[libvirt] [PATCH] news: Update for 4.0.0
by Andrea Bolognani
As usual, a bunch of changes slipped through the cracks during the
development cycle. Update the release notes to include at least the
most notable.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
I'll push this tomorrow morning under the "can't possibly be worse
than leaving it alone" rule, so that it makes it into the release,
unless I get feedback earlier.
docs/news.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/docs/news.xml b/docs/news.xml
index 064b9ae83..d034be99a 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -35,8 +35,48 @@
<libvirt>
<release version="v4.0.0" date="unreleased">
<section title="New features">
+ <change>
+ <summary>
+ tools: Provide bash completion support
+ </summary>
+ <description>
+ Both <code>virsh</code> and <code>virt-admin</code> now implement
+ basic bash completion support.
+ </description>
+ </change>
+ <change>
+ <summary>
+ qemu: Refresh capabilities on host microcode update
+ </summary>
+ <description>
+ A microcode update can cause the CPUID bits to change; therefore,
+ the capabilities cache should be rebuilt when such an update is
+ detected on the host.
+ </description>
+ </change>
+ <change>
+ <summary>
+ lxc: Set hostname based on container name
+ </summary>
+ </change>
</section>
<section title="Improvements">
+ <change>
+ <summary>
+ CPU frequency reporting improvements
+ </summary>
+ <description>
+ The CPU frequency will now be reported by <code>virsh nodeinfo</code>
+ and other tools for s390 hosts; at the same time; CPU frequency has
+ been disabled on aarch64 hosts because there's no way to detect it
+ reliably.
+ </description>
+ </change>
+ <change>
+ <summary>
+ libxl: Mark domain0 as persistent
+ </summary>
+ </change>
<change>
<summary>
Xen: Add support for multiple IP addresses on interface devices
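Review bot: In the "CPU frequency reporting improvements" description, "at the same time; CPU frequency has been disabled" uses a second semicolon where a comma is needed, and it reads as if the frequency itself were disabled; suggest "at the same time, CPU frequency reporting has been disabled on aarch64 hosts". The "lxc: Set hostname based on container name" and "libxl: Mark domain0 as persistent" entries carry only a summary; a one-sentence description each would tell users what changed in behaviour.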
@@ -49,6 +89,16 @@
</change>
</section>
<section title="Bug fixes">
+ <change>
+ <summary>
+ qemu: Enforce vCPU hotplug granularity constraints
+ </summary>
+ <description>
+ QEMU 2.7 and newer don't allow guests to start unless the initial
+ vCPUs count is a multiple of the vCPU hotplug granularity, so
+ validate it and report an error if needed.
+ </description>
+ </change>
</section>
</release>
<release version="v3.10.0" date="2017-12-04">
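Review bot: In the "qemu: Enforce vCPU hotplug granularity constraints" description, "the initial vCPUs count" should be "the initial vCPU count", and "validate it and report an error if needed" does not say at which point the user sees the error; naming the operation that now fails would make the entry more useful.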
--
2.14.3
6 years, 10 months
[libvirt] [PATCH] qemu: avoid denial of service reading from QEMU monitor (CVE-2018-xxxx)
by Daniel P. Berrange
We read from QEMU until seeing a \r\n pair to indicate a completed reply
or event. To avoid memory denial-of-service though, we must have a size
limit on amount of data we buffer. 10 MB is large enough that it ought
to cope with normal QEMU replies, and small enough that we're not
consuming unreasonable mem.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/qemu/qemu_monitor.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 046caf001c..85c7d68a13 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
#define DEBUG_IO 0
#define DEBUG_RAW_IO 0
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
+
struct _qemuMonitor {
virObjectLockable parent;
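Review bot: The comment above QEMU_MONITOR_MAX_RESPONSE says "10 MB" while the macro is (10 * 1024 * 1024), i.e. 10 MiB, and it ends on the abbreviation "mem"; suggest "10 MiB" and "memory" so the comment matches the value. It would also help to note that the limit applies to a single buffered reply or event, since that is what the \r\n framing delimits.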
@@ -575,6 +584,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
int ret = 0;
if (avail < 1024) {
+ if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
+ virReportSystemError(ERANGE,
+ _("No complete monitor response found in %d bytes"),
+ QEMU_MONITOR_MAX_RESPONSE);
+ return -1;
+ }
if (VIR_REALLOC_N(mon->buffer,
mon->bufferLength + 1024) < 0)
return -1;
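Review bot: The limit check in qemuMonitorIORead compares mon->bufferLength, which the VIR_REALLOC_N call just below shows is the allocated size, and it only runs inside the "if (avail < 1024)" branch, so the cap is enforced on allocation at 1024-byte steps rather than on the number of unparsed bytes. That is a reasonable place for it, but a short comment stating so would save the next reader the derivation. Please also confirm that the callers treat this -1 as fatal for the monitor, so the buffer that has already grown to the limit is freed rather than the read being retried against it.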
--
2.14.3
6 years, 10 months
[libvirt] [PATCH] qemu: qemuDomainNamespaceUnlinkPaths: Return 0 in case of success
by Marc Hartmayer
Commit 7a931a4204af refactored the code and probably forgot to add
this line.
Signed-off-by: Marc Hartmayer <mhartmay(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
---
src/qemu/qemu_domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 5c171e4cbd6c..441bf5935b14 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -10212,7 +10212,7 @@ qemuDomainNamespaceUnlinkPaths(virDomainObjPtr vm,
goto cleanup;
}
-
+ ret = 0;
cleanup:
virStringListFreeCount(devMountsPath, ndevMountsPath);
virObjectUnref(cfg);
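Review bot: The added "ret = 0;" replaces the blank line that separated the preceding block from the "cleanup:" label, so the assignment now sits directly against the label; keep a blank line after "ret = 0;" for readability. Since the commit message only says the line was "probably" forgotten, it would be worth stating what callers of qemuDomainNamespaceUnlinkPaths observed before the fix, so the impact of the wrong return value is on record.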
--
2.13.4
6 years, 10 months
[libvirt] [PATCH] AppArmor: Allow libvirtd to kill unconfined processes
by intrigeri+libvirt@boum.org
From: intrigeri <intrigeri+libvirt(a)boum.org>
On startup libvirtd runs a number of QEMU processes unconfined such as:
/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
libvirtd needs to be allowed to kill these processes, otherwise they
remain running.
---
examples/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index a1083b0410..0ddec3f6e2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,6 +63,7 @@
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill") peer=unconfined,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
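Review bot: The new rule uses peer=unconfined, which matches every unconfined process on the host and not only the capability-probing QEMU instances described in the commit message, so it widens what libvirtd may signal well beyond the stated need. Restricting set to "kill" is good; please add a comment above the rule explaining why the unconfined peer is required, and consider whether those probe processes could run under a named profile so the peer can be narrowed later.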
--
2.15.1
6 years, 10 months
[libvirt] [PATCH libvirt] qemu: Fix segmentation fault when attaching a non iSCSI host device
by Marc Hartmayer
Add a check if it's an iSCSI hostdev and if it's not then don't use the
union member 'iscsi'. The segmentation fault occurred when accessing
secinfo->type, but this can vary from case to case.
Signed-off-by: Marc Hartmayer <mhartmay(a)linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
---
src/qemu/qemu_hotplug.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 6dc16a1054af..83d0e1c71a8e 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -2343,8 +2343,7 @@ qemuDomainAttachHostSCSIDevice(virConnectPtr conn,
bool secobjAdded = false;
virJSONValuePtr secobjProps = NULL;
virDomainHostdevSubsysSCSIPtr scsisrc = &hostdev->source.subsys.u.scsi;
- virDomainHostdevSubsysSCSIiSCSIPtr iscsisrc = &scsisrc->u.iscsi;
- qemuDomainStorageSourcePrivatePtr srcPriv;
+ qemuDomainStorageSourcePrivatePtr srcPriv = NULL;
qemuDomainSecretInfoPtr secinfo = NULL;
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_DEVICE_SCSI_GENERIC)) {
@@ -2386,7 +2385,8 @@ qemuDomainAttachHostSCSIDevice(virConnectPtr conn,
if (qemuDomainSecretHostdevPrepare(conn, priv, hostdev) < 0)
goto cleanup;
- srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(iscsisrc->src);
+ if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(scsisrc->u.iscsi.src);
if (srcPriv)
secinfo = srcPriv->secinfo;
if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
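Review bot: The guard on scsisrc->protocol before reading scsisrc->u.iscsi.src is the right fix, but it depends on the "srcPriv = NULL" initializer added in the first hunk, and nothing at the use site says why; a one-line comment that u.iscsi is only valid for VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI would keep the two from drifting apart. Please also check the other places in this file that read scsisrc->u.iscsi for the same missing protocol test, and consider a hotplug test case with a non-iSCSI SCSI hostdev.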
--
2.13.4
6 years, 10 months
[libvirt] [PATCH] remove bogus casts of arg to g_object_ref
by Daniel P. Berrange
Latest version of glib uses typeof() magic to cast the
return value of g_object_ref to match its argument,
instead of returning a 'void *'. A few places in the
code were casting the arg to G_OBJECT() which was then
incompatible with the variable we assigned the result
to. The parameter casts were always redundant so just
remove them.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
libvirt-gconfig/libvirt-gconfig-object.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libvirt-gconfig/libvirt-gconfig-object.c b/libvirt-gconfig/libvirt-gconfig-object.c
index 851e35c..ca2c6e6 100644
--- a/libvirt-gconfig/libvirt-gconfig-object.c
+++ b/libvirt-gconfig/libvirt-gconfig-object.c
@@ -572,7 +572,7 @@ gvir_config_object_set_node_content(GVirConfigObject *object,
node = gvir_config_object_replace_child(object, node_name);
g_return_if_fail(node != NULL);
} else {
- node = g_object_ref(G_OBJECT(object));
+ node = g_object_ref(object);
}
encoded_data = xmlEncodeEntitiesReentrant(node->priv->node->doc,
(xmlChar *)value);
@@ -896,7 +896,7 @@ gvir_config_object_attach(GVirConfigObject *parent, GVirConfigObject *child, gbo
child->priv->doc = NULL;
}
if (parent->priv->doc != NULL) {
- child->priv->doc = g_object_ref(G_OBJECT(parent->priv->doc));
+ child->priv->doc = g_object_ref(parent->priv->doc);
}
}
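Review bot: Both call sites now pass the object straight to g_object_ref, which is fine, but the commit message speaks of "a few places" and the diffstat touches only libvirt-gconfig-object.c; please grep the rest of the tree for "g_object_ref(G_OBJECT(" so that builds against the newer glib do not fail elsewhere. In gvir_config_object_attach the result is assigned to child->priv->doc, so it is worth noting in the commit message that the assignment still compiles with older glib where the return type is a plain pointer.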
--
2.14.3
6 years, 10 months
[libvirt] [PATCH] rpm: updates wrt min required fedora version
by Daniel P. Berrange
Update the min fedora to 25. Use a macro to record the min versions so that the
later error message is always in sync with the earlier version check. Clarify
the comment that refers to guessing of dist which does not actually happen.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
libvirt.spec.in | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 7e1b6a27d3..713961573a 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1,10 +1,12 @@
# -*- rpm-spec -*-
# This spec file assumes you are building on a Fedora or RHEL version
-# that's still supported by the vendor: that means Fedora 23 or newer,
-# or RHEL 6 or newer. It may need some tweaks for other distros.
-# If neither fedora nor rhel was defined, try to guess them from dist
-%if (0%{?fedora} && 0%{?fedora} >= 23) || (0%{?rhel} && 0%{?rhel} >= 6)
+# that's still supported by the vendor. It may work on other distros
+# or versions, but no effort will be made to ensure that going forward.
+%define min_rhel 6
+%define min_fedora 25
+
+%if (0%{?fedora} && 0%{?fedora} >= %{min_fedora}) || (0%{?rhel} && 0%{?rhel} >= %{min_rhel})
%define supported_platform 1
%else
%define supported_platform 0
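Review bot: The rewritten header comment no longer names any minimum version, so a reader has to find min_rhel and min_fedora to learn what "still supported by the vendor" means here; suggest ending the comment with a pointer to those two macros. The macros themselves are a good change, since the old check used Fedora 23 while the error message further down said Fedora >= 20.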
@@ -1132,7 +1134,7 @@ rm -rf .git
%build
%if ! %{supported_platform}
-echo "This RPM requires either Fedora >= 20 or RHEL >= 6"
+echo "This RPM requires either Fedora >= %{min_fedora} or RHEL >= %{min_rhel}"
exit 1
%endif
--
2.14.3
6 years, 10 months
[libvirt] [PATCH] spec: enable bash completion only on new enough distros
by Pavel Hrdina
RHEL-6 doesn't have bash-completion package by default, it has to be
installed from EPEL.
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
libvirt.spec.in | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index d4ef116b2d..ef96888d09 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -87,6 +87,7 @@
%define with_libssh2 0%{!?_without_libssh2:0}
%define with_wireshark 0%{!?_without_wireshark:0}
%define with_libssh 0%{!?_without_libssh:0}
+%define with_bash_completion 0%{!?_without_bash_completion:0}
%define with_pm_utils 1
# Finally set the OS / architecture specific special cases
@@ -190,6 +191,11 @@
%define with_libssh 0%{!?_without_libssh:1}
%endif
+# Enable bash-completion for new enough distros
+%if 0%{?fedora} || 0%{?rhel} >= 7
+ %define with_bash_completion 0%{!?_without_bash_completion:1}
+%endif
+
%if %{with_qemu} || %{with_lxc} || %{with_uml}
# numad is used to manage the CPU and memory placement dynamically,
@@ -306,7 +312,9 @@ BuildRequires: xen-devel
BuildRequires: libxml2-devel
BuildRequires: libxslt
BuildRequires: readline-devel
+%if %{with_bash_completion}
BuildRequires: bash-completion >= 2.0
+%endif
BuildRequires: ncurses-devel
BuildRequires: gettext
BuildRequires: libtasn1-devel
@@ -2048,7 +2056,9 @@ exit 0
%{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
%{_datadir}/systemtap/tapset/libvirt_functions.stp
+%if %{with_bash_completion}
%{_datadir}/bash-completion/completions/vsh
+%endif
%if %{with_systemd}
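Review bot: with_bash_completion gates the BuildRequires and this %files entry, but none of the hunks passes the setting on to configure. If configure detects bash-completion on its own, a RHEL-6 build host that has the EPEL package installed would still install completions/vsh and then fail on an unpackaged file; please pass an explicit enable or disable argument derived from %{with_bash_completion} in the %build section, or state in the commit message why that is not needed.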
--
2.14.3
6 years, 10 months
[libvirt] [jenkins-ci PATCH] guests: install bash-completion when building libvirt
by Pavel Hrdina
Libvirt recently added bash-completion support. On CentOS6 the
package is available only from EPEL repositories.
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
guests/vars/mappings.yml | 4 ++++
guests/vars/projects/libvirt.yml | 1 +
2 files changed, 5 insertions(+)
diff --git a/guests/vars/mappings.yml b/guests/vars/mappings.yml
index e669b6c..440123c 100644
--- a/guests/vars/mappings.yml
+++ b/guests/vars/mappings.yml
@@ -53,6 +53,10 @@ mappings:
pkg: avahi
rpm: avahi-devel
+ bash-completion:
+ default: bash-completion
+ CentOS6:
+
ccache:
default: ccache
CentOS:
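Review bot: The bash-completion mapping leaves "CentOS6:" with an empty value and no comment, which reads as a typo. If the empty value means "do not install on CentOS6", that is at odds with the subject line "install bash-completion when building libvirt" and should be explained in a comment next to the key, together with the EPEL reason given in the commit message; if the package is meant to come from EPEL, the mapping needs the package name and the guest needs that repository enabled.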
diff --git a/guests/vars/projects/libvirt.yml b/guests/vars/projects/libvirt.yml
index 598dfc4..9f027f8 100644
--- a/guests/vars/projects/libvirt.yml
+++ b/guests/vars/projects/libvirt.yml
@@ -3,6 +3,7 @@ packages:
- apparmor
- augeas
- avahi
+ - bash-completion
- cyrus-sasl
- device-mapper
- dnsmasq
--
2.14.3
6 years, 10 months