June 2025 - Devel - libvirt List Archives

[PATCH] nwfilter: Avoid firewall hole during VM startup by checking rule presence
by Dion Bosschieter 08 Jul '25

08 Jul '25

Upon VM bootstrapping (start,restore,incoming migration) iptablesCreateBaseChainsFW is called and unconditionally deletes and reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules). This briefly opens a hole in the firewall, allowing packets through until the insertions complete. This commit ensures that the base chains are only created once per layer (IPV4/IPV6) and checks whether the expected rules already exist using `iptables -C`. If they do, no delete/insert operations are performed. This eliminates the short window where packets could bypass filters during VM lifecycle operations. Signed-off-by: Dion Bosschieter <dionbosschieter(a)gmail.com> --- src/nwfilter/nwfilter_ebiptables_driver.c | 79 ++++++++++++++--------- 1 file changed, 47 insertions(+), 32 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 067df6e612..42a0133159 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -131,6 +131,14 @@ static char chainprefixes_host_temp[3] = { 0 }; +typedef struct { + const char *chain; + const char *position; + const char *targetChain; +} iptablesBaseChainFW; + +static bool baseChainFWDefined[VIR_FIREWALL_LAYER_LAST] = { false }; + static int printVar(virNWFilterVarCombIter *vars, char *buf, int bufsize, @@ -403,38 +411,45 @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmdFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddCmd(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + iptablesBaseChainFW fw_chains[] = { + {"FORWARD", "1", VIRT_IN_CHAIN}, + {"FORWARD", "2", VIRT_OUT_CHAIN}, + {"FORWARD", "3", VIRT_IN_POST_CHAIN}, + {"INPUT", "1", HOST_IN_CHAIN}, + }; + size_t i; + + // iptablesCreateBaseChainsFW already ran once for this layer, + // we don't have to recreate the base chains on every firewall update + if (baseChainFWDefined[layer]) + return; + + // set defined state so we skip the following logic next run + baseChainFWDefined[layer] = true; + + virFirewallStartTransaction(fw, 0); + + for (i = 0; i < G_N_ELEMENTS(fw_chains); i++) + virFirewallAddCmd(fw, layer, + "-C", fw_chains[i].chain, + "-j", fw_chains[i].targetChain, NULL); + + if (virFirewallApply(fw) == 0) + // rules already in place + return; + + for (i = 0; i < G_N_ELEMENTS(fw_chains); i++) { + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", fw_chains[i].targetChain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", fw_chains[i].chain, "-j", + fw_chains[i].targetChain, NULL); + virFirewallAddCmd(fw, layer, + "-I", fw_chains[i].chain, fw_chains[i].position, + "-j", fw_chains[i].targetChain, NULL); + } } -- 2.39.3 (Apple Git-146)

2 3

[PATCH 0/4] Allow xml-configured coredump format on VM crash
by Nikolai Barybin 08 Jul '25

08 Jul '25

When libvirt processes VM crash event it always dumps core in raw format. This series makes it possible to configure dump format via domain xml. This would be especcialy helpful for Windows guests, because it requires a lot effort to convert raw dump into wingdb. Nikolai Barybin (4): conf: schemas: add coredump_format element to events section src: conf: add parsing/formatting for 'coredump_format' value qemu: use configurable dump format in doCoreDumpToAutoDumpPath() docs: formatdomain: document 'coredump_format' element docs/formatdomain.rst | 9 +++++ src/conf/domain_conf.c | 64 +++++++++++++++++++++++++++++++ src/conf/domain_conf.h | 2 + src/conf/schemas/domaincommon.rng | 19 +++++++++ src/libvirt_private.syms | 2 + src/qemu/qemu_driver.c | 2 +- 6 files changed, 97 insertions(+), 1 deletion(-) -- 2.43.5

3 8

[PATCH] qemu: Switch to virtio-scsi on ARM
by Jim Fehlig 08 Jul '25

08 Jul '25

From: Jim Fehlig <jfehlig(a)suse.com> Similar to x86, the default SCSI controller model for ARM is lsilogic. But unlike x86, the ARM virt machine type prefers virtio devices. Switch the default controller model for ARM from lsilogic to virtio-scsi. Signed-off-by: Jim Fehlig <jfehlig(a)suse.com> --- IMO, the lsilogic SCSI controller is a poor default for the ARM virt machine type. One could argue modern operating systems are more likely to contain a functional virtio-scsi driver than an LSI one. However, I do understand this change could break existing ARM VM configurations containing a SCSI controller without a model specification. One could also argue the pain inflicted is tolerable :-). The test churn is interesting. I haven't yet investigated if there's an underlying bug, or if it's a consequence of libvirt's processing of controllers. Much appreciated if anyone has an explanation handy :-). src/qemu/qemu_domain.c | 3 ++- ...ault-models.aarch64-latest.abi-update.args | 13 +++++------ ...fault-models.aarch64-latest.abi-update.xml | 22 ++++++++----------- ...64-virt-default-models.aarch64-latest.args | 13 +++++------ ...h64-virt-default-models.aarch64-latest.xml | 22 ++++++++----------- 5 files changed, 32 insertions(+), 41 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 0d2548d8d4..499db0ad78 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -4252,7 +4252,8 @@ qemuDomainGetSCSIControllerModel(const virDomainDef *def, if (qemuDomainIsPSeries(def)) return VIR_DOMAIN_CONTROLLER_MODEL_SCSI_IBMVSCSI; - if (ARCH_IS_S390(def->os.arch) || qemuDomainIsLoongArchVirt(def)) + if (ARCH_IS_ARM(def->os.arch) || ARCH_IS_S390(def->os.arch) || + qemuDomainIsLoongArchVirt(def)) return VIR_DOMAIN_CONTROLLER_MODEL_SCSI_VIRTIO_SCSI; if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_SCSI_LSI)) return VIR_DOMAIN_CONTROLLER_MODEL_SCSI_LSILOGIC; diff --git a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.args b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.args index 96fb251d80..ff86567c59 100644 --- a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.args +++ b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.args @@ -29,20 +29,19 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ -device '{"driver":"pcie-root-port","port":8,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x1"}' \ -device '{"driver":"pcie-root-port","port":9,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x1.0x1"}' \ -device '{"driver":"pcie-root-port","port":10,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x1.0x2"}' \ --device '{"driver":"pcie-pci-bridge","id":"pci.4","bus":"pci.1","addr":"0x0"}' \ --device '{"driver":"pcie-root-port","port":11,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x1.0x3"}' \ --device '{"driver":"pcie-root-port","port":12,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x1.0x4"}' \ --device '{"driver":"qemu-xhci","id":"usb","bus":"pci.3","addr":"0x0"}' \ --device '{"driver":"lsi","id":"scsi0","bus":"pci.4","addr":"0x1"}' \ +-device '{"driver":"pcie-root-port","port":11,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x1.0x3"}' \ +-device '{"driver":"pcie-root-port","port":12,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x1.0x4"}' \ +-device '{"driver":"qemu-xhci","id":"usb","bus":"pci.2","addr":"0x0"}' \ +-device '{"driver":"virtio-scsi-pci","id":"scsi0","bus":"pci.3","addr":"0x0"}' \ -netdev '{"type":"user","id":"hostnet0"}' \ --device '{"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"52:54:00:09:a4:37","bus":"pci.2","addr":"0x0"}' \ +-device '{"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"52:54:00:09:a4:37","bus":"pci.1","addr":"0x0"}' \ -chardev pty,id=charserial0 \ -serial chardev:charserial0 \ -chardev socket,id=chrtpm,path=/dev/test \ -tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \ -device '{"driver":"tpm-tis-device","tpmdev":"tpm-tpm0","id":"tpm0"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ --device '{"driver":"virtio-gpu-pci","id":"video0","max_outputs":1,"bus":"pci.5","addr":"0x0"}' \ +-device '{"driver":"virtio-gpu-pci","id":"video0","max_outputs":1,"bus":"pci.4","addr":"0x0"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -device '{"driver":"pvpanic-pci","bus":"pcie.0","addr":"0x2"}' \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.xml b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.xml index f27e7e1522..5abf55cf36 100644 --- a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.xml +++ b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.abi-update.xml @@ -21,11 +21,11 @@ <devices> <emulator>/usr/bin/qemu-system-aarch64</emulator> <controller type='usb' index='0' model='qemu-xhci'> + <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> + </controller> + <controller type='scsi' index='0' model='virtio-scsi'> <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/> </controller> - <controller type='scsi' index='0' model='lsilogic'> - <address type='pci' domain='0x0000' bus='0x04' slot='0x01' function='0x0'/> - </controller> <controller type='pci' index='0' model='pcie-root'/> <controller type='pci' index='1' model='pcie-root-port'> <model name='pcie-root-port'/> @@ -42,24 +42,20 @@ <target chassis='3' port='0xa'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> </controller> - <controller type='pci' index='4' model='pcie-to-pci-bridge'> - <model name='pcie-pci-bridge'/> - <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> - </controller> - <controller type='pci' index='5' model='pcie-root-port'> + <controller type='pci' index='4' model='pcie-root-port'> <model name='pcie-root-port'/> - <target chassis='5' port='0xb'/> + <target chassis='4' port='0xb'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/> </controller> - <controller type='pci' index='6' model='pcie-root-port'> + <controller type='pci' index='5' model='pcie-root-port'> <model name='pcie-root-port'/> - <target chassis='6' port='0xc'/> + <target chassis='5' port='0xc'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/> </controller> <interface type='user'> <mac address='52:54:00:09:a4:37'/> <model type='virtio'/> - <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> + <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> <serial type='pty'> <target type='system-serial' port='0'> @@ -75,7 +71,7 @@ <audio id='1' type='none'/> <video> <model type='virtio' heads='1' primary='yes'/> - <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/> + <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </video> <memballoon model='none'/> <panic model='pvpanic'> diff --git a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.args b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.args index 96fb251d80..ff86567c59 100644 --- a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.args +++ b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.args @@ -29,20 +29,19 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-guest/.config \ -device '{"driver":"pcie-root-port","port":8,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x1"}' \ -device '{"driver":"pcie-root-port","port":9,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x1.0x1"}' \ -device '{"driver":"pcie-root-port","port":10,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x1.0x2"}' \ --device '{"driver":"pcie-pci-bridge","id":"pci.4","bus":"pci.1","addr":"0x0"}' \ --device '{"driver":"pcie-root-port","port":11,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x1.0x3"}' \ --device '{"driver":"pcie-root-port","port":12,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x1.0x4"}' \ --device '{"driver":"qemu-xhci","id":"usb","bus":"pci.3","addr":"0x0"}' \ --device '{"driver":"lsi","id":"scsi0","bus":"pci.4","addr":"0x1"}' \ +-device '{"driver":"pcie-root-port","port":11,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x1.0x3"}' \ +-device '{"driver":"pcie-root-port","port":12,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x1.0x4"}' \ +-device '{"driver":"qemu-xhci","id":"usb","bus":"pci.2","addr":"0x0"}' \ +-device '{"driver":"virtio-scsi-pci","id":"scsi0","bus":"pci.3","addr":"0x0"}' \ -netdev '{"type":"user","id":"hostnet0"}' \ --device '{"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"52:54:00:09:a4:37","bus":"pci.2","addr":"0x0"}' \ +-device '{"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"52:54:00:09:a4:37","bus":"pci.1","addr":"0x0"}' \ -chardev pty,id=charserial0 \ -serial chardev:charserial0 \ -chardev socket,id=chrtpm,path=/dev/test \ -tpmdev emulator,id=tpm-tpm0,chardev=chrtpm \ -device '{"driver":"tpm-tis-device","tpmdev":"tpm-tpm0","id":"tpm0"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ --device '{"driver":"virtio-gpu-pci","id":"video0","max_outputs":1,"bus":"pci.5","addr":"0x0"}' \ +-device '{"driver":"virtio-gpu-pci","id":"video0","max_outputs":1,"bus":"pci.4","addr":"0x0"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -device '{"driver":"pvpanic-pci","bus":"pcie.0","addr":"0x2"}' \ -msg timestamp=on diff --git a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.xml b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.xml index f27e7e1522..5abf55cf36 100644 --- a/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.xml +++ b/tests/qemuxmlconfdata/aarch64-virt-default-models.aarch64-latest.xml @@ -21,11 +21,11 @@ <devices> <emulator>/usr/bin/qemu-system-aarch64</emulator> <controller type='usb' index='0' model='qemu-xhci'> + <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> + </controller> + <controller type='scsi' index='0' model='virtio-scsi'> <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/> </controller> - <controller type='scsi' index='0' model='lsilogic'> - <address type='pci' domain='0x0000' bus='0x04' slot='0x01' function='0x0'/> - </controller> <controller type='pci' index='0' model='pcie-root'/> <controller type='pci' index='1' model='pcie-root-port'> <model name='pcie-root-port'/> @@ -42,24 +42,20 @@ <target chassis='3' port='0xa'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> </controller> - <controller type='pci' index='4' model='pcie-to-pci-bridge'> - <model name='pcie-pci-bridge'/> - <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> - </controller> - <controller type='pci' index='5' model='pcie-root-port'> + <controller type='pci' index='4' model='pcie-root-port'> <model name='pcie-root-port'/> - <target chassis='5' port='0xb'/> + <target chassis='4' port='0xb'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/> </controller> - <controller type='pci' index='6' model='pcie-root-port'> + <controller type='pci' index='5' model='pcie-root-port'> <model name='pcie-root-port'/> - <target chassis='6' port='0xc'/> + <target chassis='5' port='0xc'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/> </controller> <interface type='user'> <mac address='52:54:00:09:a4:37'/> <model type='virtio'/> - <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> + <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> <serial type='pty'> <target type='system-serial' port='0'> @@ -75,7 +71,7 @@ <audio id='1' type='none'/> <video> <model type='virtio' heads='1' primary='yes'/> - <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/> + <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/> </video> <memballoon model='none'/> <panic model='pvpanic'> -- 2.43.0

3 7

[PATCH 0/2] network: support NAT networking for FreeBSD/pf
by Roman Bogorodskiy 02 Jul '25

02 Jul '25

This series implements NAT networks support for FreeBSD using the Packet Filter (pf) firewall. The commit messages provide high-level details and limitations of the current implementation, and I'll use this cover letter to provide some more technical details and describe testing I have performed for this change. Libvirt FreeBSD/pf NAT testing For two networks: virsh # net-dumpxml default <network> <name>default</name> <uuid>68cd5419-9fda-4cf0-9ac6-2eb9c1ba41ed</uuid> <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> <bridge name='virbr0' stp='on' delay='0'/> <mac address='52:54:00:db:0e:e5'/> <ip address='192.168.122.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.122.2' end='192.168.122.254'/> </dhcp> </ip> </network> virsh # net-dumpxml natnet <network> <name>natnet</name> <uuid>d3c59659-3ceb-4482-a625-1f839a54429c</uuid> <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> <bridge name='virbr1' stp='on' delay='0'/> <mac address='52:54:00:0a:fc:1d'/> <ip address='10.0.100.1' netmask='255.255.255.0'> <dhcp> <range start='10.0.100.2' end='10.0.100.254'/> </dhcp> </ip> </network> virsh # The following rules are generated: $ sudo pfctl -a '*' -sn nat-anchor "libvirt/*" all { nat-anchor "default" all { nat pass on re0 inet from 192.168.122.0/24 to <natdst> -> (re0) port 1024:65535 round-robin } nat-anchor "natnet" all { nat pass on re0 inet from 10.0.100.0/24 to <natdst> -> (re0) port 1024:65535 round-robin } } $ $ sudo pfctl -a 'libvirt/default' -t natdst -T show 0.0.0.0/0 !192.168.122.0/24 !224.0.0.0/24 !255.255.255.255 $ sudo pfctl -a 'libvirt/natnet' -t natdst -T show 0.0.0.0/0 !10.0.100.0/24 !224.0.0.0/24 !255.255.255.255 $ $ sudo pfctl -a '*' -sr scrub all fragment reassemble anchor "libvirt/*" all { anchor "default" all { pass quick on virbr0 inet from 192.168.122.0/24 to 192.168.122.0/24 flags S/SA keep state pass quick on virbr0 inet from 192.168.122.0/24 to 224.0.0.0/24 flags S/SA keep state pass quick on virbr0 inet from 192.168.122.0/24 to 255.255.255.255 flags S/SA keep state block drop on virbr0 all } anchor "natnet" all { pass quick on virbr1 inet from 10.0.100.0/24 to 10.0.100.0/24 flags S/SA keep state pass quick on virbr1 inet from 10.0.100.0/24 to 224.0.0.0/24 flags S/SA keep state pass quick on virbr1 inet from 10.0.100.0/24 to 255.255.255.255 flags S/SA keep state block drop on virbr1 all } } pass all flags S/SA keep state $ Create two guests attached to the "default" network, vmA and vmB. vmA $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:67:eb:de brd ff:ff:ff:ff:ff:ff inet 192.168.122.92/24 brd 192.168.122.255 scope global dynamic noprefixroute enp0s4 valid_lft 1082sec preferred_lft 1082sec inet6 fe80::5054:ff:fe67:ebde/64 scope link noprefixroute valid_lft forever preferred_lft forever vmA $ vmB $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:d2:8b:41 brd ff:ff:ff:ff:ff:ff inet 192.168.122.154/24 metric 100 brd 192.168.122.255 scope global dynamic enp0s4 valid_lft 1040sec preferred_lft 1040sec inet6 fe80::5054:ff:fed2:8b41/64 scope link valid_lft forever preferred_lft forever vmB $ Test NAT rules: vmA $ ping -c 3 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=14.7 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=10.7 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.1 ms --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2006ms rtt min/avg/max/mdev = 10.099/11.835/14.710/2.047 ms vmA $ vmB $ ping -c 3 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=15.1 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=11.0 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.4 ms --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2006ms rtt min/avg/max/mdev = 10.434/12.198/15.113/2.075 ms vmB $ vmA $ curl wttr.in/?0Q Fog _ - _ - _ - +4(1) °C _ - _ - _ ↙ 11 km/h _ - _ - _ - 0 km 0.0 mm vmA $ vmB $ curl wttr.in/?0Q Fog _ - _ - _ - +4(1) °C _ - _ - _ ↙ 11 km/h _ - _ - _ - 0 km 0.0 mm vmB $ Inter-VM connectivity: vmA $ ping -c 3 192.168.122.154 PING 192.168.122.154 (192.168.122.154) 56(84) bytes of data. 64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.253 ms 64 bytes from 192.168.122.154: icmp_seq=2 ttl=64 time=0.226 ms 64 bytes from 192.168.122.154: icmp_seq=3 ttl=64 time=0.269 ms --- 192.168.122.154 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2042ms rtt min/avg/max/mdev = 0.226/0.249/0.269/0.017 ms vmA $ vmA $ ssh 192.168.122.154 uname novel(a)192.168.122.154's password: Linux vmA $ Multicast test: vmA $ iperf -s -u -B 224.0.0.1 -i 1 ------------------------------------------------------------ Server listening on UDP port 5001 Joining multicast group 224.0.0.1 Server set to single client traffic mode (per multicast receive) UDP buffer size: 208 KByte (default) ------------------------------------------------------------ [ 1] local 224.0.0.1 port 5001 connected with 192.168.122.154 port 36963 [ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams [ 1] 0.00-1.00 sec 131 KBytes 1.07 Mbits/sec 0.030 ms 0/91 (0%) [ 1] 1.00-2.00 sec 128 KBytes 1.05 Mbits/sec 0.022 ms 0/89 (0%) [ 1] 2.00-3.00 sec 128 KBytes 1.05 Mbits/sec 0.021 ms 0/89 (0%) [ 1] 0.00-3.02 sec 389 KBytes 1.06 Mbits/sec 0.026 ms 0/271 (0%) vmB $ iperf -c 224.0.0.1 -u -T 32 -t 3 -i 1 ------------------------------------------------------------ Client connecting to 224.0.0.1, UDP port 5001 Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust) UDP buffer size: 208 KByte (default) ------------------------------------------------------------ [ 1] local 192.168.122.154 port 36963 connected with 224.0.0.1 port 5001 [ ID] Interval Transfer Bandwidth [ 1] 0.0000-1.0000 sec 131 KBytes 1.07 Mbits/sec [ 1] 1.0000-2.0000 sec 128 KBytes 1.05 Mbits/sec [ 1] 2.0000-3.0000 sec 128 KBytes 1.05 Mbits/sec [ 1] 0.0000-3.0173 sec 389 KBytes 1.06 Mbits/sec [ 1] Sent 272 datagrams vmB $ Broadcast test: vmA $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0 net.ipv4.icmp_echo_ignore_broadcasts = 0 vmA $ vmB $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0 net.ipv4.icmp_echo_ignore_broadcasts = 0 vmB $ host $ ping 192.168.122.255 PING 192.168.122.255 (192.168.122.255): 56 data bytes 64 bytes from 192.168.122.154: icmp_seq=0 ttl=64 time=0.199 ms 64 bytes from 192.168.122.92: icmp_seq=0 ttl=64 time=0.227 ms (DUP!) 64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.209 ms 64 bytes from 192.168.122.92: icmp_seq=1 ttl=64 time=0.235 ms (DUP!) ^C --- 192.168.122.255 ping statistics --- 2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet loss round-trip min/avg/max/stddev = 0.199/0.218/0.235/0.014 ms This testing does not cover any negative scenarios which are probably not that important at this point. Roman Bogorodskiy (2): network: bridge_driver: add BSD implementation network: introduce Packet Filter firewall backend meson.build | 2 + po/POTFILES | 2 + src/network/bridge_driver_bsd.c | 107 +++++++++ src/network/bridge_driver_conf.c | 8 + src/network/bridge_driver_linux.c | 2 + src/network/bridge_driver_platform.c | 2 + src/network/meson.build | 1 + src/network/network_pf.c | 327 +++++++++++++++++++++++++++ src/network/network_pf.h | 26 +++ src/util/virfirewall.c | 4 +- src/util/virfirewall.h | 2 + 11 files changed, 482 insertions(+), 1 deletion(-) create mode 100644 src/network/bridge_driver_bsd.c create mode 100644 src/network/network_pf.c create mode 100644 src/network/network_pf.h -- 2.49.0

2 7

[libvirt PATCH] docs: clarify how to build without -Werror
by Ján Tomko 02 Jul '25

02 Jul '25

From: Ján Tomko <jtomko(a)redhat.com> --werror does not accept any arguments for me and setting git_werror was also needed to disable it with git. Signed-off-by: Ján Tomko <jtomko(a)redhat.com> --- docs/compiling.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/compiling.rst b/docs/compiling.rst index 0a47a50569..06a2d53c3a 100644 --- a/docs/compiling.rst +++ b/docs/compiling.rst @@ -105,8 +105,8 @@ Notes: ~~~~~~ By default when the ``meson`` is run from within a GIT checkout, it will turn -on -Werror for builds. This can be disabled with --werror=false, but this is -not recommended. +on -Werror for builds. This can be disabled with +`-Dwerror=false -Dgit_werror=false`, but this is not recommended. Please ensure that you have the appropriate minimal ``meson`` version installed in your build environment. The minimal version for a specific package can be -- 2.49.0

2 1

[PATCH 00/15] virt-aa-helper: Misc improvements
by Michal Privoznik 02 Jul '25

02 Jul '25

Inspired by a patchset against virt-aa-helper that I reviewed recently: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/QQXM… Green pipeline: https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/1866451277 Michal Prívozník (15): log_cleaner: Use virFileCanonicalizePath() virt-aa-helper: Use virFileCanonicalizePath() virpcimock: Automatically invent fakerootdir, if not provided virpcimock: Strip fakerootdir prefix in virFileCanonicalizePath() tests: Fix mocking of open() virt-aa-helper-test: Print errors to stderr virt-aa-helper-test: Silence ls virt-aa-helper-test: Test hostdevs unconditionally virt-aa-helper: Rework USB hostdev handling virt-aa-helper: Simplify paths collection virt-aa-helper: Decrease scope of @mem_path in get_files() virt-aa-helper: Use automatic memory freeing virt-aa-helper: Check retval of vah_add_file() virt-aa-helper: Drop cleanup label from get_files() virt-aa-helper-test: Switch to getopts src/logging/log_cleaner.c | 2 +- src/security/virt-aa-helper.c | 474 +++++++++++++++++----------------- tests/nssmock.c | 4 + tests/qemusecuritymock.c | 4 + tests/vircgroupmock.c | 4 + tests/virfilewrapper.c | 4 + tests/virpcimock.c | 41 ++- tests/virt-aa-helper-test | 77 +++--- tests/virtestmock.c | 4 + tests/virusbmock.c | 4 + 10 files changed, 353 insertions(+), 265 deletions(-) -- 2.49.0

3 21

[PATCH 00/10] Unify argument name of migration APIs
by Michal Privoznik 01 Jul '25

01 Jul '25

Some of our APIs have 'bandwidth' argument but then, at internal impl level it's renamed to 'resource', inconsistently. Since it's really describing bandwidth that the migration can use, let's rename it. Michal Prívozník (10): src: Unify argument name of virDomainMigratePrepare() src: Unify argument name of virDomainMigratePerform() src: Unify argument name of virDomainMigratePrepare2() src: Unify argument name of virDomainMigratePrepareTunnel() src: Unify argument name of virDomainMigratePrepare3() src: Unify argument name of virDomainMigratePrepareTunnel3() src: Unify argument name of virDomainMigrateBegin3() src: Unify argument name of virDomainMigratePerform3() qemu: Finish argument rename gendispatch: Finish rename of the migration argument src/driver-hypervisor.h | 16 +++---- src/esx/esx_driver.c | 2 +- src/libvirt_internal.h | 16 +++---- src/qemu/qemu_driver.c | 18 ++++---- src/qemu/qemu_migration.c | 72 ++++++++++++++--------------- src/remote/remote_daemon_dispatch.c | 10 ++-- src/remote/remote_driver.c | 24 +++++----- src/remote/remote_protocol.x | 16 +++---- src/remote_protocol-structs | 16 +++---- src/rpc/gendispatch.pl | 36 +++++++-------- 10 files changed, 113 insertions(+), 113 deletions(-) -- 2.49.0

2 12

[PATCH] tests: validate an XML config with USB vendor/product set
by Daniel P. Berrangé 01 Jul '25

01 Jul '25

From: Daniel P. Berrangé <berrange(a)redhat.com> The USB vendor/product is usually translated into a device/bus at startup using the hostdev logic. We don't run the latter in the unit test suite, but we can fake it by hardcoding a translation. This demonstrates that we format the command line with the normal device/bus properties, even when vendor/product is set. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- ...tdev-usb-vendor-product.x86_64-latest.args | 35 +++++++++++++++ ...stdev-usb-vendor-product.x86_64-latest.xml | 44 +++++++++++++++++++ .../hostdev-usb-vendor-product.xml | 36 +++++++++++++++ tests/qemuxmlconftest.c | 18 ++++++++ 4 files changed, 133 insertions(+) create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml create mode 100644 tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args new file mode 100644 index 0000000000..62338db872 --- /dev/null +++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.args @@ -0,0 +1,35 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1 \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ +/usr/bin/qemu-system-x86_64 \ +-name guest=QEMUGuest1,debug-threads=on \ +-S \ +-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \ +-machine pc,usb=off,dump-guest-core=off,memory-backend=pc.ram,acpi=off \ +-accel tcg \ +-cpu qemu64 \ +-m size=219136k \ +-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-boot strict=on \ +-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ +-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","node-name":"libvirt-1-storage","read-only":false}' \ +-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ +-audiodev '{"id":"audio1","driver":"none"}' \ +-device '{"driver":"usb-host","hostdevice":"/dev/bus/usb/042/4660","id":"hostdev0","guest-reset":true,"guest-resets-all":false,"bus":"usb.0","port":"1"}' \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml new file mode 100644 index 0000000000..340df80263 --- /dev/null +++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.x86_64-latest.xml @@ -0,0 +1,44 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <cpu mode='custom' match='exact' check='none'> + <model fallback='forbid'>qemu64</model> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='block' device='disk'> + <driver name='qemu' type='raw'/> + <source dev='/dev/HostVG/QEMUGuest1'/> + <target dev='hda' bus='ide'/> + <address type='drive' controller='0' bus='0' target='0' unit='0'/> + </disk> + <controller type='usb' index='0' model='piix3-uhci'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='ide' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <hostdev mode='subsystem' type='usb' managed='no'> + <source guestReset='uninitialized'> + <vendor id='0x1234'/> + <product id='0x4321'/> + </source> + </hostdev> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml new file mode 100644 index 0000000000..dfb668f208 --- /dev/null +++ b/tests/qemuxmlconfdata/hostdev-usb-vendor-product.xml @@ -0,0 +1,36 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='block' device='disk'> + <driver name='qemu' type='raw'/> + <source dev='/dev/HostVG/QEMUGuest1'/> + <target dev='hda' bus='ide'/> + <address type='drive' controller='0' bus='0' target='0' unit='0'/> + </disk> + <controller type='usb' index='0'/> + <controller type='ide' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <hostdev mode='subsystem' type='usb' managed='no'> + <source guestReset='uninitialized'> + <vendor id='0x1234'/> + <product id='0x4321'/> + </source> + </hostdev> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c index f74bd2bb7a..fe90f029d9 100644 --- a/tests/qemuxmlconftest.c +++ b/tests/qemuxmlconftest.c @@ -474,6 +474,23 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv, } } + for (i = 0; i < vm->def->nhostdevs; i++) { + virDomainHostdevDef *hostdev = vm->def->hostdevs[i]; + + if (hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && + hostdev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) { + virDomainHostdevSubsysUSB *usb = &hostdev->source.subsys.u.usb; + if (!usb->device && !usb->bus) { + if (usb->vendor == 0x1234 && usb->product == 0x4321) { + usb->bus = 42; + usb->device = 0x1234; + } else { + g_assert_not_reached(); + } + } + } + } + if (flags & FLAG_SLIRP_HELPER) { for (i = 0; i < vm->def->nnets; i++) { virDomainNetDef *net = vm->def->nets[i]; @@ -2118,6 +2135,7 @@ mymain(void) DO_TEST_CAPS_LATEST("hostdev-usb-address-device"); DO_TEST_CAPS_LATEST("hostdev-usb-address-device-boot"); DO_TEST_CAPS_LATEST_PARSE_ERROR("hostdev-usb-duplicate"); + DO_TEST_CAPS_LATEST("hostdev-usb-vendor-product"); DO_TEST_CAPS_LATEST("hostdev-pci-address"); DO_TEST_CAPS_LATEST("hostdev-pci-address-device"); DO_TEST_CAPS_LATEST_PARSE_ERROR("hostdev-pci-duplicate"); -- 2.49.0

2 1

[PATCH] tls: Don't require 'keyEncipherment' to be enabled altoghther
by Peter Krempa 01 Jul '25

01 Jul '25

From: Peter Krempa <pkrempa(a)redhat.com> Key encipherment is required only for RSA key exchange algorithm. With TLS 1.3 this is not even used as RSA is used only for authentication. Since we can't really check when it's required ahead of time drop the check completely. GnuTLS will moan if it will not be able to use RSA key exchange. In commit 11867b0224a2 I tried to relax the check for some eliptic curve algorithm that explicitly forbid it. Based on the above the proper solution is to completely remove it. Resolves: https://issues.redhat.com/browse/RHEL-100711 Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1 Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- src/rpc/virnettlscert.c | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index f197995633..7024e858f0 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -162,34 +162,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, certFile); } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV - * algorithms must not have 'keyEncipherment' present. - * - * [1] https://datatracker.ietf.org/doc/rfc8813/ - * [2] https://datatracker.ietf.org/doc/rfc5480 - */ - - switch (alg) { - case GNUTLS_PK_ECDSA: - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - break; - - default: - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key encipherment", - certFile); - } - } - } } return 0; -- 2.49.0

2 7

pci-hole64-size on q35 questions
by mitchell.augustin＠canonical.com 30 Jun '25

30 Jun '25

Hi, I'm trying to get a better understanding of how libvirt VMs interact with the default QEMU setting for pci-hole64-size on q35 hosts, to assess why my libvirt VMs behave differently from a similarly configured lxd VM. As I understand, both libvirt and lxd are using qemu q35 VMs under the hood, and both are inheriting their pci-hole64-size from qemu's default setting (correct me if that's wrong), but in my tests, I'm getting different behavior from them. I know lxd is probably out of scope from the libvirt project perspective, so consider this more of a libvirt question w/ some added lxd context. All of this is on a DGX B200 host, which contains large (~180GB VRAM) GPUs. With libvirt/virt-install, I created a q35 virtual machine with CPU host passthrough and 1 or more GPUs passed-through via --host-device. Without additional modifications, this works as expected, and I can initialize the GPU driver in the VM and run nvidia-smi. With lxd (which creates a q35 virtual machine with CPU host passthrough by default), I attached 1 GPU via "lxc config device add passthroughtest gpu gpu pci=1b:00.0". On that machine, the pci-hole64-size is too small by default, since I see these in my dmesg: [ 1.099110] pci 0000:00:01.5: bridge window [mem size 0x6000000000 64bit pref]: can't assign; no space [ 1.120274] pci 0000:00:01.5: bridge window [mem size 0x6000000000 64bit pref]: can't assign; no space [ 1.183281] pci 0000:06:00.0: BAR 2 [mem size 0x4000000000 64bit pref]: can't assign; no space [ 1.186320] pci 0000:06:00.0: BAR 0 [mem size 0x04000000 64bit pref]: can't assign; no space [ 1.189340] pci 0000:06:00.0: BAR 4 [mem size 0x02000000 64bit pref]: can't assign; no space and I cannot initialize the GPU driver since the BARs weren't mapped correctly. When I apply a larger hole size to my lxd VM via `lxc config set passthroughtest raw.qemu=' -global q35-pcihost.pci-hole64-size=8192G'`, I don't see any "can't assign; no space" messages, and the driver works as expected. My question about libvirt is - where (if at all) does libvirt interact with qemu's pci-hole64-size value? If libvirt does not automatically do something functionally similar to changing the hole size like I need to do above for lxd, and is in fact just using a qemu default value, is there some other related interaction happening in libvirt that might explain why my libvirt VMs don't require a manual change to pci-hole64-size, despite the fact that the relevant parts of the underlying qemu machine should be the same?

2 1