[PATCH 00/12] Introduce SEV-SNP support
by Michal Privoznik
SEV-SNP support just landed in QEMU. Here is the first round of patches
to incorporate support into libvirt.
TODOs (aka problems of future me):
- Teach tools/virt-qemu-sev-validate how to deal with SEV-SNP
- Try to find a SEV-SNP machine and test these patches in the real world
- Write a kbase article on attestation with SEV-SNP
Michal Prívozník (12):
qemu_monitor_json: Report error in error paths in SEV related code
conf: Move some members of virDomainSEVDef into virDomainSEVCommonDef
conf: Separate SEV formatting into a function
Drop needless typecast to virDomainLaunchSecurity
src: Convert some _virDomainSecDef::sectype checks to switch()
qemu_monitor: Allow querying SEV-SNP state in 'query-sev'
qemu: Report snp-policy in virDomainGetLaunchSecurityInfo()
qemu_capabilities: Introduce QEMU_CAPS_SEV_SNP_GUEST
conf: Introduce SEV-SNP support
qemu: Build cmd line for SEV-SNP
qemu: Allow setting launch security for SEV-SNP
qemu_firmware: Pick the right firmware for SEV-SNP guests
docs/formatdomain.rst | 108 ++++++++++++
include/libvirt/libvirt-domain.h | 10 ++
src/conf/domain_conf.c | 156 ++++++++++++++----
src/conf/domain_conf.h | 28 +++-
src/conf/domain_validate.c | 44 +++++
src/conf/schemas/domaincommon.rng | 73 ++++++--
src/conf/virconftypes.h | 4 +
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 3 +
src/qemu/qemu_cgroup.c | 19 ++-
src/qemu/qemu_command.c | 56 ++++++-
src/qemu/qemu_driver.c | 60 +++++--
src/qemu/qemu_firmware.c | 20 ++-
src/qemu/qemu_monitor.c | 7 +-
src/qemu/qemu_monitor.h | 41 ++++-
src/qemu/qemu_monitor_json.c | 67 ++++++--
src/qemu/qemu_monitor_json.h | 8 +-
src/qemu/qemu_namespace.c | 3 +-
src/qemu/qemu_process.c | 34 ++--
src/qemu/qemu_validate.c | 13 +-
src/security/security_dac.c | 34 +++-
.../caps_9.1.0_x86_64.xml | 1 +
.../firmware/60-edk2-ovmf-x64-amdsev.json | 1 +
tests/qemumonitorjsontest.c | 65 +++++++-
...launch-security-sev-snp.x86_64-latest.args | 35 ++++
.../launch-security-sev-snp.x86_64-latest.xml | 1 +
.../launch-security-sev-snp.xml | 47 ++++++
tests/qemuxmlconftest.c | 2 +
28 files changed, 817 insertions(+), 127 deletions(-)
create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
create mode 120000 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.xml
--
2.44.2
2 months, 3 weeks
[PATCH v2 0/8] New changes in v2:
by Purna Pavan Chandra
* Add version checks in save/restore validations
* Add use_timeout in chSocketRecv
* Address Praveen Paladugu's comments
v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/PT...
ch: support restore with network devices
Current ch driver supports restore only for domains without any network
configuration defined. This was because libvirt explicitly passes network fds
and CH did not have support to restore with new net FDs. This support has been
added recently, https://github.com/cloud-hypervisor/cloud-hypervisor/pull/6402
The changes in this patch series include moving to socket communication for
restore api, create new net fds and pass them via SCM_RIGHTS to CH.
Purna Pavan Chandra (8):
ch: report response message instead of just code
ch: Pass net ids explicitly during vm creation
ch: refactor chProcessAddNetworkDevices
ch: support poll with -1 in chSocketRecv
ch: use monitor socket fd to send restore request
ch: refactor virCHMonitorSaveVM
ch: support restore with net devices
ch: kill CH process if restore fails
src/ch/ch_capabilities.c | 6 +
src/ch/ch_capabilities.h | 1 +
src/ch/ch_driver.c | 29 +++--
src/ch/ch_monitor.c | 62 +++++++----
src/ch/ch_monitor.h | 6 +-
src/ch/ch_process.c | 233 +++++++++++++++++++++++++++++++--------
6 files changed, 254 insertions(+), 83 deletions(-)
--
2.34.1
2 months, 3 weeks
Release of libvirt-10.6.0
by Jiri Denemark
The 10.6.0 release of both libvirt and libvirt-python is tagged and
signed tarballs are available at
https://download.libvirt.org/
https://download.libvirt.org/python/
Thanks everybody who helped with this release by sending patches,
reviewing, testing, or providing feedback. Your work is greatly
appreciated.
* Removed features
* qemu: Require QEMU-5.2.0 or newer
The minimal required version of QEMU was bumped to 5.2.0.
* New features
* qemu: Add support for the 'pauth' Arm CPU feature
* Introduce pstore device
The aim of pstore device is to provide a bit of NVRAM storage for guest
kernel to record oops/panic logs just before it crashes. Typical usage
includes usage in combination with a watchdog so that the logs can be
inspected after the watchdog rebooted the machine.
* Improvements
* qemu: Set 'passt' net backend if 'default' is unsupported
If QEMU is compiled without SLIRP support, and if domain XML allows it,
starting from this release libvirt will use passt as the default backend
instead. Also, supported backends are now reported in the domain
capabilities XML.
* qemu: add a monitor to /proc/$pid when killing times out
In cases when a QEMU process takes longer to be killed, libvirt might have
skipped cleaning up after it. But now a /proc/$pid watch is installed so
this does not happen ever again.
* Bug fixes
* virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf
When binary version of edk2 is distributed, the files reside under
/usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that
directory.
* virt-host-validate: Allow longer list of CPU flags
During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU
flags. But due to a bug it parsed only the first 1024 bytes worth of CPU
flags leading to unexpected results. The file is now parsed properly.
* capabilities: Be more forgiving when decoding OEM strings
On some systems, OEM strings are scattered in multiple sections. This
confused libvirt when generating capabilities XML. Not anymore.
Enjoy.
Jirka
2 months, 3 weeks
[PATCH] Revert "network: allow "modify" option for DNS-Srv records"
by Adam Julis
This reverts commit cf934c87cca32149675020ea595712aad25978e6.
The matching logic is flawed and it would complicate support of
this command.
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
See discussion:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/6...
src/conf/network_conf.c | 27 +++++--------------
.../srv-not-existing.xml | 1 -
.../srv-record-modify-few.xml | 1 -
.../nat-network-dns-srv-modify-few.xml | 26 ------------------
tests/networkxml2xmlupdatetest.c | 10 +------
5 files changed, 7 insertions(+), 58 deletions(-)
delete mode 100644 tests/networkxml2xmlupdatein/srv-not-existing.xml
delete mode 100644 tests/networkxml2xmlupdatein/srv-record-modify-few.xml
delete mode 100644 tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 68eee367c4..3af4e1d036 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -3257,6 +3257,12 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def,
command == VIR_NETWORK_UPDATE_COMMAND_ADD_LAST);
int foundCt = 0;
+ if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("DNS SRV records cannot be modified, only added or deleted"));
+ goto cleanup;
+ }
+
if (virNetworkDefUpdateCheckElementName(def, ctxt->node, "srv") < 0)
goto cleanup;
@@ -3306,27 +3312,6 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def,
virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]);
VIR_DELETE_ELEMENT(dns->srvs, foundIdx, dns->nsrvs);
- } else if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) {
-
- if (foundCt == 0) {
- virReportError(VIR_ERR_OPERATION_INVALID,
- _("couldn't locate a matching DNS SRV record in network %1$s"),
- def->name);
- goto cleanup;
- }
-
- if (foundCt > 1) {
- virReportError(VIR_ERR_OPERATION_INVALID,
- _("multiple DNS SRV records matching all specified fields were found in network %1$s"),
- def->name);
- goto cleanup;
- }
-
- virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]);
-
- memcpy(&dns->srvs[foundIdx], &srv, sizeof(virNetworkDNSSrvDef));
- memset(&srv, 0, sizeof(virNetworkDNSSrvDef));
-
} else {
virNetworkDefUpdateUnknownCommand(command);
goto cleanup;
diff --git a/tests/networkxml2xmlupdatein/srv-not-existing.xml b/tests/networkxml2xmlupdatein/srv-not-existing.xml
deleted file mode 100644
index 401e14c616..0000000000
--- a/tests/networkxml2xmlupdatein/srv-not-existing.xml
+++ /dev/null
@@ -1 +0,0 @@
-<srv service='name' protocol='tcp' domain='unknown-domain' target='.' port='666' priority='99' weight='10'/>
diff --git a/tests/networkxml2xmlupdatein/srv-record-modify-few.xml b/tests/networkxml2xmlupdatein/srv-record-modify-few.xml
deleted file mode 100644
index 88ec1b97d9..0000000000
--- a/tests/networkxml2xmlupdatein/srv-record-modify-few.xml
+++ /dev/null
@@ -1 +0,0 @@
-<srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/>
diff --git a/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml b/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
deleted file mode 100644
index a7e5fcffa6..0000000000
--- a/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<network>
- <name>default</name>
- <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
- <forward dev='eth1' mode='nat'>
- <interface dev='eth1'/>
- </forward>
- <bridge name='virbr0' stp='on' delay='0'/>
- <dns>
- <srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/>
- </dns>
- <ip address='192.168.122.1' netmask='255.255.255.0'>
- <dhcp>
- <range start='192.168.122.2' end='192.168.122.254'/>
- <host mac='00:16:3e:77:e2:ed' name='a.example.com' ip='192.168.122.10'/>
- <host mac='00:16:3e:3e:a9:1a' name='b.example.com' ip='192.168.122.11'/>
- </dhcp>
- </ip>
- <ip family='ipv4' address='192.168.123.1' netmask='255.255.255.0'>
- </ip>
- <ip family='ipv6' address='2001:db8:ac10:fe01::1' prefix='64'>
- </ip>
- <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'>
- </ip>
- <ip family='ipv4' address='10.24.10.1'>
- </ip>
-</network>
diff --git a/tests/networkxml2xmlupdatetest.c b/tests/networkxml2xmlupdatetest.c
index 875cede035..60931a2eba 100644
--- a/tests/networkxml2xmlupdatetest.c
+++ b/tests/networkxml2xmlupdatetest.c
@@ -337,6 +337,7 @@ mymain(void)
"nat-network-dns-srv-record",
"nat-network-dns-srv-records",
VIR_NETWORK_UPDATE_COMMAND_ADD_LAST);
+
DO_TEST_FAIL("delete-missing-srv-record-service",
"srv-record-service",
"nat-network",
@@ -359,15 +360,6 @@ mymain(void)
"nat-network-dns-srv-record",
"nat-network",
VIR_NETWORK_UPDATE_COMMAND_DELETE);
- DO_TEST("modify-srv-record-protocol",
- "srv-record-modify-few",
- "nat-network-dns-srv-record",
- "nat-network-dns-srv-modify-few",
- VIR_NETWORK_UPDATE_COMMAND_MODIFY);
- DO_TEST_FAIL("modify-not-existing-srv-record",
- "srv-not-existing",
- "nat-network-dns-srv-record",
- VIR_NETWORK_UPDATE_COMMAND_MODIFY);
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
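Review bot: with both MODIFY cases removed from mymain() here, nothing in the test suite pins the restored behaviour that VIR_NETWORK_UPDATE_COMMAND_MODIFY is rejected for DNS SRV records. Consider keeping one DO_TEST_FAIL that passes VIR_NETWORK_UPDATE_COMMAND_MODIFY with an input that stays in the tree, such as "srv-record-service" against "nat-network-dns-srv-record", so that a later change cannot re-enable modify without a test failing.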
--
2.45.2
2 months, 3 weeks
[PATCH] network: allow "modify" option for DNS-Srv records
by Adam Julis
The "modify" command allows replacing an existing Srv record
(some of its elements respectively: port, priority and weight).
The primary key used to choose the modify record is the remaining
parameters, only one of them is required. Not using some of these
parameters may cause duplicate records and error message. This
logic is there because of the previous implementation (Add and
Delete options) in the function.
Tests in networkxml2xmlupdatetest.c contain replacements of an
existing DNS-Srv record and failure due to non-existing record.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/639
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
src/conf/network_conf.c | 27 ++++++++++++++-----
.../srv-not-existing.xml | 1 +
.../srv-record-modify-few.xml | 1 +
.../nat-network-dns-srv-modify-few.xml | 26 ++++++++++++++++++
tests/networkxml2xmlupdatetest.c | 10 ++++++-
5 files changed, 58 insertions(+), 7 deletions(-)
create mode 100644 tests/networkxml2xmlupdatein/srv-not-existing.xml
create mode 100644 tests/networkxml2xmlupdatein/srv-record-modify-few.xml
create mode 100644 tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 2a541cd5b0..fc387f9566 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -3255,12 +3255,6 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def,
command == VIR_NETWORK_UPDATE_COMMAND_ADD_LAST);
int foundCt = 0;
- if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) {
- virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
- _("DNS SRV records cannot be modified, only added or deleted"));
- goto cleanup;
- }
-
if (virNetworkDefUpdateCheckElementName(def, ctxt->node, "srv") < 0)
goto cleanup;
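Review bot: dropping the VIR_ERR_OPERATION_UNSUPPORTED guard at the top of virNetworkDefUpdateDNSSrv() changes user-visible behaviour, but the diffstat touches only src/conf/network_conf.c and the tests. Any documentation that describes which update commands the DNS SRV section accepts should be updated in the same patch, and it should state which fields form the match key and which ones are replaced.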
@@ -3310,6 +3304,27 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def,
virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]);
VIR_DELETE_ELEMENT(dns->srvs, foundIdx, dns->nsrvs);
+ } else if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) {
+
+ if (foundCt == 0) {
+ virReportError(VIR_ERR_OPERATION_INVALID,
+ _("couldn't locate a matching DNS SRV record in network %1$s"),
+ def->name);
+ goto cleanup;
+ }
+
+ if (foundCt > 1) {
+ virReportError(VIR_ERR_OPERATION_INVALID,
+ _("multiple DNS SRV records matching all specified fields were found in network %1$s"),
+ def->name);
+ goto cleanup;
+ }
+
+ virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]);
+
+ memcpy(&dns->srvs[foundIdx], &srv, sizeof(virNetworkDNSSrvDef));
+ memset(&srv, 0, sizeof(virNetworkDNSSrvDef));
+
} else {
virNetworkDefUpdateUnknownCommand(command);
goto cleanup;
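Review bot: in the new MODIFY branch, virNetworkDNSSrvDefClear() followed by memcpy(&dns->srvs[foundIdx], &srv, sizeof(virNetworkDNSSrvDef)) replaces the whole stored record, not only port, priority and weight. The commit message says only one of the key parameters is required to match, so a modify that omits some of them would locate the record and then lose the omitted fields from the stored definition. Either require every key field to be present for MODIFY, or copy only the three replaceable fields into the matched entry.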
diff --git a/tests/networkxml2xmlupdatein/srv-not-existing.xml b/tests/networkxml2xmlupdatein/srv-not-existing.xml
new file mode 100644
index 0000000000..401e14c616
--- /dev/null
+++ b/tests/networkxml2xmlupdatein/srv-not-existing.xml
@@ -0,0 +1 @@
+<srv service='name' protocol='tcp' domain='unknown-domain' target='.' port='666' priority='99' weight='10'/>
diff --git a/tests/networkxml2xmlupdatein/srv-record-modify-few.xml b/tests/networkxml2xmlupdatein/srv-record-modify-few.xml
new file mode 100644
index 0000000000..88ec1b97d9
--- /dev/null
+++ b/tests/networkxml2xmlupdatein/srv-record-modify-few.xml
@@ -0,0 +1 @@
+<srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/>
diff --git a/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml b/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
new file mode 100644
index 0000000000..a7e5fcffa6
--- /dev/null
+++ b/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml
@@ -0,0 +1,26 @@
+<network>
+ <name>default</name>
+ <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+ <forward dev='eth1' mode='nat'>
+ <interface dev='eth1'/>
+ </forward>
+ <bridge name='virbr0' stp='on' delay='0'/>
+ <dns>
+ <srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/>
+ </dns>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='192.168.122.2' end='192.168.122.254'/>
+ <host mac='00:16:3e:77:e2:ed' name='a.example.com' ip='192.168.122.10'/>
+ <host mac='00:16:3e:3e:a9:1a' name='b.example.com' ip='192.168.122.11'/>
+ </dhcp>
+ </ip>
+ <ip family='ipv4' address='192.168.123.1' netmask='255.255.255.0'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fe01::1' prefix='64'>
+ </ip>
+ <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'>
+ </ip>
+ <ip family='ipv4' address='10.24.10.1'>
+ </ip>
+</network>
diff --git a/tests/networkxml2xmlupdatetest.c b/tests/networkxml2xmlupdatetest.c
index 383cbf85ce..59e6ce98e5 100644
--- a/tests/networkxml2xmlupdatetest.c
+++ b/tests/networkxml2xmlupdatetest.c
@@ -328,7 +328,6 @@ mymain(void)
"nat-network-dns-srv-record",
"nat-network-dns-srv-records",
VIR_NETWORK_UPDATE_COMMAND_ADD_LAST);
-
DO_TEST_FAIL("delete-missing-srv-record-service",
"srv-record-service",
"nat-network",
@@ -351,6 +350,15 @@ mymain(void)
"nat-network-dns-srv-record",
"nat-network",
VIR_NETWORK_UPDATE_COMMAND_DELETE);
+ DO_TEST("modify-srv-record-protocol",
+ "srv-record-modify-few",
+ "nat-network-dns-srv-record",
+ "nat-network-dns-srv-modify-few",
+ VIR_NETWORK_UPDATE_COMMAND_MODIFY);
+ DO_TEST_FAIL("modify-not-existing-srv-record",
+ "srv-not-existing",
+ "nat-network-dns-srv-record",
+ VIR_NETWORK_UPDATE_COMMAND_MODIFY);
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
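Review bot: the test name "modify-srv-record-protocol" suggests that the protocol is what changes, while the commit message lists port, priority and weight as the replaceable elements and treats the remaining fields as the match key. Rename the case after what it actually modifies, and add a DO_TEST_FAIL for the foundCt > 1 path (a partial key that matches several records), which neither of the two cases added here exercises.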
--
2.45.2
2 months, 3 weeks
[PATCH v2 0/7] introduce job-change qmp command
by Vladimir Sementsov-Ogievskiy
Hi all!
This is an updated first part of my "[RFC 00/15] block job API"
Supersedes: <20240313150907.623462-1-vsementsov(a)yandex-team.ru>
v2:
- only job-change for now, as a first step
- drop "type-based unions", and keep type parameter as is for now (I now
doubt that this was a good idea, as it makes QAPI protocol dependent on
context)
03: improve documentation
06: deprecated only block-job-change for now
07: new
Vladimir Sementsov-Ogievskiy (7):
qapi: rename BlockJobChangeOptions to JobChangeOptions
blockjob: block_job_change_locked(): check job type
qapi: block-job-change: make copy-mode parameter optional
blockjob: move change action implementation to job from block-job
qapi: add job-change
qapi/block-core: derpecate block-job-change
iotests/mirror-change-copy-mode: switch to job-change command
block/mirror.c | 13 +++++---
blockdev.c | 4 +--
blockjob.c | 20 ------------
docs/about/deprecated.rst | 5 +++
include/block/blockjob.h | 11 -------
include/block/blockjob_int.h | 7 -----
include/qemu/job.h | 12 +++++++
job-qmp.c | 15 +++++++++
job.c | 23 ++++++++++++++
qapi/block-core.json | 31 ++++++++++++++-----
.../tests/mirror-change-copy-mode | 2 +-
11 files changed, 90 insertions(+), 53 deletions(-)
--
2.34.1
2 months, 4 weeks
[PATCH v5 00/11] qemu: Introduce shared_filesystems configuration option
by Peter Krempa
v4: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/F...
For justification see v3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/P...
This version includes patches that deal with seclabel remembering
without instructing users to disable it.
Diff to v4:
- added patch 7 cleaning up a helper function (noticed just while
reading the code)
- added patch 8 properly unrefing security labels in dac/selinux
drivers on outgoing migration
- patch 11: added handling of the 'nvram' image file (and refactored
the function to allow reuse)
Tested migrating both ways including uefi nvram image. Didn't test TPM
though.
Diff to v3 (numbering fixed):
- Patch 2/8 was modified to change the docs for the new option.
- Patches 1-5 will get an R-b by me as I've adopted them.
- Patches 6, 9-11 are new.
- Patches 7, 8 were not part of v3
Andrea Bolognani (5):
security: Fix alignment
qemu: Introduce shared_filesystems configuration option
qemu: Propagate shared_filesystems
utils: Use overrides in virFileIsSharedFS()
qemu: Always set labels for TPM state
Peter Krempa (6):
virFileIsSharedFSOverride: Export
virParseOwnershipIds: Refactor
virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after
'migrated' check
security_(dac|selinux): Unref remebered security labels on outgoing
migration
storage_source: Add field for skipping seclabel remembering
qemu: migration: Don't remember seclabel for images shared from
current host
src/conf/storage_source_conf.c | 3 +
src/conf/storage_source_conf.h | 9 +++
src/libvirt_private.syms | 1 +
src/lxc/lxc_controller.c | 3 +-
src/lxc/lxc_driver.c | 2 +-
src/lxc/lxc_process.c | 4 +-
src/qemu/libvirtd_qemu.aug | 3 +
src/qemu/qemu.conf.in | 26 +++++++++
src/qemu/qemu_conf.c | 31 ++++++++++
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_domain.c | 7 ++-
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_migration.c | 86 +++++++++++++++++++++++----
src/qemu/qemu_security.c | 85 ++++++++++++++++++++-------
src/qemu/qemu_tpm.c | 38 ++++++------
src/qemu/qemu_tpm.h | 10 ++--
src/qemu/test_libvirtd_qemu.aug.in | 5 ++
src/security/security_apparmor.c | 8 ++-
src/security/security_dac.c | 53 +++++++++++++----
src/security/security_driver.h | 8 ++-
src/security/security_manager.c | 33 ++++++++---
src/security/security_manager.h | 9 ++-
src/security/security_nop.c | 5 ++
src/security/security_selinux.c | 94 +++++++++++++++++++++---------
src/security/security_stack.c | 32 +++++++---
src/util/virfile.c | 63 +++++++++++++++++++-
src/util/virfile.h | 5 +-
src/util/virutil.c | 20 +++----
tests/securityselinuxlabeltest.c | 2 +-
tests/virfiletest.c | 2 +-
30 files changed, 517 insertions(+), 134 deletions(-)
--
2.45.2
2 months, 4 weeks
[PATCH v4 0/8] qemu: Introduce shared_filesystems configuration option
by Peter Krempa
For justification see v3:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/P...
This version includes patches that deal with seclabel remembering
without instructing users to disable it.
Patch 2/8 was modified to change the docs for the new option.
Patches 1-5 will get an R-b by me as I've adopted them.
Patches 6-8 are new.
Andrea Bolognani (5):
security: Fix alignment
qemu: Introduce shared_filesystems configuration option
qemu: Propagate shared_filesystems
utils: Use overrides in virFileIsSharedFS()
qemu: Always set labels for TPM state
Peter Krempa (3):
virFileIsSharedFSOverride: Export
storage_source: Add field for skipping seclabel remembering
qemu: migration: Don't remember seclabel for images shared from
current host
src/conf/storage_source_conf.c | 3 ++
src/conf/storage_source_conf.h | 9 ++++
src/libvirt_private.syms | 1 +
src/lxc/lxc_controller.c | 3 +-
src/lxc/lxc_driver.c | 2 +-
src/lxc/lxc_process.c | 4 +-
src/qemu/libvirtd_qemu.aug | 3 ++
src/qemu/qemu.conf.in | 26 +++++++++
src/qemu/qemu_conf.c | 31 +++++++++++
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_domain.c | 7 ++-
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_migration.c | 72 +++++++++++++++++++++----
src/qemu/qemu_security.c | 85 +++++++++++++++++++++++-------
src/qemu/qemu_tpm.c | 38 +++++++------
src/qemu/qemu_tpm.h | 10 ++--
src/qemu/test_libvirtd_qemu.aug.in | 5 ++
src/security/security_apparmor.c | 8 ++-
src/security/security_dac.c | 50 ++++++++++++++----
src/security/security_driver.h | 8 ++-
src/security/security_manager.c | 33 +++++++++---
src/security/security_manager.h | 9 +++-
src/security/security_nop.c | 5 ++
src/security/security_selinux.c | 59 ++++++++++++++++-----
src/security/security_stack.c | 32 ++++++++---
src/util/virfile.c | 63 ++++++++++++++++++++--
src/util/virfile.h | 5 +-
tests/securityselinuxlabeltest.c | 2 +-
tests/virfiletest.c | 2 +-
29 files changed, 472 insertions(+), 107 deletions(-)
--
2.45.2
3 months
[PATCH 0/2] qemu: Strip <acpi/> from configs on s390
by Peter Krempa
See patch 1 for the rationale.
Peter Krempa (2):
qemu_domain: Strip <acpi/> from s390(x) definitions
qemuxmlconftest: Add tests for the ACPI stripping hack on s390
src/qemu/qemu_domain.c | 94 +++++++++++++++++++
.../aarch64-nousb-acpi.aarch64-latest.err | 1 +
tests/qemuxmlconfdata/aarch64-nousb-acpi.xml | 18 ++++
...ngarch64-virt-acpi.loongarch64-latest.args | 31 ++++++
...ongarch64-virt-acpi.loongarch64-latest.xml | 26 +++++
.../qemuxmlconfdata/loongarch64-virt-acpi.xml | 15 +++
.../misc-acpi.x86_64-latest.args | 34 -------
.../misc-acpi.x86_64-latest.xml | 41 --------
tests/qemuxmlconfdata/misc-acpi.xml | 33 -------
.../riscv64-virt-acpi.riscv64-latest.args | 33 +++++++
.../riscv64-virt-acpi.riscv64-latest.xml | 36 +++++++
tests/qemuxmlconfdata/riscv64-virt-acpi.xml | 15 +++
.../s390x-ccw-acpi.s390x-latest.args | 32 +++++++
.../s390x-ccw-acpi.s390x-latest.xml | 27 ++++++
tests/qemuxmlconfdata/s390x-ccw-acpi.xml | 15 +++
.../x86_64-q35-acpi.x86_64-latest.args | 38 ++++++++
.../x86_64-q35-acpi.x86_64-latest.xml | 53 +++++++++++
tests/qemuxmlconfdata/x86_64-q35-acpi.xml | 15 +++
tests/qemuxmlconftest.c | 13 ++-
19 files changed, 461 insertions(+), 109 deletions(-)
create mode 100644 tests/qemuxmlconfdata/aarch64-nousb-acpi.aarch64-latest.err
create mode 100644 tests/qemuxmlconfdata/aarch64-nousb-acpi.xml
create mode 100644 tests/qemuxmlconfdata/loongarch64-virt-acpi.loongarch64-latest.args
create mode 100644 tests/qemuxmlconfdata/loongarch64-virt-acpi.loongarch64-latest.xml
create mode 100644 tests/qemuxmlconfdata/loongarch64-virt-acpi.xml
delete mode 100644 tests/qemuxmlconfdata/misc-acpi.x86_64-latest.args
delete mode 100644 tests/qemuxmlconfdata/misc-acpi.x86_64-latest.xml
delete mode 100644 tests/qemuxmlconfdata/misc-acpi.xml
create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.riscv64-latest.args
create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.riscv64-latest.xml
create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.xml
create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.s390x-latest.args
create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.s390x-latest.xml
create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.xml
create mode 100644 tests/qemuxmlconfdata/x86_64-q35-acpi.x86_64-latest.args
create mode 100644 tests/qemuxmlconfdata/x86_64-q35-acpi.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/x86_64-q35-acpi.xml
--
2.45.2
3 months