Hector Cao [Wed, 20 Aug 2025 15:49:59 +0000 (17:49 +0200)]
virt-aa-helper: Avoid duplicates when appending rules
When a device is dynamically attached to a VM and it needs special
system access for AppArmor, libvirt calls virt-aa-helper (with argument -F)
to append a new rule to the AppArmor profile of the VM. virt-aa-helper does
not check for duplicates and blindly appends the rule to the profile. Since
there is no rule removal when a device is detached, this can make the profile
grow in size if a large number of attach/detach operations are done; the
profile might hit the size limit and future attach operations might fail
because no rule can be added to the AppArmor profile.
This patch tries to mitigate this issue by doing a duplicate check
when rules are appended to the profile. This fix does not guarantee
the absence of duplicates but should be enough to prevent the profile
from growing significantly in size and reaching its size limit.
Signed-off-by: Hector CAO <hector.cao@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
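The following is an added example, not libvirt's or virt-aa-helper's own code, showing the kind of duplicate check the commit above describes: a rule is appended to a profile buffer only if an identical rule line is not already there, and the caller is told when the buffer's size limit is hit. Matching whole lines rather than substrings is the detail a practitioner should watch for, since "/dev/sda" rwk, must not be taken as a duplicate of "/dev/sda1" rwk,. The rule strings, the in-memory profile and the fixed PROFILE_CAP limit are constructed for the example; real virt-aa-helper works on the profile file and AppArmor's own limits.

```c
/* Added example (not libvirt code): duplicate-aware rule append. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PROFILE_CAP 4096   /* constructed stand-in for the profile size limit */

/* True if `rule` already appears as a complete line in `profile`.
 * Whole-line comparison: "/dev/sda" is not a duplicate of "/dev/sda1". */
static bool profile_has_rule(const char *profile, const char *rule)
{
    size_t rlen = strlen(rule);
    const char *p = profile;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len == rlen && memcmp(p, rule, rlen) == 0)
            return true;
        if (!eol)
            break;
        p = eol + 1;
    }
    return false;
}

/* Append `rule` plus a newline unless it is already present.
 * Returns 1 if appended, 0 if it was a duplicate, -1 if the rule would
 * not fit (the "no rule can be added" failure the commit mentions). */
static int profile_append_rule(char *profile, size_t cap, const char *rule)
{
    size_t cur, rlen;

    if (profile_has_rule(profile, rule))
        return 0;

    cur = strlen(profile);
    rlen = strlen(rule);
    if (cur + rlen + 2 > cap)       /* rule + '\n' + terminating NUL */
        return -1;

    memcpy(profile + cur, rule, rlen);
    profile[cur + rlen] = '\n';
    profile[cur + rlen + 1] = '\0';
    return 1;
}

/* Number of newline-terminated lines, to observe growth (or its absence). */
static size_t profile_line_count(const char *profile)
{
    size_t n = 0;
    for (; *profile; profile++)
        if (*profile == '\n')
            n++;
    return n;
}

/* Constructed scenario: the same device is attached `cycles` times and
 * nothing is ever removed on detach. With the check, the profile stays flat. */
static size_t simulate_attach_cycles(char *profile, size_t cap, int cycles)
{
    const char *rule = "  \"/dev/sda\" rwk,";
    int i;

    for (i = 0; i < cycles; i++)
        profile_append_rule(profile, cap, rule);
    return profile_line_count(profile);
}

int main(void)
{
    char profile[PROFILE_CAP] = "  \"/dev/sda1\" rwk,\n";
    size_t lines = simulate_attach_cycles(profile, sizeof(profile), 1000);

    printf("%zu lines after 1000 attach cycles:\n%s", lines, profile);
    return 0;
}
```

Without the check, the constructed loop would append 1000 copies; with it, the profile keeps exactly two lines. The -1 return is where a real helper should report an error rather than silently truncating the rule.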
Older libvirt versions still only work if 'encryption_key' is enabled
in the server and client certificates. Add a note.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Sebastian Mitterle <smitterl@redhat.com>
docs/tlscerts: document need for socket activation
Mention that the TLS socket needs to be started and the libvirtd
or virtproxyd service might have to be started.
If this is not done the user might run into connection issues, and
it seems this is not mentioned elsewhere in the docs.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Sebastian Mitterle <smitterl@redhat.com>
Michal Privoznik [Tue, 19 Aug 2025 08:01:11 +0000 (10:01 +0200)]
spec: Package newly introduced CH conf files
In a recent commit, v11.6.0-25-g5dca0567f6, new config files for
the CH driver were introduced. But the corresponding change to the
specfile was missing, resulting in a broken rpmbuild. Just put
those files into the daemon-driver-ch RPM.
Fixes: 5dca0567f694a7405ca3e796149aed857b1f6090
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Stefan Kober [Mon, 18 Aug 2025 09:20:54 +0000 (11:20 +0200)]
ch: add log level configuration option
Allow a user to set the verbosity of the Cloud Hypervisor instances by
specifying it in the ch.conf configuration file.
Signed-off-by: Stefan Kober <stefan.kober@cyberus-technology.de>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Stefan Kober [Mon, 18 Aug 2025 09:20:53 +0000 (11:20 +0200)]
ch: Add config file support
Similar to the QEMU driver, the ch driver receives support for
configuration files that allow configuring certain aspects of the
virtchd daemon.
The initial use case will be setting the verbosity of the Cloud
Hypervisor instances started by virtchd, but the implementation allows
for adding further options.
Signed-off-by: Stefan Kober <stefan.kober@cyberus-technology.de>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 13 Aug 2025 13:36:48 +0000 (15:36 +0200)]
qemuxmlconftest: Paper over test failure on macOS
macOS has its own dynamic linker (dyld) which is different from the
Linux/BSD one. But with a little help (by setting the
"DYLD_FORCE_FLAT_NAMESPACE" env var) it would behave similarly to the
Linux/BSD ones. In particular, if a library is preloaded via
"DYLD_INSERT_LIBRARIES" on macOS or "LD_PRELOAD" on Linux/BSD,
then dlsym(RTLD_NEXT, ...) considers ALL preloaded libraries. For
instance, virFileCanonicalizePath() is reimplemented in
virpcimock and qemuxml2argvmock. Each one of these
reimplementations uses dlsym(RTLD_NEXT, ...) to look up and call
virFileCanonicalizePath() from the next library in the queue and
possibly even the actual implementation from libvirt.so.
This chaining of mocks allows us to have mock libraries that
create a stable, reproducible environment for tests.
Now, for an unknown reason Apple decided to remove the flat
namespace feature [1] (I recommend just cloning the repo and
viewing the commit via 'git show' as GitHub's web interface hides
interesting bits away). They did so in 2022. And it wasn't until
my commit of v11.6.0-19-g12c35ab161 that we noticed this,
because until that commit no two mocks reimplemented the same
function. Well, now they do and with flat namespaces gone
dlsym(RTLD_NEXT, ...) returns an address from libvirt.so instead
of from the next mock on the list.
Since the reimplementation of virFileCanonicalizePath() in
qemuxml2argvmock.c is only to cover a case on some Linux systems
and virpcimock.c creates a full sysfs imitation of PCI devices, the
latter is more important than the former.
Therefore, switch the order of those mocks.
On Linux/BSD this has virtually no effect, but on macOS it fixes
the qemuxmlconftest failure.
1: https://github.com/apple-oss-distributions/dyld/commit/9a9e3e4cfa7de205d61f4114c9b564e4bab7ef7f
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
James Le Cuirot [Thu, 24 Jul 2025 13:49:38 +0000 (14:49 +0100)]
qemu: Match firmware with fully resolved and canonicalized paths
Distros may provide compatibility symlinks after moving firmware files
around, but they won't work for existing VMs when doing a straight
string comparison.
I tried to compare inodes instead, but even glib doesn't provide a
straightforward cross-platform method to do this.
Resolves: https://bugs.gentoo.org/960591
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Thu, 31 Jul 2025 09:19:43 +0000 (11:19 +0200)]
qemuxml2argvmock: Pretend FW blobs are always present
Soon, the QEMU driver, specifically the part that picks firmware
based on firmware descriptor files (qemu_firmware.c) is going to
check for the presence of those firmware blobs (well, for their
realpath()). Just collect the list of all blobs we use in our
tests and mock virFileCanonicalizePath() so that for any path on
that list its strdup()-ed version is returned.
This means qemuxmlconftest won't really touch host files.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Pavel Hrdina [Thu, 10 Jul 2025 09:23:26 +0000 (11:23 +0200)]
docs: hacking: Define policy forbidding use of AI code generators
This policy is a copy of what QEMU project is using [1] as there is no
reason to use different policy, only modification is changing the
project name and link to DCO.
Peter Krempa [Thu, 31 Jul 2025 12:14:05 +0000 (14:14 +0200)]
virCHDomainRefreshThreadInfo: Don't trust vcpu ID returned by hypervisor
The hypervisor may return an index out of range of current vCPUs
defined in the domain which would cause a NULL dereference. Validate
that the vCPU struct with ID fetched from hypervisor exists before
dereferencing it.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
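As an added example of the check the commit above describes (this is not libvirt's virCHDomainRefreshThreadInfo, and the struct names and the hypervisor record format are constructed for illustration): a vCPU index reported by the hypervisor is looked up through a bounds-checked accessor that returns NULL instead of indexing past the domain's vCPU array, and records with an out-of-range index are counted and skipped rather than dereferenced.

```c
/* Added example (not libvirt code): never trust a hypervisor-supplied index. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for per-vCPU private data. */
struct vcpu_info {
    bool online;
    int tid;              /* host thread ID, 0 = unknown */
};

struct domain {
    size_t nvcpus;
    struct vcpu_info *vcpus;
};

/* One record as a hypervisor might report it. The vcpu_id is external
 * input: it may be stale, garbage, or simply larger than nvcpus. */
struct hv_thread {
    unsigned int vcpu_id;
    int tid;
};

/* Bounds-checked lookup: NULL instead of an out-of-range pointer. */
static struct vcpu_info *domain_vcpu(struct domain *dom, unsigned int id)
{
    if (id >= dom->nvcpus)
        return NULL;
    return &dom->vcpus[id];
}

/* Apply the hypervisor's thread list to the domain. Returns how many
 * records were ignored because their vCPU index does not exist. */
static size_t refresh_thread_info(struct domain *dom,
                                  const struct hv_thread *threads, size_t n)
{
    size_t ignored = 0;

    for (size_t i = 0; i < n; i++) {
        struct vcpu_info *v = domain_vcpu(dom, threads[i].vcpu_id);

        if (!v) {
            fprintf(stderr, "ignoring vcpu id %u reported by hypervisor: "
                    "domain has %zu vcpus\n", threads[i].vcpu_id, dom->nvcpus);
            ignored++;
            continue;
        }
        v->tid = threads[i].tid;
        v->online = true;
    }
    return ignored;
}

/* Constructed scenario: a 2-vCPU domain, hypervisor reports three records,
 * one of them for vCPU 7. Without the check this would be a NULL (or wild)
 * pointer dereference; with it, one record is ignored. */
static size_t demo_bogus_id(void)
{
    struct vcpu_info vcpus[2] = { { false, 0 }, { false, 0 } };
    struct domain dom = { 2, vcpus };
    const struct hv_thread report[] = { { 0, 1001 }, { 1, 1002 }, { 7, 1003 } };

    return refresh_thread_info(&dom, report, 3);
}

int main(void)
{
    printf("ignored %zu bogus record(s)\n", demo_bogus_id());
    return 0;
}
```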
Implementation uses pf's anchor feature to group rules. All rules live
in the "libvirt" anchor and every libvirt's network has its own
sub-anchor.
Currently there are some assumptions and limitations:
- We assume that a user has created the "libvirt" (nat-)anchors. As
they cannot be created on the fly, it's better not to touch the global pf
configuration and let the user do the changes. If the user doesn't
have these anchors configured, the rules will still be created in
sub-anchors, but will not be effective until these anchors are
activated. Should we check if these anchors are not active to
give some runtime warning?
- Currently, rule reloading is not smart: it always deletes rules,
flushes rules and re-creates them. It would be better to do that
more gracefully.
- IPv6 configurations are currently not supported.
- For NAT, pf requires an explicit IP address or an interface to NAT to.
We try to obtain that from the network XML definition, and if it's
not specified, we try to determine the interface corresponding to the
default route.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
qemu: don't warn about missing SMM for CVM firmware
Neither Intel TDX nor AMD SEV(SNP) allows use of SMM, but the EDK2
firmware nonetheless supports Secure Boot. Libvirt currently
issues bogus warnings about Fedora firmware:
warning : qemuFirmwareSanityCheck:1575 : Firmware description
'/usr/share/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json' has
invalid set of features: requires-smm = 0, secure-boot = 1,
enrolled-keys = 1
This removes the warning if the firmware descriptor indicates use
of any confidential VM technology.
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
George Melikov [Thu, 24 Jul 2025 14:34:03 +0000 (17:34 +0300)]
Storage: ZFS: implement `resizeVol` method to support native resize
ZFS doesn't have thick allocations; every allocation is
thin-provisioned, so a resize operation is essentially
a zvol size limit change
(`zfs set volsize=X pool/zvol_name`).
Shrinking is allowed too (which leads to data destruction),
but the shrink restriction is already implemented in libvirt,
so this function doesn't need to check anything.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: George Melikov <mail@gmelikov.ru>
Mark Cave-Ayland [Fri, 18 Jul 2025 08:44:39 +0000 (09:44 +0100)]
qemuxmlconftest: add tests for new hardware UUID (hwuuid) element
Add new 'hwuuid' and 'hwuuid-smbios-uuid-match' tests to verify that the new
hardware UUID (hwuuid) element is working as intended.
In particular the 'hwuuid-smbios-uuid-match' test is designed to ensure that
the hwuuid and SMBIOS UUIDs are always identical, similar to how the existing
logic works for the domain UUID and the SMBIOS UUID.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Mark Cave-Ayland [Fri, 18 Jul 2025 08:44:38 +0000 (09:44 +0100)]
conf: introduce hardware UUID (hwuuid) element
The hardware UUID (hwuuid) element provides a mechanism to supply an external
UUID to the guest, as opposed to the libvirt domain UUID. This is to allow
for the scenario whereby a domain can be stopped, cloned and then started as
a new domain without altering the guest-visible UUID.
Add the element, documentation and core code for the hwuuid feature along
with an implementation for the QEMU driver.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
src: add missing libvirt-admin.pc.in for local usage
When using the 'run' script, we point pkg-config to files
in $BUILD/src, which resolve to the local build tree.
Unfortunately we forgot a libvirt-admin.pc.in, so the run
script was not taking effect for the admin APIs.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Michal Privoznik [Wed, 23 Jul 2025 10:57:18 +0000 (12:57 +0200)]
virnetdevvportprofile: Drop explicit enum virNetDevVPortProfile declaration
The virNetDevVPortProfile enum is both explicitly declared and
also typedef-ed. This repetition is redundant. Just use typedef.
To make matters worse, there's another type with the same name,
but because in the code, those few places used 'enum
virNetDevVPortProfile var;' to declare variables compilers didn't
complain.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
qemu: Bypass sending VIR_DOMAIN_EVENT_RESUMED event when a TD VM reboots
When a TD VM reboots, the qemu process is recreated by destroying the old
one and creating a new one. When the new qemu process starts, it sends a
RESUME event while the libvirt domain isn't in the running state yet. Then
the event VIR_DOMAIN_EVENT_RESUMED is sent out and confuses the control plane.
Check priv->pausedShutdown and bypass the event for a TD VM; for a
normal VM, the domain is in the running state and the event is already bypassed.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Tue, 29 Jul 2025 11:05:09 +0000 (13:05 +0200)]
Revert "qemu: Match firmware with fully resolved and canonicalized paths"
The canonicalization of the paths is not mocked properly and thus the
tests depend on the host system. While the tests do pass on our CI they
break on real deployments at least on Fedora 42.
Since we're in code freeze for the upcoming release, revert the patch
instead of attempts to fix it.
James Le Cuirot [Thu, 24 Jul 2025 13:49:38 +0000 (14:49 +0100)]
qemu: Match firmware with fully resolved and canonicalized paths
Distros may provide compatibility symlinks after moving firmware files
around, but they won't work for existing VMs when doing a straight
string comparison.
I tried to compare inodes instead, but even glib doesn't provide a
straightforward cross-platform method to do this.
Resolves: https://bugs.gentoo.org/960591
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
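The firmware-path commit above (listed twice in this log: once as originally merged, once after its revert and re-application) and the revert message between them together make a point worth showing in code: matching on canonicalized paths survives distro compatibility symlinks, but the canonicalization step touches the host filesystem, so a test suite must mock it or the result depends on what is installed. The following is an added example, not libvirt's qemu_firmware.c code: fw_path_match() compares two paths by realpath() and falls back to a negative answer when either path cannot be resolved, and demo_compat_symlink() builds a constructed fixture under /tmp (a "new" firmware file plus an "old" symlink pointing at it) to show that the plain string comparison fails where the canonical one succeeds. The directory layout and file names are assumptions for the example only.

```c
/* Added example (not libvirt code): firmware path match via realpath(). */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Equal if the strings match, or if both resolve to the same canonical
 * file. If either cannot be resolved (missing file, as in a test tree
 * without real firmware) the answer is "no match"; a test suite must mock
 * the resolution step rather than rely on the host's /usr/share. */
static int fw_path_match(const char *a, const char *b)
{
    char ra[PATH_MAX], rb[PATH_MAX];

    if (strcmp(a, b) == 0)
        return 1;
    if (!realpath(a, ra) || !realpath(b, rb))
        return 0;
    return strcmp(ra, rb) == 0;
}

/* Constructed fixture: <dir>/new/OVMF.fd plus a distro-style compat
 * symlink <dir>/old/OVMF.fd -> ../new/OVMF.fd. Returns the match result
 * for old-vs-new (1 expected), or -1 if the fixture could not be built. */
static int demo_compat_symlink(void)
{
    char dir[] = "/tmp/fwmatchXXXXXX";
    char newd[PATH_MAX], oldd[PATH_MAX], newf[PATH_MAX], oldf[PATH_MAX];
    FILE *f;
    int matched;

    if (!mkdtemp(dir))
        return -1;
    snprintf(newd, sizeof(newd), "%s/new", dir);
    snprintf(oldd, sizeof(oldd), "%s/old", dir);
    snprintf(newf, sizeof(newf), "%s/new/OVMF.fd", dir);
    snprintf(oldf, sizeof(oldf), "%s/old/OVMF.fd", dir);

    if (mkdir(newd, 0700) != 0 || mkdir(oldd, 0700) != 0)
        return -1;
    if (!(f = fopen(newf, "w")))
        return -1;
    fputs("constructed firmware blob\n", f);
    fclose(f);
    if (symlink("../new/OVMF.fd", oldf) != 0)
        return -1;

    /* strcmp(oldf, newf) != 0, yet both name the same file. */
    matched = fw_path_match(oldf, newf);

    unlink(oldf);
    unlink(newf);
    rmdir(oldd);
    rmdir(newd);
    rmdir(dir);
    return matched;
}

int main(void)
{
    printf("compat symlink matches canonical path: %d\n", demo_compat_symlink());
    return 0;
}
```

The fallback to 0 when realpath() fails is deliberate: returning an error there would make a missing blob abort firmware selection, while treating unresolvable paths as non-matching keeps the old string-comparison behaviour for everything that did resolve. A test harness should replace realpath() (or the project's wrapper around it) with a lookup over the paths the test data uses, which is what the qemuxml2argvmock commit earlier in this log does.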
Allow defining the default for deprecated_features when the attribute
is not set in the cpu definition of a domain XML. If these features are
still desired, they may be re-enabled via the deprecated_features='on'
attribute.
Some existing tests utilize this updated behavior, so update the CPU
features on the corresponding args files.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Boris Fiuczynski [Mon, 30 Jun 2025 03:19:29 +0000 (23:19 -0400)]
tests: new qemuxmlactive tests for s390x
Add tests for active/inactive XML with deprecated_features attribute.
Note that for the qemuxmlactivetest, it is not possible to test an
inactive guest XML with the absence of "deprecated_features" attribute
and expect the active XML to have the attribute present. This is due to
the fact that the tests never touch the code path in qemu_process that
trigger this change in the domain definition.
Signed-off-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Collin Walling <walling@linux.ibm.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Collin Walling [Mon, 30 Jun 2025 03:19:28 +0000 (23:19 -0400)]
qemu: process: refactor deprecated features code
Group up the deprecated features code into a single block to keep things
clean; only check if the deprecated_features attribute is present
once and then do the relevant work.
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Collin Walling [Mon, 30 Jun 2025 03:19:27 +0000 (23:19 -0400)]
qemu: caps: add virCPUFeaturePolicy param to virQEMUCapsUpdateCPUDeprecatedFeatures
Currently, virQEMUCapsUpdateCPUDeprecatedFeatures only allows for
disabling deprecated features. This locks the deprecated_features
attribute to only do something if set to 'off'.
Let's add a virCPUFeaturePolicy to the function's parameters which will
allow the caller to decide what happens to these features.
Add a test with guest XML using deprecated_features='on' to ensure the
API is working properly.
Signed-off-by: Collin Walling <walling@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Acked-by: Thomas Huth <thuth@redhat.com>
A TDX guest doesn't support system_reset, so we have to kill the old QEMU and
start a new one to simulate the reset. This can be achieved by calling
qemuProcessFakeRebootViaRecreate().
Similar to FakeReboot, QEMU sends a SHUTDOWN event with "host-signal" reason
which can trigger another FakeReset. Check if a FakeReset is ongoing and
bypass "host-signal" processing which originally comes from FakeReset.
The domain lock is already held in qemuDomainReset() before calling
qemuProcessFakeRebootViaRecreate(), so bypass locking in it.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: Send event VIR_DOMAIN_EVENT_[STOPPED|STARTED] during recreation
For a secure guest, FakeReboot kills the original QEMU instance and
creates a new one, which is quite different from a normal guest.
To reflect this fact, VIR_DOMAIN_EVENT_[STOPPED|STARTED]
are sent to the control plane with the newly introduced reasons
VIR_DOMAIN_EVENT_[STOPPED|STARTED]_RECREATION.
That would let control plane software understand that these
events are from a fake reboot.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
For a secure guest, FakeReboot kills the original QEMU instance and
creates a new one. During this process, QEMU sends a SHUTDOWN event
with "host-signal" reason which can trigger another FakeReboot.
Check if a FakeReboot is ongoing and bypass "host-signal"
processing which originally comes from FakeReboot.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
We can reboot a TDX guest with 'virsh reboot' or 'virsh shutdown' if the action
for onPoweroff is 'restart'. But running the reboot command in the guest shell will
always lead to a shutdown.
This behavior is not consistent with a normal guest; fix it by checking the
shutdown reason and action configuration to trigger FakeReboot.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
qemu: Add command line for TDX Quote Generation Service (QGS)
'tdx-guest' object supports a "quote-generation-socket" property for
attestation purpose. When "quote-generation-socket" is configured in
guest xml, libvirt generates unix socket format cmdline for QEMU.
'Path' element can be omitted, default path "/var/run/tdx-qgs/qgs.socket"
is used in this case.
conf: Add Intel TDX Quote Generation Service (QGS) support
Add element "quoteGenerationService" to tdx launch security type.
It contains only an optional unix socket address attribute,
when omitted, libvirt will use default QGS server address
"/var/run/tdx-qgs/qgs.socket".
UNIX sockets offer the required functionality with greater
security than vsock, so libvirt only provides support for unix
socket.
qemu_firmware: Pick the right firmware for TDX guests
The firmware descriptors have 'intel-tdx' feature which
describes whether firmware is suitable for TDX guests.
Provide necessary implementation to detect the feature and pick
the right firmware if guest is TDX enabled.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
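Two commits in this log touch the same piece of logic from different sides: the "don't warn about missing SMM for CVM firmware" commit relaxes the descriptor sanity check when any confidential-VM feature is present, and the commit above selects firmware by the intel-tdx feature. The following is an added example, not libvirt's qemu_firmware.c: a flattened, constructed catalogue of descriptors (only the 60-edk2-ovmf-x64-inteltdx.json name comes from the log; the other file names are made up, and real descriptors are JSON files under /usr/share/qemu/firmware) with the feature names QEMU's firmware.json schema defines, a sanity check that flags secure-boot + enrolled-keys without requires-smm except for CVM firmware, and a picker that returns the first descriptor satisfying every required feature and passing the check.

```c
/* Added example (not libvirt code): firmware descriptor feature matching. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FEATURES 8

/* Constructed, flattened view of a descriptor: name + NULL-terminated
 * "features" list. Feature names are the ones from QEMU's firmware.json
 * schema; everything else here is made up for the example. */
struct fw_desc {
    const char *name;
    const char *features[MAX_FEATURES];
};

static bool fw_has(const struct fw_desc *d, const char *feat)
{
    for (size_t i = 0; d->features[i]; i++)
        if (strcmp(d->features[i], feat) == 0)
            return true;
    return false;
}

/* Any confidential-VM technology: SMM is unavailable under all of them. */
static bool fw_is_cvm(const struct fw_desc *d)
{
    return fw_has(d, "intel-tdx") || fw_has(d, "amd-sev") ||
           fw_has(d, "amd-sev-es") || fw_has(d, "amd-sev-snp");
}

/* The rule from the "don't warn about missing SMM" commit: Secure Boot
 * with enrolled keys but no requires-smm is inconsistent (without SMM the
 * variable store holding the keys is not protected from the guest), unless
 * the firmware targets a CVM, where SMM cannot exist at all. */
static bool fw_sanity(const struct fw_desc *d)
{
    bool sb = fw_has(d, "secure-boot");
    bool keys = fw_has(d, "enrolled-keys");
    bool smm = fw_has(d, "requires-smm");

    return !(sb && keys && !smm) || fw_is_cvm(d);
}

/* First descriptor (array order = priority) that passes the sanity check
 * and carries every feature in the NULL-terminated `required` list. */
static const struct fw_desc *fw_pick(const struct fw_desc *descs, size_t n,
                                     const char *const *required)
{
    for (size_t i = 0; i < n; i++) {
        bool ok = fw_sanity(&descs[i]);

        for (size_t j = 0; ok && required[j]; j++)
            ok = fw_has(&descs[i], required[j]);
        if (ok)
            return &descs[i];
    }
    return NULL;
}

/* Constructed catalogue. */
static const struct fw_desc catalogue[] = {
    { "50-edk2-ovmf-x64-sb-enrolled.json",
      { "secure-boot", "enrolled-keys", "requires-smm", NULL } },
    { "55-constructed-bad-nosmm.json",                 /* fails sanity */
      { "secure-boot", "enrolled-keys", NULL } },
    { "60-edk2-ovmf-x64-inteltdx.json",                 /* CVM: no SMM, OK */
      { "intel-tdx", "secure-boot", "enrolled-keys", NULL } },
    { "70-edk2-ovmf-x64-nosb.json", { NULL } },
};
#define NCATALOGUE (sizeof(catalogue) / sizeof(catalogue[0]))

/* Name of the firmware chosen for the given requirements, or NULL. */
static const char *pick_name(const char *const *required)
{
    const struct fw_desc *d = fw_pick(catalogue, NCATALOGUE, required);
    return d ? d->name : NULL;
}

int main(void)
{
    const char *const tdx[] = { "intel-tdx", NULL };
    const char *const sb[] = { "secure-boot", NULL };

    printf("TDX guest          -> %s\n", pick_name(tdx));
    printf("Secure Boot guest  -> %s\n", pick_name(sb));
    return 0;
}
```

The inteltdx descriptor has exactly the feature set the log's warning complained about (secure-boot and enrolled-keys without requires-smm); fw_sanity() accepts it only because intel-tdx is present, while the constructed 55- descriptor with the same three-flag pattern and no CVM feature is still rejected.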
Let's log this information into the domain log file, e.g.:
2025-07-10 03:39:18.243+0000: panic tdx: error_code='0x0' message='TD misconfiguration: SEPT #VE has to be disabled'
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>