October 2023 - Devel - libvirt List Archives

[PATCH] hw/rdma: Deprecate the pvrdma device and the rdma subsystem
by Thomas Huth 05 Oct '23

05 Oct '23

This subsystem is said to be in a bad shape (see e.g. [1], [2] and [3]), and nobody seems to feel responsible to pick up patches for this and send them via a pull request. For example there is a patch for a CVE-worthy bug posted more than half a year ago [4] which has never been merged. Quoting Markus: "Given the shape it is in, I wouldn't let friends use it in production" - we shouldn't expose this to our users in the current state. Thus let's mark it as deprecated and finally remove it unless somebody steps up and improves the code quality and adds proper regression tests. [1] https://lore.kernel.org/qemu-devel/20230918144206.560120-1-armbru@redhat.co… [2] https://lore.kernel.org/qemu-devel/ZQnojJOqoFu73995@redhat.com/ [3] https://lore.kernel.org/qemu-devel/1054981c-e8ae-c676-3b04-eeb030e11f65@tls… [4] https://lore.kernel.org/qemu-devel/20230301142926.18686-1-yuval.shaia.ml@gm… [5] https://lore.kernel.org/qemu-devel/8734z9f086.fsf@pond.sub.org/ Signed-off-by: Thomas Huth <thuth(a)redhat.com> --- MAINTAINERS | 2 +- docs/about/deprecated.rst | 8 ++++++++ hw/rdma/vmw/pvrdma_main.c | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 355b1960ce..ca42b89ef8 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3815,7 +3815,7 @@ F: docs/block-replication.txt PVRDMA M: Yuval Shaia <yuval.shaia.ml(a)gmail.com> M: Marcel Apfelbaum <marcel.apfelbaum(a)gmail.com> -S: Maintained +S: Odd Fixes F: hw/rdma/* F: hw/rdma/vmw/* F: docs/pvrdma.txt diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index dc4da95329..f0c7addb1f 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -365,6 +365,14 @@ QEMU's ``vhost`` feature, which would eliminate the high latency costs under which the 9p ``proxy`` backend currently suffers. However as of to date nobody has indicated plans for such kind of reimplementation unfortunately. +``-device pvrdma`` and the rdma subsystem (since 8.2) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The pvrdma device and the whole rdma subsystem are in a bad shape and +without active maintenance. The QEMU project intends to remove this +device and subsystem from the code base in a future release without +replacement unless somebody steps up and improves the situation. + Block device options '''''''''''''''''''' diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 4fc6712025..ed49ce1e72 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -601,6 +601,8 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp) bool ram_shared = false; PCIDevice *func0; + warn_report_once("pvrdma is deprecated and will be removed in a future release"); + rdma_info_report("Initializing device %s %x.%x", pdev->name, PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn)); -- 2.41.0

4 4

[libvirt PATCH] meson: Improve nbdkit configurability
by Andrea Bolognani 04 Oct '23

04 Oct '23

Currently, nbdkit support will automatically be enabled as long as the pidfd_open(2) syscall is available. Optionally, libnbd is used to generate more user-friendly error messages. In theory this is all good, since use of nbdkit is supposed to be transparent to the user. In practice, however, there is a problem: if support for it is enabled at build time and the necessary runtime components are installed, nbdkit will always be preferred, with no way for the user to opt out. This will arguably be fine in the long run, but right now none of the platforms that we target ships with a SELinux policy that allows libvirt to launch nbdkit, and the AppArmor policy that we maintain ourselves hasn't been updated either. So, in practice, as of today having nbdkit installed on the host makes network disks completely unusable unless you're willing to compromise the overall security of the system by disabling SELinux/AppArmor. In order to make the transition smoother, provide a convenient way for users and distro packagers to disable nbdkit support at compile time until SELinux and AppArmor are ready. In the process, detection is completely overhauled. libnbd is made mandatory when nbdkit support is enabled, since availability across operating systems is comparable and offering users the option to make error messages worse doesn't make a lot of sense; we also make sure that an explicit request from the user to enable/disable nbdkit support is either complied with, or results in a build failure when that's not possible. Last but not least, we avoid linking against libnbd when nbdkit support is disabled. At the RPM level, we disable the feature when building against RHEL 8, which doesn't have pidfd_open(2), and also allow it to be disabled at build time the same as other optional features, that is, by passing "--define '_without_nbdkit 1'" to rpmbuild. Finally, if nbdkit support has been disabled, installing libvirt will no longer drag it in as a (weak) dependency. Signed-off-by: Andrea Bolognani <abologna(a)redhat.com> --- libvirt.spec.in | 23 ++++++++++++++++++++--- meson.build | 29 +++++++++++++++++++++-------- meson_options.txt | 2 +- src/qemu/qemu_nbdkit.c | 6 +++--- 4 files changed, 45 insertions(+), 15 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index f3d21ccc8f..2ea465348c 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -95,6 +95,7 @@ %define with_fuse 0 %define with_sanlock 0 %define with_numad 0 +%define with_nbdkit 0 %define with_firewalld_zone 0 %define with_netcf 0 %define with_libssh2 0 @@ -173,6 +174,13 @@ %endif %endif +# nbdkit support requires pidfd_open(2), which is not in RHEL 8 +%if %{with_qemu} + %if 0%{?fedora} || 0%{?rhel} >= 9 + %define with_nbdkit 0%{!?_without_nbdkit:1} + %endif +%endif + %ifarch %{arches_dmidecode} %define with_dmidecode 0%{!?_without_dmidecode:1} %endif @@ -312,6 +320,9 @@ BuildRequires: util-linux BuildRequires: libacl-devel # From QEMU RPMs, used by virstoragetest BuildRequires: /usr/bin/qemu-img +%endif +# nbdkit support requires libnbd +%if %{with_nbdkit} BuildRequires: libnbd-devel %endif # For LVM drivers @@ -769,9 +780,11 @@ Requires: numad Recommends: passt Recommends: passt-selinux %endif + %if %{with_nbdkit} Recommends: nbdkit Recommends: nbdkit-curl-plugin Recommends: nbdkit-ssh-plugin + %endif %description daemon-driver-qemu The qemu driver plugin for the libvirtd daemon, providing @@ -1078,10 +1091,8 @@ exit 1 %if %{with_qemu} %define arg_qemu -Ddriver_qemu=enabled - %define arg_libnbd -Dlibnbd=enabled %else %define arg_qemu -Ddriver_qemu=disabled - %define arg_libnbd -Dlibnbd=disabled %endif %if %{with_openvz} @@ -1158,6 +1169,12 @@ exit 1 %define arg_numad -Dnumad=disabled %endif +%if %{with_nbdkit} + %define arg_nbdkit -Dnbdkit=enabled +%else + %define arg_nbdkit -Dnbdkit=disabled +%endif + %if %{with_fuse} %define arg_fuse -Dfuse=enabled %else @@ -1270,7 +1287,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Dyajl=enabled \ %{?arg_sanlock} \ -Dlibpcap=enabled \ - %{?arg_libnbd} \ + %{?arg_nbdkit} \ -Dlibnl=enabled \ -Daudit=enabled \ -Ddtrace=enabled \ diff --git a/meson.build b/meson.build index 6fa1f74670..de23fbda1e 100644 --- a/meson.build +++ b/meson.build @@ -1011,10 +1011,27 @@ endif libiscsi_version = '1.18.0' libiscsi_dep = dependency('libiscsi', version: '>=' + libiscsi_version, required: get_option('libiscsi')) -libnbd_version = '1.0' -libnbd_dep = dependency('libnbd', version: '>=' + libnbd_version, required: get_option('libnbd')) -if libnbd_dep.found() - conf.set('WITH_LIBNBD', 1) +if not get_option('nbdkit').disabled() + libnbd_version = '1.0' + libnbd_dep = dependency('libnbd', version: '>=' + libnbd_version, required: false) + + nbdkit_requested = get_option('nbdkit').enabled() + nbdkit_syscall_ok = conf.has('WITH_DECL_SYS_PIDFD_OPEN') + nbdkit_libnbd_ok = libnbd_dep.found() + + if not nbdkit_syscall_ok and nbdkit_requested + error('nbdkit support requires pidfd_open(2)') + endif + if not nbdkit_libnbd_ok and nbdkit_requested + error('nbdkit support requires libnbd') + endif + + if nbdkit_syscall_ok and nbdkit_libnbd_ok + conf.set('WITH_NBDKIT', 1) + endif +endif +if not conf.has('WITH_NBDKIT') + libnbd_dep = dependency('', required: false) endif libnl_version = '3.0' @@ -2024,10 +2041,6 @@ endif conf.set_quoted('TLS_PRIORITY', get_option('tls_priority')) -if conf.has('WITH_DECL_SYS_PIDFD_OPEN') - conf.set('WITH_NBDKIT', 1) -endif - # Various definitions # Python3 < 3.7 treats the C locale as 7-bit only. We must force env vars so diff --git a/meson_options.txt b/meson_options.txt index ba6e49afc5..7c428a9eb0 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -25,7 +25,6 @@ option('curl', type: 'feature', value: 'auto', description: 'curl support') option('fuse', type: 'feature', value: 'auto', description: 'fuse support') option('glusterfs', type: 'feature', value: 'auto', description: 'glusterfs support') option('libiscsi', type: 'feature', value: 'auto', description: 'libiscsi support') -option('libnbd', type: 'feature', value: 'auto', description: 'libnbd support') option('libnl', type: 'feature', value: 'auto', description: 'libnl support') option('libpcap', type: 'feature', value: 'auto', description: 'libpcap support') option('libssh', type: 'feature', value: 'auto', description: 'libssh support') @@ -105,6 +104,7 @@ option('loader_nvram', type: 'string', value: '', description: 'Pass list of pai option('login_shell', type: 'feature', value: 'auto', description: 'build virt-login-shell') option('nss', type: 'feature', value: 'auto', description: 'enable Name Service Switch plugin for resolving guest IP addresses') option('numad', type: 'feature', value: 'auto', description: 'use numad to manage CPU placement dynamically') +option('nbdkit', type: 'feature', value: 'auto', description: 'use nbdkit to access network disks') option('pm_utils', type: 'feature', value: 'auto', description: 'use pm-utils for power management') option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs') option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string') diff --git a/src/qemu/qemu_nbdkit.c b/src/qemu/qemu_nbdkit.c index 17819ca992..3ad63cfaa0 100644 --- a/src/qemu/qemu_nbdkit.c +++ b/src/qemu/qemu_nbdkit.c @@ -19,7 +19,7 @@ #include <config.h> #include <glib.h> -#if WITH_LIBNBD +#if WITH_NBDKIT # include <libnbd.h> #endif #include <sys/syscall.h> @@ -1159,7 +1159,7 @@ qemuNbdkitProcessStart(qemuNbdkitProcess *proc, g_autofree char *basename = g_strdup_printf("%s-nbdkit-%i", vm->def->name, proc->source->id); int logfd = -1; g_autoptr(qemuLogContext) logContext = NULL; -#if WITH_LIBNBD +#if WITH_NBDKIT struct nbd_handle *nbd = NULL; #endif @@ -1214,7 +1214,7 @@ qemuNbdkitProcessStart(qemuNbdkitProcess *proc, while (virTimeBackOffWait(&timebackoff)) { if (virFileExists(proc->socketfile)) { -#if WITH_LIBNBD +#if WITH_NBDKIT /* if the disk source was misconfigured, nbdkit will not produce an error * until somebody connects to the socket and tries to access the nbd * export. This results in poor user experience because the only error we -- 2.41.0

1 0

Release of libvirt-9.8.0
by Jiri Denemark 02 Oct '23

02 Oct '23

The 9.8.0 release of both libvirt and libvirt-python is tagged and signed tarballs and source RPMs are available at https://download.libvirt.org/ https://download.libvirt.org/python/ Thanks everybody who helped with this release by sending patches, reviewing, testing, or providing feedback. Your work is greatly appreciated. * New features * network: New metadata change event The network object now has a new event ID ``VIR_NETWORK_EVENT_ID_METADATA_CHANGE`` that can be used to get notifications upon changes in any of ``<title>``, ``<description>`` or ``<metadata>``. * qemu: Add support for vDPA block devices With a new enough version of qemu, libvirt will allow you to assign vDPA block devices to a domain. This is configured with:: <disk type='vhostvdpa'> <source dev='/dev/vhost-vdpa-0'> ... * Improvements * qemu: add nbdkit backend for network disks Up until now, libvirt supported network disks (http, ftp, ssh) by passing the URL to qemu and having the appropriate qemu block drivers handle the disk I/O. However, by handling the network I/O outside of the qemu process, we get several advantages, such as reduced attack surface and improved stability of qemu. Therefore, when available, libvirt will use nbdkit as a backend for these network disks and export an NBD disk to qemu. * virnetdevopenvswitch: Propagate OVS error messages When configuring OVS interfaces/bridges libvirt used to report its own error messages instead of passing (more accurate) error messages from `ovs-vsctl`. This is now changed. * Various virtio-mem/virtio-pmem fixes Now libvirt validates more values of virtio-mem and virtio-pmem devices, e.g. overlapping memory addresses or alignment. Enjoy. Jirka

1 0