January 2018 - Devel - libvirt List Archives

[libvirt] [[RFC] 0/8] Implement async QEMU event handling in libvirtd.
by Prerna Saxena 28 Mar '18

28 Mar '18

As noted in https://www.redhat.com/archives/libvir-list/2017-May/msg00016.html libvirt-QEMU driver handles all async events from the main loop. Each event handling needs the per-VM lock to make forward progress. In the case where an async event is received for the same VM which has an RPC running, the main loop is held up contending for the same lock. This impacts scalability, and should be addressed on priority. Note that libvirt does have a 2-step deferred handling for a few event categories, but (1) That is insufficient since blockign happens before the handler could disambiguate which one needs to be posted to this other queue. (2) There needs to be homogeniety. The current series builds a framework for recording and handling VM events. It initializes per-VM event queue, and a global event queue pointing to events from all the VMs. Event handling is staggered in 2 stages: - When an event is received, it is enqueued in the per-VM queue as well as the global queues. - The global queue is built into the QEMU Driver as a threadpool (currently with a single thread). - Enqueuing of a new event triggers the global event worker thread, which then attempts to take a lock for this event's VM. - If the lock is available, the event worker runs the function handling this event type. Once done, it dequeues this event from the global as well as per-VM queues. - If the lock is unavailable(ie taken by RPC thread), the event worker thread leaves this as-is and picks up the next event. - Once the RPC thread completes, it looks for events pertaining to the VM in the per-VM event queue. It then processes the events serially (holding the VM lock) until there are no more events remaining for this VM. At this point, the per-VM lock is relinquished. Patch Series status: Strictly RFC only. No compilation issues. I have not had a chance to (stress) test it after rebase to latest master. Note that documentation and test coverage is TBD, since a few open points remain. Known issues/ caveats: - RPC handling time will become non-deterministic. - An event will only be "notified" to a client once the RPC for same VM completes. - Needs careful consideration in all cases where a QMP event is used to "signal" an RPC thread, else will deadlock. Will be happy to drive more discussion in the community and completely implement it. Prerna Saxena (8): Introduce virObjectTrylock() QEMU Event handling: Introduce async event helpers in qemu_event.[ch] Setup global and per-VM event queues. Also initialize per-VM queues when libvirt reconnects to an existing VM. Events: Allow monitor to "enqueue" events to a queue. Also introduce a framework of handlers for each event type, that can be called when the handler is running an event. Events: Plumb event handling calls before a domain's APIs complete. Code refactor: Move helper functions of doCoreDump*, syncNicRxFilter*, and qemuOpenFile* to qemu_process.[ch] Fold back the 2-stage event implementation for a few events : Watchdog, Monitor EOF, Serial changed, Guest panic, Nic RX filter changed .. into single level. Initialize the per-VM event queues in context of domain init. src/Makefile.am | 1 + src/conf/domain_conf.h | 3 + src/libvirt_private.syms | 1 + src/qemu/qemu_conf.h | 4 + src/qemu/qemu_driver.c | 1710 +++++++---------------------------- src/qemu/qemu_event.c | 317 +++++++ src/qemu/qemu_event.h | 231 +++++ src/qemu/qemu_monitor.c | 592 ++++++++++-- src/qemu/qemu_monitor.h | 80 +- src/qemu/qemu_monitor_json.c | 291 +++--- src/qemu/qemu_process.c | 2031 ++++++++++++++++++++++++++++++++++-------- src/qemu/qemu_process.h | 88 ++ src/util/virobject.c | 26 + src/util/virobject.h | 4 + src/util/virthread.c | 5 + src/util/virthread.h | 1 + tests/qemumonitortestutils.c | 2 +- 17 files changed, 3411 insertions(+), 1976 deletions(-) create mode 100644 src/qemu/qemu_event.c create mode 100644 src/qemu/qemu_event.h -- 2.9.5

6 19

[libvirt] [PATCH] tools: avoid text spilling into variables
by Dariusz Gadomski 23 Feb '18

23 Feb '18

From: Christian Ehrhardt <christian.ehrhardt(a)canonical.com> While libvirt-guests.sh is running cases can let guest_is_on fail which causes check_guests_shutdown to print output. That output shall not spill into the users of function check_guests_shutdown which is therefore now returning values in a variable like guest_is_on already did. Original-Author: Christian Ehrhardt <christian.ehrhardt(a)canonical.com> Modified-By: Jorge Niedbalski <niedbalski(a)ubuntu.com> --- tools/libvirt-guests.sh.in | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/libvirt-guests.sh.in b/tools/libvirt-guests.sh.in index 8a158cca4..91a2f3283 100644 --- a/tools/libvirt-guests.sh.in +++ b/tools/libvirt-guests.sh.in @@ -329,12 +329,13 @@ guest_count() # check_guests_shutdown URI GUESTS # check if shutdown is complete on guests in "GUESTS" and returns only # guests that are still shutting down +# Result is returned in "guests_shutting_down" check_guests_shutdown() { uri=$1 guests=$2 - guests_up= + guests_shutting_down= for guest in $guests; do if ! guest_is_on "$uri" "$guest" >/dev/null 2>&1; then eval_gettext "Failed to determine state of guest: \$guest. Not tracking it anymore." @@ -342,10 +343,9 @@ check_guests_shutdown() continue fi if "$guest_running"; then - guests_up="$guests_up $guest" + guests_shutting_down="$guests_shutting_down $guest" fi done - echo "$guests_up" } # print_guests_shutdown URI BEFORE AFTER @@ -392,8 +392,10 @@ shutdown_guests_parallel() guest=$1 shift guests=$* - shutdown_guest_async "$uri" "$guest" - on_shutdown="$on_shutdown $guest" + if [ -z "$(echo $on_shutdown | grep $guest)" -a -n "$(guest_name "$uri" "$guest")" ]; then + shutdown_guest_async "$uri" "$guest" + on_shutdown="$on_shutdown $guest" + fi done sleep 1 @@ -420,7 +422,8 @@ shutdown_guests_parallel() fi on_shutdown_prev=$on_shutdown - on_shutdown=$(check_guests_shutdown "$uri" "$on_shutdown") + check_guests_shutdown "$uri" "$on_shutdown" + on_shutdown="$guests_shutting_down" print_guests_shutdown "$uri" "$on_shutdown_prev" "$on_shutdown" done } -- 2.14.1

2 1

[libvirt] Should we switch to a different JSON library?
by Martin Kletzander 14 Feb '18

14 Feb '18

Hi everyone, so we are using yajl for parsing JSON. However there are some reasons why we might consider switching to another one: 1) It is basically dead upstream 2) We're just using the lexer part of it 3) We only use it for parsing 4) The are workarounds for it in the code So I looked at some options and found few other libraries, I only took those that are widely available (read: I checked if some random downstream distro has them), however most of them were not very much usable. Except one. But here's the list of few others that didn't look that bad either. All are MIT-licensed, try to be thread-safe and support pkg-config: - libfastjson [1] - from rsyslog community, optimized for working with logs, used almost only by rsyslog, it's supposed to have doxygen docs, they switched to libfastjson from json-c due to some problems with it (performance, ref counting bug, ...) - json-c [2] - looked abandoned until I looked at the proper github page, "documentation" in doxygen - Jansson [3] - I really like this one. The API seems very intuitive, it has nice documentation [4] in readthedocs (and I'm not talking about the visual style, but how easy is to find information), it can be used for formatting JSON in a similar way we are doing it. It has json_auto_t (optional) type that uses the attribute cleanup for automatic scope dereference (just in case we want to use it), it has iterators... did I tell you I like this one a lot? What do you (others) think of switching the JSON library? Do you know about any other projects that could be used considering license, platform support, etc.? Also feel free to fix any mistakes I might have posted. I double-checked it, but you know, "trust, but verify". Have a nice day, Martin [1] https://github.com/rsyslog/libfastjson [2] https://github.com/json-c/json-c [3] http://www.digip.org/jansson/ [4] https://jansson.readthedocs.io/

7 9

[libvirt] [PATCH 00/14] Basic implementation of persistent reservations
by Michal Privoznik 12 Feb '18

12 Feb '18

QEMU added support for SCSI persistent reservations. The way QEMU implemented that makes it slightly harder for libvirt to adapt to - it's a small binary that needs to start before qemu so that it can connect to it. Basically, what libvirt does is: 1) start qemu-pr-helper (the small binary from above), 2) records its PID for tracking purposes 3) start qemu and when shutting down a domain the process is reversed: 1) shut down qemu process, 2) kill qemu-pr-helper (PID was saved earlier). Now, here also lies the last missing piece to he puzzle - what if qemu-pr-helper dies while qemu is running? After some discussion with Paolo it was agreed that qemu will emit an event for libvirt so that we can respawn the process. Anyway, that shouldn't be a show stopper for these patches (if it was the patch set might get too big). Please test, review and comment. As usual, you can find the patches on my github too: https://github.com/zippy2/libvirt/tree/pr Michal Privoznik (14): virstoragefile: Introduce virStoragePRDef qemuDomainDiskChangeSupported: Deny changing reservations qemu: Introduce pr-manager-helper capability qemu_domain: Introduce qemuDomainDiskPRObject qemu: Generate alias for pr-helper qemu: Store prAlias and prPath in status XML qemu: Generate cmd line at startup qemu: Introduce pr_helper to qemu.conf qemu: Start PR daemons on domain startup qemu: Track PR daemons PIDs in status XML qemu_domain: Introduce qemuDomainGetPRUsageCount qemu_process.c: Introduce qemuProcessSetupPRDaemon qemu_hotplug: Hotplug of reservations qemu_hotplug: Hotunplug of reservations docs/formatdomain.html.in | 25 +- docs/schemas/domaincommon.rng | 19 +- docs/schemas/storagecommon.rng | 34 ++ m4/virt-driver-qemu.m4 | 5 + src/conf/domain_conf.c | 36 ++ src/libvirt_private.syms | 4 + src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf | 4 + src/qemu/qemu_capabilities.c | 2 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 59 +++ src/qemu/qemu_conf.c | 7 +- src/qemu/qemu_conf.h | 1 + src/qemu/qemu_domain.c | 435 ++++++++++++++++++++- src/qemu/qemu_domain.h | 29 ++ src/qemu/qemu_hotplug.c | 110 ++++++ src/qemu/qemu_process.c | 160 ++++++++ src/qemu/qemu_process.h | 4 + src/qemu/test_libvirtd_qemu.aug.in | 1 + src/util/virstoragefile.c | 166 ++++++++ src/util/virstoragefile.h | 17 + .../disk-virtio-scsi-reservations-not-managed.args | 28 ++ .../disk-virtio-scsi-reservations-not-managed.xml | 40 ++ .../disk-virtio-scsi-reservations.args | 29 ++ .../disk-virtio-scsi-reservations.xml | 38 ++ tests/qemuxml2argvtest.c | 8 + .../disk-virtio-scsi-reservations-not-managed.xml | 1 + .../disk-virtio-scsi-reservations.xml | 1 + tests/qemuxml2xmltest.c | 4 + 29 files changed, 1250 insertions(+), 19 deletions(-) create mode 100644 tests/qemuxml2argvdata/disk-virtio-scsi-reservations-not-managed.args create mode 100644 tests/qemuxml2argvdata/disk-virtio-scsi-reservations-not-managed.xml create mode 100644 tests/qemuxml2argvdata/disk-virtio-scsi-reservations.args create mode 100644 tests/qemuxml2argvdata/disk-virtio-scsi-reservations.xml create mode 120000 tests/qemuxml2xmloutdata/disk-virtio-scsi-reservations-not-managed.xml create mode 120000 tests/qemuxml2xmloutdata/disk-virtio-scsi-reservations.xml -- 2.13.6

6 34

[libvirt] [PATCH] fix regex to check CN from server certificate
by Tiago M. Vieira 08 Feb '18

08 Feb '18

Currently when the script validates the PKI files and the certificate 'Subject:' field contains RDNs after the Common Name (CN), these values are also included, creating a false result that the CN is not correct. A small change to the sed regex fixes this issue, by extracting only the value for CN and nothing else. The regex is replaced with the exact same regex used to extract the CN value from the client certificate. --- tools/virt-pki-validate.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 206637abf..b04680dde 100755 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -255,7 +255,7 @@ then echo CA organization: $ORG echo Server organization: $S_ORG fi - S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=$[a-zA-Z\. _-]*$+\1+'` + S_HOST=`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep Subject: | sed 's+.*CN=$.[a-zA-Z \._-]*$.*+\1+'` if test "$S_HOST" != "`hostname -s`" && test "$S_HOST" != "`hostname`" then echo The server certificate does not seem to match the host name -- 2.14.3

2 1

[libvirt] [PATCH] qemu: report a nicer error when USB is disabled
by Ján Tomko 08 Feb '18

08 Feb '18

If the user tries to define a domain that has <controller type='usb' model='none'/> and also some USB devices, we report an error: error: internal error: No free USB ports Which is technically still correct for a domain with no USB ports. Change it to: USB is disabled for this domain, but USB devices are present in the domain XML https://bugzilla.redhat.com/show_bug.cgi?id=1347550 --- src/conf/domain_conf.c | 2 +- src/conf/domain_conf.h | 2 ++ src/libvirt_private.syms | 1 + src/qemu/qemu_domain_address.c | 7 +++++++ 4 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index f3b4dd33d..028fcb5be 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -5116,7 +5116,7 @@ virDomainDiskDefValidate(const virDomainDiskDef *disk) return 0; } -static bool +bool virDomainDefHasUSB(const virDomainDef *def) { size_t i; diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index bb3b6f0c3..32e191e0a 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -2656,6 +2656,8 @@ int virDomainDefPostParse(virDomainDefPtr def, unsigned int parseFlags, virDomainXMLOptionPtr xmlopt, void *parseOpaque); +bool +virDomainDefHasUSB(const virDomainDef *def); int virDomainDefValidate(virDomainDefPtr def, virCapsPtr caps, diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 5b1bc5e4f..21f226258 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -267,6 +267,7 @@ virDomainDefGetVcpusTopology; virDomainDefHasDeviceAddress; virDomainDefHasMemballoon; virDomainDefHasMemoryHotplug; +virDomainDefHasUSB; virDomainDefHasVcpusOffline; virDomainDefMaybeAddController; virDomainDefMaybeAddInput; diff --git a/src/qemu/qemu_domain_address.c b/src/qemu/qemu_domain_address.c index 69c0c8bf2..0d565b3ea 100644 --- a/src/qemu/qemu_domain_address.c +++ b/src/qemu/qemu_domain_address.c @@ -2644,6 +2644,13 @@ qemuDomainUSBAddressAddHubs(virDomainDefPtr def) &data, false)); + if (data.count && !virDomainDefHasUSB(def)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("USB is disabled for this domain, but USB devices " + "are present in the domain XML")); + return -1; + } + if (data.count > available_ports) hubs_needed = VIR_DIV_UP(data.count - available_ports + 1, VIR_DOMAIN_USB_HUB_PORTS - 1); -- 2.13.0

2 1

[libvirt] [PATCH] Migration: Preserve the failed job in case migration job is terminated beyond the perform phase.
by Prerna Saxena 08 Feb '18

08 Feb '18

In case of non-p2p migration, in case libvirt client gets disconnected from source libvirt after PERFORM phase is over, the daemon just resets the current migration job. However, the VM could be left paused on both source and destination in such case. In case the client reconnects and queries migration status, the job has been blanked out from source libvirt, and this reconnected client has no clear way of figuring out if an unclean migration had previously been aborted. This patch calls out a "potentially" incomplete migration as a failed job, so that a client may be able to watch previously failed jobs for this VM and take corrective actions as needed. Signed-off-by: Prerna Saxena <saxenap.ltc(a)gmail.com> --- src/qemu/qemu_domain.c | 16 ++++++++++++++++ src/qemu/qemu_domain.h | 2 ++ src/qemu/qemu_migration.c | 4 ++-- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index e8e0313..7c60d17 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -4564,6 +4564,22 @@ qemuDomainObjDiscardAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj) qemuDomainObjSaveJob(driver, obj); } + +void +qemuDomainObjFailAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj) +{ + qemuDomainObjPrivatePtr priv = obj->privateData; + VIR_FREE(priv->job.completed); + if (VIR_ALLOC(priv->job.completed) == 0) { + priv->job.current->type = VIR_DOMAIN_JOB_FAILED; + priv->job.completed = priv->job.current; + } else { + VIR_WARN("Unable to allocate job.completed for VM %s", obj->def->name); + } + qemuDomainObjResetAsyncJob(priv); + qemuDomainObjEndJob(driver, obj); +} + void qemuDomainObjReleaseAsyncJob(virDomainObjPtr obj) { diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index c33af36..6465603 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -497,6 +497,8 @@ void qemuDomainObjRestoreJob(virDomainObjPtr obj, struct qemuDomainJobObj *job); void qemuDomainObjDiscardAsyncJob(virQEMUDriverPtr driver, virDomainObjPtr obj); +void qemuDomainObjFailAsyncJob(virQEMUDriverPtr driver, + virDomainObjPtr obj); void qemuDomainObjReleaseAsyncJob(virDomainObjPtr obj); qemuMonitorPtr qemuDomainGetMonitor(virDomainObjPtr vm) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 69eb231..fd8950e 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1911,8 +1911,8 @@ qemuMigrationCleanup(virDomainObjPtr vm, VIR_WARN("Migration of domain %s finished but we don't know if the" " domain was successfully started on destination or not", vm->def->name); - /* clear the job and let higher levels decide what to do */ - qemuDomainObjDiscardAsyncJob(driver, vm); + /* clearly "fail" the job and let higher levels decide what to do */ + qemuDomainObjFailAsyncJob(driver, vm); break; case QEMU_MIGRATION_PHASE_PERFORM3: -- 1.7.1

3 3

[libvirt] [PATCH 0/7] Keep non-persistent changes alive in snapshot
by Kothapally Madhu Pavan 08 Feb '18

08 Feb '18

Restoring to a snapshot should not overwrite the persistent XML configuration of a snapshot as a side effect. This patchset fixes the same. Currently, virDomainSnapshotDef only saves active domain definition of the guest. And on restore the active domain definition is used as both active and inactive domain definitions. This will make the non-persistent changes persistent in snapshot image. This patchset allows to save inactive domain definition as well and on snapshot-revert non-persistent configuration is restored as is. Currently, snapshot-revert is making non-presistent changes as persistent. Here are the steps to reproduce. Step1: virsh define $dom Step2: virsh attach-device $dom $memory-device.xml --live Step3: virsh snapshot-create $dom Step4: virsh destroy $dom Step5: virsh snapshot-revert $dom $snapshot-name Step6: virsh destroy $dom Step7: virsh start $dom Here we still have $memory-device attached in Step2. This patchset is attempting to solve this issue. This patchset will also allow user to dump and edit inactive XML configuration of a snapshot. Dumping inactive domain definition of a snapshot is important as --redefine uses snapshot-dumpxml output to redefine a snapshot. Kothapally Madhu Pavan (7): qemu: Store inactive domain configuration in snapshot qemu: Use active and inactive snapshot configuration on restore conf: Allow editing inactive snapshot configuration virsh: Dump inactive XML configuration of snapshot using snapshot-dumpxml virsh: Edit inactive XML configuration of snapshot using snapshot-edit virsh: Allow restoring snapshot with non-persistent configuration tests: docs: Add schema and testcase for domainsnapshot docs/schemas/domainsnapshot.rng | 19 +++++ include/libvirt/libvirt-domain-snapshot.h | 10 ++- include/libvirt/libvirt-domain.h | 1 + src/conf/domain_conf.c | 6 +- src/conf/domain_conf.h | 2 + src/conf/snapshot_conf.c | 48 ++++++++++++- src/conf/snapshot_conf.h | 1 + src/qemu/qemu_driver.c | 33 ++++++++- .../full_domain_withinactive.xml | 83 ++++++++++++++++++++++ tests/domainsnapshotxml2xmltest.c | 1 + tools/virsh-snapshot.c | 20 ++++++ tools/virsh.pod | 37 +++++++++- 12 files changed, 251 insertions(+), 10 deletions(-) create mode 100644 tests/domainsnapshotxml2xmlout/full_domain_withinactive.xml -- 1.8.3.1

4 16

[libvirt] [PATCH python 1/1] Fix type extracting from PyDict
by Edgar Kaziakhmedov 08 Feb '18

08 Feb '18

PyInt_Check returns value whether or not an input object is the integer type. The existing implementation of extracting leads to the wrong type interpretation in the following code: params = {libvirt.VIR_MIGRATE_PARAM_DISKS_PORT : 50123} ... dom.migrate3(%option1, params, %option3) where libvirt reports: libvirt.libvirtError: invalid argument: invalid type 'ullong' for parameter 'disks_port', expected 'int' So, this patch fixes that bug and allows casting to the VIR_TYPED_PARAM_INT type. Signed-off-by: Edgar Kaziakhmedov <edgar.kaziakhmedov(a)virtuozzo.com> --- libvirt-utils.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libvirt-utils.c b/libvirt-utils.c index f7b4478..3a00e9f 100644 --- a/libvirt-utils.c +++ b/libvirt-utils.c @@ -434,10 +434,7 @@ virPyDictToTypedParamOne(virTypedParameterPtr *params, type = VIR_TYPED_PARAM_ULLONG; #if PY_MAJOR_VERSION < 3 } else if (PyInt_Check(value)) { - if (PyInt_AS_LONG(value) < 0) - type = VIR_TYPED_PARAM_LLONG; - else - type = VIR_TYPED_PARAM_ULLONG; + type = VIR_TYPED_PARAM_INT; #endif } else if (PyFloat_Check(value)) { type = VIR_TYPED_PARAM_DOUBLE; -- 2.11.0

2 6

[libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
by Guido Günther 08 Feb '18

08 Feb '18

Otherwise stopping domains with qemu://session fails like [164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined" --- examples/apparmor/usr.sbin.libvirtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 0ddec3f6e2..be4fabf905 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. -- 2.15.1

8 8