Plans for the next release
by Jiri Denemark
We are getting close to the next release of libvirt. To aim for the
release on May 02 I suggest entering the freeze on Tuesday Apr 26 and
tagging RC2 on Friday Apr 29.
I hope this works for everyone.
Jirka
2 years, 7 months
[PATCH] apparmor: Allow swtpm to use its own apparmor profile
by Daniel P. Berrangé
From: Lena Voytek <lena.voytek(a)canonical.com>
Signed-off-by: Lena Voytek <lena.voytek(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
FYI this was merged via gitlab
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
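Review bot: the `rmix` to `rmpix` change on the swtpm line falls back to inheriting the libvirt-qemu profile whenever no swtpm profile is loaded on the host, and this patch carries no commit message saying that fallback is intended; suggest adding a sentence that `pix` was chosen so hosts without a packaged swtpm profile keep working, and naming the profile the new `peer=(label=swtpm)` rules expect.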
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
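Review bot: the added `unix ... peer=(label=swtpm)` rule hard-codes the profile name `swtpm`, whereas the neighbouring rules list both the bare name and the path form (`libvirtd` and `/usr/sbin/libvirtd`); if a distribution names the swtpm profile by its binary path instead, this rule will not match and the socket traffic to swtpm is denied. Suggest adding the path form as the surrounding lines do, or documenting that the profile must be named exactly `swtpm`.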
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
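Review bot: `ptrace (read,trace) peer=swtpm,` grants `trace` in addition to `read`; if libvirtd only needs to read swtpm's /proc entries, `read` alone may suffice, and the patch has no description explaining which is needed. Matching the dnsmasq lines above is defensible, but a one-line commit message stating why libvirtd must ptrace swtpm would let a reviewer confirm the narrower permission is not enough.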
--
2.35.1
2 years, 7 months
virThread: why no return values permitted in thread API?
by Claudio Fontana
Hi,
I noticed that in the virThread API, return values from threads are explicitly excluded from the API.
The "virThreadHelper" sits in the middle between the caller of virThreadCreate and pthread, making it impossible to return a value from the thread to check after joining it.
I'd need to know if the thread execution is successful or not when I join the thread,
so what is the reason for this choice?
Should I use pthread directly instead?
Thanks,
Claudio
--
Claudio Fontana
Engineering Manager Virtualization, SUSE Labs Core
SUSE Software Solutions Italy Srl
2 years, 7 months
Network disks and replacing qemu-block-curl|ssh with nbdkit
by Jonathon Jongsma
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2016527,
RHEL is planning to remove dependencies on the qemu-block-curl and
qemu-block-ssh plugins from the main qemu package. This creates issues
for libvirt for supporting network disk sources. So I've been looking
into using nbdkit from libvirt to proxy these network disks to qemu as
NBD disks.
The basic idea is that libvirt will spin up an nbdkit instance for e.g.
an https network disk source, and will provide the resulting unix socket
to qemu as an nbd disk. This allows libvirt to continue supporting
http/ftp/ssh disk sources regardless of whether the qemu block plugins
are installed or not.
However, there are a couple of issues and feature gaps that I've run
into that I'd like to discuss.
1. secrets
There is some code in libvirt[1] which seems to expect that it is
possible for http(s) disk sources to have a username and password
specified. However, I can't find any valid xml schema for specifying an
http username and password, and my reading of the code suggests that
there shouldn't be any way for these to be set for http(s)/ftp(s) disk
sources either since auth is only supported for ISCSI and RBD protocols
[2]. Am I missing something?
[1] https://gitlab.com/libvirt/libvirt/-/blob/6be7beb3bdb9ad611a5598dad7edfbd...
[2] https://gitlab.com/libvirt/libvirt/-/blob/6be7beb3bdb9ad611a5598dad7edfbd...
If it *is* possible for the username/password to be set for these disks,
then we have the issue that these sensitive pieces of data have so far
been passed as encrypted data to qemu using qemu secrets. But if nbdkit
is handling the http requests, we need to pass this data to nbdkit
rather than qemu and so we can no longer use qemu secrets. The same
issue applies to http cookies, which could potentially include
security-sensitive data such as login credentials, etc.
Fortunately, nbdkit provides a method for reading cookies and passwords
from a file, which should be secure if the file has permissions set
properly. So I'm currently planning to write a file containing the
cookies and pass them to nbdkit by specifying the filename. But I'm
still confused about the username/password possibility.
2. readahead
The libvirt xml format allows specifying a readahead size for disks that
are handled by the qemu-block-curl plugin. Unfortunately, nbdkit doesn't
currently support any readahead configuration. In nbdkit, readahead is
handled by an nbdkit "filter" that takes no configuration options
(`nbdkit --filter=readahead ...`). In theory, this filter tries to
adaptively read ahead. But when I discussed it with Rich, he suggested
that he had stopped using it in virt-v2v because it was causing more
trouble than it was worth. He also suggested that this readahead filter
might need a complete rewrite, and presumably the rewrite could include
the ability to configure a readahead buffer size. But I'm not sure what
the timeframe might be for that.
3. blockdev-create
There is support in libvirt[3] for creating ssh network disks by sending
a 'blockdev-create' command to qemu. If qemu is no longer handling ssh
network disk sources directly, this feature becomes significantly more
complicated. I don't yet know enough about this part of the libvirt code
to know what further complications might pop up here. From my reading of
the code, this is mostly triggered by things like `virsh blockcopy`,
`virsh backup-begin`, etc. But nbdkit cannot currently do this. Rich
pointed me to a recent commit[4] where he added disk creation to the
nbdkit vddk plugin, and suggested that something similar could be added
for the nbdkit ssh plugin.
[3] https://gitlab.com/libvirt/libvirt/-/blob/6be7beb3bdb9ad611a5598dad7edfbd...
[4] https://gitlab.com/nbdkit/nbdkit/-/commit/a39d5773afc3ebab7e5768118a2bccb...
It seems to me that it's essential that we resolve #3 before we can move
forward with nbdkit support in libvirt. (Although I admit that I have no
idea how common it is for people to use ssh disks so I suppose there's a
slim possibility that we could just disable the 'create disk' feature
for ssh disks without any practical loss of functionality?) But it's
less obvious to me whether we could move ahead despite missing readahead
size configuration, etc.
Thoughts?
Jonathon
2 years, 7 months
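The secret handling from item 1 above, as an added example that is neither libvirt's code nor from this thread: the cookie or password file is created with mode 0600 before any data is written, then nbdkit is pointed at the file instead of being given the value on its command line, so the secret never shows up in /proc/<pid>/cmdline. The nbdkit option spellings (`-U`, `--exit-with-parent`, `password=+FILE`, `cookie=+FILE`) are taken from my reading of the nbdkit manuals and are assumptions, and all paths and values are constructed.

```python
import os
import stat
import tempfile


def make_workdir():
    """Private scratch directory (constructed for the demo, not libvirt's real path)."""
    return tempfile.mkdtemp(prefix="nbdkit-secrets-")


def write_secret_file(directory, name, data, mode=0o600):
    """Create the cookie/password file with its final mode before any data lands.

    O_EXCL refuses an existing path, so a symlink planted in the directory
    cannot redirect the write; fchmod pins the mode regardless of umask.
    """
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.fchmod(fd, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def secret_file_is_private(path):
    """True only for a regular file (not a symlink) with no group/other bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def build_nbdkit_argv(url, socket_path, password_file=None, cookie_file=None,
                      readahead=False):
    """argv for the nbdkit proxy libvirt would spawn for an http(s) disk source.

    'password=+FILE' / 'cookie=+FILE' make the curl plugin read the value from
    a file (nbdkit-curl-plugin syntax, assumed here), so the secret is absent
    from the command line that 'ps' or /proc/<pid>/cmdline would expose.
    """
    for secret in (password_file, cookie_file):
        if secret is not None and not secret_file_is_private(secret):
            raise PermissionError(f"secret file is readable by others: {secret}")
    argv = ["nbdkit", "--exit-with-parent", "-U", socket_path]
    if readahead:
        # the filter takes no size option, which is the gap the thread describes
        argv.append("--filter=readahead")
    argv += ["curl", f"url={url}"]
    if password_file:
        argv.append(f"password=+{password_file}")
    if cookie_file:
        argv.append(f"cookie=+{cookie_file}")
    return argv


def qemu_nbd_source(socket_path):
    """What qemu is handed in place of the https URL: an NBD unix-socket source."""
    return f"nbd+unix:///?socket={socket_path}"
```

The permission check runs on every spawn, so a file that was later loosened (or replaced by a symlink) is refused rather than quietly handed to nbdkit.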
[PATCH v2 00/34] Add 'version' to other exported types
by Victor Toso
Hi,
The goal of this patch series is to provide 'since' version to all
exported types.
This is the non-lazy version of v1. In this series, we do
change the docstrings of all exported types, to add the version
metadata, in order to have scripts/apibuild.py to fetch it and add
it to the appropriate XML API. This patch series also enforces
that every new exported type requires a docstring with the version
in the proper format.
v1: https://listman.redhat.com/archives/libvir-list/2022-April/229881.html
I've created a script that helped me out and it covered a good
amount of cases. I hand-fixed all the missing docstrings and
corner cases that my script missed.
As mentioned in v1, I've used:
git grep -rq $symbol $tag $includedir
This is used to find if a given $symbol exists in a given $tag or
not. $tag starts with v1.0.0 and I have ignored any $tag that does
not start with 'v' or has '-rc' in the name.
To help review this not so small changeset, the changes were split
in the following order:
* docs: generated: 98% work from the script. I've split it
further, by module + group type.
* docs: manual: -> 30% manual labor, 70% vim's macro. It was also
split where it seems reasonable.
* docs: (...) -> Some fixes needed in the docs.
* scripts: -> Improvements to apibuild script.
* syms: -> Some fixes found via the mismatch between
docstring and sym files.
Other than that, I only caught two false positives, that is, a $symbol
was present in a $tag but it was exported only at a later $tag.
Branch : https://gitlab.com/victortoso/libvirt/-/commits/add-since-version
Green CI: https://gitlab.com/victortoso/libvirt/-/pipelines/517262280
Cheers,
Victor
Victor Toso (34):
docs: Fix generated documentation of virConnectListAllNodeDeviceFlags
docs: variable: Move docstring from source to header file
docs: generated: enums: libvirt: append 'Since version' metadata
docs: generated: enums: qemu: append 'Since version' metadata
docs: generated: enums: admin: append 'Since version' metadata
docs: generated: macros: libvirt: append 'Since version' metadata
docs: generated: macros: admin: append 'Since version' metadata
docs: generated: typedefs: libvirt: append 'Since version' metadata
docs: generated: typedefs: qemu: append 'Since version' metadata
docs: generated: typedefs: admin: append 'Since version' metadata
docs: generated: functions: libvirt: append 'Since version' metadata
docs: generated: functions: qemu: append 'Since version' metadata
docs: generated: functions: lxc: append 'Since version' metadata
docs: generated: functions: admin: append 'Since version' metadata
docs: manual: typedef: add docstring and Since metadata
docs: manual: functions: add Since metadata
docs: manual: enums: add docstring and Since metadata
docs: manual: macros: add docstring and Since metadata
docs: manual: libvirt-common: add docstring and Since metadata
docs: Fix generated documentation of virStorageVolInfoFlags
docs: Fix and append Since to virConnectListAllStoragePoolsFlags
docs: Fix and append Since to virDomainDeviceModifyFlags
docs: Fix and append Since to virDomainMemoryModFlags
docs: Fix and append Since to virDomainVcpuFlags
scripts: apibuild: parse 'Since' version for enums
scripts: apibuild: fix parsing block comments from typedef enum
scripts: apibuild: parse 'Since' for typedefs
scripts: apibuild: parse 'Since' for macros
scripts: apibuild: parse 'Since' for functions
scripts: apibuild: factor out comment cleaning
scripts: apibuild: add parsing variable's comments
syms: admin: Add sections to match when API was introduced
syms: libvirt: move virDomainSetBlockThreshold to 3.2.0
syntax-check: sc_prohibit_nonreentrant: skip comments
build-aux/syntax-check.mk | 2 +-
include/libvirt/libvirt-admin.h | 95 +-
include/libvirt/libvirt-common.h.in | 54 +-
include/libvirt/libvirt-domain-checkpoint.h | 62 +-
include/libvirt/libvirt-domain-snapshot.h | 100 +-
include/libvirt/libvirt-domain.h | 2665 +++++++++++++++----
include/libvirt/libvirt-event.h | 35 +-
include/libvirt/libvirt-host.h | 320 ++-
include/libvirt/libvirt-interface.h | 33 +-
include/libvirt/libvirt-network.h | 195 +-
include/libvirt/libvirt-nodedev.h | 100 +-
include/libvirt/libvirt-nwfilter.h | 29 +-
include/libvirt/libvirt-qemu.h | 39 +-
include/libvirt/libvirt-secret.h | 81 +-
include/libvirt/libvirt-storage.h | 316 ++-
include/libvirt/libvirt-stream.h | 48 +-
include/libvirt/virterror.h | 428 +--
scripts/apibuild.py | 136 +-
src/admin/libvirt-admin.c | 93 +
src/admin/libvirt_admin_public.syms | 58 +-
src/libvirt-domain-checkpoint.c | 36 +
src/libvirt-domain-snapshot.c | 63 +
src/libvirt-domain.c | 557 +++-
src/libvirt-host.c | 102 +
src/libvirt-interface.c | 63 +
src/libvirt-lxc.c | 12 +
src/libvirt-network.c | 135 +
src/libvirt-nodedev.c | 81 +
src/libvirt-nwfilter.c | 72 +
src/libvirt-qemu.c | 18 +
src/libvirt-secret.c | 60 +
src/libvirt-storage.c | 171 ++
src/libvirt-stream.c | 51 +
src/libvirt.c | 29 +-
src/libvirt_public.syms | 8 +-
src/util/virerror.c | 45 +
src/util/virevent.c | 27 +
src/util/virtypedparam-public.c | 57 +
38 files changed, 5317 insertions(+), 1159 deletions(-)
--
2.35.1
2 years, 7 months
[PATCH] domain_cgroup: Fix a condition in virDomainCgroupConnectCgroup()
by Michal Privoznik
While parts of QEMU's CGroup code were moved under hypervisor
agnostic location (src/hypervisor/) a typo sneaked in. The
inspiration for virDomainCgroupConnectCgroup() comes from
qemuConnectCgroup(). The former is called upon reconnecting to a
running domain (after daemon restart). While the latter returned
early if the daemon was running unprivileged, the former returns
early if the daemon runs privileged. This is obviously wrong,
because root can set up CGroups.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2075765
Fixes: 788e2b58cb1896f1c25ebbdbde4bafddc5ed4dc9
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/hypervisor/domain_cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/hypervisor/domain_cgroup.c b/src/hypervisor/domain_cgroup.c
index 5af88155bc..8072465615 100644
--- a/src/hypervisor/domain_cgroup.c
+++ b/src/hypervisor/domain_cgroup.c
@@ -485,7 +485,7 @@ virDomainCgroupConnectCgroup(const char *prefix,
bool privileged,
char *machineName)
{
- if (privileged)
+ if (!privileged)
return 0;
if (!virCgroupAvailable())
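Review bot: the inverted check now returns 0 for an unprivileged daemon, matching the qemuConnectCgroup() behaviour the commit message describes, but nothing in the code records why; a one-line comment above `if (!privileged)` (for example `/* unprivileged daemons have no cgroup to reconnect to */`) would stop the polarity being flipped again in a future move or refactor, which is exactly how this typo crept in.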
--
2.35.1
2 years, 7 months
[libvirt PATCH] Fix copy-paste error in virNetServerSetClientAuthenticated
by Tim Wiederhake
Fixes: db16792aa90cab5c9886fc2990ec13fbb20a3fb5
Signed-off-by: Tim Wiederhake <twiederh(a)redhat.com>
---
src/rpc/virnetserver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c
index 9b333f1a6c..371b72c8d6 100644
--- a/src/rpc/virnetserver.c
+++ b/src/rpc/virnetserver.c
@@ -827,7 +827,7 @@ virNetServerSetClientAuthenticated(virNetServer *srv,
virNetServerClient *client)
{
VIR_LOCK_GUARD server_lock = virObjectLockGuard(srv);
- VIR_LOCK_GUARD client_lock = virObjectLockGuard(srv);
+ VIR_LOCK_GUARD client_lock = virObjectLockGuard(client);
virNetServerClientSetAuthLocked(client, VIR_NET_SERVER_SERVICE_AUTH_NONE);
virNetServerSetClientAuthCompletedLocked(srv, client);
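Review bot: beyond the copy-paste fix, the hunk shows that before this change `virNetServerClientSetAuthLocked(client, ...)` ran with `srv` locked twice and `client` not locked at all, so the `Locked` suffix was not honoured; the corrected version takes the server lock first and the client lock second, and a short comment stating that lock order would help every other call site touching both objects keep to it.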
--
2.31.1
2 years, 7 months
[libvirt PATCH 0/7] qemu: Retire two ppc64-specific capabilities
by Andrea Bolognani
All QEMU versions we support have the corresponding features.
Andrea Bolognani (7):
tests: Drop pseries-machine-max-cpu-compat
qemu: Assume QEMU_CAPS_MACHINE_PSERIES_MAX_CPU_COMPAT
qemu: Stop setting QEMU_CAPS_MACHINE_PSERIES_MAX_CPU_COMPAT
qemu: Retire QEMU_CAPS_MACHINE_PSERIES_MAX_CPU_COMPAT
qemu: Assume QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT
qemu: Stop setting QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT
qemu: Retire QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT
src/qemu/qemu_capabilities.c | 12 +++-----
src/qemu/qemu_capabilities.h | 4 +--
src/qemu/qemu_command.c | 8 +----
src/qemu/qemu_validate.c | 8 -----
.../qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_5.2.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_6.2.0.ppc64.xml | 2 --
.../qemucapabilitiesdata/caps_7.0.0.ppc64.xml | 2 --
.../pseries-machine-max-cpu-compat.args | 29 -------------------
.../pseries-machine-max-cpu-compat.xml | 17 -----------
tests/qemuxml2argvtest.c | 22 ++++----------
tests/qemuxml2xmltest.c | 1 -
15 files changed, 12 insertions(+), 103 deletions(-)
delete mode 100644 tests/qemuxml2argvdata/pseries-machine-max-cpu-compat.args
delete mode 100644 tests/qemuxml2argvdata/pseries-machine-max-cpu-compat.xml
--
2.35.1
2 years, 7 months
[libvirt PATCH] qemu: Shorten domain name in virtiofsd log path
by Martin Kletzander
This helps when starting domains with long names which could possibly end up
creating too long of a name for the filesystem.
The path is not being saved in the domain config, so there is no need for
backwards compatibility. User aliases will always start with "ua-" and the only
way paths could collide is to:
1) create a domain named e.g. "asdf-ua"
2) start the domain with virtiofsd debug logs
3) destroy the domain
4) restart libvirt daemon for domain IDs to start from 1 again
5) create a domain named "asdf"
6) add user alias for the virtiofs that is the same as was generated for the
first domain, with the required "ua-" prefix
7) start the "asdf" domain
at which point the logs for the two domains would end up in the same logfile.
Since this is still better than what we had before I think it is not worth
fixing this peculiar scenario in this patch.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817401
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_virtiofs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
index 7e3324b017ce..67df8b3890b6 100644
--- a/src/qemu/qemu_virtiofs.c
+++ b/src/qemu/qemu_virtiofs.c
@@ -81,8 +81,9 @@ qemuVirtioFSCreateLogFilename(virQEMUDriverConfig *cfg,
const char *alias)
{
g_autofree char *name = NULL;
+ g_autofree char *shortname = virDomainDefGetShortName(def);
- name = g_strdup_printf("%s-%s", def->name, alias);
+ name = g_strdup_printf("%s-%s", shortname, alias);
return virFileBuildPath(cfg->logDir, name, "-virtiofsd.log");
}
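Review bot: `shortname` is passed unchecked to `g_strdup_printf("%s-%s", shortname, alias)`; if `virDomainDefGetShortName(def)` can fail and return NULL, the log path would be built from `(null)` instead of the domain name and the error already reported by that function would be lost. Suggest `if (!shortname) return NULL;` before the format call. The `ua-` collision scenario from the commit message also deserves a brief comment next to this call, since the assumption lives here and not in the commit log.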
--
2.35.1
2 years, 7 months
what is virtunixd ? Is there such a daemon?
by Claudio Fontana
Hello,
as I experiment with virsh migration commands (and probably I do things that don't make sense),
I got an error I could not understand:
# virsh migrate centos7 unix:///tmp/netcat.sock
error: Failed to connect socket to '/var/run/libvirt/virtunixd-sock': No such file or directory
What is "/var/run/libvirt/virtunixd-sock" ?
Should I have a "virtunixd" process running?
I am building with non-modularized libvirtd currently, but I could not find a virtunixd module either...
Thanks,
Claudio
2 years, 7 months