[PATCH 0/3] qemu_tpm: Do not pollute logs with unnecessary warning
by Martin Kletzander
https://issues.redhat.com/browse/RHEL-80155
Martin Kletzander (3):
qemu_tpm: Rename qemuTPMHasSharedStorage ->
qemuTPMDomainHasSharedStorage
qemu_tpm: Extract per-TPM functionality from
qemuTPMDomainHasSharedStorage
qemu_tpm: Only warn about missing locking feature on shared
filesystems
src/qemu/qemu_migration.c | 2 +-
src/qemu/qemu_tpm.c | 75 +++++++++++++++++++++++----------------
src/qemu/qemu_tpm.h | 4 +--
3 files changed, 47 insertions(+), 34 deletions(-)
--
2.50.1
1 week
[PATCH 0/3] qemu: workaround for GNUTLS bug hitting live migration
by Daniel P. Berrangé
This is a workaround for existing running QEMU processes which
are susceptible to a GNUTLS crasher bug with non-multifd live
migration:
https://gitlab.com/qemu-project/qemu/-/issues/1937
which in turn is caused by a gnutls regression
https://gitlab.com/gnutls/gnutls/-/issues/1717
Even if gnutls is fixed, running QEMU processes are still at
risk until restarted, and that can't be done without live
migrating workloads off, which triggers the bug we're trying
to avoid. The only way to avoid this for running QEMU
processes is to change the crypto priority string. On Fedora
/ RHEL distros we can do this on the target QEMU using
/etc/crypto-policies configs, but many other distros have
now adopted this - hint: this is a very useful thing to adopt.
This series gives a more targeted workaround that is compatible
with all distros and can be configured on either the source or
dst hosts and whose impact is limited just to live migration.
Daniel P. Berrangé (3):
qemu: fix order of VNC TLS config entries
qemu: sanitize blank lines in config file
qemu: add ability to set TLS priority string with QEMU
src/conf/storage_source_conf.c | 2 +
src/conf/storage_source_conf.h | 1 +
src/qemu/libvirtd_qemu.aug | 8 +-
src/qemu/qemu.conf.in | 99 +++++++++++++++++--
src/qemu/qemu_backup.c | 5 +-
src/qemu/qemu_blockjob.c | 1 +
src/qemu/qemu_command.c | 15 ++-
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_conf.c | 22 +++++
src/qemu/qemu_conf.h | 6 ++
src/qemu/qemu_domain.c | 3 +
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_hotplug.h | 1 +
src/qemu/qemu_migration_params.c | 1 +
src/qemu/test_libvirtd_qemu.aug.in | 8 +-
...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +-
...graphics-vnc-tls-secret.x86_64-latest.args | 2 +-
...-tlsx509-secret-chardev.x86_64-latest.args | 2 +-
tests/qemuxmlconftest.c | 6 ++
20 files changed, 170 insertions(+), 20 deletions(-)
--
2.50.1
1 week
Plans for 11.6.0 release (freeze on 2025-07-28)
by Jiri Denemark
We are getting close to 11.6.0 release of libvirt. To aim for the
release on Friday 01 Aug I suggest entering the freeze on Monday 28 Jul
and tagging RC2 on Wednesday 30 Jul.
I hope this works for everyone.
Jirka
1 week
Re: download.libvirt.org HTTPS certificate expired causing download failures
by Daniel P. Berrangé
On Fri, Jul 18, 2025 at 10:36:53AM +0000, Song, Jiaying (CN) wrote:
> Hello libvirt team,
>
> I am a user trying to fetch packages from https://download.libvirt.org/, but I encountered an issue where the HTTPS certificate issued by Let's Encrypt (CN=R10) appears to have expired.
>
> This causes download failures in automated builds and package fetching processes. For example, wget reports:
>
> wget https://download.libvirt.org/python/libvirt-python-11.1.0.tar.gz
> ERROR: cannot verify download.libvirt.org's certificate, issued by 'CN=R10,O=Let's Encrypt,C=US':
> Issued certificate has expired.
>
> Could you please update or renew the TLS certificate for download.libvirt.org at your earliest convenience to avoid further disruptions?
>
> Thank you very much for your help!
FYI, we connected on IRC and I got this sorted out.
It was a result of us having to move to a new physical server on short
notice a few weeks ago, combined with an OS upgrade from RHEL 7 to 9.
We copied the certs, but failed to set up acme-tiny again on the new
machine to renew them.
In 3 months' time we'll find out if I got the acme-tiny config correct,
so if anyone notices problems at that time let me know....
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
1 week
[PATCH 0/7] tls: Improve validation of certificates if multiple certs are concatenated in one file
by Peter Krempa
Our code handled properly only multiple CA certs in one file. This patch
extends the validation also to multiple client/server certs in one file.
Peter Krempa (7):
rpc: virnettlscontext: Fix formatting of function definitions
virNetTLSContextNewPath: Refactor temporary variable usage
virNetTLSCertCheckPair: Fix function definition formatting
rpc: virnettlscert: Rename virNetTLSCertLoadCAListFromFile to
virNetTLSCertLoadListFromFile
virPKIValidateIdentity: Validate all concatenated certificates
virNetTLSCertSanityCheck: Validate all concatenated certs
Remove unused 'virNetTLSCertLoadFromFile'
src/rpc/virnettlscert.c | 94 ++++++++++++--------------------------
src/rpc/virnettlscert.h | 6 ++-
src/rpc/virnettlscontext.c | 89 +++++++++++++++++-------------------
tools/virt-pki-validate.c | 20 ++++++--
4 files changed, 90 insertions(+), 119 deletions(-)
--
2.50.0
1 week
[PATCH 0/6] Make virConnectBaselineHypervisorCPU a bit more sane
by Jiri Denemark
See 2/6 for description of the issue this series is trying to deal with.
Jiri Denemark (6):
cpu: Show input CPU model names in debug log
Clarify documentation of virConnectBaselineHypervisorCPU
Change documentation style of virConnectBaselineCPUFlags
Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag
qemu: Implement VIR_CONNECT_BASELINE_CPU_IGNORE_HOST
virsh: Add support for VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag
docs/manpages/virsh.rst | 20 +++++++++++++++-----
include/libvirt/libvirt-host.h | 9 +++++++--
src/cpu/cpu.c | 2 +-
src/libvirt-host.c | 30 +++++++++++++++++++++---------
src/qemu/qemu_driver.c | 30 +++++++++++++++++++++---------
tools/virsh-host.c | 8 ++++++++
6 files changed, 73 insertions(+), 26 deletions(-)
--
2.50.0
1 week
[PATCH v2 0/2] Introduce hardware UUID (hwuuid) element
by Mark Cave-Ayland
Following on from the discussions at [1] and more recently [2], this series
introduces a new hardware UUID (hwuuid) element that allows an external
UUID to be provided to the guest, as opposed to the libvirt domain UUID.
The use case for this feature is to allow a domain to be cloned and then
restarted without changing its guest-visible UUID e.g. via dmidecode.
Patch 1 introduces the new hardware UUID (hwuuid) element along with an
implementation for the QEMU driver, whilst patch 2 adds additional tests
to ensure the hwuuid functionality is working as expected.
Note that from reading the source it doesn't appear as if all virtualisation
platforms will support this feature: I've included the relevant changes for
the QEMU driver since that is what we use here at Nutanix.
Signed-off-by: Mark Cave-Ayland <mark.caveayland(a)nutanix.com>
[1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/YX...
[2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/HG...
v2:
- Rebase onto master
- Rework if() logic in virSysinfoSystemParseXML() in patch 1 as suggested by Daniel
- Add R-B tag from Daniel to patch 2
Mark Cave-Ayland (2):
conf: introduce hardware UUID (hwuuid) element
qemuxmlconftest: add tests for new hardware UUID (hwuuid) element
docs/formatdomain.rst | 7 +++
src/conf/domain_conf.c | 43 ++++++++++++++++---
src/conf/domain_conf.h | 1 +
src/conf/schemas/domaincommon.rng | 5 +++
src/qemu/qemu_command.c | 6 ++-
...hwuuid-smbios-uuid-match.x86_64-latest.err | 1 +
.../hwuuid-smbios-uuid-match.xml | 36 ++++++++++++++++
.../qemuxmlconfdata/hwuuid.x86_64-latest.args | 35 +++++++++++++++
.../qemuxmlconfdata/hwuuid.x86_64-latest.xml | 41 ++++++++++++++++++
tests/qemuxmlconfdata/hwuuid.xml | 30 +++++++++++++
tests/qemuxmlconftest.c | 3 ++
11 files changed, 202 insertions(+), 6 deletions(-)
create mode 100644 tests/qemuxmlconfdata/hwuuid-smbios-uuid-match.x86_64-latest.err
create mode 100644 tests/qemuxmlconfdata/hwuuid-smbios-uuid-match.xml
create mode 100644 tests/qemuxmlconfdata/hwuuid.x86_64-latest.args
create mode 100644 tests/qemuxmlconfdata/hwuuid.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/hwuuid.xml
--
2.43.0
1 week
[PATCH] src: fix typo in fixup_name()
by Elizaveta Tereshkina
Similar branches in the if-else structure look like bad copy-paste.
Fix the typo.
Fixes: a559ffec44 (src: rewrite ACL rule checker in Python)
Signed-off-by: Elizaveta Tereshkina <etereshkina(a)astralinux.ru>
---
scripts/check-aclrules.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/check-aclrules.py b/scripts/check-aclrules.py
index ed6805058b..13aed99243 100755
--- a/scripts/check-aclrules.py
+++ b/scripts/check-aclrules.py
@@ -88,7 +88,7 @@ def fixup_name(name):
elif name.endswith("Mac"):
name = name[:-3] + "MAC"
elif name.endswith("Cpu"):
- name = name[:-3] + "MAC"
+ name = name[:-3] + "CPU"
elif name.endswith("Os"):
name = name[:-2] + "OS"
elif name.endswith("Nmi"):
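Review bot: The corrected literal in the `Cpu` branch of fixup_name() is right, but the surrounding `elif name.endswith(...)` chain still spells out the slice length and the replacement by hand in every branch, which is what let the wrong "MAC" slip in. Consider driving the rewrite from one suffix table, with pairs such as ("Mac", "MAC"), ("Cpu", "CPU"), ("Os", "OS"), and taking the slice from len(suffix), so each suffix sits next to its replacement and the length cannot drift. The commit message could also state the visible effect, namely that names ending in "Cpu" were being rewritten to end in "MAC".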
--
2.39.2
1 week, 1 day
[PATCH v2 0/5] bhyve: TCP console support
by Roman Bogorodskiy
Changes since v1:
I misunderstood semantics of the 'mode' attribute of the <source>
element, and used 'connect' while I should have used 'bind', because
bhyve listens on the TCP socket and client connects to using using
netcat (or any other similar tool). Now it's using the 'bind' value.
Other changes: added validation to bhyve_domain.c, and unified error
messages used in bhyve_command.c and bhyve_domain.c
Roman Bogorodskiy (5):
bhyve: support serial type 'tcp'
bhyve: increase number of supported consoles to 4
docs: drvbhyve: document TCP console support
bhyve: validate serial devices validation
bhyve: sync error messages
docs/drvbhyve.rst | 19 ++++++
src/bhyve/bhyve_capabilities.c | 3 +-
src/bhyve/bhyve_command.c | 42 +++++++++-----
src/bhyve/bhyve_domain.c | 27 +++++++++
.../bhyvexml2argv-4-consoles.args | 15 +++++
.../bhyvexml2argv-4-consoles.ldargs | 4 ++
.../bhyvexml2argv-4-consoles.xml | 35 +++++++++++
.../bhyvexml2argv-serial-invalid-port.args | 12 ++++
.../bhyvexml2argv-serial-invalid-port.ldargs | 4 ++
.../bhyvexml2argv-serial-invalid-port.xml | 28 +++++++++
.../bhyvexml2argv-serial-tcp.args | 12 ++++
.../bhyvexml2argv-serial-tcp.ldargs | 4 ++
.../bhyvexml2argv-serial-tcp.xml | 27 +++++++++
tests/bhyvexml2argvtest.c | 3 +
.../bhyvexml2xmlout-4-consoles.xml | 58 +++++++++++++++++++
.../bhyvexml2xmlout-serial-tcp.xml | 46 +++++++++++++++
tests/bhyvexml2xmltest.c | 2 +
tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 +
tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 +
20 files changed, 328 insertions(+), 16 deletions(-)
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-4-consoles.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-serial-tcp.xml
--
2.49.0
1 week, 1 day