[PATCH] esx: Change the default username when connecting to VCenter
by Michal Privoznik
While it's true that the default username is:
administrator@${SSO-Domain}
in the majority of cases the ${SSO-Domain} is "vsphere.local". But
our code (and what virsh then displays) says it's just
"administrator".
This is also wrong from a different point of view: the username must
contain the suffix no matter what, and our default suggests
otherwise.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2181234
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/esx/esx_driver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/esx/esx_driver.c b/src/esx/esx_driver.c
index 9dc5489411..2443e6e88a 100644
--- a/src/esx/esx_driver.c
+++ b/src/esx/esx_driver.c
@@ -701,7 +701,8 @@ esxConnectToVCenter(esxPrivate *priv,
if (conn->uri->user) {
username = g_strdup(conn->uri->user);
} else {
- if (!(username = virAuthGetUsername(conn, auth, "esx", "administrator",
+ if (!(username = virAuthGetUsername(conn, auth, "esx",
+ "administrator(a)vsphere.local",
hostname)))
return -1;
}
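Review bot: the new default hard-codes the "vsphere.local" SSO domain that the commit message itself describes as only the majority case, so deployments with a custom SSO domain now get a wrong default rather than an incomplete one; since the URI user component takes precedence (`username = g_strdup(conn->uri->user);` in the context above), the commit message or the ESX driver documentation should say that a non-default SSO domain has to be supplied through the URI. Also confirm that the literal in the actual source is `"administrator@vsphere.local"`: the list archive renders `@` as `(a)`, and the hunk line as shown here would not match what the commit message specifies.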
--
2.39.2
Re: [PATCH] vfio/pci: Propagate ACPI notifications to the user-space
by Alex Williamson
[Cc +libvir-list]
On Wed, 8 Mar 2023 12:41:24 +0100
Grzegorz Jaszczyk <jaz(a)semihalf.com> wrote:
> Wed, 8 Mar 2023 at 00:42 Alex Williamson <alex.williamson(a)redhat.com> wrote:
> >
> > On Tue, 7 Mar 2023 22:05:53 +0000
> > Grzegorz Jaszczyk <jaz(a)semihalf.com> wrote:
> >
> > > From: Dominik Behr <dbehr(a)chromium.org>
> > >
> > > Hitherto there was no support for propagating ACPI notifications to the
> > > guest drivers. In order to provide such support, install a handler for
> > > notifications on an ACPI device during vfio-pci device registration. The
> > > handler's role is to propagate such ACPI notifications to user-space
> > > via ACPI netlink events, which allows the VMM to receive and propagate them
> > > further to the VMs.
> > >
> > > Thanks to the above, the actual driver for the pass-through device,
> > > which belongs to the guest, can receive and react to device-specific
> > > notifications.
>
> > What consumes these events?
>
> Those events are consumed by the VMM, which can have a built-in ACPI
> event listener.
>
> > Has this been proposed to any VM management tools like libvirt?
>
> This patch was evaluated and tested with crosvm VMM (but since the
> kernel part is not in the tree the implementation is marked as WIP).
Adding libvirt folks. This intentionally designs the interface in a
way that requires a privileged intermediary to monitor netlink on the
host, associate messages to VMs based on an attached device, and
re-inject the event to the VMM. Why wouldn't we use a channel
associated with the device for such events, such that the VMM has
direct access? The netlink path seems like it has more moving pieces,
possibly scalability issues, and maybe security issues?
> > What sort of ACPI events are we expecting to see here and what does user space do with them?
>
> With this patch we are expecting to see and propagate any device-specific
> notifications, which are aimed at notifying the proper device
> (driver) which belongs to the guest.
>
> Here is a description of how propagating such a notification could be
> implemented by the VMM:
>
> 1) The VMM could generate upfront a proper virtual ACPI description for
> the guest per vfio-pci device (more precisely, it could be e.g. an ACPI GPE
> handler whose only aim is to notify the relevant device):
The proposed interface really has no introspection, how does the VMM
know which devices need ACPI tables added "upfront"? How do these
events factor into hotplug device support, where we may not be able to
dynamically inject ACPI code into the VM?
>
> Scope (_GPE)
> {
>     Method (_E00, 0, NotSerialized) // _Exx: Edge-Triggered GPE, xx=0x00-0xFF
>     {
>         Local0 = \_SB.PC00.PE08.NOTY
>         Notify (\_SB.PC00.PE08, Local0)
>     }
> }
>
> 2) Now, when the VMM receives the ACPI netlink event (thanks to the VMM's
> built-in ACPI event listener, which is able to receive any event
> generated through acpi_bus_generate_netlink_event), the VMM classifies it
> based on device_class ("vfio_pci" in this case) and parses it further
> to get the device name and the notification value for it. This
> notification value is stored in a virtual register and the VMM triggers
> the GPE associated with the vfio-pci device.
Each VMM is listening for netlink events and sees all the netlink
traffic from the host, including events destined for other VMMs? This
doesn't seem terribly acceptable from a security perspective.
> 3) The guest kernel, upon handling the GPE, thanks to the generated AML (see 1.),
> triggers Notify on the required pass-through device and therefore
> replicates the ACPI Notification on the guest side (accessing
> \_SB.PC00.PE08.NOTY from the above example results in a trap to the VMM, which
> returns the previously stored notify value).
The acpi_bus_generate_netlink_event() below really only seems to form a
u8 event type from the u32 event. Is this something that could be
provided directly from the vfio device uAPI with an ioeventfd, thus
providing introspection that a device supports ACPI event notifications
and the ability for the VMM to exclusively monitor those events, and
only those events for the device, without additional privileges?
Thanks,
Alex
> With the above, the ACPI notifications are actually replicated on the guest
> side and from a guest driver's perspective they don't differ from native
> ones.
>
> >
> > > Signed-off-by: Dominik Behr <dbehr(a)chromium.org>
> > > Co-developed-by: Grzegorz Jaszczyk <jaz(a)semihalf.com>
> > > Signed-off-by: Grzegorz Jaszczyk <jaz(a)semihalf.com>
> > > ---
> > > drivers/vfio/pci/vfio_pci_core.c | 33 ++++++++++++++++++++++++++++++++
> > > 1 file changed, 33 insertions(+)
> > >
> > > diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
> > > index a5ab416cf476..92b8ed8d087c 100644
> > > --- a/drivers/vfio/pci/vfio_pci_core.c
> > > +++ b/drivers/vfio/pci/vfio_pci_core.c
> > > @@ -10,6 +10,7 @@
> > >
> > > #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> > >
> > > +#include <linux/acpi.h>
> > > #include <linux/aperture.h>
> > > #include <linux/device.h>
> > > #include <linux/eventfd.h>
> > > @@ -2120,10 +2121,20 @@ void vfio_pci_core_release_dev(struct vfio_device *core_vdev)
> > > }
> > > EXPORT_SYMBOL_GPL(vfio_pci_core_release_dev);
> > >
> > > +static void vfio_pci_core_acpi_notify(acpi_handle handle, u32 event, void *data)
> > > +{
> > > + struct vfio_pci_core_device *vdev = (struct vfio_pci_core_device *)data;
> > > + struct device *dev = &vdev->pdev->dev;
> > > +
> > > + acpi_bus_generate_netlink_event("vfio_pci", dev_name(dev), event, 0);
> >
> > Who listens to this? Should there be an in-band means to provide
> > notifies related to the device? How does a userspace driver know to
> > look for netlink events for a particular device?
>
> The VMM, which has implemented logic responsible for listening on ACPI
> netlink events. This netlink message already carries the device name, so
> the VMM will associate it with a particular device. I've elaborated a bit
> more in my previous answer.
>
> >
> > > +}
> > > +
> > > int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev)
> > > {
> > > + acpi_status status;
> > > struct pci_dev *pdev = vdev->pdev;
> > > struct device *dev = &pdev->dev;
> > > + struct acpi_device *adev = ACPI_COMPANION(&pdev->dev);
> > > int ret;
> > >
> > > /* Drivers must set the vfio_pci_core_device to their drvdata */
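Review bot: `acpi_bus_generate_netlink_event("vfio_pci", dev_name(dev), event, 0)` in the new handler is a host-wide broadcast keyed only by device name, so every netlink listener on the host sees every passed-through device's notifications and the isolation between VMMs rests on whatever privileged process filters that multicast traffic, not on the vfio device's own file descriptor; that is the concern about a per-device channel raised elsewhere in this thread and it should be addressed before the interface is fixed. Two smaller points in the same hunk: the `(struct vfio_pci_core_device *)data` cast is redundant in C (`void *` converts implicitly) and would hide a type change if the registration call is ever altered, so `struct vfio_pci_core_device *vdev = data;` is the usual kernel form; and `ACPI_COMPANION(&pdev->dev)` can use the `dev` variable declared on the line before it.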
> > > @@ -2201,8 +2212,24 @@ int vfio_pci_core_register_device(struct vfio_pci_core_device *vdev)
> > > ret = vfio_register_group_dev(&vdev->vdev);
> > > if (ret)
> > > goto out_power;
> > > +
> > > + if (!adev) {
> > > + pci_info(pdev, "No ACPI companion");
> >
> > This would be a log message generated for 99.99% of devices.
>
> Sure - I will remove that.
>
> >
> > > + return 0;
> > > + }
> > > +
> > > + status = acpi_install_notify_handler(adev->handle, ACPI_DEVICE_NOTIFY,
> > > + vfio_pci_core_acpi_notify, (void *)vdev);
> >
> > vfio-pci supports non-ACPI platforms, I don't see any !CONFIG_ACPI
> > prototypes for this function. Thanks,
>
> Good point, I will address this in the next version.
>
> Thank you,
> Grzegorz
>
> >
> > Alex
> >
> > > +
> > > + if (ACPI_FAILURE(status)) {
> > > + pci_err(pdev, "Failed to install notify handler");
> > > + goto out_group_register;
> > > + }
> > > +
> > > return 0;
> > >
> > > +out_group_register:
> > > + vfio_unregister_group_dev(&vdev->vdev);
> > > out_power:
> > > if (!disable_idle_d3)
> > > pm_runtime_get_noresume(dev);
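Review bot: a failed `acpi_install_notify_handler()` turns into a hard failure of `vfio_pci_core_register_device()` via `goto out_group_register`, so a device whose ACPI companion exists but whose notify handler cannot be installed becomes un-assignable to userspace because an optional feature could not be set up; unless the notifications are required for correctness, logging and continuing looks more proportionate, and in either case the `pci_err()` message should include the `acpi_status` value so the failure can be diagnosed. The `pci_info(pdev, "No ACPI companion")` on the common path is already flagged above. As also noted in the thread, there are no `!CONFIG_ACPI` definitions for this call; guarding the block with `IS_ENABLED(CONFIG_ACPI)` or providing a stub would keep non-ACPI builds of vfio-pci compiling.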
> > > @@ -2216,6 +2243,12 @@ EXPORT_SYMBOL_GPL(vfio_pci_core_register_device);
> > >
> > > void vfio_pci_core_unregister_device(struct vfio_pci_core_device *vdev)
> > > {
> > > + struct acpi_device *adev = ACPI_COMPANION(&vdev->pdev->dev);
> > > +
> > > + if (adev)
> > > + acpi_remove_notify_handler(adev->handle, ACPI_DEVICE_NOTIFY,
> > > + vfio_pci_core_acpi_notify);
> > > +
> > > vfio_pci_core_sriov_configure(vdev, 0);
> > >
> > > vfio_unregister_group_dev(&vdev->vdev);
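Review bot: the unregister path recomputes `ACPI_COMPANION()` instead of recording at registration time whether a handler was actually installed, so the install and remove decisions are made by two independent lookups; storing the `adev` pointer (or a `bool`) in `struct vfio_pci_core_device` during `vfio_pci_core_register_device()` and consulting that here keeps the two paths in step and avoids calling `acpi_remove_notify_handler()` for a handler that was never installed.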
> >
>
[PATCH] ci: Refresh CI files with current lcitool
by Martin Kletzander
This updates to FreeBSD 12.4 which has clang that supports
-fsemantic-interposition, plus of course updates the system.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
ci/gitlab/builds.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci/gitlab/builds.yml b/ci/gitlab/builds.yml
index d982824b65ad..545478d3516d 100644
--- a/ci/gitlab/builds.yml
+++ b/ci/gitlab/builds.yml
@@ -837,7 +837,7 @@ x86_64-freebsd-12:
needs: []
allow_failure: false
variables:
- CIRRUS_VM_IMAGE_NAME: freebsd-12-3
+ CIRRUS_VM_IMAGE_NAME: freebsd-12-4
CIRRUS_VM_IMAGE_SELECTOR: image_family
CIRRUS_VM_INSTANCE_TYPE: freebsd_instance
INSTALL_COMMAND: pkg install -y
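Review bot: the image bump is the whole change and the job key `x86_64-freebsd-12` plus `CIRRUS_VM_IMAGE_SELECTOR: image_family` stay as they are, which is fine; since the commit message motivates this by clang support for `-fsemantic-interposition`, naming the clang version that `freebsd-12-4` ships would make that claim verifiable later, especially as a companion meson change now disables the test suite when that flag is missing.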
--
2.40.0
[PATCH] meson: Don't build tests when CLang lacks -fsemantic-interposition
by Michal Privoznik
There are some CLang versions that do not support
-fsemantic-interposition. If that's the case, the code is
optimized so much that our mocking no longer works.
Therefore, disable tests and produce a warning.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
Technically, this is a v2 of:
https://listman.redhat.com/archives/libvir-list/2023-March/238943.html
but a different approach is implemented, so I'm sending it anew.
meson.build | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index a0682e8d0b..c15003ce02 100644
--- a/meson.build
+++ b/meson.build
@@ -2035,8 +2035,18 @@ subdir('src')
subdir('tools')
-build_tests = not get_option('tests').disabled()
-if build_tests
+build_tests = [ not get_option('tests').disabled() ]
+if build_tests[0] and \
+ cc.get_id() == 'clang' and \
+ not supported_cc_flags.contains('-fsemantic-interposition') \
+ and get_option('optimization') != '0'
+ # If CLang doesn't support -fsemantic-interposition then our
+ # mocking doesn't work. The best we can do is to not run the
+ # test suite.
+ build_tests = [ false, '!!! Forcibly disabling tests because CLang lacks -fsemantic-interposition. Update CLang or disable optimization !!!' ]
+endif
+
+if build_tests[0]
subdir('tests')
endif
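Review bot: the message stored in `build_tests[1]` is never printed within this hunk, and this hunk is the whole diff, so the "produce a warning" part of the commit message depends on some existing consumer of `build_tests` (a `summary()` call, presumably) now printing a list; if that is the intent, say so in the commit message, otherwise emit it explicitly with `warning(build_tests[1])` inside the `if` so the forced disable is visible in the configure output. Style: the condition mixes a trailing `\` with the boolean operator on alternating sides (`cc.get_id() == 'clang' and \` versus `and get_option('optimization') != '0'`); placing `and` consistently at line end would read better.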
--
2.39.2
[PATCH] ci: Add OpenSUSE leap 15.4 job
by Peter Krempa
As a precursor to dropping the EOL OpenSUSE 15.3 job, first add the
definitions for the replacement version.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
Posting this one separately so that we validate that the container
images can be built successfully before converting any jobs.
I've witnessed some failures in the libvirt-ci repo regarding building
the 15.4 container.
ci/buildenv/opensuse-leap-154.sh | 96 +++++++++++++++++++++
ci/containers/opensuse-leap-154.Dockerfile | 97 ++++++++++++++++++++++
ci/gitlab/builds.yml | 20 +++++
ci/gitlab/containers.yml | 7 ++
ci/manifest.yml | 6 ++
5 files changed, 226 insertions(+)
create mode 100644 ci/buildenv/opensuse-leap-154.sh
create mode 100644 ci/containers/opensuse-leap-154.Dockerfile
diff --git a/ci/buildenv/opensuse-leap-154.sh b/ci/buildenv/opensuse-leap-154.sh
new file mode 100644
index 0000000000..93cb99c83b
--- /dev/null
+++ b/ci/buildenv/opensuse-leap-154.sh
@@ -0,0 +1,96 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+# $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+function install_buildenv() {
+ zypper update -y
+ zypper install -y \
+ audit-devel \
+ augeas \
+ augeas-lenses \
+ bash-completion \
+ ca-certificates \
+ ccache \
+ clang \
+ codespell \
+ cpp \
+ cppi \
+ cyrus-sasl-devel \
+ device-mapper-devel \
+ diffutils \
+ dwarves \
+ ebtables \
+ fuse-devel \
+ gcc \
+ gettext-runtime \
+ git \
+ glib2-devel \
+ glibc-devel \
+ glibc-locale \
+ glusterfs-devel \
+ grep \
+ iproute2 \
+ iptables \
+ kmod \
+ libacl-devel \
+ libapparmor-devel \
+ libattr-devel \
+ libblkid-devel \
+ libcap-ng-devel \
+ libcurl-devel \
+ libgnutls-devel \
+ libiscsi-devel \
+ libnl3-devel \
+ libnuma-devel \
+ libpcap-devel \
+ libpciaccess-devel \
+ librbd-devel \
+ libselinux-devel \
+ libssh-devel \
+ libssh2-devel \
+ libtirpc-devel \
+ libudev-devel \
+ libwsman-devel \
+ libxml2 \
+ libxml2-devel \
+ libxslt \
+ libyajl-devel \
+ lvm2 \
+ make \
+ meson \
+ nfs-utils \
+ ninja \
+ numad \
+ open-iscsi \
+ parted-devel \
+ perl-base \
+ pkgconfig \
+ polkit \
+ python3-base \
+ python3-docutils \
+ python3-flake8 \
+ qemu-tools \
+ readline-devel \
+ rpcgen \
+ rpm-build \
+ sanlock-devel \
+ scrub \
+ sed \
+ systemd-rpm-macros \
+ systemtap-sdt-devel \
+ wireshark-devel \
+ xen-devel
+ rpm -qa | sort > /packages.txt
+ mkdir -p /usr/libexec/ccache-wrappers
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+}
+
+export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+export LANG="en_US.UTF-8"
+export MAKE="/usr/bin/make"
+export NINJA="/usr/bin/ninja"
+export PYTHON="/usr/bin/python3"
diff --git a/ci/containers/opensuse-leap-154.Dockerfile b/ci/containers/opensuse-leap-154.Dockerfile
new file mode 100644
index 0000000000..ca11edf808
--- /dev/null
+++ b/ci/containers/opensuse-leap-154.Dockerfile
@@ -0,0 +1,97 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+# $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+FROM registry.opensuse.org/opensuse/leap:15.4
+
+RUN zypper update -y && \
+ zypper install -y \
+ audit-devel \
+ augeas \
+ augeas-lenses \
+ bash-completion \
+ ca-certificates \
+ ccache \
+ clang \
+ codespell \
+ cpp \
+ cppi \
+ cyrus-sasl-devel \
+ device-mapper-devel \
+ diffutils \
+ dwarves \
+ ebtables \
+ fuse-devel \
+ gcc \
+ gettext-runtime \
+ git \
+ glib2-devel \
+ glibc-devel \
+ glibc-locale \
+ glusterfs-devel \
+ grep \
+ iproute2 \
+ iptables \
+ kmod \
+ libacl-devel \
+ libapparmor-devel \
+ libattr-devel \
+ libblkid-devel \
+ libcap-ng-devel \
+ libcurl-devel \
+ libgnutls-devel \
+ libiscsi-devel \
+ libnl3-devel \
+ libnuma-devel \
+ libpcap-devel \
+ libpciaccess-devel \
+ librbd-devel \
+ libselinux-devel \
+ libssh-devel \
+ libssh2-devel \
+ libtirpc-devel \
+ libudev-devel \
+ libwsman-devel \
+ libxml2 \
+ libxml2-devel \
+ libxslt \
+ libyajl-devel \
+ lvm2 \
+ make \
+ meson \
+ nfs-utils \
+ ninja \
+ numad \
+ open-iscsi \
+ parted-devel \
+ perl-base \
+ pkgconfig \
+ polkit \
+ python3-base \
+ python3-docutils \
+ python3-flake8 \
+ qemu-tools \
+ readline-devel \
+ rpcgen \
+ rpm-build \
+ sanlock-devel \
+ scrub \
+ sed \
+ systemd-rpm-macros \
+ systemtap-sdt-devel \
+ wireshark-devel \
+ xen-devel && \
+ zypper clean --all && \
+ rpm -qa | sort > /packages.txt && \
+ mkdir -p /usr/libexec/ccache-wrappers && \
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
+ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+
+ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
+ENV LANG "en_US.UTF-8"
+ENV MAKE "/usr/bin/make"
+ENV NINJA "/usr/bin/ninja"
+ENV PYTHON "/usr/bin/python3"
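Review bot: `zypper update -y` followed by an unpinned `zypper install -y` means the content of this image depends on the day the container job runs, so two builds of the same Dockerfile can differ; `rpm -qa | sort > /packages.txt` is the right mitigation, but it only helps if that file is kept with the CI output, so it is worth making sure the container jobs preserve it (or print it) for later comparison. Nothing to change in the generated file itself.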
diff --git a/ci/gitlab/builds.yml b/ci/gitlab/builds.yml
index 89c15fa28d..0f60ba89ce 100644
--- a/ci/gitlab/builds.yml
+++ b/ci/gitlab/builds.yml
@@ -305,6 +305,26 @@ x86_64-opensuse-leap-153-local-env:
RPM: skip
+x86_64-opensuse-leap-154-prebuilt-env:
+ extends: .native_build_job_prebuilt_env
+ needs:
+ - job: x86_64-opensuse-leap-154-container
+ optional: true
+ allow_failure: false
+ variables:
+ NAME: opensuse-leap-154
+ RPM: skip
+
+x86_64-opensuse-leap-154-local-env:
+ extends: .native_build_job_local_env
+ needs: []
+ allow_failure: false
+ variables:
+ IMAGE: registry.opensuse.org/opensuse/leap:15.4
+ NAME: opensuse-leap-154
+ RPM: skip
+
+
x86_64-opensuse-tumbleweed-prebuilt-env:
extends: .native_build_job_prebuilt_env
needs:
diff --git a/ci/gitlab/containers.yml b/ci/gitlab/containers.yml
index fa426bd3a6..241475b5e3 100644
--- a/ci/gitlab/containers.yml
+++ b/ci/gitlab/containers.yml
@@ -84,6 +84,13 @@ x86_64-opensuse-leap-153-container:
NAME: opensuse-leap-153
+x86_64-opensuse-leap-154-container:
+ extends: .container_job
+ allow_failure: false
+ variables:
+ NAME: opensuse-leap-154
+
+
x86_64-opensuse-tumbleweed-container:
extends: .container_job
allow_failure: true
diff --git a/ci/manifest.yml b/ci/manifest.yml
index 2aa9ce9952..3270be85fe 100644
--- a/ci/manifest.yml
+++ b/ci/manifest.yml
@@ -166,6 +166,12 @@ targets:
variables:
RPM: skip
+ opensuse-leap-154:
+ jobs:
+ - arch: x86_64
+ variables:
+ RPM: skip
+
opensuse-tumbleweed:
jobs:
- arch: x86_64
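Review bot: `ci/manifest.yml` is the only hand-edited file in this patch; the other four carry the "THIS FILE WAS AUTO-GENERATED" header, so reviewing them reduces to checking that `lcitool manifest ci/manifest.yml` regenerates them identically. Recording the libvirt-ci commit used for that run in the commit message would make the check repeatable and would also help pin down the 15.4 container build failures mentioned in the cover text.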
--
2.39.2
[PATCH] ci: Switch to OpenSUSE leap 15.4
by Peter Krempa
The '15.3' version is EOL now:
https://get.opensuse.org/leap/15.3/
Also switch the 'codestyle' job to the appropriate container image.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
.gitlab-ci.yml | 8 ++++----
.../{opensuse-leap-153.sh => opensuse-leap-154.sh} | 5 +----
...p-153.Dockerfile => opensuse-leap-154.Dockerfile} | 8 ++------
ci/gitlab/builds.yml | 12 ++++++------
ci/gitlab/containers.yml | 4 ++--
ci/manifest.yml | 2 +-
6 files changed, 16 insertions(+), 23 deletions(-)
rename ci/buildenv/{opensuse-leap-153.sh => opensuse-leap-154.sh} (95%)
rename ci/containers/{opensuse-leap-153.Dockerfile => opensuse-leap-154.Dockerfile} (93%)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1b72ebc493..8bf6e5c6b0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -118,18 +118,18 @@ codestyle_prebuilt_env:
- .codestyle_job
- .gitlab_native_build_job_prebuilt_env
needs:
- - job: x86_64-opensuse-leap-153-container
+ - job: x86_64-opensuse-leap-154-container
optional: true
variables:
- NAME: opensuse-leap-153
+ NAME: opensuse-leap-154
codestyle_local_env:
extends:
- .codestyle_job
- .gitlab_native_build_job_local_env
variables:
- IMAGE: registry.opensuse.org/opensuse/leap:15.3
- NAME: opensuse-leap-153
+ IMAGE: registry.opensuse.org/opensuse/leap:15.4
+ NAME: opensuse-leap-154
# This artifact published by this job is downloaded to push to Weblate
diff --git a/ci/buildenv/opensuse-leap-153.sh b/ci/buildenv/opensuse-leap-154.sh
similarity index 95%
rename from ci/buildenv/opensuse-leap-153.sh
rename to ci/buildenv/opensuse-leap-154.sh
index b78382470c..93cb99c83b 100644
--- a/ci/buildenv/opensuse-leap-153.sh
+++ b/ci/buildenv/opensuse-leap-154.sh
@@ -59,6 +59,7 @@ function install_buildenv() {
libyajl-devel \
lvm2 \
make \
+ meson \
nfs-utils \
ninja \
numad \
@@ -70,9 +71,6 @@ function install_buildenv() {
python3-base \
python3-docutils \
python3-flake8 \
- python3-pip \
- python3-setuptools \
- python3-wheel \
qemu-tools \
readline-devel \
rpcgen \
@@ -89,7 +87,6 @@ function install_buildenv() {
ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
- /usr/bin/pip3 install meson==0.56.0
}
export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
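Review bot: beyond the version bump, the three hunks in this file change where meson comes from: the pinned `/usr/bin/pip3 install meson==0.56.0` is dropped here, the distro `meson` package is added above, and `python3-pip`, `python3-setuptools` and `python3-wheel` go away. That is a change in the toolchain version CI builds with and deserves a sentence in the commit message, which currently only mentions 15.3 being EOL and the codestyle job.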
diff --git a/ci/containers/opensuse-leap-153.Dockerfile b/ci/containers/opensuse-leap-154.Dockerfile
similarity index 93%
rename from ci/containers/opensuse-leap-153.Dockerfile
rename to ci/containers/opensuse-leap-154.Dockerfile
index 49e0c98c8a..ca11edf808 100644
--- a/ci/containers/opensuse-leap-153.Dockerfile
+++ b/ci/containers/opensuse-leap-154.Dockerfile
@@ -4,7 +4,7 @@
#
# https://gitlab.com/libvirt/libvirt-ci
-FROM registry.opensuse.org/opensuse/leap:15.3
+FROM registry.opensuse.org/opensuse/leap:15.4
RUN zypper update -y && \
zypper install -y \
@@ -60,6 +60,7 @@ RUN zypper update -y && \
libyajl-devel \
lvm2 \
make \
+ meson \
nfs-utils \
ninja \
numad \
@@ -71,9 +72,6 @@ RUN zypper update -y && \
python3-base \
python3-docutils \
python3-flake8 \
- python3-pip \
- python3-setuptools \
- python3-wheel \
qemu-tools \
readline-devel \
rpcgen \
@@ -92,8 +90,6 @@ RUN zypper update -y && \
ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-RUN /usr/bin/pip3 install meson==0.56.0
-
ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
ENV LANG "en_US.UTF-8"
ENV MAKE "/usr/bin/make"
diff --git a/ci/gitlab/builds.yml b/ci/gitlab/builds.yml
index 89c15fa28d..d982824b65 100644
--- a/ci/gitlab/builds.yml
+++ b/ci/gitlab/builds.yml
@@ -285,23 +285,23 @@ x86_64-fedora-rawhide-clang-local-env:
RPM: skip
-x86_64-opensuse-leap-153-prebuilt-env:
+x86_64-opensuse-leap-154-prebuilt-env:
extends: .native_build_job_prebuilt_env
needs:
- - job: x86_64-opensuse-leap-153-container
+ - job: x86_64-opensuse-leap-154-container
optional: true
allow_failure: false
variables:
- NAME: opensuse-leap-153
+ NAME: opensuse-leap-154
RPM: skip
-x86_64-opensuse-leap-153-local-env:
+x86_64-opensuse-leap-154-local-env:
extends: .native_build_job_local_env
needs: []
allow_failure: false
variables:
- IMAGE: registry.opensuse.org/opensuse/leap:15.3
- NAME: opensuse-leap-153
+ IMAGE: registry.opensuse.org/opensuse/leap:15.4
+ NAME: opensuse-leap-154
RPM: skip
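Review bot: this hunk renames the 15.3 jobs in place and starts from the same `ci/gitlab/builds.yml` blob (`index 89c15fa28d..`) as the separately posted "ci: Add OpenSUSE leap 15.4 job" patch, which adds the 15.4 jobs alongside the 15.3 ones from that same parent; the two cannot both apply, so the cover text should say which is meant to land, or this one should be rebased on top of the add-then-remove sequence once the 15.4 container build has been validated.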
diff --git a/ci/gitlab/containers.yml b/ci/gitlab/containers.yml
index fa426bd3a6..150df26519 100644
--- a/ci/gitlab/containers.yml
+++ b/ci/gitlab/containers.yml
@@ -77,11 +77,11 @@ x86_64-fedora-rawhide-container:
NAME: fedora-rawhide
-x86_64-opensuse-leap-153-container:
+x86_64-opensuse-leap-154-container:
extends: .container_job
allow_failure: false
variables:
- NAME: opensuse-leap-153
+ NAME: opensuse-leap-154
x86_64-opensuse-tumbleweed-container:
diff --git a/ci/manifest.yml b/ci/manifest.yml
index 2aa9ce9952..b68c7361ab 100644
--- a/ci/manifest.yml
+++ b/ci/manifest.yml
@@ -160,7 +160,7 @@ targets:
freebsd-13: x86_64
- opensuse-leap-153:
+ opensuse-leap-154:
jobs:
- arch: x86_64
variables:
--
2.39.2
[PATCH] virnettlscontext: allow client/server cert chains
by matoro_mailinglist_libvirt@matoro.tk
From: matoro <11910244-matoro3(a)users.noreply.gitlab.com>
The existing implementation assumes that client/server certificates are
single individual certificates. If using publicly-issued certificates,
or internal CAs that use an intermediate issuer, this is unlikely to be
the case, and they will instead be certificate chains. While this can
be worked around by moving the intermediate certificates to the CA
certificate, which DOES currently support multiple certificates, this
instead allows the issued certificate chains to be used as-is, without
requiring the overhead of shuffling certificates around.
See: https://gitlab.com/libvirt/libvirt/-/merge_requests/222
Signed-off-by: matoro <matoro_github(a)matoro.tk>
---
src/rpc/virnettlscontext.c | 97 +++++++++++++-----------------------
tests/virnettlscontexttest.c | 72 +++++++++++++++++++++++++-
2 files changed, 104 insertions(+), 65 deletions(-)
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index cfd26f0701..78b4b0f187 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -424,7 +424,8 @@ static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
}
-static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
+static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t *certs,
+ size_t ncerts,
const char *certFile,
gnutls_x509_crt_t *cacerts,
size_t ncacerts,
@@ -433,7 +434,7 @@ static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
{
unsigned int status;
- if (gnutls_x509_crt_list_verify(&cert, 1,
+ if (gnutls_x509_crt_list_verify(certs, ncerts,
cacerts, ncacerts,
NULL, 0,
0, &status) < 0) {
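Review bot: with the whole chain passed as `certs`/`ncerts`, `gnutls_x509_crt_list_verify()` verifies `certs[0]` using `certs[1..]` as intermediates and `cacerts` as trust anchors, so this only works because the loader rejects unsorted files at import time; a short comment here stating that `certs` must be ordered leaf-first would stop a future caller from handing in an unsorted list and getting a confusing verification failure.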
@@ -469,57 +470,18 @@ static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
}
-static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
- bool isServer)
-{
- gnutls_datum_t data;
- gnutls_x509_crt_t cert = NULL;
- g_autofree char *buf = NULL;
- int ret = -1;
-
- VIR_DEBUG("isServer %d certFile %s",
- isServer, certFile);
-
- if (gnutls_x509_crt_init(&cert) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("Unable to initialize certificate"));
- goto cleanup;
- }
-
- if (virFileReadAll(certFile, (1<<16), &buf) < 0)
- goto cleanup;
-
- data.data = (unsigned char *)buf;
- data.size = strlen(buf);
-
- if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
- _("Unable to import server certificate %s") :
- _("Unable to import client certificate %s"),
- certFile);
- goto cleanup;
- }
-
- ret = 0;
-
- cleanup:
- if (ret != 0) {
- g_clear_pointer(&cert, gnutls_x509_crt_deinit);
- }
- return cert;
-}
-
-
-static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
- gnutls_x509_crt_t *certs,
- unsigned int certMax,
- size_t *ncerts)
+static int virNetTLSContextLoadCertListFromFile(const char *certFile,
+ gnutls_x509_crt_t *certs,
+ unsigned int certMax,
+ size_t *ncerts,
+ bool isServer,
+ bool isCA)
{
gnutls_datum_t data;
g_autofree char *buf = NULL;
*ncerts = 0;
- VIR_DEBUG("certFile %s", certFile);
+ VIR_DEBUG("isCA %d isServer %d certFile %s", isCA, isServer, certFile);
if (virFileReadAll(certFile, (1<<16), &buf) < 0)
return -1;
@@ -527,9 +489,13 @@ static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
data.data = (unsigned char *)buf;
data.size = strlen(buf);
- if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
+ if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM,
+ isCA ? GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED :
+ GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED | GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Unable to import CA certificate list %s"),
+ isCA ? _("Unable to import CA certificate list %s") :
+ (isServer ? _("Unable to import server certificate %s") :
+ _("Unable to import client certificate %s")),
certFile);
return -1;
}
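Review bot: for non-CA files the import now requires `GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED`, so a chain file whose intermediates precede the leaf is rejected with only "Unable to import server certificate %s", which gives the administrator no hint that ordering is the problem; a message saying the file must contain the end-entity certificate first, followed by its issuers in order, would save a support round-trip. Keeping `GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED` on both paths is the right call, since silently truncating at `certMax` would surface later as a verification failure that is even harder to diagnose.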
@@ -539,44 +505,49 @@ static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
}
-#define MAX_CERTS 16
+// Limited by frame size of 4096 bytes.
+// Typical system CA bundle contains 140-ish CAs.
+#define MAX_CERTS 200
static int virNetTLSContextSanityCheckCredentials(bool isServer,
const char *cacertFile,
const char *certFile)
{
- gnutls_x509_crt_t cert = NULL;
+ gnutls_x509_crt_t certs[MAX_CERTS];
gnutls_x509_crt_t cacerts[MAX_CERTS];
- size_t ncacerts = 0;
+ size_t ncerts = 0, ncacerts = 0;
size_t i;
int ret = -1;
+ memset(certs, 0, sizeof(certs));
memset(cacerts, 0, sizeof(cacerts));
if ((access(certFile, R_OK) == 0) &&
- !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
+ virNetTLSContextLoadCertListFromFile(certFile, certs,
+ MAX_CERTS, &ncerts, isServer, false) < 0)
goto cleanup;
if ((access(cacertFile, R_OK) == 0) &&
- virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts,
- MAX_CERTS, &ncacerts) < 0)
+ virNetTLSContextLoadCertListFromFile(cacertFile, cacerts,
+ MAX_CERTS, &ncacerts, isServer, true) < 0)
goto cleanup;
- if (cert &&
- virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
- goto cleanup;
+ for (i = 0; i < ncerts; i++) {
+ if (virNetTLSContextCheckCert(certs[i], certFile, isServer, (i != 0)) < 0)
+ goto cleanup;
+ }
for (i = 0; i < ncacerts; i++) {
if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
goto cleanup;
}
- if (cert && ncacerts &&
- virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
+ if (ncerts && ncacerts &&
+ virNetTLSContextCheckCertPair(certs, ncerts, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
goto cleanup;
ret = 0;
cleanup:
- if (cert)
- gnutls_x509_crt_deinit(cert);
+ for (i = 0; i < ncerts; i++)
+ gnutls_x509_crt_deinit(certs[i]);
for (i = 0; i < ncacerts; i++)
gnutls_x509_crt_deinit(cacerts[i]);
return ret;
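Review bot: `certs[MAX_CERTS]` and `cacerts[MAX_CERTS]` are two 200-entry pointer arrays on the stack, 3200 bytes on a 64-bit build, which is what the "frame size of 4096 bytes" comment is warning about; the end-entity file never legitimately holds more than a handful of certificates, so a separate, much smaller cap for `certs` (or heap allocation of both arrays) would keep the frame small while retaining the larger CA bundle limit. Style: the two new `// ...` comments above `#define MAX_CERTS` use C++ syntax where the rest of the file uses `/* */`. The loop passing `(i != 0)` as the `isCA` argument to `virNetTLSContextCheckCert()` is correct for a leaf-first chain and matches the unsorted-rejection rule at import.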
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 2311524db8..918ff04134 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -517,6 +517,12 @@ mymain(void)
true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL,
0, 0);
+ TLS_ROOT_REQ(someotherrootreq,
+ "UK", "some other random CA", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
"UK", "libvirt level 1a", NULL, NULL, NULL, NULL,
true, true, true,
@@ -555,15 +561,72 @@ mymain(void)
cacertlevel2areq.crt,
};
+ gnutls_x509_crt_t cabundle[] = {
+ someotherrootreq.crt,
+ cacertrootreq.crt,
+ };
+
+ gnutls_x509_crt_t servercertchain[] = {
+ servercertlevel3areq.crt,
+ cacertlevel2areq.crt,
+ cacertlevel1areq.crt,
+ };
+
+ gnutls_x509_crt_t servercertchain_incomplete[] = {
+ servercertlevel3areq.crt,
+ cacertlevel2areq.crt,
+ };
+
+ gnutls_x509_crt_t servercertchain_unsorted[] = {
+ servercertlevel3areq.crt,
+ cacertlevel1areq.crt,
+ cacertlevel2areq.crt,
+ };
+
+ gnutls_x509_crt_t clientcertchain[] = {
+ clientcertlevel2breq.crt,
+ cacertlevel1breq.crt,
+ };
+
testTLSWriteCertChain("cacertchain-ctx.pem",
certchain,
G_N_ELEMENTS(certchain));
- VIR_WARNINGS_RESET
-
DO_CTX_TEST(true, "cacertchain-ctx.pem", servercertlevel3areq.filename, false);
DO_CTX_TEST(false, "cacertchain-ctx.pem", clientcertlevel2breq.filename, false);
+ testTLSWriteCertChain("servercertchain-ctx.pem",
+ servercertchain,
+ G_N_ELEMENTS(servercertchain));
+
+ DO_CTX_TEST(true, cacertrootreq.filename, "servercertchain-ctx.pem", false);
+
+ testTLSWriteCertChain("cabundle-ctx.pem",
+ cabundle,
+ G_N_ELEMENTS(cabundle));
+
+ DO_CTX_TEST(true, "cabundle-ctx.pem", "servercertchain-ctx.pem", false);
+
+ testTLSWriteCertChain("servercertchain_incomplete-ctx.pem",
+ servercertchain_incomplete,
+ G_N_ELEMENTS(servercertchain_incomplete));
+
+ DO_CTX_TEST(true, cacertrootreq.filename, "servercertchain_incomplete-ctx.pem", true);
+
+ testTLSWriteCertChain("servercertchain_unsorted-ctx.pem",
+ servercertchain_unsorted,
+ G_N_ELEMENTS(servercertchain_unsorted));
+
+ DO_CTX_TEST(true, cacertrootreq.filename, "servercertchain_unsorted-ctx.pem", true);
+
+ testTLSWriteCertChain("clientcertchain-ctx.pem",
+ clientcertchain,
+ G_N_ELEMENTS(clientcertchain));
+
+ VIR_WARNINGS_RESET
+
+ DO_CTX_TEST(false, cacertrootreq.filename, "clientcertchain-ctx.pem", false);
+
DO_CTX_TEST(false, "cacertdoesnotexist.pem", "servercertdoesnotexist.pem", true);
testTLSDiscardCert(&cacertreq);
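Review bot: the new cases cover a sorted chain against the root, a CA bundle where the real root is not first, an incomplete chain, an unsorted chain and a client chain, which lines up well with the loader's new rules. One case worth adding: a chain file that also carries the root certificate at the end, since some issuers ship bundles that way and it is worth confirming that the sanity check and `gnutls_x509_crt_list_verify()` still accept it.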
@@ -620,7 +683,12 @@ mymain(void)
testTLSDiscardCert(&cacertlevel2areq);
testTLSDiscardCert(&servercertlevel3areq);
testTLSDiscardCert(&clientcertlevel2breq);
+ testTLSDiscardCert(&someotherrootreq);
unlink("cacertchain-ctx.pem");
+ unlink("servercertchain-ctx.pem");
+ unlink("servercertchain_incomplete-ctx.pem");
+ unlink("servercertchain_unsorted-ctx.pem");
+ unlink("clientcertchain.pem");
testTLSCleanup(KEYFILE);
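Review bot: `unlink("clientcertchain.pem")` does not match the file the test writes, `"clientcertchain-ctx.pem"` (see `testTLSWriteCertChain("clientcertchain-ctx.pem", ...)` above), so that file is left behind in the test directory after every run; change the unlink to `"clientcertchain-ctx.pem"`.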
--
2.39.1
[PATCH] qemu_domain: Drop ATTRIBUTE_NONNULL() for non-existent arguments
by Michal Privoznik
After the cleanup done in v8.2.0-rc1~47,
qemuDomainObjExitMonitor(), and after v8.7.0-rc1~176,
qemuDomainObjEnterMonitor() lost the @driver argument. But the
corresponding ATTRIBUTE_NONNULL() annotation was not removed and
both functions are still annotated as ATTRIBUTE_NONNULL(2) even
though they accept just one argument (@obj).
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_domain.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index c716e64ccc..eaa75de3e5 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -579,9 +579,9 @@ void qemuDomainEventFlush(int timer, void *opaque);
qemuMonitor *qemuDomainGetMonitor(virDomainObj *vm)
ATTRIBUTE_NONNULL(1);
void qemuDomainObjEnterMonitor(virDomainObj *obj)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+ ATTRIBUTE_NONNULL(1);
void qemuDomainObjExitMonitor(virDomainObj *obj)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+ ATTRIBUTE_NONNULL(1);
int qemuDomainObjEnterMonitorAsync(virDomainObj *obj,
virDomainAsyncJob asyncJob)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT;
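Review bot: the fix is right, but the commit message should say why neither the compiler nor CI complained about an `ATTRIBUTE_NONNULL(2)` on a one-argument prototype for the two releases since the argument was dropped; if the macro only expands to a real `nonnull` attribute in static-analysis builds, that is the explanation a reader of `git blame` will want, and it suggests a follow-up to make such stale annotations fail a normal build.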
--
2.39.2
[PATCH] qemu_shim: Require absolute path for root directory
by Michal Privoznik
The virConnectOpen(), well, virConnectOpenInternal(), reports an
error if the embed root is not an absolute path. This is a fair
requirement, but our qemu_shim doesn't check this requirement and
instead mkdir()-s the passed path only to fail later on, leaving the
empty directory behind:
$ ls -d asd
ls: cannot access 'asd': No such file or directory
$ virt-qemu-run -r asd whatever.xml
virt-qemu-run: cannot open qemu:///embed?root=asd: unsupported configuration: root path must be absolute
$ ls -d asd
asd
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_shim.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_shim.c b/src/qemu/qemu_shim.c
index 7b58583074..33a6aa7d94 100644
--- a/src/qemu/qemu_shim.c
+++ b/src/qemu/qemu_shim.c
@@ -209,10 +209,18 @@ int main(int argc, char **argv)
}
tmproot = true;
- } else if (g_mkdir_with_parents(root, 0755) < 0) {
- g_printerr("%s: cannot create dir: %s\n",
- argv[0], g_strerror(errno));
- goto cleanup;
+ } else {
+ if (!g_path_is_absolute(root)) {
+ g_printerr("%s: the root directory must be an absolute path\n",
+ argv[0]);
+ goto cleanup;
+ }
+
+ if (g_mkdir_with_parents(root, 0755) < 0) {
+ g_printerr("%s: cannot create dir: %s\n",
+ argv[0], g_strerror(errno));
+ goto cleanup;
+ }
}
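Review bot: the absolute-path check sits correctly before `g_mkdir_with_parents()`, which removes the stray empty directory described in the commit message; the new error message could include the offending value, e.g. `"%s: the root directory must be an absolute path: %s\n", argv[0], root`, the way the neighbouring "cannot create dir" message includes `g_strerror(errno)`, so the user sees which argument was rejected.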
if (chmod(root, 0755) < 0) {
--
2.39.2
[libvirt PATCH] qemu_shim: set system identity
by Ján Tomko
Otherwise looking up a secret fails when we try to elevate the identity
in qemuDomainSecretInfoSetupFromSecret.
https://bugzilla.redhat.com/show_bug.cgi?id=2000410
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_shim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/qemu/qemu_shim.c b/src/qemu/qemu_shim.c
index 7b58583074..b642f6175a 100644
--- a/src/qemu/qemu_shim.c
+++ b/src/qemu/qemu_shim.c
@@ -26,6 +26,7 @@
#include "virfile.h"
#include "virgettext.h"
+#include "viridentity.h"
#include "virthread.h"
#define VIR_FROM_THIS VIR_FROM_QEMU
@@ -133,6 +134,7 @@ qemuShimQuench(void *userData G_GNUC_UNUSED,
int main(int argc, char **argv)
{
+ g_autoptr(virIdentity) sysident = NULL;
GThread *eventLoopThread = NULL;
virConnectPtr conn = NULL;
virConnectPtr sconn = NULL;
@@ -191,6 +193,9 @@ int main(int argc, char **argv)
virSetErrorFunc(NULL, qemuShimQuench);
+ sysident = virIdentityGetSystem();
+ virIdentitySetCurrent(sysident);
+
if (verbose)
g_printerr("%s: %lld: initializing signal handlers\n",
argv[0], deltams());
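Review bot: the return value of `virIdentitySetCurrent(sysident)` is ignored; if that call can fail, bail out with an error like the other setup steps in `main()`, and check `sysident` for NULL first if `virIdentityGetSystem()` can return one. Since this makes every operation in the shim run under the system identity, a sentence in the commit message on why that is acceptable for virt-qemu-run (the driver is embedded in the same process, so there is no separate daemon whose authorization is being bypassed) would keep readers from mistaking it for a privilege escalation.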
--
2.39.2