Jiri Denemark [Fri, 5 Dec 2025 15:52:32 +0000 (16:52 +0100)]
util: Rework virFileIsSharedFSOverride using virFileCheckParents
The newly introduced virFileCheckParents is generic enough to be used
for checking whether a specific path or any of its parents is included
in the overrides array.
Jiri Denemark [Fri, 5 Dec 2025 15:51:25 +0000 (16:51 +0100)]
util: Fix race condition in virFileIsSharedFSOverride
Switch virFileIsSharedFSOverride to use virFileCheckParents to avoid a
race which could result in virFileCanonicalizePath being called on a
path that does not exist anymore.
Jiri Denemark [Fri, 5 Dec 2025 15:47:14 +0000 (16:47 +0100)]
util: Fix race condition in virFileIsSharedFSType
virFileIsSharedFSType could end up calling statfs on a path that no
longer exists and return an error. If this happens for a path on a
shared filesystem, the caller may incorrectly consider the path as
non-shared.
Specifically, when starting a domain with TPM enabled and deciding
whether its vTPM state is stored on shared storage, the race could
cause qemuTPMEmulatorBuildCommand to consider the state to be
non-shared. This means swtpm would be started without --migration even
when the state is actually stored on shared storage and any attempt to
migrate such a domain would fail with
    Operation not supported: the running swtpm does not support
    migration with shared storage
In fact, any caller of virFileGetExistingParent contained an inherent
TOCTOU race condition as the existing parent of a given path returned by
virFileGetExistingParent may no longer exist at the time the caller
wants to check it.
This patch introduces a new virFileCheckParents API which is almost
identical to virFileGetExistingParent, but uses a supplied callback to
check each path. This new API is used in virFileIsSharedFSType to avoid
the race. The old function will later be completely removed once all
callers are switched to the new one.
Jiri Denemark [Fri, 5 Dec 2025 14:09:15 +0000 (15:09 +0100)]
tests: Test virFileIsSharedFSOverride
Technically virFileIsSharedFSOverride is available on any OS, but we
need a mocked realpath() to test it. Because the virfilemock library
also mocks statfs() which is only available on Linux, we don't even try
to load the library anywhere else. Thus we need to skip testing
virFileIsSharedFSOverride on non-Linux too.
Peter Krempa [Thu, 4 Dec 2025 17:09:05 +0000 (18:09 +0100)]
qemuMigrationParamsForSave: Don't take opaque 'flags'
Similarly to the previous commit, 'flags' is really opaque. The function
lives in migration code and similar functions there expect migration
flags. Here we get virDomainSaveRestoreFlags. Here at least the dump
code handles it properly and passes VIR_DOMAIN_SAVE_BYPASS_CACHE rather
than VIR_DUMP_BYPASS_CACHE.
Note: We, in many cases, encourage use of 'flags' instead of a bunch of
boolean parameters. Since C doesn't do proper type checks on enums and
in fact with 'flags' we pass a binary or of some flags rather than pure
options from the enum there isn't really an elegant solution that would
be enforced by the compiler and easy on the eyes. With a bunch of booleans
at least anyone reading the code will need to look up the function
definition to see the header rather than assume that passing in 'flags'
is fine without properly checking *which* flags are accepted by the
function.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
The meaning of 'flags' is context dependent. 'qemuMigrationSrcToFile'
expects 'virDomainSaveRestoreFlags' rather than migration flags which is
not expected based on the location of the function.
Why this is wrong is clearly visible in 'doCoreDump' which passes in
'dump_flags' which are actually 'virDomainCoreDumpFlags' and the values
are different:
VIR_DUMP_BYPASS_CACHE = (1 << 2)
VIR_DOMAIN_SAVE_BYPASS_CACHE = 1 << 0
Since it checks only for VIR_DOMAIN_SAVE_BYPASS_CACHE, pass it in as a
boolean instead.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 4 Dec 2025 14:22:56 +0000 (15:22 +0100)]
include: Create constants for save image format values
The 'VIR_DOMAIN_SAVE_PARAM_IMAGE_FORMAT' typed parameter for
'virDomainSaveParams' is implemented as a string but really encodes an
enumeration of supported types. We can't change the format any more but
can export the corresponding types as constants.
Additionally this also mentions the missing 'sparse' format.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 1 Dec 2025 15:50:09 +0000 (16:50 +0100)]
qemuSnapshotPrepare: Prohibit 'manual' disk snapshot mode with VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE flag
If the snapshot has a disk using 'manual' snapshot mode we keep the VM
paused until the user resumes it (presumably after they've done steps to
take the disk snapshot).
Since quiescing is done via the guest agent this means it will not be
possible while the VM is paused.
Rather than trying to implement complex recovery from this state prevent
the use of VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE for the snapshot. The user
still can call virDomainFSFreeze/virDomainFSThaw manually.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu: Treat memory device source nodemask as strict NUMA policy
A memory device can have <nodemask/> which specifies which host
NUMA nodes the memory should be allocated from (currently
supported for dimm, virtio-mem and sgx-epc models).
But when generating corresponding command line for the device,
the NUMA policy is taken from the guest NUMA node that
corresponds to the memory device (as defined by target/node) or
overall domain NUMA policy (as defined by <numatune/>).
This may lead to memory being allocated from an unexpected NUMA
node. For instance, if the memory device has
<nodemask>0</nodemask> and domain has <numatune> <memory
mode='preferred' nodeset='1'/> </numatune> then the cmd line for
the memory device also has just "policy":"preferred".
Treat <nodemask/> as mode='strict'.
But I agree that this is kind of a nonsense configuration. Why
would somebody want to prefer one NUMA node but then configure a
memory device to allocate NUMA memory from the other?
Resolves: https://issues.redhat.com/browse/RHEL-114415
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 1 Dec 2025 10:35:32 +0000 (11:35 +0100)]
qemu: tpm: Account for possible migration without actually sharing storage
The current logic in 'qemuTPMEmulatorBuildCommand' skips all setup if
the *location* of the data is on what we'd consider shared storage.
This means that if the location is not actually shared (e.g. it's shared
between some other hosts than the two doing the migration) and the path
wasn't ever used (e.g. by migrating out) from the host we're migrating
into, the complete setup of the location would be skipped even when it
doesn't exist.
Fix the logic by skipping only some of the setup steps so that
'qemuTPMEmulatorCreateStorage' can still create the storage if it
doesn't exist.
The rest of the code then needs to take the 'created' flag returned from
'qemuTPMEmulatorCreateStorage' into account.
Fixes: 68103e9daf633b789428fedef56f816c92f6ee75
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Use presence of non-negative pci_bus to identify multi-smmuv3
IOMMU model, instead of the niommus attribute. This allows for
specifying a single arm-smmuv3 on the qemu command line,
instead of both the virt-machine smmuv3 and arm-smmuv3
being specified at the same time.
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Fixes: e70c4d54d365 conf: Support multiple device-pluggable smmuv3 IOMMUs
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 13:50:11 +0000 (14:50 +0100)]
lib: Avoid changing const strings via strchr() and friends
There's a new commit in glibc [1] which makes memchr(), strchr(),
strrchr(), strpbrk() and strstr() reflect the type of the input
string. If it's a constant string, then the return type of these
functions is also 'const char *'. But this change tickles the
-Wincompatible-pointer-types-discards-qualifiers warning.
And indeed, there are some places where we use a 'char *' typed
variable to store the retval, or even misuse the fact that 'char *' is
returned and modify a const string.
To fix this, a couple of different approaches are used:
a) switch variable type to 'const char *',
b) switch argument to 'char *' (in a few places we have
strdup()-ed the const string already),
c) strdup() the string and use b).
1: https://sourceware.org/git/?p=glibc.git;a=commit;h=cd748a63ab1a7ae846175c532a3daab341c62690
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The iptablesPrivateChainCreate() function is given an array of
const strings. This constitutes a promise to the caller that the
data is not modified. But inside the data is modified anyway (to
cut out some parts of the data). Well, with help from
g_strdup() the promise can be kept.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 14:05:50 +0000 (15:05 +0100)]
iptablesPrivateChainCreate: Switch to STRSKIP()
The body of iptablesPrivateChainCreate() uses STRPREFIX() to
match strings starting with certain prefix. Then it uses pointer
arithmetic to skip the prefix. Well, that's exactly what
STRSKIP() is meant to do. Switch the body to use the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 15:32:11 +0000 (16:32 +0100)]
iptablesPrivateChainCreate: Rename @tmp variable
The iptablesPrivateChainCreate() function gets a NULL terminated
array of strings (@lines argument), each item representing one
line of iptables output. Currently, the variable used to iterate
over the array is named 'tmp' which is not very descriptive.
Rename it to 'line'.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 09:05:49 +0000 (10:05 +0100)]
virSkipSpacesBackwards: Turn @endp into const
The aim of virSkipSpacesBackwards() is to find the first trailing
space character in a given string. For instance, if the input is
"Something whitespacey ", then the output should be pointing to
the very first space after "y".
The problem here is that the input string is constant, but the
returned pointer is non-constant. This is confusing; a caller
shouldn't be able to modify the string, since the input was a
constant string.
Therefore, make the function return a const pointer too.
Under the hood the function used virTrimSpaces() which under some
circumstances could modify the input string. A trick was used to
hide this fact away, but to be doubly sure rewrite the function's
body.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
When the network driver starts up it may inject some firewall
rules (e.g. for a network with NAT). So far, this scenario wasn't
covered in our test suite. The reason for adding this test is
twofold: the first, check we add correct rules, the second is to
cover iptablesPrivateChainCreate() as its implementation is soon
to be changed.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Hector Cao [Mon, 24 Nov 2025 13:40:30 +0000 (14:40 +0100)]
cpu_map: update vmx-* features
The vmx-* features are currently decoded from the 32 lower bits
(EAX) of the MSR 64-bit values. They should be decoded instead
from the 32 higher bits (EDX).
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Hector Cao [Mon, 24 Nov 2025 13:40:29 +0000 (14:40 +0100)]
cpu_map: fix sync script to extract correctly vmx-* features
The src/cpu_map/x86_features.xml file contains the definition
of all x86 CPU features. These definitions specify how we can
decode the feature support from the CPUID or MSR values.
The helper script sync_qemu_features_i386.py builds the
x86_features.xml file from QEMU source code to be in sync
with supported features in QEMU. This helper script parses the
QEMU target/i386/cpu.c file looking for CPU feature definitions
and converts them into x86_features.xml contents.
This is the resulting definition for the vmx-intr-exit feature
encoded in the MSR 0x48d.
EAX holds the 32 lower bits of the MSR 64-bit value and should
not be used to detect the VMX-* features. Indeed, the VMX-* bit
position should be parsed from QEMU source code in the 32 higher
bits of the corresponding MSR value.
This commit fixes this issue by using the 32 higher bits (EDX)
to represent VMX-* features.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
is redundant. If the meson check for linux/kvm.h succeeded, we
must be on a Linux host and cannot be on a FreeBSD host. Remove
these redundant OS conditions from the MSR code to stop misleading
readers.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Mon, 24 Nov 2025 09:33:25 +0000 (10:33 +0100)]
qemuxmlconftest: Update 'aarch64' tests using 'virt-4.0' machine type
In the upcoming qemu-10.2 release the 'virt-4.0' machine type will be
removed. Update all existing tests which use it to 'virt-10.0' which is
currently present in our caps dump.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Notable changes:
- New 'postcopy-device' migration state
- New 'exit-with-parent' option
- Features 'guest_tunnel_csum', 'host_tunnel', 'host_tunnel_csum',
'guest_tunnel' of 'virtio-net-pci' are now enabled by default
- 'extended-tseg-mbytes' is now 64 for 'mch' device
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Peter Krempa [Mon, 24 Nov 2025 07:42:56 +0000 (08:42 +0100)]
spec: Fix 'libvirt-daemon-driver-storage-zfs' on Fedora 43 and newer
On Fedora 43 and newer the 'fuse-zfs' package was removed. Commit
bd30147e740 added an 'Obsoletes' directive so that the storage driver
core package will update properly but hardcoded the obsoleted version
as 11.4 (when the change was committed) similarly to the old sheepdog/rbd
packages and disabled the build.
Now it is still possible to obtain ZFS support by other means and it
may be useful for users to have libvirt's ZFS backend. This patch thus:
- re-enables build of 'libvirt-daemon-driver-storage-zfs' on Fedora
- removes 'libvirt-daemon-driver-storage-zfs' as 'Requires' dependency
from 'daemon-driver-storage' meta-package on Fedora 43 and newer
- removes dependency on '/sbin/zpool' and '/sbin/zfs' on Fedora 43
and newer
With this the package is still built and installable but will require
users to get their ZFS support installed somehow.
Fixes: bd30147e740d49fdb5844160e480ca34611f75e5
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Fri, 21 Nov 2025 13:46:21 +0000 (14:46 +0100)]
Add support for 'dpofua' setting for SCSI disks
Add the 'dpofua' setting in the XML and for the qemu driver.
DPO - Disable Page Out and FUA - Force Unit Access are two features
implemented by SCSI disks (either both together or neither of them)
which influence how caching is handled. QEMU provides a good default
but in certain specific occasions changing the default may have
performance benefits.
Add support for setting them via the XML.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Sun, 23 Nov 2025 14:42:23 +0000 (15:42 +0100)]
docs: site.xsl: Use separate 'asset_href_base' and 'link_href_base'
While our main page uses the same argument for both to ensure that
linking also works when browsed locally, sub-projects such as
libvirt-wiki and libvirt-security-notice will want to pull 'site.xsl' as
is into their build assets. Pass both arguments via the build system so
that we don't have to carry distinct instances.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Sun, 23 Nov 2025 14:10:48 +0000 (15:10 +0100)]
docs: index: Link to security notices from home page
Our main page mentions security notices which we host at
https://security.libvirt.org but links to them only from the security
process page. Since we already have the wording there, turn it directly
into a link.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 15:26:43 +0000 (16:26 +0100)]
qemu: backup: Add support for VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN
Implement the support for VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN
which will keep the qemu process around while the backup is still
running.
The above is achieved by avoiding killing the qemu process in the
shutdown qemu monitor event handlers. Instead 'system_reset' QMP command
is issued and the domain object is transitioned into _PAUSED state in
sync with what qemu does.
Now once the backup job finishes (or is cancelled, e.g. for pull mode
backups) the backup job termination code re-assesses whether the qemu
process needs to be killed or the VM was re-started by un-pausing.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 15:12:08 +0000 (16:12 +0100)]
lib: Introduce VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN flag
This flag will instruct the hypervisor driver to keep the VM around
while the backup is running if the guest OS decides to shut down, so
that the backup can be finished.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Upcoming patches will introduce the possibility for the domain to be
kept paused after the guest OS shuts itself down. It'll allow jobs
such as backup to finish as e.g. in the qemu driver it requires the qemu
process.
Add the appropriate reason for the VIR_DOMAIN_EVENT_SUSPENDED
lifecycle event.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 16:15:57 +0000 (17:15 +0100)]
qemuBlockJobProcessEventConcludedBackup: Notify the backup job later
Move the notification to the backup job after finishing the cleanup of
the current block job the backup operation consists of.
Currently the termination of the blockjob would e.g. delete the scratch
files before they are detached from qemu.
In later patches the termination of the backup job may cause the qemu
process to be killed (if the guest OS shut down but the qemu process
was being kept alive to finish the backup) which would cause errors in
the monitor commands for dismissing the block job.
Since the NBD server still needs to be terminated first as otherwise
the scratch files can't be unplugged from qemu we need to split the
operation into two. First the NBD server is terminated, then the
current block job is finalized and then the backup job is notified.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 19 Nov 2025 08:11:18 +0000 (09:11 +0100)]
qemu: backup: Don't attempt to stop the NBD server twice
When notifying the backup code about termination of the block job which
is part of a backup operation the code attempts to terminate the NBD
server. This is done for every blockjob so could cause us to attempt to
terminate the NBD server multiple times which doesn't cause problems but
generates spurious errors.
Add a flag that the NBD server was stopped and do it just once. Don't
bother storing the flag in the status XML as it's just for the shutdown
phase.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 19 Nov 2025 09:19:29 +0000 (10:19 +0100)]
qemuProcessReconnect: Continue reconnection if VM undergoes fake-reboot
'qemuProcessShutdownOrReboot' may or may not kill the VM. In
'qemuProcessReconnect' if we decided that the VM was in a state
requiring 'qemuProcessShutdownOrReboot' to be called we'd stop the
reconnection unconditionally.
Now if the VM ought to undergo a fake reboot we really need to reconnect
to the process because the process will be kept around for much longer.
Make qemuProcessShutdownOrReboot return whether it killed the VM and
continue the reconnection if it didn't.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 18 Nov 2025 16:09:33 +0000 (17:09 +0100)]
virDomainNestedJobAllowed: Allow VIR_JOB_MODIFY_MIGRATION_SAFE if VIR_JOB_MODIFY is allowed
The VIR_JOB_MODIFY_MIGRATION_SAFE is supposed to be a subset of _MODIFY
jobs which are allowed during migration.
Now with async jobs which allow VIR_JOB_MODIFY (namely the backup job)
it shouldn't be required to explicitly mention
VIR_JOB_MODIFY_MIGRATION_SAFE since we already allow everything.
Adjust the logic in virDomainNestedJobAllowed to accept
VIR_JOB_MODIFY_MIGRATION_SAFE if VIR_JOB_MODIFY is allowed so that other
places can simply allow the latter.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Querying existence of the 'tdx-guest' type merely tells us whether
QEMU has been compiled with TDX support, not whether it is usable
on the host. Thus QEMU was incorrectly reporting
Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP
command in QEMU was dropped, so there is no way to ask QEMU whether
it can launch a TDX guest. Libvirt must directly query the KVM
device and ask for supported VM types.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: support loading multiple certificate identities
In addition to servercert.pem / serverkey.pem, we now also support
loading servercert{N}.pem / serverkey{N}.pem, for values of {N}
between 0 and 3 inclusive.
If servercert0.pem is provided, then using servercert.pem becomes
optional. The first missing index terminates the loading process.
eg if servercert1.pem is NOT present, then it will NOT attempt to
look for servercert2.pem / servercert3.pem.
This also applies to clientcert.pem / clientkey.pem.
This facilitates the transition to post-quantum cryptography by
allowing loading of certificates with different algorithms,
eg traditional RSA based cert, and optional ECC based cert or
MLDSA based cert for PQC.
The use of CA cert files is unchanged with only a single cacert.pem
loaded. When multiple CAs are needed they must be concatenated in
the single cacert.pem file.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
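The loading policy described in this commit message (the unnumbered pair is optional once index 0 exists; the first missing index terminates the search), as an added illustration that is not libvirt's code: the names locateIdentities, certIdentity and fileExistsFn are hypothetical, the directory /constructed/tls and the file listing are constructed for the demonstration, and a certificate whose key is missing is treated as absent here, which is an assumption rather than something the commit states.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CERT_MAX_INDEX 3                           /* servercert0.pem .. servercert3.pem */
#define CERT_MAX_IDENTITIES (CERT_MAX_INDEX + 2)   /* numbered pairs plus the legacy pair */

struct certIdentity {
    char cert[4096];
    char key[4096];
};

/* Existence probe, injectable so the policy can be exercised against a
 * constructed file list instead of a real directory. */
typedef int (*fileExistsFn)(const char *path);

static int
realFileExists(const char *path)
{
    return access(path, R_OK) == 0;
}

/* Locate "<prefix>cert.pem"/"<prefix>key.pem" and then
 * "<prefix>cert<N>.pem"/"<prefix>key<N>.pem" for N = 0..CERT_MAX_INDEX
 * in @dir. The unnumbered pair is optional; the first missing index
 * stops the search, so index 2 is never consulted when index 1 is
 * absent. Returns the number of identities found, or -1 when none.
 * Assumption made here: a cert without its key counts as missing. */
static int
locateIdentities(const char *dir, const char *prefix, fileExistsFn exists,
                 struct certIdentity *out, size_t maxOut)
{
    size_t n = 0;
    int i;

    if (maxOut > 0) {
        snprintf(out[n].cert, sizeof(out[n].cert), "%s/%scert.pem", dir, prefix);
        snprintf(out[n].key, sizeof(out[n].key), "%s/%skey.pem", dir, prefix);
        if (exists(out[n].cert) && exists(out[n].key))
            n++;
    }

    for (i = 0; i <= CERT_MAX_INDEX && n < maxOut; i++) {
        snprintf(out[n].cert, sizeof(out[n].cert), "%s/%scert%d.pem", dir, prefix, i);
        snprintf(out[n].key, sizeof(out[n].key), "%s/%skey%d.pem", dir, prefix, i);
        if (!exists(out[n].cert) || !exists(out[n].key))
            break;                          /* first missing index terminates */
        n++;
    }

    return n == 0 ? -1 : (int)n;
}

/* Constructed directory listing for the demonstration (not a real host). */
static const char *const constructedFiles[] = {
    "/constructed/tls/servercert.pem",  "/constructed/tls/serverkey.pem",
    "/constructed/tls/servercert0.pem", "/constructed/tls/serverkey0.pem",
    /* index 1 deliberately absent: index 2 must be ignored although present */
    "/constructed/tls/servercert2.pem", "/constructed/tls/serverkey2.pem",
    "/constructed/tls/clientcert0.pem", "/constructed/tls/clientkey0.pem",
    NULL,
};

static int
constructedFileExists(const char *path)
{
    size_t i;

    for (i = 0; constructedFiles[i]; i++) {
        if (strcmp(constructedFiles[i], path) == 0)
            return 1;
    }
    return 0;
}

/* Number of identities the constructed listing yields for a prefix ("server", "client"). */
static int
countConstructedIdentities(const char *prefix)
{
    struct certIdentity ids[CERT_MAX_IDENTITIES];

    return locateIdentities("/constructed/tls", prefix, constructedFileExists,
                            ids, CERT_MAX_IDENTITIES);
}
```

realFileExists is the probe a real deployment would pass instead of constructedFileExists.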
The three different APIs for locating credentials differ only in
what directories they search and their policy for missing files.
Their code can be collapsed onto a single helper method. This
will greatly facilitate the subsequent patch that expands the
logic to locate many certificate files.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
A future patch will require file access checks to be done
as part of locating the certificate files, as we will have
the ability to load many more files, most of which will be
optional.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The virNetTLSConfigCustomCreds will always set the cert paths
to non-NULL strings. This in turn means that the later call to
virNetTLSConfigSystemCreds will be a no-op aside from duplicating
log information. Refactor the conditions so that the call to
find system credentials is skipped when using custom credentials.
While this patch could have just done an early "return 0" after
the virNetTLSConfigCustomCreds call, an "} else {" branch is
instead added, since this will facilitate a later patch in this
series which prefers a common return path.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
remote: support specifying multiple keys/certs in libvirtd.conf
The 'cert_file' and 'key_file' parameters in libvirtd.conf only
permit a single cert/key. To support hybrid deployments for PQC,
we need to be able to request multiple certs/keys. This involves
new 'cert_files' and 'key_files' config parameters that accept a
list of filenames. The new parameters are mutually exclusive with
the old parameters.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: add support for loading multiple certs & keys
In the transition to Post-Quantum Cryptography, it will often be
desirable to load multiple sets of certificates, some with RSA/ECC
and some with MLDSA. This extends the TLS context code to support
the loading of many certs, passed as a NULL terminated array.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: refactor TLS sanity checking to support many cert files
Future patches will make it possible to load multiple certificate
files. This prepares the sanity checking code to support that by
taking a NULL terminated array of cert filenames.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Aaron M. Brown [Fri, 19 Sep 2025 19:26:20 +0000 (15:26 -0400)]
domain_addr.c: update virtconsole port reservation comment and allowZero var
Rename variable "allowZero" to "allowPortZero" for clarity and update the virtconsole port reservation comment,
as port 0 is reserved for the first virtconsole unless specified.
Signed-off-by: Aaron M. Brown <aaronmbr@linux.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Aaron M. Brown [Fri, 19 Sep 2025 19:26:19 +0000 (15:26 -0400)]
domain_addr.c: Fix virtio console port autoassign on virtio-serial bus
This change fixes an issue with virtio console port assignment on virtio-serial buses.
Currently, when trying to autoassign a virtio console device, the device cannot be
assigned to a port greater than 0 on virtio-serial buses.
You will receive the following error:
`virtio-serial-bus: A port already exists at id 0`
Therefore, the data needs to be passed back into info when allowZero is true.
We should also preserve the controller data when allowZero is true, and
propagate allowZero into virDomainVirtioSerialAddrNextFromController
to get an appropriate startPort.
Fixes: 16db8d2e ("Add functions to track virtio-serial addresses")
Signed-off-by: Aaron M. Brown <aaronmbr@linux.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Add test coverage for multiple virtio consoles on a virtio-serial controller.
This test makes sure that multiple virtconsoles get auto-assigned appropriate
port numbers on a virtio-serial-bus.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Aaron M. Brown <aaronmbr@linux.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
The main stream I/O functions have a design flaw in that they accept
'size_t' as the input data length, while intending to return the
amount actually processed in an 'int'.
Fortunately all functions explicitly document that less data may be
processed than requested, and with the remote driver data cap we will
never get anywhere near exceeding an 'int' even on 32-bit.
For sanity, however, let's explicitly cap the data size in the public
API to fix the design flaw.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Create a common `virttype` definition in basictypes.rng and reuse it
to enumerate all virt types. This change eliminates the need to duplicate
virttypes in multiple locations.
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>