October 2024 - Devel - libvirt List Archives

[PATCH] apparmor: Allow running i686 VMs on Debian 12
by Andrea Bolognani 15 Oct '24

15 Oct '24

In Debian 12, the qemu-system-i386 binary in /usr/bin is a wrapper script, with the actual executable living in /usr/libexec instead. This makes it impossible to run i686 VMs when AppArmor is enabled. Allow running the actual binary. https://bugs.debian.org/1030926 Signed-off-by: Andrea Bolognani <abologna(a)redhat.com> --- src/security/apparmor/libvirt-qemu.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in index 8f17256554..694da26dea 100644 --- a/src/security/apparmor/libvirt-qemu.in +++ b/src/security/apparmor/libvirt-qemu.in @@ -172,6 +172,9 @@ /usr/bin/qemu-system-xtensaeb rmix, /usr/bin/qemu-unicore32 rmix, /usr/bin/qemu-x86_64 rmix, + # Debian 12 has a wrapper script in /usr/bin while the actual + # binary lives in /usr/libexec (Debian: #1030926) + /usr/libexec/qemu-system-i386 rmix, # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) /usr/{lib,lib64}/qemu/*.so mr, /usr/lib/(a){multiarch}/qemu/*.so mr, -- 2.46.2

2 1

[PATCH 0/5] ci: various CI fixes
by Daniel P. Berrangé 15 Oct '24

15 Oct '24

This fixes various issues with CI across multiple platforms, debian, Fedora and macOS. Daniel P. Berrangé (5): meson: unconditionally enable polkit on non-Windows ci: drop polkit from build deps tests: stop stubbing libselinux APIs for purpose of data overrides wireshark: drop gmodule.h include to avoid glib warnings ci: update macOS versions under test ci/buildenv/almalinux-9.sh | 1 - ci/buildenv/alpine-319.sh | 1 - ci/buildenv/alpine-edge.sh | 1 - ci/buildenv/centos-stream-9.sh | 1 - ci/buildenv/debian-11-cross-aarch64.sh | 1 - ci/buildenv/debian-11-cross-armv6l.sh | 1 - ci/buildenv/debian-11-cross-armv7l.sh | 1 - ci/buildenv/debian-11-cross-i686.sh | 1 - ci/buildenv/debian-11-cross-mips64el.sh | 1 - ci/buildenv/debian-11-cross-mipsel.sh | 1 - ci/buildenv/debian-11-cross-ppc64le.sh | 1 - ci/buildenv/debian-11-cross-s390x.sh | 1 - ci/buildenv/debian-11.sh | 1 - ci/buildenv/debian-12-cross-aarch64.sh | 1 - ci/buildenv/debian-12-cross-armv6l.sh | 1 - ci/buildenv/debian-12-cross-armv7l.sh | 1 - ci/buildenv/debian-12-cross-i686.sh | 1 - ci/buildenv/debian-12-cross-mips64el.sh | 1 - ci/buildenv/debian-12-cross-mipsel.sh | 1 - ci/buildenv/debian-12-cross-ppc64le.sh | 1 - ci/buildenv/debian-12-cross-s390x.sh | 1 - ci/buildenv/debian-12.sh | 1 - ci/buildenv/debian-sid-cross-aarch64.sh | 1 - ci/buildenv/debian-sid-cross-armv6l.sh | 1 - ci/buildenv/debian-sid-cross-armv7l.sh | 1 - ci/buildenv/debian-sid-cross-i686.sh | 1 - ci/buildenv/debian-sid-cross-mips64el.sh | 1 - ci/buildenv/debian-sid-cross-ppc64le.sh | 1 - ci/buildenv/debian-sid-cross-s390x.sh | 1 - ci/buildenv/debian-sid.sh | 1 - ci/buildenv/fedora-39.sh | 1 - ci/buildenv/fedora-40-cross-mingw32.sh | 1 - ci/buildenv/fedora-40-cross-mingw64.sh | 1 - ci/buildenv/fedora-40.sh | 1 - ci/buildenv/fedora-rawhide-cross-mingw32.sh | 1 - ci/buildenv/fedora-rawhide-cross-mingw64.sh | 1 - ci/buildenv/fedora-rawhide.sh | 1 - ci/buildenv/opensuse-leap-15.sh | 2 +- ci/buildenv/opensuse-tumbleweed.sh | 1 - ci/buildenv/ubuntu-2204.sh | 1 - ci/buildenv/ubuntu-2404.sh | 1 - ci/cirrus/build.yml | 2 ++ ci/cirrus/freebsd-13.vars | 2 +- ci/cirrus/freebsd-14.vars | 2 +- ci/cirrus/macos-13.vars | 16 ------------ ci/containers/almalinux-9.Dockerfile | 1 - ci/containers/alpine-319.Dockerfile | 1 - ci/containers/alpine-edge.Dockerfile | 1 - ci/containers/centos-stream-9.Dockerfile | 1 - .../debian-11-cross-aarch64.Dockerfile | 1 - .../debian-11-cross-armv6l.Dockerfile | 1 - .../debian-11-cross-armv7l.Dockerfile | 1 - ci/containers/debian-11-cross-i686.Dockerfile | 1 - .../debian-11-cross-mips64el.Dockerfile | 1 - .../debian-11-cross-mipsel.Dockerfile | 1 - .../debian-11-cross-ppc64le.Dockerfile | 1 - .../debian-11-cross-s390x.Dockerfile | 1 - ci/containers/debian-11.Dockerfile | 1 - .../debian-12-cross-aarch64.Dockerfile | 1 - .../debian-12-cross-armv6l.Dockerfile | 1 - .../debian-12-cross-armv7l.Dockerfile | 1 - ci/containers/debian-12-cross-i686.Dockerfile | 1 - .../debian-12-cross-mips64el.Dockerfile | 1 - .../debian-12-cross-mipsel.Dockerfile | 1 - .../debian-12-cross-ppc64le.Dockerfile | 1 - .../debian-12-cross-s390x.Dockerfile | 1 - ci/containers/debian-12.Dockerfile | 1 - .../debian-sid-cross-aarch64.Dockerfile | 1 - .../debian-sid-cross-armv6l.Dockerfile | 1 - .../debian-sid-cross-armv7l.Dockerfile | 1 - .../debian-sid-cross-i686.Dockerfile | 1 - .../debian-sid-cross-mips64el.Dockerfile | 1 - .../debian-sid-cross-ppc64le.Dockerfile | 1 - .../debian-sid-cross-s390x.Dockerfile | 1 - ci/containers/debian-sid.Dockerfile | 1 - ci/containers/fedora-39.Dockerfile | 1 - .../fedora-40-cross-mingw32.Dockerfile | 1 - .../fedora-40-cross-mingw64.Dockerfile | 1 - ci/containers/fedora-40.Dockerfile | 1 - .../fedora-rawhide-cross-mingw32.Dockerfile | 1 - .../fedora-rawhide-cross-mingw64.Dockerfile | 1 - ci/containers/fedora-rawhide.Dockerfile | 1 - ci/containers/opensuse-leap-15.Dockerfile | 2 +- ci/containers/opensuse-tumbleweed.Dockerfile | 1 - ci/containers/ubuntu-2204.Dockerfile | 1 - ci/containers/ubuntu-2404.Dockerfile | 1 - ci/gitlab/builds.yml | 12 +++++---- ci/lcitool/projects/libvirt.yml | 1 - ci/manifest.yml | 9 ++++--- meson.build | 5 ---- tests/securityselinuxhelper.c | 25 ------------------- tests/securityselinuxlabeltest.c | 5 +++- tests/securityselinuxtest.c | 2 +- tests/viridentitytest.c | 4 +-- tools/wireshark/src/plugin.c | 2 -- 95 files changed, 25 insertions(+), 146 deletions(-) delete mode 100644 ci/cirrus/macos-13.vars -- 2.46.0

2 15

[libvirt ci] Why no artifacts for macOS & FreeBSD?
by Richard W.M. Jones 14 Oct '24

14 Oct '24

[I couldn't find out where to send questions / bugs related to libvirt CI, so here I am ...] https://gitlab.com/nbdkit/libnbd/-/pipelines/1493147187 It would be much easier to fix the above pipeline (which doesn't reproduce locally) if I could download artifacts for the failing builds. However we don't seem to have them for macOS and FreeBSD. They work fine for Linux. Why, and can they be generated somehow? Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit

2 4

[PATCH v2 00/13] Implement support for QCOW2 data files
by Nikolai Barybin 14 Oct '24

14 Oct '24

Hello everyone! With help of Peter's review and after researching Cole's patches I've come up with the second version. Changes since last revision: - properly taken in account (while probing disk chain) usecase when we have data-file as part of some backing image - added proper integration with security drivers instead of call to chown - data-file is added to qemu cmdline as a reference to blockdev - added XML formatiing and parsing - added basic tests to qemublocktest Nikolai Barybin (13): conf: add data-file feature and related fields to virStorageSource storage file: add getDataFile function to FileTypeInfo storage file: add qcow2 data-file path parsing from header storage file: fill in src->dataFileStore during file probe security: DAC: handle qcow2 data-file on image label set/restore security: selinux: handle qcow2 data-file on image label set/restore security: apparmor: handle qcow2 data-file qemu: put data-file path to VM's cgroup and namespace qemu: factor out qemuDomainPrepareStorageSource() qemu: enable basic qcow2 data-file feature support conf: schemas: add data-file store to domain rng schema conf: implement XML parsing/formatingo for dataFileStore tests: add qcow2 data-file basic tests to qemublocktest src/conf/domain_conf.c | 98 +++++++++++++++++++ src/conf/domain_conf.h | 13 +++ src/conf/schemas/domaincommon.rng | 15 +++ src/conf/storage_source_conf.c | 11 +++ src/conf/storage_source_conf.h | 5 + src/qemu/qemu_block.c | 7 ++ src/qemu/qemu_cgroup.c | 4 + src/qemu/qemu_command.c | 5 + src/qemu/qemu_domain.c | 50 +++++++--- src/qemu/qemu_namespace.c | 5 + src/security/security_dac.c | 26 ++++- src/security/security_selinux.c | 20 +++- src/security/virt-aa-helper.c | 4 + src/storage_file/storage_file_probe.c | 85 ++++++++++++---- src/storage_file/storage_source.c | 28 ++++++ src/storage_file/storage_source.h | 3 + tests/qemublocktest.c | 78 +++++++++------ ...backing-with-data-file-noopts-srconly.json | 27 +++++ ...e-qcow2-backing-with-data-file-noopts.json | 41 ++++++++ ...le-qcow2-backing-with-data-file-noopts.xml | 35 +++++++ .../file-qcow2-data-file-noopts-srconly.json | 18 ++++ .../xml2json/file-qcow2-data-file-noopts.json | 27 +++++ .../xml2json/file-qcow2-data-file-noopts.xml | 24 +++++ 23 files changed, 558 insertions(+), 71 deletions(-) create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts-srconly.json create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts.json create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts.xml create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts-srconly.json create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts.json create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts.xml -- 2.43.5

2 26

[PATCH] qemu: migration: Fix blockdev config with VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES
by Peter Krempa 14 Oct '24

14 Oct '24

The idea of migration with VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES populated is to sparsify the image. The QEMU NBD client as it was configured in commit 621f879adf98e2c93ac5c8c869733a57f06cd9aa would signal to the destination to do thick allocation of holes which would result in a non-sparse image for any backend except a qcow2 image which I used to test it. Switch to VIR_DOMAIN_DISK_DETECT_ZEROES_UNMAP and VIR_DOMAIN_DISK_DISCARD_UNMAP which tells the NBD client (and that in turn the NBD server) to preserve the sparse blocks it detected from the image. Fixes: 621f879adf98e2c93ac5c8c869733a57f06cd9aa Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- src/qemu/qemu_migration.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 179e9d7c83..832b2946e0 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1092,8 +1092,14 @@ qemuMigrationSrcNBDStorageCopyBlockdevPrepareSource(virDomainDiskDef *disk, copysrc->protocol = VIR_STORAGE_NET_PROTOCOL_NBD; copysrc->format = VIR_STORAGE_FILE_RAW; - if (detect_zeroes) - copysrc->detect_zeroes = VIR_DOMAIN_DISK_DETECT_ZEROES_ON; + if (detect_zeroes) { + /* We need to use both VIR_DOMAIN_DISK_DETECT_ZEROES_UNMAP and + * VIR_DOMAIN_DISK_DISCARD_UNMAP as the qemu NBD client otherwise singals + * to the server to fully allocate the zero blocks + */ + copysrc->detect_zeroes = VIR_DOMAIN_DISK_DETECT_ZEROES_UNMAP; + copysrc->discard = VIR_DOMAIN_DISK_DISCARD_UNMAP; + } copysrc->backingStore = virStorageSourceNew(); -- 2.46.2

2 1

Re: [PATCH RFC v4 11/17] qemu: block: Support block disk along with throttle filters
by Peter Krempa 14 Oct '24

14 Oct '24

On Mon, Sep 30, 2024 at 10:14:59 +0000, Edward Arulanadam wrote: > Dear All, > > My sincere apologies on reaching out regarding this change as I know, someone would be reviewing the change and provide review comments as per the community guidelines. Since this change is very critical for us to move forward, may I request for a review and let us know if this is good now. Hi, when this last iteration was posted I got a note (off-list) from the author stating that they might not be able to continue work on that series. Are you going to pick up the work on that series? If so make sure to configure your mail client to avoid breaking threads (as you did with this mail). I'll use the existing convention of using 'reply-all' to the patches so you might not get CC'd for the postings which are already on-list. If that's a problem please re-post the series (obviously keeping authorship intact). I'm keeping it on my to-do list but due to personal reasons I'm really backlogged in reviews so please be patient.

1 1

[PATCH] qemu: snapshot: Remove dead code in 'qemuSnapshotDeleteBlockJobRunning'
by Peter Krempa 14 Oct '24

14 Oct '24

'qemuSnapshotDeleteBlockJobIsRunning' returns only 0 and 1. Convert it to bool and remove the dead code handling -1 return in the caller. Closes: https://gitlab.com/libvirt/libvirt/-/issues/682 Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- src/qemu/qemu_snapshot.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c index 77ff842fab..1187ebf276 100644 --- a/src/qemu/qemu_snapshot.c +++ b/src/qemu/qemu_snapshot.c @@ -3303,7 +3303,7 @@ qemuSnapshotDeleteUpdateDisks(void *payload, /* Deleting external snapshot is started by running qemu block-commit job. * We need to wait for all block-commit jobs to be 'ready' or 'pending' to * continue with external snapshot deletion. */ -static int +static bool qemuSnapshotDeleteBlockJobIsRunning(qemuBlockjobState state) { switch (state) { @@ -3311,7 +3311,7 @@ qemuSnapshotDeleteBlockJobIsRunning(qemuBlockjobState state) case QEMU_BLOCKJOB_STATE_RUNNING: case QEMU_BLOCKJOB_STATE_ABORTING: case QEMU_BLOCKJOB_STATE_PIVOTING: - return 1; + return true; case QEMU_BLOCKJOB_STATE_COMPLETED: case QEMU_BLOCKJOB_STATE_FAILED: @@ -3323,7 +3323,7 @@ qemuSnapshotDeleteBlockJobIsRunning(qemuBlockjobState state) break; } - return 0; + return false; } @@ -3359,18 +3359,14 @@ static int qemuSnapshotDeleteBlockJobRunning(virDomainObj *vm, qemuBlockJobData *job) { - int rc; qemuBlockJobUpdate(vm, job, VIR_ASYNC_JOB_SNAPSHOT); - while ((rc = qemuSnapshotDeleteBlockJobIsRunning(job->state)) > 0) { + while (qemuSnapshotDeleteBlockJobIsRunning(job->state)) { if (qemuDomainObjWait(vm) < 0) return -1; qemuBlockJobUpdate(vm, job, VIR_ASYNC_JOB_SNAPSHOT); } - if (rc < 0) - return -1; - return 0; } -- 2.46.2

2 1

[PATCH] docs: Document watchdog action=dump slightly more
by Martin Kletzander 12 Oct '24

12 Oct '24

With watchdog action=dump the actual watchdog action is set to pause and the daemon then proceeds to dump the process. After that the domain is resumed. That was the case since the feature was added. However the resuming of the domain might be unexpected, especially when compared to HW watchdog, which will never run the guest from the point where it got interrupted. Document the pre-existing behaviour, since any change might be unexpected as well. Change of behaviour would require new options like dump+reset, dump+pause, etc. That option is still possible, but orthogonal to this change. Resolves: https://issues.redhat.com/browse/RHEL-753 Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> --- docs/formatdomain.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 4336cff3ac05..e6f09a728f0f 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -7914,7 +7914,8 @@ southbridge, which is used with the q35 machine type. :since:`Since 9.1.0` - 'poweroff' - forcefully power off the guest - 'pause' - pause the guest - 'none' - do nothing - - 'dump' - automatically dump the guest :since:`Since 0.8.7` + - 'dump' - automatically dump the guest, beware that after the + dump the guest will be resumed :since:`Since 0.8.7` - 'inject-nmi' - inject a non-maskable interrupt into the guest :since:`Since 1.2.17` -- 2.46.2

3 2

[PATCH] ch: Enable a logfile for ch guests
by Praveen K Paladugu 11 Oct '24

11 Oct '24

Create a logfile to capture output from cloud-hypervisor whenever a guest is started. Signed-off-by: Praveen K Paladugu <prapal(a)linux.microsoft.com> --- src/ch/ch_monitor.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/ch/ch_monitor.c b/src/ch/ch_monitor.c index 3e49902791..7421a550b6 100644 --- a/src/ch/ch_monitor.c +++ b/src/ch/ch_monitor.c @@ -541,6 +541,9 @@ virCHMonitorNew(virDomainObj *vm, virCHDriverConfig *cfg) g_autoptr(virCHMonitor) mon = NULL; g_autoptr(virCommand) cmd = NULL; const char *socketdir = cfg->stateDir; + const char *logdir = cfg->logDir; + g_autofree char *logfile = NULL; + int socket_fd = 0; if (virCHMonitorInitialize() < 0) @@ -564,6 +567,14 @@ virCHMonitorNew(virDomainObj *vm, virCHDriverConfig *cfg) return NULL; } + logfile = g_strdup_printf("%s/%s.log", logdir, vm->def->name); + if (g_mkdir_with_parents(logdir, 0777) < 0) { + virReportSystemError(errno, + _("Cannot create log directory '%1$s'"), + logdir); + return NULL; + } + if (g_mkdir_with_parents(cfg->saveDir, 0777) < 0) { virReportSystemError(errno, _("Cannot create save directory '%1$s'"), @@ -583,6 +594,9 @@ virCHMonitorNew(virDomainObj *vm, virCHDriverConfig *cfg) virCommandAddArg(cmd, "--api-socket"); virCommandAddArgFormat(cmd, "fd=%d", socket_fd); + virCommandAddArg(cmd, "-v"); + virCommandAddArg(cmd, "--log-file"); + virCommandAddArgFormat(cmd, "%s", logfile); virCommandPassFD(cmd, socket_fd, VIR_COMMAND_PASS_FD_CLOSE_PARENT); /* launch Cloud-Hypervisor socket */ -- 2.44.0

1 0

[PATCH] util: Rename variable "major" in virIsDevMapperDevice
by Jiri Denemark 11 Oct '24

11 Oct '24

major() is a macro defined in sys/sysmacros.h so luckily the code works, but it's very confusing. Let's rename the local variable to make the difference between it and the macro more obvious. And while touching the line we can also initialize it to make sure "clever" analyzers do not think it may be used uninitialized. Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> --- src/util/virdevmapper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c index 70ce0f0c23..d0eae671ab 100644 --- a/src/util/virdevmapper.c +++ b/src/util/virdevmapper.c @@ -321,14 +321,14 @@ bool virIsDevMapperDevice(const char *dev_name) { struct stat buf; - unsigned int major; + unsigned int maj = 0; - if (virDevMapperGetMajor(&major) < 0) + if (virDevMapperGetMajor(&maj) < 0) return false; if (!stat(dev_name, &buf) && S_ISBLK(buf.st_mode) && - major(buf.st_rdev) == major) + major(buf.st_rdev) == maj) return true; return false; -- 2.47.0

2 1