[PATCH rfcv4 00/13] LIBVIRT: X86: TDX support
by Zhenzhong Duan
Hi,
This series brings libvirt the x86 TDX support.
* What's TDX?
TDX stands for Trust Domain Extensions which isolates VMs from
the virtual-machine manager (VMM)/hypervisor and any other software on
the platform.
To support TDX, multiple software components, not only KVM but also QEMU,
guest Linux and virtual bios, need to be updated. For more details, please
check link[1].
This patchset is another software component to extend libvirt to support TDX,
with which one can start a TDX guest from high level rather than running qemu
directly.
* Misc
As QEMU use a software emulated way to reset guest which isn't supported by TDX
guest for security reason. We simulate reboot for TDX guest by kill and create a
new one in FakeReboot framework.
Complete code can be found at [2], matching qemu code can be found at [3].
There is a 'debug' property for tdx-guest object which isn't in matching qemu[3]
yet. I keep them intentionally as they will be implemented in qemu as extention
series of [3].
* Test
start/stop/reboot with virsh
stop/reboot trigger in guest
stop with on_poweroff=destroy/restart
reboot with on_reboot=destroy/restart
* Patch organization
- patch 1-4: Support query of TDX capabilities.
- patch 5-8: Add TDX type to launchsecurity framework.
- patch 9-11: Add reboot support to TDX guest
- patch 12-13: Add test and docs
TODO:
- update QEMU capabilities data in tests, depending on qemu TDX merged beforehand
- add reconnect logic in virsh command
[1] https://lore.kernel.org/kvm/cover.1708933498.git.isaku.yamahata@intel.com
[2] https://github.com/intel/libvirt-tdx/commits/tdx_for_upstream_rfcv4
[3] https://github.com/intel/qemu-tdx/tree/tdx-qemu-upstream-v5
Thanks
Zhenzhong
Changelog:
rfcv4:
- add a check to tools/virt-host-validate-qemu.c (Daniel)
- remove check of q35 (Daniel)
- model 'SocktetAddress' QAPI in xml schema (Daniel)
- s/Quote-Generation-Service/quoteGenerationService/ (Daniel)
- define bits in tdx->policy and add validating logic (Daniel)
- presume QEMU choose split kernel irqchip for TDX guest by default (Daniel)
- utilize existing FakeReboot framework to do reboot for TDX guest (Daniel)
- drop patch11 'conf: Add support to keep same domid for hard reboot' (Daniel)
- add test in tests/ to validate parsing and formatting logic (Daniel)
- add doc in docs/formatdomain.rst (Daniel)
- add R-B
rfcv3:
- Change to generate qemu cmdline with -bios
- drop firmware auto match as -bios is used
- add a hard reboot method to reboot TDX guest
rfcv3: https://www.mail-archive.com/devel@lists.libvirt.org/msg00385.html
rfcv2:
- give up using qmp cmd and check TDX directly on host for TDX capabilities.
- use launchsecurity framework to support TDX
- use <os>.<loader> for general loader
- add auto firmware match feature for TDX
A example TDVF fimware description file 70-edk2-x86_64-tdx.json:
{
"description": "UEFI firmware for x86_64, supporting Intel TDX",
"interface-types": [
"uefi"
],
"mapping": {
"device": "generic",
"filename": "/usr/share/OVMF/OVMF_CODE-tdx.fd"
},
"targets": [
{
"architecture": "x86_64",
"machines": [
"pc-q35-*"
]
}
],
"features": [
"intel-tdx",
"verbose-dynamic"
],
"tags": [
]
}
rfcv2: https://www.mail-archive.com/libvir-list@redhat.com/msg219378.html
Zhenzhong Duan (13):
tools: Secure guest check for Intel in virt-host-validate
qemu: Check if INTEL Trust Domain Extention support is enabled
qemu: Add TDX capability
conf: expose TDX feature in domain capabilities
conf: add tdx as launch security type
qemu: Add command line and validation for TDX type
qemu: force special parameters enabled for TDX guest
Add Intel TDX Quote Generation Service(QGS) support
qemu: add FakeReboot support for TDX guest
qemu: Support reboot command in guest
qemu: Avoid duplicate FakeReboot for secure guest
Add test cases for Intel TDX
docs: domain: Add documentation for Intel TDX guest
docs/formatdomain.rst | 68 ++++
docs/formatdomaincaps.rst | 1 +
src/conf/domain_capabilities.c | 1 +
src/conf/domain_capabilities.h | 1 +
src/conf/domain_conf.c | 312 ++++++++++++++++++
src/conf/domain_conf.h | 75 +++++
src/conf/schemas/domaincaps.rng | 9 +
src/conf/schemas/domaincommon.rng | 135 ++++++++
src/conf/virconftypes.h | 2 +
src/qemu/qemu_capabilities.c | 36 +-
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 139 ++++++++
src/qemu/qemu_firmware.c | 1 +
src/qemu/qemu_monitor.c | 28 +-
src/qemu/qemu_monitor.h | 2 +-
src/qemu/qemu_monitor_json.c | 6 +-
src/qemu/qemu_namespace.c | 1 +
src/qemu/qemu_process.c | 75 +++++
src/qemu/qemu_validate.c | 44 +++
...unch-security-tdx-qgs-fd.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-fd.xml | 30 ++
...ch-security-tdx-qgs-inet.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-inet.xml | 30 ++
...ch-security-tdx-qgs-unix.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-unix.xml | 30 ++
...h-security-tdx-qgs-vsock.x86_64-latest.xml | 77 +++++
.../launch-security-tdx-qgs-vsock.xml | 30 ++
tests/qemuxmlconftest.c | 24 ++
tools/virt-host-validate-common.c | 22 +-
tools/virt-host-validate-common.h | 1 +
30 files changed, 1407 insertions(+), 5 deletions(-)
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-fd.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-inet.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-unix.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.x86_64-latest.xml
create mode 100644 tests/qemuxmlconfdata/launch-security-tdx-qgs-vsock.xml
--
2.34.1
4 months, 3 weeks
[PATCH v2 00/13] Implement support for QCOW2 data files
by Nikolai Barybin
Hello everyone!
With help of Peter's review and after researching Cole's patches I've
come up with the second version.
Changes since last revision:
- properly taken in account (while probing disk chain) usecase when we have
data-file as part of some backing image
- added proper integration with security drivers instead of call to
chown
- data-file is added to qemu cmdline as a reference to blockdev
- added XML formatiing and parsing
- added basic tests to qemublocktest
Nikolai Barybin (13):
conf: add data-file feature and related fields to virStorageSource
storage file: add getDataFile function to FileTypeInfo
storage file: add qcow2 data-file path parsing from header
storage file: fill in src->dataFileStore during file probe
security: DAC: handle qcow2 data-file on image label set/restore
security: selinux: handle qcow2 data-file on image label set/restore
security: apparmor: handle qcow2 data-file
qemu: put data-file path to VM's cgroup and namespace
qemu: factor out qemuDomainPrepareStorageSource()
qemu: enable basic qcow2 data-file feature support
conf: schemas: add data-file store to domain rng schema
conf: implement XML parsing/formatingo for dataFileStore
tests: add qcow2 data-file basic tests to qemublocktest
src/conf/domain_conf.c | 98 +++++++++++++++++++
src/conf/domain_conf.h | 13 +++
src/conf/schemas/domaincommon.rng | 15 +++
src/conf/storage_source_conf.c | 11 +++
src/conf/storage_source_conf.h | 5 +
src/qemu/qemu_block.c | 7 ++
src/qemu/qemu_cgroup.c | 4 +
src/qemu/qemu_command.c | 5 +
src/qemu/qemu_domain.c | 50 +++++++---
src/qemu/qemu_namespace.c | 5 +
src/security/security_dac.c | 26 ++++-
src/security/security_selinux.c | 20 +++-
src/security/virt-aa-helper.c | 4 +
src/storage_file/storage_file_probe.c | 85 ++++++++++++----
src/storage_file/storage_source.c | 28 ++++++
src/storage_file/storage_source.h | 3 +
tests/qemublocktest.c | 78 +++++++++------
...backing-with-data-file-noopts-srconly.json | 27 +++++
...e-qcow2-backing-with-data-file-noopts.json | 41 ++++++++
...le-qcow2-backing-with-data-file-noopts.xml | 35 +++++++
.../file-qcow2-data-file-noopts-srconly.json | 18 ++++
.../xml2json/file-qcow2-data-file-noopts.json | 27 +++++
.../xml2json/file-qcow2-data-file-noopts.xml | 24 +++++
23 files changed, 558 insertions(+), 71 deletions(-)
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts-srconly.json
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts.json
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-backing-with-data-file-noopts.xml
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts-srconly.json
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts.json
create mode 100644 tests/qemublocktestdata/xml2json/file-qcow2-data-file-noopts.xml
--
2.43.5
4 months, 4 weeks
Re: [PATCH RFC v4 11/17] qemu: block: Support block disk along with
throttle filters
by Peter Krempa
On Mon, Sep 30, 2024 at 10:14:59 +0000, Edward Arulanadam wrote:
> Dear All,
>
> My sincere apologies on reaching out regarding this change as I know, someone would be reviewing the change and provide review comments as per the community guidelines. Since this change is very critical for us to move forward, may I request for a review and let us know if this is good now.
Hi,
when this last iteration was posted I got a note (off-list) from the
author stating that they might not be able to continue work on that
series.
Are you going to pick up the work on that series? If so make sure to
configure your mail client to avoid breaking threads (as you did with
this mail). I'll use the existing convention of using 'reply-all' to the
patches so you might not get CC'd for the postings which are already
on-list. If that's a problem please re-post the series (obviously
keeping authorship intact).
I'm keeping it on my to-do list but due to personal reasons I'm really
backlogged in reviews so please be patient.
4 months, 4 weeks
[PATCH v2] chardev: introduce 'reconnect-ms' and deprecate 'reconnect'
by Daniil Tatianin
The 'reconnect' option only allows to specify the time in seconds,
which is way too long for certain workflows.
We have a lightweight disk backend server, which takes about 20ms to
live update, but due to this limitation in QEMU, previously the guest
disk controller would hang for one second because it would take this
long for QEMU to reinitialize the socket connection.
Introduce a new option called 'reconnect-ms', which is the same as
'reconnect', except the value is treated as milliseconds. These are
mutually exclusive and specifying both results in an error.
'reconnect' is also deprecated by this commit to make it possible to
remove it in the future as to not keep two options that control the
same thing.
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov(a)yandex-team.ru>
Acked-by: Peter Krempa <pkrempa(a)redhat.com>
Signed-off-by: Daniil Tatianin <d-tatianin(a)yandex-team.ru>
---
Changes since v0:
- Mention the deprecation in docs (Paolo)
Changes since v1:
- Move option validation to qmp_chardev_validate_socket as qemu_chr_parse_socket
is only called for the command line and not QMP. (thanks to Markus Armbruster for spotting)
---
chardev/char-socket.c | 33 ++++++++++++++++++++++++---------
chardev/char.c | 3 +++
docs/about/deprecated.rst | 6 ++++++
include/chardev/char-socket.h | 2 +-
qapi/char.json | 17 +++++++++++++++--
5 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 1ca9441b1b..91496ceda9 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -74,7 +74,7 @@ static void qemu_chr_socket_restart_timer(Chardev *chr)
assert(!s->reconnect_timer);
name = g_strdup_printf("chardev-socket-reconnect-%s", chr->label);
s->reconnect_timer = qemu_chr_timeout_add_ms(chr,
- s->reconnect_time * 1000,
+ s->reconnect_time_ms,
socket_reconnect_timeout,
chr);
g_source_set_name(s->reconnect_timer, name);
@@ -481,7 +481,7 @@ static void tcp_chr_disconnect_locked(Chardev *chr)
if (emit_close) {
qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
}
- if (s->reconnect_time && !s->reconnect_timer) {
+ if (s->reconnect_time_ms && !s->reconnect_timer) {
qemu_chr_socket_restart_timer(chr);
}
}
@@ -1080,9 +1080,9 @@ static int tcp_chr_wait_connected(Chardev *chr, Error **errp)
} else {
Error *err = NULL;
if (tcp_chr_connect_client_sync(chr, &err) < 0) {
- if (s->reconnect_time) {
+ if (s->reconnect_time_ms) {
error_free(err);
- g_usleep(s->reconnect_time * 1000ULL * 1000ULL);
+ g_usleep(s->reconnect_time_ms * 1000ULL);
} else {
error_propagate(errp, err);
return -1;
@@ -1267,13 +1267,13 @@ skip_listen:
static int qmp_chardev_open_socket_client(Chardev *chr,
- int64_t reconnect,
+ int64_t reconnect_ms,
Error **errp)
{
SocketChardev *s = SOCKET_CHARDEV(chr);
- if (reconnect > 0) {
- s->reconnect_time = reconnect;
+ if (reconnect_ms > 0) {
+ s->reconnect_time_ms = reconnect_ms;
tcp_chr_connect_client_async(chr);
return 0;
} else {
@@ -1354,6 +1354,12 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
}
}
+ if (sock->has_reconnect_ms && sock->has_reconnect) {
+ error_setg(errp,
+ "'reconnect' and 'reconnect-ms' are mutually exclusive");
+ return false;
+ }
+
return true;
}
@@ -1371,7 +1377,7 @@ static void qmp_chardev_open_socket(Chardev *chr,
bool is_tn3270 = sock->has_tn3270 ? sock->tn3270 : false;
bool is_waitconnect = sock->has_wait ? sock->wait : false;
bool is_websock = sock->has_websocket ? sock->websocket : false;
- int64_t reconnect = sock->has_reconnect ? sock->reconnect : 0;
+ int64_t reconnect_ms = 0;
SocketAddress *addr;
s->is_listen = is_listen;
@@ -1443,7 +1449,13 @@ static void qmp_chardev_open_socket(Chardev *chr,
return;
}
} else {
- if (qmp_chardev_open_socket_client(chr, reconnect, errp) < 0) {
+ if (sock->has_reconnect) {
+ reconnect_ms = sock->reconnect * 1000ULL;
+ } else if (sock->has_reconnect_ms) {
+ reconnect_ms = sock->reconnect_ms;
+ }
+
+ if (qmp_chardev_open_socket_client(chr, reconnect_ms, errp) < 0) {
return;
}
}
@@ -1509,6 +1521,9 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
sock->wait = qemu_opt_get_bool(opts, "wait", true);
sock->has_reconnect = qemu_opt_find(opts, "reconnect");
sock->reconnect = qemu_opt_get_number(opts, "reconnect", 0);
+ sock->has_reconnect_ms = qemu_opt_find(opts, "reconnect-ms");
+ sock->reconnect_ms = qemu_opt_get_number(opts, "reconnect-ms", 0);
+
sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds"));
sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
diff --git a/chardev/char.c b/chardev/char.c
index ba847b6e9e..35623c78a3 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -888,6 +888,9 @@ QemuOptsList qemu_chardev_opts = {
},{
.name = "reconnect",
.type = QEMU_OPT_NUMBER,
+ },{
+ .name = "reconnect-ms",
+ .type = QEMU_OPT_NUMBER,
},{
.name = "telnet",
.type = QEMU_OPT_BOOL,
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 88f0f03786..e5db9bc6e9 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -430,6 +430,12 @@ Backend ``memory`` (since 9.0)
``memory`` is a deprecated synonym for ``ringbuf``.
+``reconnect`` (since 9.2)
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``reconnect`` option only allows specifiying second granularity timeouts,
+which is not enough for all types of use cases, use ``reconnect-ms`` instead.
+
CPU device properties
'''''''''''''''''''''
diff --git a/include/chardev/char-socket.h b/include/chardev/char-socket.h
index 0708ca6fa9..d6d13ad37f 100644
--- a/include/chardev/char-socket.h
+++ b/include/chardev/char-socket.h
@@ -74,7 +74,7 @@ struct SocketChardev {
bool is_websock;
GSource *reconnect_timer;
- int64_t reconnect_time;
+ int64_t reconnect_time_ms;
bool connect_err_reported;
QIOTask *connect_task;
diff --git a/qapi/char.json b/qapi/char.json
index ef58445cee..7f117438c6 100644
--- a/qapi/char.json
+++ b/qapi/char.json
@@ -273,7 +273,19 @@
#
# @reconnect: For a client socket, if a socket is disconnected, then
# attempt a reconnect after the given number of seconds. Setting
-# this to zero disables this function. (default: 0) (Since: 2.2)
+# this to zero disables this function. The use of this member is
+# deprecated, use @reconnect-ms instead. (default: 0) (Since: 2.2)
+#
+# @reconnect-ms: For a client socket, if a socket is disconnected,
+# then attempt a reconnect after the given number of milliseconds.
+# Setting this to zero disables this function. This member is
+# mutually exclusive with @reconnect.
+# (default: 0) (Since: 9.2)
+#
+# Features:
+#
+# @deprecated: Member @reconnect is deprecated. Use @reconnect-ms
+# instead.
#
# Since: 1.4
##
@@ -287,7 +299,8 @@
'*telnet': 'bool',
'*tn3270': 'bool',
'*websocket': 'bool',
- '*reconnect': 'int' },
+ '*reconnect': { 'type': 'int', 'features': [ 'deprecated' ] },
+ '*reconnect-ms': 'int' },
'base': 'ChardevCommon' }
##
--
2.34.1
5 months
[PATCH V2 0/2] qemu: Clarify purpose of image format settings
by Jim Fehlig
The current documentation of the various foo_image_format settings in
qemu.conf subtly implies they are only used for specifying compression.
Patch1 of this small series attempts to clarify and improve the description
of the settings. It defines image format as a way to specify the desired
layout of guest memory blocks on disk.
Patch2 changes the use of 'compressed' with 'format' throughout the
code, removing implication that format == compressed.
V2:
Replace more uses of 'compressed' with 'format' in patch2
Jim Fehlig (2):
qemu: conf: Improve the foo_image_format setting descriptions
qemu: Use consistent naming for save image format
src/qemu/qemu.conf.in | 40 +++++++++++++++++++++++----------------
src/qemu/qemu_driver.c | 30 ++++++++++++++---------------
src/qemu/qemu_saveimage.c | 32 +++++++++++++++----------------
src/qemu/qemu_saveimage.h | 4 ++--
src/qemu/qemu_snapshot.c | 6 +++---
5 files changed, 60 insertions(+), 52 deletions(-)
--
2.35.3
5 months
[PATCH v2 0/1] Add support for RAPL MSRs feature in QEMU
by Anthony Harivel
Hi,
First of all, kudos to Peter Krempa for his fast review!
In this v2, I've addressed the following points:
- The socket is *not* mandatory and my code totally confused Peter.
Sorry about that!
here a snippet of the QEMU code to understand:
/* Compute the socket path if necessary */
if (s->msr_energy.socket_path == NULL) {
s->msr_energy.socket_path = vmsr_compute_default_paths();
}
So I made all the modification to make it not necessary.
- Change the socket name to "rapl_helper_socket"
- Change the socket to be absFilePath
- I did not add anything to honour the _OFF state, because it is not
necessary to explicitly disable it.
That's about it.
Regards,
Anthony
Anthony Harivel (1):
qemu: Add support for RAPL MSRs feature
docs/formatdomain.rst | 2 ++
src/conf/domain_conf.c | 18 ++++++++++++++++++
src/conf/domain_conf.h | 2 ++
src/conf/schemas/domaincommon.rng | 10 ++++++++++
src/qemu/qemu_command.c | 11 +++++++++++
tests/qemuxmlconfdata/kvm-features-off.xml | 1 +
.../kvm-features.x86_64-latest.args | 2 +-
tests/qemuxmlconfdata/kvm-features.xml | 1 +
8 files changed, 46 insertions(+), 1 deletion(-)
--
2.46.0
5 months
[PATCH v2 0/4] Add TPM emulator <source file=''/>
by marcandre.lureau@redhat.com
From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
Hi,
When swtpm capabilities reports "nvram-backend-dir", it can accepts a single
file or block device where TPM state will be stored.
--tpmstate must be backend-uri=file://.
v2:
- add <source dir='..'/> support as well (Daniel)
Related: https://issues.redhat.com/browse/CNV-35250
Marc-André Lureau (4):
util: check swtpm nvram-backend-dir capability
schema: add TPM emulator <source file='..'>
schema: add TPM emulator <source dir='..'>
qemu_tpm: handle file/block storage source
docs/formatdomain.rst | 18 +++++
src/conf/domain_conf.c | 28 +++++++
src/conf/domain_conf.h | 7 ++
src/conf/schemas/domaincommon.rng | 20 +++++
src/qemu/qemu_tpm.c | 76 +++++++++++++++----
src/util/virtpm.c | 1 +
src/util/virtpm.h | 1 +
.../qemuxmlconfdata/tpm-emulator-tpm2-enc.xml | 1 +
tests/qemuxmlconfdata/tpm-emulator-tpm2.xml | 1 +
9 files changed, 140 insertions(+), 13 deletions(-)
--
2.45.2.827.g557ae147e6
5 months, 1 week
[PATCH V2 0/4] Rework qemu internal active snapshots to use QMP
by Nikolai Barybin
Den, Peter, Daniel thank you for your comments!
I'm sending v2 of this patchset.
Changes since last revision:
- dropped [PATCH 4/4] qemu monitor: reap qemu_monitor_text
- added new patch: qemu capabilities: add QEMU_CAPS_SNAPSHOT_SAVE/_DELETE
- preserved old-style snapshotting (HMP savevm) in case we have QEMU < 6.0
- enhanced requirements for allowing snapshotting. All writable disks
should be qcow2, non-shared. If such disks exist and we have qcow2
NVRAM, add NVRAM device to the list of wrdevs. But never save vmstate
to NVRAM
- make char** wrdevs list allocation inside
qemuSnapshotActiveInternalGetWrdevListHelper()
Nikolai Barybin (4):
qemu monitor: add snaphot-save/delete QMP commands
qemu blockjob: add snapshot-save/delete job types
qemu capabilities: add QEMU_CAPS_SNAPSHOT_SAVE/_DELETE
qemu snapshot: use QMP snapshot-save/delete for internal snapshots
src/qemu/qemu_block.c | 2 +
src/qemu/qemu_blockjob.c | 6 +-
src/qemu/qemu_blockjob.h | 2 +
src/qemu/qemu_capabilities.c | 4 +
src/qemu/qemu_capabilities.h | 2 +
src/qemu/qemu_domain.c | 4 +
src/qemu/qemu_monitor.c | 30 +++
src/qemu/qemu_monitor.h | 13 ++
src/qemu/qemu_monitor_json.c | 66 ++++++
src/qemu/qemu_monitor_json.h | 13 ++
src/qemu/qemu_snapshot.c | 207 ++++++++++++++++--
.../caps_6.0.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_6.0.0_s390x.xml | 2 +
.../caps_6.0.0_x86_64.xml | 2 +
.../caps_6.1.0_x86_64.xml | 2 +
.../caps_6.2.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_6.2.0_ppc64.xml | 2 +
.../caps_6.2.0_x86_64.xml | 2 +
.../caps_7.0.0_aarch64+hvf.xml | 2 +
.../caps_7.0.0_aarch64.xml | 2 +
.../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 2 +
.../caps_7.0.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 2 +
.../caps_7.1.0_x86_64.xml | 2 +
tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 2 +
.../caps_7.2.0_x86_64+hvf.xml | 2 +
.../caps_7.2.0_x86_64.xml | 2 +
.../caps_8.0.0_riscv64.xml | 2 +
.../caps_8.0.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_8.1.0_s390x.xml | 2 +
.../caps_8.1.0_x86_64.xml | 2 +
.../caps_8.2.0_aarch64.xml | 2 +
.../caps_8.2.0_armv7l.xml | 2 +
.../caps_8.2.0_loongarch64.xml | 2 +
.../qemucapabilitiesdata/caps_8.2.0_s390x.xml | 2 +
.../caps_8.2.0_x86_64.xml | 2 +
.../qemucapabilitiesdata/caps_9.0.0_sparc.xml | 2 +
.../caps_9.0.0_x86_64.xml | 2 +
.../caps_9.1.0_x86_64.xml | 2 +
39 files changed, 391 insertions(+), 14 deletions(-)
--
2.43.5
5 months, 1 week
[PATCH 0/2] add NIC hotplug support to test hypervisor
by John Levon
These two patches add basic support for NIC hot[un]plug to the test hypervisor,
based on the qemu driver; only ethernet and bridge type VNICS are currently
supported.
John Levon (2):
test_driver: provide basic NIC hotplug support
test_driver: provide basic NIC hotunplug support
src/test/test_driver.c | 305 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 283 insertions(+), 22 deletions(-)
--
2.34.1
5 months, 1 week
[PATCH v6 00/13] qemu: Introduce shared_filesystems configuration option
by Andrea Bolognani
The need to have something like this in the first place is driven by
KubeVirt (see [1] and [2]). A draft version of this series has been
integrated into KubeVirt and it has been confirmed that it was
effective in removing the need to use LD_PRELOAD hacks in the storage
provider.
Changes from [v5]:
* make migration of domains with TPM work (patches 12 and 13);
* fixed all typos for "remember";
* added R-bs for Peter's patches.
Changes from [v4] (v5 was posted by Peter):
* added patch 7 cleaning up a helper function (noticed just while
reading the code)
* added patch 8 properly unrefing security labels in dac/selinux
drivers on outgoing migration
* patch 11: added handling of the 'nvram' image file (and refactored
the function to
allow reuse)
Changes from [v3] (v4 was posted by Peter):
* patch 2/8 was modified to change the docs for the new option.
* patches 1-5 will get an R-b by me as I've adopted them.
* patches 6, 9-11 are new.
* patches 7, 8 were not part of v3
Changes from [v2]:
* added canonicalization for user-provided paths;
* fixed compilation issues when AppArmor support is enabled.
Changes from [v1]:
* documented more explicitly that the newly introduced option is
intended for very specific scenarios and not general usage; as
part of this, the NEWS update has been dropped too;
* made a few tweaks and addressed a few oversight based on review
feedback;
* several preparatory cleanup patches have been pushed.
Changes from [v0]:
* reworked approach.
[v5] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/H...
[v4] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/F...
[v3] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/P...
[v2] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/XP...
[v1] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/XE...
[v0] https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/MM...
[1] https://issues.redhat.com/browse/CNV-34322
[2] https://issues.redhat.com/browse/CNV-39370
Andrea Bolognani (7):
security: Fix alignment
qemu: Introduce shared_filesystems configuration option
qemu: Propagate shared_filesystems
utils: Use overrides in virFileIsSharedFS()
qemu: Always set labels for TPM state
security: Always forget labels for TPM state directory
qemu: Don't lock TPM state directory for incoming migration
Peter Krempa (6):
virFileIsSharedFSOverride: Export
virParseOwnershipIds: Refactor
virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after
'migrated' check
security_(dac|selinux): Unref remembered security labels on outgoing
migration
storage_source: Add field for skipping seclabel remembering
qemu: migration: Don't remember seclabel for images shared from
current host
src/conf/storage_source_conf.c | 3 +
src/conf/storage_source_conf.h | 9 ++
src/libvirt_private.syms | 1 +
src/lxc/lxc_controller.c | 3 +-
src/lxc/lxc_driver.c | 2 +-
src/lxc/lxc_process.c | 4 +-
src/qemu/libvirtd_qemu.aug | 3 +
src/qemu/qemu.conf.in | 26 +++++
src/qemu/qemu_conf.c | 31 ++++++
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_domain.c | 7 +-
src/qemu/qemu_extdevice.c | 2 +-
src/qemu/qemu_migration.c | 86 ++++++++++++++---
src/qemu/qemu_security.c | 95 +++++++++++++-----
src/qemu/qemu_security.h | 6 +-
src/qemu/qemu_tpm.c | 50 ++++++----
src/qemu/qemu_tpm.h | 10 +-
src/qemu/test_libvirtd_qemu.aug.in | 5 +
src/security/security_apparmor.c | 8 +-
src/security/security_dac.c | 53 +++++++++--
src/security/security_driver.h | 8 +-
src/security/security_manager.c | 33 +++++--
src/security/security_manager.h | 9 +-
src/security/security_nop.c | 5 +
src/security/security_selinux.c | 148 +++++++++++++++++++++++------
src/security/security_stack.c | 32 +++++--
src/util/virfile.c | 63 +++++++++++-
src/util/virfile.h | 5 +-
src/util/virutil.c | 20 ++--
tests/securityselinuxlabeltest.c | 2 +-
tests/virfiletest.c | 2 +-
31 files changed, 594 insertions(+), 139 deletions(-)
--
2.46.0
5 months, 1 week