Re: [libvirt] [PATCH v2 1/1] IDE: deprecate ide-drive
by Peter Krempa
On Thu, Oct 10, 2019 at 13:22:37 +0200, Philippe Mathieu-Daudé wrote:
> On 10/10/19 12:43 AM, John Snow wrote:
> > It's an old compatibility shim that just delegates to ide-cd or ide-hd.
> > I'd like to refactor these some day, and getting rid of the super-object
> > will make that easier.
> >
> > Either way, we don't need this.
> >
> > Libvirt-checked-by: Peter Krempa <pkrempa(a)redhat.com>
>
> Peter made a comment regarding Laszlo's Regression-tested-by tag:
>
> [...] nobody else is using
> this convention (there are exactly 0 instances of
> "Regression-tested-by" in the project git log as far as
> I can see), and so in practice people reading the commits
> won't really know what you meant by it. Everybody else
> on the project uses "Tested-by" to mean either of the
> two cases you describe above, without distinction...
>
> It probably applies to 'Libvirt-checked-by' too.
I certainly didn't test it. So feel free to drop that line altogether.
5 years, 2 months
Re: [libvirt] [PATCH 0/4] PCI multifunction partial assignment support
by Abdulla Bubshait
On Mon, 7 Oct 2019 18:11:32 -0300
Daniel Henrique Barboza <danielhb413 gmail com> wrote:
> This series tries to solve the partial assignment of multifunction
> hostdev PCI devices by introducing a new hostdev attribute called
> 'assigned'. This is how it works:
>
> - it is a boolean value that will be effective just for
> multifunction hostdev PCI devices, since there's no other
> occurrence for this kind of use in Libvirt. Trying to
> declare assign='yes|no' in any other PCI hostdev device
> will cause parse errors;
I think this functionality should be available to all hostdev PCI
devices and not just multifunction ones. You might have several
devices that are part of the same IOMMU group that you don't mind
giving up from the host, but don't want to supply all of them to the
guest. This would be an alternative to using ACS patch in these
situations.
One example is having two nvme drives in a single IOMMU group, you
will be able to pass a single one to the guest rather than being
forced to pass both.
5 years, 2 months
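Added example, not part of the original post and not libvirt code: a shell sketch that lists the devices sharing an IOMMU group with a given PCI device and reports which of them are still bound to a host driver, which is the situation the reply describes with two NVMe drives in one group. The function names, PCI addresses and group number are made up, and the tree is a constructed stand-in for /sys so the script runs offline.

```shell
#!/bin/sh
# Added example (not libvirt code): inspect the IOMMU group of a PCI device.
# The sysfs root is a parameter so the demo can run against a constructed tree.

# iommu_peers ROOT ADDR: print "ADDR DRIVER" for each device in ADDR's group.
iommu_peers() {
    group="$1/bus/pci/devices/$2/iommu_group"
    [ -d "$group/devices" ] || { echo "no IOMMU group for $2" >&2; return 1; }
    for peer in "$group"/devices/*; do
        drv=none
        [ -L "$peer/driver" ] && drv=$(basename "$(readlink "$peer/driver")")
        echo "${peer##*/} $drv"
    done
}

# group_blockers ROOT ADDR: peers still bound to a host driver. Simplified
# rule: unbound, vfio-pci and pci-stub are treated as released from the host.
group_blockers() {
    iommu_peers "$1" "$2" | while read -r addr drv; do
        case $drv in
            none|vfio-pci|pci-stub) ;;
            *) echo "$addr $drv" ;;
        esac
    done
}

# make_demo_sysfs: build a constructed sysfs-like tree with two NVMe
# controllers sharing IOMMU group 7 (addresses and group number are made up).
make_demo_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/bus/pci/devices" "$root/kernel/iommu_groups/7/devices"
    for spec in 0000:01:00.0=vfio-pci 0000:02:00.0=nvme; do
        addr=${spec%%=*}; drv=${spec#*=}
        mkdir -p "$root/devices/$addr"
        ln -s "$root/bus/pci/drivers/$drv" "$root/devices/$addr/driver"
        ln -s "$root/kernel/iommu_groups/7" "$root/devices/$addr/iommu_group"
        ln -s "$root/devices/$addr" "$root/bus/pci/devices/$addr"
        ln -s "$root/devices/$addr" "$root/kernel/iommu_groups/7/devices/$addr"
    done
    echo "$root"
}

demo=$(make_demo_sysfs)
group_blockers "$demo" 0000:01:00.0   # prints: 0000:02:00.0 nvme
rm -rf "$demo"
```

On a real host the first argument would be /sys; an empty result from group_blockers means every device in the group has been released from its host driver.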
[libvirt] [PATCH 0/3] security: Don't remember labels for TPM
by Michal Privoznik
As it turns out, /dev/tpm0 can't be opened more than once. This doesn't
fit into our seclabel remembering approach and thus disable it for TPM
devices.
There's also another type of files which can't be opened more than once
- /dev/vfio/N. Usually, this won't be a problem unless users try to
attach/detach some devices from the same IOMMU group. This will require
more treatment though because it's broken on more levels.
1) we remove /dev/vfio/N in private devtmpfs on device detach, even
though there is another device still attached to domain from the
same IOMMU group,
2) we remove the IOMMU group from CGroups, i.e. we effectively deny
access to qemu
3) we restore seclabels (regardless of seclabel remembering)
Therefore, I'm only addressing TPM issue here and will continue work on
hostdevs.
Michal Prívozník (3):
security: Try to lock only paths with remember == true
security_dac: Allow selective remember/recall for chardevs
security: Don't remember labels for TPM
src/security/security_dac.c | 91 ++++++++++++++++++++++-----------
src/security/security_selinux.c | 16 +++---
2 files changed, 71 insertions(+), 36 deletions(-)
--
2.21.0
5 years, 2 months
[libvirt] [PATCH] security: apparmor: Allow RO /usr/share/edk2/
by Cole Robinson
On Fedora, already whitelisted paths to AAVMF and OVMF binaries
are symlinks to binaries under /usr/share/edk2/. Add that directory
to the RO whitelist so virt-aa-helper-test passes
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
I don't know if anyone is actually using apparmor on Fedora, but
I have the libs installed now for testing. I think the better thing
to do would be to adjust virt-aa-helper-test to not touch host
state
src/security/virt-aa-helper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d9f6b5638b..509187ac36 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -505,6 +505,7 @@ valid_path(const char *path, const bool readonly)
"/vmlinuz",
"/initrd",
"/initrd.img",
+ "/usr/share/edk2/",
"/usr/share/OVMF/", /* for OVMF images */
"/usr/share/ovmf/", /* for OVMF images */
"/usr/share/AAVMF/", /* for AAVMF images */
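Review bot: the added "/usr/share/edk2/" entry is the only firmware directory in this part of the list without a trailing comment, and it is a wider prefix than its neighbours: it admits every file under /usr/share/edk2/, not only the OVMF and AAVMF images the commit message refers to. Suggest adding a comment saying it is the Fedora symlink target for the OVMF and AAVMF paths, and, if the subdirectories that hold those images are known, listing them instead of the parent directory.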
--
2.23.0
5 years, 2 months
[libvirt] [PATCH 0/2] tests: Add capabilities for QEMU 4.2.0 on ppc64 and aarch64
by Andrea Bolognani
This will be useful to test Jirka's changes to how we handle default
CPU models on more architectures.
The version posted to the list is heavily snipped, but you can grab
the full one with
$ git fetch https://gitlab.com/abologna/libvirt caps-4.2.0
Andrea Bolognani (2):
tests: Add capabilities for QEMU 4.2.0 on ppc64
tests: Add capabilities for QEMU 4.2.0 on aarch64
.../caps_4.2.0.aarch64.replies | 20684 +++++++++++++
.../caps_4.2.0.aarch64.xml | 321 +
.../caps_4.2.0.ppc64.replies | 24406 ++++++++++++++++
.../qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1087 +
4 files changed, 46498 insertions(+)
create mode 100644 tests/qemucapabilitiesdata/caps_4.2.0.aarch64.replies
create mode 100644 tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
create mode 100644 tests/qemucapabilitiesdata/caps_4.2.0.ppc64.replies
create mode 100644 tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
--
2.21.0
5 years, 2 months
[libvirt] [jenkins-ci PATCH] lcitool: Force LANG=en_US.UTF-8 for the containers
by Fabiano Fidêncio
As we cannot and should not rely on how the containers were generated,
let's force the container LANG to be en_US.UTF-8, otherwise some
containers (Debian 9, Ubuntu 16, and Ubuntu 18) would simply bail when
dealing with environment variables inherited from Gitlab CI which
contain non-POSIX characters, such as "Fidêncio".
Unfortunately, there's no standard way to do this across different
distros, leaving us with this "happy little accident" of setting up LANG
in the way it's done right now.
Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com>
---
guests/lcitool | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/guests/lcitool b/guests/lcitool
index 49bb50b..a630971 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -735,6 +735,10 @@ class Application:
RUN pip3 install {pip_pkgs}
""").format(**varmap))
+ sys.stdout.write(textwrap.dedent("""
+ ENV LANG "en_US.UTF-8"
+ """).format(**varmap))
+
if args.cross_arch:
sys.stdout.write(textwrap.dedent("""
ENV ABI "{cross_abi}"
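Review bot: the added write calls .format(**varmap) on a template that has no placeholders, so the call does nothing today and would raise or substitute unexpectedly if literal braces were ever added to that text; drop the .format() call here. A one-line comment above the write saying why LANG is forced (containers bailing on non-ASCII values inherited from the CI environment, per the commit message) would also stop it from being removed later as redundant.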
--
2.23.0
5 years, 2 months
[libvirt] [PATCH v2 1/3] libxl: add acpi slic table support
by Marek Marczykowski-Górecki
From: Ivan Kardykov <kardykov(a)tabit.pro>
The libxl driver did not support setting up additional ACPI firmware for
Xen guests. It is necessary to activate OEM Windows installs. This patch
allows defining the ACPI table param in the OS section (which is supported
by the common domain schema).
Signed-off-by: Ivan Kardykov <kardykov(a)tabit.pro>
[added info to docs/formatdomain.html.in]
Signed-off-by: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com>
---
docs/formatdomain.html.in | 3 ++-
src/libxl/libxl_conf.c | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 86a5261..c80f09a 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -363,7 +363,8 @@
<dd>The <code>table</code> element contains a fully-qualified path
to the ACPI table. The <code>type</code> attribute contains the
ACPI table type (currently only <code>slic</code> is supported)
- <span class="since">Since 1.3.5 (QEMU only)</span></dd>
+ <span class="since">Since 1.3.5 (QEMU)</span>
+ <span class="since">Since 5.8.0 (Xen)</span></dd>
</dl>
<h4><a id="elementsOSContainer">Container boot</a></h4>
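Review bot: "Since 5.8.0 (Xen)" hard-codes the release this series is expected to land in, so the number has to be rechecked at merge time and bumped if the series misses that release. The sentence above it still says only that slic is supported, which is fine, but it may be worth stating for Xen readers that the path is handed to the guest as ACPI firmware, matching what the libxl_conf.c change does.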
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index c76704a..c0d4861 100644
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -506,6 +506,11 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
def->features[VIR_DOMAIN_FEATURE_ACPI] ==
VIR_TRISTATE_SWITCH_ON);
+ /* copy SLIC table path to acpi_firmware */
+ if (def->os.slic_table &&
+ VIR_STRDUP(b_info->u.hvm.acpi_firmware, def->os.slic_table) < 0)
+ return -1;
+
if (def->nsounds > 0) {
/*
* Use first sound device. man xl.cfg(5) describes soundhw as
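Review bot: the new assignment writes b_info->u.hvm.acpi_firmware, but the visible context does not show that this code is reached only for HVM guests; please confirm it sits inside the HVM branch of libxlMakeDomBuildInfo, since u is a union and the write would otherwise land in another guest type's fields. The value of def->os.slic_table is also copied as given, so the comment could say where the path is validated, or that a missing or unreadable file is left for libxl to report at domain creation.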
base-commit: 281a7f1d400aeb0d4d53dd3b628b7275f49854d0
--
git-series 0.9.1
5 years, 2 months
[libvirt] [PATCH 0/5] security_stack: Perform rollback if one of stacked drivers fails
by Michal Privoznik
See 5/5 for explanation.
Michal Prívozník (5):
security: Pass @migrated to virSecurityManagerSetAllLabel
security: Rename virSecurityManagerGetDriver() to
virSecurityManagerGetVirtDriver()
security: Introduce virSecurityManagerGetDriver()
security_stack: Turn list of nested drivers into a doubly linked list
security_stack: Perform rollback if one of stacked drivers fails
src/lxc/lxc_process.c | 2 +-
src/qemu/qemu_process.c | 3 +-
src/qemu/qemu_security.c | 6 +-
src/qemu/qemu_security.h | 3 +-
src/security/security_apparmor.c | 3 +-
src/security/security_dac.c | 3 +-
src/security/security_driver.h | 3 +-
src/security/security_manager.c | 17 ++-
src/security/security_manager.h | 4 +-
src/security/security_nop.c | 3 +-
src/security/security_selinux.c | 9 +-
src/security/security_stack.c | 220 +++++++++++++++++++++++++------
tests/qemusecuritytest.c | 2 +-
tests/securityselinuxlabeltest.c | 2 +-
14 files changed, 222 insertions(+), 58 deletions(-)
--
2.21.0
5 years, 2 months