August 2020 - Devel - libvirt List Archives

[libvirt PATCH] docs: improve auth service listing
by Pino Toscano 17 Aug '20

17 Aug '20

Slightly improve the list of known authentication service types: - reword 'ssh' to mention it is used for the ssh driver (for remote QEMU), and stop mentioning the removed Phyp driver - add 'hyperv', used by the HyperV driver - alphabetically sort the list - use a bulletted list instead of a numbered one Signed-off-by: Pino Toscano <ptoscano(a)redhat.com> --- docs/auth.html.in | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/auth.html.in b/docs/auth.html.in index 6f8805b6f5..9964313776 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -122,17 +122,19 @@ credentials=defgrp</pre> <p> - The following service types are known to libvirt + The following service types are known to libvirt: </p> - <ol> - <li><code>libvirt</code> - used for connections to a libvirtd - server, which is configured with SASL auth</li> - <li><code>ssh</code> - used for connections to a Phyp server - over SSH, but the Phyp driver has been removed</li> + <ul> <li><code>esx</code> - used for connections to an ESX or VirtualCenter server</li> - </ol> + <li><code>hyperv</code> - used for connections to an HyperV + server</li> + <li><code>libvirt</code> - used for connections to a libvirtd + server, which is configured with SASL auth</li> + <li><code>ssh</code> - used for connections to a remote QEMU driver + over SSH</li> + </ul> <p> Applications using libvirt are free to use this same configuration -- 2.26.2

2 1

[libvirt PATCH] build-aux: Get rid of 'make syntax-check' reference
by Erik Skultety 17 Aug '20

17 Aug '20

Change the 'make syntax-check' reference after the switch to meson/ninja. Signed-off-by: Erik Skultety <eskultet(a)redhat.com> --- This is a follow-up to https://www.redhat.com/archives/libvir-list/2020-August/msg00328.html. Pushed as trivial. build-aux/syntax-check.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-aux/syntax-check.mk b/build-aux/syntax-check.mk index 6eb59cf90e..16c70750e8 100644 --- a/build-aux/syntax-check.mk +++ b/build-aux/syntax-check.mk @@ -675,7 +675,7 @@ msg_gen_function += virReportErrorHelper msg_gen_function += virReportSystemError msg_gen_function += virLastErrorPrefixMessage -# Uncomment the following and run "make syntax-check" to see diagnostics +# Uncomment the following and run "ninja test" to see diagnostics # that are not yet marked for translation, but that need to be rewritten # so that they are translatable. # msg_gen_function += fprintf -- 2.26.2

1 0

[PATCH 0/4] remove 'make check' references from code
by Daniel Henrique Barboza 17 Aug '20

17 Aug '20

Simple series that removes the references of the now former 'make check', replacing it to 'ninja test'. Daniel Henrique Barboza (4): docs: get rid of 'make check' references ci/Makefile: get rid of 'make check' references tests: get rid of 'make check' references vbox_XPCOMCGlue.c: get rid of 'make check' reference ci/Makefile | 6 +++--- docs/advanced-tests.rst | 2 +- docs/api_extension.html.in | 9 ++++----- docs/testsuites.html.in | 3 ++- src/vbox/vbox_XPCOMCGlue.c | 2 +- tests/domaincapstest.c | 2 +- tests/qemucapabilitiestest.c | 2 +- tests/test-lib.sh | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) -- 2.26.2

2 5

[PATCH V3 0/3] Xen: Support PCI permissive setting with writeFiltering attribute
by Jim Fehlig 14 Aug '20

14 Aug '20

This is V3 of Marek's series to support the xl.cfg(5) permissive setting on PCI devices. V2 can be found here https://www.redhat.com/archives/libvir-list/2020-April/msg01230.html Changes from V2: Instead of using a permisssive attribute on the <hostdev> element, use a writeFiltering attribute on the <hostdev>'s <source> element. Rational being that the filtering of writes to the PCI config space is done at the source. Jim Fehlig (3): Xen: Add writeFiltering option for PCI devices Xen: Add support for writeFiltering in config converter News: Advertise support for writeFiltering attribute of PCI hostdevs NEWS.rst | 7 +++ docs/formatdomain.rst | 7 ++- docs/schemas/domaincommon.rng | 5 ++ src/conf/domain_conf.c | 14 +++++ src/conf/domain_conf.h | 1 + src/libxl/libxl_conf.c | 1 + src/libxl/xen_common.c | 52 ++++++++++++++++-- .../libxlxml2domconfigdata/moredevs-hvm.json | 6 +++ tests/libxlxml2domconfigdata/moredevs-hvm.xml | 5 ++ tests/xlconfigdata/test-fullvirt-pci.cfg | 25 +++++++++ tests/xlconfigdata/test-fullvirt-pci.xml | 53 +++++++++++++++++++ tests/xlconfigtest.c | 1 + 12 files changed, 171 insertions(+), 6 deletions(-) create mode 100644 tests/xlconfigdata/test-fullvirt-pci.cfg create mode 100644 tests/xlconfigdata/test-fullvirt-pci.xml -- 2.28.0

1 3

[PATCH 0/3] batch: don't require checking retvalue of some bitmap ops
by Nikolay Shirokovskiy 13 Aug '20

13 Aug '20

Most of bitmap setBit/clearBit/getBit users know that the bitmap index is not out of bound and thus don't check the return value. More precisely the stats is next: Method all check =================================== virBitmapSetBit 85 14 virBitmapClearBit 15 3 virBitmapGetBit 15 6 where 'all' is the number of all occurences of the method and 'check' is the number of occurences with 'if (method' pattern. Thus keeping the retvalue checking requirement produces more noise then helps. I guess we even can make these function return void as users can simply compare the index with the bitmap size. The removing of ignore_value was done by sed together with several manual editings where methods calls were splitted across two lines. FILES=`git grep -l 'ignore_value(virBitmapGetBit('` sed -ibak -re 's/ignore_value$virBitmapGetBit\((.*)$\);/virBitmapGetBit(\1\);/' "$FILES" Nikolay Shirokovskiy (3): batch: don't require checking retvalue for virBitmapSetBit batch: don't require checking retvalue for virBitmapClearBit batch: don't require checking retvalue for virBitmapGetBit src/conf/capabilities.c | 2 +- src/conf/checkpoint_conf.c | 2 +- src/conf/domain_addr.c | 8 ++++---- src/conf/domain_conf.c | 9 ++++----- src/conf/node_device_conf.c | 2 +- src/conf/snapshot_conf.c | 2 +- src/conf/storage_conf.c | 2 +- src/libxl/libxl_capabilities.c | 2 +- src/network/bridge_driver.c | 6 +++--- src/qemu/qemu_capabilities.c | 4 ++-- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_domain_address.c | 4 ++-- src/qemu/qemu_driver.c | 8 ++++---- src/qemu/qemu_hotplug.c | 6 +++--- src/qemu/qemu_migration_cookie.c | 8 ++++---- src/qemu/qemu_migration_params.c | 28 +++++++++++++--------------- src/qemu/qemu_monitor.c | 2 +- src/qemu/qemu_slirp.c | 2 +- src/test/test_driver.c | 2 +- src/util/virbitmap.h | 6 +++--- src/util/vircommand.c | 2 +- src/util/virdnsmasq.c | 2 +- src/util/virhostcpu.c | 2 +- src/util/virjson.c | 2 +- src/util/virnetdev.c | 10 +++++----- src/util/virnuma.c | 4 ++-- src/util/virprocess.c | 4 ++-- src/util/virresctrl.c | 2 +- src/util/virstoragefile.c | 2 +- src/vmx/vmx.c | 2 +- tests/qemumonitorjsontest.c | 2 +- tests/testutils.c | 2 +- tests/virbitmaptest.c | 28 ++++++++++++++-------------- tools/virsh-domain.c | 4 ++-- tools/virt-host-validate-common.c | 2 +- 35 files changed, 87 insertions(+), 90 deletions(-) -- 1.8.3.1

2 7

[PATCH 1/2] apparmor: allow adding permanent per guest rules
by Christian Ehrhardt 13 Aug '20

13 Aug '20

The design of apparmor in libvirt always had a way to define custom per-guest rules as described in docs/drvqemu.html and [1]. A fix meant to clean the profiles after guest shutdown was a bit overzealous and accidentially removed this important admin feature as well. Therefore reduce the --delete option of virt-aa-helper to only delete the .files that would be re-generated in any case. Users/Admins are always free to clean the profiles themselve if they prefer a clean directory - they will be regenerated as needed. But libvirt should never remove the base profile meant to allow per-guest overrides and thereby break a documented feature. [1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage Fixes: eba2225b "apparmor: delete profile on VM shutdown" Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com> --- src/security/virt-aa-helper.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index dadb9d1614..4b66422b8f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -99,7 +99,7 @@ vah_usage(void) " Modes:\n" " -a | --add load profile\n" " -c | --create create profile from template\n" - " -D | --delete unload and delete profile\n" + " -D | --delete unload profile and delete generated rules\n" " -r | --replace reload profile\n" " -R | --remove unload profile\n" " Options:\n" @@ -1491,7 +1491,6 @@ main(int argc, char **argv) rc = parserRemove(ctl->uuid); if (ctl->cmd == 'D') { unlink(include_file); - unlink(profile); } } else if (ctl->cmd == 'c' || ctl->cmd == 'r') { char *included_files = NULL; -- 2.27.0

2 5

Plans for the next release
by Jiri Denemark 13 Aug '20

13 Aug '20

I'm sending this quite early this month as I'm on vacation tomorrow and next week and I wanted to make sure the plan for the release is advertised earlier than just a day or two before the freeze. To aim for the release on Sep 01 I suggest entering the freeze in two weeks on Wednesday Aug 26 and tagging RC2 on Friday Aug 28 in the afternoon. I hope this works for everyone. Jirka

1 0

[libvirt PATCH] qemu: fix crash in qemuDomainSetBlkioParameters without cgroups
by Pavel Hrdina 12 Aug '20

12 Aug '20

If we don't have cgroups available and user tries to update blkio parameters for running VM it will crash. It should have been protected by the virCgroupHasController() check but it was never called if the API was executed without any flags. We call virDomainObjGetDefs() which sets `def` and `persistentDef` based on the flags and these two variables should be used to figure out if we need to update LIVE, CONFIG or both states. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1808293 Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com> --- src/qemu/qemu_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 07e9518a9b..8008da6d16 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -9356,7 +9356,7 @@ qemuDomainSetBlkioParameters(virDomainPtr dom, if (virDomainObjGetDefs(vm, flags, &def, &persistentDef) < 0) goto endjob; - if (flags & VIR_DOMAIN_AFFECT_LIVE) { + if (def) { if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_BLKIO)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("blkio cgroup isn't mounted")); -- 2.26.2

2 1

[libvirt PATCH] docs: formatdomain: fix superscripts
by Ján Tomko 11 Aug '20

11 Aug '20

There needs to be a space before the :sup: directive. Signed-off-by: Ján Tomko <jtomko(a)redhat.com> --- Pushed as trivial. docs/formatdomain.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 218f0c1718..8365fc8bbb 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -896,12 +896,12 @@ Memory Allocation hotplugged later. The units for this value are determined by the optional attribute ``unit``, which defaults to "KiB" (kibibytes, 2\ :sup:`10` or blocks of 1024 bytes). Valid units are "b" or "bytes" for bytes, "KB" for - kilobytes (10:sup:`3` or 1,000 bytes), "k" or "KiB" for kibibytes (1024 - bytes), "MB" for megabytes (10:sup:`6` or 1,000,000 bytes), "M" or "MiB" for - mebibytes (2:sup:`20` or 1,048,576 bytes), "GB" for gigabytes (10:sup:`9` or - 1,000,000,000 bytes), "G" or "GiB" for gibibytes (2:sup:`30` or 1,073,741,824 - bytes), "TB" for terabytes (10:sup:`12` or 1,000,000,000,000 bytes), or "T" - or "TiB" for tebibytes (2:sup:`40` or 1,099,511,627,776 bytes). However, the + kilobytes (10\ :sup:`3` or 1,000 bytes), "k" or "KiB" for kibibytes (1024 + bytes), "MB" for megabytes (10\ :sup:`6` or 1,000,000 bytes), "M" or "MiB" for + mebibytes (2\ :sup:`20` or 1,048,576 bytes), "GB" for gigabytes (10\ :sup:`9` or + 1,000,000,000 bytes), "G" or "GiB" for gibibytes (2\ :sup:`30` or 1,073,741,824 + bytes), "TB" for terabytes (10\ :sup:`12` or 1,000,000,000,000 bytes), or "T" + or "TiB" for tebibytes (2\ :sup:`40` or 1,099,511,627,776 bytes). However, the value will be rounded up to the nearest kibibyte by libvirt, and may be further rounded to the granularity supported by the hypervisor. Some hypervisors also enforce a minimum, such as 4000KiB. In case -- 2.26.2

1 0

[libvirt PATCH v2] kbase: sev: Provide more details on virtio-net configuration
by Erik Skultety 11 Aug '20

11 Aug '20

With virtio-net we also need to disable the iPXE option ROM otherwise a SEV-enabled guest would not boot. While at it, fix the full machine XML examples accordingly. Reported-by: Dr. David Alan Gilbert <dgilbert(a)redhat.com> Signed-off-by: Erik Skultety <eskultet(a)redhat.com> --- since v1: - ditched any mentions of vhost, since we can assume all the supported distros to have the latest QEMU-2.12 build containing the bugfix to make vhost work with SEV docs/kbase/launch_security_sev.rst | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst index cfdc2a6120..4a37c0c379 100644 --- a/docs/kbase/launch_security_sev.rst +++ b/docs/kbase/launch_security_sev.rst @@ -291,8 +291,9 @@ can still perform DoS on each other. Virtio ------ -In order to make virtio devices work, we need to enable emulated IOMMU -on the devices so that virtual DMA can work. +In order to make virtio devices work, we need to use +``<driver iommu='on'/>`` inside the given device XML element in order +to enable DMA API in the virtio driver. :: @@ -337,6 +338,26 @@ model, which means that virtio GPU cannot be used. ... </domain> +Virtio-net +~~~~~~~~~~ +With virtio-net it's also necessary to disable the iPXE option ROM as +iPXE is not aware of SEV (at the time of this writing). This translates to the +following XML: + +:: + + <domain> + ... + <interface type='network'> + ... + <model type='virtio'/> + <driver iommu='on'/> + <rom enabled='no'/> + </interface> + ... + <domain> + + Checking SEV from within the guest ================================== @@ -424,6 +445,7 @@ Q35 machine <source network='default'/> <model type='virtio'/> <driver iommu='on'/> + <rom enabled='no'/> </interface> <graphics type='spice' autoport='yes'> <listen type='address'/> @@ -496,6 +518,8 @@ PC-i440fx machine <mac address='52:54:00:d8:96:c8'/> <source network='default'/> <model type='virtio-non-transitional'/> + <driver iommu='on'/> + <rom enabled='no'/> </interface> <serial type='pty'> <target type='isa-serial' port='0'> -- 2.26.2

2 1