Michael Tremer [Thu, 9 Jan 2025 15:05:54 +0000 (15:05 +0000)]
kernel: Strip modules
The kernel does not strip modules by default. This can be enabled by
passing INSTALL_MOD_STRIP=1 when installing the modules.
Since we are not actually building the kernel with debuginfo and we are
comressing the modules afterwards, there is not a huge saving on disk
space, but there is a small saving of memory when loading the modules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:39 +0000 (13:55 +0100)]
clamav: Update to version 1.4.1
- Update from version 1.3.2 to 1.4.1
- Update of rootfile
- Changelog
1.4.1
ClamAV 1.4.1 is a critical patch release with the following fixes:
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
1.4.0
Major changes
- Added support for extracting ALZ archives.
The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable ALZ archive support.
> _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some
> configuration changes to be made via ClamAV `.cfg` "signatures".
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183)
- Added support for extracting LHA/LZH archives.
The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable LHA/LZH archive support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192)
- Added the ability to disable image fuzzy hashing, if needed. For context,
image fuzzy hashing is a detection mechanism useful for identifying malware
by matching images included with the malware or phishing email/document.
New ClamScan options:
```
--scan-image[=yes(*)/no]
--scan-image-fuzzy-hash[=yes(*)/no]
```
New ClamD config options:
```
ScanImage yes(*)/no
ScanImageFuzzyHash yes(*)/no
```
New libclamav scan options:
```c
options.parse &= ~CL_SCAN_PARSE_IMAGE;
options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;
```
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable image fuzzy hashing support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
Other improvements
- Added cross-compiling instructions for targeting ARM64/aarch64 processors for
[Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md)
and
[Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md).
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116)
- Improved the Freshclam warning messages when being blocked or rate limited
so as to include the Cloudflare Ray ID, which helps with issue triage.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195)
- Removed unnecessary memory allocation checks when the size to be allocated
is fixed or comes from a trusted source.
We also renamed internal memory allocation functions and macros, so it is
more obvious what each function does.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137)
- Improved the Freshclam documentation to make it clear that the `--datadir`
option must be an absolute path to a directory that already exists, is
writable by Freshclam, and is readable by ClamScan and ClamD.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199)
- Added an optimization to avoid calculating the file hash if the clean file
cache has been disabled. The file hash may still be calculated as needed to
perform hash-based signature matching if any hash-based signatures exist that
target a file of the same size, or if any hash-based signatures exist that
target "any" file size.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167)
- Added an improvement to the SystemD service file for ClamOnAcc so that the
service will shut down faster on some systems.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164)
- Added a CMake build dependency on the version map files so that the build
will re-run if changes are made to the version map files.
Work courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294)
- Added an improvement to the CMake build so that the RUSTFLAGS settings
are inherited from the environment.
Work courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301)
Bug fixes
- Silenced confusing warning message when scanning some HTML files.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252)
- Fixed minor compiler warnings.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197)
- Since the build system changed from Autotools to CMake, ClamAV no longer
supports building with configurations where bzip2, libxml2, libz, libjson-c,
or libpcre2 are not available. Libpcre is no longer supported in favor of
libpcre2. In this release, we removed all the dead code associated with those
unsupported build configurations.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217)
- Fixed assorted typos. Patch courtesy of RainRat.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228)
- Added missing documentation for the ClamScan `--force-to-disk` option.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
- Fixed an issue where ClamAV unit tests would prefer an older
libclamunrar_iface library from the install path, if present, rather than
the recently compiled library in the build path.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixed a bug that prevented loading plaintext (non-CVD) signature files
when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option.
Fix courtesy of Bark.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:08 +0000 (13:55 +0100)]
rust: Update to version 1.83.0
- Update from version 1.67.0 to 1.83.0
- Update x86_64, aarch64 & riscv64 rootfiles
- This version of rust hasd the fix to ensure that ruby builds okay with aarch64 &
riscv64. This required a fix to be applied to the LLVM and then for the updated
LLVM to be built into rust. That has occurred with this version.
- Tested out the build on aarch64 and riscv64 and confirmed that ruby built without
any problems with this version of rust.
- The update of rust required a range of updates of other rust crates plus the
inclusion of new crates and the pinning of some crates to older versions. This patch
set includes all the rust crate changes.
- The download-rust-crate script results in source tarballs that have a Cargo.toml.orig
file included in them. This is not allowed in the rust building so the rust-rand file
which is used as a template for the rust crate script has been modified to remove
this .orig file so that the build can complete.
- With this updated version of rust the clamav addon can also now be updated and so is
also included in this patch set.
- There are 29 rust crate changes.
- Changelog is too large to include here. Details can be found at
https://releases.rs/docs/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:17 +0000 (18:51 +0200)]
samba: Modification to disable cups for samba build and install
- As discussed at IPFire conf call on 7th Oct
- disable cups for the samba configure stage
- Update of rootfiles
- Update of samba.cgi to remove the printing of a printer share into the samba
configuration file.
- Tested out on vm system. Installed samba with only avahi, perl-Parse-Yapp, perl-JSON
and wsdd as dependencies. Installed without any problems. Existing share was able
to be accessed without any problems and a new share was created and was also able
to be accessed without problems.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:16 +0000 (18:51 +0200)]
perl-Imager: Removal of all tiff related lines in rootfile
- With removal of libtiff, the perl-Imager rootfile has to have tiff related lines
removed.
- perl-Imager works without the tiff lines in place. Only no tiff images will be able
to be processed by perl-Imager but that is not required for its use in IPFire.
- Tested out creating an OpenVPN connection with OTP enabled and the OTP QR code was
produced and able to be viewed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:15 +0000 (18:51 +0200)]
make.sh: All removed packages removed from make.sh
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:14 +0000 (18:51 +0200)]
qpdf: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:13 +0000 (18:51 +0200)]
poppler-data: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:12 +0000 (18:51 +0200)]
poppler: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:11 +0000 (18:51 +0200)]
openjpeg: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:10 +0000 (18:51 +0200)]
libtiff: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:09 +0000 (18:51 +0200)]
lcms2: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:08 +0000 (18:51 +0200)]
hplip: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:07 +0000 (18:51 +0200)]
gutenprint: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:06 +0000 (18:51 +0200)]
ghostscript: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:05 +0000 (18:51 +0200)]
foomatic: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:04 +0000 (18:51 +0200)]
epson-inkjet-printer-escpr: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:03 +0000 (18:51 +0200)]
cups-pdf: Removal of cups-pdf
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:02 +0000 (18:51 +0200)]
cups-filters: Removal of cups-filters
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:01 +0000 (18:51 +0200)]
cups: Removal of cups and associated packages
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:26 +0000 (17:29 +0100)]
miniupnpc: revert the addition of this package due to transmission reversion
- As transmission has been reverted back to version 4.0.5 then miniupnpc is no longer
needed for building or runtime.
- This removes the minupnpc lfs and rootfile files. It also removes miniupnpc from
the make.sh file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:25 +0000 (17:29 +0100)]
transmission: revert version back to 4.0.5
- Revert back from 4.0.6 to 4.0.5 due to a bug in 4.0.6 that has resulted in a variety
of torrent mirrors banning transmission-4.0.6
- The update from 4.0.5 to 4.0.6 did not have any security fixes in it so there is no
issue in moving backward to 4.0.5
- A fix has been created but it is unclear when (and if) version 4.0.7 will be released.
The fix has also been included in version 4.1.0 but this is still in beta development
form.
- Version 4.0.6 required minupnpc for building and run time. This reversion is also
removing miniupnpc in an associated patch in this patch set.
- No change required in the rootfile.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 27 Dec 2024 09:10:00 +0000 (09:10 +0000)]
Tor: Update to 0.4.8.13
Full changelog according to
https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.13/ChangeLog :
Changes in version 0.4.8.13 - 2024-10-24
This is minor release fixing an important client circuit building (Conflux
related) bug which lead to performance degradation and extra load on the
network. Some minor memory leaks fixes as well as an important minor feature
for pluggable transports. We strongly recommend to update as soon as possible
for clients in order to neutralize this conflux bug.
o Major bugfixes (circuit building):
- Conflux circuit building was ignoring the "predicted ports"
feature, which aims to make Tor stop building circuits if there
have been no user requests lately. This bug led to every idle Tor
on the network building and discarding circuits every 30 seconds,
which added overall load to the network, used bandwidth and
battery from clients that weren't actively using their Tor, and
kept sockets open on guards which added connection padding
essentially forever. Fixes bug 40981; bugfix on 0.4.8.1-alpha;
o Minor feature (bridges, pluggable transport):
- Add STATUS TYPE=version handler for Pluggable Transport. This
allows us to gather version statistics on Pluggable Transport
usage from bridge servers on our metrics portal. Closes
ticket 11101.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 24, 2024.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2024/10/24.
o Minor bugfixes (memleak, authority):
- Fix a small memleak when computing a new consensus. This only
affects directory authorities. Fixes bug 40966; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (memory):
- Fix memory leaks of the CPU worker code during shutdown. Fixes bug
833; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 10:04:05 +0000 (11:04 +0100)]
backup.pl: Fix Bug13799 - addon restore not working
- This fixes the existence check for the addon .ipf file from a check of existence
of a directory to a check of existence of a file.
Suggested-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Fixes: Bug13799 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 21 Dec 2024 10:54:42 +0000 (10:54 +0000)]
make.sh: Explicitely check the source tarballs
The Makefiles do not automatically perform the check that I expected
them to perform when running a build. They check if the source tarballs
are all present, but they don't check whether they match the checksum.
This is only being done when "./make.sh downloadsrc" is being run.
In case of the automated builds, we explicitely run "./make.sh
downloadsrc", so I don't think that this might have introduced any
malicious source into the published builds.
Reported-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 11:40:02 +0000 (12:40 +0100)]
libyajl: Removal of addon as no longer required by libvirt
- libyajl is no longer being used by libvirt. libvirt now uses json-c which is a core
package in IPFire. libyajl was stopped being used as it had not been updated and
is considered effectively dead upstream.
- lfs, rootfile and libyajl entry in make.sh removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 11:40:01 +0000 (12:40 +0100)]
libvirt: Update to version 10.10.0
- Update from version 10.7.0 to 10.10.0
- Update of rootfile
- version 10.7.0 had a change in it which meant that the script friendly output of
``virsh list --uuid`` was replaced. This change was reverted in version 10.8.0
- In version 10.8.0 libyajl was replaced by json-c for JSON parsing and formatting.
Therefore this patch set also removes libyajl from IPFire as it is no longer
required.
- Changelog
10.10.0
New features
* qemu: add multi boot device support on s390x
For classical mainframe guests (i.e. LPAR or z/VM installations), you
always have to explicitly specify the disk where you want to boot from (or
"IPL" from, in s390x-speak -- IPL means "Initial Program Load").
In the past QEMU only used the first device in the boot order to IPL from.
With the new multi boot device support on s390x that is available with QEMU
version 9.2 and newer, this limitation is lifted. If the IPL fails for the
first device with the lowest boot index, the device with the second lowest
boot index will be tried and so on until IPL is successful or there are no
remaining boot devices to try.
Limitation: The s390x BIOS will try to IPL up to 8 total devices, any
number of which may be disks or network devices.
* qemu: Add support for versioned CPU models
Updates to QEMU CPU models with -vN suffix can now be used in libvirt just
like any other CPU model.
* qemu: Support for the 'data-file' QCOW2 image feature
The QEMU hypervisor driver now supports QCOW2 images with 'data-file'
feature present (both when probing form the image itself and when specified
explicitly via ``<dataStore>`` element). This can be useful when it's
required to keep data "raw" on disk, but the use case requires features
of the QCOW2 format such as incremental backups.
* swtpm: Add support for profiles
Upcoming swtpm release will have TPM profile support that allows to
restrict a TPM's provided set of crypto algorithms and commands. Users can
now select profile by using ``<profile/>`` in their TPM XML definition.
Improvements
* qemu: Support UEFI NVRAM images on block storage
Libvirt now allows users to use block storage as backend for UEFI NVRAM
images and allows them to be in format different than the template. When
qcow2 is used as the format, the images are now also auto-populated from the
template.
* qemu: Automatically add IOMMU when needed
When domain of 'qemu' or 'kvm' type has more than 255 vCPUs IOMMU with EIM
mode is required. Starting with this release libvirt automatically adds one
(or turns on the EIM mode if there's IOMMU without it).
* ch: allow hostdevs in domain definition
The Cloud Hypervisor driver (ch) now supports ``<hostdev/>``-s.
* ch: Enable callbacks for ch domain events
The Cloud Hypervisor driver (ch) now supports emitting events on domain
define, undefine, start, boot, stop and destroy.
Bug fixes
* qemu: Fix reversion and inactive deletion of internal snapshots with UEFI
NVRAM. In `v10.9.0 (2024-11-01)`_ creation of internal snapshots of VMs
with UEFI firmware was allowed, but certain operations such as reversion
or inactive deletion didn't work properly as they didn't consider the
NVRAM qcow2 file.
* virnetdevopenvswitch: Warn on unsupported QoS settings
For OpenVSwitch vNICs libivrt does not set QoS directly using 'tc' but
offloads setting to OVS. But OVS is not as feature full as libvirt in this
regard and setting different 'peak' than 'average' results in vNIC always
sticking with 'peak'. Produce a warning if that's the case.
10.9.0
New features
* qemu: zero block detection for non-shared-storage migration
Users can now request that all-zero blocks are not transferred when migrating
non-shared disk data without actually enabling zero detection on the disk
itself. This allows sparsifying images during migration where the source
has no access to the allocation state of blocks at the cost of CPU overhead.
This feature is available via the ``--migrate-disks-detect-zeroes`` option
for ``virsh migrate`` or ``VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES``
migration parameter. See the documentation for caveats.
Improvements
* qemu: internal snapshot improvements
The qemu internal snapshot handling code was updated to use modern commands
which avoid the problems the old ones had, preventing use of internal
snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are
now possible provided that the NVRAM is in ``qcow2`` format.
The new code also allows better control when deleting snapshots. To prevent
possible regressions no strict checking is done, but in case inconsistent
state is encountered a log message is added::
warning : qemuSnapshotActiveInternalDeleteGetDevices:3841 : inconsistent
internal snapshot state (deletion): VM='snap' snapshot='1727959843'
missing='vda ' unexpected='' extra=''
Users are encouraged to report any occurence of the above message along
with steps they took to the upstream tracker.
* qemu: improve documentation of image format settings
The documentation of the various ``*_image_format`` settings in ``qemu.conf``
imply they can only be used to control compression of the image. The
documentation has been improved to clarify the settings describe the
representation of guest memory blocks on disk, which includes compression
among other possible layouts.
* Report CPU model blockers in domain capabilities
When a CPU model is reported as usable='no' an additional
``<blockers model='...'>`` element is added for that CPU model listing
features required by the CPU model, but not supported on the host.
10.8.0
Improvements
* network: make networks with ``<forward mode='open'/>`` more useful
It is now permissable to have a ``<forward mode='open'>`` network that
has no IP address assigned to the host's port of the bridge. This
is the only way to create a libvirt network where guests are
unreachable from the host (and vice versa) and also 0 firewall
rules are added on the host.
It is now also possible for a ``<forward mode='open'/>`` network to
use the ``zone`` attribute of ``<bridge>`` to set the firewalld zone of
the bridge interface (normally it would not be set, as is done
with other forward modes).
* storage: Lessen dependancy on the ``showmount`` program
Libvirt now automatically detects presence of ``showmount`` during runtime
as we do with other helper programs and also the
``daemon-driver-storage-core`` RPM package now doesn't strongly depend on it
if the users wish for a more minimal deployment.
* Switch from YAJL to json-c for JSON parsing and formatting
The parser and formatter in the libvirt library, as well
as the parsers in the nss plugin were rewritten to use json-c
instead of YAJL, which is effectively dead upstream.
* Relax restrictions for memorytune settings
It should now be possible to use resctrl on AMD CPUs as well as Intel CPUs
when the resctrl filesystem is mounted with ``mba_MBps`` option.
Bug fixes
* virsh: Fix script-friedly output of ``virsh list --uuid``
The script-friendly output of just 1 UUID per line was mistakenly replaced
by the full human-targetted table view full of redundant information
and very hard to parse. Users who wish to see the UUIDs in the tabular
output need to use ``virsh list --table --uuid`` as old behaviour was
reverted.
Note that this also broke the ``libvirt-guests`` script. The bug was
introduced in `v10.7.0 (2024-09-02)`_.
* network/qemu: fix some cases where ``device-update`` of a network
interface was failing:
* If the interface was connected to a libvirt network that was
providing a pool of VFs to be used with macvtap passthrough
mode, then *any* update to the interface would fail, even
changing the link state. Updating (the updateable parts of) a
macvtap passthrough interface will now succeed.
* It previously was not possible to move an interface from a Linux
host bridge to an OVS bridge. This (and the opposite direction)
now works.
* qemu: backup: Fix possible crashes when running monitoring commands during
backup job The qemu monitor code was fixed to not crash in specific cases
when monitoing APIs are called during a backup job.
* Fix various memleaks and overflows
Multiple memory leaks and overflows in corner cases were fixed based on
upstream issues reported.
* network: Better cleanup after disappeared networks
If a network disappeared while virtnetworkd was not running not all clean up
was done properly once the daemon was started, especially when only the
network interface disappeared. This could have in some cases resulted in
the network being shown as inactive, but not being able to start.
* qemu: Remember memory backing directory for domains
If ``memory_backing_dir`` is changed during the lifetime of a domain with
file backed memory, files in the old directory would not be cleaned up once
the domain is shut down. Now the directory that was used during startup is
remembered for each running domain.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
