January 2019 - Devel - libvirt List Archives

[libvirt] [PATCH 0/4] Couple of apparmor related fixes
by Michal Privoznik 23 Jan '19

23 Jan '19

Firstly, the virt-aa-helper was never installed under /usr/lib or /usr/lib64. Since it's introduction it lives under /usr/libexec and therefore the profile name should reflect that. Secondly, the profile misses some binaries we use. And lastly, some other internal binaries are misplaced in the profile. Michal Prívozník (4): apparmor: Fix parthelper, iohelper and virt-aa-helper paths in profiles apparmor: Allow libvirt to spawn virt-aa-helper and libvirt_lxc docs: Fix virt-aa-helper location apparmor: Rename virt-aa-helper profile docs/drvqemu.html.in | 2 +- src/security/Makefile.inc.am | 10 +++++----- ...bvirt.virt-aa-helper => usr.libexec.virt-aa-helper} | 6 +++--- src/security/apparmor/usr.sbin.libvirtd | 6 ++++-- 4 files changed, 13 insertions(+), 11 deletions(-) rename src/security/apparmor/{usr.lib.libvirt.virt-aa-helper => usr.libexec.virt-aa-helper} (90%) -- 2.19.2

3 11

[libvirt] [PATCH 00/10] RFC: conf: partially net model enum conversion
by Cole Robinson 23 Jan '19

23 Jan '19

This series is base on my virtio-transitional work, since it touches a lot of the same code: https://www.redhat.com/archives/libvir-list/2019-January/msg00593.html This series partially converts the net->model value from a string to an enum. We wrap the existing ->model string in accessor functions, rename it to ->modelstr, add a ->model enum, and convert internal driver usage bit by bit. At the end, all driver code that is acting on specific network model values is comparing against an enum, not a string. This is only partial because of xen/libxl/xm and qemu drivers, which if they don't know anything particular about the model string will just place it on the qemu command line/xen config and see what happens. So basically if I were to pass in <model type='idontexist'/> qemu would turn that into -device idontexist,... That behavior is untouched by this series. Unwinding it will take some thought. For starters would be populating the enum with any qemu/xen network model that a user could realistically have a working config with. Then maybe tainting the VM if modelstr is used. Then after some time the final round could be causing domains to fail to start, but not fail to parse, so they don't disappear on upgrade but still break in an obvious way that will generate complaints/bugreports. But we should agree on a plan for it. Other caveats: * vz and bhyve drivers are not compile tested * vmx and virtualbox drivers previously would do a case insensitive compare on the model value passed in via the user XML. Current patches don't preserve that. I don't know how much it matters for these drivers for reading fresh XML vs roundtrip XML from converted native formats (which _will_ correct the case issue). If we want to fix this we will need to tolower() the modelstr value in the XML parser. I think there's a gnulib function for it but I haven't explored it deeply Cole Robinson (10): tests: Add several net model passthrough tests conf: net: Add wrapper functions for <model> value conf: net: Rename 'model' to 'modelstr' conf: net: Add model enum, and netfront value vz: convert to net model enum bhyve: convert to net model enum qemu: Partially convert to net model enum vmx: convert to net model enum vbox: Convert to net enum model conf: Add VIR_DOMAIN_DEF_FEATURE_NET_MODEL_STRING src/bhyve/bhyve_command.c | 15 +-- src/bhyve/bhyve_parse_command.c | 10 +- src/conf/domain_conf.c | 105 ++++++++++++++---- src/conf/domain_conf.h | 35 +++++- src/libvirt_private.syms | 4 + src/libxl/libxl_conf.c | 8 +- src/libxl/libxl_domain.c | 1 + src/qemu/qemu_command.c | 33 +++--- src/qemu/qemu_domain.c | 32 +++--- src/qemu/qemu_domain_address.c | 14 +-- src/qemu/qemu_driver.c | 14 ++- src/qemu/qemu_hotplug.c | 15 ++- src/qemu/qemu_parse_command.c | 5 +- src/security/virt-aa-helper.c | 3 +- src/vbox/vbox_common.c | 29 +++-- src/vmx/vmx.c | 55 ++++----- src/vz/vz_driver.c | 7 +- src/vz/vz_sdk.c | 17 ++- src/xenconfig/xen_common.c | 31 +++--- src/xenconfig/xen_sxpr.c | 30 ++--- tests/qemuxml2argvdata/net-many-models.args | 39 +++++++ tests/qemuxml2argvdata/net-many-models.xml | 37 ++++++ tests/qemuxml2argvtest.c | 1 + tests/xlconfigdata/test-net-fakemodel.cfg | 24 ++++ tests/xlconfigdata/test-net-fakemodel.xml | 39 +++++++ tests/xlconfigtest.c | 1 + .../test-paravirt-net-fakemodel.cfg | 13 +++ .../test-paravirt-net-fakemodel.xml | 40 +++++++ .../test-paravirt-net-modelstr.cfg | 13 +++ tests/xmconfigtest.c | 1 + .../xml2sexpr-fv-net-many-models.sexpr | 1 + .../xml2sexpr-fv-net-many-models.xml | 43 +++++++ tests/xml2sexprtest.c | 1 + 33 files changed, 534 insertions(+), 182 deletions(-) create mode 100644 tests/qemuxml2argvdata/net-many-models.args create mode 100644 tests/qemuxml2argvdata/net-many-models.xml create mode 100644 tests/xlconfigdata/test-net-fakemodel.cfg create mode 100644 tests/xlconfigdata/test-net-fakemodel.xml create mode 100644 tests/xmconfigdata/test-paravirt-net-fakemodel.cfg create mode 100644 tests/xmconfigdata/test-paravirt-net-fakemodel.xml create mode 100644 tests/xmconfigdata/test-paravirt-net-modelstr.cfg create mode 100644 tests/xml2sexprdata/xml2sexpr-fv-net-many-models.sexpr create mode 100644 tests/xml2sexprdata/xml2sexpr-fv-net-many-models.xml -- 2.20.1

2 13

[libvirt] [PATCH 0/2] qemu: Improve and document states handled in qemuProcessHandleAcpiOstInfo
by Peter Krempa 22 Jan '19

22 Jan '19

We did not handle all the possible error states of memory unplug. Add more ACPI table documentation and fix the code to conform to it. Peter Krempa (2): qemu: process: Improve documentation of values handled by qemuProcessHandleAcpiOstInfo qemu: process: Handle all failure values for dimms in qemuProcessHandleAcpiOstInfo src/qemu/qemu_process.c | 44 +++++++++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 8 deletions(-) -- 2.20.1

3 4

[libvirt] [PATCH] rpm spec: remove %{extra_release} from spec
by Daniel P. Berrangé 22 Jan '19

22 Jan '19

The %{extra_release} field was previously populated by data from the old autobuild.sh file but is no longer used. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- libvirt.spec.in | 2 +- mingw-libvirt.spec.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 567721f424..2e572e2a01 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -214,7 +214,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: @VERSION@ -Release: 1%{?dist}%{?extra_release} +Release: 1%{?dist} License: LGPLv2+ URL: https://libvirt.org/ diff --git a/mingw-libvirt.spec.in b/mingw-libvirt.spec.in index 7c7ab4146d..249abb8475 100644 --- a/mingw-libvirt.spec.in +++ b/mingw-libvirt.spec.in @@ -35,7 +35,7 @@ Name: mingw-libvirt Version: @VERSION@ -Release: 1%{?dist}%{?extra_release} +Release: 1%{?dist} Summary: MinGW Windows libvirt virtualization library License: LGPLv2+ -- 2.20.1

2 3

[libvirt] [PATCH] virt-aa-helper: generate rules for gl enabled graphics devices
by Christian Ehrhardt 22 Jan '19

22 Jan '19

This adds the virt-aa-helper support for gl enabled graphics devices to generate rules for the needed rendernode paths. Example in domain xml: <graphics type='spice'> <gl enable='yes' rendernode='/dev/dri/bar'/> </graphics> results in: "/dev/dri" r, "/dev/dri/bar" rw, Special cases are: - multiple devices with rendernodes -> all are added - non explicit rendernodes -> follow recently added virHostGetDRMRenderNode - rendernode without opengl (in egl-headless for example) -> still add the node Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085 Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com> --- src/security/virt-aa-helper.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 64a425671d..327a8a0202 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -938,7 +938,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio = false, needsvhost = false; + bool needsVfio = false, needsvhost = false, needDefaultRenderNode = false; /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); @@ -1062,6 +1062,10 @@ get_files(vahControl * ctl) for (i = 0; i < ctl->def->ngraphics; i++) { virDomainGraphicsDefPtr graphics = ctl->def->graphics[i]; size_t n; + const char *rendernode = virDomainGraphicsGetRenderNode(graphics); + + if (rendernode) + vah_add_file(&buf, rendernode, "rw"); for (n = 0; n < graphics->nListens; n++) { virDomainGraphicsListenDef listenObj = graphics->listens[n]; @@ -1071,6 +1075,20 @@ get_files(vahControl * ctl) vah_add_file(&buf, listenObj.socket, "rw")) goto cleanup; } + + if (graphics->data.spice.gl == VIR_TRISTATE_BOOL_YES) { + if (!rendernode) + needDefaultRenderNode = true; + } + } + + if (virDomainGraphicsDefHasOpenGL(ctl->def)) + vah_add_file(&buf, "/dev/dri", "r"); + + if (needDefaultRenderNode) { + const char *rendernode = virHostGetDRMRenderNode(); + if (rendernode) + vah_add_file(&buf, virHostGetDRMRenderNode(), "rw"); } if (ctl->def->ngraphics == 1 && -- 2.17.1

3 4

[libvirt] [PATCHv2 0/8]
by Ján Tomko 22 Jan '19

22 Jan '19

For: https://bugzilla.redhat.com/show_bug.cgi?id=1602418 v1: https://www.redhat.com/archives/libvir-list/2019-January/msg00490.html v2: * fixed memory leaks pointed out by John in v1 Patches without R-b: [4/8] cowardly refused to unref the private data in Secret.*Destroy [8/8] fixed the logic to include checking whether the domain actually has a VNC graphics and amended the commit message Ján Tomko (8): conf: introduce virDomainGraphicsNew conf: add privateData to virDomainGraphicsDef qemu: add qemuDomainGraphicsPrivate data with a tlsAlias qemu: prepare secret for the graphics upfront qemu_process: fix debug message qemu.conf: add vnc_tls_x509_secret_uuid qemu: add support for encrypted VNC TLS keys qemu: error out when vnc vncTLSx509secretUUID is unsupported src/conf/domain_conf.c | 30 ++++- src/conf/domain_conf.h | 5 + src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf | 6 + src/qemu/qemu_command.c | 19 +++- src/qemu/qemu_conf.c | 4 + src/qemu/qemu_conf.h | 1 + src/qemu/qemu_domain.c | 107 ++++++++++++++++++ src/qemu/qemu_domain.h | 13 +++ src/qemu/qemu_process.c | 2 +- src/qemu/test_libvirtd_qemu.aug.in | 1 + ...graphics-vnc-tls-secret.x86_64-latest.args | 36 ++++++ .../graphics-vnc-tls-secret.xml | 30 +++++ tests/qemuxml2argvtest.c | 5 + 14 files changed, 250 insertions(+), 10 deletions(-) create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml -- 2.20.1

2 10

[libvirt] [PATCH] docs: use JavaScript based PolicyKit .rules files
by Mark McLoughlin 22 Jan '19

22 Jan '19

PolicyKit authentication rules have switched to a JavaScript based format quite some time ago. See: http://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html While backwards compat for the old .pkla format is still available, it makes sense to point people first at the new format. The SSHPolicyKitSetup wiki page seems pretty stale, so remove the reference to it. Signed-off-by: Mark McLoughlin <markmc(a)redhat.com> --- docs/auth.html.in | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/docs/auth.html.in b/docs/auth.html.in index afd6cd7f9b..33afe0a8ad 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -184,15 +184,29 @@ Default policy will still allow any application to connect to the RO socket. The default policy can be overridden by creating a new policy file in the -local override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>. -Policy files should have a unique name ending with .pkla. Using reverse DNS -naming works well. Information on the options available can be found by -reading the pklocalauthority man page. The two libvirt daemon actions -available are named <code>org.libvirt.unix.manage</code> for full management -access, and <code>org.libvirt.unix.monitor</code> for read-only access. +<code>/etc/polkit-1/rules.d</code> directory. Information on the options +available can be found by reading the <code>polkit(8)</code> man page. The +two libvirt actions are named <code>org.libvirt.unix.manage</code> for full +management access, and <code>org.libvirt.unix.monitor</code> for read-only +access. + + +As an example, creating <code>/etc/polkit-1/rules.d/80-libvirt-manage.rules</code> +with the following gives the user <code>fred</code> full management access +when accessing from an active local session: +<pre>polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.local && subject.active && subject.user == "fred") { + return polkit.Result.YES; + } +});</pre> -As an example, this gives the user <code>fred</code> full management access: +Older versions of PolicyKit used policy files ending with .pkla in the +local override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>. +Compatibility with this older format is provided by <a +href="https://pagure.io/polkit-pkla-compat">polkit-pkla-compat</a>. As an +example, this gives the user <code>fred</code> full management access: <pre>[Allow fred libvirt management permissions] Identity=unix-user:fred @@ -200,10 +214,6 @@ Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes</pre> - -Further examples of PolicyKit setup can be found on the -<a href="http://wiki.libvirt.org/page/SSHPolicyKitSetup">wiki page</a>. - <h2><a id="ACL_server_sasl">SASL pluggable authentication</a></h2> -- 2.20.1

2 1

[libvirt] [PATCH 0/2] qemu: Don't format 'cache' for empty cdroms
by Peter Krempa 22 Jan '19

22 Jan '19

See patch 2/2 for explanation. Peter Krempa (2): tests: qemuxml2argv: Add test case for empty CDROM with cache mode qemu: command: Don't format image properties for empty -drive src/qemu/qemu_command.c | 47 ++++++++++--------- tests/qemuxml2argvdata/disk-cdrom.args | 6 ++- .../disk-cdrom.x86_64-2.12.0.args | 9 ++-- .../disk-cdrom.x86_64-latest.args | 9 ++-- tests/qemuxml2argvdata/disk-cdrom.xml | 6 +++ tests/qemuxml2xmloutdata/disk-cdrom.xml | 6 +++ 6 files changed, 52 insertions(+), 31 deletions(-) -- 2.20.1

3 9

[libvirt] [PATCH 0/4] qemu_conf: use VIR_AUTOFREE in the recently created
by Ján Tomko 21 Jan '19

21 Jan '19

Ján Tomko (4): virQEMUDriverConfigLoadProcessEntry: use VIR_AUTOFREE virQEMUDriverConfigLoadNVRAMEntry: use VIR_AUTOFREE virQEMUDriverConfigLoadSecurityEntry: use VIR_AUTOFREE virQEMUDriverConfigLoadSWTPMEntry: use VIR_AUTOFREE src/qemu/qemu_conf.c | 131 +++++++++++++++++++++------------------------------ 1 file changed, 55 insertions(+), 76 deletions(-) -- 2.16.4

2 8

[libvirt] [PATCH] rpm spec: don't assume %{fedora} exists as a macro
by Daniel P. Berrangé 21 Jan '19

21 Jan '19

Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- Pushed under the "fix the previous build breaker fix" rule :-( Sorry. libvirt.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 567721f424..823f0753ae 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -110,7 +110,7 @@ %endif # Ceph dropping support for 32-bit hosts -%if 0%{fedora} >= 30 +%if 0%{?fedora} >= 30 %ifarch %{arm} %{ix86} %define with_storage_rbd 0 %endif -- 2.20.1

2 1