June 2024 - Devel - libvirt List Archives

[libvirt PATCH 00/28] native support for nftables in virtual network driver
by Laine Stump 11 Jun '24

11 Jun '24

(After replying to your message, I noticed that you had sent it as a reply to a much earlier version of the nftables patches sent a year ago to the old mailing list, rather than the most recent version that was pushed, which was very different, and sent to deel(a)lists.libvirt.org, so I'm re-sending my response, but to the new mailing list :-)) On 6/10/24 2:54 PM, Roman Bogorodskiy wrote: > Laine Stump wrote: > >> This patch series enables libvirt to use nftables rules rather than >> iptables *when setting up virtual networks* (it does *not* add >> nftables support to the nwfilter driver). It accomplishes this by >> abstracting several iptables functions (from viriptables.[ch] called >> by the virtual network driver into a rudimentary "virNetfilter API" >> (in virnetfilter.[ch], having the virtual network driver call the >> virNetFilter API rather than calling the existing iptables functions >> directly, and then finally adding an equivalent virNftables backend >> that can be used instead of iptables (selected manually via a >> network.conf setting, or automatically if iptables isn't found on the >> host). > > Hi, > > Apparently, I'm late to the discussion. > > I noticed that now I cannot use the bridge driver on FreeBSD as it's > failing to initialize both iptables and nftables backends (which is > expect). Yeah, previously we wouldn't check if iptables was available until someone tried to start a network that would need to use it, and would then log an error (and just fail starting that network, but the network driver would remain running). But now we figure out which firewall backend to use immediately when the driver is loaded, and if we fail to fin a workable backend we fail the entire driver init.r How did you use the network driver before? With a <forward mode='open'/> network? Truthfully I hadn't ever considered the case of someone using it with only network types that didn't need firewall rules. I wonder if there are other platforms we support that have a usable network driver for <forward mode='open'/> (MacOS?) > > What would be a good way to address that? I see at least two options: > > 1. Add a Noop firewall driver > 2. Implement a "real" FreeBSD driver based either on pf or ipfw (that's > been on my TODO list forever, but I somehow got stuck on the very first > step on choosing between pf and ipfw). Why not both? :-) > This obviously will take much > more time. > > Maybe there are other options I'm missing. Obviously (2) would be nicest, but I guess in the short term some variation of (1) would be quicker. Another possibility could be to restore the old behavior of saving the error and only reporting it when a network requiring a firewall is loaded, but I think I remember a discussion about this during review of an earlier revision of the patches, and we agreed that it made the problem easier to find if it was reported immediately and the driver load failed. I suppose in the long run the build-time option firewall_backend_priority should be used to control which backends are included in the build (rather than just which ones are checked at runtime), so that FreeBSD could completely skip all the iptables and nftables code (and firewalld when that's done), and Linux platforms could skip pf and ipfw. > > What do you think? I'm about to be offline for 3 weeks, but in the meantime if you'd like to try making a NULL backend that is only an option if it's listed in firewall_backend_priority (you'll need to remove the compile-time check that all possible backends are accounted for - I think that is the first of the two G_STATIC_ASSERTS at the top of virNetworkLoadDriverConfig()), always initializes successfully in bridge_driver_conf.c if it is listed in the options, and then in networkAddFirewallRules add a check to log an error and fail if backend == NULL (something about attempting to start a network type that would require firewall rules, but the system not having any of the supported types of firewallbackend or something - it's too late now and my brain is too fried and sleepy to think of good wording :-)). As long as it isn't a valid selection on Linux builds that are done with firewall_backend_priority=nftables,iptables, but *is* a valid selection if the setting is "firewall_backend_priority=null" that shouldn't be *too* controversial. Later we can talk about pf and ipfw backends :-)

1 0

[PATCH v2] meson: allow systemd sysusersdir to be changed
by Daniel P. Berrangé 10 Jun '24

10 Jun '24

We currently hardcode the systemd sysusersdir, but it is desirable to be able to choose a different location in some cases. For example, Fedora flatpak builds change the RPM %_sysusersdir macro, but we can't currently honour that. Reported-by: Yaakov Selkowitz <yselkowi(a)redhat.com> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- libvirt.spec.in | 1 + meson.build | 5 +++++ meson_options.txt | 1 + src/qemu/meson.build | 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 244e5e824c..347a609add 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1328,6 +1328,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Drunstatedir=%{_rundir} \ -Dinitconfdir=%{_sysconfdir}/sysconfig \ -Dunitdir=%{_unitdir} \ + -Dsysusersdir=%{_sysusersdir} \ %{?arg_qemu} \ %{?arg_openvz} \ %{?arg_lxc} \ diff --git a/meson.build b/meson.build index 295613fd93..5c7cd7ec2e 100644 --- a/meson.build +++ b/meson.build @@ -100,6 +100,11 @@ if unitdir == '' unitdir = prefix / 'lib' / 'systemd' / 'system' endif +sysusersdir = get_option('sysusersdir') +if sysusersdir == '' + sysusersdir = prefix / 'lib' / 'sysusers.d' +endif + bindir = prefix / get_option('bindir') datadir = prefix / get_option('datadir') includedir = prefix / get_option('includedir') diff --git a/meson_options.txt b/meson_options.txt index a4f1dd769f..50d71427cb 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -5,6 +5,7 @@ option('system', type: 'boolean', value: false, description: 'Set install paths option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc') option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files') option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files') +option('sysusersdir', type: 'string', value: '', description: 'directory for sysusers files') # dep:tests option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)') option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation') diff --git a/src/qemu/meson.build b/src/qemu/meson.build index 907893d431..57356451e4 100644 --- a/src/qemu/meson.build +++ b/src/qemu/meson.build @@ -163,7 +163,7 @@ if conf.has('WITH_QEMU') # Install the sysuser config for the qemu driver install_data( 'libvirt-qemu.sysusers.conf', - install_dir: prefix / 'lib' / 'sysusers.d', + install_dir: sysusersdir, rename: [ 'libvirt-qemu.conf' ], ) -- 2.43.0

2 1

[PATCH 0/5] Introduce pstore device
by Michal Privoznik 10 Jun '24

10 Jun '24

*** BLURB HERE *** Michal Prívozník (5): qemu_capabilities: Introduce QEMU_CAPS_DEVICE_ACPI_ERST conf: Introduce pstore device qemu: Build cmd line for pstore device security: Set seclabels for pstore device NEWS: Document pstore device addition NEWS.rst | 7 + docs/formatdomain.rst | 32 ++++ src/ch/ch_domain.c | 1 + src/conf/domain_conf.c | 153 ++++++++++++++++++ src/conf/domain_conf.h | 19 +++ src/conf/domain_postparse.c | 1 + src/conf/domain_validate.c | 30 ++++ src/conf/schemas/domaincommon.rng | 25 +++ src/conf/virconftypes.h | 2 + src/hyperv/hyperv_driver.c | 1 + src/libvirt_private.syms | 2 + src/libxl/libxl_driver.c | 6 + src/lxc/lxc_driver.c | 6 + src/qemu/qemu_alias.c | 10 ++ src/qemu/qemu_capabilities.c | 4 + src/qemu/qemu_capabilities.h | 3 + src/qemu/qemu_command.c | 52 ++++++ src/qemu/qemu_domain.c | 3 + src/qemu/qemu_domain_address.c | 11 ++ src/qemu/qemu_driver.c | 3 + src/qemu/qemu_hotplug.c | 5 + src/qemu/qemu_validate.c | 26 +++ src/security/security_dac.c | 10 ++ src/security/security_selinux.c | 9 ++ src/security/virt-aa-helper.c | 4 + .../caps_7.0.0_aarch64+hvf.xml | 1 + .../caps_7.0.0_aarch64.xml | 1 + .../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 1 + .../caps_7.0.0_x86_64.xml | 1 + .../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 1 + .../caps_7.1.0_x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 1 + .../caps_7.2.0_x86_64+hvf.xml | 1 + .../caps_7.2.0_x86_64.xml | 1 + .../caps_8.0.0_x86_64.xml | 1 + .../caps_8.1.0_x86_64.xml | 1 + .../caps_8.2.0_aarch64.xml | 1 + .../caps_8.2.0_armv7l.xml | 1 + .../caps_8.2.0_loongarch64.xml | 1 + .../caps_8.2.0_x86_64.xml | 1 + .../caps_9.0.0_x86_64.xml | 1 + .../caps_9.1.0_x86_64.xml | 1 + .../pstore-acpi-erst.x86_64-latest.args | 38 +++++ .../pstore-acpi-erst.x86_64-latest.xml | 1 + tests/qemuxmlconfdata/pstore-acpi-erst.xml | 53 ++++++ tests/qemuxmlconftest.c | 1 + 46 files changed, 535 insertions(+) create mode 100644 tests/qemuxmlconfdata/pstore-acpi-erst.x86_64-latest.args create mode 120000 tests/qemuxmlconfdata/pstore-acpi-erst.x86_64-latest.xml create mode 100644 tests/qemuxmlconfdata/pstore-acpi-erst.xml -- 2.44.2

1 5

[PATCH] network: allow for forward dev to be a transient interface
by Laine Stump 07 Jun '24

07 Jun '24

A user reported that if they set <forward mode='nat|route' dev='blah'> starting the network would fail if the device 'blah' didn't already exist. This is caused by using "iif" and "oif" in nftables rules to check for the forwarding device - these two commands work by saving the named interface's ifindex (an unsigned integer) when the rule is added, and comparing it to the ifindex associated with the packet's path at runtime. This works great if the interface both 1) exists when the rule is added, and 2) is never deleted and re-created after the rule is added (since it would end up with a different ifindex). When checking for the network's bridge device, it is okay for us to use "iif" and "oif", because the bridge device is created before the firewall rules are added, and will continue to exist until just after the firewall rules are deleted when the network is shutdown. But since the forward device might be deleted/re-added during the lifetime of the network's firewall rules, we must instead us "oifname" and "iifname" - these are much less efficient than "Xif" because they do a string compare of the interface's name rather than just comparing two integers (ifindex), but they don't require the interface to exist when the rule is added, and they can properly cope with the named interface being deleted and re-added later. Fixes: a4f38f6ffe6a9edc001d18890ccfc3f38e72fb94 Signed-off-by: Laine Stump <laine(a)redhat.com> --- src/network/network_nftables.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index 59ab231a06..268d1f12ca 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -362,7 +362,7 @@ nftablesAddForwardAllowOut(virFirewall *fw, "iif", iface, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); @@ -398,7 +398,7 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw, VIR_NFTABLES_FWD_IN_CHAIN, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, layerStr, "daddr", networkstr, @@ -437,7 +437,7 @@ nftablesAddForwardAllowIn(virFirewall *fw, layerStr, "daddr", networkstr, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, "counter", "accept", NULL); @@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw, layerStr, "daddr", "!=", networkstr, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); if (protocol && protocol[0]) { if (port->start == 0 && port->end == 0) { @@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, layerStr, "saddr", networkstr, -- 2.45.1

2 2

[PATCH] meson: allow systemd sysusersdir to be changed
by Daniel P. Berrangé 07 Jun '24

07 Jun '24

We currently hardcode the systemd sysusersdir, but it is desirable to be able to choose a different location in some cases. For example, Fedora flatpak builds change the RPM %_sysusersdir macro, but we can't currently honour that. Reported-by: Yaakov Selkowitz <yselkowi(a)redhat.com> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- libvirt.spec.in | 1 + meson.build | 5 +++++ meson_options.txt | 1 + src/qemu/meson.build | 2 +- 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 244e5e824c..347a609add 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1328,6 +1328,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Drunstatedir=%{_rundir} \ -Dinitconfdir=%{_sysconfdir}/sysconfig \ -Dunitdir=%{_unitdir} \ + -Dsysusersdir=%{_sysusersdir} \ %{?arg_qemu} \ %{?arg_openvz} \ %{?arg_lxc} \ diff --git a/meson.build b/meson.build index 295613fd93..2fc9ab3e96 100644 --- a/meson.build +++ b/meson.build @@ -100,6 +100,11 @@ if unitdir == '' unitdir = prefix / 'lib' / 'systemd' / 'system' endif +sysusersdir = getoption('sysusersdir') +if sysusersdir == '' + sysusersdir = prefix / 'lib' / 'sysusers.d' +endif + bindir = prefix / get_option('bindir') datadir = prefix / get_option('datadir') includedir = prefix / get_option('includedir') diff --git a/meson_options.txt b/meson_options.txt index a4f1dd769f..50d71427cb 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -5,6 +5,7 @@ option('system', type: 'boolean', value: false, description: 'Set install paths option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc') option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files') option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files') +option('sysusersdir', type: 'string', value: '', description: 'directory for sysusers files') # dep:tests option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)') option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation') diff --git a/src/qemu/meson.build b/src/qemu/meson.build index 907893d431..57356451e4 100644 --- a/src/qemu/meson.build +++ b/src/qemu/meson.build @@ -163,7 +163,7 @@ if conf.has('WITH_QEMU') # Install the sysuser config for the qemu driver install_data( 'libvirt-qemu.sysusers.conf', - install_dir: prefix / 'lib' / 'sysusers.d', + install_dir: sysusersdir, rename: [ 'libvirt-qemu.conf' ], ) -- 2.43.0

2 1

[PATCH-for-9.1 v2 0/3] rdma: Remove RDMA subsystem and pvrdma device
by Philippe Mathieu-Daudé 07 Jun '24

07 Jun '24

Since v1: - split in 3 (Thomas) - justify gluster removal Philippe Mathieu-Daudé (3): hw/rdma: Remove pvrdma device and rdmacm-mux helper migration: Remove RDMA protocol handling block/gluster: Remove RDMA protocol handling MAINTAINERS | 17 - docs/about/deprecated.rst | 9 - docs/about/removed-features.rst | 4 + docs/devel/migration/main.rst | 6 - docs/pvrdma.txt | 345 -- docs/rdma.txt | 420 -- docs/system/device-url-syntax.rst.inc | 4 +- docs/system/loongarch/virt.rst | 2 +- docs/system/qemu-block-drivers.rst.inc | 1 - meson.build | 59 - qapi/machine.json | 17 - qapi/migration.json | 31 +- qapi/qapi-schema.json | 1 - qapi/rdma.json | 38 - contrib/rdmacm-mux/rdmacm-mux.h | 61 - hw/rdma/rdma_backend.h | 129 - hw/rdma/rdma_backend_defs.h | 76 - hw/rdma/rdma_rm.h | 97 - hw/rdma/rdma_rm_defs.h | 146 - hw/rdma/rdma_utils.h | 63 - hw/rdma/trace.h | 1 - hw/rdma/vmw/pvrdma.h | 144 - hw/rdma/vmw/pvrdma_dev_ring.h | 46 - hw/rdma/vmw/pvrdma_qp_ops.h | 28 - hw/rdma/vmw/trace.h | 1 - include/hw/rdma/rdma.h | 37 - include/monitor/hmp.h | 1 - .../infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h | 685 --- .../infiniband/hw/vmw_pvrdma/pvrdma_verbs.h | 348 -- .../standard-headers/rdma/vmw_pvrdma-abi.h | 310 -- migration/migration-stats.h | 6 +- migration/migration.h | 9 - migration/options.h | 2 - migration/rdma.h | 69 - block/gluster.c | 39 - contrib/rdmacm-mux/main.c | 831 ---- hw/core/machine-qmp-cmds.c | 32 - hw/rdma/rdma.c | 30 - hw/rdma/rdma_backend.c | 1401 ------ hw/rdma/rdma_rm.c | 812 ---- hw/rdma/rdma_utils.c | 126 - hw/rdma/vmw/pvrdma_cmd.c | 815 ---- hw/rdma/vmw/pvrdma_dev_ring.c | 141 - hw/rdma/vmw/pvrdma_main.c | 735 --- hw/rdma/vmw/pvrdma_qp_ops.c | 298 -- migration/migration-stats.c | 5 +- migration/migration.c | 31 - migration/options.c | 16 - migration/qemu-file.c | 1 - migration/ram.c | 86 +- migration/rdma.c | 4184 ----------------- migration/savevm.c | 2 +- monitor/qmp-cmds.c | 1 - Kconfig.host | 3 - contrib/rdmacm-mux/meson.build | 7 - hmp-commands-info.hx | 13 - hw/Kconfig | 1 - hw/meson.build | 1 - hw/rdma/Kconfig | 3 - hw/rdma/meson.build | 12 - hw/rdma/trace-events | 31 - hw/rdma/vmw/trace-events | 17 - meson_options.txt | 4 - migration/meson.build | 1 - migration/trace-events | 68 +- qapi/meson.build | 1 - qemu-options.hx | 6 - .../org.centos/stream/8/build-environment.yml | 1 - .../ci/org.centos/stream/8/x86_64/configure | 3 - scripts/ci/setup/build-environment.yml | 4 - scripts/coverity-scan/run-coverity-scan | 2 +- scripts/meson-buildoptions.sh | 6 - scripts/update-linux-headers.sh | 27 - tests/lcitool/projects/qemu.yml | 3 - tests/migration/guestperf/engine.py | 4 +- 75 files changed, 20 insertions(+), 12997 deletions(-) delete mode 100644 docs/pvrdma.txt delete mode 100644 docs/rdma.txt delete mode 100644 qapi/rdma.json delete mode 100644 contrib/rdmacm-mux/rdmacm-mux.h delete mode 100644 hw/rdma/rdma_backend.h delete mode 100644 hw/rdma/rdma_backend_defs.h delete mode 100644 hw/rdma/rdma_rm.h delete mode 100644 hw/rdma/rdma_rm_defs.h delete mode 100644 hw/rdma/rdma_utils.h delete mode 100644 hw/rdma/trace.h delete mode 100644 hw/rdma/vmw/pvrdma.h delete mode 100644 hw/rdma/vmw/pvrdma_dev_ring.h delete mode 100644 hw/rdma/vmw/pvrdma_qp_ops.h delete mode 100644 hw/rdma/vmw/trace.h delete mode 100644 include/hw/rdma/rdma.h delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h delete mode 100644 include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h delete mode 100644 include/standard-headers/rdma/vmw_pvrdma-abi.h delete mode 100644 migration/rdma.h delete mode 100644 contrib/rdmacm-mux/main.c delete mode 100644 hw/rdma/rdma.c delete mode 100644 hw/rdma/rdma_backend.c delete mode 100644 hw/rdma/rdma_rm.c delete mode 100644 hw/rdma/rdma_utils.c delete mode 100644 hw/rdma/vmw/pvrdma_cmd.c delete mode 100644 hw/rdma/vmw/pvrdma_dev_ring.c delete mode 100644 hw/rdma/vmw/pvrdma_main.c delete mode 100644 hw/rdma/vmw/pvrdma_qp_ops.c delete mode 100644 migration/rdma.c delete mode 100644 contrib/rdmacm-mux/meson.build delete mode 100644 hw/rdma/Kconfig delete mode 100644 hw/rdma/meson.build delete mode 100644 hw/rdma/trace-events delete mode 100644 hw/rdma/vmw/trace-events -- 2.41.0

17 80

[PATCH] meson: allow systemd unitdir to be changed
by Daniel P. Berrangé 06 Jun '24

06 Jun '24

We currently hardcode the systemd unitdir, but it is desirable to be able to choose a different location in some cases. For examples, Fedora flatpak builds change the RPM %_unitdir macro, but we can't currently honour that. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- libvirt.spec.in | 1 + meson.build | 5 +++++ meson_options.txt | 1 + src/meson.build | 8 +++----- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 1d3240ee6f..0a121515b9 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1329,6 +1329,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) %meson \ -Drunstatedir=%{_rundir} \ -Dinitconfdir=%{_sysconfdir}/sysconfig \ + -Dunitdir=%{_unitdir} \ %{?arg_qemu} \ %{?arg_openvz} \ %{?arg_lxc} \ diff --git a/meson.build b/meson.build index 62e49be37d..295613fd93 100644 --- a/meson.build +++ b/meson.build @@ -95,6 +95,11 @@ if initconfdir == '' endif endif +unitdir = get_option('unitdir') +if unitdir == '' + unitdir = prefix / 'lib' / 'systemd' / 'system' +endif + bindir = prefix / get_option('bindir') datadir = prefix / get_option('datadir') includedir = prefix / get_option('includedir') diff --git a/meson_options.txt b/meson_options.txt index cdc8687795..a4f1dd769f 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -4,6 +4,7 @@ option('packager_version', type: 'string', value: '', description: 'Extra packag option('system', type: 'boolean', value: false, description: 'Set install paths to system ones') option('runstatedir', type: 'string', value: '', description: 'State directory for temporary sockets, pid files, etc') option('initconfdir', type: 'string', value: '', description: 'directory for init script configuration files') +option('unitdir', type: 'string', value: '', description: 'directory for systemd unit files') # dep:tests option('expensive_tests', type: 'feature', value: 'auto', description: 'set the default for enabling expensive tests (long timeouts)') option('test_coverage', type: 'boolean', value: false, description: 'turn on code coverage instrumentation') diff --git a/src/meson.build b/src/meson.build index dd2682ec19..8cce42c7ad 100644 --- a/src/meson.build +++ b/src/meson.build @@ -812,11 +812,9 @@ endforeach if conf.has('WITH_LIBVIRTD') # Generate systemd service and socket unit files if init_script == 'systemd' - systemd_unit_dir = prefix / 'lib' / 'systemd' / 'system' - install_data( guest_unit_files, - install_dir: systemd_unit_dir, + install_dir: unitdir, ) if conf.has('WITH_POLKIT') @@ -855,7 +853,7 @@ if conf.has('WITH_LIBVIRTD') output: service_out, configuration: unit_conf, install: true, - install_dir: systemd_unit_dir, + install_dir: unitdir, ) foreach socket : unit.get('sockets', [ 'main', 'ro', 'admin' ]) @@ -881,7 +879,7 @@ if conf.has('WITH_LIBVIRTD') output: socket_out, configuration: unit_conf, install: true, - install_dir: systemd_unit_dir, + install_dir: unitdir, ) endforeach endforeach -- 2.43.0

2 1

[PATCH] rpm: drop cyrus-sasl dep
by Daniel P. Berrangé 06 Jun '24

06 Jun '24

We link to libsasl2.so, so get a dep on cyrus-sasl-libs automatically. The dep on cyrus-sasl-gssapi gets us the mechanism that matches our default config. The 'cyrus-sasl' package merely contains some man pages and the saslauthd daemon, which is not required by libvirt. This dep appears to have been redundant since we first added in commit 1b1d647439059b7e10fb94e1ade227fb695d7110 Author: Daniel P. Berrangé <berrange(a)redhat.com> Date: Wed Dec 5 15:24:15 2007 +0000 Initial integration of SASL authentication, working for Kerberos only Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- libvirt.spec.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 1d3240ee6f..343015ad1d 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1055,8 +1055,6 @@ with some QEMU specific features of libvirt. %package libs Summary: Client side libraries -# So remote clients can access libvirt over SSH tunnel -Requires: cyrus-sasl # Needed by default sasl.conf - no onerous extra deps, since # 100's of other things on a system already pull in krb5-libs Requires: cyrus-sasl-gssapi -- 2.43.0

2 1

Re: [PATCH] qemu_block: Validate number of hosts for iSCSI disk device
by Peter Krempa 06 Jun '24

06 Jun '24

On Thu, Jun 06, 2024 at 16:17:41 +0530, Rayhan Faizel wrote: > Hi, Hi, please *always* keep replies on-list (use reply-all). I've re-added the mailing list again. > > On Thu, Jun 6, 2024 at 4:12 PM Peter Krempa <pkrempa(a)redhat.com> wrote: > > > > On Thu, Jun 06, 2024 at 15:45:16 +0530, Rayhan Faizel wrote: > > > An iSCSI device with zero hosts will result in a segmentation fault. This patch > > > adds a check for the number of hosts, which must be one in the case of iSCSI. > > > > > > Minimal reproducing XML: > > > > > > <domain type='qemu'> > > > <name>MyGuest</name> > > > <uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid> > > > <os> > > > <type arch='x86_64'>hvm</type> > > > </os> > > > <memory>4096</memory> > > > <devices> > > > <disk type='network'> > > > <source name='dummy' protocol='iscsi'/> > > > <target dev='vda'/> > > > </disk> > > > </devices> > > > </domain> > > > > Please transform this bit into a test case in qemuxmlconftest to see > > that it's properly rejected. > > > > I did try to add a testcase but the schema tests fail on this > particular XML because it expects one or more <hosts>. Is there a way > to exclude schema validation for certain testcases or should I just > modify the schema and change it from oneOrMore to zeroOrMore? Schema test result can be inverted by naming the file with '-invalid.xml' suffix. In such case the test will require that the XML has invalid schema. Additionally it's also possible by adding an exception in virschematest, but we have more than a few tests with the suffix in qemuxmlconftest.

1 0

[PATCH] qemu_block: Validate number of hosts for iSCSI disk device
by Rayhan Faizel 06 Jun '24

06 Jun '24

An iSCSI device with zero hosts will result in a segmentation fault. This patch adds a check for the number of hosts, which must be one in the case of iSCSI. Minimal reproducing XML: <domain type='qemu'> <name>MyGuest</name> <uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid> <os> <type arch='x86_64'>hvm</type> </os> <memory>4096</memory> <devices> <disk type='network'> <source name='dummy' protocol='iscsi'/> <target dev='vda'/> </disk> </devices> </domain> Signed-off-by: Rayhan Faizel <rayhan.faizel(a)gmail.com> --- This crashing XML was detected by the WIP fuzzer which is being developed as part of Google Summer of Code 2024. src/qemu/qemu_block.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 738b72d7ea..d6cdf521c4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -602,6 +602,12 @@ qemuBlockStorageSourceGetISCSIProps(virStorageSource *src, * } */ + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("iSCSI protocol accepts only one host")); + return NULL; + } + target = g_strdup(src->path); /* Separate the target and lun */ -- 2.34.1

2 1