August 2024 - Devel - libvirt List Archives

[PATCH] network: fix crashing "modify" option for hostname
by Adam Julis 08 Aug '24

08 Aug '24

The original condition caused (after adding modify option) possibly access to not allocated memory. For consistency added new check for multiple same records. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/654 Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- src/conf/network_conf.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index c23b0e4400..5cf419acf1 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -3167,7 +3167,7 @@ virNetworkDefUpdateDNSHost(virNetworkDef *def, /* when adding we want to only check duplicates of address since having * multiple addresses with the same hostname is a legitimate configuration */ - if (!isAdd) { + if (command == VIR_NETWORK_UPDATE_COMMAND_DELETE) { for (j = 0; j < host.nnames && !foundThisTime; j++) { for (k = 0; k < dns->hosts[i].nnames && !foundThisTime; k++) { if (STREQ(host.names[j], dns->hosts[i].names[k])) @@ -3224,6 +3224,13 @@ virNetworkDefUpdateDNSHost(virNetworkDef *def, goto cleanup; } + if (foundCt > 1) { + virReportError(VIR_ERR_OPERATION_INVALID, + _("multiple matching DNS HOST records were found in network %1$s"), + def->name); + goto cleanup; + } + virNetworkDNSHostDefClear(&dns->hosts[foundIdxModify]); memcpy(&dns->hosts[foundIdxModify], &host, sizeof(virNetworkDNSHostDef)); -- 2.45.2

2 1

[PATCH] network: NULL check for "modify" DNS-txt records
by Adam Julis 08 Aug '24

08 Aug '24

The "modify" command allowed to replace an existing record, now checks for the NULL string in the new value and throw error if found. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/655 Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- src/conf/network_conf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 3af4e1d036..c23b0e4400 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -3385,6 +3385,13 @@ virNetworkDefUpdateDNSTxt(virNetworkDef *def, goto cleanup; } + if (!txt.value) { + virReportError(VIR_ERR_OPERATION_INVALID, + _("missing value of modifying DNS TXT record in network %1$s"), + def->name); + goto cleanup; + } + VIR_FREE(dns->txts[foundIdx].value); dns->txts[foundIdx].value = g_steal_pointer(&txt.value); -- 2.45.2

2 1

[PATCH] util: open XML files before calling libxml2
by Daniel P. Berrangé 08 Aug '24

08 Aug '24

Libxml2 has awful error reporting behaviour when reading files. When we fail to load a file from the test driver we see: $ virsh -c test:///wibble.xml I/O warning : failed to load external entity "/wibble.xml" error: failed to connect to the hypervisor error: XML error: failed to parse xml document '/wibble.xml' where the I/O warning line is something printed by libxml2 itself, which also lacks any useful detail. Switching to our own file reading code we can massively improve things: $ ./build/tools/virsh -c test:///wibble.xml error: failed to connect to the hypervisor error: Failed to open file '/wibble.xml': No such file or directory Using 10 MB as an upper limit on XML file size ought to be sufficient for any XML files libvirt is reading. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- src/util/virxml.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/util/virxml.c b/src/util/virxml.c index a7b75fd7b3..f6b937b277 100644 --- a/src/util/virxml.c +++ b/src/util/virxml.c @@ -1133,6 +1133,7 @@ virXMLParseHelper(int domcode, xmlNodePtr rootnode; const char *docname; int parseFlags = XML_PARSE_NONET | XML_PARSE_NOWARNING; + g_autofree char *xmlStrPtr = NULL; if (filename) docname = filename; @@ -1155,10 +1156,11 @@ virXMLParseHelper(int domcode, } if (filename) { - xml = xmlCtxtReadFile(pctxt, filename, NULL, parseFlags); - } else { - xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, parseFlags); + if (virFileReadAll(filename, 1024*1024*10, &xmlStrPtr) < 0) + return NULL; + xmlStr = xmlStrPtr; } + xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, parseFlags); if (!xml) { if (virGetLastErrorCode() == VIR_ERR_OK) { -- 2.45.2

3 3

[PATCH] apparmor: Allow more paths for qemu-bridge-helper
by Andrea Bolognani 07 Aug '24

07 Aug '24

The QEMU package in Debian has recently moved the qemu-bridge-helper binary under /usr/libexec/qemu. Update the AppArmor profile accordingly. https://bugs.debian.org/1077915 Signed-off-by: Andrea Bolognani <abologna(a)redhat.com> --- src/security/apparmor/usr.sbin.libvirtd.in | 4 ++-- src/security/apparmor/usr.sbin.virtqemud.in | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 1601d73d47..5fa5c7842c 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -116,7 +116,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { # allow changing to our UUID-based named profiles change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { #include <abstractions/base> @@ -137,7 +137,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /etc/qemu/** r, owner @{PROC}/*/status r, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } @BEGIN_APPARMOR_3@ diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in index 6b9c5d32d9..ff2967c6eb 100644 --- a/src/security/apparmor/usr.sbin.virtqemud.in +++ b/src/security/apparmor/usr.sbin.virtqemud.in @@ -110,7 +110,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { # allow changing to our UUID-based named profiles change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { #include <abstractions/base> @@ -130,7 +130,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) { /etc/qemu/** r, owner @{PROC}/*/status r, - /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, } @BEGIN_APPARMOR_3@ -- 2.45.2

2 1

[PATCH RESEND v2 0/4] multiple memory backend support for CPR Live Updates
by mgalaxy＠akamai.com 07 Aug '24

07 Aug '24

From: Michael Galaxy <mgalaxy(a)akamai.com> CPR-based support for whole-hypervisor kexec-based live updates is now finally merged into QEMU. In support of this, we need NUMA to be supported in these kinds of environments. To do this we use a technology called PMEM (persistent memory) in Linux, which underpins the ability for CPR Live Updates to work so that QEMU memory can remain in RAM and be recovered after a kexec operationg has completed. Our systems are highly NUMA-aware, and so this patch series enables NUMA awareness for live updates. Further, we make a small change that allows live migrations to work between *non* PMEM-based systems and PMEM-based systems (and vice-versa). This allows for seemless upgrades from non-live-compatible systems to live-update-compatible sytems without any downtime. Michael Galaxy (4): qemu.conf changes to support multiple memory backend Support live migration between file-backed memory and anonymous memory. Update unit test to support multiple memory backends Update documentation to reflect memory_backing_dir change in qemu.conf NEWS.rst | 7 ++ docs/kbase/virtiofs.rst | 2 + src/qemu/qemu.conf.in | 2 + src/qemu/qemu_command.c | 8 ++- src/qemu/qemu_conf.c | 141 +++++++++++++++++++++++++++++++++++----- src/qemu/qemu_conf.h | 14 ++-- src/qemu/qemu_domain.c | 24 +++++-- src/qemu/qemu_driver.c | 29 +++++---- src/qemu/qemu_hotplug.c | 6 +- src/qemu/qemu_process.c | 44 +++++++------ src/qemu/qemu_process.h | 7 +- tests/testutilsqemu.c | 5 +- 12 files changed, 221 insertions(+), 68 deletions(-) -- 2.34.1

2 5

[PATCH v2 0/2] qemu: Strip <acpi/> from configs on s390
by Peter Krempa 06 Aug '24

06 Aug '24

See 1/2 for rationale: Changes: - replace masive switch statement by a comment - don't strip the <acpi/> feature when _ABI_UPDATE is asserted (effectively on 'define'/'create' of a new config) to preserve errors - improve testing: - add less redundant tests - add comment about which other cases are testing relevant bits - add also a case for _ABI_UPDATE - fix comment and name in negative 'aarch64' test Peter Krempa (2): qemu_domain: Strip <acpi/> from s390(x) definitions qemuxmlconftest: Add tests for the ACPI stripping hack on s390 src/qemu/qemu_domain.c | 47 +++++++++++++++++++ .../aarch64-noacpi-acpi.aarch64-latest.err | 1 + tests/qemuxmlconfdata/aarch64-noacpi-acpi.xml | 18 +++++++ .../misc-acpi.x86_64-latest.args | 34 -------------- .../misc-acpi.x86_64-latest.xml | 41 ---------------- tests/qemuxmlconfdata/misc-acpi.xml | 33 ------------- .../riscv64-virt-acpi.riscv64-latest.args | 33 +++++++++++++ .../riscv64-virt-acpi.riscv64-latest.xml | 36 ++++++++++++++ tests/qemuxmlconfdata/riscv64-virt-acpi.xml | 15 ++++++ ...s390x-ccw-acpi.s390x-latest.abi-update.err | 1 + .../s390x-ccw-acpi.s390x-latest.args | 32 +++++++++++++ .../s390x-ccw-acpi.s390x-latest.xml | 27 +++++++++++ tests/qemuxmlconfdata/s390x-ccw-acpi.xml | 15 ++++++ tests/qemuxmlconftest.c | 18 ++++++- 14 files changed, 242 insertions(+), 109 deletions(-) create mode 100644 tests/qemuxmlconfdata/aarch64-noacpi-acpi.aarch64-latest.err create mode 100644 tests/qemuxmlconfdata/aarch64-noacpi-acpi.xml delete mode 100644 tests/qemuxmlconfdata/misc-acpi.x86_64-latest.args delete mode 100644 tests/qemuxmlconfdata/misc-acpi.x86_64-latest.xml delete mode 100644 tests/qemuxmlconfdata/misc-acpi.xml create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.riscv64-latest.args create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.riscv64-latest.xml create mode 100644 tests/qemuxmlconfdata/riscv64-virt-acpi.xml create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.s390x-latest.abi-update.err create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.s390x-latest.args create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.s390x-latest.xml create mode 100644 tests/qemuxmlconfdata/s390x-ccw-acpi.xml -- 2.45.2

3 7

libvirt-python: three patches on Makefile, tox.ini, and domstart.py
by Ariel Otilibili 06 Aug '24

06 Aug '24

Hello, I have been using libvirt for some years, and this is my first ever contribution; your feedback is more than welcome. This is a set of patches about changes done in Makefile, tox.ini, and domstart.py. Regards, Ariel

3 5

[PATCH v2 0/8] New changes in v2:
by Purna Pavan Chandra 05 Aug '24

05 Aug '24

* Add version checks in save/restore validations * Add use_timeout in chSocketRecv * Address Praveen Paladugu's comments v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/PT77… ch: support restore with network devices Current ch driver supports restore only for domains without any network configuration defined. This was because libvirt explicitly passes network fds and CH did not had support to restore with new net FDS. This support has been added recently, https://github.com/cloud-hypervisor/cloud-hypervisor/pull/6402 The changes in this patch series includes moving to socket communication for restore api, create new net fds and pass them via SCM_RIGHTS to CH. Purna Pavan Chandra (8): ch: report response message instead of just code ch: Pass net ids explicitly during vm creation ch: refactor chProcessAddNetworkDevices ch: support poll with -1 in chSocketRecv ch: use monitor socket fd to send restore request ch: refactor virCHMonitorSaveVM ch: support restore with net devices ch: kill CH process if restore fails src/ch/ch_capabilities.c | 6 + src/ch/ch_capabilities.h | 1 + src/ch/ch_driver.c | 29 +++-- src/ch/ch_monitor.c | 62 +++++++---- src/ch/ch_monitor.h | 6 +- src/ch/ch_process.c | 233 +++++++++++++++++++++++++++++++-------- 6 files changed, 254 insertions(+), 83 deletions(-) -- 2.34.1

3 12

Release of libvirt-10.6.0
by Jiri Denemark 05 Aug '24

05 Aug '24

The 10.6.0 release of both libvirt and libvirt-python is tagged and signed tarballs are available at https://download.libvirt.org/ https://download.libvirt.org/python/ Thanks everybody who helped with this release by sending patches, reviewing, testing, or providing feedback. Your work is greatly appreciated. * Removed features * qemu: Require QEMU-5.2.0 or newer The minimal required version of QEMU was bumped to 5.2.0. * New features * qemu: Add support for the 'pauth' Arm CPU feature * Introduce pstore device The aim of pstore device is to provide a bit of NVRAM storage for guest kernel to record oops/panic logs just before it crashes. Typical usage includes usage in combination with a watchdog so that the logs can be inspected after the watchdog rebooted the machine. * Improvements * qemu: Set 'passt' net backend if 'default' is unsupported If QEMU is compiled without SLIRP support, and if domain XML allows it, starting from this release libvirt will use passt as the default backend instead. Also, supported backends are now reported in the domain capabilities XML. * qemu: add a monitor to /proc/$pid when killing times out In cases when a QEMU process takes longer to be killed, libvirt might have skipped cleaning up after it. But now a /proc/$pid watch is installed so this does not happen ever again. * Bug fixes * virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf When binary version of edk2 is distributed, the files reside under /usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that directory. * virt-host-validate: Allow longer list of CPU flags During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU flags. But due to a bug it parsed only the first 1024 bytes worth of CPU flags leading to unexpected results. The file is now parsed properly. * capabilities: Be more forgiving when decoding OEM strings On some systems, OEM strings are scattered in multiple sections. This confused libvirt when generating capabilities XML. Not anymore. Enjoy. Jirka

1 0

[PATCH] Revert "network: allow "modify" option for DNS-Srv records"
by Adam Julis 05 Aug '24

05 Aug '24

This reverts commit cf934c87cca32149675020ea595712aad25978e6. The matching logic is flawed and it would complicate support of this command. Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- See discussion: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/6VV… src/conf/network_conf.c | 27 +++++-------------- .../srv-not-existing.xml | 1 - .../srv-record-modify-few.xml | 1 - .../nat-network-dns-srv-modify-few.xml | 26 ------------------ tests/networkxml2xmlupdatetest.c | 10 +------ 5 files changed, 7 insertions(+), 58 deletions(-) delete mode 100644 tests/networkxml2xmlupdatein/srv-not-existing.xml delete mode 100644 tests/networkxml2xmlupdatein/srv-record-modify-few.xml delete mode 100644 tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 68eee367c4..3af4e1d036 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -3257,6 +3257,12 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def, command == VIR_NETWORK_UPDATE_COMMAND_ADD_LAST); int foundCt = 0; + if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("DNS SRV records cannot be modified, only added or deleted")); + goto cleanup; + } + if (virNetworkDefUpdateCheckElementName(def, ctxt->node, "srv") < 0) goto cleanup; @@ -3306,27 +3312,6 @@ virNetworkDefUpdateDNSSrv(virNetworkDef *def, virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]); VIR_DELETE_ELEMENT(dns->srvs, foundIdx, dns->nsrvs); - } else if (command == VIR_NETWORK_UPDATE_COMMAND_MODIFY) { - - if (foundCt == 0) { - virReportError(VIR_ERR_OPERATION_INVALID, - _("couldn't locate a matching DNS SRV record in network %1$s"), - def->name); - goto cleanup; - } - - if (foundCt > 1) { - virReportError(VIR_ERR_OPERATION_INVALID, - _("multiple DNS SRV records matching all specified fields were found in network %1$s"), - def->name); - goto cleanup; - } - - virNetworkDNSSrvDefClear(&dns->srvs[foundIdx]); - - memcpy(&dns->srvs[foundIdx], &srv, sizeof(virNetworkDNSSrvDef)); - memset(&srv, 0, sizeof(virNetworkDNSSrvDef)); - } else { virNetworkDefUpdateUnknownCommand(command); goto cleanup; diff --git a/tests/networkxml2xmlupdatein/srv-not-existing.xml b/tests/networkxml2xmlupdatein/srv-not-existing.xml deleted file mode 100644 index 401e14c616..0000000000 --- a/tests/networkxml2xmlupdatein/srv-not-existing.xml +++ /dev/null @@ -1 +0,0 @@ -<srv service='name' protocol='tcp' domain='unknown-domain' target='.' port='666' priority='99' weight='10'/> diff --git a/tests/networkxml2xmlupdatein/srv-record-modify-few.xml b/tests/networkxml2xmlupdatein/srv-record-modify-few.xml deleted file mode 100644 index 88ec1b97d9..0000000000 --- a/tests/networkxml2xmlupdatein/srv-record-modify-few.xml +++ /dev/null @@ -1 +0,0 @@ -<srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/> diff --git a/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml b/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml deleted file mode 100644 index a7e5fcffa6..0000000000 --- a/tests/networkxml2xmlupdateout/nat-network-dns-srv-modify-few.xml +++ /dev/null @@ -1,26 +0,0 @@ -<network> - <name>default</name> - <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid> - <forward dev='eth1' mode='nat'> - <interface dev='eth1'/> - </forward> - <bridge name='virbr0' stp='on' delay='0'/> - <dns> - <srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1221' priority='42' weight='69'/> - </dns> - <ip address='192.168.122.1' netmask='255.255.255.0'> - <dhcp> - <range start='192.168.122.2' end='192.168.122.254'/> - <host mac='00:16:3e:77:e2:ed' name='a.example.com' ip='192.168.122.10'/> - <host mac='00:16:3e:3e:a9:1a' name='b.example.com' ip='192.168.122.11'/> - </dhcp> - </ip> - <ip family='ipv4' address='192.168.123.1' netmask='255.255.255.0'> - </ip> - <ip family='ipv6' address='2001:db8:ac10:fe01::1' prefix='64'> - </ip> - <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'> - </ip> - <ip family='ipv4' address='10.24.10.1'> - </ip> -</network> diff --git a/tests/networkxml2xmlupdatetest.c b/tests/networkxml2xmlupdatetest.c index 875cede035..60931a2eba 100644 --- a/tests/networkxml2xmlupdatetest.c +++ b/tests/networkxml2xmlupdatetest.c @@ -337,6 +337,7 @@ mymain(void) "nat-network-dns-srv-record", "nat-network-dns-srv-records", VIR_NETWORK_UPDATE_COMMAND_ADD_LAST); + DO_TEST_FAIL("delete-missing-srv-record-service", "srv-record-service", "nat-network", @@ -359,15 +360,6 @@ mymain(void) "nat-network-dns-srv-record", "nat-network", VIR_NETWORK_UPDATE_COMMAND_DELETE); - DO_TEST("modify-srv-record-protocol", - "srv-record-modify-few", - "nat-network-dns-srv-record", - "nat-network-dns-srv-modify-few", - VIR_NETWORK_UPDATE_COMMAND_MODIFY); - DO_TEST_FAIL("modify-not-existing-srv-record", - "srv-not-existing", - "nat-network-dns-srv-record", - VIR_NETWORK_UPDATE_COMMAND_MODIFY); return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; -- 2.45.2

2 1