[PATCH v2 0/4] Add TPM emulator <source file=''/>
by marcandre.lureau@redhat.com
From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Hi,
When the swtpm capabilities report "nvram-backend-dir", it can accept a single
file or block device where the TPM state will be stored.
--tpmstate must be backend-uri=file://.
v2:
- add <source dir='..'/> support as well (Daniel)
Related: https://issues.redhat.com/browse/CNV-35250
Marc-André Lureau (4):
util: check swtpm nvram-backend-dir capability
schema: add TPM emulator <source file='..'>
schema: add TPM emulator <source dir='..'>
qemu_tpm: handle file/block storage source
docs/formatdomain.rst | 18 +++++
src/conf/domain_conf.c | 28 +++++++
src/conf/domain_conf.h | 7 ++
src/conf/schemas/domaincommon.rng | 20 +++++
src/qemu/qemu_tpm.c | 76 +++++++++++++++----
src/util/virtpm.c | 1 +
src/util/virtpm.h | 1 +
.../qemuxmlconfdata/tpm-emulator-tpm2-enc.xml | 1 +
tests/qemuxmlconfdata/tpm-emulator-tpm2.xml | 1 +
9 files changed, 140 insertions(+), 13 deletions(-)
--
2.45.2.827.g557ae147e6
[PATCH V2 0/4] Rework qemu internal active snapshots to use QMP
by Nikolai Barybin
Den, Peter, Daniel, thank you for your comments!
I'm sending v2 of this patchset.
Changes since last revision:
- dropped [PATCH 4/4] qemu monitor: reap qemu_monitor_text
- added new patch: qemu capabilities: add QEMU_CAPS_SNAPSHOT_SAVE/_DELETE
- preserved old-style snapshotting (HMP savevm) in case we have QEMU < 6.0
- enhanced requirements for allowing snapshotting. All writable disks
should be qcow2, non-shared. If such disks exist and we have qcow2
NVRAM, add NVRAM device to the list of wrdevs. But never save vmstate
to NVRAM
- make char** wrdevs list allocation inside
qemuSnapshotActiveInternalGetWrdevListHelper()
Nikolai Barybin (4):
qemu monitor: add snapshot-save/delete QMP commands
qemu blockjob: add snapshot-save/delete job types
qemu capabilities: add QEMU_CAPS_SNAPSHOT_SAVE/_DELETE
qemu snapshot: use QMP snapshot-save/delete for internal snapshots
src/qemu/qemu_block.c | 2 +
src/qemu/qemu_blockjob.c | 6 +-
src/qemu/qemu_blockjob.h | 2 +
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 2 +
src/qemu/qemu_domain.c | 4 +
src/qemu/qemu_monitor.c | 30 +++
src/qemu/qemu_monitor.h | 13 ++
src/qemu/qemu_monitor_json.c | 66 ++++++
src/qemu/qemu_monitor_json.h | 13 ++
src/qemu/qemu_snapshot.c | 207 ++++++++++++++++--
.../caps_6.0.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_6.0.0_s390x.xml | 2 +
.../caps_6.0.0_x86_64.xml | 2 +
.../caps_6.1.0_x86_64.xml | 2 +
.../caps_6.2.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_6.2.0_ppc64.xml | 2 +
.../caps_6.2.0_x86_64.xml | 2 +
.../caps_7.0.0_aarch64+hvf.xml | 2 +
.../caps_7.0.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 2 +
.../caps_7.0.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 2 +
.../caps_7.1.0_x86_64.xml | 2 +
tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 2 +
.../caps_7.2.0_x86_64+hvf.xml | 2 +
.../caps_7.2.0_x86_64.xml | 2 +
.../caps_8.0.0_riscv64.xml | 2 +
.../caps_8.0.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_8.1.0_s390x.xml | 2 +
.../caps_8.1.0_x86_64.xml | 2 +
.../caps_8.2.0_aarch64.xml | 2 +
.../caps_8.2.0_armv7l.xml | 2 +
.../caps_8.2.0_loongarch64.xml | 2 +
.../qemucapabilitiesdata/caps_8.2.0_s390x.xml | 2 +
.../caps_8.2.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_9.0.0_sparc.xml | 2 +
.../caps_9.0.0_x86_64.xml | 2 +
.../caps_9.1.0_x86_64.xml | 2 +
39 files changed, 391 insertions(+), 14 deletions(-)
--
2.43.5
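The device-selection rule from the changelog above (writable disks must be non-shared qcow2, a qcow2 NVRAM image joins the device list but never holds the vmstate), carried through to the QMP `snapshot-save` / `snapshot-delete` commands the series switches to. This is an added example in Python, not libvirt code; the `Disk`/`Nvram` records, the block node names and the job/tag values are constructed.

```python
"""Pick the devices for a QEMU internal snapshot and build the QMP command.

Added example, not libvirt code: it encodes the policy stated in the cover
letter (every writable disk must be a non-shared qcow2 image; a qcow2 NVRAM
image joins the device list when such disks exist but never carries the
vmstate) and emits the snapshot-save/snapshot-delete commands that the
series switches to. The Disk/Nvram records, the node names and the job/tag
values below are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Disk:
    node: str                 # QEMU block node name (constructed)
    fmt: str                  # image format: "qcow2", "raw", ...
    readonly: bool = False
    shareable: bool = False


@dataclass
class Nvram:
    node: str
    fmt: str


class SnapshotNotAllowed(Exception):
    """Raised when the domain's storage cannot take an internal snapshot."""


def writable_devices(disks: list[Disk], nvram: Optional[Nvram]) -> tuple[list[str], str]:
    """Return (device node names, vmstate node) or raise SnapshotNotAllowed."""
    wrdevs: list[str] = []
    for d in disks:
        if d.readonly:
            continue                      # read-only disks are left out
        if d.fmt != "qcow2":
            raise SnapshotNotAllowed(f"writable disk {d.node} is {d.fmt}, not qcow2")
        if d.shareable:
            raise SnapshotNotAllowed(f"writable disk {d.node} is shared")
        wrdevs.append(d.node)
    if not wrdevs:
        raise SnapshotNotAllowed("no writable qcow2 disk to hold the vmstate")
    vmstate = wrdevs[0]                   # first writable disk stores the VM state
    if nvram is not None and nvram.fmt == "qcow2":
        wrdevs.append(nvram.node)         # snapshotted too, never the vmstate target
    return wrdevs, vmstate


def snapshot_save_cmd(job_id: str, tag: str,
                      disks: list[Disk], nvram: Optional[Nvram]) -> dict:
    """QMP 'snapshot-save' (QEMU >= 6.0) for the selected devices."""
    devices, vmstate = writable_devices(disks, nvram)
    return {"execute": "snapshot-save",
            "arguments": {"job-id": job_id, "tag": tag,
                          "vmstate": vmstate, "devices": devices}}


def snapshot_delete_cmd(job_id: str, tag: str,
                        disks: list[Disk], nvram: Optional[Nvram]) -> dict:
    """QMP 'snapshot-delete' removes the tag from the same device set."""
    devices, _ = writable_devices(disks, nvram)
    return {"execute": "snapshot-delete",
            "arguments": {"job-id": job_id, "tag": tag, "devices": devices}}


# Constructed domain: one writable qcow2 disk, one read-only raw ISO, qcow2 NVRAM.
SAMPLE_DISKS = [Disk("libvirt-1-format", "qcow2"),
                Disk("libvirt-2-format", "raw", readonly=True)]
SAMPLE_NVRAM = Nvram("libvirt-pflash1-format", "qcow2")

if __name__ == "__main__":
    print(json.dumps(snapshot_save_cmd("snapshot-save-1", "snap1",
                                       SAMPLE_DISKS, SAMPLE_NVRAM), indent=2))
```

The argument names (`job-id`, `tag`, `vmstate`, `devices`) are those of QEMU's QAPI definition of `snapshot-save`/`snapshot-delete`; the vmstate node is simply the first writable disk here, which is one way to honour "never save vmstate to NVRAM" while still including the NVRAM image in the snapshot.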
[PATCH 0/2] add NIC hotplug support to test hypervisor
by John Levon
These two patches add basic support for NIC hot[un]plug to the test hypervisor,
based on the qemu driver; only ethernet and bridge type VNICs are currently
supported.
John Levon (2):
test_driver: provide basic NIC hotplug support
test_driver: provide basic NIC hotunplug support
src/test/test_driver.c | 305 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 283 insertions(+), 22 deletions(-)
--
2.34.1
[PATCH v6 00/13] qemu: Introduce shared_filesystems configuration option
by Andrea Bolognani
The need to have something like this in the first place is driven by
KubeVirt (see [1] and [2]). A draft version of this series has been
integrated into KubeVirt and it has been confirmed that it was
effective in removing the need to use LD_PRELOAD hacks in the storage
provider.
Changes from [v5]:
* make migration of domains with TPM work (patches 12 and 13);
* fixed all typos for "remember";
* added R-bs for Peter's patches.
Changes from [v4] (v5 was posted by Peter):
* added patch 7 cleaning up a helper function (noticed just while
reading the code)
* added patch 8 properly unrefing security labels in dac/selinux
drivers on outgoing migration
* patch 11: added handling of the 'nvram' image file (and refactored
the function to allow reuse)
Changes from [v3] (v4 was posted by Peter):
* patch 2/8 was modified to change the docs for the new option.
* patches 1-5 will get an R-b by me as I've adopted them.
* patches 6, 9-11 are new.
* patches 7, 8 were not part of v3
Changes from [v2]:
* added canonicalization for user-provided paths;
* fixed compilation issues when AppArmor support is enabled.
Changes from [v1]:
* documented more explicitly that the newly introduced option is
intended for very specific scenarios and not general usage; as
part of this, the NEWS update has been dropped too;
* made a few tweaks and addressed a few oversights based on review
feedback;
* several preparatory cleanup patches have been pushed.
Changes from [v0]:
* reworked approach.
[v5] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/H...
[v4] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/F...
[v3] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/P...
[v2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/XP...
[v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/XE...
[v0] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/MM...
[1] https://issues.redhat.com/browse/CNV-34322
[2] https://issues.redhat.com/browse/CNV-39370
Andrea Bolognani (7):
security: Fix alignment
qemu: Introduce shared_filesystems configuration option
qemu: Propagate shared_filesystems
utils: Use overrides in virFileIsSharedFS()
qemu: Always set labels for TPM state
security: Always forget labels for TPM state directory
qemu: Don't lock TPM state directory for incoming migration
Peter Krempa (6):
virFileIsSharedFSOverride: Export
virParseOwnershipIds: Refactor
virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after
'migrated' check
security_(dac|selinux): Unref remembered security labels on outgoing
migration
storage_source: Add field for skipping seclabel remembering
qemu: migration: Don't remember seclabel for images shared from
current host
src/conf/storage_source_conf.c | 3 +
src/conf/storage_source_conf.h | 9 ++
src/libvirt_private.syms | 1 +
src/lxc/lxc_controller.c | 3 +-
src/lxc/lxc_driver.c | 2 +-
src/lxc/lxc_process.c | 4 +-
src/qemu/libvirtd_qemu.aug | 3 +
src/qemu/qemu.conf.in | 26 +++++
src/qemu/qemu_conf.c | 31 ++++++
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_domain.c | 7 +-
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_migration.c | 86 ++++++++++++++---
src/qemu/qemu_security.c | 95 +++++++++++++-----
src/qemu/qemu_security.h | 6 +-
src/qemu/qemu_tpm.c | 50 ++++++----
src/qemu/qemu_tpm.h | 10 +-
src/qemu/test_libvirtd_qemu.aug.in | 5 +
src/security/security_apparmor.c | 8 +-
src/security/security_dac.c | 53 +++++++++--
src/security/security_driver.h | 8 +-
src/security/security_manager.c | 33 +++++--
src/security/security_manager.h | 9 +-
src/security/security_nop.c | 5 +
src/security/security_selinux.c | 148 +++++++++++++++++++++++------
src/security/security_stack.c | 32 +++++--
src/util/virfile.c | 63 +++++++++++-
src/util/virfile.h | 5 +-
src/util/virutil.c | 20 ++--
tests/securityselinuxlabeltest.c | 2 +-
tests/virfiletest.c | 2 +-
31 files changed, 594 insertions(+), 139 deletions(-)
--
2.46.0
[PATCH v2] domain_validate: Validate dma_translation for iommu models
by Han Han
The attribute dma_translation is only supported by intel-iommu device.
Report an error when it is used for the other iommu devices.
Fixes: 6866f958c1
Signed-off-by: Han Han <hhan(a)redhat.com>
---
v2: update the tests
v1: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/6C...
src/conf/domain_validate.c | 3 ++-
...io-iommu-dma-translation.x86_64-latest.err | 1 +
.../virtio-iommu-dma-translation.xml | 20 +++++++++++++++++++
tests/qemuxmlconftest.c | 1 +
4 files changed, 24 insertions(+), 1 deletion(-)
create mode 100644 tests/qemuxmlconfdata/virtio-iommu-dma-translation.x86_64-latest.err
create mode 100644 tests/qemuxmlconfdata/virtio-iommu-dma-translation.xml
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index eddb4a5e74..b8ae9ed79d 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -2980,7 +2980,8 @@ virDomainIOMMUDefValidate(const virDomainIOMMUDef *iommu)
iommu->caching_mode != VIR_TRISTATE_SWITCH_ABSENT ||
iommu->eim != VIR_TRISTATE_SWITCH_ABSENT ||
iommu->iotlb != VIR_TRISTATE_SWITCH_ABSENT ||
- iommu->aw_bits != 0) {
+ iommu->aw_bits != 0 ||
+ iommu->dma_translation != VIR_TRISTATE_SWITCH_ABSENT) {
virReportError(VIR_ERR_XML_ERROR,
_("iommu model '%1$s' doesn't support additional attributes"),
virDomainIOMMUModelTypeToString(iommu->model));
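Review bot: the check is right, but "doesn't support additional attributes" now covers six attributes and tells the user nothing about which one was rejected; consider naming the offending attribute in the error (the .err expectation would change accordingly), or at least make sure formatdomain.rst states that dma_translation, like intremap/caching_mode/eim/iotlb/aw_bits, is intel-iommu only. Also worth confirming that the qemu_command.c formatter only emits the dma-translation property for the intel model, so this validator is not the only thing standing between the XML and an invalid QEMU command line.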
diff --git a/tests/qemuxmlconfdata/virtio-iommu-dma-translation.x86_64-latest.err b/tests/qemuxmlconfdata/virtio-iommu-dma-translation.x86_64-latest.err
new file mode 100644
index 0000000000..2c3a272725
--- /dev/null
+++ b/tests/qemuxmlconfdata/virtio-iommu-dma-translation.x86_64-latest.err
@@ -0,0 +1 @@
+XML error: iommu model 'virtio' doesn't support additional attributes
diff --git a/tests/qemuxmlconfdata/virtio-iommu-dma-translation.xml b/tests/qemuxmlconfdata/virtio-iommu-dma-translation.xml
new file mode 100644
index 0000000000..a3723f266b
--- /dev/null
+++ b/tests/qemuxmlconfdata/virtio-iommu-dma-translation.xml
@@ -0,0 +1,20 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='q35'>hvm</type>
+ </os>
+ <features>
+ <acpi/>
+ </features>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <controller type='usb' model='none'/>
+ <memballoon model='none'/>
+ <iommu model='virtio'>
+ <driver dma_translation='on'/>
+ </iommu>
+ </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 61eb4cda75..dfcf67d2d0 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -2766,6 +2766,7 @@ mymain(void)
DO_TEST_CAPS_LATEST_PARSE_ERROR("virtio-iommu-no-acpi");
DO_TEST_CAPS_LATEST_PARSE_ERROR("virtio-iommu-invalid-address-type");
DO_TEST_CAPS_LATEST_PARSE_ERROR("virtio-iommu-invalid-address");
+ DO_TEST_CAPS_LATEST_PARSE_ERROR("virtio-iommu-dma-translation");
DO_TEST_CAPS_LATEST("cpu-hotplug-startup");
DO_TEST_CAPS_ARCH_LATEST_PARSE_ERROR("cpu-hotplug-granularity", "ppc64");
--
2.46.1
[PATCH 0/2] libxl_conf: Fix crashes in libxl config generation
by Rayhan Faizel
This patch series includes fixes for config generation of multiple serial
devices and handling of unsupported graphics types. Both of these
were discovered some time back using fuzzing techniques.
Rayhan Faizel (2):
libxl_conf: Fix config generation for multiple serial devices
libxl_conf: Add check for unsupported graphics type
src/libxl/libxl_conf.c | 15 +++--
.../multiple-serial.json | 63 +++++++++++++++++++
.../multiple-serial.xml | 47 ++++++++++++++
.../libxlxml2domconfigdata/single-serial.json | 52 +++++++++++++++
.../libxlxml2domconfigdata/single-serial.xml | 25 ++++++++
tests/libxlxml2domconfigtest.c | 3 +
6 files changed, 200 insertions(+), 5 deletions(-)
create mode 100644 tests/libxlxml2domconfigdata/multiple-serial.json
create mode 100644 tests/libxlxml2domconfigdata/multiple-serial.xml
create mode 100644 tests/libxlxml2domconfigdata/single-serial.json
create mode 100644 tests/libxlxml2domconfigdata/single-serial.xml
--
2.34.1
[libvirt PATCH 0/6] scripts: group-qemu-caps: improve readability
by Ján Tomko
Even though it still stays a Perl script at heart.
Ján Tomko (6):
scripts: group-qemu-caps: use read
scripts: group-qemu-caps: remove cryptic bool
scripts: group-qemu-caps: remove unnecessary regex
scripts: group-qemu-caps: separate file loading
scripts: group-qemu-caps: regroup_caps: operate on split lines
scripts: group-qemu-caps: separate file operations from the check
scripts/group-qemu-caps.py | 120 +++++++++++++++++++++----------------
1 file changed, 68 insertions(+), 52 deletions(-)
--
2.45.2
[PATCH] vmx: support HPET timers configuration
by João Sena Ribeiro
All VMs are being created with no hpet timer defined. Check if the
VM definition XML file enables HPET and reflect that on the VMX
file.
Signed-off-by: João Sena Ribeiro <joao.ribeiro(a)identity.pt>
---
src/vmx/vmx.c | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/vmx/vmx.c b/src/vmx/vmx.c
index de16c1f634..d7e116dd07 100644
--- a/src/vmx/vmx.c
+++ b/src/vmx/vmx.c
@@ -65,7 +65,7 @@ def->maxvcpus = <value> <=> numvcpus = "<value>"
def->cpumask = <uint list> <=> sched.cpu.affinity = "<uint list>"
def->cputune.shares = <value> <=> sched.cpu.shares = "<value>" # with handling for special values
# "high", "normal", "low"
-
+def->ntimers <=> hpet.present = "<value>" # "true", "false"
################################################################################
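Review bot: the mapping-table entry does not match the code: the formatter below writes `hpet0.present`, not `hpet.present`, and the libvirt side it iterates is `def->clock.timers[i]` (name 'hpet', `present`), not `def->ntimers`. Suggest `def->clock.timers[i] (name = "hpet", present) <=> hpet0.present = "<value>"`. The hunk also replaces the blank line that separated the table from the `####` banner with the new entry, which looks accidental; keep the blank line.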
@@ -3496,6 +3496,35 @@ virVMXFormatConfig(virVMXContext *ctx, virDomainXMLOption *xmlopt, virDomainDef
}
}
+ /* def:clock.ntimers */
+ for (i = 0; i < def->clock.ntimers; i++) {
+ switch ((virDomainTimerNameType)def->clock.timers[i]->name) {
+ case VIR_DOMAIN_TIMER_NAME_HPET:
+ if (def->clock.timers[i]->present == VIR_TRISTATE_BOOL_YES) {
+ virBufferAddLit(&buffer, "hpet0.present = \"true\"\n");
+ } else if (def->clock.timers[i]->present == VIR_TRISTATE_BOOL_NO) {
+ virBufferAddLit(&buffer, "hpet0.present = \"false\"\n");
+ }
+ break;
+
+ case VIR_DOMAIN_TIMER_NAME_TSC:
+ case VIR_DOMAIN_TIMER_NAME_PLATFORM:
+ case VIR_DOMAIN_TIMER_NAME_KVMCLOCK:
+ case VIR_DOMAIN_TIMER_NAME_HYPERVCLOCK:
+ case VIR_DOMAIN_TIMER_NAME_RTC:
+ case VIR_DOMAIN_TIMER_NAME_PIT:
+ case VIR_DOMAIN_TIMER_NAME_ARMVTIMER:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unsupported timer type (name) '%1$s'"),
+ virDomainTimerNameTypeToString(def->clock.timers[i]->name));
+ goto cleanup;
+
+ case VIR_DOMAIN_TIMER_NAME_LAST:
+ break;
+
+ }
+ }
+
/* def:graphics */
for (i = 0; i < def->ngraphics; ++i) {
switch (def->graphics[i]->type) {
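Review bot: the non-HPET arm turns every other `<timer>` into a hard VIR_ERR_CONFIG_UNSUPPORTED at format time, whereas before this patch virVMXFormatConfig never looked at def->clock.timers and silently ignored them; any existing domain XML carrying e.g. `<timer name='rtc' .../>` or `<timer name='pit' .../>` would now fail to convert to VMX, a behaviour change the commit message does not mention. Either keep ignoring the unsupported names (a VIR_WARN would do) or call the regression out explicitly. Separately, only the formatter learns about HPET; virVMXParseConfig does not read `hpet0.present` back into a `<timer name='hpet'>`, so the setting does not round-trip through dumpxml even though the mapping table's `<=>` promises both directions. Minor: the blank line between the last `break;` and the closing brace of the switch is stray.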
--
2.34.1
[PATCH] qemu: add hook script event "stop"
by Adam Julis
The "stop" hook is called when the process of stopping a guest has
started and it is known that the process can be completed
(e.g. the guest is still active).
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/647
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
docs/hooks.rst | 14 +++++++++++---
src/qemu/qemu_process.c | 10 ++++++++++
src/util/virhook.c | 1 +
src/util/virhook.h | 1 +
4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/docs/hooks.rst b/docs/hooks.rst
index 48128ba3d8..508d5afc4e 100644
--- a/docs/hooks.rst
+++ b/docs/hooks.rst
@@ -202,9 +202,17 @@ operation. There is no specific operation to indicate a "restart" is occurring.
/etc/libvirt/hooks/qemu guest_name started begin -
-- When a QEMU guest is stopped, the qemu hook script is called in two
- locations, to match the startup. First, :since:`since 0.8.0`, the hook is
- called before libvirt restores any labels:
+- Before a QEMU guest is stopped, the qemu hook script is called in three
+ locations, to match the startup. First, :since:`since 10.8.0`, the hook is
+ called after libvirt checks that guest is still active and whole stopping
+ procedure should be run:
+
+ ::
+
+ /etc/libvirt/hooks/qemu guest_name stop begin -
+
+ The second location, :since:`since 0.8.0`, the hook is called before libvirt
+ restores any labels:
::
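Review bot: the rewritten lead-in says "Before a QEMU guest is stopped, the qemu hook script is called in three locations", but the second and third invocations happen after the guest is stopped, so the original "When a QEMU guest is stopped" is still the accurate wording for the list as a whole. "checks that guest is still active and whole stopping procedure should be run" needs articles; suggest "checks that the guest is still active and that the stopping procedure will run to completion". It would also help to say here, as the code comment in qemu_process.c does, that the exit status of the "stop" hook is ignored, because the existing "prepare"/"start" hooks abort the operation on failure and readers will assume the same for "stop".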
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2e4ee9e305..f12c4a97a6 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8615,6 +8615,7 @@ qemuProcessBeginStopJob(virDomainObj *vm,
* is supposed to call qemuProcessStop (which will reset it after
* 'vm->def->id' is set to -1) and/or qemuProcessEndStopJob to do proper
* cleanup. */
+
return 0;
error:
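Review bot: this hunk only adds a blank line inside qemuProcessBeginStopJob and is unrelated to the feature; drop it from the patch.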
@@ -8676,6 +8677,15 @@ void qemuProcessStop(virQEMUDriver *driver,
goto endjob;
}
+ if (virHookPresent(VIR_HOOK_DRIVER_QEMU)) {
+ g_autofree char *xml = qemuDomainDefFormatXML(driver, NULL, vm->def, 0);
+
+ /* we can't stop the operation even if the script raised an error */
+ ignore_value(virHookCall(VIR_HOOK_DRIVER_QEMU, vm->def->name,
+ VIR_HOOK_QEMU_OP_STOP, VIR_HOOK_SUBOP_BEGIN,
+ NULL, xml, NULL));
+ }
+
/* BEWARE: At this point 'vm->def->id' is not cleared yet. Any code that
* requires the id (e.g. to call virDomainDefGetShortName()) must be placed
* between here (after the VM is killed) and the statement clearing the id.
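Review bot: with the call placed right after the virDomainObjIsActive() check, "stop begin" also fires on the paths where QEMU is already gone (monitor EOF after a crash), because that check reflects libvirt's view of the domain, not whether the process is still alive; the docs and the commit message describe the hook as running "before a guest is stopped" when "it is known that the process can be completed", so either document that a crashed guest also produces "stop begin" or loosen the description. The hook also runs synchronously with the domain object locked and before the kill, so a slow or hung hook script delays every shutdown/destroy path (the existing "stopped" hook runs after the kill, where that matters less); a sentence in hooks.rst warning hook authors about this would be useful. The ignore_value() with the comment is the right choice, since there is nothing to abort here.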
diff --git a/src/util/virhook.c b/src/util/virhook.c
index d012bb1825..01ba17e406 100644
--- a/src/util/virhook.c
+++ b/src/util/virhook.c
@@ -76,6 +76,7 @@ VIR_ENUM_IMPL(virHookSubop,
VIR_ENUM_IMPL(virHookQemuOp,
VIR_HOOK_QEMU_OP_LAST,
"start",
+ "stop",
"stopped",
"prepare",
"release",
diff --git a/src/util/virhook.h b/src/util/virhook.h
index d8237c837e..ea8c540c3f 100644
--- a/src/util/virhook.h
+++ b/src/util/virhook.h
@@ -52,6 +52,7 @@ typedef enum {
typedef enum {
VIR_HOOK_QEMU_OP_START, /* domain is about to start */
+ VIR_HOOK_QEMU_OP_STOP, /* domain is about to stop */
VIR_HOOK_QEMU_OP_STOPPED, /* domain has stopped */
VIR_HOOK_QEMU_OP_PREPARE, /* domain startup initiated */
VIR_HOOK_QEMU_OP_RELEASE, /* domain destruction is over */
--
2.45.2
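A hook script that handles the new operation in the sequence this patch produces ("stop begin" while QEMU is still running, then the existing "stopped end" and "release end"), as an added example in Python; it is not libvirt code and not a hook shipped by any project. The calling convention (guest name, operation, sub-operation and extra argument on the command line, domain XML on stdin) is the one documented in docs/hooks.rst; what each phase does here (quarantining the guest's MAC addresses in an nftables set named `draining_vms` while it drains) and the log path are assumptions, and the script returns a plan rather than executing anything.

```python
"""A /etc/libvirt/hooks/qemu dispatcher that knows the new "stop" operation.

Added example, not libvirt code and not a hook shipped by any project.
libvirt runs the hook as
    /etc/libvirt/hooks/qemu <guest_name> <operation> <sub-operation> <extra>
with the domain XML on stdin (docs/hooks.rst); with this patch a normal
shutdown yields "stop begin" while QEMU is still running, then the existing
"stopped end" and "release end". What each phase does here (quarantining the
guest's MAC addresses in an nftables set while it drains) and the log path
are assumptions; the script returns a plan rather than running anything.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

LOG_PATH = "/var/log/libvirt/qemu-hook.log"   # assumed location
NFT_SET = "inet filter draining_vms"           # assumed nftables set of ether addrs


def parse_domain(xml_text: str) -> Dict:
    """Pull name, uuid and interface MACs/taps from the XML libvirt pipes in."""
    root = ET.fromstring(xml_text)
    if root.tag != "domain":
        raise ValueError("expected <domain> as the root element")
    ifaces: List[Dict] = []
    for iface in root.iterfind("./devices/interface"):
        mac = iface.find("mac")
        tgt = iface.find("target")
        ifaces.append({"type": iface.get("type"),
                       "mac": mac.get("address") if mac is not None else None,
                       "dev": tgt.get("dev") if tgt is not None else None})
    return {"name": root.findtext("name"), "uuid": root.findtext("uuid"),
            "interfaces": ifaces}


def dispatch(guest: str, op: str, subop: str, extra: str, xml_text: str) -> Dict:
    """Decide what one invocation should do; returns a plan instead of acting."""
    dom = parse_domain(xml_text)
    if dom["name"] != guest:
        # argv[1] and the XML on stdin must agree; refuse to act otherwise
        raise ValueError(f"argv name {guest!r} != XML name {dom['name']!r}")
    macs = [i["mac"] for i in dom["interfaces"] if i["mac"]]
    plan = {"uuid": dom["uuid"], "phase": f"{op} {subop}", "commands": [],
            "fatal": False}
    if (op, subop) == ("stop", "begin"):
        # New with this patch: runs before libvirt kills QEMU, so the guest is
        # still up. libvirt ignores our exit status here, so a failure cannot
        # keep the guest alive; log loudly instead of relying on it.
        plan["commands"] = [f"nft add element {NFT_SET} {{ {m} }}" for m in macs]
    elif (op, subop) == ("release", "end"):
        # all resources are gone; lift the quarantine again
        plan["commands"] = [f"nft delete element {NFT_SET} {{ {m} }}" for m in macs]
    elif (op, subop) in (("prepare", "begin"), ("start", "begin")):
        # here a non-zero exit status aborts the start, so mark the phase fatal
        plan["fatal"] = True
    return plan


def main(argv: List[str]) -> int:
    if len(argv) != 5:
        sys.stderr.write("usage: qemu <guest> <operation> <sub-operation> <extra>\n")
        return 2
    plan = dispatch(argv[1], argv[2], argv[3], argv[4], sys.stdin.read())
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(f"{plan['uuid']} {plan['phase']}: {' ; '.join(plan['commands'])}\n")
    return 0


# Constructed domain XML in the shape libvirt writes to the hook's stdin.
SAMPLE_XML = """<domain type='kvm'>
  <name>guest1</name>
  <uuid>0f2f3e5c-1f0b-4d1e-9a6b-2a3b4c5d6e7f</uuid>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
    </interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hooks run as root, so the name-mismatch check and the "plan, then act" split are deliberate: argv and stdin both come from libvirtd, but keeping the decision separate from execution makes the script testable and keeps a surprising operation/sub-operation pair from running anything.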
[PATCH 0/6] ch: handle events from cloud-hypervisor
by Purna Pavan Chandra Aekkaladevi
cloud-hypervisor raises various events, including VM lifecycle operations
such as boot, shutdown, pause, resume, etc. Libvirt will now read these
events and take the necessary actions, such as correctly updating the
domain state. A FIFO file is passed to `--event-monitor` option of
cloud-hypervisor. Libvirt creates a new thread that acts as the reader
of the fifo file and continuously monitors for new events. Currently,
shutdown events are handled by updating the domain state appropriately.
Purna Pavan Chandra Aekkaladevi (6):
utils: Implement virFileIsNamedPipe
ch: pass --event-monitor option to cloud-hypervisor
ch: start a new thread for handling ch events
ch: events: Read and parse cloud-hypervisor events
ch: events: facilitate lifecycle events handling
NEWS: Mention event handling support in ch driver
NEWS.rst | 7 +
po/POTFILES | 1 +
src/ch/ch_events.c | 337 +++++++++++++++++++++++++++++++++++++++
src/ch/ch_events.h | 54 +++++++
src/ch/ch_monitor.c | 48 +++++-
src/ch/ch_monitor.h | 11 ++
src/ch/meson.build | 2 +
src/libvirt_private.syms | 1 +
src/util/virfile.c | 8 +
src/util/virfile.h | 1 +
10 files changed, 466 insertions(+), 4 deletions(-)
create mode 100644 src/ch/ch_events.c
create mode 100644 src/ch/ch_events.h
--
2.34.1
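The reader loop the cover letter describes (a thread consuming the FIFO passed to `--event-monitor`, decoding each JSON event and updating the domain state), as an added example in Python; it is not libvirt's ch_events.c. It does not assume one event per line: objects are pulled out of a growing buffer with `json.JSONDecoder.raw_decode`, so concatenated or pretty-printed objects and reads that end mid-object all work. The event field names (`timestamp`/`source`/`event`/`properties`), the sample events and the event-to-state table are constructed approximations of cloud-hypervisor's output, not taken from its source; the `S_ISFIFO` check mirrors the series' virFileIsNamedPipe.

```python
"""Incremental reader for a cloud-hypervisor --event-monitor FIFO.

Added example, not libvirt's ch_events.c. It does what the cover letter
describes: a reader loop on the named pipe handed to cloud-hypervisor via
--event-monitor, decoding each JSON event and mapping it to a domain
state. It does not assume one event per line: objects are pulled out of a
growing buffer with json.JSONDecoder.raw_decode, so concatenated or
pretty-printed objects and chunks that end mid-object all work. The event
field names (timestamp/source/event/properties), the sample events and the
event-to-state table are constructed approximations of cloud-hypervisor's
output, not taken from its source.
"""
import codecs
import json
import os
import stat
from typing import Iterator, List, Tuple

_DECODER = json.JSONDecoder()

# (source, event) -> domain state; the cover letter only mentions shutdown,
# the other rows are an assumption for illustration.
EVENT_TO_STATE = {
    ("vm", "booted"): "running",
    ("vm", "paused"): "paused",
    ("vm", "resumed"): "running",
    ("vm", "shutdown"): "shutoff",
}


class EventStream:
    """Turns arbitrary chunks read from the FIFO into complete event dicts."""

    def __init__(self) -> None:
        self._buf = ""

    def feed(self, chunk: str) -> Iterator[dict]:
        self._buf += chunk
        while True:
            text = self._buf.lstrip()
            if not text:
                self._buf = ""
                return
            try:
                obj, end = _DECODER.raw_decode(text)
            except json.JSONDecodeError:
                self._buf = text          # partial object, wait for more data
                return
            self._buf = text[end:]
            if not isinstance(obj, dict) or "source" not in obj or "event" not in obj:
                raise ValueError(f"unexpected event payload: {obj!r}")
            yield obj


class DomainStateTracker:
    """Applies events to a libvirt-style domain state."""

    def __init__(self, initial: str = "shutoff") -> None:
        self.state = initial
        self.history: List[Tuple[str, str, Tuple[str, str]]] = []

    def apply(self, event: dict) -> str:
        key = (event["source"], event["event"])
        new = EVENT_TO_STATE.get(key)
        if new is not None and new != self.state:
            self.history.append((self.state, new, key))
            self.state = new
        return self.state


def monitor_fifo(path: str, tracker: DomainStateTracker) -> None:
    """Body of the reader thread: consume events until the writer side closes."""
    if not stat.S_ISFIFO(os.stat(path).st_mode):
        raise ValueError(f"{path} is not a named pipe")
    stream = EventStream()
    decoder = codecs.getincrementaldecoder("utf-8")()   # UTF-8 may split across reads
    fd = os.open(path, os.O_RDONLY)       # blocks until cloud-hypervisor opens its end
    try:
        while True:
            data = os.read(fd, 4096)      # unbuffered: returns as soon as bytes arrive
            if not data:                  # EOF: cloud-hypervisor exited
                break
            for event in stream.feed(decoder.decode(data)):
                tracker.apply(event)
    finally:
        os.close(fd)


# Constructed sample: three events, split so the second one straddles a read
# boundary and the third is pretty-printed with no separator before it.
SAMPLE_CHUNKS = [
    '{"timestamp":{"secs":1,"nanos":0},"source":"vmm","event":"starting","properties":null}\n'
    '{"timestamp":{"secs":2,"nanos":0},"source":"vm","event":"boot',
    'ed","properties":null}{\n  "timestamp": {"secs": 3, "nanos": 0},\n'
    '  "source": "vm",\n  "event": "shutdown",\n  "properties": null\n}\n',
]


def replay(chunks: List[str]) -> DomainStateTracker:
    """Feed chunks as if they came from the FIFO and return the resulting tracker."""
    tracker = DomainStateTracker()
    stream = EventStream()
    for chunk in chunks:
        for event in stream.feed(chunk):
            tracker.apply(event)
    return tracker


if __name__ == "__main__":
    t = replay(SAMPLE_CHUNKS)
    print(t.state, t.history)
```

`os.read` is used instead of a buffered file object on purpose: a buffered `read(4096)` would wait for 4096 bytes before returning, which for a low-volume event pipe means the shutdown event would not be seen until much later or until cloud-hypervisor closes its end.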