[PATCH v2] meson: Add back prefix path for runstatedir
by Zhenzhong Duan
Currently libvirt favors /run instead of /var/run, but for local build
run tests, a prefix path is still needed to avoid interoperating with OS
vendor-provided binaries.
When the 'system' option is specified, the fixed path /run is honored.
Fixes: e5299ddf86121d3c792ca271ffcb54900eb19dc3
Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
---
v2: Take option `system` into consideration (Pavel)
meson.build | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meson.build b/meson.build
index bf4a245dd3..2762236f37 100644
--- a/meson.build
+++ b/meson.build
@@ -62,11 +62,16 @@ if get_option('system')
endif
localstatedir = '/var'
sysconfdir = '/etc'
+ runstatedir = '/run'
else
prefix = get_option('prefix')
libdir = prefix / get_option('libdir')
localstatedir = prefix / get_option('localstatedir')
sysconfdir = prefix / get_option('sysconfdir')
+ runstatedir = get_option('runstatedir')
+ if runstatedir == ''
+ runstatedir = prefix / 'run'
+ endif
endif
# if --prefix is /usr, don't use /usr/var for localstatedir or /usr/etc for
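Review bot: in the non-system branch, `runstatedir = get_option('runstatedir')` is taken as given while the sibling options just above it are all joined with prefix (`localstatedir = prefix / get_option('localstatedir')`); either document that -Drunstatedir is expected to be absolute, or treat it like localstatedir so the two behave the same. Separately, the system branch now hard-codes `runstatedir = '/run'` and silently ignores any -Drunstatedir value the user passed; a warning(), or an error when the option is non-empty together with -Dsystem=true, would make that explicit.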
@@ -80,11 +85,6 @@ if prefix == '/usr'
endif
endif
-runstatedir = get_option('runstatedir')
-if runstatedir == ''
- runstatedir = '/run'
-endif
-
initconfdir = get_option('initconfdir')
if initconfdir == ''
if (os_release.contains('alpine') or
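Review bot: moving the assignment above the `if prefix == '/usr'` block means a non-system build with --prefix=/usr now ends up with runstatedir = /usr/run, because that block (per the comment above it, which keeps /usr/var and /usr/etc out of localstatedir and sysconfdir) does not reset runstatedir the way it does the other two. Add `runstatedir = '/run'` inside that block alongside the localstatedir fix-up, or keep the old fallback for the /usr case.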
--
2.34.1
1 day, 5 hours
[PATCH 0/6] qemu: Remove last HMP commands
by Peter Krempa
RIP HMP use in libvirt:
2007-02-14 [1] - 2025-04-02
[1] 23ad665cb05ef9ce7d298cc34bff5efb95ef6948
Peter Krempa (6):
qemu: domain: Don't check return value of 'virCPUDefCopy'
qemuSnapshotCreateActiveInternal: Fix error logic
qemu: snapshot: Always assume support for
QEMU_CAPS_SNAPSHOT_INTERNAL_QMP
qemu: Always revert internal snapshots via QMP rather than '-loadvm'
qemu: monitor: Remove HMP monitor code
qemu: capabilities: Retire QEMU_CAPS_SNAPSHOT_INTERNAL_QMP
po/POTFILES | 1 -
src/qemu/meson.build | 1 -
src/qemu/qemu_capabilities.c | 3 +-
src/qemu/qemu_capabilities.h | 2 +-
src/qemu/qemu_command.c | 6 --
src/qemu/qemu_domain.c | 7 +-
src/qemu/qemu_monitor.c | 25 ------
src/qemu/qemu_monitor.h | 3 -
src/qemu/qemu_monitor_text.c | 88 -------------------
src/qemu/qemu_monitor_text.h | 29 ------
src/qemu/qemu_process.c | 3 +-
src/qemu/qemu_snapshot.c | 49 ++---------
.../caps_10.0.0_s390x.xml | 1 -
.../caps_10.0.0_x86_64+amdsev.xml | 1 -
.../caps_10.0.0_x86_64.xml | 1 -
.../qemucapabilitiesdata/caps_6.2.0_ppc64.xml | 1 -
.../caps_6.2.0_x86_64.xml | 1 -
.../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 1 -
.../caps_7.0.0_x86_64.xml | 1 -
.../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 1 -
.../caps_7.1.0_x86_64.xml | 1 -
tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 1 -
.../caps_7.2.0_x86_64+hvf.xml | 1 -
.../caps_7.2.0_x86_64.xml | 1 -
.../caps_8.0.0_x86_64.xml | 1 -
.../qemucapabilitiesdata/caps_8.1.0_s390x.xml | 1 -
.../caps_8.1.0_x86_64.xml | 1 -
.../caps_8.2.0_aarch64.xml | 1 -
.../caps_8.2.0_armv7l.xml | 1 -
.../caps_8.2.0_loongarch64.xml | 1 -
.../qemucapabilitiesdata/caps_8.2.0_s390x.xml | 1 -
.../caps_8.2.0_x86_64.xml | 1 -
.../qemucapabilitiesdata/caps_9.0.0_sparc.xml | 1 -
.../caps_9.0.0_x86_64.xml | 1 -
.../caps_9.1.0_riscv64.xml | 1 -
.../qemucapabilitiesdata/caps_9.1.0_s390x.xml | 1 -
.../caps_9.1.0_x86_64.xml | 1 -
.../caps_9.2.0_aarch64+hvf.xml | 1 -
.../qemucapabilitiesdata/caps_9.2.0_s390x.xml | 1 -
.../caps_9.2.0_x86_64+amdsev.xml | 1 -
.../caps_9.2.0_x86_64.xml | 1 -
41 files changed, 15 insertions(+), 231 deletions(-)
delete mode 100644 src/qemu/qemu_monitor_text.c
delete mode 100644 src/qemu/qemu_monitor_text.h
--
2.49.0
1 day, 5 hours
[PATCH] meson: Add back prefix path for runstatedir
by Zhenzhong Duan
Currently libvirt favors /run instead of /var/run, but for local build
run tests, a prefix path is still needed to avoid interoperating with OS
vendor-provided binaries.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan(a)intel.com>
---
meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meson.build b/meson.build
index bf4a245dd3..84c9796c2f 100644
--- a/meson.build
+++ b/meson.build
@@ -82,7 +82,7 @@ endif
runstatedir = get_option('runstatedir')
if runstatedir == ''
- runstatedir = '/run'
+ runstatedir = prefix / 'run'
endif
initconfdir = get_option('initconfdir')
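Review bot: `runstatedir = prefix / 'run'` is applied unconditionally, so a -Dsystem=true build (where this meson.build pins localstatedir and sysconfdir to /var and /etc) would get a prefix-relative run directory instead of /run; make the prefixed fallback conditional on the non-system branch and keep the fixed /run for system builds. The v2 of this patch above does exactly that, per its changelog line "Take option `system` into consideration".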
--
2.34.1
1 day, 5 hours
[PATCH v3 0/6] qemu: acpi-generic-initiator support
by Andrea Righi
= Overview =
This patch set introduces support for acpi-generic-initiator devices,
supported by QEMU [1].
The acpi-generic-initiator object is required to support Multi-Instance GPU
(MIG) configurations on NVIDIA GPUs [2]. MIG enables partitioning of GPU
resources into multiple isolated instances, each requiring a dedicated NUMA
node definition.
= Implementation =
This patch set implements the libvirt counterpart to the QEMU feature,
enabling users to configure acpi-generic-initiator objects within libvirt
domain XML.
This includes:
- adding XML syntax to define acpi-generic-initiator objects,
- resolving the acpi-generic-initiator definitions into the proper QEMU
command-line arguments,
- ensuring compatibility with existing NUMA configuration.
= Example =
- Domain XML:
```
...
<cpu mode='host-passthrough' check='none'>
<numa>
<cell id='0' cpus='0-15' memory='8388608' unit='KiB'/>
<cell id='1' memory='0' unit='KiB'/>
<cell id='2' memory='0' unit='KiB'/>
<cell id='3' memory='0' unit='KiB'/>
<cell id='4' memory='0' unit='KiB'/>
<cell id='5' memory='0' unit='KiB'/>
<cell id='6' memory='0' unit='KiB'/>
<cell id='7' memory='0' unit='KiB'/>
<cell id='8' memory='0' unit='KiB'/>
</numa>
</cpu>
...
<devices>
...
<hostdev mode='subsystem' type='pci' managed='no'>
<source>
<address domain='0x0009' bus='0x01' slot='0x00' function='0x0'/>
</source>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</hostdev>
<acpi-generic-initiator>
<alias name="gi1"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>1</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi2"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>2</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi3"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>3</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi4"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>4</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi5"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>5</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi6"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>6</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi7"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>7</numa-node>
</acpi-generic-initiator>
<acpi-generic-initiator>
<alias name="gi8"/>
<pci-dev>hostdev0</pci-dev>
<numa-node>8</numa-node>
</acpi-generic-initiator>
</devices>
```
- Generated QEMU command line options:
```
... /usr/bin/qemu-system-aarch64 \
...
-object '{"qom-type":"memory-backend-ram","id":"ram-node0","size":8589934592}' \
-numa node,nodeid=0,cpus=0-15,memdev=ram-node0 \
-numa node,nodeid=1 \
-numa node,nodeid=2 \
-numa node,nodeid=3 \
-numa node,nodeid=4 \
-numa node,nodeid=5 \
-numa node,nodeid=6 \
-numa node,nodeid=7 \
-numa node,nodeid=8 \
...
-device '{"driver":"vfio-pci","host":"0009:01:00.0","id":"hostdev0","bus":"pci.3","addr":"0x0"}'
...
-object acpi-generic-initiator,id=gi1,pci-dev=hostdev0,node=1 \
-object acpi-generic-initiator,id=gi2,pci-dev=hostdev0,node=2 \
-object acpi-generic-initiator,id=gi3,pci-dev=hostdev0,node=3 \
-object acpi-generic-initiator,id=gi4,pci-dev=hostdev0,node=4 \
-object acpi-generic-initiator,id=gi5,pci-dev=hostdev0,node=5 \
-object acpi-generic-initiator,id=gi6,pci-dev=hostdev0,node=6 \
-object acpi-generic-initiator,id=gi7,pci-dev=hostdev0,node=7 \
-object acpi-generic-initiator,id=gi8,pci-dev=hostdev0,node=8
```
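As an added example (not part of this series or of libvirt's own code), the following Python resolves the `<acpi-generic-initiator>` elements of a domain XML like the one above into the `-object` arguments shown, after checking that every `<pci-dev>` names a hostdev and every `<numa-node>` a defined `<cell>`; the `hostdevN`-by-position aliasing is an assumption taken from the example, and the XML sample is constructed from it.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the cover letter's domain XML
# (two initiators instead of eight).
SAMPLE_XML = """<domain type='kvm'>
  <cpu mode='host-passthrough' check='none'>
    <numa>
      <cell id='0' cpus='0-15' memory='8388608' unit='KiB'/>
      <cell id='1' memory='0' unit='KiB'/>
      <cell id='2' memory='0' unit='KiB'/>
    </numa>
  </cpu>
  <devices>
    <hostdev mode='subsystem' type='pci' managed='no'>
      <source>
        <address domain='0x0009' bus='0x01' slot='0x00' function='0x0'/>
      </source>
    </hostdev>
    <acpi-generic-initiator>
      <alias name="gi1"/>
      <pci-dev>hostdev0</pci-dev>
      <numa-node>1</numa-node>
    </acpi-generic-initiator>
    <acpi-generic-initiator>
      <alias name="gi2"/>
      <pci-dev>hostdev0</pci-dev>
      <numa-node>2</numa-node>
    </acpi-generic-initiator>
  </devices>
</domain>"""


def hostdev_aliases(root):
    """Names of <hostdev> devices. Without an explicit <alias>, the
    hostdevN-by-position naming seen in the cover letter is assumed."""
    names = []
    for i, hd in enumerate(root.findall("./devices/hostdev")):
        alias = hd.find("alias")
        names.append(alias.get("name") if alias is not None else f"hostdev{i}")
    return names


def numa_cell_ids(root):
    """Set of NUMA cell ids defined under <cpu><numa>."""
    return {int(c.get("id")) for c in root.findall("./cpu/numa/cell")}


def validate_initiators(xml_text):
    """Return a list of problems; an empty list means the config is consistent."""
    root = ET.fromstring(xml_text)
    aliases = hostdev_aliases(root)
    cells = numa_cell_ids(root)
    problems, seen = [], set()
    for n, gi in enumerate(root.findall("./devices/acpi-generic-initiator")):
        alias = gi.find("alias")
        gid = alias.get("name") if alias is not None else None
        if not gid:
            problems.append(f"initiator #{n}: missing <alias name=...>")
            continue
        if gid in seen:
            problems.append(f"{gid}: duplicate initiator id")
        seen.add(gid)
        pci_dev = gi.findtext("pci-dev")
        if pci_dev not in aliases:
            problems.append(f"{gid}: pci-dev '{pci_dev}' is not a known hostdev")
        node_text = gi.findtext("numa-node")
        if node_text is None or not node_text.strip().isdigit():
            problems.append(f"{gid}: numa-node must be a non-negative integer")
        elif int(node_text) not in cells:
            problems.append(f"{gid}: NUMA node {int(node_text)} is not defined in <numa>")
    return problems


def initiator_args(xml_text):
    """Emit the -object lines for a valid config, in the format the
    cover letter shows as generated by libvirt."""
    problems = validate_initiators(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    args = []
    for gi in root.findall("./devices/acpi-generic-initiator"):
        gid = gi.find("alias").get("name")
        args.append("-object acpi-generic-initiator,id=%s,pci-dev=%s,node=%d"
                    % (gid, gi.findtext("pci-dev"), int(gi.findtext("numa-node"))))
    return args


if __name__ == "__main__":
    print("\n".join(initiator_args(SAMPLE_XML)))
```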
= References =
[1] https://lore.kernel.org/all/20231225045603.7654-2-ankita@nvidia.com/
[2] https://www.nvidia.com/en-in/technologies/multi-instance-gpu/
ChangeLog v2 -> v3:
- replaced <text/> with proper types in the XML schema
- avoid mixing g_free() and VIR_FREE()
- use virXMLPropString() instead of looping all XML nodes
- report proper errors with virReportError()
- use virBufferEscapeString() to process strings passed by the user
- fix broken formatting of function headers
- misc coding style fixes
ChangeLog v1 -> v2:
- split parser and driver changes in separate patches
- introduce a new qemu capability flag
- introduce test in qemuxmlconftest
Andrea Righi (6):
schema: Introduce acpi-generic-initiator definition
conf: Introduce acpi-generic-initiator device
qemu: Allow to define NUMA nodes without memory or CPUs assigned
qemu: capabilies: Introduce QEMU_CAPS_ACPI_GENERIC_INITIATOR
qemu: support acpi-generic-initiator
qemu: Add test case for acpi-generic-initiator
src/ch/ch_domain.c | 1 +
src/conf/domain_conf.c | 159 +++++++++++++++++++++
src/conf/domain_conf.h | 14 ++
src/conf/domain_postparse.c | 1 +
src/conf/domain_validate.c | 37 +++++
src/conf/numa_conf.c | 3 +
src/conf/schemas/domaincommon.rng | 19 +++
src/conf/virconftypes.h | 2 +
src/libxl/libxl_driver.c | 6 +
src/lxc/lxc_driver.c | 6 +
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 49 ++++++-
src/qemu/qemu_domain.c | 2 +
src/qemu/qemu_domain_address.c | 4 +
src/qemu/qemu_driver.c | 3 +
src/qemu/qemu_hotplug.c | 5 +
src/qemu/qemu_postparse.c | 1 +
src/qemu/qemu_validate.c | 1 +
src/test/test_driver.c | 4 +
.../caps_10.0.0_x86_64+amdsev.xml | 1 +
tests/qemucapabilitiesdata/caps_10.0.0_x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_9.0.0_x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_9.1.0_riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_9.1.0_x86_64.xml | 1 +
.../caps_9.2.0_aarch64+hvf.xml | 1 +
.../caps_9.2.0_x86_64+amdsev.xml | 1 +
tests/qemucapabilitiesdata/caps_9.2.0_x86_64.xml | 1 +
.../acpi-generic-initiator.x86_64-latest.args | 55 +++++++
.../acpi-generic-initiator.x86_64-latest.xml | 102 +++++++++++++
tests/qemuxmlconfdata/acpi-generic-initiator.xml | 102 +++++++++++++
tests/qemuxmlconftest.c | 1 +
32 files changed, 581 insertions(+), 7 deletions(-)
create mode 100644 tests/qemuxmlconfdata/acpi-generic-initiator.x86_64-latest.args
create mode 100644 tests/qemuxmlconfdata/acpi-generic-initiator.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/acpi-generic-initiator.xml
1 day, 6 hours
Report a build issue
by Duan, Zhenzhong
Hi,
When -Dlibnl=disabled, the build failed as below:
../src/util/virnetdevbridge.c: In function 'virNetDevBridgeSetupVlans':
../src/util/virnetdevbridge.c:326:9: error: implicit declaration of function 'virNetlinkBridgeVlanFilterSet'; did you mean 'virNetDevBridgeGetVlanFiltering'? [-Werror=implicit-function-declaration]
326 | if (virNetlinkBridgeVlanFilterSet(ifname, RTM_DELLINK, 0, 1, &error) < 0) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| virNetDevBridgeGetVlanFiltering
../src/util/virnetdevbridge.c:326:9: error: nested extern declaration of 'virNetlinkBridgeVlanFilterSet' [-Werror=nested-externs]
../src/util/virnetdevbridge.c:326:47: error: 'RTM_DELLINK' undeclared (first use in this function)
326 | if (virNetlinkBridgeVlanFilterSet(ifname, RTM_DELLINK, 0, 1, &error) < 0) {
| ^~~~~~~~~~~
../src/util/virnetdevbridge.c:326:47: note: each undeclared identifier is reported only once for each function it appears in
../src/util/virnetdevbridge.c:346:55: error: 'RTM_SETLINK' undeclared (first use in this function)
346 | if (virNetlinkBridgeVlanFilterSet(ifname, RTM_SETLINK, flags,
| ^~~~~~~~~~~
cc1: all warnings being treated as errors
Thanks
Zhenzhong
1 day, 6 hours
[PATCH rfcv4 00/13] LIBVIRT: X86: TDX support
by Zhenzhong Duan
Hi,
This series brings libvirt the x86 TDX support.
* What's TDX?
TDX stands for Trust Domain Extensions which isolates VMs from
the virtual-machine manager (VMM)/hypervisor and any other software on
the platform.
To support TDX, multiple software components, not only KVM but also QEMU,
guest Linux and virtual bios, need to be updated. For more details, please
check link[1].
This patchset is another software component to extend libvirt to support TDX,
with which one can start a TDX guest from high level rather than running qemu
directly.
* Misc
As QEMU uses a software-emulated way to reset the guest, which isn't supported by
TDX guests for security reasons, we simulate reboot for TDX guests by killing the
guest and creating a new one in the FakeReboot framework.
Complete code can be found at [2], matching qemu code can be found at [3].
There is a 'debug' property for the tdx-guest object which isn't in the matching
qemu [3] yet. I keep it intentionally, as it will be implemented in qemu as an
extension series of [3].
* Test
start/stop/reboot with virsh
stop/reboot trigger in guest
stop with on_poweroff=destroy/restart
reboot with on_reboot=destroy/restart
* Patch organization
- patch 1-4: Support query of TDX capabilities.
- patch 5-8: Add TDX type to launchsecurity framework.
- patch 9-11: Add reboot support to TDX guest
- patch 12-13: Add test and docs
TODO:
- update QEMU capabilities data in tests, depending on qemu TDX merged beforehand
- add reconnect logic in virsh command
[1] https://lore.kernel.org/kvm/cover.1708933498.git.isaku.yamahata@intel.com
[2] https://github.com/intel/libvirt-tdx/commits/tdx_for_upstream_rfcv4
[3] https://github.com/intel/qemu-tdx/tree/tdx-qemu-upstream-v5
Thanks
Zhenzhong
Changelog:
rfcv4:
- add a check to tools/virt-host-validate-qemu.c (Daniel)
- remove check of q35 (Daniel)
- model 'SocketAddress' QAPI in xml schema (Daniel)
- s/Quote-Generation-Service/quoteGenerationService/ (Daniel)
- define bits in tdx->policy and add validating logic (Daniel)
- presume QEMU chooses split kernel irqchip for TDX guest by default (Daniel)
- utilize existing FakeReboot framework to do reboot for TDX guest (Daniel)
- drop patch11 'conf: Add support to keep same domid for hard reboot' (Daniel)
- add test in tests/ to validate parsing and formatting logic (Daniel)
- add doc in docs/formatdomain.rst (Daniel)
- add R-B
rfcv3:
- Change to generate qemu cmdline with -bios
- drop firmware auto match as -bios is used
- add a hard reboot method to reboot TDX guest
rfcv3: https://www.mail-archive.com/devel@lists.libvirt.org/msg00385.html
rfcv2:
- give up using qmp cmd and check TDX directly on host for TDX capabilities.
- use launchsecurity framework to support TDX
- use <os>.<loader> for general loader
- add auto firmware match feature for TDX
An example TDVF firmware description file 70-edk2-x86_64-tdx.json:
{
"description": "UEFI firmware for x86_64, supporting Intel TDX",
"interface-types": [
"uefi"
],
"mapping": {
"device": "generic",
"filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd"
},
"targets": [
{
"architecture": "x86_64",
"machines": [
"pc-q35-*"
]
}
],
"features": [
"intel-tdx",
"verbose-dynamic"
],
"tags": [
]
}
rfcv2: https://www.mail-archive.com/libvir-list@redhat.com/msg219378.html
Zhenzhong Duan (13):
tools: Secure guest check for Intel in virt-host-validate
qemu: Check if INTEL Trust Domain Extention support is enabled
qemu: Add TDX capability
conf: expose TDX feature in domain capabilities
conf: add tdx as launch security type
qemu: Add command line and validation for TDX type
qemu: force special parameters enabled for TDX guest
Add Intel TDX Quote Generation Service(QGS) support
qemu: add FakeReboot support for TDX guest
qemu: Support reboot command in guest
qemu: Avoid duplicate FakeReboot for secure guest
Add test cases for Intel TDX
docs: domain: Add documentation for Intel TDX guest
docs/formatdomain.rst | 68 ++++
docs/formatdomaincaps.rst | 1 +
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/conf/domain_conf.c | 312 ++++++++++++++++++
src/conf/domain_conf.h | 75 +++++
src/conf/schemas/domaincaps.rng | 9 +
src/conf/schemas/domaincommon.rng | 135 ++++++++
src/conf/virconftypes.h | 2 +
src/qemu/qemu_capabilities.c | 36 +-
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 139 ++++++++
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_monitor.c | 28 +-
src/qemu/qemu_monitor.h | 2 +-
src/qemu/qemu_monitor_json.c | 6 +-
src/qemu/qemu_namespace.c | 1 +
src/qemu/qemu_process.c | 75 +++++
src/qemu/qemu_validate.c | 44 +++
...unch-security-tdx-qgs-fd.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-fd.xml | 30 ++
...ch-security-tdx-qgs-inet.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-inet.xml | 30 ++
...ch-security-tdx-qgs-unix.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-unix.xml | 30 ++
...h-security-tdx-qgs-vsock.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-vsock.xml | 30 ++
tests/qemuxmlconftest.c | 24 ++
tools/virt-host-validate-common.c | 22 +-
tools/virt-host-validate-common.h | 1 +
30 files changed, 1407 insertions(+), 5 deletions(-)
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.xml
--
2.34.1
1 day, 8 hours
[PATCH] [for-10.1] qapi/block-core: deprecate some block-job- APIs
by Vladimir Sementsov-Ogievskiy
For the change, pause, resume, complete, dismiss and finalize actions
the corresponding job- and block-job commands are almost equal. The
difference is in the find_block_job_locked() vs find_job_locked()
functions. What's different?
1. find_block_job_locked() does check whether the found job is a block job.
This is OK when moving to the more generic API; no need to document this change.
2. find_block_job_locked() reports DeviceNotActive on failure, whereas
find_job_locked() reports GenericError. So, let's document this
difference in deprecated.txt. Still, for dismiss and finalize the errors
are not documented at all, so be silent in deprecated.txt as well.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov(a)yandex-team.ru>
---
Hi all!
That's a continuation of my "[RFC 00/15] block job API" [1], exactly, the
simplest part of it: deprecating the block-job-* commands which simply
duplicate the job-* ones.
Note that the old series started by trying to introduce a job-change
command as a substitution for both block-job-change (which can only change
the mirror copy-mode parameter) and block-job-set-speed. It was a rather
complicated and controversial attempt, whose latest implementation was
"[PATCH v3 0/7] introduce job-change qmp command" [2].
In [2] Kevin noted that we'd better follow the existing blockdev-reopen
approach of changing options (i.e. specify all options) than introduce a
new one. But, on the other hand, now I'm afraid that rewriting, in
third-party tools, a simple call to (old good) block-job-set-speed into
job-change(_all_options_ + changed speed) is too much work just for
"having a nice interface". And too much for the only two options we want
to change.
So, let's just start from something more obvious. Finally,
we can simply keep block-job-set-speed and block-job-change as is,
as they (unlike other block-job-* commands) are not duplicated by
similar job-* commands.
[1] https://patchew.org/QEMU/20240313150907.623462-1-vsementsov@yandex-team.ru/
[2] https://patchew.org/QEMU/20241002140616.561652-1-vsementsov@yandex-team.ru/
docs/about/deprecated.rst | 31 +++++++++++++++++++++++++++++++
qapi/block-core.json | 30 ++++++++++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index e2b4f077d4..eed3356359 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -148,6 +148,37 @@ options are removed in favor of using explicit ``blockdev-create`` and
``blockdev-add`` calls. See :doc:`/interop/live-block-operations` for
details.
+``block-job-pause`` (since 10.1)
+'''''''''''''''''''''''''''''''
+
+Use ``job-pause`` instead. The only difference is that ``job-pause``
+always reports GenericError on failure when ``block-job-pause`` reports
+DeviceNotActive when block-job is not found.
+
+``block-job-resume`` (since 10.1)
+''''''''''''''''''''''''''''''''
+
+Use ``job-resume`` instead. The only difference is that ``job-resume``
+always reports GenericError on failure when ``block-job-resume`` reports
+DeviceNotActive when block-job is not found.
+
+``block-job-complete`` (since 10.1)
+''''''''''''''''''''''''''''''''''
+
+Use ``job-complete`` instead. The only difference is that ``job-complete``
+always reports GenericError on failure when ``block-job-complete`` reports
+DeviceNotActive when block-job is not found.
+
+``block-job-dismiss`` (since 10.1)
+'''''''''''''''''''''''''''''''''
+
+Use ``job-dismiss`` instead.
+
+``block-job-finalize`` (since 10.1)
+''''''''''''''''''''''''''''''''''
+
+Use ``job-finalize`` instead.
+
``query-migrationthreads`` (since 9.2)
''''''''''''''''''''''''''''''''''''''
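Review bot: the three error-difference sentences stack two "when" clauses ("always reports GenericError on failure when ``block-job-pause`` reports DeviceNotActive when block-job is not found") and are hard to parse; rephrase along the lines of "``job-pause`` reports GenericError where ``block-job-pause`` reported DeviceNotActive for a job that does not exist". The same lookup difference applies to dismiss and finalize, so even if their errors were never listed in the QAPI docs, one line saying the error class changes would help tools that match on DeviceNotActive. It would also help to spell out the argument mapping, since the deprecated commands take ``device`` or ``id`` (see the schema hunks below) and callers need to know which one the job-* replacement expects.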
diff --git a/qapi/block-core.json b/qapi/block-core.json
index b1937780e1..264be8413b 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -2968,6 +2968,11 @@
# the name of the parameter), but since QEMU 2.7 it can have other
# values.
#
+# Features:
+#
+# @deprecated: This command is deprecated. Use @job-pause
+# instead.
+#
# Errors:
# - If no background operation is active on this device,
# DeviceNotActive
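Review bot: the @deprecated feature text only says "Use @job-pause instead", while the Errors list right below it still documents DeviceNotActive and deprecated.rst in this same patch states that the replacement reports GenericError instead; repeating that one difference here (and in the resume and complete hunks) would let readers of the generated QMP reference see it without opening deprecated.rst.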
@@ -2975,6 +2980,7 @@
# Since: 1.3
##
{ 'command': 'block-job-pause', 'data': { 'device': 'str' },
+ 'features': ['deprecated'],
'allow-preconfig': true }
##
@@ -2992,6 +2998,11 @@
# the name of the parameter), but since QEMU 2.7 it can have other
# values.
#
+# Features:
+#
+# @deprecated: This command is deprecated. Use @job-resume
+# instead.
+#
# Errors:
# - If no background operation is active on this device,
# DeviceNotActive
@@ -2999,6 +3010,7 @@
# Since: 1.3
##
{ 'command': 'block-job-resume', 'data': { 'device': 'str' },
+ 'features': ['deprecated'],
'allow-preconfig': true }
##
@@ -3023,6 +3035,11 @@
# the name of the parameter), but since QEMU 2.7 it can have other
# values.
#
+# Features:
+#
+# @deprecated: This command is deprecated. Use @job-complete
+# instead.
+#
# Errors:
# - If no background operation is active on this device,
# DeviceNotActive
@@ -3030,6 +3047,7 @@
# Since: 1.3
##
{ 'command': 'block-job-complete', 'data': { 'device': 'str' },
+ 'features': ['deprecated'],
'allow-preconfig': true }
##
@@ -3047,9 +3065,15 @@
#
# @id: The job identifier.
#
+# Features:
+#
+# @deprecated: This command is deprecated. Use @job-dismiss
+# instead.
+#
# Since: 2.12
##
{ 'command': 'block-job-dismiss', 'data': { 'id': 'str' },
+ 'features': ['deprecated'],
'allow-preconfig': true }
##
@@ -3064,9 +3088,15 @@
#
# @id: The job identifier.
#
+# Features:
+#
+# @deprecated: This command is deprecated. Use @job-finalize
+# instead.
+#
# Since: 2.12
##
{ 'command': 'block-job-finalize', 'data': { 'id': 'str' },
+ 'features': ['deprecated'],
'allow-preconfig': true }
##
--
2.48.1
1 day, 21 hours
[PATCH] virt-aa-helper: delete dynamic files
by Alessandro
We attempted multiple ways to clean up dynamic files; however, we must
preserve user overrides, which requires keeping the file
/etc/apparmor.d/libvirt/libvirt-uuid.
This commit proposes to move user overrides into
/etc/apparmor.d/libvirt/libvirt-uuid.local and include it, if present,
unconditionally. When we stop the domain, we remove libvirt-uuid and
libvirt-uuid.files, whereas we preserve libvirt-uuid.local if present.
With the patch applied, it produces the following:
root@virt-hv-lab002:/etc/apparmor.d/libvirt# ls -1 libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033*
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files
root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033
profile libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033 flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
#include if exists <libvirt/libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files>
#include if exists <libvirt/libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.local>
}
root@virt-hv-lab002:/etc/apparmor.d/libvirt# cat libvirt-e7424556-ffc1-4f6e-bafa-84e66c4dc033.files
"/var/log/libvirt/**/testing-9a4be628.log" w,
"/var/lib/libvirt/qemu/domain-testing-9a4be628/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-4-testing-9a4be628/*" rw,
"/var/run/libvirt/**/testing-9a4be628.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.testing-9a4be628" rw,
"/var/lib/libvirt/images/testing-9a4be628.qcow2" rwk,
"/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" rk,
# don't audit writes to readonly files
deny "/var/lib/libvirt/images/noble-server-cloudimg-amd64.img" w,
"/var/lib/libvirt/images/testing-9a4be628-ds.qcow2" rwk,
"/usr/share/OVMF/OVMF_CODE_4M.fd" rk,
# don't audit writes to readonly files
deny "/usr/share/OVMF/OVMF_CODE_4M.fd" w,
"/var/lib/libvirt/qemu/nvram/testing-9a4be628_VARS.fd" rwk,
"/dev/vhost-net" rw,
"/var/lib/libvirt/qemu/domain-4-testing-9a4be628/{,**}" rwk,
"/run/libvirt/qemu/channel/4-testing-9a4be628/{,**}" rwk,
"/var/lib/libvirt/qemu/domain-4-testing-9a4be628/master-key.aes" rwk,
"/dev/net/tun" rwk,
"/dev/userfaultfd" rwk,
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/451
Signed-off-by: Alessandro <alessandro(a)0x65c.net>
---
src/security/virt-aa-helper.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 034c042..6a1fb85 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1495,8 +1495,10 @@ main(int argc, char **argv)
rc = parserLoad(ctl->uuid);
} else if (ctl->cmd == 'R' || ctl->cmd == 'D') {
rc = parserRemove(ctl->uuid);
- if (ctl->cmd == 'D')
+ if (ctl->cmd == 'D') {
unlink(include_file);
+ unlink(profile);
+ }
} else if (ctl->cmd == 'c' || ctl->cmd == 'r') {
g_autofree char *included_files = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
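Review bot: both unlink() calls ignore their return value, so a failure to remove `profile` or `include_file` (anything other than the file already being gone) is silent and a stale profile stays on disk; check for `< 0 && errno != ENOENT` and report it via vah_warning(), or fold the cleanup into parserRemove() where the uuid is already known. It is also worth a one-line comment here that `<uuid>.local` is deliberately not unlinked, since the commit message relies on that to preserve user overrides.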
@@ -1561,12 +1563,18 @@ main(int argc, char **argv)
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c' || purged) {
g_autofree char *tmp = NULL;
+ g_autofree char *tmp_local = NULL;
+ char *new_tmp = NULL;
#if defined(WITH_APPARMOR_3)
const char *ifexists = "if exists ";
#else
const char *ifexists = "";
#endif
tmp = g_strdup_printf(" #include %s<libvirt/%s.files>\n", ifexists, ctl->uuid);
+ tmp_local = g_strdup_printf(" #include %s<libvirt/%s.local>\n", ifexists, ctl->uuid);
+ new_tmp = g_strconcat(tmp, tmp_local, NULL);
+ g_free(tmp);
+ tmp = g_steal_pointer(&new_tmp);
if (ctl->dryrun) {
vah_info(profile);
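Review bot: the g_strconcat()/g_free()/g_steal_pointer() sequence on `tmp` and `new_tmp` exists only to append a second include line; a single g_strdup_printf() with both `#include` lines and `ifexists` substituted twice yields the same string without manually freeing a g_autofree variable. Separately, on the non-WITH_APPARMOR_3 branch `ifexists` is empty, so the profile would hard-include `<libvirt/<uuid>.local>` and fail to load whenever no override file exists; the NEWS patch below drops support for AppArmor < 3.0.0, so the #if can go and `if exists` can be emitted unconditionally.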
--
2.49.0
1 day, 23 hours
[PATCH] news: document dropping apparmor < 3.0.0
by Daniel P. Berrangé
From: Daniel P. Berrangé <berrange(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
NEWS.rst | 2 ++
1 file changed, 2 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index 0cb11313cd..d359bc5a32 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -15,6 +15,8 @@ v11.3.0 (unreleased)
* **Removed features**
+ * Support for AppArmor versions prior to 3.0.0 has been dropped
+
* **New features**
* **Improvements**
--
2.48.1
2 days, 2 hours
Release of libvirt-11.2.0
by Jiri Denemark
The 11.2.0 release of both libvirt and libvirt-python is tagged and
signed tarballs are available at
https://download.libvirt.org/
https://download.libvirt.org/python/
Thanks everybody who helped with this release by sending patches,
reviewing, testing, or providing feedback. Your work is greatly
appreciated.
* Removed features
* Remove support for qemu-6.1 and older
Libvirt now requires *qemu-6.2* or newer based on our platform support
policy.
* New features
* qemu: Add new 'image_format' parameter to virDomainSaveParams
``virDomainSaveParams`` now supports an ``image_format`` parameter for
specifying the save image format on a per-domain basis. The parameter
accepts the same values as the driver-wide ``save_image_format`` setting
in ``qemu.conf``. An image format specified via ``virDomainSaveParams``
takes precedence over the driver-wide setting.
* qemu: Added guest load averages to the output of virDomainGetGuestInfo
This feature will be available with qemu guest agent 10.0 onwards.
* qemu: Add support for multiple iothreads for ``virtio-scsi`` controller
It's now possible to map multiple iothreads to the ``virtio-scsi`` controller
or even map them to specific virtqueues similarly to the ``virtio-blk``
device, allowing for better performance in certain scenarios.
* qemu: integrate support for VM shutdown on host shutdown
It is now possible to instruct the QEMU driver to automatically perform
managed save, graceful shutdown, or hard poweroff on running VMs, when a
host shutdown is requested. This feature is intended to eventually replace
usage of the libvirt-guests script. The new approach improves on the
libvirt-guests script, by proactively monitoring logind for a signal that
a host shutdown has been requested. It will initiate the chosen action on
running guests immediately, allowing shutdown inhibitors to be released
sooner. The new solution is also able to iteratively try multiple actions
until one of them succeeds in shutting down the VM.
Since it must be mutually exclusive with the libvirt-guests script, this
feature currently requires a manual opt-in through editing of the
/etc/libvirt/qemu.conf configuration file. The libvirt-guests script must
be disabled before doing this.
* qemu: Add 'sparse' as a new save image format
QEMU's ``file`` migration has been supplemented with the new stream format
``mapped-ram``, where RAM pages are mapped directly to offsets in the
migration file. ``mapped-ram`` is now supported by augmenting the existing
save image formats with the ``sparse`` format.
* qemu: Add support for parallel save/restore
The ``sparse`` image format can support reading and writing by multiple
channels. ``virDomainSaveParams`` and ``virDomainRestoreParams`` now
support specifying the number of IO channels used for parallel save and
restore. Using multiple channels can reduce the time required to save
and restore domains.
* virsh: Introduce new hypervisor-cpu-models command
Added a new virsh command ``hypervisor-cpu-models``. The command pulls from
the existing domcapabilities XML and uses xpath to parse CPU model strings.
By default, only models reported as usable by the hypervisor on the host
system are printed. A user may specify ``--all`` to also print models which
are not supported on the host.
* qemu: Introduce os/shim element
For secure boot environments where ``<loader/>`` is signed, it may be
unfeasible to keep the binary up to date (esp. when revoking certificates
contained within). To address that, a new ``<shim/>`` element is introduced
which allows the hypervisor to side-load another UEFI binary, which can then
contain new certification authorities and/or a list of revocations.
* ch: Enable SEV SNP support
Cloud Hypervisor guests can now be started with SEV SNP enabled.
* qemu: Support for Block Disk Along with Throttle Filters
Introduce support for multiple throttle groups per block disk in QEMU,
enhancing I/O control and performance optimization. This update builds
on the existing throttling functionality by allowing more granular control
with the ability to assign different throttle groups to multiple block
devices, improving shared throttling across devices.
* Improvements
* qemu: Improved guest agent corner case error reporting
The APIs using the guest agent now report two specific error codes aimed at
helping management applications/users to differentiate between timeout
while libvirt was synchronizing with the guest agent and timeout after a
command was already sent.
The new error codes are ``VIR_ERR_AGENT_COMMAND_TIMEOUT`` and
``VIR_ERR_AGENT_COMMAND_FAILED``.
* qemu: Use common check for shared memory use for ``vhost-user`` network devices
Historically libvirt printed only a warning if the ``vhost-user`` network
was misconfigured. Since we enforce proper configuration for other device
types using ``vhost-user`` it is now enforced also for network devices and
prints an actual error on misconfiguration.
* Introduce constants for discoverability of entries in bulk stats APIs
Libvirt introduced constants exposed by our API description XML which allow
discoverability of new entries in typed parameter names returned by
``virConnectGetAllDomainStats``, ``virDomainListGetStats``, and
``virDomainGetGuestInfo``.
* qemu: Reflect MAC address change in live domain XML
When a guest changes the MAC address on one of its vNICs, the new MAC address is
now visible in the live XML under the ``currentAddress`` attribute of the
``<mac/>`` element. At the same time, the
``VIR_DOMAIN_EVENT_ID_NIC_MAC_CHANGE`` event is emitted so that management
applications can update their internal state.
* Bug fixes
* qemu: attach virtio-mem with CCW address
Attaching a virtio-mem device on s390 without an address type now gets a
default type CCW address assigned. A specified CCW address is now used for
the virtio-mem device instead of getting overwritten by a PCI address.
* ch: Various memory leak fixes
There were some memory leaks identified in the Cloud Hypervisor driver.
They are fixed now.
Enjoy.
Jirka
2 days, 4 hours