git.ipfire.org Git - thirdparty/libvirt.git/log
2 weeks ago tests: qemuxmlconftest: Add case for hyperv domains
Praveen K Paladugu [Fri, 7 Nov 2025 20:14:00 +0000 (14:14 -0600)] 
tests: qemuxmlconftest: Add case for hyperv domains

Add qemuxmlconftest test for hyperv domains.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago tests: qemucapabilities: Introduce MSHV capability
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:59 +0000 (14:13 -0600)] 
tests: qemucapabilities: Introduce MSHV capability

Add case to test libvirt's parsing of MSHV capability.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago tests: Add domaincaps case for mshv
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:58 +0000 (14:13 -0600)] 
tests: Add domaincaps case for mshv

Add domaincaps tests data for mshv capability

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago conf: Fix virttype handling in schemas
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:57 +0000 (14:13 -0600)] 
conf: Fix virttype handling in schemas

Create a common `virttype` definition in basictypes.rng and reuse it
to enumerate all virt types. This change eliminates the need to duplicate
virttypes in multiple locations.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago qemu: conditionally add /dev/mshv to acl
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:56 +0000 (14:13 -0600)] 
qemu: conditionally add /dev/mshv to acl

Conditionally add /dev/mshv device to acl while launching
hyperv domains.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago qemu: use mshv accel for hyperv domains
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:55 +0000 (14:13 -0600)] 
qemu: use mshv accel for hyperv domains

Add mshv acceleration (-accel mshv) flag while launching hyperv domains.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago qemu: Append mshv to hwaccel list.
Eugene Fedorenko [Fri, 7 Nov 2025 20:13:54 +0000 (14:13 -0600)] 
qemu: Append mshv to hwaccel list.

Append mshv to the default list of hwaccel to be used by qemu.

Signed-off-by: Eugene Fedorenko <eugene.fedor@gmail.com>
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago qemu: Query and use mshv capabilities
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:53 +0000 (14:13 -0600)] 
qemu: Query and use mshv capabilities

Qemu with mshv capabilities can launch VIR_DOMAIN_VIRT_HYPERV domains.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago qemu: Introduce mshv capabilities
Praveen K Paladugu [Fri, 7 Nov 2025 20:13:52 +0000 (14:13 -0600)] 
qemu: Introduce mshv capabilities

This capability indicates if qemu supports mshv as an accelerator. Qemu
with mshv capabilities can launch domains of type VIR_DOMAIN_VIRT_HYPERV.

Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago qemu: only allow enabling deprecated features that are supported
Collin Walling [Thu, 20 Nov 2025 22:34:43 +0000 (17:34 -0500)] 
qemu: only allow enabling deprecated features that are supported

When updating the guest CPU model and the deprecated_features attribute
is set to on, only enable the features the model can actually enable.

While host-model would normally just enable these features without
intervention (and without the presence of the deprecated_features
attribute), custom models would see no changes to their feature set
without these changes.

This is useful for e.g. testing CPU models.

Fixes: f279ea36 (qemu: process: refactor deprecated features code)
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2 weeks ago qemu: query and cache static/host deprecated features
Collin Walling [Thu, 20 Nov 2025 22:34:42 +0000 (17:34 -0500)] 
qemu: query and cache static/host deprecated features

When performing a static CPU model expansion, the reported list of
deprecated features will reflect the features which are currently
enabled on the CPU model.

Retrieve this subset and store them as static deprecated properties for
the model info, and as host deprecated features in the cache.

Note that this list may exclude items that are shown in the
<deprecatedFeatures> list, as some feature support has been dropped by
hardware (e.g. csske).

Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2 weeks ago qemu: refactor load/format of deprecated features
Collin Walling [Thu, 20 Nov 2025 22:34:41 +0000 (17:34 -0500)] 
qemu: refactor load/format of deprecated features

Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2 weeks ago qemu: rename modelinfo's deprecated_props to full_dep_props
Collin Walling [Thu, 20 Nov 2025 22:34:40 +0000 (17:34 -0500)] 
qemu: rename modelinfo's deprecated_props to full_dep_props

The current query of deprecated properties is the result of a full model
expansion.  Rename the field to reflect this.

Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2 weeks ago tests: Don't link vmx2xmltest with esx_lib
Michal Privoznik [Fri, 21 Nov 2025 13:54:27 +0000 (14:54 +0100)] 
tests: Don't link vmx2xmltest with esx_lib

When reworking the vmx2xmltest to call esxParseVMXFileName() from
the ESX driver I also made the test link with the driver
statically. But the function then calls some other functions
which are mocked in vmx2xmlmock. Now, on many systems this works
just fine as the dynamic linker finds the mocked functions first.
But on Fedora 41 and Fedora 42 the dynamic linker resolves the
symbols to those from statically linked library rendering our
mock ineffective.

Just don't link in the esx_lib.

Fixes: f82d30307da8bea396a32dcab2ba9be5c3236b7c
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago Edit apps.rst to add Apache CloudStack in the IaaS section.
Nux [Fri, 14 Nov 2025 16:16:02 +0000 (16:16 +0000)] 
Edit apps.rst to add Apache CloudStack in the IaaS section.

Add Apache CloudStack to the docs/apps.rst file, IaaS section.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Nux <nux@li.nux.ro>
2 weeks ago qemu: Remove redundant kvm group config in sysusers.d
Achill Gilgenast via Devel [Sat, 15 Nov 2025 11:19:11 +0000 (12:19 +0100)] 
qemu: Remove redundant kvm group config in sysusers.d

It's already defined by default in systemd:
https://github.com/systemd/systemd/blob/v257.6/sysusers.d/basic.conf.in#L32

Adding it again here in libvirt-qemu.sysusers.conf causes the following
warning by validating it with sd-sysusers:

/usr/lib/sysusers.d/libvirt-qemu.conf:1: Conflict with earlier configuration for group 'kvm' in /usr/lib/sysusers.d/basic.conf:32, ignoring line.

On Fedora/RHEL systemd is built with -Dkvm-gid=36 so there is no change
in the allocated GID on these platforms. Other platforms have the same
facility available to them if they wish to retain a fixed GID.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Achill Gilgenast <achill@achill.org>
2 weeks ago cputest: Skip test for Intel(R) Xeon(R) 6788P CPU when QEMU driver is disabled
Jaroslav Suchanek [Fri, 21 Nov 2025 12:24:47 +0000 (13:24 +0100)] 
cputest: Skip test for Intel(R) Xeon(R) 6788P CPU when QEMU driver is disabled

Commit 034f02d25cd8de8c7875d7b12e762df4809a8418 added new test for the
Intel(R) Xeon(R) 6788P cpu model. The test depends on QEMU driver. If
the driver is not available, then skip it. Similarly as in commit
c22b73411732b9a135923c19b7784c7c48729042.

Signed-off-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2 weeks ago tests: skip vmx tests when ESX is disabled
Daniel P. Berrangé [Fri, 21 Nov 2025 11:38:07 +0000 (11:38 +0000)] 
tests: skip vmx tests when ESX is disabled

Since the recent change:

  commit f82d30307da8bea396a32dcab2ba9be5c3236b7c
  Author: Michal Prívozník <mprivozn@redhat.com>
  Date:   Fri Nov 14 10:35:14 2025 +0100

    vmx2xmltest: Drop custom file name parse function

The VMX parsing uses the esxParseVMXFileName() function in
the ESX library. This is unavailable when the ESX driver is
disabled, so the tests must be skipped too.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago build: drop userfaultfd_sysctl option
Ján Tomko [Wed, 19 Nov 2025 11:00:12 +0000 (12:00 +0100)] 
build: drop userfaultfd_sysctl option

Since e2bc742fcc64da4c8370a71b65fd8c01ff3f9d41 we do not
install it on RHEL nor Fedora.

OpenSUSE is also new enough that it disables the installation.
On Debian, sysctl files are only installed as an example.

Remove the option and delete the file.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago tests: qemuxmlconfdata: provide device-pluggable smmuv3 sample XML and CLI args
Nathan Chen [Thu, 20 Nov 2025 01:42:43 +0000 (17:42 -0800)] 
tests: qemuxmlconfdata: provide device-pluggable smmuv3 sample XML and CLI args

Provide sample XML and CLI args for the device-pluggable smmuv3
XML schema for virt machine type.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago qemu: Implement pluggable-device smmuv3
Nathan Chen [Thu, 20 Nov 2025 01:42:41 +0000 (17:42 -0800)] 
qemu: Implement pluggable-device smmuv3

Introduce support for "pciBus" driver attribute for
"smmuv3" IOMMU model. The "pciBus" attribute indicates
the index of the controller that a smmuv3 IOMMU device
is attached to, and differentiates the device-pluggable
arm-smmuv3 model from the virt-machine-associated smmuv3
model.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago conf: Support multiple device-pluggable smmuv3 IOMMUs
Nathan Chen [Thu, 20 Nov 2025 01:42:40 +0000 (17:42 -0800)] 
conf: Support multiple device-pluggable smmuv3 IOMMUs

Add support for parsing multiple IOMMU devices from
the VM definition when "smmuv3" is the IOMMU model.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago qemu: Format IOMMU devices after controllers
Nathan Chen [Thu, 20 Nov 2025 01:42:42 +0000 (17:42 -0800)] 
qemu: Format IOMMU devices after controllers

Format qemu arguments for IOMMU devices after
controllers as the multi-SMMUv3 model associates
SMMUv3 devices with hostdevs by plugging them
into the same controller upstream.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago qemu: make qemuBuildDeviceAddressPCIGetBus more generic
Ján Tomko [Thu, 20 Nov 2025 14:15:38 +0000 (15:15 +0100)] 
qemu: make qemuBuildDeviceAddressPCIGetBus more generic

Operate on a virPCIDeviceAddress, not virDomainDeviceInfo
so that this can be reused to look for buses that are not
stored in the device info.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2 weeks ago bhyve: support VNC 'wait' attribute
Roman Bogorodskiy [Tue, 18 Nov 2025 18:01:52 +0000 (19:01 +0100)] 
bhyve: support VNC 'wait' attribute

Bhyve supports the 'wait' option for the VNC device configuration.
When enabled, VM boots only upon a VNC connection.

Sample device configuration looks like this:

 -s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago conf: introduce 'wait' attribute for VNC
Roman Bogorodskiy [Tue, 18 Nov 2025 17:58:17 +0000 (18:58 +0100)] 
conf: introduce 'wait' attribute for VNC

Introduce an optional 'wait' attribute for 'VNC'.
When set to 'yes', VM should only boot upon the initiation of a VNC
connection.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago tools: inform user which hardware virt was found during validation
Daniel P. Berrangé [Thu, 20 Nov 2025 09:50:29 +0000 (04:50 -0500)] 
tools: inform user which hardware virt was found during validation

On x86 we can indicate VMX or SVM, while s390x would be SIE, and
PowerPC would be LCPR (Logical Partitioning Control Register).

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago tools: be explicit about failure to find x86 secure virt
Daniel P. Berrangé [Thu, 20 Nov 2025 09:42:35 +0000 (04:42 -0500)] 
tools: be explicit about failure to find x86 secure virt

If we fail to find either SEV or TDX on x86, we can explicitly
say there is no secure guest support on the platform.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago tools: inform user which CVM is found during validation
Daniel P. Berrangé [Thu, 20 Nov 2025 09:36:58 +0000 (04:36 -0500)] 
tools: inform user which CVM is found during validation

For AMD, the virt-host-validate 'secure guest' check reports
support for SEV, and there are then further check results
printed for SEV-ES/SEV-SNP which are overly verbose and the
long lines break output alignment.

This uses the new ability to report details with PASS results
to concisely tell the user which out of SEV/SEV-ES/SEV-SNP
are found. Only a single answer is needed, as SEV-SNP implies
SEV & SEV-ES, and SEV-ES implies SEV.

The TDX s390x PROT-VIRT checks also identify themselves.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago tools: inform user which IOMMU was found during validation
Daniel P. Berrangé [Thu, 20 Nov 2025 09:32:38 +0000 (04:32 -0500)] 
tools: inform user which IOMMU was found during validation

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago tools: allow passing details for passed validation tests
Daniel P. Berrangé [Thu, 20 Nov 2025 09:30:31 +0000 (04:30 -0500)] 
tools: allow passing details for passed validation tests

In a number of virt-host-validate tests we are testing for
at least one out of multiple acceptable features. For
example the 'secure guest' test can be satisfied by
s390x protvirt, or x86 TDX, SEV, SEV-ES, SEV-SNP.

It would be useful to inform the user which one we detected
when the test passes. This introduces virValidatePassDetails
to enable that.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 weeks ago vmx2xmltest: Add a test case for disks in subfolder
Michal Privoznik [Wed, 12 Nov 2025 14:55:54 +0000 (15:55 +0100)] 
vmx2xmltest: Add a test case for disks in subfolder

This test case demonstrates correctness of the previous fix.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago esx: Allow disk images in subdirectories
Michal Privoznik [Wed, 19 Nov 2025 13:28:11 +0000 (14:28 +0100)] 
esx: Allow disk images in subdirectories

The esxParseVMXFileName() function parses path to a disk image
trying to replace some "known" patterns (e.g. datastore paths).
A simple filename is treated as a path relative to .vmx file. But
disk images (and thus filenames) can be in a subdirectory,
relative to the .vmx file. For instance:

  subfolder/disk.vmdk

Adapt our parser to this fact.

Resolves: https://issues.redhat.com/browse/RHEL-122751
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago vmx2xmltest: Drop custom file name parse function
Michal Privoznik [Fri, 14 Nov 2025 09:35:14 +0000 (10:35 +0100)] 
vmx2xmltest: Drop custom file name parse function

Having a custom file name parsing function in vmx2xml that's
different to the one used in production (esxParseVMXFileName())
might have served us well, but it also defeats the point of
having a unit test. More specifically, if there's a bug in
esxParseVMXFileName() then our unit test would not catch it.

But now that we have vmx2xmlmock the custom parsing function can
be dropped and the test can use the real one.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago tests: Introduce vmx2xmlmock
Michal Privoznik [Wed, 19 Nov 2025 11:50:49 +0000 (12:50 +0100)] 
tests: Introduce vmx2xmlmock

If we want vmx2xmltest to use actual file name parser that's used
in production (esxParseVMXFileName()) we need a mock to stop it
from doing any HTTP requests and also to return predictable data.

So far, the function can call three functions that do HTTP
requests: esxVI_LookupDatastoreList(),
esxVI_LookupDatastoreHostMount() and
esxVI_LookupDatastoreByName().

Mock all three of them. And since their implementation uses some
other symbols (like allocators or _AppendToList() helpers) we
need to expose these symbols too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago esx: Make esxVI_LookupDatastoreByName() mockable
Michal Privoznik [Wed, 19 Nov 2025 11:57:46 +0000 (12:57 +0100)] 
esx: Make esxVI_LookupDatastoreByName() mockable

This function is going to be mocked soon. Annotate and export it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago esx: Make esxVI_LookupDatastoreHostMount() mockable
Michal Privoznik [Wed, 19 Nov 2025 11:50:34 +0000 (12:50 +0100)] 
esx: Make esxVI_LookupDatastoreHostMount() mockable

This function is going to be mocked soon. Annotate and export it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago esx: Make esxVI_LookupDatastoreList() mockable
Michal Privoznik [Fri, 14 Nov 2025 09:34:59 +0000 (10:34 +0100)] 
esx: Make esxVI_LookupDatastoreList() mockable

This function is going to be mocked soon. Annotate and export it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago esx: Expose esxParseVMXFileName() for tests
Michal Privoznik [Thu, 13 Nov 2025 09:34:26 +0000 (10:34 +0100)] 
esx: Expose esxParseVMXFileName() for tests

So far, our vmx2xmltest uses a custom .parseFileName callback.
And it kind of makes sense because the one that's used in
production (esxParseVMXFileName()) does some HTTP requests which
we don't want to do in our test suite. But this creates other
sorts of problems and the idea is to have the test ditch custom
parse callback and stick with the production one. But for now,
just expose it. With it, the esxVMX_Data struct is exposed too as
it is passed into the function (via 'opaque' argument).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago libvirt_esx.syms: Put proper header file name into comment
Michal Privoznik [Fri, 14 Nov 2025 13:07:56 +0000 (14:07 +0100)] 
libvirt_esx.syms: Put proper header file name into comment

The esxVI_DateTime_ConvertToCalendarTime() symbol is declared in
esx_vi_types.h header file. Reflect this in the corresponding
.syms file.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2 weeks ago docs: domain: add watchdog notification support
Massimiliano Minella [Fri, 3 Oct 2025 09:06:16 +0000 (11:06 +0200)] 
docs: domain: add watchdog notification support

Since v0.8.0 a watchdog notification is available under event ID
VIR_DOMAIN_EVENT_ID_WATCHDOG, update the documentation to remove the
previous limitation.

Signed-off-by: Massimiliano Minella <massimiliano.minella@se.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2 weeks ago qemuDomainPrepareDiskSourceData: Setup 'detect_zeroes' for all layers
Peter Krempa [Fri, 14 Nov 2025 15:05:06 +0000 (16:05 +0100)] 
qemuDomainPrepareDiskSourceData: Setup 'detect_zeroes' for all layers

While it may seem that zero detection is pointless for backing chain
layers other than the top one, which is usually the only one getting
written to, with block operations such as active-layer commit the
non-top layer may become active, in which case the VM wouldn't be
configured in accordance to the XML any more.

Similarly with snapshots a new image is introduced which would not get
zero detection enabled, but next start of the VM would enable it.

Fix this by propagating the zero detection setting for all layers.

This problem partially addresses one of the issues reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120389

Fixes: 8a78f88a1a6 and a522c3044bd (effectively reverts them)
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2 weeks ago qemuxmlconftest: Improve coverage of 'disk-detect-zeroes' test case
Peter Krempa [Fri, 14 Nov 2025 15:13:55 +0000 (16:13 +0100)] 
qemuxmlconftest: Improve coverage of 'disk-detect-zeroes' test case

Add test cases for all three options 'off'/'on'/'unmap' as well as add
backing store for each image to show how the configuration behaves.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
3 weeks ago selinux: Mark anything using content_context as shared
Cole Robinson [Tue, 11 Nov 2025 16:52:00 +0000 (11:52 -0500)] 
selinux: Mark anything using content_context as shared

This marks kernel, initrd, dtb, and similar elements with is_shared,
meaning we skip label restore if xattr label remembering is not
enabled or supported (like on qemu:///session).

non-xattr based label restore is subject to race conditions if
multiple VMs are starting and stopping using shared media:
https://issues.redhat.com/browse/RHEL-126945

This converts every case that is using content_context (virt_content_t)
at SetFileLabel time, which is how we are marking content as
readonly. All the shareable cases (marked with file_context) are
already skipping remembering/label restore entirely.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
3 weeks ago selinux: Add is_shared plumbing to RestoreFileLabel
Cole Robinson [Tue, 11 Nov 2025 14:21:17 +0000 (09:21 -0500)] 
selinux: Add is_shared plumbing to RestoreFileLabel

If set, we will skip fallback label restore attempts, if label
remembering fails or isn't supported.

This is a no-op, as every caller passes in `false` which matches
existing behavior. Next patch will make use of it

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
3 weeks ago selinux: Don't remember labels for shareable SCSI devices
Cole Robinson [Tue, 11 Nov 2025 16:50:06 +0000 (11:50 -0500)] 
selinux: Don't remember labels for shareable SCSI devices

For shareable/readonly devices, label restore is skipped entirely in
virSecuritySELinuxRestoreSCSILabel. So requesting remember=true here
doesn't accomplish anything

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
3 weeks ago selinux: Match remember/recall arguments for SavedStateLabel
Cole Robinson [Tue, 11 Nov 2025 14:10:03 +0000 (09:10 -0500)] 
selinux: Match remember/recall arguments for SavedStateLabel

virSecuritySELinuxSetSavedStateLabel uses remember=false, but
virSecuritySELinuxRestoreSavedStateLabel uses recall=true.

This doesn't cause problems in practice, just some redundant xattr
calls. But Set and Restore calls should be matched here.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
3 weeks ago bhyve: s/provconn/privcon/
Michal Privoznik [Thu, 13 Nov 2025 08:06:43 +0000 (09:06 +0100)] 
bhyve: s/provconn/privcon/

Due to a typo, the bhyve driver doesn't compile. Fix it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago qemu: snapshot: Set umask for 'qemu-img' when creating external inactive snapshots CVE-2025-13193
Peter Krempa [Wed, 12 Nov 2025 16:52:05 +0000 (17:52 +0100)] 
qemu: snapshot: Set umask for 'qemu-img' when creating external inactive snapshots

External inactive snapshots are created by invoking 'qemu-img' which
creates the file. Currently qemu-img creates image with mode 644 based
on default umask as libvirt doesn't set any.

Having a world-readable image is obviously wrong so set the umask to
077 to have the file readable only by the owner.

Resolves: https://bugs.debian.org/1120119
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
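
The umask effect described in the commit above, as an added example (not libvirt's code and not part of the log): a stand-in child process, used here in place of 'qemu-img', creates a file under a chosen umask and the parent reports the resulting permission bits. The function name, the /tmp path, the file name and the requested mode 0666 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a child, apply `child_umask` in the child only, let the child create
 * a new file while requesting mode 0666, and return the permission bits the
 * file actually received (or -1 on error).
 *
 * The child is a stand-in for an external helper that creates an image file;
 * the parent's own umask is never modified, which is why the mask has to be
 * set between fork() and the point where the helper creates the file.
 */
int mode_created_with_umask(mode_t child_umask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int status = 0;
    int mode = -1;
    pid_t pid;

    /* Private scratch directory so the file name cannot collide. */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/overlay.img", dir);

    pid = fork();
    if (pid == 0) {
        int fd;

        /* Child: restrict the mask before anything is created. */
        umask(child_umask);
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd < 0)
            _exit(1);
        close(fd);
        _exit(0);
    }

    /* Parent: wait for the helper and inspect what it left on disk. */
    if (pid > 0 &&
        waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
        stat(path, &st) == 0)
        mode = (int)(st.st_mode & 0777);

    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    /* Common default mask: group and others keep read access. */
    printf("umask 022 -> %04o\n", (unsigned)mode_created_with_umask(022));
    /* Mask from the commit: only the owner can read or write. */
    printf("umask 077 -> %04o\n", (unsigned)mode_created_with_umask(077));
    return 0;
}
```

The same check applies to existing snapshot overlays: `stat` the file and confirm that no group or other bits are set.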
3 weeks ago qemu: Check ACLs before parsing the whole domain XML CVE-2025-12748
Martin Kletzander [Thu, 6 Nov 2025 13:33:41 +0000 (14:33 +0100)] 
qemu: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

This is one of the more complex ones since there is also a function that
reads relevant metadata from a save image XML.  In order _not_ to extract
the parsing out of the function (and make the function basically trivial
and all callers more complex) add a callback to the function which will
be used to check the ACLs.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago ch: Check ACLs before parsing the whole domain XML
Martin Kletzander [Thu, 6 Nov 2025 15:23:30 +0000 (16:23 +0100)] 
ch: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

This is one of the more complex ones since there is also a function that
reads relevant metadata from a save image XML.  In order not to extract
the parsing out of the function (and make the function basically trivial
and all callers more complex) add a callback to the function which will
be used to check the ACLs.  And since this function is called in APIs
that perform ACL checks both with and without flags, add two of them for
good measure.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago vz: Check ACLs before parsing the whole domain XML
Martin Kletzander [Thu, 6 Nov 2025 15:03:26 +0000 (16:03 +0100)] 
vz: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago lxc: Check ACLs before parsing the whole domain XML
Martin Kletzander [Thu, 6 Nov 2025 14:49:01 +0000 (15:49 +0100)] 
lxc: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago libxl: Check ACLs before parsing the whole domain XML
Martin Kletzander [Thu, 6 Nov 2025 14:43:57 +0000 (15:43 +0100)] 
libxl: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago bhyve: Check ACLs before parsing the whole domain XML
Martin Kletzander [Thu, 6 Nov 2025 14:31:12 +0000 (15:31 +0100)] 
bhyve: Check ACLs before parsing the whole domain XML

Utilise the new virDomainDefIDsParseString() for that.

Fixes: CVE-2025-12748
Reported-by: Святослав Терешин <s.tereshin@fobos-nt.ru>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago conf: Add virDomainDefIDsParseString
Martin Kletzander [Thu, 6 Nov 2025 13:33:31 +0000 (14:33 +0100)] 
conf: Add virDomainDefIDsParseString

This function performs only parsing with the underlying
virDomainDefParseIDs() function to get needed metadata for any ACL
checks, but nothing else to avoid extraneous allocations and any
parser-induced DoS over ACL-forbidden connections.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago virXMLFormatMetadata: Don't modify deprecated 'xmlIndentTreeOutput'
Peter Krempa [Mon, 10 Nov 2025 15:52:45 +0000 (16:52 +0100)] 
virXMLFormatMetadata: Don't modify deprecated 'xmlIndentTreeOutput'

'libxml2' deprecated the 'xmlIndentTreeOutput' thread-local variable as
well as the 'xmlThrDefIndentTreeOutput' function for setting the global
default, which we use in our code for formatting the metadata sub-XML.

'libxml2' also for now doesn't provide a way to set target indentation
level in 'xmlSaveCtxt' which would allow us to use the modern output
APIs, we can't replace our use of 'xmlDumpNode'. (See
https://gitlab.gnome.org/GNOME/libxml2/-/issues/989 )

Since the indentation is enabled by default in libxml2 and our most
commonly used code which calls xmlDumpNode lives in a standalone
process, where we don't override the setting, just removing the override
will result in identical behaviour.

For the use cases which do live in a process we don't fully control and
thus the default could have been overridden, the result would be that the
<metadata> element would be un-indented, but that is still valid XML.

Thus to fix the deprecated use just stop setting 'xmlIndentTreeOutput'.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/816
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
3 weeks ago virVBoxSnapshotConfSaveVboxFile: Don't modify deprecated 'xmlIndentTreeOutput'
Peter Krempa [Mon, 10 Nov 2025 15:54:32 +0000 (16:54 +0100)] 
virVBoxSnapshotConfSaveVboxFile: Don't modify deprecated 'xmlIndentTreeOutput'

'xmlIndentTreeOutput' is now deprecated by libxml2.

The default value set by libxml2 is '1', and the vbox driver resides
only inside the standalone daemon where the value will not be changed by
us thus there's no observable change in behaviour.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
3 weeks ago bhyve: domain: improve disks validation
Roman Bogorodskiy [Sun, 9 Nov 2025 10:10:54 +0000 (11:10 +0100)] 
bhyve: domain: improve disks validation

Do not allow to configure queues and queue size for non-NVMe disks.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago bhyve: domain: refactor bhyveDomainDeviceDefValidate()
Roman Bogorodskiy [Sun, 9 Nov 2025 09:47:51 +0000 (10:47 +0100)] 
bhyve: domain: refactor bhyveDomainDeviceDefValidate()

Refactor bhyveDomainDeviceDefValidate() to use switch/case instead of
series of ifs which makes it easier to follow.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago bhyve: support queue configuration for NVMe disks
Roman Bogorodskiy [Sat, 8 Nov 2025 08:12:50 +0000 (09:12 +0100)] 
bhyve: support queue configuration for NVMe disks

bhyve supports queue configuration for the NVMe disks:

  maxq        Max number of queues.
  qsz         Max elements in each queue.

Map that to the disk driver's "queues" and "queue_size" attributes
respectively, so:

  <driver name='file' type='raw' queues='2' queue_size='256'/>

results in:

  -s N:0,nvme,/tmp/disk.img,maxq=2,qsz=256

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 weeks ago conf: domain_validate: make disk queue configuration driver specific
Roman Bogorodskiy [Sun, 9 Nov 2025 09:10:54 +0000 (10:10 +0100)] 
conf: domain_validate: make disk queue configuration driver specific

Currently, virDomainDiskDefValidate() allows configuring disks' number
of queues and queue size for virtio disks only. However, the bhyve
driver allows configuring these for the NVMe disks, so make this
check driver-specific.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago docs: drvbhyve: add guest-specific nodes section
Roman Bogorodskiy [Sat, 8 Nov 2025 14:22:48 +0000 (15:22 +0100)] 
docs: drvbhyve: add guest-specific nodes section

Add a section with guest-specific notes. Start with LPC slot address
information for the Windows guests.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago docs: drvbhyve: improve the manpage link
Roman Bogorodskiy [Sat, 8 Nov 2025 13:46:26 +0000 (14:46 +0100)] 
docs: drvbhyve: improve the manpage link

When linking to the bhyve(8) manual page, do not set manpath
to a specific FreeBSD version so the latest actual version
is displayed.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago docs: drvbhyve: document device passthrough
Roman Bogorodskiy [Sat, 8 Nov 2025 13:25:00 +0000 (14:25 +0100)] 
docs: drvbhyve: document device passthrough

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago meson: default to system crypto policies where available
Daniel P. Berrangé [Tue, 1 Jul 2025 16:45:26 +0000 (17:45 +0100)] 
meson: default to system crypto policies where available

In RHEL and Fedora, the built-in GNUTLS default priority is changed
from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit
policy with gnutls we don't honour that. Instead we force "NORMAL"
unless the 'tls_priority' meson option is changed.

In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it
look for a libvirt specific profile first, falling back to "@SYSTEM"

This changes the meson option to default to "@LIBVIRT,SYSTEM" if the
crypto-policies config is present on the local machine and the meson
option -Dsystem=true is given.

This gives developers more appropriate default behaviour, matching
that seen in package builds.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
4 weeks ago ch: Sort driver sources and drop header files
Michal Privoznik [Fri, 24 Oct 2025 08:11:04 +0000 (10:11 +0200)] 
ch: Sort driver sources and drop header files

Firstly, there's no need to list header files in
ch_driver_sources (we don't do that anywhere else, and meson is
smart enough to figure them out). And secondly, the list of
source files is not sorted, which means new source files are added
in random order.

Thus, drop header files from the list and sort it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 weeks ago ch: Assign device alias early
Michal Privoznik [Thu, 23 Oct 2025 13:53:20 +0000 (15:53 +0200)] 
ch: Assign device alias early

Assigning device should happen from ch_hotplug.c (just like it's
done for disks currently) not in ch_process.c. Move alias
assignment out of chProcessAddNetworkDevice(). And while at it,
mimic what's done with disks and have net hotplug handling done
from a function.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 weeks ago ch: Set transient domain definition
Michal Privoznik [Fri, 24 Oct 2025 13:42:53 +0000 (15:42 +0200)] 
ch: Set transient domain definition

Libvirt's philosophy is that for a running domain there are two
(in general distinct) definitions: live definition (reflects the
running state) and inactive definition (used to seed the live
definition when domain is being created).  That's why we have
VIR_DOMAIN_AFFECT_LIVE and VIR_DOMAIN_AFFECT_CONFIG flags to APIs
that modify domain definitions.

Well, the CH driver doesn't make this distinction. Fix this by
making the domain definition transient when it's being created.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 weeks ago ch: Use correct domain definition in chDomainGetXMLDesc()
Michal Privoznik [Thu, 6 Nov 2025 14:01:26 +0000 (15:01 +0100)] 
ch: Use correct domain definition in chDomainGetXMLDesc()

The chDomainGetXMLDesc() function claims to support
VIR_DOMAIN_XML_INACTIVE to obtain the persistent definition of a
running domain (in its call to virCheckFlags()) but in fact, it's
always passing vm->def to virDomainDefFormat().

So far, there's no harm done because CH driver never sets domain
def as transient. But that'll change.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 weeks ago ch_process: Avoid memleak in chProcessAddNetworkDevice()
Michal Privoznik [Thu, 6 Nov 2025 14:03:42 +0000 (15:03 +0100)] 
ch_process: Avoid memleak in chProcessAddNetworkDevice()

The 'payload' variable inside of chProcessAddNetworkDevice() is
reused and thus the memory it points to just before its
repurpose is not freed. Avoid reusing g_autofree variables.

 128 bytes in 1 blocks are definitely lost in loss record 1,828 of 2,026
    at 0x491A120: realloc (vg_replace_malloc.c:1801)
    by 0x4FEC251: g_realloc (in /usr/lib64/libglib-2.0.so.0.8400.4)
    by 0x500BB7E: g_string_expand (in /usr/lib64/libglib-2.0.so.0.8400.4)
    by 0x500BBF0: g_string_sized_new (in /usr/lib64/libglib-2.0.so.0.8400.4)
    by 0x4A114C0: virBufferInitialize (virbuffer.c:121)
    by 0x4A11890: virBufferAdd (virbuffer.c:160)
    by 0x4A67344: virJSONValueToBuffer (virjson.c:1562)
    by 0x4A673DB: virJSONValueToString (virjson.c:1599)
    by 0xBC878AB: virCHMonitorBuildNetJson (ch_monitor.c:466)
    by 0xBC8D4A9: chProcessAddNetworkDevice (ch_process.c:688)
    by 0xBC8FCE2: chDomainAttachDeviceLive (ch_hotplug.c:78)
    by 0xBC900CA: chDomainAttachDeviceLiveAndUpdateConfig (ch_hotplug.c:174)

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 weeks ago domain_capabilities: Use virXMLFormatElement() in FORMAT_PROLOGUE and FORMAT_EPILOGUE...
Michal Privoznik [Tue, 4 Nov 2025 10:03:18 +0000 (11:03 +0100)] 
domain_capabilities: Use virXMLFormatElement() in FORMAT_PROLOGUE and FORMAT_EPILOGUE macros

Domain capabilities XML is formatted (mostly) using
FORMAT_PROLOGUE and FORMAT_EPILOGUE macros. These format opening
and closing stanzas for given element. The FORMAT_PROLOGUE macro
even tries to be clever and format element onto one line (if the
element isn't supported), but that's not enough. Fortunately, we
have virXMLFormatElement() which formats elements properly, so
let's switch macros into using that.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 weeks ago domain_capabilities: Check NULL in FORMAT_PROLOGUE
Michal Privoznik [Tue, 4 Nov 2025 12:35:30 +0000 (13:35 +0100)] 
domain_capabilities: Check NULL in FORMAT_PROLOGUE

In the virDomainCaps struct there are some pointers that might be
NULL (for instance 'sev', 'sgx', 'hyperv'). Teach FORMAT_PROLOGUE
macro to check for NULL argument so that format functions (like
virDomainCapsFeatureHypervFormat()) don't need to.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 weeks ago domain_capabilities: Rework virDomainCapsCPUFormat()
Michal Privoznik [Tue, 4 Nov 2025 11:23:58 +0000 (12:23 +0100)] 
domain_capabilities: Rework virDomainCapsCPUFormat()

Make the virDomainCapsCPUFormat() function use
virXMLFormatElement() family of functions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 weeks ago domain_capabilities: Rework virDomainCapsCPUCustomFormat()
Michal Privoznik [Wed, 5 Nov 2025 09:43:09 +0000 (10:43 +0100)] 
domain_capabilities: Rework virDomainCapsCPUCustomFormat()

Make the virDomainCapsCPUCustomFormat() function use
virXMLFormatElement() family of functions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 weeks ago domain_capabilities: Move indentation adjustment out of virDomainCapsCPUCustomFormat()
Michal Privoznik [Tue, 4 Nov 2025 11:25:20 +0000 (12:25 +0100)] 
domain_capabilities: Move indentation adjustment out of virDomainCapsCPUCustomFormat()

The aim of virDomainCapsCPUCustomFormat() is to format CPU models
into given buffer. But it starts by adjusting indentation. Move
this one level up into the caller so that another buffer can be
used. This also makes the pattern match in the caller
(virDomainCapsCPUFormat()) with the rest of CPU related domcaps
formatting.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 weeks ago bhyve: auto-assign PCI addresses for hostdevs
Roman Bogorodskiy [Wed, 2 Apr 2025 11:20:11 +0000 (13:20 +0200)] 
bhyve: auto-assign PCI addresses for hostdevs

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago bhyve: Tie the 'passthru' option to the 'hostdev' XML config
Alexander Shursha [Mon, 10 Mar 2025 09:05:05 +0000 (12:05 +0300)] 
bhyve: Tie the 'passthru' option to the 'hostdev' XML config

Signed-off-by: Alexander Shursha <kekek2@ya.ru>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago bhyve: Advertise hostdev support
Alexander Shursha [Mon, 10 Mar 2025 09:05:03 +0000 (12:05 +0300)] 
bhyve: Advertise hostdev support

Signed-off-by: Alexander Shursha <kekek2@ya.ru>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago bhyve: Support passing the 'passthru' command line option
Alexander Shursha [Mon, 10 Mar 2025 09:05:04 +0000 (12:05 +0300)] 
bhyve: Support passing the 'passthru' command line option

Bhyve supports PCI device passthrough using the following syntax:

  bhyve ... -s 4:0,passthru,5/2/0 ...

Where 5/2/0 is the PCI address of the device in the host, and "4:0" is the
address in the guest.

Currently, the user is responsible for reserving the device for passthrough,
i.e. by configuring pptdevs in loader.conf(5), or using devctl(8) to
detach the device.

Co-authored-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Signed-off-by: Alexander Shursha <kekek2@ya.ru>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago bhyve: process: improve domain startup error handling
Roman Bogorodskiy [Tue, 28 Oct 2025 17:04:12 +0000 (18:04 +0100)] 
bhyve: process: improve domain startup error handling

After executing the bhyve binary, it might happen that it fails very
early due to configuration issues (missing/inaccessible files, incorrect
custom args), bugs, etc. In this case it'll look like the domain has
started normally, but quickly turned off.

Improve that by waiting for the domain's vmm entity to appear in
/dev/vmm.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add YongFeng-v3 CPU model
Jiri Denemark [Thu, 6 Nov 2025 09:57:47 +0000 (10:57 +0100)] 
cpu_map: Add YongFeng-v3 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add YongFeng-v2 CPU model
Jiri Denemark [Thu, 6 Nov 2025 09:57:25 +0000 (10:57 +0100)] 
cpu_map: Add YongFeng-v2 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add YongFeng CPU model
Jiri Denemark [Thu, 6 Nov 2025 09:56:27 +0000 (10:56 +0100)] 
cpu_map: Add YongFeng CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add features used by Zhaoxin YongFeng Processor
Jiri Denemark [Thu, 6 Nov 2025 09:06:53 +0000 (10:06 +0100)] 
cpu_map: Add features used by Zhaoxin YongFeng Processor

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add Zhaoxin CentaurHauls CPU vendor
Jiri Denemark [Thu, 6 Nov 2025 09:49:19 +0000 (10:49 +0100)] 
cpu_map: Add Zhaoxin CentaurHauls CPU vendor

Zhaoxin uses two distinct vendor IDs. This patch is adding one of them
used by Zhaoxin YongFeng Processor.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add EPYC-Turin CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:33:16 +0000 (09:33 +0100)] 
cpu_map: Add EPYC-Turin CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add EPYC-Milan-v3 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:32:40 +0000 (09:32 +0100)] 
cpu_map: Add EPYC-Milan-v3 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add EPYC-v5 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:30:18 +0000 (09:30 +0100)] 
cpu_map: Add EPYC-v5 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add EPYC-Rome-v5 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:31:30 +0000 (09:31 +0100)] 
cpu_map: Add EPYC-Rome-v5 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add EPYC-Genoa-v2 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:27:39 +0000 (09:27 +0100)] 
cpu_map: Add EPYC-Genoa-v2 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add ClearwaterForest CPU model
Jiri Denemark [Wed, 5 Nov 2025 15:45:43 +0000 (16:45 +0100)] 
cpu_map: Add ClearwaterForest CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add GraniteRapids-v3 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:41:19 +0000 (09:41 +0100)] 
cpu_map: Add GraniteRapids-v3 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add SapphireRapids-v4 CPU model
Jiri Denemark [Thu, 6 Nov 2025 08:40:38 +0000 (09:40 +0100)] 
cpu_map: Add SapphireRapids-v4 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add SierraForest-v3 CPU model
Jiri Denemark [Wed, 5 Nov 2025 15:18:12 +0000 (16:18 +0100)] 
cpu_map: Add SierraForest-v3 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cpu_map: Add SierraForest-v2 CPU model
Jiri Denemark [Wed, 5 Nov 2025 15:16:35 +0000 (16:16 +0100)] 
cpu_map: Add SierraForest-v2 CPU model

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cputest: Add data for AMD Ryzen 9 9950X 16-Core CPU
Jiri Denemark [Thu, 6 Nov 2025 13:13:34 +0000 (14:13 +0100)] 
cputest: Add data for AMD Ryzen 9 9950X 16-Core CPU

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cputest: Add data for Intel(R) Xeon(R) 6788P CPU
Jiri Denemark [Thu, 6 Nov 2025 11:20:01 +0000 (12:20 +0100)] 
cputest: Add data for Intel(R) Xeon(R) 6788P CPU

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cputest: Read more MSRs in cpu-data.py
Jiri Denemark [Thu, 6 Nov 2025 13:10:06 +0000 (14:10 +0100)] 
cputest: Read more MSRs in cpu-data.py

The features defined in our CPU map use quite a bit more than just the
two MSRs the script is currently trying to read. Let's read all of them
to get complete host CPU data.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 weeks ago cputest: Ignore missing MSRs in cpu-data.py
Jiri Denemark [Thu, 6 Nov 2025 12:40:14 +0000 (13:40 +0100)] 
cputest: Ignore missing MSRs in cpu-data.py

The current code made sense when we were reading only one MSR, but since
we started reading more MSRs, the host CPU would have to support all of
them, otherwise the function would just return an empty dict.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>