[PATCH 0/5] Deduplicate some of validation code
by Michal Privoznik
These stemmed from Cole's comment on my patches:
https://www.redhat.com/archives/libvir-list/2020-November/msg00888.html
The approach might not be that obvious at first because domCaps does
qemuCaps to device model translation and during validation we want
the exact opposite - we have parsed device model and want to check
whether qemuCaps has corresponding capability.
But what we can do is let domCaps code fill a bitmap of supported
device models and then check if the bit that corresponds to parsed
device model is set.
In this series I'm fixing RNG and video models, which were checked
this way until very recently (until I touched the code). And also
I'm introducing graphics check (which is new) because that one
looked the most sane from virQEMUCapsFillDomainCaps(). The rest
there, not that much.
Michal Prívozník (5):
domain_capabilities: Introduce VIR_DOMAIN_CAPS_ENUM_IS_SET
qemu_validate: Deduplicate code for video model check
qemu_validate: Deduplicate code for RNG model check
domcaps: Report egl-headless graphics type
qemu_validate: Deduplicate code for graphics type check
src/conf/domain_capabilities.c | 2 +-
src/conf/domain_capabilities.h | 2 +
src/qemu/qemu_capabilities.c | 8 +-
src/qemu/qemu_capabilities.h | 9 ++
src/qemu/qemu_validate.c | 107 ++++--------------
.../domaincapsdata/qemu_2.10.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.10.0-tcg.x86_64.xml | 1 +
.../qemu_2.10.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.10.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.11.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.11.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_2.12.0-tcg.x86_64.xml | 1 +
.../qemu_2.12.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_2.12.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.0.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_3.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_3.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_3.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.0.0-tcg.x86_64.xml | 1 +
.../qemu_4.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_4.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 1 +
.../qemu_4.2.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.s390x.xml | 1 +
tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 1 +
.../qemu_5.0.0-virt.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 1 +
tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 1 +
.../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 1 +
tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 1 +
61 files changed, 97 insertions(+), 87 deletions(-)
--
2.26.2
4 years, 1 month
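The bitmap approach described in the cover letter above, as an added example that is not libvirt code: one function translates capability flags into a bitmap of supported models, and validation only tests the bit for the parsed model. All type, flag and function names are hypothetical stand-ins; only the idea of a per-enum bitmap tested with an IS_SET-style macro comes from the series.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical parsed device models (what the XML parser hands to validation). */
typedef enum { MODEL_VGA, MODEL_CIRRUS, MODEL_QXL, MODEL_VIRTIO, MODEL_LAST } VideoModel;

/* Hypothetical emulator capability flags (what probing the binary reports). */
enum {
    CAP_DEVICE_VGA        = 1u << 0,
    CAP_DEVICE_CIRRUS_VGA = 1u << 1,
    CAP_DEVICE_QXL        = 1u << 2,
    CAP_DEVICE_VIRTIO_GPU = 1u << 3,
};

/* One bit per model value, mirroring the idea of a domain capabilities enum. */
typedef struct {
    bool report;
    unsigned int values;
} CapsEnum;

#define CAPS_ENUM_SET(e, v)    ((e).values |= 1u << (v))
#define CAPS_ENUM_IS_SET(e, v) (((e).values & (1u << (v))) != 0)

/* Capability -> model translation. This table is the only place that knows
 * which flag enables which model, so reporting and validation cannot drift. */
static void fill_video_models(unsigned int emu_caps, CapsEnum *models)
{
    static const struct { unsigned int cap; VideoModel model; } map[] = {
        { CAP_DEVICE_VGA,        MODEL_VGA },
        { CAP_DEVICE_CIRRUS_VGA, MODEL_CIRRUS },
        { CAP_DEVICE_QXL,        MODEL_QXL },
        { CAP_DEVICE_VIRTIO_GPU, MODEL_VIRTIO },
    };
    size_t i;

    models->report = true;
    models->values = 0;
    for (i = 0; i < sizeof(map) / sizeof(map[0]); i++) {
        if (emu_caps & map[i].cap)
            CAPS_ENUM_SET(*models, map[i].model);
    }
}

/* Model -> capability check, done by testing the bit instead of repeating
 * the mapping in a second switch. Returns 0 if supported, -1 otherwise. */
static int validate_video_model(unsigned int emu_caps, int parsed_model)
{
    CapsEnum models;

    /* Reject values outside the enum before shifting by them. */
    if (parsed_model < 0 || parsed_model >= MODEL_LAST)
        return -1;

    fill_video_models(emu_caps, &models);
    return CAPS_ENUM_IS_SET(models, parsed_model) ? 0 : -1;
}

int main(void)
{
    unsigned int emu_caps = CAP_DEVICE_VGA | CAP_DEVICE_QXL; /* constructed sample */

    printf("qxl:    %d\n", validate_video_model(emu_caps, MODEL_QXL));
    printf("virtio: %d\n", validate_video_model(emu_caps, MODEL_VIRTIO));
    return 0;
}
```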
[PATCH] virsh: Added attach-disk support for network disk
by Ryan Gahagan
Related issue: https://gitlab.com/libvirt/libvirt/-/issues/16
Added in support for the following parameters in attach-disk:
--source-protocol
--source-host-name
--source-host-socket
--source-host-transport
Added documentation to virsh.rst specifying usage.
Signed-off-by: Ryan Gahagan <rgahagan(a)cs.utexas.edu>
---
docs/manpages/virsh.rst | 26 ++++++++++---
tools/virsh-domain.c | 85 ++++++++++++++++++++++++++++++++++++++---
2 files changed, 100 insertions(+), 11 deletions(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index bfd26e3120..a4d70e9211 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -4500,14 +4500,18 @@ attach-disk
[--current]] | [--persistent]] [--targetbus bus]
[--driver driver] [--subdriver subdriver] [--iothread iothread]
[--cache cache] [--io io] [--type type] [--alias alias]
- [--mode mode] [--sourcetype sourcetype] [--serial serial]
- [--wwn wwn] [--rawio] [--address address] [--multifunction]
- [--print-xml]
+ [--mode mode] [--sourcetype sourcetype]
+ [--source-protocol protocol] [--source-host-name hostname:port]
+ [--source-host-transport transport] [--source-host-socket socket]
+ [--serial serial] [--wwn wwn] [--rawio] [--address address]
+ [--multifunction] [--print-xml]
Attach a new disk device to the domain.
-*source* is path for the files and devices. *target* controls the bus or
-device under which the disk is exposed to the guest OS. It indicates the
-"logical" device name; the optional *targetbus* attribute specifies the type
+*source* is path for the files and devices unless *--source-protocol*
+is specified, in which case *source* is the name of a network disk.
+*target* controls the bus or device under which the disk is exposed
+to the guest OS. It indicates the "logical" device name;
+the optional *targetbus* attribute specifies the type
of disk device to emulate; possible values are driver specific, with typical
values being *ide*, *scsi*, *virtio*, *xen*, *usb*, *sata*, or *sd*, if
omitted, the bus type is inferred from the style of the device name (e.g. a
@@ -4541,6 +4545,16 @@ ccw:cssid.ssid.devno. Virtio-ccw devices must have their cssid set to 0xfe.
*multifunction* indicates specified pci address is a multifunction pci device
address.
+There is also support for using a network disk. As specified, the user can
+provide a *--source-protocol* in which case the *source* parameter will
+be interpreted as the source name. *--source-protocol* must be provided
+if the user also wishes to provide host information.
+Host information can be provided using any of the tags
+*--source-host-name*, *--source-host-transport*, and *--source-host-socket*,
+which respectively denote the name of the host, the host's transport method,
+and the socket that the host uses. The *--source-host-name* parameter
+supports host:port syntax if the user wants to provide a port as well.
+
If *--print-xml* is specified, then the XML of the disk that would be attached
is printed instead.
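Review bot: The new paragraph after the *multifunction* text does not say which values *--source-protocol* and *--source-host-transport* accept, or how *--source-host-name* and *--source-host-socket* relate when both are given. List the accepted values (or point to where they are documented), and call these "options" rather than "tags", since they are command-line options.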
diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index 12b35c037d..4c43da7a2c 100644
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -222,7 +222,7 @@ static const vshCmdOptDef opts_attach_disk[] = {
{.name = "source",
.type = VSH_OT_DATA,
.flags = VSH_OFLAG_REQ | VSH_OFLAG_EMPTY_OK,
- .help = N_("source of disk device")
+ .help = N_("source of disk device or name of network disk")
},
{.name = "target",
.type = VSH_OT_DATA,
@@ -298,6 +298,22 @@ static const vshCmdOptDef opts_attach_disk[] = {
.type = VSH_OT_BOOL,
.help = N_("print XML document rather than attach the disk")
},
+ {.name = "source-protocol",
+ .type = VSH_OT_STRING,
+ .help = N_("protocol used by disk device source")
+ },
+ {.name = "source-host-name",
+ .type = VSH_OT_STRING,
+ .help = N_("host name for source of disk device")
+ },
+ {.name = "source-host-transport",
+ .type = VSH_OT_STRING,
+ .help = N_("host transport for source of disk device")
+ },
+ {.name = "source-host-socket",
+ .type = VSH_OT_STRING,
+ .help = N_("host socket for source of disk device")
+ },
VIRSH_COMMON_OPT_DOMAIN_PERSISTENT,
VIRSH_COMMON_OPT_DOMAIN_CONFIG,
VIRSH_COMMON_OPT_DOMAIN_LIVE,
@@ -567,6 +583,12 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
*iothread = NULL, *cache = NULL, *io = NULL,
*serial = NULL, *straddr = NULL, *wwn = NULL,
*targetbus = NULL, *alias = NULL;
+ const char *source_protocol = NULL;
+ const char *host_name = NULL;
+ const char *host_transport = NULL;
+ const char *host_socket = NULL;
+ char *host_name_copy = NULL;
+ char *host_port = NULL;
struct DiskAddress diskAddr;
bool isFile = false, functionReturn = false;
int ret;
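Review bot: host_name_copy is a heap copy (it is filled by g_strdup() further down) and nothing in this patch frees it, so declare it as g_autofree char *host_name_copy = NULL; or release it on the cleanup path. host_port only points into that copy and needs no free of its own, which is worth a short comment next to the declaration.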
@@ -604,7 +626,11 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
vshCommandOptStringReq(ctl, cmd, "address", &straddr) < 0 ||
vshCommandOptStringReq(ctl, cmd, "targetbus", &targetbus) < 0 ||
vshCommandOptStringReq(ctl, cmd, "alias", &alias) < 0 ||
- vshCommandOptStringReq(ctl, cmd, "sourcetype", &stype) < 0)
+ vshCommandOptStringReq(ctl, cmd, "sourcetype", &stype) < 0 ||
+ vshCommandOptStringReq(ctl, cmd, "source-protocol", &source_protocol) < 0 ||
+ vshCommandOptStringReq(ctl, cmd, "source-host-name", &host_name) < 0 ||
+ vshCommandOptStringReq(ctl, cmd, "source-host-transport", &host_transport) < 0 ||
+ vshCommandOptStringReq(ctl, cmd, "source-host-socket", &host_socket) < 0)
goto cleanup;
if (!stype) {
@@ -632,6 +658,13 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
if (wwn && !virValidateWWN(wwn))
goto cleanup;
+ if (!source_protocol && (host_name || host_socket || host_transport)) {
+ /* Error: cannot use network host without a source protocol */
+ vshError(ctl, "%s",
+ _("Cannot use --source-host-* parameters without a --source-protocol"));
+ goto cleanup;
+ }
+
/* Make XML of disk */
virBufferAsprintf(&buf, "<disk type='%s'",
isFile ? "file" : "block");
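Review bot: The context lines right after the new check still emit <disk type='%s' with isFile ? "file" : "block", so a disk given --source-protocol is written as a file or block disk even though its <source> carries protocol= and name=. Emit type='network' when source_protocol is set, and consider rejecting a --sourcetype that contradicts it. The comment above vshError() only restates the message and can be dropped.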
@@ -659,9 +692,51 @@ cmdAttachDisk(vshControl *ctl, const vshCmd *cmd)
virBufferAddLit(&buf, "/>\n");
}
- if (source)
- virBufferAsprintf(&buf, "<source %s='%s'/>\n",
- isFile ? "file" : "dev", source);
+ if (source || source_protocol) {
+ virBufferAddLit(&buf, "<source");
+ if (source_protocol) {
+ /* Using a network disk; source is --source-name */
+ virBufferAsprintf(&buf, " protocol='%s'", source_protocol);
+ if (source)
+ virBufferAsprintf(&buf, " name='%s'", source);
+
+ if (host_name || host_socket || host_transport) {
+ /* Host information provided, add a <host> tag */
+ virBufferAddLit(&buf, ">\n");
+ virBufferAdjustIndent(&buf, 2);
+ virBufferAddLit(&buf, "<host");
+
+ if (host_name) {
+ /* Logic for host:port syntax */
+ host_name_copy = g_strdup(host_name);
+ host_port = strchr(host_name_copy, ':');
+
+ if (host_port) {
+ host_name_copy[(int)(host_port - host_name_copy)] = '\0';
+ virBufferAsprintf(&buf,
+ " name='%s' port='%s'",
+ host_name_copy, host_port);
+ } else {
+ virBufferAsprintf(&buf, " name='%s'", host_name);
+ }
+ }
+
+ if (host_transport)
+ virBufferAsprintf(&buf, " transport='%s'", host_transport);
+ if (host_socket)
+ virBufferAsprintf(&buf, " socket='%s'", host_socket);
+ virBufferAddLit(&buf, "/>\n");
+ virBufferAdjustIndent(&buf, -2);
+ virBufferAddLit(&buf, "</source>\n");
+ }
+ } else {
+ /* Using a local disk; source is file or dev */
+ virBufferAsprintf(&buf, " %s='%s'",
+ isFile ? "file" : "dev", source);
+ virBufferAddLit(&buf, "/>\n");
+ }
+ }
+
virBufferAsprintf(&buf, "<target dev='%s'", target);
if (targetbus)
virBufferAsprintf(&buf, " bus='%s'", targetbus);
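Review bot: In the network branch the <source element is only closed inside the if (host_name || host_socket || host_transport) block, so --source-protocol without any host option leaves the element unterminated; add an else that emits "/>\n". In the host:port split, host_port still points at the byte that was just overwritten with '\0', so port='%s' always prints an empty string; advance past the separator first, for example *host_port++ = '\0';. Splitting at the first ':' also mishandles host names that contain colons, such as IPv6 literals. Finally, every user-supplied value in this hunk is interpolated with a plain '%s' between single quotes, so a quote or '<' in an argument changes the generated XML; virBufferEscapeString() avoids that.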
--
2.29.0
4 years, 1 month
[PATCH for-5.2] docs: Fix some typos (found by codespell)
by Stefan Weil
Fix also a similar typo in a code comment.
Signed-off-by: Stefan Weil <sw(a)weilnetz.de>
---
docs/can.txt | 8 ++++----
docs/interop/vhost-user.rst | 2 +-
docs/replay.txt | 2 +-
docs/specs/ppc-spapr-numa.rst | 2 +-
docs/system/deprecated.rst | 4 ++--
docs/tools/virtiofsd.rst | 2 +-
hw/vfio/igd.c | 2 +-
7 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/docs/can.txt b/docs/can.txt
index 5838f6620c..0d310237df 100644
--- a/docs/can.txt
+++ b/docs/can.txt
@@ -19,7 +19,7 @@ interface to implement because such device can be easily connected
to systems with different CPU architectures (x86, PowerPC, Arm, etc.).
In 2020, CTU CAN FD controller model has been added as part
-of the bachelor theses of Jan Charvat. This controller is complete
+of the bachelor thesis of Jan Charvat. This controller is complete
open-source/design/hardware solution. The core designer
of the project is Ondrej Ille, the financial support has been
provided by CTU, and more companies including Volkswagen subsidiaries.
@@ -31,7 +31,7 @@ testing lead to goal change to provide environment which provides complete
emulated environment for testing and RTEMS GSoC slot has been donated
to work on CAN hardware emulation on QEMU.
-Examples how to use CAN emulation for SJA1000 based borads
+Examples how to use CAN emulation for SJA1000 based boards
==========================================================
When QEMU with CAN PCI support is compiled then one of the next
@@ -106,8 +106,8 @@ This open-source core provides CAN FD support. CAN FD drames are
delivered even to the host systems when SocketCAN interface is found
CAN FD capable.
-The PCIe borad emulation is provided for now (the device identifier is
-ctucan_pci). The defauld build defines two CTU CAN FD cores
+The PCIe board emulation is provided for now (the device identifier is
+ctucan_pci). The default build defines two CTU CAN FD cores
on the board.
Example how to connect the canbus0-bus (virtual wire) to the host
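Review bot: The section line shown in this hunk's header still reads "CAN FD drames are", which looks like "frames" misspelled in the sentence just above the lines fixed here. Worth correcting in the same pass.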
diff --git a/docs/interop/vhost-user.rst b/docs/interop/vhost-user.rst
index 988f154144..72b2e8c7ba 100644
--- a/docs/interop/vhost-user.rst
+++ b/docs/interop/vhost-user.rst
@@ -513,7 +513,7 @@ descriptor table (split virtqueue) or descriptor ring (packed
virtqueue). However, it can't work when we process descriptors
out-of-order because some entries which store the information of
inflight descriptors in available ring (split virtqueue) or descriptor
-ring (packed virtqueue) might be overrided by new entries. To solve
+ring (packed virtqueue) might be overridden by new entries. To solve
this problem, slave need to allocate an extra buffer to store this
information of inflight descriptors and share it with master for
persistent. ``VHOST_USER_GET_INFLIGHT_FD`` and
diff --git a/docs/replay.txt b/docs/replay.txt
index 87a64ae068..5b008ca491 100644
--- a/docs/replay.txt
+++ b/docs/replay.txt
@@ -328,7 +328,7 @@ between the snapshots. Each of the passes include the following steps:
1. loading the snapshot
2. replaying to examine the breakpoints
3. if breakpoint or watchpoint was met
- - loading the snaphot again
+ - loading the snapshot again
- replaying to the required breakpoint
4. else
- proceeding to the p.1 with the earlier snapshot
diff --git a/docs/specs/ppc-spapr-numa.rst b/docs/specs/ppc-spapr-numa.rst
index 5fca2bdd8e..ffa687dc89 100644
--- a/docs/specs/ppc-spapr-numa.rst
+++ b/docs/specs/ppc-spapr-numa.rst
@@ -198,7 +198,7 @@ This is how it is being done:
* user distance 121 and beyond will be interpreted as 160
* user distance 10 stays 10
-The reasoning behind this aproximation is to avoid any round up to the local
+The reasoning behind this approximation is to avoid any round up to the local
distance (10), keeping it exclusive to the 4th NUMA level (which is still
exclusive to the node_id). All other ranges were chosen under the developer
discretion of what would be (somewhat) sensible considering the user input.
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 32a0e620db..63e9db1463 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -465,7 +465,7 @@ default configuration.
The CPU model runnability guarantee won't apply anymore to
existing CPU models. Management software that needs runnability
-guarantees must resolve the CPU model aliases using te
+guarantees must resolve the CPU model aliases using the
``alias-of`` field returned by the ``query-cpu-definitions`` QMP
command.
@@ -637,7 +637,7 @@ Splitting RAM by default between NUMA nodes had the same issues as ``mem``
parameter with the difference that the role of the user plays QEMU using
implicit generic or board specific splitting rule.
Use ``memdev`` with *memory-backend-ram* backend or ``mem`` (if
-it's supported by used machine type) to define mapping explictly instead.
+it's supported by used machine type) to define mapping explicitly instead.
Users of existing VMs, wishing to preserve the same RAM distribution, should
configure it explicitly using ``-numa node,memdev`` options. Current RAM
distribution can be retrieved using HMP command ``info numa`` and if separate
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
index 34a9e40146..866b7db3ee 100644
--- a/docs/tools/virtiofsd.rst
+++ b/docs/tools/virtiofsd.rst
@@ -174,7 +174,7 @@ Using ':' as the separator a rule is of the form:
- 'bad' - If a client tries to use a name matching 'key' it's
denied using EPERM; when the server passes an attribute
name matching 'prepend' it's hidden. In many ways it's use is very like
- 'ok' as either an explict terminator or for special handling of certain
+ 'ok' as either an explicit terminator or for special handling of certain
patterns.
**key** is a string tested as a prefix on an attribute name originating
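Review bot: The context line directly above the fix reads "In many ways it's use is very like", where "it's" should be the possessive "its". Since the sentence is already being touched, correct it in the same patch.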
diff --git a/hw/vfio/igd.c b/hw/vfio/igd.c
index 64e332746b..470205f487 100644
--- a/hw/vfio/igd.c
+++ b/hw/vfio/igd.c
@@ -535,7 +535,7 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
}
/*
- * Assume we have no GMS memory, but allow it to be overrided by device
+ * Assume we have no GMS memory, but allow it to be overridden by device
* option (experimental). The spec doesn't actually allow zero GMS when
* when IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
* so let's not waste VM memory for it.
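Review bot: The comment being edited has a doubled word just below the fix: "allow zero GMS when" is followed on the next line by "when IVD (IGD VGA Disable) is clear". Drop one "when" while this comment is open.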
--
2.29.2
4 years, 1 month
[libvirt PATCH 00/11] fix various issues
by Pavel Hrdina
Issues reported by coverity.
Pavel Hrdina (11):
domain_conf: remove unused rc variable
domain_conf: fix NULL dereference on error in
virDomainObjCopyPersistentDef
hyperv_wmi: remove unreachable cleanup code
interface_backend_udev: refactor udevListInterfacesByStatus
qemu_command: fix FD usage in qemuBuildInterfaceCommandLine
qemu_monitor_json: explicitly ignore return values
qemu_process: no need to check for NULL
remote_driver: remove unreachable cleanup code
virdevmapper: fix stat comparison in virDMSanitizepath
vbox_common: unlock vbox_driver_lock before return
testutils: call va_end before return
src/conf/domain_conf.c | 10 +++++----
src/hyperv/hyperv_wmi.c | 12 ++---------
src/interface/interface_backend_udev.c | 13 ++---------
src/qemu/qemu_command.c | 2 +-
src/qemu/qemu_monitor_json.c | 4 ++--
src/qemu/qemu_process.c | 30 +++++++++++---------------
src/remote/remote_driver.c | 18 ++++------------
src/util/virdevmapper.c | 2 +-
src/vbox/vbox_common.c | 3 +++
tests/testutils.c | 1 +
10 files changed, 35 insertions(+), 60 deletions(-)
--
2.26.2
4 years, 1 month
[PATCH v2 0/6] Introduce OpenSSH authorized key file mgmt APIs
by Michal Privoznik
v2 of:
https://www.redhat.com/archives/libvir-list/2020-November/msg00444.html
diff to v1:
- Fixed issues raised by Peter (RO connection check, switched virsh from
ARGV to --file, etc.)
Marc-André Lureau (1):
qemu_agent: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys
Michal Prívozník (5):
Introduce OpenSSH authorized key file mgmt APIs
remote: Implement OpenSSH authorized key file mgmt APIs
virsh: Expose OpenSSH authorized key file mgmt APIs
qemu: Implement OpenSSH authorized key file mgmt APIs
news: Document recent OpenSSH authorized key file mgmt APIs
NEWS.rst | 6 +
docs/manpages/virsh.rst | 37 ++++++
include/libvirt/libvirt-domain.h | 17 +++
src/driver-hypervisor.h | 15 +++
src/libvirt-domain.c | 133 ++++++++++++++++++++++
src/libvirt_public.syms | 6 +
src/qemu/qemu_agent.c | 142 +++++++++++++++++++++++
src/qemu/qemu_agent.h | 15 +++
src/qemu/qemu_driver.c | 81 ++++++++++++++
src/remote/remote_daemon_dispatch.c | 82 ++++++++++++++
src/remote/remote_driver.c | 87 +++++++++++++++
src/remote/remote_protocol.x | 34 +++++-
src/remote_protocol-structs | 22 ++++
tests/qemuagenttest.c | 79 +++++++++++++
tools/virsh-domain.c | 167 ++++++++++++++++++++++++++++
15 files changed, 922 insertions(+), 1 deletion(-)
--
2.26.2
4 years, 1 month
[libvirt] improve security by adjusting the privileges of libvirtd processes
by yebiaoxiang
Hi Team
The daemon libvirtd runs as root user, which goes against the least privilege
security model.
root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
In addition, the "--listen" parameter exposes TCP or TLS ports on the network,
increasing the attack surface.
tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN 647824/libvirtd
tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 647824/libvirtd
I have the following puzzles:
1. Is root the least privilege required for libvirtd to manage
virtualization platforms, or is it possible to run libvirtd as a non-root user?
2. Is there any plan to resolve these security weaknesses?
(like moving the function of "--listen" to an independent non-root process,
or other better schemes)
Regards,
BiaoXiang
4 years, 1 month
[libvirt PATCH 0/2] network: Drop UUID handling for default network
by Andrea Bolognani
<blurb>cc30b49f-6084-48da-879e-55645459f2a0</blurb>
Andrea Bolognani (2):
network: Drop UUID handling for default network
spec: Drop UUID handling for default network
libvirt.spec.in | 4 ----
src/network/meson.build | 32 +++++++-------------------------
2 files changed, 7 insertions(+), 29 deletions(-)
--
2.26.2
4 years, 1 month
[libvirt PATCH 0/4] nodedev: cleanup some historical baggage
by Daniel P. Berrangé
Daniel P. Berrangé (4):
nodedev: improve debugging logs from udev device/event processing
nodedev: dont rely on ignoring errors on missing properties
nodedev: drop DKD_MEDIA_AVAILABLE property check
nodedev: report errors about missing integer properties
src/node_device/node_device_udev.c | 70 +++++++++++++-----------------
1 file changed, 30 insertions(+), 40 deletions(-)
--
2.28.0
4 years, 1 month
[PATCH] add phytium FT-2000+ and Tengyun-S2500 support on arm architecture.
by yangshaojun19@163.com
From: yangshaojun <yangshaojun(a)phytium.com.cn>
Signed-off-by: yangshaojun <yangshaojun(a)phytium.com.cn>
---
src/cpu_map/arm_Phytium.xml | 10 ++++++++++
src/cpu_map/arm_vendors.xml | 1 +
src/cpu_map/index.xml | 3 +++
3 files changed, 14 insertions(+)
create mode 100644 src/cpu_map/arm_Phytium.xml
diff --git a/src/cpu_map/arm_Phytium.xml b/src/cpu_map/arm_Phytium.xml
new file mode 100644
index 0000000..f8b4852
--- /dev/null
+++ b/src/cpu_map/arm_Phytium.xml
@@ -0,0 +1,10 @@
+<cpus>
+ <model name='FT-2000+'>
+ <vendor name='Phytium'/>
+ <pvr value='0x662'/>
+ </model>
+ <model name='Tengyun-S2500'>
+ <vendor name='Phytium'/>
+ <pvr value='0x663'/>
+ </model>
+</cpus>
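Review bot: The pvr values 0x662 and 0x663 in the two new <model> entries are not explained anywhere, and the commit message has no body. State where the values come from (vendor documentation or what was read from real hardware) so they can be checked against the vendor value 0x70 added in arm_vendors.xml.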
diff --git a/src/cpu_map/arm_vendors.xml b/src/cpu_map/arm_vendors.xml
index ff799ef..4465463 100644
--- a/src/cpu_map/arm_vendors.xml
+++ b/src/cpu_map/arm_vendors.xml
@@ -11,4 +11,5 @@
<vendor name='Qualcomm' value='0x51'/>
<vendor name='Marvell' value='0x56'/>
<vendor name='Intel' value='0x69'/>
+ <vendor name='Phytium' value='0x70'/>
</cpus>
diff --git a/src/cpu_map/index.xml b/src/cpu_map/index.xml
index 08f052e..e2c454b 100644
--- a/src/cpu_map/index.xml
+++ b/src/cpu_map/index.xml
@@ -103,5 +103,8 @@
<!-- Hisilicon-based CPU models -->
<include filename='arm_Kunpeng-920.xml'/>
+
+ <!-- Phytium-based CPU models -->
+ <include filename='arm_Phytium.xml'/>
</arch>
</cpus>
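Review bot: The include just above the new one is named after a single model (arm_Kunpeng-920.xml), while arm_Phytium.xml is named after the vendor and carries two models; say which naming convention is intended, or split the file per model. The diffstat also lists only the three XML files, so check whether the new file has to be added to the build system's list of installed cpu_map data files.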
--
2.7.4
4 years, 1 month
[PATCH 0/5] qemu: Don't cache domCaps
by Michal Privoznik
See 4/5 for explanation.
Michal Prívozník (5):
qemu: Validate RNG model
qemu: Validate video model
conf: Drop virDomainCapsDeviceDefValidate()
qemu: Don't cache domCaps in virQEMUDriverGetDomainCapabilities()
qemu: Remove virQEMUDomainCapsCache code
src/conf/domain_capabilities.c | 88 ------------
src/conf/domain_capabilities.h | 4 -
src/libvirt_private.syms | 1 -
src/qemu/qemu_capabilities.c | 129 ------------------
src/qemu/qemu_capabilities.h | 10 --
src/qemu/qemu_conf.c | 27 ++--
src/qemu/qemu_validate.c | 77 +++++++++--
.../default-video-type-x86_64-caps-test-0.err | 2 +-
.../video-invalid-multiple-devices.err | 2 +-
9 files changed, 83 insertions(+), 257 deletions(-)
--
2.26.2
4 years, 1 month