January 2025 - Devel - libvirt List Archives

[PATCH] spec: Enable ch driver
by Praveen K Paladugu 09 Jan '25

09 Jan '25

Enabling building and packaging ch driver in the spec file. Signed-off-by: Praveen K Paladugu <praveenkpaladugu(a)gmail.com> --- libvirt.spec.in | 51 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 3d5164b534..303d7cb34a 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -35,6 +35,7 @@ %define with_lxc 0%{!?_without_lxc:1} %define with_libxl 0%{!?_without_libxl:1} %define with_vbox 0%{!?_without_vbox:1} +%define with_ch 0%{!?_without_ch:1} %ifarch %{arches_qemu_kvm} %define with_qemu_kvm %{with_qemu} @@ -1026,6 +1027,20 @@ Server side daemon and driver required to manage the virtualization capabilities of VirtualBox %endif + %if %{with_ch} +%package daemon-driver-ch +Summary: Cloud-Hypervisor driver plugin for libvirtd daemon +Requires: libvirt-daemon-common = %{version}-%{release} +Requires: libvirt-daemon-log = %{version}-%{release} +Requires: libvirt-libs = %{version}-%{release} + +%description daemon-driver-ch +The ch driver plugin for the libvirtd daemon, providing +an implementation of the hypervisor driver APIs by +Cloud-Hypervisor + %endif + + %package client Summary: Client side utilities of the libvirt library Requires: libvirt-libs = %{version}-%{release} @@ -1188,9 +1203,15 @@ exit 1 %endif %if %{with_esx} - %define arg_esx -Ddriver_esx=enabled -Dcurl=enabled + %define arg_esx -Ddriver_esx=enabled +%else + %define arg_esx -Ddriver_esx=disabled +%endif + +%if %{with_esx} || %{with_ch} + %define arg_curl -Dcurl=enabled %else - %define arg_esx -Ddriver_esx=disabled -Dcurl=disabled + %define arg_curl -Dcurl=disabled %endif %if %{with_hyperv} @@ -1205,6 +1226,12 @@ exit 1 %define arg_vmware -Ddriver_vmware=disabled %endif +%if %{with_ch} + %define arg_ch -Ddriver_ch=enabled +%else + %define arg_ch -Ddriver_ch=disabled +%endif + %if %{with_storage_rbd} %define arg_storage_rbd -Dstorage_rbd=enabled %else @@ -1335,11 +1362,12 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec) -Ddriver_remote=enabled \ -Ddriver_test=enabled \ %{?arg_esx} \ + %{?arg_curl} \ %{?arg_hyperv} \ %{?arg_vmware} \ + %{?arg_ch} \ -Ddriver_vz=disabled \ -Ddriver_bhyve=disabled \ - -Ddriver_ch=disabled \ %{?arg_remote_mode} \ -Ddriver_interface=enabled \ -Ddriver_network=enabled \ @@ -1541,6 +1569,10 @@ rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.libxl rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_libxl.aug rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_libxl.aug %endif + %if ! %{with_ch} +rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_ch.aug +rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug + %endif # Copied into libvirt-docs subpackage eventually mv $RPM_BUILD_ROOT%{_datadir}/doc/libvirt libvirt-docs @@ -2405,6 +2437,19 @@ exit 0 %attr(0755, root, root) %{_libexecdir}/libvirt_sanlock_helper %endif + %if %{with_ch} +%files daemon-driver-ch +%attr(0755, root, root) %{_sbindir}/virtchd +%config(noreplace) %{_sysconfdir}/libvirt/virtchd.conf +%{_datadir}/augeas/lenses/virtchd.aug +%{_datadir}/augeas/lenses/tests/test_virtchd.aug +%{_unitdir}/virtchd-admin.socket +%{_unitdir}/virtchd-ro.socket +%{_unitdir}/virtchd.service +%{_unitdir}/virtchd.socket +%{_libdir}/libvirt/connection-driver/libvirt_driver_ch.so + %endif + %files client %{_mandir}/man1/virsh.1* %{_mandir}/man1/virt-xml-validate.1* -- 2.47.0

2 2

[PATCH] meson: Drop devmapper_dep for libvirt_admin_lib
by Michal Privoznik 08 Jan '25

08 Jan '25

Nothing inside libvirt-admin library calls devmapper nor it should. This is a historic artefact that was just copied over from autotools era. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- NB, I think there are more deps that can be dropped. I've built successfully with capng_dep, gnutls_dep, json_c_dep, libssh2_dep, libssh_dep and sasl_dep removed. Those libraries are required by libvirt.so which libvirt_admin.so links with. src/meson.build | 1 - 1 file changed, 1 deletion(-) diff --git a/src/meson.build b/src/meson.build index cce89fac27..74fbe43667 100644 --- a/src/meson.build +++ b/src/meson.build @@ -556,7 +556,6 @@ if conf.has('WITH_REMOTE') ], dependencies: [ capng_dep, - devmapper_dep, gnutls_dep, json_c_dep, libssh2_dep, -- 2.45.2

3 2

[PATCH] tools: fix ordering mistake in virt-admin daemon-set-timeout code
by Daniel P. Berrangé 08 Jan '25

08 Jan '25

Most of the impl for the 'daemon-set-timeout' command was ordered under the heading for the 'daemon-log-filters' command. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- tools/virt-admin.c | 67 +++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/tools/virt-admin.c b/tools/virt-admin.c index 3eb4f0f3fd..325b7aa827 100644 --- a/tools/virt-admin.c +++ b/tools/virt-admin.c @@ -1005,27 +1005,38 @@ static const vshCmdInfo info_daemon_log_outputs = { "daemon."), }; -static const vshCmdOptDef opts_daemon_timeout[] = { - {.name = "timeout", - .type = VSH_OT_INT, - .required = true, +static const vshCmdOptDef opts_daemon_log_outputs[] = { + {.name = "outputs", + .type = VSH_OT_STRING, .positional = true, - .help = N_("number of seconds the daemon will run without any active connection"), + .help = N_("redefine the existing set of logging outputs"), + .allowEmpty = true }, {.name = NULL} }; static bool -cmdDaemonTimeout(vshControl *ctl, const vshCmd *cmd) +cmdDaemonLogOutputs(vshControl *ctl, const vshCmd *cmd) { vshAdmControl *priv = ctl->privData; - unsigned int timeout = 0; - if (vshCommandOptUInt(ctl, cmd, "timeout", &timeout) < 0) - return false; + if (vshCommandOptBool(cmd, "outputs")) { + const char *outputs = NULL; + if ((vshCommandOptString(ctl, cmd, "outputs", &outputs) < 0 || + virAdmConnectSetLoggingOutputs(priv->conn, outputs, 0) < 0)) { + vshError(ctl, _("Unable to change daemon logging settings")); + return false; + } + } else { + g_autofree char *outputs = NULL; + if (virAdmConnectGetLoggingOutputs(priv->conn, &outputs, 0) < 0) { + vshError(ctl, _("Unable to get daemon logging outputs information")); + return false; + } - if (virAdmConnectSetDaemonTimeout(priv->conn, timeout, 0) < 0) - return false; + vshPrintExtra(ctl, " %-15s", _("Logging outputs: ")); + vshPrint(ctl, "%s\n", NULLSTR_EMPTY(outputs)); + } return true; } @@ -1040,42 +1051,32 @@ static const vshCmdInfo info_daemon_timeout = { .desc = N_("set the auto shutdown timeout of the daemon"), }; -static const vshCmdOptDef opts_daemon_log_outputs[] = { - {.name = "outputs", - .type = VSH_OT_STRING, +static const vshCmdOptDef opts_daemon_timeout[] = { + {.name = "timeout", + .type = VSH_OT_INT, + .required = true, .positional = true, - .help = N_("redefine the existing set of logging outputs"), - .allowEmpty = true + .help = N_("number of seconds the daemon will run without any active connection"), }, {.name = NULL} }; static bool -cmdDaemonLogOutputs(vshControl *ctl, const vshCmd *cmd) +cmdDaemonTimeout(vshControl *ctl, const vshCmd *cmd) { vshAdmControl *priv = ctl->privData; + unsigned int timeout = 0; - if (vshCommandOptBool(cmd, "outputs")) { - const char *outputs = NULL; - if ((vshCommandOptString(ctl, cmd, "outputs", &outputs) < 0 || - virAdmConnectSetLoggingOutputs(priv->conn, outputs, 0) < 0)) { - vshError(ctl, _("Unable to change daemon logging settings")); - return false; - } - } else { - g_autofree char *outputs = NULL; - if (virAdmConnectGetLoggingOutputs(priv->conn, &outputs, 0) < 0) { - vshError(ctl, _("Unable to get daemon logging outputs information")); - return false; - } + if (vshCommandOptUInt(ctl, cmd, "timeout", &timeout) < 0) + return false; - vshPrintExtra(ctl, " %-15s", _("Logging outputs: ")); - vshPrint(ctl, "%s\n", NULLSTR_EMPTY(outputs)); - } + if (virAdmConnectSetDaemonTimeout(priv->conn, timeout, 0) < 0) + return false; return true; } + static void * vshAdmConnectionHandler(vshControl *ctl) { -- 2.47.1

2 1

[PATCH] conf: Restrict model type to enum members
by Adam Julis 08 Jan '25

08 Jan '25

Historically, we supported any string as the model type for network devices. This approach allowed us to stay up-to-date with QEMU's frequent introduction of new model types. However, this solution now causes more problems than benefits. A clearly nonsensical model name can pass validation but result in a QEMU internal error when the VM is started. This patch restricts model types to members of the 'virDomainNetModelType' enum. The enum has been extended to include all model types currently supported by QEMU. If QEMU introduces new models in the future, the enum must be updated to support them. Resolves: https://issues.redhat.com/browse/RHEL-72082 Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- I'm not sure if the virtio-net-pci should be in this enum, since its not located in qemu repo in hw/net/ but in hw/virtio/. When I manually tested it, the qemu this option supported. The last two members have not been supported for several years but I wanted to keep backward compatibility. src/conf/domain_conf.c | 23 +++++++++++++++++++++++ src/conf/domain_conf.h | 23 +++++++++++++++++++++++ src/conf/domain_validate.c | 7 +++++++ 3 files changed, 53 insertions(+) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index af88d0bcfd..5e8ca0015d 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -613,6 +613,29 @@ VIR_ENUM_IMPL(virDomainNetModel, "82540EM", "82545EM", "82543GC", + "dp8393x", + "eepro100", + "ftgmac100", + "igbvf", + "lasi_i82596", + "mcf_fec", + "mipsnet", + "ne2000-isa", + "ne2000-pci", + "npcm7xx_emc", + "npcm_gmac", + "opencores_eth", + "pcnet-pci", + "rocker", + "spapr_llan", + "sungem", + "sunhme", + "tulip", + "virtio-net", + "xen_nic", + "virtio-net-pci", + "etraxfs_eth", + "milkymist-minimac2", ); VIR_ENUM_IMPL(virDomainNetDriver, diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 9f7c28343f..d7f0073ba5 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -951,6 +951,29 @@ typedef enum { VIR_DOMAIN_NET_MODEL_82540EM, VIR_DOMAIN_NET_MODEL_82545EM, VIR_DOMAIN_NET_MODEL_82543GC, + VIR_DOMAIN_NET_MODEL_DP8393X, + VIR_DOMAIN_NET_MODEL_EEPRO100, + VIR_DOMAIN_NET_MODEL_FTGMAC100, + VIR_DOMAIN_NET_MODEL_IGBVF, + VIR_DOMAIN_NET_MODEL_LASI_I82596, + VIR_DOMAIN_NET_MODEL_MCF_FEC, + VIR_DOMAIN_NET_MODEL_MIPSNET, + VIR_DOMAIN_NET_MODEL_NE2000_ISA, + VIR_DOMAIN_NET_MODEL_NE2000_PCI, + VIR_DOMAIN_NET_MODEL_NPCM7XX_EMC, + VIR_DOMAIN_NET_MODEL_NPCM_GMAC, + VIR_DOMAIN_NET_MODEL_OPENCORES_ETH, + VIR_DOMAIN_NET_MODEL_PCNET_PCI, + VIR_DOMAIN_NET_MODEL_ROCKER, + VIR_DOMAIN_NET_MODEL_SPARP_LLAN, + VIR_DOMAIN_NET_MODEL_SUNGEM, + VIR_DOMAIN_NET_MODEL_SUNHME, + VIR_DOMAIN_NET_MODEL_TULIP, + VIR_DOMAIN_NET_MODEL_VIRTIO_NET, + VIR_DOMAIN_NET_MODEL_XEN_NIC, + VIR_DOMAIN_NET_MODEL_VIRTIO_NET_PCI, + VIR_DOMAIN_NET_MODEL_ETRAXFS_ETH, + VIR_DOMAIN_NET_MODEL_MILKYMIST_MINIMAC2, VIR_DOMAIN_NET_MODEL_LAST } virDomainNetModelType; diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 1034bb57f5..fed013835d 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -2218,6 +2218,13 @@ virDomainNetDefValidate(const virDomainNetDef *net) break; case VIR_DOMAIN_NET_TYPE_NETWORK: + if (net->modelstr) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Unsupported model type '%s'"), + net->modelstr); + return -1; + } + break; case VIR_DOMAIN_NET_TYPE_VDPA: case VIR_DOMAIN_NET_TYPE_BRIDGE: case VIR_DOMAIN_NET_TYPE_CLIENT: -- 2.47.1

2 1

[RFC v3 PATCH 0/4] iproute2 bridge vlan support
by Leigh Brown 08 Jan '25

08 Jan '25

As requested by Laine, I have converted the code to use netlink rather than executing bridge vlan commands. I have also checked it compiles under FreeBSD. Description ----------- The iproute2 bridge command supports the capability for VLAN filtering that allows each interface connected to a standard linux bridge to be configured to use one or more VLANs. For simple setups, this capability is enough to allow virtual machines or containers to be put onto separate VLANs without creating multiple bridges and VLANs on the host. The first patch adds a new function virNetDevBridgeSetupVlans() that will, given a virNetDevVlan structure, execute the required bridge vlan commands to configure the given interface accordingly. The second patch updates the virNetDevBridgeAddPort() function to allow a virNetDevVlan parameter to be passed, and to call the virNetDevBridgeSetupVlans() function. The third patch updates the lxc and tap code to pass the virNetDevLan parameter from the configuration and to update the XML domain and network validation to permit the VLAN-related tags for standard bridges. The fourth patch updates documentation to match the new capability. Changes since v2 ---------------- - Convert to use netlink rather than executing bridge vlan commands. - Add unsupported on this platform error message on FreeBSD. Changes since v1 ---------------- - Fix bug in virNetDevSetupVlans where bridge port has no native vlan. - Update bridge network validation to permit vlan configuration. - Update documentation to match the functionality. - Tweak some of the commit descriptions for clarity. Usage example ------------- Configure the host with systemd-networkd as follows: /etc/systemd/network/br0.netdev (br0.network not shown) [NetDev] Name=br0 Kind=bridge MACAddress=xx:xx:xx:xx:xx:xx [Bridge] VLANFiltering=on /etc/systemd/network/eno1.network [Match] Name=eno1 [Network] Bridge=br0 [Link] MTUBytes=9000 [BridgeVLAN] VLAN=40 [BridgeVLAN] VLAN=60 Then add <vlan> tags into the lxc or qemu config: lxc interface definition: <interface type='bridge'> <mac address='xx:xx:xx:xx:xx:xx'/> <source bridge='br0'/> <vlan> <tag id='40'/> </vlan> </interface> qemu interface definition: <interface type='network'> <mac address='xx:xx:xx:xx:xx:xx'/> <source network='br0'/> <vlan> <tag id='60'/> </vlan> <model type='virtio'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> Then, after starting them, you will see the following $ sudo bridge vlan port vlan-id eno1 1 PVID Egress Untagged 40 60 br0 1 PVID Egress Untagged vnet0 60 PVID Egress Untagged vnet1 40 PVID Egress Untagged Regards, Leigh Brown (4): util: add netlink bridge vlan filtering util: Add vlan support to virNetDevBridgeAddPort Enable vlan support for standard linux bridges docs: standard linux bridges now support vlans docs/formatdomain.rst | 37 +++++++++--------- docs/formatnetwork.rst | 45 +++++++++++----------- src/conf/domain_validate.c | 3 +- src/lxc/lxc_process.c | 3 +- src/network/bridge_driver.c | 13 ++++--- src/util/virnetdevbridge.c | 75 +++++++++++++++++++++++++++++++++++-- src/util/virnetdevbridge.h | 4 +- src/util/virnetdevtap.c | 2 +- src/util/virnetlink.c | 66 ++++++++++++++++++++++++++++++++ src/util/virnetlink.h | 7 ++++ 10 files changed, 202 insertions(+), 53 deletions(-) -- 2.39.5

3 11

[PATCH] qemu: allow migration of guest with mdev vGPU to VF vGPU
by Laine Stump 08 Jan '25

08 Jan '25

GPU vendors are moving away from using mdev to create virtual GPUs towards using SRIOV VFs that are vGPUs. In both cases, once created the vGPUs are assigned to guests via <hostdev> (i.e. VFIO device assignment), and inside the guest the devices look identical, but mdev vGPUs are located by QEMU/VFIO using a uuid, while VF vGPUs are located with a PCI address. So although we generally require the device on the source host to exactly match the device on the destination host, in the case of mdev-created vGPU vs. VF vGPU migration *can* potentially work, except that libvirt has a hard-coded check that prevents us from even trying. This patch loosens up that check so that we will allow attempts to migrate a guest from a source host that has mdev-created vGPUs to a destination host that has VF vGPUs (and vice versa). The expectation is that if this doesn't actually work then QEMU will fail and generate an error that we can report. Based-on-patch-by: Zhiyi Guo <zhguo(a)redhat.com> Signed-off-by: Laine Stump <laine(a)redhat.com> --- Zhiyi's original patch removed the check for subsys type completely, and this worked. My modified patch keeps the check in place, but allows it to pass if the src type is pci and dst is mdev, or vice versa. src/conf/domain_conf.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 4ad8289b89..9d5fda0469 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -20647,13 +20647,27 @@ virDomainHostdevDefCheckABIStability(virDomainHostdevDef *src, return false; } - if (src->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && - src->source.subsys.type != dst->source.subsys.type) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Target host device subsystem %1$s does not match source %2$s"), - virDomainHostdevSubsysTypeToString(dst->source.subsys.type), - virDomainHostdevSubsysTypeToString(src->source.subsys.type)); - return false; + if (src->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) { + virDomainHostdevSubsysType srcType = src->source.subsys.type; + virDomainHostdevSubsysType dstType = dst->source.subsys.type; + + /* If the source and destination subsys types aren't the same, + * then migration can't be supported, *except* that it might + * be supported to migrate from subsys type 'pci' to 'mdev' + * and vice versa. (libvirt can't know for certain whether or + * not it will actually work, so we have to just allow it and + * count on QEMU to provide us with an error if it fails) + */ + + if (srcType != dstType + && ((srcType != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI && srcType != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV) + || (dstType != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI && dstType != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV))) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Target host device subsystem type %1$s is not compatible with source subsystem type %2$s"), + virDomainHostdevSubsysTypeToString(dstType), + virDomainHostdevSubsysTypeToString(srcType)); + return false; + } } if (!virDomainDeviceInfoCheckABIStability(src->info, dst->info)) -- 2.47.1

2 2

[PATCH] util: fix off-by-1 in inhibitor constants
by Daniel P. Berrangé 08 Jan '25

08 Jan '25

The inhibitor constant values were off-by-1, so when converted into string format, we picked the wrong names Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- src/util/virinhibitor.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/util/virinhibitor.h b/src/util/virinhibitor.h index 0a1c445d41..49cf32fbeb 100644 --- a/src/util/virinhibitor.h +++ b/src/util/virinhibitor.h @@ -26,13 +26,13 @@ typedef struct _virInhibitor virInhibitor; typedef enum { VIR_INHIBITOR_WHAT_NONE = 0, - VIR_INHIBITOR_WHAT_SLEEP = (1 << 1), - VIR_INHIBITOR_WHAT_SHUTDOWN = (1 << 2), - VIR_INHIBITOR_WHAT_IDLE = (1 << 3), - VIR_INHIBITOR_WHAT_POWER_KEY = (1 << 4), - VIR_INHIBITOR_WHAT_SUSPEND_KEY = (1 << 5), - VIR_INHIBITOR_WHAT_HIBERNATE_KEY = (1 << 6), - VIR_INHIBITOR_WHAT_LID_SWITCH = (1 << 7), + VIR_INHIBITOR_WHAT_SLEEP = (1 << 0), + VIR_INHIBITOR_WHAT_SHUTDOWN = (1 << 1), + VIR_INHIBITOR_WHAT_IDLE = (1 << 2), + VIR_INHIBITOR_WHAT_POWER_KEY = (1 << 3), + VIR_INHIBITOR_WHAT_SUSPEND_KEY = (1 << 4), + VIR_INHIBITOR_WHAT_HIBERNATE_KEY = (1 << 5), + VIR_INHIBITOR_WHAT_LID_SWITCH = (1 << 6), } virInhibitorWhat; typedef enum { -- 2.47.1

2 1

[PATCH] qemu: Add audit entries for suspend and resume
by Jim Fehlig 08 Jan '25

08 Jan '25

We recently received a request from certification auditors to provide audit entries for suspend and resume. This small patch uses the existing virtDomainAudit{Start,Stop} functions with new reasons "suspended" and "resumed". Signed-off-by: Jim Fehlig <jfehlig(a)suse.com> --- For suspend, I initially wrote the following virDomainAuditStart(vm, virDomainPausedReasonTypeToString(reason), true); but I'm not sure it makes sense in resume, where we have reasons such as VIR_DOMAIN_CRASHED_PANICKED. For symmetry, it seemed best to go with "suspended" and "resumed". src/qemu/qemu_driver.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index f1a633fdd3..c670bb681e 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -1682,6 +1682,7 @@ static int qemuDomainSuspend(virDomainPtr dom) goto endjob; } qemuDomainSaveStatus(vm); + virDomainAuditStart(vm, "suspended", true); ret = 0; endjob: @@ -1738,6 +1739,7 @@ static int qemuDomainResume(virDomainPtr dom) } } qemuDomainSaveStatus(vm); + virDomainAuditStop(vm, "resumed"); ret = 0; endjob: -- 2.43.0

3 4

[PATCH v2 0/4] fix AppArmor policy restore for runtime rules
by Georgia Garcia 08 Jan '25

08 Jan '25

Some rules are generated dynamically during boot and added to the AppArmor policy. An example of that is macvtap devices that call the AppArmorSetFDLabel hook to add a rule for the tap device path. Since this information is dynamic, it is not available in the xml config, therefore whenever a "Restore" hook is called, the entire profile is regenerated by virt-aa-helper based only the information from the VM definition, so the dynamic/runtime information is lost. This patchset fixes that by storing these rules in a different file called libvirt-uuid.runtime_files, which is included by libvirt-uuid.files that already exists. It also includes other fixes like memory leaks, adoption of the GLib API in the apparmor files and a fix on the AppArmor policy that incorrectly applies apparmor policy syntax. Georgia Garcia (4): security_apparmor: fix memleaks in AppArmorSetFDLabel security: replace uses of label and VIR_FREE by g_autofree apparmor: fix UUID specification virt-aa-helper: store dynamically generated rules .../usr.lib.libvirt.virt-aa-helper.in | 5 +- src/security/apparmor/usr.sbin.libvirtd.in | 7 +- src/security/security_apparmor.c | 83 +++++----- src/security/virt-aa-helper.c | 145 +++++++++--------- 4 files changed, 120 insertions(+), 120 deletions(-) -- 2.34.1

4 11

[PATCH] meson: remove unneeded dependency on libdevmapper for storage_disk
by Stefan Hellermann 07 Jan '25

07 Jan '25

In commit dfa0e11 the last direct usage of devmapper for storage_disk was removed. There is one stale include remaining, which is unused even longer since df1011ca. Remove the include and change meson.build so we can use storage_disk without devmapper. I'm running it right now with a stripped-down config on a small arm64 router with openwrt. Signed-off-by: Stefan Hellermann <stefan(a)the2masters.de> --- meson.build | 4 ++-- src/storage/parthelper.c | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/meson.build b/meson.build index ca1b915737..ffe91dbd46 100644 --- a/meson.build +++ b/meson.build @@ -1787,11 +1787,11 @@ if conf.has('WITH_LIBVIRTD') conf.set('WITH_STORAGE_DIR', 1) endif - if not get_option('storage_disk').disabled() and devmapper_dep.found() and libparted_dep.found() + if not get_option('storage_disk').disabled() and libparted_dep.found() use_storage = true conf.set('WITH_STORAGE_DISK', 1) elif get_option('storage_disk').enabled() - error('You must install libparted and libdevmapper to compile libvirt with disk storage driver') + error('You must install libparted to compile libvirt with disk storage driver') endif if not get_option('storage_fs').disabled() diff --git a/src/storage/parthelper.c b/src/storage/parthelper.c index ee07ba41bb..1169ebfb64 100644 --- a/src/storage/parthelper.c +++ b/src/storage/parthelper.c @@ -31,7 +31,6 @@ #include <config.h> #include <parted/parted.h> -#include <libdevmapper.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> -- 2.47.1

2 1