[PATCH 0/2] network: support NAT networking for FreeBSD/pf
by Roman Bogorodskiy
This series implements NAT networks support for FreeBSD using the Packet
Filter (pf) firewall.
The commit messages provide high-level details and limitations of the
current implementation, and I'll use this cover letter to provide some
more technical details and describe testing I have performed for this
change.
Libvirt FreeBSD/pf NAT testing
For two networks:
virsh # net-dumpxml default
<network>
<name>default</name>
<uuid>68cd5419-9fda-4cf0-9ac6-2eb9c1ba41ed</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:db:0e:e5'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
virsh # net-dumpxml natnet
<network>
<name>natnet</name>
<uuid>d3c59659-3ceb-4482-a625-1f839a54429c</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:0a:fc:1d'/>
<ip address='10.0.100.1' netmask='255.255.255.0'>
<dhcp>
<range start='10.0.100.2' end='10.0.100.254'/>
</dhcp>
</ip>
</network>
virsh #
The following rules are generated:
$ sudo pfctl -a '*' -sn
nat-anchor "libvirt/*" all {
nat-anchor "default" all {
nat pass on re0 inet from 192.168.122.0/24 to <natdst> -> (re0) port
1024:65535 round-robin
}
nat-anchor "natnet" all {
nat pass on re0 inet from 10.0.100.0/24 to <natdst> -> (re0) port
1024:65535 round-robin
}
}
$
$ sudo pfctl -a 'libvirt/default' -t natdst -T show
0.0.0.0/0
!192.168.122.0/24
!224.0.0.0/24
!255.255.255.255
$ sudo pfctl -a 'libvirt/natnet' -t natdst -T show
0.0.0.0/0
!10.0.100.0/24
!224.0.0.0/24
!255.255.255.255
$
$ sudo pfctl -a '*' -sr
scrub all fragment reassemble
anchor "libvirt/*" all {
anchor "default" all {
pass quick on virbr0 inet from 192.168.122.0/24 to 192.168.122.0/24
flags S/SA keep state
pass quick on virbr0 inet from 192.168.122.0/24 to 224.0.0.0/24
flags S/SA keep state
pass quick on virbr0 inet from 192.168.122.0/24 to 255.255.255.255
flags S/SA keep state
block drop on virbr0 all
}
anchor "natnet" all {
pass quick on virbr1 inet from 10.0.100.0/24 to 10.0.100.0/24 flags
S/SA keep state
pass quick on virbr1 inet from 10.0.100.0/24 to 224.0.0.0/24 flags
S/SA keep state
pass quick on virbr1 inet from 10.0.100.0/24 to 255.255.255.255
flags S/SA keep state
block drop on virbr1 all
}
}
pass all flags S/SA keep state
$
Create two guests attached to the "default" network, vmA and vmB.
vmA $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:67:eb:de brd ff:ff:ff:ff:ff:ff
inet 192.168.122.92/24 brd 192.168.122.255 scope global dynamic noprefixroute enp0s4
valid_lft 1082sec preferred_lft 1082sec
inet6 fe80::5054:ff:fe67:ebde/64 scope link noprefixroute
valid_lft forever preferred_lft forever
vmA $
vmB $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:d2:8b:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.154/24 metric 100 brd 192.168.122.255 scope global dynamic enp0s4
valid_lft 1040sec preferred_lft 1040sec
inet6 fe80::5054:ff:fed2:8b41/64 scope link
valid_lft forever preferred_lft forever
vmB $
Test NAT rules:
vmA $ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=14.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=10.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.1 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
rtt min/avg/max/mdev = 10.099/11.835/14.710/2.047 ms
vmA $
vmB $ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=15.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=11.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.4 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
rtt min/avg/max/mdev = 10.434/12.198/15.113/2.075 ms
vmB $
vmA $ curl wttr.in/?0Q
Fog
_ - _ - _ - +4(1) °C
_ - _ - _ ↙ 11 km/h
_ - _ - _ - 0 km
0.0 mm
vmA $
vmB $ curl wttr.in/?0Q
Fog
_ - _ - _ - +4(1) °C
_ - _ - _ ↙ 11 km/h
_ - _ - _ - 0 km
0.0 mm
vmB $
Inter-VM connectivity:
vmA $ ping -c 3 192.168.122.154
PING 192.168.122.154 (192.168.122.154) 56(84) bytes of data.
64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.253 ms
64 bytes from 192.168.122.154: icmp_seq=2 ttl=64 time=0.226 ms
64 bytes from 192.168.122.154: icmp_seq=3 ttl=64 time=0.269 ms
--- 192.168.122.154 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2042ms
rtt min/avg/max/mdev = 0.226/0.249/0.269/0.017 ms
vmA $
vmA $ ssh 192.168.122.154 uname
novel(a)192.168.122.154's password:
Linux
vmA $
Multicast test:
vmA $ iperf -s -u -B 224.0.0.1 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Joining multicast group 224.0.0.1
Server set to single client traffic mode (per multicast receive)
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 1] local 224.0.0.1 port 5001 connected with 192.168.122.154 port
36963
[ ID] Interval Transfer Bandwidth Jitter Lost/Total
Datagrams
[ 1] 0.00-1.00 sec 131 KBytes 1.07 Mbits/sec 0.030 ms 0/91 (0%)
[ 1] 1.00-2.00 sec 128 KBytes 1.05 Mbits/sec 0.022 ms 0/89 (0%)
[ 1] 2.00-3.00 sec 128 KBytes 1.05 Mbits/sec 0.021 ms 0/89 (0%)
[ 1] 0.00-3.02 sec 389 KBytes 1.06 Mbits/sec 0.026 ms 0/271 (0%)
vmB $ iperf -c 224.0.0.1 -u -T 32 -t 3 -i 1
------------------------------------------------------------
Client connecting to 224.0.0.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 1] local 192.168.122.154 port 36963 connected with 224.0.0.1 port
5001
[ ID] Interval Transfer Bandwidth
[ 1] 0.0000-1.0000 sec 131 KBytes 1.07 Mbits/sec
[ 1] 1.0000-2.0000 sec 128 KBytes 1.05 Mbits/sec
[ 1] 2.0000-3.0000 sec 128 KBytes 1.05 Mbits/sec
[ 1] 0.0000-3.0173 sec 389 KBytes 1.06 Mbits/sec
[ 1] Sent 272 datagrams
vmB $
Broadcast test:
vmA $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_echo_ignore_broadcasts = 0
vmA $
vmB $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_echo_ignore_broadcasts = 0
vmB $
host $ ping 192.168.122.255
PING 192.168.122.255 (192.168.122.255): 56 data bytes
64 bytes from 192.168.122.154: icmp_seq=0 ttl=64 time=0.199 ms
64 bytes from 192.168.122.92: icmp_seq=0 ttl=64 time=0.227 ms (DUP!)
64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.209 ms
64 bytes from 192.168.122.92: icmp_seq=1 ttl=64 time=0.235 ms (DUP!)
^C
--- 192.168.122.255 ping statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet
loss
round-trip min/avg/max/stddev = 0.199/0.218/0.235/0.014 ms
This testing does not cover any negative scenarios, i.e. confirming that traffic the generated `block drop on virbrN all` rules are meant to reject is actually dropped; these are probably not that important at this point, but worth checking before relying on the rules for guest isolation. Note that the block rules are not `quick`, and in the ruleset above they are followed by the host's catch-all `pass all flags S/SA keep state`, so under pf's last-matching-rule semantics that later pass rule may well override them.
Roman Bogorodskiy (2):
network: bridge_driver: add BSD implementation
network: introduce Packet Filter firewall backend
meson.build | 2 +
po/POTFILES | 2 +
src/network/bridge_driver_bsd.c | 107 +++++++++
src/network/bridge_driver_conf.c | 8 +
src/network/bridge_driver_linux.c | 2 +
src/network/bridge_driver_platform.c | 2 +
src/network/meson.build | 1 +
src/network/network_pf.c | 327 +++++++++++++++++++++++++++
src/network/network_pf.h | 26 +++
src/util/virfirewall.c | 4 +-
src/util/virfirewall.h | 2 +
11 files changed, 482 insertions(+), 1 deletion(-)
create mode 100644 src/network/bridge_driver_bsd.c
create mode 100644 src/network/network_pf.c
create mode 100644 src/network/network_pf.h
--
2.49.0
3 weeks, 2 days
[libvirt PATCH] docs: clarify how to build without -Werror
by Ján Tomko
From: Ján Tomko <jtomko(a)redhat.com>
`--werror` does not accept any argument for me (meson wants `-Dwerror=false`), and setting `-Dgit_werror=false` was also needed to actually disable -Werror in a git checkout.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
docs/compiling.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/compiling.rst b/docs/compiling.rst
index 0a47a50569..06a2d53c3a 100644
--- a/docs/compiling.rst
+++ b/docs/compiling.rst
@@ -105,8 +105,8 @@ Notes:
~~~~~~
By default when the ``meson`` is run from within a GIT checkout, it will turn
-on -Werror for builds. This can be disabled with --werror=false, but this is
-not recommended.
+on -Werror for builds. This can be disabled with
+`-Dwerror=false -Dgit_werror=false`, but this is not recommended.
Please ensure that you have the appropriate minimal ``meson`` version installed
in your build environment. The minimal version for a specific package can be
--
2.49.0
3 weeks, 2 days
[PATCH 00/15] virt-aa-helper: Misc improvements
by Michal Privoznik
Inspired by a patchset against virt-aa-helper that I reviewed recently:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/QQ...
Green pipeline:
https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/1866451277
Michal Prívozník (15):
log_cleaner: Use virFileCanonicalizePath()
virt-aa-helper: Use virFileCanonicalizePath()
virpcimock: Automatically invent fakerootdir, if not provided
virpcimock: Strip fakerootdir prefix in virFileCanonicalizePath()
tests: Fix mocking of open()
virt-aa-helper-test: Print errors to stderr
virt-aa-helper-test: Silence ls
virt-aa-helper-test: Test hostdevs unconditionally
virt-aa-helper: Rework USB hostdev handling
virt-aa-helper: Simplify paths collection
virt-aa-helper: Decrease scope of @mem_path in get_files()
virt-aa-helper: Use automatic memory freeing
virt-aa-helper: Check retval of vah_add_file()
virt-aa-helper: Drop cleanup label from get_files()
virt-aa-helper-test: Switch to getopts
src/logging/log_cleaner.c | 2 +-
src/security/virt-aa-helper.c | 474 +++++++++++++++++-----------------
tests/nssmock.c | 4 +
tests/qemusecuritymock.c | 4 +
tests/vircgroupmock.c | 4 +
tests/virfilewrapper.c | 4 +
tests/virpcimock.c | 41 ++-
tests/virt-aa-helper-test | 77 +++---
tests/virtestmock.c | 4 +
tests/virusbmock.c | 4 +
10 files changed, 353 insertions(+), 265 deletions(-)
--
2.49.0
3 weeks, 2 days
[PATCH 00/10] Unify argument name of migration APIs
by Michal Privoznik
Some of our APIs have 'bandwidth' argument but then, at internal impl
level it's renamed to 'resource', inconsistently. Since it's really
describing bandwidth that the migration can use, let's rename it.
Michal Prívozník (10):
src: Unify argument name of virDomainMigratePrepare()
src: Unify argument name of virDomainMigratePerform()
src: Unify argument name of virDomainMigratePrepare2()
src: Unify argument name of virDomainMigratePrepareTunnel()
src: Unify argument name of virDomainMigratePrepare3()
src: Unify argument name of virDomainMigratePrepareTunnel3()
src: Unify argument name of virDomainMigrateBegin3()
src: Unify argument name of virDomainMigratePerform3()
qemu: Finish argument rename
gendispatch: Finish rename of the migration argument
src/driver-hypervisor.h | 16 +++----
src/esx/esx_driver.c | 2 +-
src/libvirt_internal.h | 16 +++----
src/qemu/qemu_driver.c | 18 ++++----
src/qemu/qemu_migration.c | 72 ++++++++++++++---------------
src/remote/remote_daemon_dispatch.c | 10 ++--
src/remote/remote_driver.c | 24 +++++-----
src/remote/remote_protocol.x | 16 +++----
src/remote_protocol-structs | 16 +++----
src/rpc/gendispatch.pl | 36 +++++++--------
10 files changed, 113 insertions(+), 113 deletions(-)
--
2.49.0
3 weeks, 3 days
[PATCH v2 0/3] tls: Remove all traces of key encipherment usage
by Peter Krempa
v2:
- [1/3] removed also GNUTLS_KEY_KEY_ENCIPHERMENT use in fallback code
- [2/3 new] removed 'encryption_key' usage from kbase examples
- [3/3 new] removed GNUTLS_KEY_KEY_ENCIPHERMENT use in testsuite
Peter Krempa (3):
tls: Don't require 'keyEncipherment' to be enabled altoghther
kbase: tlscerts: Drop 'encryption_key' feature request
tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
docs/kbase/tlscerts.rst | 2 --
src/rpc/virnettlscert.c | 34 ++++------------------------------
tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
tests/virnettlssessiontest.c | 14 +++++++-------
4 files changed, 29 insertions(+), 57 deletions(-)
--
2.49.0
3 weeks, 3 days
[PATCH] tests: validate an XML config with USB vendor/product set
by Daniel P. Berrangé
From: Daniel P. Berrangé <berrange(a)redhat.com>
The USB vendor/product is usually translated into a device/bus at
startup using the hostdev logic. We don't run the latter in the
unit test suite, but we can fake it by hardcoding a translation.
This demonstrates that we format the command line with the normal
device/bus properties, even when vendor/product is set.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
...tdev-usb-vendor-product.x86_64-latest.args | 35 +++++++++++++++
...stdev-usb-vendor-product.x86_64-latest.xml | 44 +++++++++++++++++++
.../hostdev-usb-vendor-product.xml | 36 +++++++++++++++
tests/qemuxmlconftest.c | 18 ++++++++
4 files changed, 133 insertions(+)
create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args
create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml
diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args
new file mode 100644
index 0000000000..62338db872
--- /dev/null
+++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args
@@ -0,0 +1,35 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,acpi=off \
+-accel tcg \
+-cpu qemu64 \
+-m size=219136k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-boot strict=on \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
+-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \
+-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-device '{"driver":"usb-host","hostdevice":"/dev/bus/usb/042/4660","id":"hostdev0","guest-reset":true,"guest-resets-all":false,"bus":"usb.0","port":"1"}' \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml
new file mode 100644
index 0000000000..340df80263
--- /dev/null
+++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml
@@ -0,0 +1,44 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <cpu mode='custom' match='exact' check='none'>
+ <model fallback='forbid'>qemu64</model>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+ </disk>
+ <controller type='usb' index='0' model='piix3-uhci'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='ide' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <hostdev mode='subsystem' type='usb' managed='no'>
+ <source guestReset='uninitialized'>
+ <vendor id='0x1234'/>
+ <product id='0x4321'/>
+ </source>
+ </hostdev>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml
new file mode 100644
index 0000000000..dfb668f208
--- /dev/null
+++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml
@@ -0,0 +1,36 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+ </disk>
+ <controller type='usb' index='0'/>
+ <controller type='ide' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <hostdev mode='subsystem' type='usb' managed='no'>
+ <source guestReset='uninitialized'>
+ <vendor id='0x1234'/>
+ <product id='0x4321'/>
+ </source>
+ </hostdev>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index f74bd2bb7a..fe90f029d9 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -474,6 +474,23 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
}
}
+ for (i = 0; i < vm->def->nhostdevs; i++) {
+ virDomainHostdevDef *hostdev = vm->def->hostdevs[i];
+
+ if (hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
+ hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) {
+ virDomainHostdevSubsysUSB *usb = &hostdev->source.subsys.u.usb;
+ if (!usb->device && !usb->bus) {
+ if (usb->vendor == 0x1234 && usb->product == 0x4321) {
+ usb->bus = 42;
+ usb->device = 0x1234;
+ } else {
+ g_assert_not_reached();
+ }
+ }
+ }
+ }
+
if (flags & FLAG_SLIRP_HELPER) {
for (i = 0; i < vm->def->nnets; i++) {
virDomainNetDef *net = vm->def->nets[i];
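Review bot: The added vendor/product fixup around `if (usb->vendor == 0x1234 && usb->product == 0x4321)` is undocumented magic: the 0x1234/0x4321 pair and the `bus = 42` / `device = 0x1234` values only make sense against hostdev-usb-vendor-product.xml and the expected `/dev/bus/usb/042/4660` path in its .args file, and the `g_assert_not_reached()` turns any future test XML carrying a different vendor/product-only hostdev into an abort rather than a reported test failure. A comment above the loop would make the intent clear, e.g. `/* Fake the hostdev driver's vendor/product -> bus/device lookup, which is not run in the unit tests; only the pair used by hostdev-usb-vendor-product.xml is known, anything else is a test-data bug. */`. Since the mutation runs for every test in the suite, it is presumably harmless only because all other USB hostdev test files set bus/device explicitly; that assumption is worth stating in the same comment. The enclosing function testCompareXMLToArgvCreateArgs begins before this hunk.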
@@ -2118,6 +2135,7 @@ mymain(void)
DO_TEST_CAPS_LATEST("hostdev-usb-address-device");
DO_TEST_CAPS_LATEST("hostdev-usb-address-device-boot");
DO_TEST_CAPS_LATEST_PARSE_ERROR("hostdev-usb-duplicate");
+ DO_TEST_CAPS_LATEST("hostdev-usb-vendor-product");
DO_TEST_CAPS_LATEST("hostdev-pci-address");
DO_TEST_CAPS_LATEST("hostdev-pci-address-device");
DO_TEST_CAPS_LATEST_PARSE_ERROR("hostdev-pci-duplicate");
--
2.49.0
3 weeks, 3 days
[PATCH] tls: Don't require 'keyEncipherment' to be enabled altoghther
by Peter Krempa
From: Peter Krempa <pkrempa(a)redhat.com>
The keyEncipherment key usage is required only for the RSA key exchange. With TLS 1.3 it is not used at all, since RSA keys there serve only for signature-based authentication. Since we cannot tell ahead of time whether RSA key exchange will be negotiated, drop the check completely; GnuTLS itself will complain at handshake time if it needs RSA key exchange and the certificate's key usage does not permit it.
In commit 11867b0224a2 I tried to relax the check for some eliptic
curve algorithm that explicitly forbid it. Based on the above the proper
solution is to completely remove it.
Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/rpc/virnettlscert.c | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index f197995633..7024e858f0 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -162,34 +162,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
certFile);
}
}
- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
-
- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
- * algorithms must not have 'keyEncipherment' present.
- *
- * [1] https://datatracker.ietf.org/doc/rfc8813/
- * [2] https://datatracker.ietf.org/doc/rfc5480
- */
-
- switch (alg) {
- case GNUTLS_PK_ECDSA:
- case GNUTLS_PK_ECDH_X25519:
- case GNUTLS_PK_ECDH_X448:
- break;
-
- default:
- if (critical) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Certificate %1$s usage does not permit key encipherment"),
- certFile);
- return -1;
- } else {
- VIR_WARN("Certificate %s usage does not permit key encipherment",
- certFile);
- }
- }
- }
}
return 0;
--
2.49.0
3 weeks, 3 days
Release of libvirt-11.5.0
by Jiri Denemark
The 11.5.0 release of both libvirt and libvirt-python is tagged and
signed tarballs are available at
https://download.libvirt.org/
https://download.libvirt.org/python/
Thanks everybody who helped with this release by sending patches,
reviewing, testing, or providing feedback. Your work is greatly
appreciated.
* Removed features
* qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat()
Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore,
there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead
of silently pretending the flag works, an appropriate error is now
reported.
* New features
* vmx: Add support for reporting NVMe disks in the domain XML
* qemu: Add support for NVMe disks
NVMe disks can now be emulated by using an ``nvme`` bus. The hypervisor requires a serial number for such disks::
<target dev='nvme0n1' bus='nvme'/>
<serial>qwertyuiop</serial>
Multiple disks can be represented as different namespaces on the same
controller, but they cannot have a different serial number due to the fact
that it is the controller which ultimately has the serial number attached to
it, but for ease of use it is automatically copied from the disk serial.
* esx: Add support for specifying alternative CA bundle for remote peer verification
Users can now use ``cacert`` parameter in the URI to specify a file path
with CA certificate(s) that will be used for remote peer certificate
validation.
* qemu: add support for AMD IOMMU device
The ``amd`` model for the ``<iommu>`` device is now supported.
New attributes ``passthrough`` and ``xtsup`` are also supported for this
model.
* Improvements
* Include supported console types in domain capabilities
Domain capabilities now include information about supported console types, such as::
<console supported='yes'>
<enum name='type'>
<value>pty</value>
<value>tcp</value>
</enum>
</console>
* virsh: Add waiting for domain state via ``virsh await``
The new helper command ``virsh await`` simplifies waiting on domain state
which is normally announced via events. Currently two waiting conditions are
implemented: ``domain-inactive``, and ``guest-agent-available``.
* Bug fixes
* qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format
domain XML acquires QUERY job. But this caused a regression when the API
might timeout for incoming migration. This is now fixed.
* qemu: Fix shared filesystem detection on nonexistent paths
Since ``libvirt-11.1.0`` nonexistent paths within directories marked as
shared filesystems (via the ``shared_filesystems`` option in ``qemu.conf``)
would not be properly detected as being on a shared filesystem.
* qemu: Properly emulate USB cdrom device
CD-ROM devices on the USB bus are now properly emulated as such, which has
not been the case since libvirt switched to the modern QEMU command-line
syntax for storage backends.
Enjoy.
Jirka
3 weeks, 3 days
[PATCH v2 18/24] qapi/migration: Deprecate capabilities commands
by Fabiano Rosas
The concept of capabilities is being merged into the concept of
parameters. From now on, the commands that handle capabilities are
deprecated in favor of the commands that handle parameters.
Affected commands:
- migrate-set-capabilities
- query-migrate-capabilities
Signed-off-by: Fabiano Rosas <farosas(a)suse.de>
---
docs/about/deprecated.rst | 12 ++++++++++++
migration/migration-hmp-cmds.c | 6 ++++++
qapi/migration.json | 16 ++++++++++++++--
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 42037131de..15474833ea 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -605,3 +605,15 @@ command documentation for details on the ``fdset`` usage.
The ``zero-blocks`` capability was part of the block migration which
doesn't exist anymore since it was removed in QEMU v9.1.
+
+``migrate-set-capabilities`` command (since 10.1)
+'''''''''''''''''''''''''''''''''''''''''''''''''
+
+This command was deprecated. Use ``migrate-set-parameters`` instead
+which now supports setting capabilities.
+
+``query-migrate-capabilities`` command (since 10.1)
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+This command was deprecated. Use ``query-migrate-parameters`` instead
+which now supports querying capabilities.
diff --git a/migration/migration-hmp-cmds.c b/migration/migration-hmp-cmds.c
index 8615340a6b..7f234d5aa8 100644
--- a/migration/migration-hmp-cmds.c
+++ b/migration/migration-hmp-cmds.c
@@ -229,6 +229,9 @@ void hmp_info_migrate_capabilities(Monitor *mon, const QDict *qdict)
{
MigrationCapabilityStatusList *caps, *cap;
+ warn_report("info migrate_capabilities is deprecated;"
+ " use info migrate_parameters instead");
+
caps = qmp_query_migrate_capabilities(NULL);
if (caps) {
@@ -616,6 +619,9 @@ void hmp_migrate_set_capability(Monitor *mon, const QDict *qdict)
MigrationCapabilityStatus *value;
int val;
+ warn_report("migrate_set_capability is deprecated;"
+ " use migrate_set_parameter instead");
+
val = qapi_enum_parse(&MigrationCapability_lookup, cap, -1, &err);
if (val < 0) {
goto end;
diff --git a/qapi/migration.json b/qapi/migration.json
index 3d3f5624c5..c5e6ea1a2d 100644
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -521,6 +521,11 @@
#
# @capabilities: json array of capability modifications to make
#
+# Features:
+#
+# @deprecated: This command is deprecated in favor of
+# migrate-set-parameters.
+#
# Since: 1.2
#
# .. qmp-example::
@@ -530,7 +535,8 @@
# <- { "return": {} }
##
{ 'command': 'migrate-set-capabilities',
- 'data': { 'capabilities': ['MigrationCapabilityStatus'] } }
+ 'data': { 'capabilities': ['MigrationCapabilityStatus'] },
+ 'features': ['deprecated'] }
##
# @query-migrate-capabilities:
@@ -539,6 +545,11 @@
#
# Returns: @MigrationCapabilityStatus
#
+# Features:
+#
+# @deprecated: This command is deprecated in favor of
+# query-migrate-parameters.
+#
# Since: 1.2
#
# .. qmp-example::
@@ -554,7 +565,8 @@
# {"state": false, "capability": "x-colo"}
# ]}
##
-{ 'command': 'query-migrate-capabilities', 'returns': ['MigrationCapabilityStatus']}
+{ 'command': 'query-migrate-capabilities', 'returns': ['MigrationCapabilityStatus'],
+ 'features': ['deprecated'] }
##
# @MultiFDCompression:
--
2.35.3
3 weeks, 3 days