[PATCH] news: document new crypto TLS priority string settings
by Daniel P. Berrangé
From: Daniel P. Berrangé <berrange(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
NEWS.rst | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index c7885f01a0..e5e8626729 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -24,6 +24,14 @@ v11.6.0 (unreleased)
flag the baseline API would return reasonable output only when run on one of
the hosts that the input CPU definitions were collected from.
+ * Allow control over QEMU TLS priority strings
+
+ The qemu.conf file now has multiple settings allowing control over the
+ QEMU TLS priority strings, for the different subsystems in QEMU that
+ can support TLS. This can be used to workaround a current bug in GNUTLS
+ that is liable to cause crashes of the source QEMU when performing long
+ running live migration operations with TLS enabled.
+
* **Improvements**
* qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V
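Review bot: The new NEWS entry says qemu.conf has "multiple settings" for the TLS priority strings but names none of them, so a reader hitting the GnuTLS migration crash cannot tell what to set. List the setting names (or point to the qemu.conf comments) and, if a bug report exists, reference it. Also, "workaround" is used here as a verb and should be "work around", and the library name is spelled "GnuTLS".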
--
2.50.1
3 days, 17 hours
[PATCH 00/19] security_selinux: Refactor temporary variable cleanup
by Peter Krempa
Some cleanups resulting from analyzing some selinux code.
Peter Krempa (19):
security/security_driver.c/h: Fix function header formatting
virSecuritySELinuxTransactionRun: Refactor cleanup
virSecuritySELinuxMCSFind: Refactor variable clearing
virSecuritySELinuxRestoreFileLabel: Refactor cleanup
virSecuritySELinux(Set|Restore)TPMFileLabel: Automatically free
'cancel_path'
virSecuritySELinuxRestoreFileLabels: Refactor variable freeing
virSecuritySELinux(Set|Restore)HostdevCapsLabel: Refactor cleanup
virSecuritySELinux(Set|Restore)ChardevLabel: Refactor cleanup
virSecuritySELinuxSet(Daemon)SocketLabel: Refactor cleanup
virSecuritySELinuxSetTapFDLabel: Refactor cleanup
security_selinux: Declare internal autoptr cleanup helper for
'context_t'
virSecuritySELinuxContextAddRange: Refactor cleanup of 'context_t'
virSecuritySELinuxGenNewContext: Refactor cleanup
virSecuritySELinuxReserveLabel: Refactor cleanup
virSecuritySELinuxGetProcessLabel: Automatically free 'ctx' temp
variable
virSecuritySELinuxSetFilecon: Automatically free 'econ' temp variable
virSecuritySELinuxRestoreInputLabel: Return values directly
virSecuritySELinuxGenImageLabel: Refactor cleanup
virSecuritySELinuxGetSecurityMountOptions: refactor printing
src/security/security_driver.c | 5 +-
src/security/security_driver.h | 5 +-
src/security/security_selinux.c | 347 +++++++++++++-------------------
3 files changed, 149 insertions(+), 208 deletions(-)
--
2.50.0
3 days, 17 hours
[PATCH v2 0/1] nwfilter: Check before removing and reinserting iptable base chains
by Dion Bosschieter
Thanks for the feedback. I've applied the iptables -L with a callback
handler. The callback handler then decides whether or not to create the
base chains.
I changed the commit message from
"nwfilter: Avoid firewall hole during VM startup by checking rule presence" to
"nwfilter: Check before removing and reinserting iptable base chains".
I also edited nwfilterxml2firewalltest, so it pretends that currently there are
no chains and I changed the expected order of the commonRules.
Dion Bosschieter (1):
nwfilter: Check before removing and reinserting iptable base chains
src/nwfilter/nwfilter_ebiptables_driver.c | 203 +++++++++++++---------
tests/nwfilterxml2firewalltest.c | 58 +++++--
2 files changed, 163 insertions(+), 98 deletions(-)
--
2.43.0
3 days, 20 hours
[PATCH] qemu: driver: Reformat function headers for block job APIs
by Peter Krempa
From: Peter Krempa <pkrempa(a)redhat.com>
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_driver.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7c203e32fe..a0f770b053 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -14552,8 +14552,11 @@ qemuDomainBlockCopyCommon(virDomainObj *vm,
}
static int
-qemuDomainBlockRebase(virDomainPtr dom, const char *path, const char *base,
- unsigned long bandwidth, unsigned int flags)
+qemuDomainBlockRebase(virDomainPtr dom,
+ const char *path,
+ const char *base,
+ unsigned long bandwidth,
+ unsigned int flags)
{
virDomainObj *vm;
int ret = -1;
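Review bot: The commit message has no body, so nothing states that splitting the qemuDomainBlockRebase() parameters one per line (and likewise for qemuDomainBlockCopy() and qemuDomainBlockPull() in the following hunks) is whitespace-only. A one-line "no functional change" in the message would let reviewers and anyone bisecting later skip it safely.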
@@ -14625,8 +14628,11 @@ qemuDomainBlockRebase(virDomainPtr dom, const char *path, const char *base,
static int
-qemuDomainBlockCopy(virDomainPtr dom, const char *disk, const char *destxml,
- virTypedParameterPtr params, int nparams,
+qemuDomainBlockCopy(virDomainPtr dom,
+ const char *disk,
+ const char *destxml,
+ virTypedParameterPtr params,
+ int nparams,
unsigned int flags)
{
virQEMUDriver *driver = dom->conn->privateData;
@@ -14703,7 +14709,9 @@ qemuDomainBlockCopy(virDomainPtr dom, const char *disk, const char *destxml,
static int
-qemuDomainBlockPull(virDomainPtr dom, const char *path, unsigned long bandwidth,
+qemuDomainBlockPull(virDomainPtr dom,
+ const char *path,
+ unsigned long bandwidth,
unsigned int flags)
{
virDomainObj *vm;
--
2.50.0
3 days, 20 hours
[PATCH v2 0/1] network: introduce Packet Filter firewall backend
by Roman Bogorodskiy
Changes since v1:
- Left only firewall backend changes
- Build network_pf.c only on FreeBSD
- pfAddIPSpecificFirewallRules: error message for lack of IPv6 support
I have also added a basic docs/drvnetwork.rst, but I think it would make
more sense to include it in the follow up series with the bridge driver
changes as with this patch alone pf backend cannot be used just yet.
Roman Bogorodskiy (1):
network: introduce Packet Filter firewall backend
meson.build | 2 +
po/POTFILES | 1 +
src/network/bridge_driver_conf.c | 4 +
src/network/bridge_driver_linux.c | 2 +
src/network/meson.build | 4 +
src/network/network_pf.c | 326 ++++++++++++++++++++++++++++++
src/network/network_pf.h | 26 +++
src/util/virfirewall.c | 4 +-
src/util/virfirewall.h | 2 +
9 files changed, 370 insertions(+), 1 deletion(-)
create mode 100644 src/network/network_pf.c
create mode 100644 src/network/network_pf.h
--
2.49.0
3 days, 21 hours
[PATCH] bhyve: implement timeout for bhyveload
by Roman Bogorodskiy
The bhyveload(8) command does not have a native non-interactive mode.
It means that in case of errors, e.g. invalid boot media, it
just drops into a loader prompt and waits for user input. This behaviour
makes it tricky for users to understand what's going on.
To address that, run it with the timeout(1) tool which sends SIGTERM
after a certain timeout, and then optionally sends SIGKILL if the
command keeps hanging.
These timeout values could be configured in the bhyve.conf. Setting
timeout to 0 means that bhyveload(8) will be executed directly, without
timeout(1).
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
src/bhyve/bhyve.conf | 9 +++++++
src/bhyve/bhyve_command.c | 25 ++++++++++++++++---
src/bhyve/bhyve_conf.c | 12 +++++++++
src/bhyve/bhyve_utils.h | 3 +++
src/bhyve/libvirtd_bhyve.aug | 4 ++-
src/bhyve/test_libvirtd_bhyve.aug.in | 2 ++
.../bhyvexml2argv-bhyveload-timeout.args | 10 ++++++++
.../bhyvexml2argv-bhyveload-timeout.ldargs | 7 ++++++
.../bhyvexml2argv-bhyveload-timeout.xml | 23 +++++++++++++++++
tests/bhyvexml2argvtest.c | 6 +++++
10 files changed, 96 insertions(+), 5 deletions(-)
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.xml
diff --git a/src/bhyve/bhyve.conf b/src/bhyve/bhyve.conf
index 2a8baacff3..dc8d3d8fd8 100644
--- a/src/bhyve/bhyve.conf
+++ b/src/bhyve/bhyve.conf
@@ -5,3 +5,12 @@
# Path to a directory with firmware files. By default it's pointing
# to the directory that sysutils/bhyve-firmware installs files into.
#firmware_dir = "/usr/local/share/uefi-firmware"
+
+# Set timeout for the bhyveload(8) command. This might be necessary
+# because in case of errors bhyveload(8) drops to an interactive
+# loader and hangs indefinitely. These timeout values are passed
+# to the timeout(1) command. Please refer to its manual page for more
+# details. When timeout is 0, bhyveload is executed directly.
+# Units are seconds.
+#bhyveload_timeout = 300
+#bhyveload_timeout_kill = 15
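Review bot: The comment added above `#bhyveload_timeout = 300` never says what bhyveload_timeout_kill does, and "When timeout is 0" does not say which of the two settings is meant. Spell out that bhyveload_timeout is the time before SIGTERM, that bhyveload_timeout_kill is the additional grace period before SIGKILL, and that bhyveload_timeout_kill = 0 leaves out `-k`, so a bhyveload that ignores SIGTERM is not followed up with SIGKILL.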
diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
index 5757a41e7e..ab6d6e92e4 100644
--- a/src/bhyve/bhyve_command.c
+++ b/src/bhyve/bhyve_command.c
@@ -921,11 +921,28 @@ virAppendBootloaderArgs(virCommand *cmd, virDomainDef *def)
}
static virCommand *
-virBhyveProcessBuildBhyveloadCmd(virDomainDef *def, virDomainDiskDef *disk)
+virBhyveProcessBuildBhyveloadCmd(virDomainDef *def,
+ struct _bhyveConn *driver,
+ virDomainDiskDef *disk)
{
virCommand *cmd;
-
- cmd = virCommandNew("bhyveload");
+ g_autoptr(virBhyveDriverConfig) cfg = virBhyveDriverGetConfig(driver);
+
+ if (cfg->bhyveloadTimeout > 0) {
+ /* TODO: update bhyve_process.c to interpret timeout(1) exit
+ * codes 124-127 to produce more meaningful error messages */
+ cmd = virCommandNew("timeout");
+ virCommandAddArg(cmd, "--foreground");
+ virCommandAddArg(cmd, "--verbose");
+ if (cfg->bhyveloadTimeoutKill > 0) {
+ virCommandAddArg(cmd, "-k");
+ virCommandAddArgFormat(cmd, "%ds", cfg->bhyveloadTimeoutKill);
+ }
+ virCommandAddArgFormat(cmd, "%ds", cfg->bhyveloadTimeout);
+ virCommandAddArg(cmd, "bhyveload");
+ } else {
+ cmd = virCommandNew("bhyveload");
+ }
if (def->os.bootloaderArgs == NULL) {
VIR_DEBUG("bhyveload with default arguments");
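Review bot: The TODO in the `cfg->bhyveloadTimeout > 0` branch leaves the timeout(1) exit codes 124-127 uninterpreted, so a bhyveload that is terminated by the timeout still surfaces as a generic command failure, which is the confusion the commit message sets out to fix. Consider handling at least the timed-out case in this patch, or mention the configured timeout in the error path so the user can tell a timeout apart from a loader error.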
@@ -1212,7 +1229,7 @@ virBhyveProcessBuildLoadCmd(struct _bhyveConn *driver, virDomainDef *def,
if (disk == NULL)
return NULL;
- return virBhyveProcessBuildBhyveloadCmd(def, disk);
+ return virBhyveProcessBuildBhyveloadCmd(def, driver, disk);
} else if (strstr(def->os.bootloader, "grub-bhyve") != NULL) {
return virBhyveProcessBuildGrubbhyveCmd(def, driver, devmap_file,
devicesmap_out);
diff --git a/src/bhyve/bhyve_conf.c b/src/bhyve/bhyve_conf.c
index f18b24f91d..182e00ee1d 100644
--- a/src/bhyve/bhyve_conf.c
+++ b/src/bhyve/bhyve_conf.c
@@ -2,6 +2,7 @@
* bhyve_conf.c: bhyve config file
*
* Copyright (C) 2017 Roman Bogorodskiy
+ * Copyright (C) 2025 The FreeBSD Foundation
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -60,6 +61,9 @@ virBhyveDriverConfigNew(void)
cfg->libDir = g_strdup_printf("%s/lib/libvirt/bhyve", LOCALSTATEDIR);
cfg->nvramDir = g_strdup_printf("%s/nvram", cfg->libDir);
+ cfg->bhyveloadTimeout = 300;
+ cfg->bhyveloadTimeoutKill = 15;
+
return cfg;
}
@@ -81,6 +85,14 @@ virBhyveLoadDriverConfig(struct _virBhyveDriverConfig *cfg,
&cfg->firmwareDir) < 0)
return -1;
+ if (virConfGetValueInt(conf, "bhyveload_timeout",
+ &cfg->bhyveloadTimeout) < 0)
+ return -1;
+
+ if (virConfGetValueInt(conf, "bhyveload_timeout_kill",
+ &cfg->bhyveloadTimeoutKill) < 0)
+ return -1;
+
return 0;
}
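Review bot: Both virConfGetValueInt() calls accept negative values, and the `> 0` checks in virBhyveProcessBuildBhyveloadCmd() then silently treat a negative bhyveload_timeout as "disabled" rather than as a configuration error. Reject values below 0 here with a config error, or make the two fields unsigned in struct _virBhyveDriverConfig and read them with virConfGetValueUInt().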
diff --git a/src/bhyve/bhyve_utils.h b/src/bhyve/bhyve_utils.h
index 9c9ea0a01a..8ed1fa5509 100644
--- a/src/bhyve/bhyve_utils.h
+++ b/src/bhyve/bhyve_utils.h
@@ -41,6 +41,9 @@ struct _virBhyveDriverConfig {
char *firmwareDir;
char *libDir;
char *nvramDir;
+
+ int bhyveloadTimeout;
+ int bhyveloadTimeoutKill;
};
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virBhyveDriverConfig, virObjectUnref);
diff --git a/src/bhyve/libvirtd_bhyve.aug b/src/bhyve/libvirtd_bhyve.aug
index b6bee261a6..0fd74d4bb3 100644
--- a/src/bhyve/libvirtd_bhyve.aug
+++ b/src/bhyve/libvirtd_bhyve.aug
@@ -23,9 +23,11 @@ module Libvirtd_bhyve =
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
let log_entry = str_entry "firmware_dir"
+ let bhyveload_timeout = int_entry "bhyveload_timeout"
+ let bhyveload_timeout_kill = int_entry "bhyveload_timeout_kill"
(* Each entry in the config is one of the following three ... *)
- let entry = log_entry
+ let entry = log_entry | bhyveload_timeout | bhyveload_timeout_kill
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
diff --git a/src/bhyve/test_libvirtd_bhyve.aug.in b/src/bhyve/test_libvirtd_bhyve.aug.in
index ec932b4b11..391648e71f 100644
--- a/src/bhyve/test_libvirtd_bhyve.aug.in
+++ b/src/bhyve/test_libvirtd_bhyve.aug.in
@@ -3,3 +3,5 @@ module Test_libvirtd_bhyve =
test Libvirtd_bhyve.lns get conf =
{ "firmware_dir" = "/usr/local/share/uefi-firmware" }
+{ "bhyveload_timeout" = "300" }
+{ "bhyveload_timeout_kill" = "15" }
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.args b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.args
new file mode 100644
index 0000000000..153a1d5035
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.args
@@ -0,0 +1,10 @@
+bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-s 2:0,ahci-hd,/tmp/freebsd.img \
+-s 3:0,virtio-net,faketapdev,mac=52:54:00:b9:94:02 \
+bhyve
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.ldargs b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.ldargs
new file mode 100644
index 0000000000..264ae48441
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.ldargs
@@ -0,0 +1,7 @@
+timeout \
+--foreground \
+--verbose \
+-k 20s 300s bhyveload \
+-m 214 \
+-d /tmp/freebsd.img \
+bhyve
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.xml
new file mode 100644
index 0000000000..0b8066733d
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-bhyveload-timeout.xml
@@ -0,0 +1,23 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0' target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <mac address='52:54:00:b9:94:02'/>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c
index 2838b20c29..cc6b17233d 100644
--- a/tests/bhyvexml2argvtest.c
+++ b/tests/bhyvexml2argvtest.c
@@ -165,6 +165,8 @@ mymain(void)
driver.config->firmwareDir = fakefirmwaredir;
driver.config->nvramDir = fakenvramdir;
+ driver.config->bhyveloadTimeout = 0;
+ driver.config->bhyveloadTimeoutKill = 0;
# define DO_TEST_FULL(name, flags) \
do { \
@@ -305,6 +307,10 @@ mymain(void)
driver.bhyvecaps &= ~BHYVE_CAP_VNC_PASSWORD;
DO_TEST_FAILURE("vnc-password");
+ driver.config->bhyveloadTimeout = 300;
+ driver.config->bhyveloadTimeoutKill = 20;
+ DO_TEST("bhyveload-timeout");
+
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
virPortAllocatorRangeFree(driver.remotePorts);
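Review bot: The new DO_TEST("bhyveload-timeout") case only exercises the path with both values set (300 and 20); the branch that omits `-k` when bhyveloadTimeoutKill is 0 has no test. Add a second case with bhyveloadTimeoutKill = 0, and reset both fields to 0 after the test so that cases added later do not inherit the timeout wrapper.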
--
2.49.0
4 days, 22 hours
[PATCH] bhyve: don't reset domain autostart flag on destroy
by Roman Bogorodskiy
Currently, virBhyveProcessStop() uses the virDomainDeleteConfig()
helper to clean up domain status. It passes BHYVE_STATE_DIR as
a configuration dir and NULL as autostart dir, so the helper does its
job, even though it has a different purpose. However, the issue is that
it also resets the autostart (and autostartOnce) property.
This results in a situation that when a persistent domain with autostart
enabled gets destroyed, its autostart state is reported as disabled,
which is not correct.
To fix that, implement the bhyveProcessRemoveDomainStatus() which
removes the status file without side effects on the virDomainObj object.
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
src/bhyve/bhyve_process.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/bhyve/bhyve_process.c b/src/bhyve/bhyve_process.c
index 5e77a9c4d6..79be6f7aba 100644
--- a/src/bhyve/bhyve_process.c
+++ b/src/bhyve/bhyve_process.c
@@ -427,6 +427,17 @@ virBhyveProcessStart(bhyveConn *driver,
return virBhyveProcessStartImpl(driver, vm, reason);
}
+static void
+bhyveProcessRemoveDomainStatus(const char *statusDir,
+ const char *name)
+{
+ g_autofree char *file = virDomainConfigFile(statusDir, name);
+
+ if (unlink(file) < 0 && errno != ENOENT && errno != ENOTDIR)
+ VIR_WARN("Failed to remove domain XML for %s: %s",
+ name, g_strerror(errno));
+}
+
int
virBhyveProcessStop(struct _bhyveConn *driver,
virDomainObj *vm,
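Review bot: The VIR_WARN() in bhyveProcessRemoveDomainStatus() reports "Failed to remove domain XML", but the file being unlinked is the status file under statusDir, not the persistent domain XML. Reword it to say "status file" and include `file` in the message so the path that could not be removed shows up in the log.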
@@ -483,7 +494,7 @@ virBhyveProcessStop(struct _bhyveConn *driver,
cleanup:
virPidFileDelete(BHYVE_STATE_DIR, vm->def->name);
- virDomainDeleteConfig(BHYVE_STATE_DIR, NULL, vm);
+ bhyveProcessRemoveDomainStatus(BHYVE_STATE_DIR, vm->def->name);
return ret;
}
--
2.49.0
4 days, 22 hours
[PATCH] qemu_tpm: Do not use persistent definition during pre-start checks
by Martin Kletzander
From: Martin Kletzander <mkletzan(a)redhat.com>
Commit 3451987fca7c used the persistent TPM Definition in both calls to
qemuTPMVirCommandSwtpmAddTPMState() but in one of the two cases it
might've been NULL and what's more, it is not the right definition which
should've been used. Change that to @tpm which is the current
definition. The other call does not have access to the current
definition and is only called during updating the profile. But for the
sake of fewer future mistakes, keep the other one as is because there is
no issue with calling it that way and adding logic that just skips the
extra check on NULL could mistake someone in the future.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_tpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 5cb678df0eee..4c9445d72c39 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -852,7 +852,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
virCommandAddArgFormat(cmd, "type=unixio,path=%s,mode=0600",
tpm->data.emulator.source->data.nix.path);
- qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, persistentTPMDef, cfg);
+ qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, tpm, cfg);
virCommandAddArg(cmd, "--log");
if (tpm->data.emulator.debug != 0)
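Review bot: The commit message names commit 3451987fca7c as the origin of the bug, but there is no Fixes: trailer for it, which makes it harder to match this fix to affected releases. Add one, and if persistentTPMDef is no longer referenced in qemuTPMEmulatorBuildCommand() once this call passes `tpm`, drop the parameter in the same patch.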
--
2.50.1
1 week
[PATCH 0/6] nss: Rework debugging
by Michal Privoznik
I've been debugging a problem with NSS plugin recently [1] and the fact
that I had to recompile libvirt just to enable debugging printings for
the NSS plugin turned out very inconvenient. Make the debug printings
env var dependent and add a few more printings.
1: https://bugzilla.redhat.com/show_bug.cgi?id=2364285
Michal Prívozník (6):
nss: Promote debug message to proper error when time() fails
nss: Move logging into a separate file and turn it temporarily on
nss: Make logging conditional on an envvar
nss: Include filename in debug printings
nss: Print module name
nss: Debug print JSON files as they are parsed
build-aux/syntax-check.mk | 2 +-
docs/nss.rst | 13 ++++++
tools/nss/libvirt_nss.c | 8 +++-
tools/nss/libvirt_nss.h | 30 +-----------
tools/nss/libvirt_nss_leases.c | 12 +++--
tools/nss/libvirt_nss_log.c | 85 ++++++++++++++++++++++++++++++++++
tools/nss/libvirt_nss_log.h | 41 ++++++++++++++++
tools/nss/meson.build | 1 +
8 files changed, 158 insertions(+), 34 deletions(-)
create mode 100644 tools/nss/libvirt_nss_log.c
create mode 100644 tools/nss/libvirt_nss_log.h
--
2.49.0
1 week