Peter Krempa [Tue, 1 Jul 2025 11:46:59 +0000 (13:46 +0200)]
kbase: tlscerts: Drop 'encryption_key' feature request
As TLS 1.3 performs key exchange separately from the algorithm used to
verify authenticity, the certificates for libvirt's use of TLS don't
need to require the 'encryption_key' feature any more.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 30 Jun 2025 17:19:42 +0000 (19:19 +0200)]
tls: Don't require 'keyEncipherment' to be enabled altogether
Key encipherment is required only for the RSA key exchange algorithm. With
TLS 1.3 this is not even used as RSA is used only for authentication.
Since we can't really check ahead of time when it's required, drop the
check completely. GnuTLS will moan if it will not be able to use RSA
key exchange.
In commit 11867b0224a2 I tried to relax the check for some elliptic
curve algorithms that explicitly forbid it. Based on the above the proper
solution is to completely remove it.
Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 1 Jul 2025 15:19:46 +0000 (17:19 +0200)]
virDomainDriverAutoShutdown: Refactor selection logic for VMs
Decide separately and record what shutdown modes are to be applied on
a given VM object rather than spreading out the logic through the code.
This centralization simplifies the conditions in the worker functions
and also:
- provides an easy way to check if the auto-shutdown code will be acting
  on a domain object (will be used to fix the attempt to auto-restore
  VMs which were not selected to be acted on)
- will simplify further work where the desired shutdown action will be
  picked per-VM
This refactor also fixes a bug where restoring of the state was also
applied to VMs that are not selected for action based on the current
logic.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Thu, 3 Jul 2025 12:18:46 +0000 (14:18 +0200)]
virDomainDriverAutoShutdownDoSave: Don't attempt to save transient VMs
Commit 84bb136c31e added code that intended to skip the save of
transient domains but did so only in the setup part where we pause the
VMs. The second loop that actually attempts to save the VM was not
modified so we'd still try saving them:
Jul 03 14:15:13 andariel virtqemud[247210]: auto-shutdown: unable to perform managed save of 'cd3': Requested operation is not valid: cannot do managed save for transient domain
Fixes: 84bb136c31e
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Tue, 1 Jul 2025 14:11:12 +0000 (16:11 +0200)]
hypervisor: Split individual steps out of virDomainDriverAutoShutdown
'virDomainDriverAutoShutdown' grew into an unwieldy function. Extract
the code for each of the save/shutdown/poweroff steps into helpers and
call them.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Fri, 27 Jun 2025 14:10:03 +0000 (16:10 +0200)]
qemu: Fix auto-shutdown of qemu VMs by the qemu driver
When auto-shutdown via the qemu driver is requested (rather than via
libvirt-guests) we need to start the VMs in a way that they will be kept
around for libvirt to terminate them. This involves inverting the
dependency relationship for the machined unit file.
Since the setup is done at startup of the VM, add a disclaimer to
qemu.conf that switching between the two modes with VMs running will not
work properly.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Thu, 26 Jun 2025 15:35:17 +0000 (17:35 +0200)]
virSystemdCreateMachine: Add flag to invert machined unit dependencies
The existing dependency order of the 'machined' unit file for the domain
we're starting ("After libvirtd/virtqemud", thus it shuts down *before* the
daemon) is intended to work with 'libvirt-guests.service' which requires
the daemon to be around to shut down the VMs.
If we want to use the integrated auto shutdown done by the daemon itself
we need to be able to instruct the domains (thus the corresponding
machined units) to shut down *after* virtqemud/libvirt.
This means that we need to be able to invert the ordering relationship
to "Before".
This patch adds a parameter to virSystemdCreateMachine so that when
starting the VM we'll be able to tell the daemon to use the proper
relationship.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Fri, 27 Jun 2025 13:13:35 +0000 (15:13 +0200)]
qemu: conf: Store 'autoShutdown' config in virDomainDriverAutoShutdownConfig
Rather than having a bunch of extra variables, save the configuration of
the daemon auto shutdown in virDomainDriverAutoShutdownConfig which is
also used when initiating the shutdown.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Andrea Bolognani [Wed, 24 Jan 2024 10:05:16 +0000 (11:05 +0100)]
qemu: Use virtio-scsi by default on RISC-V
Using lsilogic on RISC-V was never an actual decision, but
rather a consequence of that being the default for legacy x86
guests. Using virtio-scsi is a much more sensible choice.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Make the helper stateless. This requires the caller to check
whether it needs to be called in the first place instead of
adding this check inside the function, which makes for more
readable, if a little more verbose, code.
We also update callers to check the return value against
VIR_DOMAIN_CONTROLLER_MODEL_SCSI_DEFAULT instead of a
functionally equivalent, but semantically less meaningful,
check for whether the return value is negative.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jim Fehlig [Thu, 26 Jun 2025 21:16:22 +0000 (15:16 -0600)]
qemu: Switch to virtio-scsi on ARM
Similar to x86, the default SCSI controller model for ARM is lsilogic.
But unlike x86, the ARM virt machine type prefers virtio devices. Switch
the default controller model for ARM from lsilogic to virtio-scsi.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Andrea Bolognani [Tue, 13 Feb 2024 18:28:09 +0000 (19:28 +0100)]
qemu: Improve error message for USB controller validation
Use the same wording as for SCSI controllers, which also
happens to contain additional information (the controller's
index).
The new error message and error type are more accurate anyway:
in most cases, it's perfectly fine for the user not to provide
a controller model explicitly, as libvirt will try to figure
out a reasonable default.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
qemu: Move error reporting out of qemuDomainDefaultSCSIControllerModel()
We want this helper to work more like other similar ones, where
error reporting is performed by the caller. This introduces a
small amount of code duplication but makes for a cleaner API.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 11:59:49 +0000 (13:59 +0200)]
virt-aa-helper: Check retval of vah_add_file()
Inside of get_files() there are two cases where vah_add_file() is
not checked for its retval. This is possibly dangerous, because
vah_add_file() might fail. Fix those places by introducing checks
for the retval.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 11:52:46 +0000 (13:52 +0200)]
virt-aa-helper: Decrease scope of @mem_path in get_files()
The @mem_path variable inside of get_files() is used only within
a single block. Move its declaration inside it. And also utilize
automatic memory freeing.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 07:27:58 +0000 (09:27 +0200)]
virt-aa-helper: Simplify paths collection
The way virt-aa-helper works is the following: the apparmor
secdriver formats domain XML, spawns virt-aa-helper process and
feeds it with domain XML (through stdin). The helper process then
parses the XML and iterates over devices, appending paths in each
loop.
These loops usually are in the following form:

    for (i = 0; i < ctl->def->nserials; i++) {
        if (ctl->def->serials[i] && ...
    }

While we are probably honourable members of tautology club, those
NULL checks are redundant. Our XML parser would never append NULL
into the def->devices array. If it did, we'd be in way bigger problems
anyway.
Then, constantly dereferencing ctl->def just to get to a path
that's hidden a couple of structures deep gets hard to read. Just
introduce temporary variables.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 12:31:20 +0000 (14:31 +0200)]
virt-aa-helper: Rework USB hostdev handling
For a USB device, virt-aa-helper must put the
/dev/bus/usb/... path associated with the given device into the
profile. The way the code is currently written not only leads to a
memleak (the @usb variable is allocated only to be overwritten right
away), but is needlessly cumbersome.
We can use virHostdevFindUSBDevice() to find the USB device,
check if it's missing and if not add the path associated with it
into the profile.
While at it, also use automatic memory freeing for the variable.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 12:30:40 +0000 (14:30 +0200)]
virt-aa-helper-test: Test hostdevs unconditionally
Our test suite is very feature rich. In particular, it has two
mocks that implement sysfs close enough to create a
host-independent environment to work with PCI and USB devices.
These mocks are called virpcimock and virusbmock, respectively.
Inside of virt-aa-helper-test there is an attempt to test whether
virt-aa-helper generates profiles for <hostdevs/>, once for USB
and the other time for PCI. Use these mocks to run virt-aa-helper
in an environment where certain PCI/USB devices always exist.
There are two problems though:
1) those two test cases use hardcoded PCI/USB addresses, which
   makes them host environment dependent,
2) neither of the test cases checks whether the corresponding rule
   was added into the profile.
Using mocks we can get away with problem 1), and by passing the
fifth argument to testme() we can list an expected rule in the
profile.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 09:58:34 +0000 (11:58 +0200)]
virt-aa-helper-test: Silence ls
virt-aa-helper checks presence of files before it adds them into
a profile. Because of that, test cases inside of
virt-aa-helper-test that require presence of /boot/initrd* are
guarded by a check. The check uses ls to find at least one initrd
file. If there's none, then ls prints an error onto stderr. This
is not helpful because the test script prints a message on its
own right after.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 09:57:43 +0000 (11:57 +0200)]
virt-aa-helper-test: Print errors to stderr
When a test case fails, there are two echo-s executed: the first
one either prints the error message into /dev/null (default) or
onto stdout (when the test script is executed with -d). Then, the
second one prints the error message onto stdout. While this
technically works, there's nothing ever printed onto stderr which
is usually what's captured. Worse, if some command within the
script fails, it prints something onto stderr but then looking at
meson logs it's needlessly hard to match stderr and stdout lines.
Just print error messages onto stderr.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 14:17:33 +0000 (16:17 +0200)]
tests: Fix mocking of open()
In some cases (well, the majority), open() is rewritten to
open64(), either by a plain '#define open open64' or at the assembly
level (using the __REDIRECT macro). See <fcntl.h> for more info.
This didn't really matter to us, because we do not chain load two
mocks that would need to reimplement open() at the same time. But
this is soon going to change.
The problem is that VIR_MOCK_REAL_INIT(open) glosses over the
aforementioned rewrite and initializes the real_open pointer to
open() from the standard C library. But it needs to point to
open() (well, open64()) from the next mock on the list.
Therefore, init real_open to open64().
But of course, this is all glibc specific and for example musl
does the opposite (#define open64 open).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 11:19:32 +0000 (13:19 +0200)]
virpcimock: Strip fakerootdir prefix in virFileCanonicalizePath()
The mocked implementation of virFileCanonicalizePath() redirects
accesses to a few dirs into a temporary directory, where PCI
related files live. See getrealpath() for more info on this.
Anyway, in the end the real implementation of
virFileCanonicalizePath() is called, which then might contain the
'fakerootdir' prefix. Up until now this did not matter because
none of our tests really cared about the actual value of the resolved
path. They usually cared about the last component of the path or
something. But this will soon change.
TL;DR: if the returned path has the $fakerootdir prefix, strip it.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Tue, 10 Jun 2025 13:11:55 +0000 (15:11 +0200)]
virpcimock: Automatically invent fakerootdir, if not provided
Currently, all users of virpcimock do set the LIBVIRT_FAKE_ROOT_DIR
envvar. But soon, virt-aa-helper will be run with it and
basically right at the beginning of its main() it clears the whole
environment. So even if the envvar is provided the mock won't see
it.
Anyway, the solution is to just create a tempdir and then 'rm
-rf' it in the destructor.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 11:19:12 +0000 (13:19 +0200)]
virt-aa-helper: Use virFileCanonicalizePath()
While use of realpath() is not forbidden, some of our mocks
already have a test friendly reimplementation of
virFileCanonicalizePath(). Use the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 11 Jun 2025 11:18:55 +0000 (13:18 +0200)]
log_cleaner: Use virFileCanonicalizePath()
While use of realpath() is not forbidden, some of our mocks
already have a test friendly reimplementation of
virFileCanonicalizePath(). Use the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
gendispatch: Finish rename of the migration argument
This patch is useless.
Either the APIs don't have a 'resource' or 'bandwidth' argument to
begin with, or they serve as a wrapper over a different API
(changed in previous commits). Nonetheless, in the name of
consistency, let's just change those variable names.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePerform3()
The virDomainMigratePerform3() API declares its last argument as
'bandwidth', though throughout various typedefs, RPC and callback
implementations the name is changed to 'resource'. This creates
confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigrateBegin3()
The virDomainMigrateBegin3() API declares its last argument as
'bandwidth', though throughout various typedefs, RPC and callback
implementations the name is changed to 'resource'. This creates
confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePrepareTunnel3()
The virDomainMigratePrepareTunnel3() API declares one of its
arguments as 'bandwidth', though throughout various typedefs, RPC
and callback implementations the name is changed to 'resource'.
This creates confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePrepare3()
The virDomainMigratePrepare3() API declares one of its arguments
as 'bandwidth', though throughout various typedefs, RPC and
callback implementations the name is changed to 'resource'. This
creates confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePrepareTunnel()
The virDomainMigratePrepareTunnel() API declares one of its
arguments as 'bandwidth', though throughout various typedefs, RPC
and callback implementations the name is changed to 'resource'.
This creates confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePrepare2()
The virDomainMigratePrepare2() API declares one of its arguments as
'bandwidth', though throughout various typedefs, RPC and callback
implementations the name is changed to 'resource'. This creates
confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePerform()
The virDomainMigratePerform() API declares its last argument as
'bandwidth', though throughout various typedefs, RPC and callback
implementations the name is changed to 'resource'. This creates
confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src: Unify argument name of virDomainMigratePrepare()
The virDomainMigratePrepare() API declares its last argument as
'bandwidth', though throughout various typedefs, RPC and callback
implementations the name is changed to 'resource'. This creates
confusion. Unify the name.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Akihiko Odaki [Sat, 8 Mar 2025 05:57:41 +0000 (14:57 +0900)]
qemu: Replace usb-storage with usb-bot
usb-storage is a compound device that automatically creates a USB mass
storage device and a SCSI device as its backend. Unfortunately it lacks
some configuration options that are usually present with a SCSI device,
and cannot represent a CD-ROM in particular.
Replace usb-storage with usb-bot, which can be combined with a manually
created SCSI device. libvirt will configure the SCSI device in a way
identical to how QEMU does for usb-storage, except that now it respects
a configuration option to represent a CD-ROM.
Peter Krempa [Thu, 19 Jun 2025 07:46:38 +0000 (09:46 +0200)]
qemuBuildDeviceAddressDriveProps: Prepare for 'drive' address for usb-bot disks
While the 'usb-storage' based disks use the USB address directly, with
'usb-bot' the USB address is on the "controller" part of the device and
the 'scsi-hd/cd' device will use a 'drive' address from qemu's PoV.
Since we do not want to expose the 'usb-bot' as an explicit controller,
to preserve compatibility with existing configs we plan to upgrade,
implement the formatter for the 'drive' address when the "diskbus" property
is VIR_DOMAIN_DISK_BUS_USB.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Peter Krempa [Mon, 23 Jun 2025 15:51:16 +0000 (17:51 +0200)]
qemu: Fill in model of 'usb' disks to preserve ABI compatibility
While 'usb-bot' and 'usb-storage' are ABI and migration compatible for
disks, it's not the case for cdroms. When migrating from a new config
using 'usb-bot' to an older daemon which would use 'usb-storage' the
guest OS will get I/O errors.
Thus we must properly fill in models for 'usb' disks so that cdroms can
be handled properly.
When parsing XML fill in the models and drop the appropriate models when
formatting migratable XML.
The logic is explained in comments in the code.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Peter Krempa [Thu, 19 Jun 2025 13:46:46 +0000 (15:46 +0200)]
conf: introduce usb disk models 'usb-storage' and 'usb-bot'
Historically libvirt specified 'usb-storage' as the driver for USB disks.
This though, combined with '-blockdev', doesn't properly configure the
device to look like a CDROM for <disk type='cdrom'>.
'usb-bot' acts like a controller and allows explicitly connecting a
-device to it.
In qemu the devices share the implementation so they are effectively
identical and can be used interchangeably. There is a difference in how
the storage device itself (the SCSI part) looks when configured properly
as a CDROM, which is unfortunately not compatible/interchangeable.
As this is effectively a bugfix we'll be fixing the behaviour for the
default configuration. The possibility to explicitly set the model is
added as a possibility for working around possible problems if they'd
appear.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>