[libvirt PATCH v2 0/2] rST-ify and rewrite a couple of block-layer docs
by Kashyap Chamarthy
I don't think the Debian "sid" failure is related to my patch:
https://gitlab.com/kashyapc/libvirt/-/pipelines/300380749/failures
Changes in v2:
- Mention backupBegin() [Peter]
- Add examples of push-mode backup using backupBegin() [Peter, Kashyap]
- Use existing rST conventions to make `rst2html5` happy [Michal]
- Update meson.build [Michal]
- Use .contents:: [Michal]
- Paragraph alignment [Michal]
Kashyap Chamarthy (2):
docs: kbase: Add a doc on live full disk backup
docs: kbase: Add a doc on merging disk image chains
docs/kbase/live_full_disk_backup.rst | 186 +++++++++++++++++++++
docs/kbase/merging_disk_image_chains.rst | 200 +++++++++++++++++++++++
docs/kbase/meson.build | 2 +
3 files changed, 388 insertions(+)
create mode 100644 docs/kbase/live_full_disk_backup.rst
create mode 100644 docs/kbase/merging_disk_image_chains.rst
--
2.30.2
3 years, 7 months
[libvirt PATCH v2 00/10] make internal only secrets work with split daemons
by Daniel P. Berrangé
If you define a secret with private="yes", then libvirt won't let any
client query the secret value after it is set. Only other libvirt
drivers inside the daemon can query it by passing a special internal
only flag to the virSecretGetValue API. The remote driver/daemon
refuses to let this internal flag go over the wire preventing normal
clients from using it.
This doesn't work with the split daemons because the virSecretGetValue
API done by virtqemud / virtstoraged has to go over the wire to reach
the virtsecretd.
We need to come up with an alternative way to "prove" that the caller
of virSecretGetValue is a libvirt daemon, as opposed to a general
libvirt client.
Note that if only traditional POSIX DAC permissions are in effect
then we could consider it pointless trying to restrict access to
clients running the same user/group as the libvirt daemon. We ought
to take into account that the client might be confined by SELinux
though, so the "private secret" concept isn't entirely pointless.
Thus doing a simple uid of client == uid of daemon check is a bit
too weak. The UID check might also not fly if the modular daemons
are run inside containers with user namespaces, as the container
for virtsecretd and virtqemud might have different user mappings
in theory.
This series adds a concept of a "token" which is known only to the
libvirt daemons. The first daemon to use it writes a random hex
string to /var/run/libvirt/common/system.token. Other daemons can
read and compare this. Unless a MAC system is present this is still
largely security theatre, but that's not really worse than the
historical behaviour.
When an API call is made the virIdentity by default reflects the
identity of the UNIX process that initiated it.
When connecting to virtproxyd, the client apps' identity is forwarded
to the next virtNNNNd daemon.
When libvirt drivers, however, initiate an API call we never set any
identity. With monolithic libvirtd, they'd inherit the current client
identity automagically since it was all in the same thread local. With
modular daemons the other driver would see the identity of the other
libvirt daemon which is bad as this gives elevated privileges in the
ACL check.
Thus we fix the code which drivers use to open a connection to other
daemons, such that it applies the current caller's identity. It does
this using an "elevated" identity though, which means, we have added
in the system token. Thus the virtsecretd daemon getting the call
virSecretGetValue sees the virIdentity reflecting the client
application which originally called the virDomainCreate() API, but
with the system token set. Thus virtsecretd can see that the
virSecretGetValue was invoked by another daemon, not a libvirt
client app.
Changed in v2...
We can't set the elevated identity only when opening the virConnect
for the secret driver. This works for modular daemons, as the identity
is passed to the virsecretd at time of opening and thus applies to
the later virSecretGetValue call on that connection.
For monolithic daemon, the identity present at virConnectOpen is
irrelevant. The virSecretGetValue call will just directly query
the current thread's identity.
IOW, to work in both deployment scenarios we need to have the
elevated identity set across both virConnectOpen and virSecretGetValue.
Daniel P. Berrangé (10):
util: add virRandomToken API
util: introduce concept of a system token into identities
util: generate a persistent system token
util: set system token for system identity
util: add API for copying identity objects
util: helper to temporary elevate privileges of the current identity
src: add API to determine if current identity is a system identity
src: set identity when opening secondary drivers
src: elevate current identity privilege when fetching secret
secret: rework handling of private secrets
src/driver-secret.h | 9 +-
src/driver.c | 27 +++
src/libvirt-secret.c | 2 +-
src/libvirt_private.syms | 7 +
src/libxl/libxl_conf.c | 5 +
src/qemu/qemu_domain.c | 11 +-
src/qemu/qemu_tpm.c | 5 +
src/remote/remote_driver.c | 8 +-
src/secret/secret_driver.c | 34 ++-
src/storage/storage_backend_iscsi.c | 5 +
src/storage/storage_backend_iscsi_direct.c | 5 +
src/storage/storage_backend_rbd.c | 5 +
src/storage/storage_util.c | 5 +
src/util/viridentity.c | 239 +++++++++++++++++++++
src/util/viridentity.h | 11 +
src/util/virrandom.c | 18 ++
src/util/virrandom.h | 1 +
src/util/virsecret.c | 3 +-
tests/qemuxml2argvtest.c | 3 +-
19 files changed, 375 insertions(+), 28 deletions(-)
--
2.31.1
3 years, 7 months
[PATCH] Introduce a new virDomainReloadTlsCertificates API
by Zheng Yan
The new virDomainReloadTlsCertificates API is used to notify the domain to
reload its certificates without a restart, and avoid service interruption.
Currently, only QEMU VNC TLS certificates are supported, but parameters and
flags are also reserved for subsequent scenarios.
Taking the reload of QEMU VNC TLS certificates as an example, we can call:
    virDomainReloadTlsCertificates(domain,
                                   VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC,
                                   NULL, 0, 0);
Then the specified QMP message would be sent to QEMU:
{"execute": "display-reload", "arguments":{"type": "vnc", "tls-certs": true}}
Refers:
https://gitlab.com/qemu-project/qemu/-/commit/9cc07651655ee86eca41059f5ea...
---
include/libvirt/libvirt-domain.h | 20 +++++++++++
src/driver-hypervisor.h | 8 +++++
src/libvirt-domain.c | 58 ++++++++++++++++++++++++++++++++
src/libvirt_public.syms | 5 +++
src/qemu/qemu_driver.c | 40 ++++++++++++++++++++++
src/qemu/qemu_hotplug.c | 17 ++++++++++
src/qemu/qemu_hotplug.h | 4 +++
src/qemu/qemu_monitor.c | 27 +++++++++++++++
src/qemu/qemu_monitor.h | 3 ++
src/qemu/qemu_monitor_json.c | 27 +++++++++++++++
src/qemu/qemu_monitor_json.h | 4 +++
src/remote/remote_driver.c | 1 +
src/remote/remote_protocol.x | 15 ++++++++-
src/remote_protocol-structs | 10 ++++++
14 files changed, 238 insertions(+), 1 deletion(-)
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
index e99bfb7654..357d3598a6 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -5152,4 +5152,24 @@ int virDomainStartDirtyRateCalc(virDomainPtr domain,
int seconds,
unsigned int flags);
+/**
+ * virDomainTlsCertificateType:
+ * the used scene of TLS certificates for doamin
+ */
+typedef enum {
+ VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC = 0,
+ VIR_DOMAIN_TLS_CERT_GRAPHICS_SPICE = 1,
+
+# ifdef VIR_ENUM_SENTINELS
+ VIR_DOMAIN_TLS_CERT_LAST
+# endif
+} virDomainTlsCertificateType;
+
+int
+virDomainReloadTlsCertificates(virDomainPtr domain,
+ unsigned int type,
+ virTypedParameterPtr params,
+ int nparams,
+ unsigned int flags);
+
#endif /* LIBVIRT_DOMAIN_H */
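Review bot: The doc comment on virDomainTlsCertificateType misspells "domain" as "doamin" and documents none of the enum values. Suggest describing each value, and stating that VIR_DOMAIN_TLS_CERT_GRAPHICS_SPICE is declared here although the commit message says only QEMU VNC certificates are supported, so a caller can tell from the header which types will be rejected.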
diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h
index d642af8a37..d0d4976441 100644
--- a/src/driver-hypervisor.h
+++ b/src/driver-hypervisor.h
@@ -1410,6 +1410,13 @@ typedef int
int seconds,
unsigned int flags);
+typedef int
+(*virDrvDomainReloadTlsCertificates)(virDomainPtr domain,
+ unsigned int type,
+ virTypedParameterPtr params,
+ int nparams,
+ unsigned int flags);
+
typedef struct _virHypervisorDriver virHypervisorDriver;
/**
@@ -1676,4 +1683,5 @@ struct _virHypervisorDriver {
virDrvDomainAuthorizedSSHKeysSet domainAuthorizedSSHKeysSet;
virDrvDomainGetMessages domainGetMessages;
virDrvDomainStartDirtyRateCalc domainStartDirtyRateCalc;
+ virDrvDomainReloadTlsCertificates domainReloadTlsCertificates;
};
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 42c75f6cc5..1b6889ab49 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -13218,3 +13218,61 @@ virDomainStartDirtyRateCalc(virDomainPtr domain,
virDispatchError(conn);
return -1;
}
+
+/**
+ * virDomainReloadTlsCertificates:
+ * @domain: a domain object.
+ * @type: a value of virDomainTlsCertificateType
+ * @params: pointer to TLS Certs parameter objects, must be NULL if not used
+ * @nparams: number of TLS Certs parameter objects, must be 0 if not used
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * Notify domain reload its certificates with specified 'type'
+ *
+ * Returns 0 in case of success, -1 otherwise.
+ */
+int
+virDomainReloadTlsCertificates(virDomainPtr domain,
+ unsigned int type,
+ virTypedParameterPtr params,
+ int nparams,
+ unsigned int flags)
+{
+ virConnectPtr conn;
+
+ VIR_DOMAIN_DEBUG(domain, "certificate type=%u, params=%p, nparams=%d, flags=%x",
+ type, params, nparams, flags);
+
+ virResetLastError();
+
+ virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
+
+ virCheckReadOnlyGoto(conn->flags, error);
+ virCheckNonNegativeArgGoto(nparams, error);
+
+ if (type >= VIR_DOMAIN_TLS_CERT_LAST) {
+ virReportInvalidArg(type,
+ _("type must be less than %d"),
+ VIR_DOMAIN_TLS_CERT_LAST);
+ goto error;
+ }
+
+ if (conn->driver->domainReloadTlsCertificates) {
+ int ret;
+ ret = conn->driver->domainReloadTlsCertificates(domain,
+ type,
+ params,
+ nparams,
+ flags);
+ if (ret < 0)
+ goto error;
+ return ret;
+ }
+
+ virReportUnsupportedError();
+
+ error:
+ virDispatchError(domain->conn);
+ return -1;
+}
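Review bot: Nothing in virDomainReloadTlsCertificates ties params to nparams: virCheckNonNegativeArgGoto(nparams, error) is the only check, so a call with params == NULL and nparams > 0 is passed on to the driver unchecked. Suggest requiring params to be non-NULL whenever nparams is non-zero, right after the nparams check. The error label also calls virDispatchError(domain->conn) although the local conn holds the same pointer, and the doc comment should say which certificate types are currently accepted.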
diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
index 5678a13cda..30ff012958 100644
--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -896,4 +896,9 @@ LIBVIRT_7.3.0 {
virNodeDeviceCreate;
} LIBVIRT_7.2.0;
+LIBVIRT_7.4.0 {
+ global:
+ virDomainReloadTlsCertificates;
+} LIBVIRT_7.3.0;
+
# .... define new API here using predicted next version number ....
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index c90d52edc0..422a350c65 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -20449,6 +20449,45 @@ qemuDomainStartDirtyRateCalc(virDomainPtr dom,
return ret;
}
+static int
+qemuDomainReloadTlsCertificates(virDomainPtr domain,
+ unsigned int type,
+ virTypedParameterPtr params,
+ int nparams,
+ unsigned int flags)
+{
+ int ret = -1;
+ virQEMUDriver *driver = domain->conn->privateData;
+ virDomainObj *vm = qemuDomObjFromDomain(domain);
+
+ if (!vm)
+ goto cleanup;
+
+ virCheckNonNullArgGoto(params, cleanup);
+ if (nparams != 0) {
+ virReportInvalidZeroArg(nparams);
+ goto cleanup;
+ }
+ virCheckFlagsGoto(0, cleanup);
+
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
+ goto cleanup;
+
+ if (!virDomainObjIsActive(vm)) {
+ virReportError(VIR_ERR_OPERATION_INVALID,
+ "%s", _("domain is not running"));
+ goto endjob;
+ }
+
+ ret = qemuDomainReloadTLSCerts(driver, vm, type);
+
+ endjob:
+ qemuDomainObjEndJob(driver, vm);
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+ return ret;
+}
static virHypervisorDriver qemuHypervisorDriver = {
.name = QEMU_DRIVER_NAME,
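Review bot: virCheckNonNullArgGoto(params, cleanup) in qemuDomainReloadTlsCertificates rejects exactly the call the commit message shows (params NULL, nparams 0) and contradicts the API doc's "must be NULL if not used"; since the next lines require nparams == 0, the check looks inverted and should require params to be NULL. The function also goes straight from qemuDomObjFromDomain() to qemuDomainObjBeginJob() with no access-control check, although remote_protocol.x annotates the procedure with "@acl: domain:write"; the ACL check belongs before the job is started. A blank line is also missing between the closing brace and the qemuHypervisorDriver definition.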
@@ -20693,6 +20732,7 @@ static virHypervisorDriver qemuHypervisorDriver = {
.domainAuthorizedSSHKeysSet = qemuDomainAuthorizedSSHKeysSet, /* 6.10.0 */
.domainGetMessages = qemuDomainGetMessages, /* 7.1.0 */
.domainStartDirtyRateCalc = qemuDomainStartDirtyRateCalc, /* 7.2.0 */
+ .domainReloadTlsCertificates = qemuDomainReloadTlsCertificates, /* 7.4.0 */
};
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index a64cddb9e7..34dc035d73 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -6704,3 +6704,20 @@ qemuDomainSetVcpuInternal(virQEMUDriver *driver,
virBitmapFree(livevcpus);
return ret;
}
+
+int qemuDomainReloadTLSCerts(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ unsigned int type)
+{
+ int ret = -1;
+ qemuDomainObjPrivate *priv = vm->privateData;
+
+ qemuDomainObjEnterMonitor(driver, vm);
+
+ ret = qemuMonitorDisplayReloadTLSCerts(priv->mon, type);
+
+ if (qemuDomainObjExitMonitor(driver, vm) < 0)
+ ret = -1;
+
+ return ret;
+}
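Review bot: qemuDomainReloadTLSCerts is declared with virQEMUDriverPtr and virDomainObjPtr while its own body and the surrounding context use the plain pointer form (qemuDomainObjPrivate *priv, virQEMUDriver *driver in qemuDomainSetVcpuInternal); use virQEMUDriver * and virDomainObj * here and in the qemu_hotplug.h prototype. The return type also sits on the same line as the function name, unlike the other definitions in this patch, and the "TLSCerts" spelling differs from the "TlsCertificates" used by the public API and the driver callback.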
diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
index df8f76f8d6..411741a688 100644
--- a/src/qemu/qemu_hotplug.h
+++ b/src/qemu/qemu_hotplug.h
@@ -160,3 +160,7 @@ int qemuHotplugAttachDBusVMState(virQEMUDriver *driver,
int qemuHotplugRemoveDBusVMState(virQEMUDriver *driver,
virDomainObj *vm,
qemuDomainAsyncJob asyncJob);
+
+int qemuDomainReloadTLSCerts(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
+ unsigned int type);
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 1e6f892e08..11f8cc8670 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -4746,3 +4746,30 @@ qemuMonitorQueryDirtyRate(qemuMonitor *mon,
return qemuMonitorJSONQueryDirtyRate(mon, info);
}
+
+static const char *
+qemuMonitorTLSCertificateTypeToString(unsigned int type)
+{
+ switch (type) {
+ /* for now, only VNC is supported */
+ case VIR_DOMAIN_TLS_CERT_GRAPHICS_VNC:
+ return "vnc";
+ default:
+ virReportError(VIR_ERR_INVALID_ARG,
+ _("unsupported qemu certificate type %u"),
+ type);
+ return NULL;
+ }
+}
+
+int
+qemuMonitorDisplayReloadTLSCerts(qemuMonitorPtr mon, unsigned int type)
+{
+ const char *certType = qemuMonitorTLSCertificateTypeToString(type);
+ if (!certType)
+ return -1;
+
+ QEMU_CHECK_MONITOR(mon);
+
+ return qemuMonitorJSONDisplayReload(mon, certType, true);
+}
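Review bot: The default branch of qemuMonitorTLSCertificateTypeToString reports VIR_DOMAIN_TLS_CERT_GRAPHICS_SPICE as VIR_ERR_INVALID_ARG, although it is a valid value of the public enum that is simply not implemented yet. Suggest an explicit case for SPICE that reports the type as unsupported. The conversion also runs only after qemuDomainReloadTLSCerts has called qemuDomainObjEnterMonitor(), so an unsupported type is rejected with the job held and the monitor entered; validating the type in qemuDomainReloadTlsCertificates before qemuDomainObjBeginJob() would avoid that.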
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 6a25def78b..f26f92fb51 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -1496,3 +1496,6 @@ struct _qemuMonitorDirtyRateInfo {
int
qemuMonitorQueryDirtyRate(qemuMonitor *mon,
qemuMonitorDirtyRateInfo *info);
+
+int qemuMonitorDisplayReloadTLSCerts(qemuMonitorPtr mon,
+ unsigned int type);
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 46aa3330a8..9934613cc2 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -9446,3 +9446,30 @@ qemuMonitorJSONQueryDirtyRate(qemuMonitor *mon,
return qemuMonitorJSONExtractDirtyRateInfo(data, info);
}
+
+int qemuMonitorJSONDisplayReload(qemuMonitorPtr mon,
+ const char *type,
+ bool tlsCerts)
+{
+ int ret = -1;
+ virJSONValuePtr reply = NULL;
+ virJSONValuePtr cmd = qemuMonitorJSONMakeCommand("display-reload",
+ "s:type", type,
+ "b:tls-certs", tlsCerts,
+ NULL);
+ if (!cmd)
+ return -1;
+
+ if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
+ goto cleanup;
+
+ if (qemuMonitorJSONCheckError(cmd, reply) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ virJSONValueFree(cmd);
+ virJSONValueFree(reply);
+ return ret;
+}
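Review bot: qemuMonitorJSONDisplayReload sends "display-reload" unconditionally, and the diffstat lists no capability probe for the command, so against a QEMU binary that lacks it the caller only gets whatever qemuMonitorJSONCheckError reports for the failed command. Suggest gating the call on a capability flag and returning a clear "not supported by this QEMU binary" error. The qemuMonitorPtr parameter also differs from the qemuMonitor * form used by qemuMonitorJSONQueryDirtyRate in the context lines.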
diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
index 01a3ba25f1..73761d54f8 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -706,3 +706,7 @@ qemuMonitorJSONStartDirtyRateCalc(qemuMonitor *mon,
int
qemuMonitorJSONQueryDirtyRate(qemuMonitor *mon,
qemuMonitorDirtyRateInfo *info);
+
+int qemuMonitorJSONDisplayReload(qemuMonitorPtr mon,
+ const char *type,
+ bool tlsCerts);
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 0c72d69933..0e6e4e3007 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -8566,6 +8566,7 @@ static virHypervisorDriver hypervisor_driver = {
.domainAuthorizedSSHKeysSet = remoteDomainAuthorizedSSHKeysSet, /* 6.10.0 */
.domainGetMessages = remoteDomainGetMessages, /* 7.1.0 */
.domainStartDirtyRateCalc = remoteDomainStartDirtyRateCalc, /* 7.2.0 */
+ .domainReloadTlsCertificates = remoteDomainReloadTlsCertificates, /* 7.4.0 */
};
static virNetworkDriver network_driver = {
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index de69704b68..c13b3e1f5c 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -286,6 +286,8 @@ const REMOTE_DOMAIN_AUTHORIZED_SSH_KEYS_MAX = 2048;
/* Upper limit on number of messages */
const REMOTE_DOMAIN_MESSAGES_MAX = 2048;
+/* Upper limit on list of TLS certificate parameters */
+const REMOTE_DOMAIN_RELOAD_TLS_CERT_PARAMETERS_MAX = 16;
/* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */
typedef opaque remote_uuid[VIR_UUID_BUFLEN];
@@ -3836,6 +3838,12 @@ struct remote_domain_start_dirty_rate_calc_args {
unsigned int flags;
};
+struct remote_domain_reload_tls_certificates_args {
+ remote_nonnull_domain dom;
+ unsigned int type;
+ remote_typed_param params<REMOTE_DOMAIN_RELOAD_TLS_CERT_PARAMETERS_MAX>;
+ unsigned int flags;
+};
/*----- Protocol. -----*/
@@ -6784,6 +6792,11 @@ enum remote_procedure {
* @priority: high
* @acl: node_device:start
*/
- REMOTE_PROC_NODE_DEVICE_CREATE = 430
+ REMOTE_PROC_NODE_DEVICE_CREATE = 430,
+ /**
+ * @generate: both
+ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_RELOAD_TLS_CERTIFICATES = 431
};
diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
index 6b46328adc..799a8596ea 100644
--- a/src/remote_protocol-structs
+++ b/src/remote_protocol-structs
@@ -3192,6 +3192,15 @@ struct remote_domain_start_dirty_rate_calc_args {
int seconds;
u_int flags;
};
+struct remote_domain_reload_tls_certificates_args {
+ remote_nonnull_domain dom;
+ u_int type;
+ struct {
+ u_int params_len;
+ remote_typed_param * params_val;
+ } params;
+ u_int flags;
+};
enum remote_procedure {
REMOTE_PROC_CONNECT_OPEN = 1,
REMOTE_PROC_CONNECT_CLOSE = 2,
@@ -3623,4 +3632,5 @@ enum remote_procedure {
REMOTE_PROC_NODE_DEVICE_DEFINE_XML = 428,
REMOTE_PROC_NODE_DEVICE_UNDEFINE = 429,
REMOTE_PROC_NODE_DEVICE_CREATE = 430,
+ REMOTE_PROC_DOMAIN_RELOAD_TLS_CERTIFICATES = 431,
};
--
2.25.1
3 years, 7 months
[PATCH] securityselinuxhelper: Fix retval of setcon_raw() and security_disable()
by Michal Privoznik
The securityselinuxhelper is a mock that's replacing libselinux
APIs with our own implementation to achieve deterministic
results. Our implementation uses env vars (among other things) to
hold internal state. For instance, "FAKE_SELINUX_CONTEXT" and
"FAKE_SELINUX_DISABLED" variables are used. However, as we were
switching from setenv() to g_setenv() we also changed the set of
possible retvals from setcon_raw() and security_disable().
Previously, the retval of setenv() was used directly which
returns 0 on success and -1 on error. But g_setenv() has
different retval semantics: it returns 1 on success and 0 on
error.
This discrepancy can be observed by running viridentitytest where
case #2 reports an error ("!") - because setcon_raw() returns 1.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
tests/securityselinuxhelper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index b308ef5095..c3d6505ef2 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -140,7 +140,7 @@ int setcon_raw(const char *context)
errno = EINVAL;
return -1;
}
- return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE);
+ return g_setenv("FAKE_SELINUX_CONTEXT", context, TRUE) == TRUE ? 0 : -1;
}
int setcon(const char *context)
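Review bot: Comparing the gboolean result with "== TRUE" in setcon_raw() is fragile, because any other non-zero return would be mapped to -1; test for the failure value instead, for example "if (!g_setenv(...)) return -1;" followed by "return 0;". The new failure path also returns -1 without setting errno, unlike the EINVAL branch just above it. Both points apply equally to security_disable() in the next hunk.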
@@ -219,7 +219,7 @@ int security_disable(void)
return -1;
}
- return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE);
+ return g_setenv("FAKE_SELINUX_DISABLED", "1", TRUE) == TRUE ? 0 : -1;
}
int security_getenforce(void)
--
2.26.3
3 years, 7 months
[libvirt PATCH v3 0/8] cleanup meson checks for runtime binaries
by Pavel Hrdina
A recent attempt to add a lot of meson options to specify different
runtime paths motivated me enough to clean this up in meson.
Changes in v3:
- some patches were already pushed
- removed patch that moved virFindFileInPath from testutilsqemu.c
Changes in v2:
- split and rework patch 16/17 to address review comments
- added a new patch to clean up the libvirt.spec.in file
Pavel Hrdina (8):
virfile: introduce virFindFileInPathFull()
qemu_conf: use virFindFileInPathFull for runtime binaries
meson: drop check for runtime binary dependencies
meson: move iscsiadm check into storage_iscsi condition
meson: stop setting runtime binaries defines during compilation
meson: use runtime binaries to only resolve features with "auto" value
meson: optional_programs should be used only for building libvirt
libvirt.spec: drop no longer required build dependencies
libvirt.spec.in | 31 ----
meson.build | 214 +++++++++----------------
src/bhyve/bhyve_command.c | 4 +
src/libvirt_private.syms | 2 +-
src/locking/lock_driver_lockd.c | 12 +-
src/network/bridge_driver.c | 2 +
src/node_device/node_device_driver.c | 2 +
src/qemu/qemu_conf.c | 23 ++-
src/storage/storage_backend_logical.c | 13 ++
src/storage/storage_backend_sheepdog.c | 2 +
src/storage/storage_backend_zfs.c | 3 +
src/storage/storage_util.c | 2 +
src/storage/storage_util.h | 6 +
src/util/virdnsmasq.c | 1 +
src/util/virfile.c | 16 +-
src/util/virfile.h | 5 +-
src/util/virfirewall.h | 4 +
src/util/viriscsi.h | 2 +
src/util/virkmod.h | 3 +
src/util/virnetdevbandwidth.h | 2 +
src/util/virnetdevip.c | 2 +
src/util/virnetdevmidonet.c | 2 +
src/util/virnetdevopenvswitch.c | 2 +
src/util/virnuma.c | 1 +
src/util/virsysinfo.c | 1 +
src/util/virutil.c | 2 +
tests/testutilsqemu.c | 3 +-
tests/virfirewallmock.c | 3 +-
28 files changed, 173 insertions(+), 192 deletions(-)
--
2.30.2
3 years, 7 months
[PATCH v3 0/1] qemu: add support for max-ram-below-4g option
by Zhiyong Ye
For background, see:
https://listman.redhat.com/archives/libvir-list/2021-April/msg01196.html
V3 to V2:
* Fix conflicts created by git pull
V2 to V1:
* Change the 'below4g' attribute to not share the 'unit' argument with
actual memory size, and let its unit default to KiB
* Add docs and test changes
* Add check in the ABI stability checker code
Zhiyong Ye (1):
qemu: add support for max-ram-below-4g option
docs/formatdomain.rst | 10 ++++++--
docs/schemas/domaincommon.rng | 5 ++++
src/conf/domain_conf.c | 15 ++++++++++++
src/conf/domain_conf.h | 3 +++
src/conf/domain_validate.c | 13 ++++++++++
src/qemu/qemu_command.c | 4 ++++
tests/qemuxml2argvdata/memory-below4g.args | 29 ++++++++++++++++++++++
tests/qemuxml2argvdata/memory-below4g.xml | 26 ++++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
tests/qemuxml2xmloutdata/memory-below4g.xml | 37 +++++++++++++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
11 files changed, 142 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/memory-below4g.args
create mode 100644 tests/qemuxml2argvdata/memory-below4g.xml
create mode 100644 tests/qemuxml2xmloutdata/memory-below4g.xml
--
2.11.0
3 years, 7 months
After blockcopy with pivot, a dirty-bitmap is added, but not been removed automatically.
by ChangLimin
Hi Peter,
Since https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=7bfff40fdfe5410c446...,
after blockcopy with pivot, a dirty-bitmap is added, but it has not been removed automatically.
Is something wrong?
0. start a vm, and switch on some traces
# virsh start cirros
# virsh qemu-monitor-command cirros --hmp "trace-event handle_qmp* on"
# virsh qemu-monitor-command cirros --hmp "trace-event hbitmap* on"
1. cirros0.img is opened.
# virsh domblklist cirros
Target Source
------------------------------------
vda /vms/images1/cirros0.img
2. blockcopy and pivot to cirros1.img
# virsh blockcopy cirros vda --dest /vms/images1/cirros1.img --pivot --transient-job
Successfully pivoted
3. cirros1.img is opened
# virsh domblklist cirros
Target Source
------------------------------------
vda /vms/images1/cirros1.img
4. From qemu log, a dirty-bitmap is added @1620475221.389151
77998@1620475125.281656:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "human-monitor-command", "arguments": {"command-line": "trace-event qmp_job* on"}, "id": "libvirt-380"}
77998@1620475125.299950:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "human-monitor-command", "arguments": {"command-line": "trace-event mirror* on"}, "id": "libvirt-381"}
77998@1620475125.317931:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "human-monitor-command", "arguments": {"command-line": "trace-event hbitmap* on"}, "id": "libvirt-382"}
77998@1620475217.640133:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "query-named-block-nodes", "arguments": {"flat": true}, "id": "libvirt-383"}
77998@1620475217.642025:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-add", "arguments": {"node-name": "libvirt-2-storage", "driver": "file", "filename": "/vms/images1/cirros1.img", "auto-read-only": true, "aio": "native", "cache": {"no-flush": false, "direct": true}, "discard": "unmap"}, "id": "libvirt-384"}
77998@1620475217.643434:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-create", "arguments": {"job-id": "create-libvirt-2-format", "options": {"driver": "qcow2", "cluster-size": 65536, "size": 46137344, "file": "libvirt-2-storage"}}, "id": "libvirt-385"}
77998@1620475217.827378:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "query-jobs", "id": "libvirt-386"}
77998@1620475217.827980:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "job-dismiss", "arguments": {"id": "create-libvirt-2-format"}, "id": "libvirt-387"}
77998@1620475217.850802:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-add", "arguments": {"backing": null, "node-name": "libvirt-2-format", "driver": "qcow2", "read-only": false, "cache": {"no-flush": false, "direct": true}, "file": "libvirt-2-storage"}, "id": "libvirt-388"}
77998@1620475217.853157:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-mirror", "arguments": {"auto-finalize": true, "device": "libvirt-1-format", "auto-dismiss": false, "sync": "full", "job-id": "copy-vda-libvirt-1-format", "target": "libvirt-2-format"}, "id": "libvirt-389"}
77998@1620475217.871674:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "query-block-jobs", "id": "libvirt-390"}
77998@1620475221.387625:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "query-block-jobs", "id": "libvirt-396"}
77998@1620475221.389151:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "transaction", "arguments": {"actions": [{"type": "block-dirty-bitmap-add", "data": {"name": "libvirt-tmp-activewrite", "persistent": false, "node": "libvirt-2-format", "disabled": false}}]}, "id": "libvirt-397"}
77998@1620475221.389755:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "job-complete", "arguments": {"id": "copy-vda-libvirt-1-format"}, "id": "libvirt-398"}
77998@1620475221.391321:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "query-jobs", "id": "libvirt-399"}
77998@1620475221.391926:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "job-dismiss", "arguments": {"id": "copy-vda-libvirt-1-format"}, "id": "libvirt-400"}
77998@1620475221.393052:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-del", "arguments": {"node-name": "libvirt-1-format"}, "id": "libvirt-401"}
77998@1620475221.393702:handle_qmp_command mon 0x55ebd4b176b0 req: {"execute": "blockdev-del", "arguments": {"node-name": "libvirt-1-storage"}, "id": "libvirt-402"}
Also there are many hbitmap_xx events.
5. I have debugged the source: in qemuBlockJobProcessEventCompletedCopyBitmaps, the QEMU_CAPS_BLOCKDEV_REOPEN cap is not supported until the latest qemu.
So the bitmap is not removed. Is the QEMU_CAPS_BLOCKDEV_REOPEN cap a must?
Regards,
Chang Limin
3 years, 7 months
[PATCH v2 0/1] qemu: add support for max-ram-below-4g option
by Zhiyong Ye
Hi all,
Sorry to bother again.
Since I'm new to the libvirt community, and this is also my first time
submitting patches, I'm truly sorry for the formatting problems in what I emailed before.
Could you kindly help me review it again, and let me know if there is anything
I need to change?
For background, see:
https://listman.redhat.com/archives/libvir-list/2021-April/msg01196.html
Changes since V1:
* Change the 'below4g' attribute to not share the 'unit' argument with
actual memory size, and let its unit default to KiB
* Add docs and test changes
* Add check in the ABI stability checker code
Best regards!
Zhiyong Ye
Zhiyong Ye (1):
qemu: add support for max-ram-below-4g option
docs/formatdomain.rst | 10 ++++++--
docs/schemas/domaincommon.rng | 5 ++++
src/conf/domain_conf.c | 15 ++++++++++++
src/conf/domain_conf.h | 3 +++
src/conf/domain_validate.c | 13 ++++++++++
src/qemu/qemu_command.c | 4 ++++
tests/qemuxml2argvdata/memory-below4g.args | 29 ++++++++++++++++++++++
tests/qemuxml2argvdata/memory-below4g.xml | 26 ++++++++++++++++++++
tests/qemuxml2argvtest.c | 1 +
tests/qemuxml2xmloutdata/memory-below4g.xml | 37 +++++++++++++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
11 files changed, 142 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/memory-below4g.args
create mode 100644 tests/qemuxml2argvdata/memory-below4g.xml
create mode 100644 tests/qemuxml2xmloutdata/memory-below4g.xml
--
2.11.0
3 years, 7 months
[libvirt PATCH 0/9] make internal only secrets work with split daemons
by Daniel P. Berrangé
If you define a secret with private="yes", then libvirt won't let any
client query the secret value after it is set. Only other libvirt
drivers inside the daemon can query it by passing a special internal
only flag to the virSecretGetValue API. The remote driver/daemon
refuses to let this internal flag go over the wire preventing normal
clients from using it.
This doesn't work with the split daemons because the virSecretGetValue
API done by virtqemud / virtstoraged has to go over the wire to reach
the virtsecretd.
We need to come up with an alternative way to "prove" that the caller
of virSecretGetValue is a libvirt daemon, as opposed to a general
libvirt client.
Note that if only traditional POSIX DAC permissions are in effect
then we could consider it pointless trying to restrict access to
clients running the same user/group as the libvirt daemon. We ought
to take into account that the client might be confined by SELinux
though, so the "private secret" concept isn't entirely pointless.
Thus doing a simple uid of client == uid of daemon check is a bit
too weak. The UID check might also not fly if the modular daemons
are run inside containers with user namespaces, as the container
for virtsecretd and virtqemud might have different user mappings
in theory.
This series adds a concept of a "token" which is known only to the
libvirt daemons. The first daemon to use it writes a random hex
string to /var/run/libvirt/common/system.token. Other daemons can
read and compare this. Unless a MAC system is present this is still
largely security theatre, but that's not really worse than the
historical behaviour.
When an API call is made the virIdentity by default reflects the
identity of the UNIX process that initiated it.
When connecting to virtproxyd, the client apps' identity is forwarded
to the next virtNNNNd daemon.
When libvirt drivers, however, initiate an API call we never set any
identity. With monolithic libvirtd, they'd inherit the current client
identity automagically since it was all in the same thread local. With
modular daemons the other driver would see the identity of the other
libvirt daemon which is bad as this gives elevated privileges in the
ACL check.
Thus we fix the code which drivers use to open a connection to other
daemons, such that it applies the current caller's identity. It does
this using an "elevated" identity though, which means, we have added
in the system token. Thus the virtsecretd daemon getting the call
virSecretGetValue sees the virIdentity reflecting the client
application which originally called the virDomainCreate() API, but
with the system token set. Thus virtsecretd can see that the
virSecretGetValue was invoked by another daemon, not a libvirt
client app.
Daniel P. Berrangé (9):
util: add virRandomToken API
util: introduce concept of a system token into identities
util: generate a persistent system token
src: set system token for system identity
util: add API for copying identity objects
util: add method for getting the current identity with system token
src: add API to determine if current identity is a system identity
secret: rework handling of private secrets
src: set identity when opening secondary drivers
src/driver-secret.h | 9 +-
src/driver.c | 27 +++++
src/libvirt-secret.c | 2 +-
src/libvirt_private.syms | 5 +
src/remote/remote_driver.c | 8 +-
src/secret/secret_driver.c | 34 ++++--
src/util/viridentity.c | 230 +++++++++++++++++++++++++++++++++++++
src/util/viridentity.h | 7 ++
src/util/virrandom.c | 18 +++
src/util/virrandom.h | 1 +
src/util/virsecret.c | 3 +-
tests/qemuxml2argvtest.c | 3 +-
12 files changed, 320 insertions(+), 27 deletions(-)
--
2.31.1
3 years, 7 months
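An added example, not code from the patch series: one way a group of daemons could share the system token described in both postings of the "internal only secrets" cover letter above (first daemon writes a random hex string, the others read and compare it). The function names, the 32-hex-digit length and the temp-file-plus-link() publication step are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define TOKEN_HEX_LEN 32   /* assumed length: 16 random bytes as hex */

/* Read (wr == 0) or write (wr == 1) exactly len bytes; 0 on success. */
static int io_full(int fd, void *buf, size_t len, int wr)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = wr ? write(fd, p, len) : read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Fill out[TOKEN_HEX_LEN + 1] with random hex from the kernel CSPRNG. */
static int token_generate(char *out)
{
    unsigned char raw[TOKEN_HEX_LEN / 2];
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    int rc = fd < 0 ? -1 : io_full(fd, raw, sizeof(raw), 0);
    if (fd >= 0)
        close(fd);
    for (size_t i = 0; rc == 0 && i < sizeof(raw); i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned)raw[i]);
    return rc;
}

/* Load the token into token[TOKEN_HEX_LEN + 1]; the first caller creates it. */
int system_token_load(const char *path, char *token)
{
    char tmp[4096];
    struct stat sb;
    int rc, saved, fd;
    rc = snprintf(tmp, sizeof(tmp), "%s.%ld.tmp", path, (long)getpid());
    if (rc < 0 || (size_t)rc >= sizeof(tmp))
        return -1;
    for (;;) {
        fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
        if (fd >= 0) {
            /* Accept only a regular file with no group/other access. */
            rc = fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode) &&
                 !(sb.st_mode & 077) && io_full(fd, token, TOKEN_HEX_LEN, 0) == 0;
            close(fd);
            token[TOKEN_HEX_LEN] = '\0';
            return rc ? 0 : -1;
        }
        if (errno != ENOENT || token_generate(token) < 0)
            return -1;
        /* Write the whole token to a private temp file, then publish it with
         * link(): no reader can ever see a half-written token. */
        unlink(tmp);
        fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
        if (fd < 0)
            return -1;
        saved = io_full(fd, token, TOKEN_HEX_LEN, 1) < 0 ? EIO :
                link(tmp, path) < 0 ? errno : 0;
        close(fd);
        unlink(tmp);
        if (saved != EEXIST)    /* on EEXIST, loop and read the winner's token */
            return saved == 0 ? 0 : -1;
    }
}

/* Constant-time check that a presented token equals the daemon's own. */
int system_token_matches(const char *expected, const char *presented)
{
    unsigned char diff = 0;
    if (!presented || strlen(presented) != TOKEN_HEX_LEN)
        return 0;
    for (size_t i = 0; i < TOKEN_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ presented[i]);
    return diff == 0;
}

/* Hypothetical policy hook: private secrets go only to token-bearing callers. */
int secret_value_allowed(int is_private, const char *caller, const char *ours)
{
    return !is_private || system_token_matches(ours, caller);
}

int main(void)
{
    char t[TOKEN_HEX_LEN + 1];
    if (system_token_load("./system.token.demo", t) < 0)
        return 1;
    printf("token-less client allowed: %d\n", secret_value_allowed(1, NULL, t));
    return unlink("./system.token.demo") == 0 ? 0 : 1;
}
```

As the cover letter says, the file mode check only means something when a MAC policy keeps confined clients away from the token file; a process with the daemon's own DAC identity can read it.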