July 2025 - Devel - libvirt List Archives

[PATCH] qemu_tpm: Do not use persistent definition during pre-start checks
by Martin Kletzander 18 Jul '25

18 Jul '25

From: Martin Kletzander <mkletzan(a)redhat.com> Commit 3451987fca7c used the persistent TPM Definition in both calls to qemuTPMVirCommandSwtpmAddTPMState() but in one of the two cases it might've been NULL and what's more, it is not the right definition which should've been used. Change that to @tpm which is the current definition. The other call does not have access to the current definition and is only called during updating the profile. But for the sake of fewer future mistakes, keep the other one as is because there is no issue with calling it that way and adding logic that just skips the extra check on NULL could mistake someone in the future. Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com> --- src/qemu/qemu_tpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 5cb678df0eee..4c9445d72c39 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -852,7 +852,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, virCommandAddArgFormat(cmd, "type=unixio,path=%s,mode=0600", tpm->data.emulator.source->data.nix.path); - qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, persistentTPMDef, cfg); + qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, tpm, cfg); virCommandAddArg(cmd, "--log"); if (tpm->data.emulator.debug != 0) -- 2.50.1

2 1

[PATCH 0/6] nss: Rework debugging
by Michal Privoznik 18 Jul '25

18 Jul '25

I've been debugging a problem with NSS plugin recently [1] and the fact that I had to recompile libvirt just to enable debugging printings for the NSS plugin turned out very inconvenient. Make the debug printings env var dependant and add a few more printings. 1: https://bugzilla.redhat.com/show_bug.cgi?id=2364285 Michal Prívozník (6): nss: Promote debug message to proper error when time() fails nss: Move logging into a separate file and turn it temporarily on nss: Make logging conditional on an envvar nss: Include filename in debug printings nss: Print module name nss: Debug print JSON files as they are parsed build-aux/syntax-check.mk | 2 +- docs/nss.rst | 13 ++++++ tools/nss/libvirt_nss.c | 8 +++- tools/nss/libvirt_nss.h | 30 +----------- tools/nss/libvirt_nss_leases.c | 12 +++-- tools/nss/libvirt_nss_log.c | 85 ++++++++++++++++++++++++++++++++++ tools/nss/libvirt_nss_log.h | 41 ++++++++++++++++ tools/nss/meson.build | 1 + 8 files changed, 158 insertions(+), 34 deletions(-) create mode 100644 tools/nss/libvirt_nss_log.c create mode 100644 tools/nss/libvirt_nss_log.h -- 2.49.0

3 10

[PATCH 0/3] qemu_tpm: Do not pollute logs with unnecessary warning
by Martin Kletzander 18 Jul '25

18 Jul '25

https://issues.redhat.com/browse/RHEL-80155 Martin Kletzander (3): qemu_tpm: Rename qemuTPMHasSharedStorage -> qemuTPMDomainHasSharedStorage qemu_tpm: Extract per-TPM functionality from qemuTPMDomainHasSharedStorage qemu_tpm: Only warn about missing locking feature on shared filesystems src/qemu/qemu_migration.c | 2 +- src/qemu/qemu_tpm.c | 75 +++++++++++++++++++++++---------------- src/qemu/qemu_tpm.h | 4 +-- 3 files changed, 47 insertions(+), 34 deletions(-) -- 2.50.1

4 8

[PATCH 0/3] qemu: workaround for GNUTLS bug hitting live migration
by Daniel P. Berrangé 18 Jul '25

18 Jul '25

This is a workaround for existing running QEMU processes which are susceptible to a GNUTLS crasher bug with non-multifd live migration: https://gitlab.com/qemu-project/qemu/-/issues/1937 which in turn is caused by a gnutls regression https://gitlab.com/gnutls/gnutls/-/issues/1717 Even if gnutls is fixed, running QEMU processes are still at risk until restarted, and that can't be done without live migrating workloads off, which triggers the bug we're trying to avoid. The only way to avoid this for running QEMU processes is to change the crypto priority string. On Fedora / RHEL distros we can do this on the target QEMU using /etc/crypto-policies configs, but many other distros have now adopted this - hint: this is a very useful thing to adopt. This series gives a more targetted workaround that is compatible with all distros and can be configured on either the source or dst hosts and whose impact is limited just to live migration. Daniel P. Berrangé (3): qemu: fix order of VNC TLS config entries qemu: sanitize blank lines in config file qemu: add ability to set TLS priority string with QEMU src/conf/storage_source_conf.c | 2 + src/conf/storage_source_conf.h | 1 + src/qemu/libvirtd_qemu.aug | 8 +- src/qemu/qemu.conf.in | 99 +++++++++++++++++-- src/qemu/qemu_backup.c | 5 +- src/qemu/qemu_blockjob.c | 1 + src/qemu/qemu_command.c | 15 ++- src/qemu/qemu_command.h | 1 + src/qemu/qemu_conf.c | 22 +++++ src/qemu/qemu_conf.h | 6 ++ src/qemu/qemu_domain.c | 3 + src/qemu/qemu_domain.h | 1 + src/qemu/qemu_hotplug.c | 4 +- src/qemu/qemu_hotplug.h | 1 + src/qemu/qemu_migration_params.c | 1 + src/qemu/test_libvirtd_qemu.aug.in | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +- ...graphics-vnc-tls-secret.x86_64-latest.args | 2 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 2 +- tests/qemuxmlconftest.c | 6 ++ 20 files changed, 170 insertions(+), 20 deletions(-) -- 2.50.1

2 6

Re: download.libvirt.org HTTPS certificate expired causing download failures
by Daniel P. Berrangé 18 Jul '25

18 Jul '25

On Fri, Jul 18, 2025 at 10:36:53AM +0000, Song, Jiaying (CN) wrote: > Hello libvirt team, > > I am a user trying to fetch packages from https://download.libvirt.org/, but I encountered an issue where the HTTPS certificate issued by Let's Encrypt (CN=R10) appears to have expired. > > This causes download failures in automated builds and package fetching processes. For example, wget reports: > > wget https://download.libvirt.org/python/libvirt-python-11.1.0.tar.gz > ERROR: cannot verify download.libvirt.org's certificate, issued by 'CN=R10,O=Let's Encrypt,C=US': > Issued certificate has expired. > > Could you please update or renew the TLS certificate for download.libvirt.org at your earliest convenience to avoid further disruptions? > > Thank you very much for your help! FYI, we connected on IRC and I got this sorted out. It was a result of us having to move to a new physical server on short notice a few weeks ago, combined with an OS upgrade from RHEL 7 to 9. We copied the certs, but failed to setup acme-tiny again on the new machine to renew them. In 3 months time we'll find out if I got the acme-tiny config correct, so if anyone notices problems at that time let me know.... With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

1 0

[PATCH 0/7] tls: Improve validation of certificates if multiple certs are concatenated in one file
by Peter Krempa 18 Jul '25

18 Jul '25

Our code handled properly only multiple CA certs in one file. This patch extends the validation also to multiple client/server certs in one file. Peter Krempa (7): rpc: virnettlscontext: Fix formatting of function definitions virNetTLSContextNewPath: Refactor temporary variable usage virNetTLSCertCheckPair: Fix function definition formatting rpc: virnettlscert: Rename virNetTLSCertLoadCAListFromFile to virNetTLSCertLoadListFromFile virPKIValidateIdentity: Validate all concatenated certificates virNetTLSCertSanityCheck: Validate all concatenated certs Remove unused 'virNetTLSCertLoadFromFile' src/rpc/virnettlscert.c | 94 ++++++++++++-------------------------- src/rpc/virnettlscert.h | 6 ++- src/rpc/virnettlscontext.c | 89 +++++++++++++++++------------------- tools/virt-pki-validate.c | 20 ++++++-- 4 files changed, 90 insertions(+), 119 deletions(-) -- 2.50.0

2 16

download.libvirt.org HTTPS certificate expired causing download failures
by Song, Jiaying (CN) 18 Jul '25

18 Jul '25

Hello libvirt team, I am a user trying to fetch packages from https://download.libvirt.org/, but I encountered an issue where the HTTPS certificate issued by Let's Encrypt (CN=R10) appears to have expired. This causes download failures in automated builds and package fetching processes. For example, wget reports: wget https://download.libvirt.org/python/libvirt-python-11.1.0.tar.gz ERROR: cannot verify download.libvirt.org's certificate, issued by 'CN=R10,O=Let's Encrypt,C=US': Issued certificate has expired. Could you please update or renew the TLS certificate for download.libvirt.org at your earliest convenience to avoid further disruptions? Thank you very much for your help! Best regards, Jiaying.

1 0

[PATCH 0/6] Make virConnectBaselineHypervisorCPU a bit more sane
by Jiri Denemark 18 Jul '25

18 Jul '25

See 2/6 for description of the issue this series is trying to deal with. Jiri Denemark (6): cpu: Show input CPU model names in debug log Clarify documentation of virConnectBaselineHypervisorCPU Change documentation style of virConnectBaselineCPUFlags Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag qemu: Implement VIR_CONNECT_BASELINE_CPU_IGNORE_HOST virsh: Add support for VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag docs/manpages/virsh.rst | 20 +++++++++++++++----- include/libvirt/libvirt-host.h | 9 +++++++-- src/cpu/cpu.c | 2 +- src/libvirt-host.c | 30 +++++++++++++++++++++--------- src/qemu/qemu_driver.c | 30 +++++++++++++++++++++--------- tools/virsh-host.c | 8 ++++++++ 6 files changed, 73 insertions(+), 26 deletions(-) -- 2.50.0

3 9

[PATCH] src: fix typo in fixup_name()
by Elizaveta Tereshkina 17 Jul '25

17 Jul '25

Similar branches in the if-else structure look like bad copy-paste. Fix the typo. Fixes: a559ffec44 (src: rewrite ACL rule checker in Python) Signed-off-by: Elizaveta Tereshkina <etereshkina(a)astralinux.ru> --- scripts/check-aclrules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/check-aclrules.py b/scripts/check-aclrules.py index ed6805058b..13aed99243 100755 --- a/scripts/check-aclrules.py +++ b/scripts/check-aclrules.py @@ -88,7 +88,7 @@ def fixup_name(name): elif name.endswith("Mac"): name = name[:-3] + "MAC" elif name.endswith("Cpu"): - name = name[:-3] + "MAC" + name = name[:-3] + "CPU" elif name.endswith("Os"): name = name[:-2] + "OS" elif name.endswith("Nmi"): -- 2.39.2

2 1

[PATCH v2 0/5] bhyve: TCP console support
by Roman Bogorodskiy 17 Jul '25

17 Jul '25

Changes since v1: I misunderstood semantics of the 'mode' attribute of the <source> element, and used 'connect' while I should have used 'bind', because bhyve listens on the TCP socket and client connects to using using netcat (or any other similar tool). Now it's using the 'bind' value. Other changes: added validation to bhyve_domain.c, and unified error messages used in bhyve_command.c and bhyve_domain.c Roman Bogorodskiy (5): bhyve: support serial type 'tcp' bhyve: increase number of supported consoles to 4 docs: drvbhyve: document TCP console support bhyve: validate serial devices validation bhyve: sync error messages docs/drvbhyve.rst | 19 ++++++ src/bhyve/bhyve_capabilities.c | 3 +- src/bhyve/bhyve_command.c | 42 +++++++++----- src/bhyve/bhyve_domain.c | 27 +++++++++ .../bhyvexml2argv-4-consoles.args | 15 +++++ .../bhyvexml2argv-4-consoles.ldargs | 4 ++ .../bhyvexml2argv-4-consoles.xml | 35 +++++++++++ .../bhyvexml2argv-serial-invalid-port.args | 12 ++++ .../bhyvexml2argv-serial-invalid-port.ldargs | 4 ++ .../bhyvexml2argv-serial-invalid-port.xml | 28 +++++++++ .../bhyvexml2argv-serial-tcp.args | 12 ++++ .../bhyvexml2argv-serial-tcp.ldargs | 4 ++ .../bhyvexml2argv-serial-tcp.xml | 27 +++++++++ tests/bhyvexml2argvtest.c | 3 + .../bhyvexml2xmlout-4-consoles.xml | 58 +++++++++++++++++++ .../bhyvexml2xmlout-serial-tcp.xml | 46 +++++++++++++++ tests/bhyvexml2xmltest.c | 2 + tests/domaincapsdata/bhyve_basic.x86_64.xml | 1 + tests/domaincapsdata/bhyve_fbuf.x86_64.xml | 1 + tests/domaincapsdata/bhyve_uefi.x86_64.xml | 1 + 20 files changed, 328 insertions(+), 16 deletions(-) create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-4-consoles.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-invalid-port.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-serial-tcp.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-4-consoles.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-serial-tcp.xml -- 2.49.0

2 8