'/>
+ <blocker name='hle'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='rtm'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='pku'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='avx-vnni'/>
+ <blocker name='avx512-bf16'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='pku'/>
+ <blocker name='ibrs-all'/>
+ <blocker name='taa-no'/>
+ </cpu>
<cpu type='kvm' name='Cooperlake-v1' typename='Cooperlake-v1-x86_64-cpu' usable='no'>
<blocker name='pcid'/>
<blocker name='hle'/>
@@ -1258,6 +1364,7 @@
<blocker name='pku'/>
<blocker name='avx512vnni'/>
<blocker name='spec-ctrl'/>
+ <blocker name='avx-vnni'/>
<blocker name='avx512-bf16'/>
<blocker name='avx512f'/>
<blocker name='avx512f'/>
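Review bot: An existing CPU model gaining a blocker (avx-vnni, inserted before avx512-bf16) means its feature set changed between the two QEMU snapshots, which is unexpected for versioned models that are meant to stay fixed once released. The commit message notes the addition, but it would be good to confirm with QEMU that it is intentional for these models before the data is treated as final; the same + line repeats in the next hunk and in the TCG section.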
@@ -1280,6 +1387,7 @@
<blocker name='pku'/>
<blocker name='avx512vnni'/>
<blocker name='spec-ctrl'/>
+ <blocker name='avx-vnni'/>
<blocker name='avx512-bf16'/>
<blocker name='avx512f'/>
<blocker name='avx512f'/>
@@ -1290,6 +1398,24 @@
</cpu>
<cpu type='kvm' name='Conroe-v1' typename='Conroe-v1-x86_64-cpu' usable='yes'/>
<cpu type='kvm' name='Conroe' typename='Conroe-x86_64-cpu' usable='yes'/>
+ <cpu type='kvm' name='Cascadelake-Server-v5' typename='Cascadelake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='pcid'/>
+ <blocker name='erms'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='pku'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512f'/>
+ <blocker name='pku'/>
+ <blocker name='ibrs-all'/>
+ </cpu>
<cpu type='kvm' name='Cascadelake-Server-v4' typename='Cascadelake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='pcid'/>
<blocker name='erms'/>
@@ -1472,9 +1598,9 @@
<machine type='kvm' name='pc-q35-2.4' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-q35-2.10' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='x-remote' maxCpus='1'/>
+ <machine type='kvm' name='pc-i440fx-1.7' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-q35-5.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-q35-2.9' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
- <machine type='kvm' name='pc-i440fx-1.7' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-i440fx-2.11' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-q35-3.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='kvm' name='pc-q35-4.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
@@ -1538,7 +1664,7 @@
<property name='vmx-exit-load-efer' type='boolean' value='false'/>
<property name='vmx-exit-clear-bndcfgs' type='boolean' value='false'/>
<property name='sse4.1' type='boolean' value='true' migratable='yes'/>
- <property name='family' type='number' value='6'/>
+ <property name='family' type='number' value='15'/>
<property name='intel-pt-lip' type='boolean' value='false'/>
<property name='vmx-vmwrite-vmexit-fields' type='boolean' value='false'/>
<property name='kvm-asyncpf-int' type='boolean' value='false'/>
@@ -1600,6 +1726,7 @@
<property name='avx512-4fmaps' type='boolean' value='false'/>
<property name='vmcb-clean' type='boolean' value='false'/>
<property name='hle' type='boolean' value='false'/>
+ <property name='avx-vnni' type='boolean' value='false'/>
<property name='3dnowext' type='boolean' value='true' migratable='yes'/>
<property name='amd-no-ssb' type='boolean' value='false'/>
<property name='npt' type='boolean' value='true' migratable='yes'/>
@@ -1668,7 +1795,7 @@
<property name='pdcm' type='boolean' value='false'/>
<property name='vmx-entry-load-bndcfgs' type='boolean' value='false'/>
<property name='vmx-exit-clear-rtit-ctl' type='boolean' value='false'/>
- <property name='model' type='number' value='6'/>
+ <property name='model' type='number' value='107'/>
<property name='movbe' type='boolean' value='true' migratable='yes'/>
<property name='nrip-save' type='boolean' value='false'/>
<property name='ssse3' type='boolean' value='true' migratable='yes'/>
@@ -1683,7 +1810,7 @@
<property name='fma' type='boolean' value='false'/>
<property name='cx16' type='boolean' value='true' migratable='yes'/>
<property name='de' type='boolean' value='true' migratable='yes'/>
- <property name='stepping' type='number' value='3'/>
+ <property name='stepping' type='number' value='1'/>
<property name='xsave' type='boolean' value='true' migratable='yes'/>
<property name='clflush' type='boolean' value='true' migratable='yes'/>
<property name='skinit' type='boolean' value='false'/>
@@ -1859,6 +1986,25 @@
<blocker name='spec-ctrl'/>
</cpu>
<cpu type='tcg' name='Westmere' typename='Westmere-x86_64-cpu' usable='yes'/>
+ <cpu type='tcg' name='Snowridge-v3' typename='Snowridge-v3-x86_64-cpu' usable='no'>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='rdseed'/>
+ <blocker name='sha-ni'/>
+ <blocker name='umip'/>
+ <blocker name='gfni'/>
+ <blocker name='cldemote'/>
+ <blocker name='movdiri'/>
+ <blocker name='movdir64b'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='arch-capabilities'/>
+ <blocker name='core-capability'/>
+ <blocker name='ssbd'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ <blocker name='split-lock-detect'/>
+ </cpu>
<cpu type='tcg' name='Snowridge-v2' typename='Snowridge-v2-x86_64-cpu' usable='no'>
<blocker name='x2apic'/>
<blocker name='tsc-deadline'/>
@@ -1913,6 +2059,26 @@
<blocker name='xsavec'/>
<blocker name='split-lock-detect'/>
</cpu>
+ <cpu type='tcg' name='Skylake-Server-v5' typename='Skylake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='rdseed'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ </cpu>
<cpu type='tcg' name='Skylake-Server-v4' typename='Skylake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -2052,6 +2218,21 @@
<blocker name='3dnowprefetch'/>
<blocker name='xsavec'/>
</cpu>
+ <cpu type='tcg' name='Skylake-Client-v4' typename='Skylake-Client-v4-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='rdseed'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ </cpu>
<cpu type='tcg' name='Skylake-Client-v3' typename='Skylake-Client-v3-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -2282,6 +2463,48 @@
<blocker name='avx'/>
<blocker name='f16c'/>
</cpu>
+ <cpu type='tcg' name='Icelake-Server-v5' typename='Icelake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='rdseed'/>
+ <blocker name='avx512ifma'/>
+ <blocker name='avx512cd'/>
+ <blocker name='sha-ni'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='avx512vbmi'/>
+ <blocker name='umip'/>
+ <blocker name='avx512vbmi2'/>
+ <blocker name='gfni'/>
+ <blocker name='vaes'/>
+ <blocker name='vpclmulqdq'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='avx512bitalg'/>
+ <blocker name='avx512-vpopcntdq'/>
+ <blocker name='rdpid'/>
+ <blocker name='fsrm'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='arch-capabilities'/>
+ <blocker name='ssbd'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='wbnoinvd'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ <blocker name='rdctl-no'/>
+ <blocker name='ibrs-all'/>
+ <blocker name='skip-l1dfl-vmentry'/>
+ <blocker name='mds-no'/>
+ <blocker name='pschange-mc-no'/>
+ <blocker name='taa-no'/>
+ </cpu>
<cpu type='tcg' name='Icelake-Server-v4' typename='Icelake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -2484,6 +2707,32 @@
<blocker name='wbnoinvd'/>
<blocker name='xsavec'/>
</cpu>
+ <cpu type='tcg' name='Icelake-Client-v3' typename='Icelake-Client-v3-x86_64-cpu' usable='no' deprecated='yes'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='rdseed'/>
+ <blocker name='avx512vbmi'/>
+ <blocker name='umip'/>
+ <blocker name='avx512vbmi2'/>
+ <blocker name='gfni'/>
+ <blocker name='vaes'/>
+ <blocker name='vpclmulqdq'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='avx512bitalg'/>
+ <blocker name='avx512-vpopcntdq'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='ssbd'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='wbnoinvd'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ </cpu>
<cpu type='tcg' name='Icelake-Client-v2' typename='Icelake-Client-v2-x86_64-cpu' usable='no' deprecated='yes'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -2896,6 +3145,22 @@
<blocker name='nrip-save'/>
<blocker name='xsavec'/>
</cpu>
+ <cpu type='tcg' name='Dhyana-v2' typename='Dhyana-v2-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='rdseed'/>
+ <blocker name='fxsr-opt'/>
+ <blocker name='misalignsse'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='osvw'/>
+ <blocker name='topoext'/>
+ <blocker name='ibpb'/>
+ <blocker name='nrip-save'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ </cpu>
<cpu type='tcg' name='Dhyana-v1' typename='Dhyana-v1-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='avx'/>
@@ -2926,6 +3191,20 @@
<blocker name='nrip-save'/>
<blocker name='xsavec'/>
</cpu>
+ <cpu type='tcg' name='Denverton-v3' typename='Denverton-v3-x86_64-cpu' usable='no'>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='rdseed'/>
+ <blocker name='sha-ni'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='arch-capabilities'/>
+ <blocker name='ssbd'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ <blocker name='rdctl-no'/>
+ <blocker name='skip-l1dfl-vmentry'/>
+ </cpu>
<cpu type='tcg' name='Denverton-v2' typename='Denverton-v2-x86_64-cpu' usable='no'>
<blocker name='x2apic'/>
<blocker name='tsc-deadline'/>
@@ -2965,6 +3244,40 @@
<blocker name='rdctl-no'/>
<blocker name='skip-l1dfl-vmentry'/>
</cpu>
+ <cpu type='tcg' name='Cooperlake-v2' typename='Cooperlake-v2-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='hle'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='rtm'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='rdseed'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='stibp'/>
+ <blocker name='arch-capabilities'/>
+ <blocker name='ssbd'/>
+ <blocker name='avx-vnni'/>
+ <blocker name='avx512-bf16'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ <blocker name='rdctl-no'/>
+ <blocker name='ibrs-all'/>
+ <blocker name='skip-l1dfl-vmentry'/>
+ <blocker name='mds-no'/>
+ <blocker name='pschange-mc-no'/>
+ <blocker name='taa-no'/>
+ </cpu>
<cpu type='tcg' name='Cooperlake-v1' typename='Cooperlake-v1-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -2987,6 +3300,7 @@
<blocker name='stibp'/>
<blocker name='arch-capabilities'/>
<blocker name='ssbd'/>
+ <blocker name='avx-vnni'/>
<blocker name='avx512-bf16'/>
<blocker name='3dnowprefetch'/>
<blocker name='xsavec'/>
@@ -3019,6 +3333,7 @@
<blocker name='stibp'/>
<blocker name='arch-capabilities'/>
<blocker name='ssbd'/>
+ <blocker name='avx-vnni'/>
<blocker name='avx512-bf16'/>
<blocker name='3dnowprefetch'/>
<blocker name='xsavec'/>
@@ -3031,6 +3346,33 @@
</cpu>
<cpu type='tcg' name='Conroe-v1' typename='Conroe-v1-x86_64-cpu' usable='yes'/>
<cpu type='tcg' name='Conroe' typename='Conroe-x86_64-cpu' usable='yes'/>
+ <cpu type='tcg' name='Cascadelake-Server-v5' typename='Cascadelake-Server-v5-x86_64-cpu' usable='no'>
+ <blocker name='fma'/>
+ <blocker name='pcid'/>
+ <blocker name='x2apic'/>
+ <blocker name='tsc-deadline'/>
+ <blocker name='avx'/>
+ <blocker name='f16c'/>
+ <blocker name='avx2'/>
+ <blocker name='invpcid'/>
+ <blocker name='avx512f'/>
+ <blocker name='avx512dq'/>
+ <blocker name='rdseed'/>
+ <blocker name='avx512cd'/>
+ <blocker name='avx512bw'/>
+ <blocker name='avx512vl'/>
+ <blocker name='avx512vnni'/>
+ <blocker name='spec-ctrl'/>
+ <blocker name='arch-capabilities'/>
+ <blocker name='ssbd'/>
+ <blocker name='3dnowprefetch'/>
+ <blocker name='xsavec'/>
+ <blocker name='xsaves'/>
+ <blocker name='rdctl-no'/>
+ <blocker name='ibrs-all'/>
+ <blocker name='skip-l1dfl-vmentry'/>
+ <blocker name='mds-no'/>
+ </cpu>
<cpu type='tcg' name='Cascadelake-Server-v4' typename='Cascadelake-Server-v4-x86_64-cpu' usable='no'>
<blocker name='fma'/>
<blocker name='pcid'/>
@@ -3309,9 +3651,9 @@
<machine type='tcg' name='pc-q35-2.4' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-q35-2.10' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='x-remote' maxCpus='1'/>
+ <machine type='tcg' name='pc-i440fx-1.7' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-q35-5.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-q35-2.9' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
- <machine type='tcg' name='pc-i440fx-1.7' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-i440fx-2.11' hotplugCpus='yes' maxCpus='255' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-q35-3.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
<machine type='tcg' name='pc-q35-4.1' hotplugCpus='yes' maxCpus='288' defaultCPU='qemu64-x86_64-cpu' numaMemSupported='yes' defaultRAMid='pc.ram'/>
--
2.31.1
[PATCH] test_driver: Implement virDomainGetSecurityLabelList
by Luke Yue
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
src/test/test_driver.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index 611ec6d7ec..ae1b8ebc23 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -136,6 +136,7 @@ VIR_ONCE_GLOBAL_INIT(testDriver);
#define TEST_MODEL "i686"
#define TEST_EMULATOR "/usr/bin/test-hv"
+#define TEST_SECURITY_LABEL_LIST_LENGTH 2
static const virNodeInfo defaultNodeInfo = {
TEST_MODEL,
@@ -5037,6 +5038,45 @@ testDomainGetSecurityLabel(virDomainPtr dom,
return ret;
}
+static int
+testDomainGetSecurityLabelList(virDomainPtr dom,
+ virSecurityLabelPtr* seclabels)
+{
+ virDomainObj *vm;
+ size_t i;
+ int ret = -1;
+
+ if (!(vm = testDomObjFromDomain(dom)))
+ return -1;
+
+ if (!virDomainObjIsActive(vm)) {
+ /* No seclabels */
+ *seclabels = NULL;
+ ret = 0;
+ } else {
+ int len = TEST_SECURITY_LABEL_LIST_LENGTH;
+
+ (*seclabels) = g_new0(virSecurityLabel, len);
+ memset(*seclabels, 0, sizeof(**seclabels) * len);
+
+ /* Fill the array */
+ for (i = 0; i < len; i++) {
+ if (virStrcpyStatic(seclabels[i]->label, "libvirt-test") < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("security label exceeds maximum: %zu"),
+ sizeof(seclabels[i]->label) - 1);
+ VIR_FREE(*seclabels);
+ goto cleanup;
+ }
+ }
+ ret = len;
+ }
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+ return ret;
+}
+
static int
testNodeGetSecurityModel(virConnectPtr conn,
virSecurityModelPtr secmodel)
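Review bot: The fill loop indexes the wrong level of indirection. seclabels points at the caller's single virSecurityLabelPtr, so seclabels[i]->label is only valid for i == 0; for i == 1 it reads a pointer from past the caller's variable and writes through it. Use (*seclabels)[i].label in both the virStrcpyStatic() call and the sizeof in the error message. Separately, the memset() directly after g_new0() is redundant because g_new0() already zeroes the allocation, and i (size_t) is compared against len (int), so len should be a size_t as well.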
@@ -9357,6 +9397,7 @@ static virHypervisorDriver testHypervisorDriver = {
.domainGetVcpuPinInfo = testDomainGetVcpuPinInfo, /* 1.2.18 */
.domainGetMaxVcpus = testDomainGetMaxVcpus, /* 0.7.3 */
.domainGetSecurityLabel = testDomainGetSecurityLabel, /* 7.5.0 */
+ .domainGetSecurityLabelList = testDomainGetSecurityLabelList, /* 7.5.0 */
.nodeGetSecurityModel = testNodeGetSecurityModel, /* 7.5.0 */
.domainGetXMLDesc = testDomainGetXMLDesc, /* 0.1.4 */
.domainSetMemoryParameters = testDomainSetMemoryParameters, /* 5.6.0 */
--
2.32.0
[PATCH] test_driver: Implement virDomainGetMessages
by Luke Yue
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
src/test/test_driver.c | 53 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index ae1b8ebc23..a7ea05464d 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -9331,6 +9331,58 @@ testDomainCheckpointDelete(virDomainCheckpointPtr checkpoint,
return ret;
}
+static int
+testDomainGetMessages(virDomainPtr dom,
+ char ***msgs,
+ unsigned int flags)
+{
+ virDomainObj *vm = NULL;
+ int rv = -1;
+ size_t i, n;
+ int nmsgs;
+
+ virCheckFlags(VIR_DOMAIN_MESSAGE_DEPRECATION |
+ VIR_DOMAIN_MESSAGE_TAINTING, -1);
+
+ if (!(vm = testDomObjFromDomain(dom)))
+ return -1;
+
+ *msgs = NULL;
+ nmsgs = 0;
+ n = 0;
+
+ if (!flags || (flags & VIR_DOMAIN_MESSAGE_TAINTING)) {
+ nmsgs += __builtin_popcount(vm->taint);
+ *msgs = g_renew(char *, *msgs, nmsgs+1);
+
+ for (i = 0; i < VIR_DOMAIN_TAINT_LAST; i++) {
+ if (vm->taint & (1 << i)) {
+ (*msgs)[n++] = g_strdup_printf(
+ _("tainted: %s"),
+ _(virDomainTaintMessageTypeToString(i)));
+ }
+ }
+ }
+
+ if (!flags || (flags & VIR_DOMAIN_MESSAGE_DEPRECATION)) {
+ nmsgs += vm->ndeprecations;
+ *msgs = g_renew(char *, *msgs, nmsgs+1);
+
+ for (i = 0; i < vm->ndeprecations; i++) {
+ (*msgs)[n++] = g_strdup_printf(
+ _("deprecated configuration: %s"),
+ vm->deprecations[i]);
+ }
+ }
+
+ (*msgs)[nmsgs] = NULL;
+
+ rv = nmsgs;
+
+ virDomainObjEndAPI(&vm);
+ return rv;
+}
+
/*
* Test driver
*/
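Review bot: Nothing in testDomainGetMessages() is specific to the test driver: it reads only vm->taint, vm->deprecations and vm->ndeprecations, so this would be better as a shared helper operating on virDomainObj that drivers call, rather than a copy maintained here. Within the function, __builtin_popcount() is a compiler builtin used with no fallback, nmsgs is an int that accumulates the size_t vm->ndeprecations, and rv is initialised to -1 although there is no failure path after the domain lookup, so the function can return nmsgs directly.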
@@ -9489,6 +9541,7 @@ static virHypervisorDriver testHypervisorDriver = {
.domainCheckpointLookupByName = testDomainCheckpointLookupByName, /* 5.6.0 */
.domainCheckpointGetParent = testDomainCheckpointGetParent, /* 5.6.0 */
.domainCheckpointDelete = testDomainCheckpointDelete, /* 5.6.0 */
+ .domainGetMessages = testDomainGetMessages, /* 7.5.0 */
};
static virNetworkDriver testNetworkDriver = {
--
2.32.0
[libvirt PATCH] spec: Drop libiscsi support in RHEL-9
by Jiri Denemark
https://bugzilla.redhat.com/show_bug.cgi?id=1975677
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
libvirt.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index b8a698e81e..c1ccd2f74e 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -85,6 +85,10 @@
%endif
%define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
+# libiscsi has been dropped in RHEL-9
+%if 0%{?rhel} > 8
+ %define with_storage_iscsi_direct 0
+%endif
# Other optional features
%define with_numactl 0%{!?_without_numactl:1}
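Review bot: the added `%if 0%{?rhel} > 8` block redefines `with_storage_iscsi_direct` to 0 right after the line that derives it from `_without_storage_iscsi_direct`, so on RHEL-9 the macro is forced off with no trace in the build output. That matches the intent, but the comment would be more useful if it also referenced the bug linked in the commit message, so a later reader can tell why the override exists and when it can go.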
--
2.32.0
3 years, 4 months
[libvirt PATCH 0/7] Enable autostarting mediated devices
by Jonathon Jongsma
This series replaces the initial patch that was recently reverted. It
implements the autostart feature using a new virNodeDeviceGet/SetAutostart()
API that is consistent with how other libvirt objects handle autostart. It also
adds a counterpart virsh command nodedev-autostart.
In order to easily check the 'autostart' status of the device (since it is no
longer part of the device xml), a new virsh command is introduced:
nodedev-info. This also presents a few more basic bits of information about the
device, including 'active' and 'persistent' status, which requires exposing new
APIs on the node device: IsActive() and IsPersistent(). These APIs are
consistent with existing libvirt objects.
Jonathon Jongsma (7):
api: add virNodeDevice(Get|Set)Autostart()
nodedev: implement virNodeDevice(Get|Set)Autostart()
nodedev: Add tests for mdevctl autostart command
virsh: add nodedev-autostart
api: add virNodeDeviceIsPersistent()/IsActive()
nodedev: Implement virNodeDeviceIsPersistent()/IsActive()
virsh: add nodedev-info
docs/manpages/virsh.rst | 27 +++
include/libvirt/libvirt-nodedev.h | 10 ++
src/conf/virnodedeviceobj.c | 16 ++
src/conf/virnodedeviceobj.h | 6 +
src/driver-nodedev.h | 18 ++
src/libvirt-nodedev.c | 141 +++++++++++++++
src/libvirt_private.syms | 2 +
src/libvirt_public.syms | 6 +
src/node_device/node_device_driver.c | 166 ++++++++++++++++++
src/node_device/node_device_driver.h | 19 ++
src/node_device/node_device_udev.c | 30 +++-
src/remote/remote_driver.c | 6 +-
src/remote/remote_protocol.x | 59 ++++++-
src/remote_protocol-structs | 26 +++
.../nodedevmdevctldata/mdevctl-autostart.argv | 8 +
tests/nodedevmdevctltest.c | 54 ++++++
tools/virsh-nodedev.c | 139 +++++++++++++++
17 files changed, 727 insertions(+), 6 deletions(-)
create mode 100644 tests/nodedevmdevctldata/mdevctl-autostart.argv
--
2.31.1
3 years, 4 months
[PATCH v2 0/4] Ring support (Libvirt)
by huangy81@chinatelecom.cn
From: Hyman Huang(黄勇) <huangy81(a)chinatelecom.cn>
v2
- split patchset into 4 patches
- leave out the tcg case when building commandline.
- handle the VIR_DOMAIN_KVM_DIRTY_RING case independently in ,
virDomainFeatureDefParse and virDomainDefFeaturesCheckABIStability,
do not integrate it with other cases...
- add dirty ring size check in virDomainDefFeaturesCheckABIStability
- modify zero checks on integers of dirty ring size in an explicit way.
- set the default value of dirty ring size in a post-parser callback.
- check the absence of kvm_feature in an explicit way.
- code cleanup of the virTristateSwitchTypeToString function.
this version's modifications are mostly based on Peter's advice, thanks
a lot, please review!
Best Regards !
Hyman Huang(黄勇)
v1
since qemu has introduced a dirty ring feature in 6.1.0, maybe it's
the right time to introduce dirty ring in libvirt as well.
this patch adds a feature named 'dirty-ring', which enables the dirty ring
feature when starting a vm. to try this out, three things have been done
in this patchset:
- introduce QEMU_CAPS_ACCEL so that libvirt can use it to select
the right option when specifying the accelerator type.
- switch the option "-machine accel=xxx" to "-accel xxx" when specifying
the accelerator type when libvirt builds the QEMU command line, so that
the dirty-ring-size property can be passed to qemu when starting a vm.
- introduce dirty_ring_size to hold the ring size configured by the user
and pass dirty_ring_size when building the qemu commandline if the dirty
ring feature is enabled.
though dirty ring is per-cpu logically, the size of the dirty ring is
registered by 'struct kvm' in QEMU. so we would like to place the
dirty_ring_size as a property of the vm in Libvirt as QEMU does.
the dirty ring feature is disabled by default, and if enabled, the
default value of the ring size is 4096 if the size is not configured.
for more details about dirty ring and "-accel" option, please refer to:
https://lore.kernel.org/qemu-devel/20210108165050.406906-10-peterx@redhat...
https://lore.kernel.org/qemu-devel/3aa73987-40e8-3619-0723-9f17f73850bd@r...
please review, Thanks!
Best Regards !
Hyman Huang(黄勇) (4):
qemu_capabilities: introduce QEMU_CAPS_ACCEL
qemu_command: switch accelerator option to new style
conf: introduce dirty_ring_size in struct "_virDomainDef"
qemu: support dirty ring feature
docs/formatdomain.rst | 16 +++---
docs/schemas/domaincommon.rng | 10 ++++
src/conf/domain_conf.c | 66 ++++++++++++++++++++++
src/conf/domain_conf.h | 4 ++
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 42 +++++++++++++-
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.sparc.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_6.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_6.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 +
...64-default-cpu-kvm-virt-4.2.aarch64-latest.args | 3 +-
.../aarch64-features-sve.aarch64-latest.args | 3 +-
.../channel-unix-guestfwd.x86_64-latest.args | 3 +-
.../clock-timer-armvtimer.aarch64-latest.args | 3 +-
.../console-virtio-unix.x86_64-latest.args | 3 +-
.../cpu-Icelake-Server-pconfig.x86_64-3.1.0.args | 3 +-
.../cpu-Icelake-Server-pconfig.x86_64-latest.args | 3 +-
.../cpu-tsc-frequency.x86_64-4.0.0.args | 3 +-
.../cpu-tsc-high-frequency.x86_64-latest.args | 3 +-
.../default-video-type-aarch64.aarch64-latest.args | 3 +-
.../default-video-type-ppc64.ppc64-latest.args | 3 +-
.../default-video-type-s390x.s390x-latest.args | 3 +-
.../disk-cdrom-network.x86_64-2.12.0.args | 3 +-
.../disk-cdrom-network.x86_64-latest.args | 3 +-
.../disk-network-http.x86_64-latest.args | 3 +-
.../hugepages-memaccess3.x86_64-latest.args | 3 +-
.../intel-iommu-aw-bits.x86_64-latest.args | 3 +-
.../intel-iommu-caching-mode.x86_64-latest.args | 3 +-
.../intel-iommu-device-iotlb.x86_64-latest.args | 3 +-
.../intel-iommu-eim.x86_64-latest.args | 3 +-
...ty-sev-missing-platform-info.x86_64-2.12.0.args | 3 +-
.../launch-security-sev.x86_64-2.12.0.args | 3 +-
.../launch-security-sev.x86_64-6.0.0.args | 3 +-
...emfd-memory-default-hugepage.x86_64-latest.args | 3 +-
.../memfd-memory-numa.x86_64-latest.args | 3 +-
.../memory-hotplug-virtio-pmem.x86_64-5.2.0.args | 3 +-
.../memory-hotplug-virtio-pmem.x86_64-latest.args | 3 +-
.../os-firmware-bios.x86_64-latest.args | 3 +-
...irmware-efi-no-enrolled-keys.x86_64-latest.args | 3 +-
.../os-firmware-efi-secboot.x86_64-latest.args | 3 +-
.../os-firmware-efi.x86_64-latest.args | 3 +-
.../parallel-unix-chardev.x86_64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-2.7.ppc64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-3.1.ppc64-latest.args | 3 +-
...4-default-cpu-kvm-pseries-4.2.ppc64-latest.args | 3 +-
...efault-cpu-kvm-ccw-virtio-2.7.s390x-latest.args | 3 +-
...efault-cpu-kvm-ccw-virtio-4.2.s390x-latest.args | 3 +-
.../smartcard-passthrough-unix.x86_64-latest.args | 3 +-
.../usb-redir-unix.x86_64-latest.args | 3 +-
.../vhost-user-fs-fd-memory.x86_64-latest.args | 3 +-
.../virtio-rng-builtin.x86_64-5.2.0.args | 3 +-
.../virtio-rng-builtin.x86_64-latest.args | 3 +-
.../virtio-rng-egd-unix.x86_64-5.2.0.args | 3 +-
.../virtio-rng-egd-unix.x86_64-latest.args | 3 +-
...86_64-default-cpu-kvm-pc-4.2.x86_64-latest.args | 3 +-
...6_64-default-cpu-kvm-q35-4.2.x86_64-latest.args | 3 +-
91 files changed, 263 insertions(+), 54 deletions(-)
--
1.8.3.1
3 years, 4 months
[PATCH] build: fix logic for enabling libssh/libssh2 checks
by Daniel P. Berrangé
When 'driver_remote' is 'auto', the 'enabled()' method does not
evaluate to true, causing the libssh/libssh2 checks to be skipped.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
meson.build | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index 9caae5521b..1fab424fde 100644
--- a/meson.build
+++ b/meson.build
@@ -1005,7 +1005,7 @@ else
endif
libssh_version = '0.7'
-if get_option('driver_remote').enabled()
+if not get_option('driver_remote').disabled()
libssh_dep = dependency('libssh', version: '>=' + libssh_version, required: get_option('libssh'))
if libssh_dep.found()
conf.set('WITH_LIBSSH', 1)
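Review bot: `not get_option('driver_remote').disabled()` is true for both `auto` and `enabled`, so with `driver_remote=auto` and `libssh=enabled` the `required: get_option('libssh')` argument now makes a missing libssh a hard configure failure, even in a build where the remote driver would end up off. If that is not intended, gate the check on the resolved state of the remote driver; otherwise say in the commit message that `auto` is meant to behave like `enabled` here.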
@@ -1028,7 +1028,7 @@ else
endif
libssh2_version = '1.3'
-if get_option('driver_remote').enabled()
+if not get_option('driver_remote').disabled()
libssh2_dep = dependency('libssh2', version: '>=' + libssh2_version, required: get_option('libssh2'))
if libssh2_dep.found()
conf.set('WITH_SSH2', 1)
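Review bot: this is the same condition as in the libssh block above, now written out twice. Evaluating `not get_option('driver_remote').disabled()` once into a variable and using it for both the libssh and libssh2 checks would keep the two from drifting apart the next time the logic changes.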
--
2.31.1
3 years, 4 months
[PATCH] rpc: prefer SHA256 host key fingerprint with new libssh
by Daniel P. Berrangé
The host key fingerprint for SSH servers is used in a scenario where
cryptographic strength is important. We should thus be defaulting to
use of SHA256 where available. We only need SHA1 for Ubuntu 18.04
which does not have libssh >= 0.8.1
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/rpc/virnetlibsshsession.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/rpc/virnetlibsshsession.c b/src/rpc/virnetlibsshsession.c
index 50ace5f41d..22d54c99be 100644
--- a/src/rpc/virnetlibsshsession.c
+++ b/src/rpc/virnetlibsshsession.c
@@ -39,6 +39,12 @@ VIR_LOG_INIT("rpc.netlibsshsession");
#define VIR_NET_LIBSSH_BUFFER_SIZE 1024
+#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 8, 1)
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA1
+#else
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA256
+#endif
+
/* TRACE_LIBSSH=<level> enables tracing in libssh itself.
* The meaning of <level> is described here:
* https://api.libssh.org/master/group__libssh__log.html
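Review bot: the `#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 8, 1)` fallback has no comment saying why SHA1 is still allowed. The commit message says it is only needed for Ubuntu 18.04, and that belongs next to the macro so the weaker branch is dropped once that platform is no longer supported. It would also help to state that SHA1 is a compatibility path, not an equivalent choice.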
@@ -203,9 +209,10 @@ virLibsshServerKeyAsString(virNetLibsshSession *sess)
return NULL;
}
- /* calculate remote key hash, using SHA1 algorithm that is
- * usual in OpenSSH. The returned value must be freed */
- ret = ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA1,
+ /* calculate remote key hash, using SHA256 algorithm that is
+ * the default in modern OpenSSH, fallback to SHA1 for older
+ * libssh. The returned value must be freed */
+ ret = ssh_get_publickey_hash(key, VIR_SSH_HOSTKEY_HASH,
&keyhash, &keyhashlen);
ssh_key_free(key);
if (ret < 0) {
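Review bot: after the switch to `VIR_SSH_HOSTKEY_HASH`, the digest returned by `ssh_get_publickey_hash()` differs in algorithm and length depending on the libssh version libvirt was built against. If the string produced from `keyhash` does not already name the algorithm, the fingerprint shown for verification should be labelled SHA1 or SHA256, so a user comparing it against the server's published fingerprint knows which one to match. A host-key test run against both libssh versions would confirm that nothing assumes the SHA1 digest length.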
--
2.31.1
3 years, 4 months
[PATCH v2] ci: Also perform package upgrades on macOS and FreeBSD
by Martin Kletzander
The base OS image might include outdated contents, and we don't
want to get spurious failures caused by bugs that have already been
fixed in the respective packages.
This is particularly important on macOS, because 'brew install foo'
will fail if 'foo' is already installed but outdated: upgrading all
packages first ensures we never run into this scenario.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
.gitlab-ci.yml | 4 ++++
ci/cirrus/build.yml | 1 +
2 files changed, 5 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3fa616261e93..3cb6ff5e6b26 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -115,6 +115,7 @@ stages:
-e "s|[@]CIRRUS_VM_IMAGE_SELECTOR@|$CIRRUS_VM_IMAGE_SELECTOR|g"
-e "s|[@]CIRRUS_VM_IMAGE_NAME@|$CIRRUS_VM_IMAGE_NAME|g"
-e "s|[@]UPDATE_COMMAND@|$UPDATE_COMMAND|g"
+ -e "s|[@]UPGRADE_COMMAND@|$UPGRADE_COMMAND|g"
-e "s|[@]INSTALL_COMMAND@|$INSTALL_COMMAND|g"
-e "s|[@]PATH@|$PATH_EXTRA${PATH_EXTRA:+:}\$PATH|g"
-e "s|[@]PKG_CONFIG_PATH@|$PKG_CONFIG_PATH|g"
@@ -423,6 +424,7 @@ x64-freebsd-12-build:
CIRRUS_VM_IMAGE_SELECTOR: image_family
CIRRUS_VM_IMAGE_NAME: freebsd-12-2
UPDATE_COMMAND: pkg update
+ UPGRADE_COMMAND: pkg upgrade -y
INSTALL_COMMAND: pkg install -y
x64-freebsd-13-build:
@@ -433,6 +435,7 @@ x64-freebsd-13-build:
CIRRUS_VM_IMAGE_SELECTOR: image_family
CIRRUS_VM_IMAGE_NAME: freebsd-13-0
UPDATE_COMMAND: pkg update
+ UPGRADE_COMMAND: pkg upgrade -y
INSTALL_COMMAND: pkg install -y
x64-macos-11-build:
@@ -443,6 +446,7 @@ x64-macos-11-build:
CIRRUS_VM_IMAGE_SELECTOR: image
CIRRUS_VM_IMAGE_NAME: big-sur-base
UPDATE_COMMAND: brew update
+ UPGRADE_COMMAND: brew upgrade
INSTALL_COMMAND: brew install
PATH_EXTRA: /usr/local/opt/ccache/libexec:/usr/local/opt/gettext/bin:/usr/local/opt/libpcap/bin:/usr/local/opt/libxslt/bin:/usr/local/opt/rpcgen/bin
PKG_CONFIG_PATH: /usr/local/opt/curl/lib/pkgconfig:/usr/local/opt/libpcap/lib/pkgconfig:/usr/local/opt/libxml2/lib/pkgconfig:/usr/local/opt/ncurses/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig
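Review bot: `UPGRADE_COMMAND: brew upgrade` upgrades every formula in the `big-sur-base` image, so the set of package versions in a macOS job is whatever is current at run time and can change between two runs of the same commit. That is the trade-off the commit message accepts. Consider printing the installed versions after the install step so a failure caused by a new package version can be told apart from a libvirt regression.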
diff --git a/ci/cirrus/build.yml b/ci/cirrus/build.yml
index 39c17dc08a43..867d5f297b7e 100644
--- a/ci/cirrus/build.yml
+++ b/ci/cirrus/build.yml
@@ -15,6 +15,7 @@ env:
build_task:
install_script:
- @UPDATE_COMMAND@
+ - @UPGRADE_COMMAND@
- @INSTALL_COMMAND@ @PKGS@
- if test -n "@PYPI_PKGS@" ; then @PIP3@ install @PYPI_PKGS@ ; fi
clone_script:
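Review bot: the new `- @UPGRADE_COMMAND@` entry is filled by the sed expression added in `.gitlab-ci.yml`, and if a job using this template leaves `UPGRADE_COMMAND` unset it expands to an empty list item in `install_script`. The three jobs visible in this patch all define it; please confirm no other Cirrus job uses the template without the variable, or give it a harmless default.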
--
2.32.0
3 years, 4 months