July 2021 - Devel - libvirt List Archives

[PATCH v2 0/3] Do not erase duplicate devices from namespace
by Kristina Hanicova 15 Jul '21

15 Jul '21

This is v2 of: https://listman.redhat.com/archives/libvir-list/2021-July/msg00129.html Changes since v1 (suggested by Michal and Jano): * change of int variable to one-word bool * isolate changes outside of qemu to separate patch * rewritten assignment of return value * slight change of documentation * extension of use to all devices, not just input * @created variable is set in one core function instead of setting it in each device function separately Kristina Hanicova (3): qemu: Check for existing file in namespace virprocess: Return retval of the child on success, not 0 qemu: Do not erase duplicate devices from namespace if error occurs src/qemu/qemu_domain.c | 4 +-- src/qemu/qemu_hotplug.c | 27 +++++---------- src/qemu/qemu_namespace.c | 71 +++++++++++++++++++++++++-------------- src/qemu/qemu_namespace.h | 18 ++++++---- src/qemu/qemu_process.c | 2 +- src/util/virprocess.c | 12 ++++--- 6 files changed, 75 insertions(+), 59 deletions(-) -- 2.31.1

2 6

[libvirt][PATCH v5 0/6] Support query and use SGX
by Haibin Huang 15 Jul '21

15 Jul '21

This patch series provides support for enabling Intel's Software Guard Extensions (SGX) feature in guest VM. Giving the SGX support in QEMU is still pending for reviewing, this patch series is not submmited for code review, but only describe the SGX enabling solution design that contains changes to virConnectGetDomainCapabilities API response and domain definition. All comments/suggestions would be highly appreciated. Intel Software Guard Extensions (Intel® SGX) is a set of instructions that increases the security of application code and data, giving them more protection from disclosure or modification. Developers can partition sensitive information into enclaves, which are areas of execution in memory with more security protection. The typical flow looks below at very high level: 1. Calls virConnectGetDomainCapabilities API to domain capabilities that includes the following SGX information. <feature> ... <sgx supported='yes'> <epc_size unit=’KiB’>N</epc_size> </sgx> </feature> 2. User requests to start a guest calling virCreateXML() with SGX requirement. It should contain <launchSecurity type='sgx'> <epc_size unit='KiB'>N</epc_size> </launchSecurity> Haibin Huang (4): Support to query SGX capability Add guest use sgx document Add create guest unit test Add get qemu and domain capabilities unit test Lin Yang (2): conf: Introduce SGX related element into domain xml qemu: Add command-line to generate SGX EPC memory backend docs/formatdomain.rst | 28 +- docs/schemas/domaincaps.rng | 20 + docs/schemas/domaincommon.rng | 62 +- src/conf/domain_capabilities.c | 29 + src/conf/domain_capabilities.h | 13 + src/conf/domain_conf.c | 128 +- src/conf/domain_conf.h | 10 + src/conf/virconftypes.h | 3 + src/libvirt_private.syms | 1 + src/qemu/qemu_capabilities.c | 139 + src/qemu/qemu_capabilities.h | 6 + src/qemu/qemu_command.c | 23 + src/qemu/qemu_monitor.c | 10 + src/qemu/qemu_monitor.h | 3 + src/qemu/qemu_monitor_json.c | 87 + src/qemu/qemu_monitor_json.h | 3 + tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 + tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 + tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 + tests/domaincapsdata/empty.xml | 1 + tests/domaincapsdata/libxl-xenfv.xml | 1 + tests/domaincapsdata/libxl-xenpv.xml | 1 + .../domaincapsdata/qemu_1.5.3-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_1.5.3-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_1.5.3.x86_64.xml | 1 + .../domaincapsdata/qemu_1.6.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_1.6.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_1.6.0.x86_64.xml | 1 + .../domaincapsdata/qemu_1.7.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_1.7.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_1.7.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.1.1-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.1.1-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.1.1.x86_64.xml | 1 + .../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 + .../qemu_2.10.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 + .../qemu_2.12.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.4.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.4.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.4.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.5.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.5.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.5.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.6.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.6.0-tcg.x86_64.xml | 1 + .../qemu_2.6.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.6.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_2.6.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_2.6.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.7.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.7.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.7.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.7.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.8.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.8.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.8.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.8.0.x86_64.xml | 1 + .../domaincapsdata/qemu_2.9.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_2.9.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_2.9.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_2.9.0.s390x.xml | 1 + tests/domaincapsdata/qemu_2.9.0.x86_64.xml | 1 + .../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 + tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 + .../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 + .../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 + .../qemu_4.0.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 + tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 + .../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 + .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 + .../qemu_4.2.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 + tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 + .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 + .../qemu_5.0.0-virt.aarch64.xml | 1 + tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 + tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 + tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 + .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 + .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 + tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 + .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 210 + .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 204 + tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 210 + .../launch-security-sgx.xml | 20 + tests/genericxml2xmltest.c | 1 + .../caps_5.2.0.x86_64.replies | 29694 ++++++++++++++++ .../caps_5.2.0.x86_64.xml | 3194 ++ .../launch-security-sgx.x86_64-5.1.0.args | 40 + .../qemuxml2argvdata/launch-security-sgx.xml | 34 + tests/qemuxml2argvtest.c | 1 + 122 files changed, 34214 insertions(+), 55 deletions(-) create mode 100644 tests/domaincapsdata/qemu_5.2.0-q35.x86_64.xml create mode 100644 tests/domaincapsdata/qemu_5.2.0-tcg.x86_64.xml create mode 100644 tests/domaincapsdata/qemu_5.2.0.x86_64.xml create mode 100644 tests/genericxml2xmlindata/launch-security-sgx.xml create mode 100644 tests/qemucapabilitiesdata/caps_5.2.0.x86_64.replies create mode 100644 tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml create mode 100644 tests/qemuxml2argvdata/launch-security-sgx.x86_64-5.1.0.args create mode 100644 tests/qemuxml2argvdata/launch-security-sgx.xml -- 2.17.1

1 6

[PATCH v2 0/9] ch: Add Console support
by William Douglas 15 Jul '21

15 Jul '21

This series enables console support in the cloud-hypervisor driver. Cloud-hypervisor only supports a single console or serial device at a time, hence the checks to ensure the domain configuration is only passing one or the other. Changes since v1: * Added missing patch to add the virChrdev device * Added handling for multiple curl WRITEFUNCTION call backs * Added missing free for data.content * Removed redundant console configuration check * Improved handling of pty JSON data to make use of g_autoptr * Squashed two patches William Douglas (9): ch_domain: Add virChrdevs for console support ch_monitor: Make unused function static ch_monitor: Update virCHMonitorGet to handle accept a response ch_monitor: Use virCHMonitorGet to access cloud-hypervisor API ch_monitor: Add pty json builder function ch_process: Handle enabled console devices ch_process: Update the domain with console path information ch_domain: Allow controller and chr devices ch_driver: Add handler for console API src/ch/ch_domain.c | 11 ++++- src/ch/ch_domain.h | 3 ++ src/ch/ch_driver.c | 78 +++++++++++++++++++++++++++++ src/ch/ch_monitor.c | 118 ++++++++++++++++++++++++++++++++++++++++++-- src/ch/ch_monitor.h | 3 ++ src/ch/ch_process.c | 67 +++++++++++++++++++++++++ 6 files changed, 274 insertions(+), 6 deletions(-) -- 2.31.1

1 9

[libvirt PATCH v2 0/1] Prevent expanding worker pool by zero
by Tim Wiederhake 15 Jul '21

15 Jul '21

V1: https://listman.redhat.com/archives/libvir-list/2021-July/msg00217.html Changes since V1: * Fix this not in virThreadPoolExpand, but in virThreadPoolNewFull. * Expanded the commit message. Tim Wiederhake (1): virThreadPoolNewFull: Prevent expanding worker pool by zero src/util/virthreadpool.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.31.1

2 2

[PATCH v1] apparmor: Allow /usr/libexec for private xen-tools binaries
by Olaf Hering 15 Jul '21

15 Jul '21

This is a followup for commit e906c4d02bdcddf141b4d124afd68c8ee10134fe ("apparmor: Allow /usr/libexec for libxl-save-helper and pygrub"): In recent rpm versions --libexecdir changed from /usr/lib64 to /usr/libexec. A plain rpmbuild %configure in xen.git will install all files, including the private copies of qemu, into /usr/libexec/xen/bin. Expand the existing pattern to cover also this libexecdir variant. Signed-off-by: Olaf Hering <olaf(a)aepfle.de> --- src/security/apparmor/usr.sbin.libvirtd.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 928782b709..f2ab6ff2aa 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -88,7 +88,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { @sbindir@/* PUx, /{usr/,}lib/udev/scsi_id PUx, /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, - /usr/{lib,lib64}/xen/bin/* Ux, + /usr/{lib,lib64,libexec}/xen/bin/* Ux, /usr/{lib,libexec}/xen-*/bin/libxl-save-helper PUx, /usr/{lib,libexec}/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,

3 2

[PATCH 0/2] virDir* related cleanups
by Michal Privoznik 15 Jul '21

15 Jul '21

*** BLURB HERE *** Michal Prívozník (2): syntax-check: s/VIR_DIR_CLOSE/g_autoptr(DIR)/ virfile: Update example use of virDirRead() build-aux/syntax-check.mk | 2 +- src/util/virfile.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 2.31.1

2 3

[libvirt PATCH 00/10] virHashNew refactorings - part IV
by Tim Wiederhake 14 Jul '21

14 Jul '21

"virHashNew" cannot return NULL, yet we check for NULL in various places. See https://listman.redhat.com/archives/libvir-list/2021-July/msg00074.html. Tim Wiederhake (10): conf: Add AUTOPTR_CLEANUP_FUNC for virNWFilterBindingDef virNWFilterBindingDefCopy: `virHashNew` cannot return NULL virNWFilterBindingDefCopy: Use automatic memory management virNWFilterBindingDefCopy: Remove superfluous `goto`s virNWFilterBindingDefForNet: `virHashNew` cannot return NULL virNWFilterBindingDefForNet: Use automatic memory management virNWFilterBindingDefForNet: Remove superfluous `goto`s virNWFilterBindingObjListNew: `virHashNew` cannot return NULL virNWFilterBuildAll: `virHashNew` cannot return NULL virNWFilterDHCPSnoopInit: `virHashNew` cannot return NULL src/conf/domain_nwfilter.c | 15 ++++----------- src/conf/virnwfilterbindingdef.c | 15 ++++----------- src/conf/virnwfilterbindingdef.h | 2 ++ src/conf/virnwfilterbindingobjlist.c | 5 +---- src/nwfilter/nwfilter_dhcpsnoop.c | 17 ----------------- src/nwfilter/nwfilter_gentech_driver.c | 3 +-- 6 files changed, 12 insertions(+), 45 deletions(-) -- 2.31.1

2 11

[PATCH V3 0/2] Apparmor: Add profiles for hypervisor daemons
by Jim Fehlig 14 Jul '21

14 Jul '21

V2: https://listman.redhat.com/archives/libvir-list/2021-June/msg00676.html V1: https://listman.redhat.com/archives/libvir-list/2021-June/msg00456.html Changes since V2: Patches 3 and 4 ACKed and pushed since they are bug fixes independent of modular vs monolithic daemons. The qemu_bridge_helper subprofile in patch 1 was adjusted for communication with virtqemud instead of libvirtd. After snooping through git history, I found a few capabilities explicitly added for xen that have been added back to the virtxend profile. Note: The profile for virtlxcd will have to wait until the following issue is fixed https://gitlab.com/libvirt/libvirt/-/issues/181 Jim Fehlig (2): Apparmor: Add profile for virtqemud Apparmor: Add profile for virtxend src/security/apparmor/libvirt-qemu | 3 + src/security/apparmor/meson.build | 2 + src/security/apparmor/usr.sbin.virtqemud.in | 134 ++++++++++++++++++++ src/security/apparmor/usr.sbin.virtxend.in | 55 ++++++++ 4 files changed, 194 insertions(+) create mode 100644 src/security/apparmor/usr.sbin.virtqemud.in create mode 100644 src/security/apparmor/usr.sbin.virtxend.in -- 2.31.1

4 7

[libvirt PATCH v2 00/10] virHashNew refactorings - part II
by Tim Wiederhake 14 Jul '21

14 Jul '21

"virHashNew" cannot return NULL, yet we check for NULL in various places. V1: https://listman.redhat.com/archives/libvir-list/2021-July/msg00188.html Changes since V1: * Moved the inversion of the `if` condition in patch #9 to patch #8 * Only patches #8 and #9 are missing review Tim Wiederhake (10): virNWFilterCreateVarsFrom: `virHashNew` cannot return NULL virNWFilterCreateVarsFrom: Use automatic memory management virNWFilterCreateVarsFrom: Remove superfluous `goto`s virNWFilterRuleDefToRuleInst: `virHashNew` cannot return NULL iptablesPrivateChainCreate: `virHashNew` cannot return NULL iptablesPrivateChainCreate: Use automatic memory management iptablesPrivateChainCreate: Remove superfluous `goto`s qemuMonitorGetMemoryDeviceInfo: Assign hash table only on success qemuMonitorGetMemoryDeviceInfo: Use automatic memory management qemuMonitorGetMemoryDeviceInfo: `virHashNew` cannot return NULL src/qemu/qemu_monitor.c | 10 +++------- src/util/viriptables.c | 20 +++++--------------- tests/nwfilterxml2firewalltest.c | 18 ++++++------------ 3 files changed, 14 insertions(+), 34 deletions(-) -- 2.31.1

2 12

[PATCH] virt-aa-helper: Allow swtpm to fsync on dir
by Stefan Berger 14 Jul '21

14 Jul '21

Allow swtpm (0.7.0 or later) to fsync on the directory where it writes its state files into so that "the entry in the directory containing the file has also reached disk" (fsync(2)). Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com> --- src/security/virt-aa-helper.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 52cfebf6e0..e21557c810 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl) " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n", RUNSTATEDIR, shortName); /* Paths for swtpm to use: give it access to its state - * directory, log, and PID files. + * directory (state files and fsync on dir), log, and PID files. */ + virBufferAsprintf(&buf, + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n", + LOCALSTATEDIR, uuidstr, tpmpath); virBufferAsprintf(&buf, " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", LOCALSTATEDIR, uuidstr, tpmpath); -- 2.31.1

4 4