git.ipfire.org Git - thirdparty/libvirt.git/log
3 months ago tests: Add firmware-manual-efi-nvram-template-nonstandard-format
Andrea Bolognani [Mon, 24 Nov 2025 17:29:59 +0000 (18:29 +0100)] 
tests: Add firmware-manual-efi-nvram-template-nonstandard-format

This test case demonstrates that it's possible to associate a
custom NVRAM template to a well-known firmware binary, specifying
its format, and libvirt will behave correctly.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago schemas: Allow templateFormat without template path
Andrea Bolognani [Wed, 26 Nov 2025 17:18:06 +0000 (18:18 +0100)] 
schemas: Allow templateFormat without template path

Similarly to how we allow the format for the loader and the NVRAM
file to be specified without the corresponding path being present,
we should allow that to happen for the NVRAM template too.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Drop fallback for absent nvramTemplateFormat
Andrea Bolognani [Mon, 24 Nov 2025 16:57:25 +0000 (17:57 +0100)] 
qemu_firmware: Drop fallback for absent nvramTemplateFormat

If this information is missing, the parsing code will consider
the firmware descriptor to be invalid and matching against it will
not even be attempted. So we can safely drop this redundant
fallback.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Ignore stateless/combined when NVRAM is configured
Andrea Bolognani [Wed, 26 Nov 2025 18:01:12 +0000 (19:01 +0100)] 
qemu_firmware: Ignore stateless/combined when NVRAM is configured

For combined firmware builds, the variable storage is part of the
same image as the executable code, whereas stateless builds don't
support variable storage at all.

In both cases, the use of a separate NVRAM storage area is not
supported, so if attributes connected to one are present in the
domain XML, firmware descriptors for stateless/combined builds
should be ignored.

ROM firmware builds are stateless by definition, so the same
handling applies to them as well.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago domain_validate: Reject ROMs with format other than raw
Andrea Bolognani [Fri, 19 Dec 2025 14:19:26 +0000 (15:19 +0100)] 
domain_validate: Reject ROMs with format other than raw

The combination doesn't make sense.

After this change the firmware-auto-efi-format-loader-qcow2-rom
test case starts failing, as it should have in the first place.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago tests: Add firmware-auto-efi-format-loader-qcow2-rom
Andrea Bolognani [Fri, 19 Dec 2025 13:31:38 +0000 (14:31 +0100)] 
tests: Add firmware-auto-efi-format-loader-qcow2-rom

This test case demonstrates a flaw in the XML validation process.

ROM images are by definition in raw format, so attempting to use
any other format should have resulted in the domain XML being
rejected.

The issue will be addressed in an upcoming commit.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago domain_validate: Reject read/write ROMs
Andrea Bolognani [Fri, 12 Dec 2025 15:31:09 +0000 (16:31 +0100)] 
domain_validate: Reject read/write ROMs

The combination doesn't make sense.

After this change the firmware-manual-bios-rw test case starts
failing, as it should have in the first place.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago tests: Add firmware-manual-bios-rw
Andrea Bolognani [Fri, 12 Dec 2025 15:15:34 +0000 (16:15 +0100)] 
tests: Add firmware-manual-bios-rw

This test case demonstrates a flaw in the XML validation process.

ROM images are by definition read-only, so attempting to use one
as read/write should have resulted in the domain XML being
rejected.

The issue will be addressed in an upcoming commit.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago tests: Add firmware-auto-bios-rw
Andrea Bolognani [Fri, 12 Dec 2025 15:18:24 +0000 (16:18 +0100)] 
tests: Add firmware-auto-bios-rw

This test case demonstrates that the firmware autoselection
process is unable to find a BIOS image that is read/write.

This is expected, as BIOS is loaded as ROM and is thus by
definition read-only.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago domain_validate: Reject NVRAM with read/write firmware
Andrea Bolognani [Fri, 5 Dec 2025 17:34:38 +0000 (18:34 +0100)] 
domain_validate: Reject NVRAM with read/write firmware

The combination doesn't make sense.

After this change the firmware-manual-bios-rw test case starts
failing, as it should have in the first place.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago tests: Add firmware-manual-efi-rw-nvram
Andrea Bolognani [Fri, 5 Dec 2025 17:39:04 +0000 (18:39 +0100)] 
tests: Add firmware-manual-efi-rw-nvram

This test case demonstrates a flaw in the XML validation process.

Read/write firmware images already contain an area dedicated to
variable storage, which they use, so attempting to use a separate
NVRAM file together with them should have resulted in the domain
XML being rejected.

The issue will be addressed in an upcoming commit.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Move copying of nvram.format to loader.format
Andrea Bolognani [Thu, 27 Nov 2025 18:05:17 +0000 (19:05 +0100)] 
qemu_firmware: Move copying of nvram.format to loader.format

As explained in the comment that comes along with it, this code
ensures that the user's preference is taken into account when
nvram.format is the only information that's provided. Currently
it lives in the parser, but it makes more sense for it to be
together with the rest of the firmware selection code instead.

Note that this move is not completely seamless: once the code
is moved outside of the parser, it can no longer reliably know
whether the <loader> element actually existed in the domain
XML. The difference is subtle enough that the test suite is
completely unaffected, and we are going to rework the handling
of this scenario in a way that restores the original behavior
later anyway, so it ultimately doesn't matter.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Move format=raw compat exception
Andrea Bolognani [Thu, 27 Nov 2025 17:25:07 +0000 (18:25 +0100)] 
qemu_firmware: Move format=raw compat exception

We currently apply this exception, which is critical to ensure
that the correct firmware is selected when working with older VMs,
in the postparse callback.

Move it to the firmware selection process instead, where it should
have been added in the first place.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Drop 'nvram' local variable
Andrea Bolognani [Sun, 28 Dec 2025 17:31:38 +0000 (18:31 +0100)] 
qemu_firmware: Drop 'nvram' local variable

We access the NVRAM information via the 'loader' local variable
throughout the file, and this is the only spot where the 'nvram'
local variable exists. It makes things inconsistent and opens up
the possibility of the values for 'loader' and 'nvram' going out
of sync, especially after a future commit will introduce the
need to set the former. Just get rid of the additional variable.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_firmware: Drop support for kernel descriptors
Andrea Bolognani [Thu, 27 Nov 2025 19:14:46 +0000 (20:14 +0100)] 
qemu_firmware: Drop support for kernel descriptors

I have been able to find exactly zero evidence of this type of
firmware descriptor actually existing in the wild, so this is
essentially dead code. Dropping it simplifies the task of further
tweaking the firmware selection code.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu: capabilities: Update 'caps_10.1.0_x86_64+inteltdx' after release
Zhenzhong Duan [Wed, 7 Jan 2026 09:06:07 +0000 (04:06 -0500)] 
qemu: capabilities: Update 'caps_10.1.0_x86_64+inteltdx' after release

No TDX specific changes found.

Suggested-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
3 months ago qemu: capabilities: Update 'caps_10.2.0_x86_64+mshv' after release
Praveen K Paladugu [Wed, 7 Jan 2026 22:17:52 +0000 (16:17 -0600)] 
qemu: capabilities: Update 'caps_10.2.0_x86_64+mshv' after release

Regenerate mshv caps dump after qemu 10.2 release.

Signed-off-by: Praveen K Paladugu <praveenkpaladugu@gmail.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
3 months ago qemu: capabilities: Update '10.2' capabilities on x86_64 after release
Peter Krempa [Mon, 5 Jan 2026 14:32:54 +0000 (15:32 +0100)] 
qemu: capabilities: Update '10.2' capabilities on x86_64 after release

QEMU 10.2 is released so we can bump our dump to the final state.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemucapabilitiesdata: Re-generate 'caps_10.2.0_x86_64'
Peter Krempa [Tue, 6 Jan 2026 14:17:55 +0000 (15:17 +0100)] 
qemucapabilitiesdata: Re-generate 'caps_10.2.0_x86_64'

The 'rdseed' CPU feature stopped being presented after updating my host
despite building the same qemu. Re-generate the dump separately from the
update to shield out this difference.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago esx_util: Drop extra spacing
Michal Privoznik [Thu, 8 Jan 2026 14:50:41 +0000 (15:50 +0100)] 
esx_util: Drop extra spacing

Per our coding style, functions shall be separated by either a
single line or two lines. But in esx_util.c functions are
separated by three or even four blank lines. Drop excessive
spacing.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
3 months ago esx: URI encode inventory objects twice
Michal Privoznik [Tue, 6 Jan 2026 16:18:03 +0000 (17:18 +0100)] 
esx: URI encode inventory objects twice

While discouraged by a KB article to use special characters in
inventory object names [1], ESX won't stop you. And thus users
can end up with a datastore named "datastore2+", for instance.
The datastore name (and datacenter path) are important when
fetching/uploading a .vmx file (used in APIs like
virDomainGetXMLDesc() or virDomainDefineXML()). And while we do
URI encode both (dcPath and dsName), encoding them once is not
enough. Cole Robinson discovered [2] that they need to be
URI-encoded twice. Use newly introduced
esxUtil_EscapeInventoryObject() helper to encode them twice.

1: https://knowledge.broadcom.com/external/article/386368/vcenter-inventory-object-name-with-speci.html
2: https://issues.redhat.com/browse/RHEL-133729#comment-28604072
Resolves: https://issues.redhat.com/browse/RHEL-134127
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
3 months ago esx_util: Introduce esxUtil_EscapeInventoryObject()
Michal Privoznik [Wed, 7 Jan 2026 09:34:25 +0000 (10:34 +0100)] 
esx_util: Introduce esxUtil_EscapeInventoryObject()

The aim of this helper function is to URI-encode given string
twice. There's a bug (fixed in next commit) in which we're unable
to fetch .vmx file for a domain if corresponding datastore
contains some special characters (like +). Cole Robinson
discovered that encoding datastore twice enables libvirt to work
around the issue [2]. Well, this function does exactly that.
It was tested with the following inputs and all worked
flawlessly: "datastore", "datastore2", "datastore2+",
"datastore3+-@", "data store2+".

1: https://issues.redhat.com/browse/RHEL-134127
2: https://issues.redhat.com/browse/RHEL-133729#comment-28604072

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
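
The double encoding described in the two esx commits above, as an added example that is not libvirt's code: `uri_encode()`, `uri_decode()` and `escape_inventory_object()` are hypothetical names, and escaping every byte outside the RFC 3986 unreserved set is an assumption about which characters get escaped. It runs the inputs listed in the commit message and shows that a single decode pass still leaves `+` escaped, while two passes recover the original name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libvirt code. All function names are hypothetical. */

/* Assumption: only RFC 3986 "unreserved" characters are left unescaped. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') ||
           c == '-' || c == '.' || c == '_' || c == '~';
}

/* Percent-encode one pass. Worst case every byte becomes "%XX". Caller frees. */
char *uri_encode(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(strlen(in) * 3 + 1);
    char *p = out;

    if (!out)
        return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (is_unreserved(c)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode one pass; malformed "%" sequences are copied literally. */
char *uri_decode(const char *in)
{
    char *out = malloc(strlen(in) + 1);
    char *p = out;
    int hi, lo;

    if (!out)
        return NULL;
    while (*in) {
        if (in[0] == '%' && (hi = hex_val(in[1])) >= 0 &&
            (lo = hex_val(in[2])) >= 0) {
            *p++ = (char)(hi * 16 + lo);
            in += 3;
        } else {
            *p++ = *in++;
        }
    }
    *p = '\0';
    return out;
}

/* Encode twice: the '%' produced by the first pass becomes "%25". */
char *escape_inventory_object(const char *name)
{
    char *once = uri_encode(name);
    char *twice;

    if (!once)
        return NULL;
    twice = uri_encode(once);
    free(once);
    return twice;
}

int main(void)
{
    /* Inputs quoted in the commit message above. */
    const char *names[] = { "datastore", "datastore2", "datastore2+",
                            "datastore3+-@", "data store2+" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *once = uri_encode(names[i]);
        char *twice = escape_inventory_object(names[i]);

        if (!once || !twice)
            return 1;
        printf("%-16s once=%-20s twice=%s\n", names[i], once, twice);
        free(once);
        free(twice);
    }
    return 0;
}
```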
3 months ago qemu: fix locking in qemuProcessHandleMemoryFailure
Thomas Prescher [Wed, 7 Jan 2026 14:38:37 +0000 (15:38 +0100)] 
qemu: fix locking in qemuProcessHandleMemoryFailure

Fix locking in qemuProcessHandleMemoryFailure. We use a lock guard
now because we can directly return from the default switch cases.

Issue has been discovered by johannes.kulik@sap.com

On-behalf-of: SAP thomas.prescher@sap.com
Signed-off-by: Thomas Prescher <thomas.prescher@cyberus-technology.de>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago network: fix memory leak in leaseshelper.c
Philipp Schuster [Wed, 7 Jan 2026 14:13:24 +0000 (15:13 +0100)] 
network: fix memory leak in leaseshelper.c

This was triggered in my experiments with the `virsh net-*` command
family.

On-behalf-of: SAP philipp.schuster@sap.com
Signed-off-by: Philipp Schuster <philipp.schuster@cyberus-technology.de>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: report domain capabilities for arm64
Roman Bogorodskiy [Tue, 23 Dec 2025 17:38:46 +0000 (18:38 +0100)] 
bhyve: report domain capabilities for arm64

Currently, domain capabilities reporting is limited to X86.
Enable it for ARM as well.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: tests: add xml2xml arm64 tests
Roman Bogorodskiy [Mon, 22 Dec 2025 19:08:34 +0000 (20:08 +0100)] 
bhyve: tests: add xml2xml arm64 tests

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: tests: prepare for arm64 xml2xml tests
Roman Bogorodskiy [Mon, 22 Dec 2025 18:49:23 +0000 (19:49 +0100)] 
bhyve: tests: prepare for arm64 xml2xml tests

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: command: handle arm64 bootloader
Roman Bogorodskiy [Mon, 22 Dec 2025 18:07:35 +0000 (19:07 +0100)] 
bhyve: command: handle arm64 bootloader

Just like consoles, bootloader is handled differently on arm64.
It also does not use the LPC bus, and is configured with:

 -o bootrom=/usr/local/share/u-boot/u-boot-bhyve-arm64/u-boot.bin

Additionally, fill firmware information only for amd64.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: command: make -H and -P args amd64-only
Roman Bogorodskiy [Mon, 22 Dec 2025 17:31:59 +0000 (18:31 +0100)] 
bhyve: command: make -H and -P args amd64-only

These arguments control IA32 HLT and PAUSE instructions, so
they are supported only on amd64.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: command: handle arm64 console
Roman Bogorodskiy [Mon, 22 Dec 2025 17:23:41 +0000 (18:23 +0100)] 
bhyve: command: handle arm64 console

Console device handling in bhyve is different for amd64 and arm64.
On amd64, it's configured as an LPC device, and multiple consoles are
supported.

On arm64, only a single console can be configured, and the syntax is
different:

 -o console=/dev/nmdmguest0A

Update the bhyve command generation accordingly.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: domain: require ISA controller on x86_64 only
Roman Bogorodskiy [Sun, 21 Dec 2025 09:04:41 +0000 (10:04 +0100)] 
bhyve: domain: require ISA controller on x86_64 only

ISA controller is not used by the ARM guests.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: tests: support arch-dependent tests
Roman Bogorodskiy [Sat, 20 Dec 2025 17:28:04 +0000 (18:28 +0100)] 
bhyve: tests: support arch-dependent tests

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: capabilities: fix for arm64
Roman Bogorodskiy [Sun, 21 Dec 2025 08:38:16 +0000 (09:38 +0100)] 
bhyve: capabilities: fix for arm64

Currently, guest capabilities have VIR_ARCH_X86_64 hard-coded
for supported guest. As bhyve supports amd64 and arm64 hosts,
and guests' arch must match host's arch, reporting VIR_ARCH_X86_64
for arm64 is wrong.

Set supported guest arch to the same value as the host arch.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago virQEMUSaveDataNew: Refactor cleanup
Peter Krempa [Thu, 4 Dec 2025 16:11:57 +0000 (17:11 +0100)] 
virQEMUSaveDataNew: Refactor cleanup

Use autoptr cleanup for 'data' and get rid of 'cleanup:' label.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemu: snapshot: Check earlier if memory snapshot is possible
Nikolay Shirokovskiy [Thu, 11 Nov 2021 08:55:46 +0000 (11:55 +0300)] 
qemu: snapshot: Check earlier if memory snapshot is possible

Don't unnecessarily pause the VM if the snapshot can't be taken.

Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuSaveImageCreate: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuSaveImageCreate: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuSaveImageCreateFd: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuSaveImageCreateFd: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuMigrationSrcToFile: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuMigrationSrcToFile: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuMigrationSrcToSparseFile: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuMigrationSrcToSparseFile: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuDomainEventEmitJobCompleted: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuDomainEventEmitJobCompleted: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuMigrationSrcToLegacyFile: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuMigrationSrcToLegacyFile: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemuHotplugAttachDBusVMState: Remove 'driver' argument
Peter Krempa [Tue, 2 Dec 2025 16:45:36 +0000 (17:45 +0100)] 
qemuHotplugAttachDBusVMState: Remove 'driver' argument

We pass in 'vm' which contains it in the private data.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago qemu: snapshot: Don't overwrite 'ret' in qemuSnapshotCreateActiveExternal
Nikolay Shirokovskiy [Thu, 11 Nov 2021 08:55:48 +0000 (11:55 +0300)] 
qemu: snapshot: Don't overwrite 'ret' in qemuSnapshotCreateActiveExternal

Both qemuSaveImageCreate and qemuSnapshotCreateActiveExternalDisks
follow the usual convention of returning 0 on success and -1 on error so
there's no need to store the values in 'ret'.

Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago docs: bhyve: document virtio-scsi support
Roman Bogorodskiy [Sat, 3 Jan 2026 13:12:23 +0000 (14:12 +0100)] 
docs: bhyve: document virtio-scsi support

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago bhyve: add virtio-scsi support
Roman Bogorodskiy [Tue, 16 Dec 2025 18:07:17 +0000 (19:07 +0100)] 
bhyve: add virtio-scsi support

Bhyve supports virtio-scsi devices using the following syntax:

  bhyve ... -s N,virtio-scsi,/dev/cam/ctl[pp.vp][,scsi-device-options]

Where /dev/cam/ctl is a ctl(4) device path.
The optional "scsi-device-options" include "iid" (Initiator ID)
and "bootindex", which are currently not used by libvirt.

Model this device using:

  <disk type='ctl'>
    <source dev='/dev/cam/ctl'/>
    <target dev='sda' bus='scsi'/>
  </disk>

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago conf: introduce CTL storage type
Roman Bogorodskiy [Sat, 3 Jan 2026 09:54:51 +0000 (10:54 +0100)] 
conf: introduce CTL storage type

CTL stands for CAM Target Layer, and CAM stands for
Common Access Method Storage subsystem, and is available
on FreeBSD.

Quoting the ctl(4) manual page:

  The ctl subsystem provides SCSI target devices emulation.  It supports
  features such as:

  •   Disk, CD-ROM and processor device emulation
  •   Tagged queueing
  •   SCSI task attribute support (ordered, head of queue, simple tags)
  •   SCSI implicit command ordering support
  •   Full task management support (abort, query, reset, etc.)
  •   Support for multiple ports, initiators, targets and backing stores
  •   Support for VMWare VAAI and Microsoft ODX offload (COMPARE AND WRITE,
      XCOPY, POPULATE TOKEN/WRITE USING TOKEN, WRITE SAME and UNMAP)
  •   Persistent reservation support
  •   Extensive VPD/mode/log pages support
  •   Featured error reporting, error injection and basic SMART support
  •   High Availability clustering support with ALUA
  •   All I/O handled in-kernel, no userland context switch overhead

This is a preparation for implementing virtio-scsi support for the bhyve
driver.

Co-authored-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago qemu_validate: Drop VIR_DOMAIN_HYPERV_STIMER dependency on VIR_DOMAIN_HYPERV_VPINDEX
Michal Privoznik [Tue, 6 Jan 2026 13:37:23 +0000 (14:37 +0100)] 
qemu_validate: Drop VIR_DOMAIN_HYPERV_STIMER dependency on VIR_DOMAIN_HYPERV_VPINDEX

The original commit (v11.9.0-rc1~84) added a dependency checking
of VIR_DOMAIN_HYPERV_STIMER on VIR_DOMAIN_HYPERV_VPINDEX
(meaning, if stimer is on then vpindex must also be on). It
justified this by citing QEMU documentation:

Per QEMU documentation (docs/system/i386/hyperv.rst):

``hv-stimer``
  Enables Hyper-V synthetic timers. <snip/>

  Requires: ``hv-vpindex``, ``hv-synic``, ``hv-time``

While the documentation is almost correct (see previous commit
when it's incorrect), the code expresses no dependency on vpindex
(kvm_hyperv_properties[] array from target/i386/kvm/kvm.c):

    [HYPERV_FEAT_STIMER] = {
        .desc = "synthetic timers (hv-stimer)",
        .flags = {
            {.func = HV_CPUID_FEATURES, .reg = R_EAX,
             .bits = HV_SYNTIMERS_AVAILABLE}
        },
        .dependencies = BIT(HYPERV_FEAT_SYNIC) | BIT(HYPERV_FEAT_TIME)
    },

If transitivity is taken into account then the documentation is
of course correct (minus that one aforementioned special case).
Well, there's no need for us to implement transitional checks.
VIR_DOMAIN_HYPERV_STIMER requires VIR_DOMAIN_HYPERV_SYNIC and
whether that requires VIR_DOMAIN_HYPERV_VPINDEX is another
question.

Just drop the transitive check.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/837
Resolves: https://issues.redhat.com/browse/RHEL-138689
Fixes: da261327ea94300d1aa2d3b76ba9dcd4de6160f6
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
3 months ago qemu_validate: Drop VIR_DOMAIN_HYPERV_SYNIC dependency on VIR_DOMAIN_HYPERV_VPINDEX
Michal Privoznik [Tue, 6 Jan 2026 11:03:56 +0000 (12:03 +0100)] 
qemu_validate: Drop VIR_DOMAIN_HYPERV_SYNIC dependency on VIR_DOMAIN_HYPERV_VPINDEX

Turns out that the synic hyperv enlightenment does not always require
vpindex. Some (older) machine types (e.g. pc-i440fx-3.0,
pc-q35-3.0, pc-i440fx-rhel7.6.0) can run with synic enabled and vpindex
disabled. This is because they did enable 'x-hv-synic-kvm-only'
CPU property, but starting from QEMU commit v3.1.0-rc0~44^2~9 the
property is disabled by default.

To avoid parsing machine type version, let's just drop this
dependency validation and rely on QEMU to report sensible error
message.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/837
Resolves: https://issues.redhat.com/browse/RHEL-138689
Fixes: 1822d030c32d9857020ee8385b0a8808a29a472f
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
3 months ago libvirt-guests.service: use Type=exec
Antonio Terceiro [Mon, 22 Dec 2025 17:46:33 +0000 (14:46 -0300)] 
libvirt-guests.service: use Type=exec

Type=oneshot means that the service is only considered started after the
main process exits. In setups where libvirt-guests is configured to be
used and imposes a delay on the startup of guests, this will cause
systemd to report a quite high boot time as it will wait until all
guests have booted, plus all the delay between them. High boot times are
often reported as issues in monitoring systems, and require operator
attention, while in this case there is not really an issue with the
system, it's just doing what it was configured to do.

With Type=exec, the service is considered started right after the main
process is *started*, but the boot process will not wait for it.

Having other units depend on libvirt-guests.service finishing was
already not reliable because one cannot know how long the OS inside each
guest takes to boot, and libvirt-guests already does not wait for them
to be in any particular state.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
3 months ago tools: check for failure decoding secret base64 value
Daniel P. Berrangé [Mon, 5 Jan 2026 17:41:54 +0000 (17:41 +0000)] 
tools: check for failure decoding secret base64 value

The g_base64_decode function will return a valid pointer, but with
length of zero when it fails to decode data. Report an error in that
scenario, to avoid a later, more obscure error.

eg old behaviour

  # virsh secret-set-value  f52a81b2-424e-490c-823d-6bd4235bc507 foo
  warning: Passing secret value as command-line argument is insecure!
  error: Failed to set secret value
  error: value in virSecretSetValue must not be NULL

new behaviour

  # /home/berrange/virsh secret-set-value  f52a81b2-424e-490c-823d-6bd4235bc507 foo
  warning: Passing secret value as command-line argument is insecure!
  error: Secret value is not valid base64

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
3 months ago docs: fix broken UUID example
Daniel P. Berrangé [Mon, 5 Jan 2026 17:35:39 +0000 (17:35 +0000)] 
docs: fix broken UUID example

The UUID had only 11 characters in the last component, instead of the
required 12. Add the missing trailing '2' which is present in all the
other matching example UUIDs.

Reviewed-by: Arun Menon <armenon@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
3 months ago virjsontest: Add test for nesting depth
Peter Krempa [Mon, 5 Jan 2026 14:00:18 +0000 (15:00 +0100)] 
virjsontest: Add test for nesting depth

Add an example of 250 layer deep nested JSON to make sure the parser
supports it. This is in order to maintain compatibility with external
snapshots in qemu, where such a deeply nested document is returned with
a 'query-block' QMP call.

I've used a fake JSON as a real reply from qemu is around 1.4MiB for a
200 deep image chain.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago util: json: Increase JSON nesting limit when parsing to 300
Peter Krempa [Thu, 11 Dec 2025 08:39:03 +0000 (09:39 +0100)] 
util: json: Increase JSON nesting limit when parsing to 300

The default in json-c is 32 which is too low to accommodate the 200
snapshot layers we supported historically in the qemu driver (200 is
picked based on the 256 layer limit in libxml).

The response to 'query-block' is otherwise too low and we fail to start
the VM when there's around 26 images in a backing chain.

'json_tokener_new_ex' is supported since json-c 0.11 and we require at
least 0.14.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
3 months ago bhyve: rework capabilities probing
Roman Bogorodskiy [Thu, 1 Jan 2026 12:35:52 +0000 (13:35 +0100)] 
bhyve: rework capabilities probing

Currently, to probe PCI devices, for each device libvirt
calls "bhyve -s 0,<device_type>" and parses the error message to check
if this specific device is supported.

For quite some time, bhyve reports the list of devices using:

 bhyve -s help

where it prints all supported devices, one device per line.

Update the code to use this command:

 * It is more accurate as we don't need to rely on the error message
   parsing.
 * It's faster as we get all the devices in one run instead of
   running bhyve for every device type.
 * The code is simpler.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago tests: Remove temporary TZ parsing workaround
Martin Kletzander [Fri, 2 Jan 2026 09:11:28 +0000 (10:11 +0100)] 
tests: Remove temporary TZ parsing workaround

This partially reverts commit 3caa28dc50df which changed the DST times
to start at Jan 2 due to an issue that is already solved in GLib that we
require for almost a year now.

This also fixes the test failures that would go away on Jan 2 11:00
UTC (less than two hours from writing this commit message) due to the
timezone definitions (the last failing test case has a timezone which is
UTC+11:00), but because of the change from '0/' to '1/' it did occur on
a day which is not caught by isNearYearEnd() which exists solely for
this purpose.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
3 months ago news: Fix indentation
Andrea Bolognani [Sun, 28 Dec 2025 17:18:39 +0000 (18:18 +0100)] 
news: Fix indentation

This was causing the entry, as well as the next couple ones
following it, to render incorrectly.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
3 months ago network: Propagate DNS forwarder port into dnsmasq config
Michal Privoznik [Thu, 18 Dec 2025 08:59:31 +0000 (09:59 +0100)] 
network: Propagate DNS forwarder port into dnsmasq config

If a DNS forwarder has port specified then we ought to format it
into dnsmasq config. The correct syntax is

  server=/domain/ip-address#port

Closes: https://gitlab.com/libvirt/libvirt/-/issues/833
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
3 months ago network: Introduce port for DNS forwarder
Michal Privoznik [Wed, 17 Dec 2025 08:35:40 +0000 (09:35 +0100)] 
network: Introduce port for DNS forwarder

In the <dns/> section of network configuration users can set up
forwarding of DNS requests to custom DNS servers. These are
specified using 'addr' attribute. But configuring port wasn't
possible, until now. New 'port' attribute is introduced, which
allows overriding the default DNS port for given address.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
3 months ago bhyve: bhyvexml2argvtest: fix SLIRP tests
Roman Bogorodskiy [Wed, 17 Dec 2025 17:09:32 +0000 (18:09 +0100)] 
bhyve: bhyvexml2argvtest: fix SLIRP tests

Add test data changes that should have been added to the original
commit.

Fixes: ffa6b2e89247559ceada09e8f0ab1edb6c9dad71
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
3 months ago docs: drvbhyve: document SLIRP networking
Roman Bogorodskiy [Mon, 24 Nov 2025 18:35:00 +0000 (19:35 +0100)] 
docs: drvbhyve: document SLIRP networking

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
3 months ago bhyve: implement SLIRP networking
Roman Bogorodskiy [Sun, 11 May 2025 15:42:26 +0000 (17:42 +0200)] 
bhyve: implement SLIRP networking

Bhyve supports SLIRP networking using the following syntax:

 -s 12:0,e1000,slirp,mac=<macaddr>,open

Where "e1000" is a NIC model, "slirp" is the SLIRP backend and "open"
specifies open mode where external network is available to the guest.

The "open" mode is a recent addition in FreeBSD -CURRENT.
Unfortunately, bhyve does not provide a way to probe whether
the open mode is supported, so users will have to make sure
it's supported on their own.

For reference, without the "open" mode, the guest will have no
outside network connectivity. To make this mode useful,
it is possible to configure forwarding from the host to the guest,
but it is not covered by this patch.

Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
3 months ago tests: add capabilities for QEMU v10.1.0 on s390x
Shalini Chellathurai Saroja [Wed, 10 Dec 2025 09:14:03 +0000 (10:14 +0100)] 
tests: add capabilities for QEMU v10.1.0 on s390x

Let us introduce the capabilities for QEMU v10.1.0 on s390x.

Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
4 months ago virfiletest: Fix build on non-Linux
Jiri Denemark [Wed, 10 Dec 2025 12:10:00 +0000 (13:10 +0100)] 
virfiletest: Fix build on non-Linux

Fixes: 121d179e068b584f62ea2c029d89a44e67c909c0
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago util: Rework virFileIsSharedFSOverride using virFileCheckParents
Jiri Denemark [Fri, 5 Dec 2025 15:52:32 +0000 (16:52 +0100)] 
util: Rework virFileIsSharedFSOverride using virFileCheckParents

The newly introduced virFileCheckParents is generic enough to be used
for checking whether a specific path or any of its parents is included
in the overrides array.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago util: Fix race condition in virFileIsSharedFSOverride
Jiri Denemark [Fri, 5 Dec 2025 15:51:25 +0000 (16:51 +0100)] 
util: Fix race condition in virFileIsSharedFSOverride

Switch virFileIsSharedFSOverride to use virFileCheckParents to avoid a
race which could result in virFileCanonicalizePath being called on a
path that does not exist anymore.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago util: Fix race condition in virFileIsSharedFSType
Jiri Denemark [Fri, 5 Dec 2025 15:47:14 +0000 (16:47 +0100)] 
util: Fix race condition in virFileIsSharedFSType

virFileIsSharedFSType could end up calling statfs on a path that no
longer exists and return an error. If this happens for a path on a
shared filesystem, the caller may incorrectly consider the path as
non-shared.

Specifically, when starting a domain with TPM enabled and deciding
whether its vTPM state is stored on a shared storage, the race could
cause qemuTPMEmulatorBuildCommand to consider the state to be
non-shared. This means swtpm would be started without --migration even
when the state is actually stored on a shared storage and any attempt to
migrate such domain would fail with

    Operation not supported: the running swtpm does not support
    migration with shared storage

In fact, any caller of virFileGetExistingParent contained an inherent
TOCTOU race condition as the existing parent of a given path returned by
virFileGetExistingParent may no longer exist at the time the caller
wants to check it.

This patch introduces a new virFileCheckParents API which is almost
identical to virFileGetExistingParent, but uses a supplied callback to
check each path. This new API is used in virFileIsSharedFSType to avoid
the race. The old function will later be completely removed once all
callers are switched to the new one.

Fixes: 05526b50909ff50c16e13a0b5580d41de74e3d59
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
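
The callback-based parent walk described in the commit message above, as an added C sketch that is not libvirt's code: `check_parents`, `fs_probe` and `demo` are hypothetical names, `statvfs()` stands in for `statfs()`, and the race is simulated by removing a constructed temporary directory just before it is checked.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* Hypothetical callback type: 0 on success, -1 with errno set on failure. */
typedef int (*check_cb)(const char *path, void *opaque);

struct probe {
    char answered[128];  /* path the check actually succeeded on */
    const char *vanish;  /* constructed race: removed right before its check */
};

/* Walk from path towards "/"; only an ENOENT from the check itself moves
 * to the parent, so no earlier "exists" answer is trusted after the fact. */
static int check_parents(const char *path, check_cb cb, void *opaque)
{
    char buf[128], *slash;
    if (path[0] != '/' || strlen(path) >= sizeof(buf)) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    while (cb(buf, opaque) < 0) {
        if (errno != ENOENT || strcmp(buf, "/") == 0)
            return -1;                    /* real error: report, do not guess */
        slash = strrchr(buf, '/');
        *(slash == buf ? slash + 1 : slash) = '\0';   /* "/x" becomes "/" */
    }
    return 0;
}

/* The check itself; statvfs() stands in for the statfs() call in the commit. */
static int fs_probe(const char *path, void *opaque)
{
    struct probe *p = opaque;
    struct statvfs sv;
    if (p->vanish && strcmp(path, p->vanish) == 0) {
        rmdir(p->vanish);                 /* another process deletes it */
        p->vanish = NULL;
    }
    if (statvfs(path, &sv) < 0)
        return -1;                        /* ENOENT when the path is gone */
    snprintf(p->answered, sizeof(p->answered), "%s", path);
    return 0;
}

/* mode 0: two-step pattern (locate parent, check it later); returns 1 when
 *         the late check fails with ENOENT.
 * mode 1: single walk; returns 1 when it falls back to the surviving parent. */
static int demo(int mode)
{
    char base[] = "/tmp/toctou-demo-XXXXXX", dir[64], leaf[96];
    struct probe p = { "", NULL };
    struct statvfs sv;
    int res;
    if (!mkdtemp(base)) return -1;
    snprintf(dir, sizeof(dir), "%s/state", base);
    snprintf(leaf, sizeof(leaf), "%s/tpm2", dir);
    if (mkdir(dir, 0700) < 0) return -1;
    if (mode == 0) {
        res = check_parents(leaf, fs_probe, &p) == 0;  /* step 1: locate */
        rmdir(dir);                                    /* race window */
        res = res && statvfs(p.answered, &sv) < 0 && errno == ENOENT;
    } else {
        p.vanish = dir;
        res = check_parents(leaf, fs_probe, &p) == 0 &&
              strcmp(p.answered, base) == 0;
    }
    rmdir(base);
    return res;
}

int main(void)
{
    printf("two-step: %d, callback walk: %d\n", demo(0), demo(1));
    return 0;
}
```

In mode 0 the caller ends up with an ENOENT for a path that was reported as existing a moment earlier, which is the situation the commit says leads to a shared path being treated as non-shared; in mode 1 the same disappearance only moves the walk one level up.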
4 months ago tests: Test virFileIsSharedFSOverride
Jiri Denemark [Fri, 5 Dec 2025 14:09:15 +0000 (15:09 +0100)] 
tests: Test virFileIsSharedFSOverride

Technically virFileIsSharedFSOverride is available on any OS, but we
need a mocked realpath() to test it. Because the virfilemock library
also mocks statfs() which is only available on Linux, we don't even try
to load the library anywhere else. Thus we need to skip testing
virFileIsSharedFSOverride on non-Linux too.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago qemuMigrationParamsForSave: Don't take opaque 'flags'
Peter Krempa [Thu, 4 Dec 2025 17:09:05 +0000 (18:09 +0100)] 
qemuMigrationParamsForSave: Don't take opaque 'flags'

Similarly to previous commit, 'flags' is really opaque. The function
lives in migration code and similar functions there expect migration
flags. Here we get virDomainSaveRestoreFlags. Here at least the dump
code handles it properly and passes VIR_DOMAIN_SAVE_BYPASS_CACHE rather
than VIR_DUMP_BYPASS_CACHE.

Note: We, in many cases, encourage use of 'flags' instead of a bunch of
boolean parameters. Since C doesn't do proper type checks on enums and
in fact with 'flags' we pass a binary or of some flags rather than pure
options from the enum there isn't really an elegant solution that would
be enforced by the compiler and easy on eyes. With a bunch of booleans
at least anyone reading the code will need to look up the function
definition to see the header rather than assume that passing in 'flags'
is fine without properly checking *which* flags are accepted by the
function.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemuMigrationSrcToFile: Don't cross-contaminate 'flags' variable
Peter Krempa [Thu, 4 Dec 2025 16:40:33 +0000 (17:40 +0100)] 
qemuMigrationSrcToFile: Don't cross-contaminate 'flags' variable

The meaning of 'flags' is context dependent. 'qemuMigrationSrcToFile'
expects 'virDomainSaveRestoreFlags' rather than migration flags which is
not expected based on the location of the function.

Why this is wrong is clearly visible in 'doCoreDump' which passes in
'dump_flags' which are actually 'virDomainCoreDumpFlags' and the values
are different:

 VIR_DUMP_BYPASS_CACHE = (1 << 2)

 VIR_DOMAIN_SAVE_BYPASS_CACHE = 1 << 0

Since it checks only for VIR_DOMAIN_SAVE_BYPASS_CACHE pass it in as a
boolean instead.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago virsh: Add completer for '--image-format' option of 'save' command
Peter Krempa [Thu, 4 Dec 2025 14:38:06 +0000 (15:38 +0100)] 
virsh: Add completer for '--image-format' option of 'save' command

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago include: Create constants for save image format values
Peter Krempa [Thu, 4 Dec 2025 14:22:56 +0000 (15:22 +0100)] 
include: Create constants for save image format values

The 'VIR_DOMAIN_SAVE_PARAM_IMAGE_FORMAT' typed parameter for
'virDomainSaveParams' is implemented as a string but really encodes an
enumeration of supported types. We can't change the format any more but
can export the corresponding types as constants.

Additionally this also mentions the missing 'sparse' format.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemu: conf: Use proper type for (save|dump|snapshot)ImageFormat
Peter Krempa [Thu, 4 Dec 2025 13:49:17 +0000 (14:49 +0100)] 
qemu: conf: Use proper type for (save|dump|snapshot)ImageFormat

Extract the definition of the enum into a separate header file and
convert the config struct to use the proper types.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemu: Use 'virQEMUSaveFormat' type everywhere except qemu_conf
Peter Krempa [Thu, 4 Dec 2025 13:38:19 +0000 (14:38 +0100)] 
qemu: Use 'virQEMUSaveFormat' type everywhere except qemu_conf

Convert all code referring to the save image type to use the proper enum
value.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemuSnapshotPrepare: Prohibit 'manual' disk snapshot mode with VIR_DOMAIN_SNAPSHOT_CR...
Peter Krempa [Mon, 1 Dec 2025 15:50:09 +0000 (16:50 +0100)] 
qemuSnapshotPrepare: Prohibit 'manual' disk snapshot mode with VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE flag

If the snapshot has a disk using 'manual' snapshot mode we keep the VM
paused until the user resumes it (presumably after they've done steps to
take the disk snapshot).

Since quiescing is done via the guest agent this means it will not be
possible while the VM is paused.

Rather than trying to implement complex recovery from this state prevent
the use of VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE for the snapshot. The user
still can call virDomainFSFreeze/virDomainFSThaw manually.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemu: snapshot: Setup disks for manual snapshot only when the VM is actually paused
Peter Krempa [Mon, 1 Dec 2025 15:36:16 +0000 (16:36 +0100)] 
qemu: snapshot: Setup disks for manual snapshot only when the VM is actually paused

When creating a snapshot with 'VIR_DOMAIN_SNAPSHOT_CREATE_LIVE' the VM
is paused only after dumping the memory state.

This means that also the steps to do a 'manual' disk snapshot
(deactivation of the block nodes in qemu) must happen only once the VM
is paused.

Move the manual snapshot setup code after the memory snapshot code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemuMigrationSrcToFile: Don't leak 'qemuFDPass' in cleanup path
Peter Krempa [Tue, 2 Dec 2025 21:16:24 +0000 (22:16 +0100)] 
qemuMigrationSrcToFile: Don't leak 'qemuFDPass' in cleanup path

A temporary 'qemuFDPass' is used when cleaning up after a migration to a
file but it's not freed after use. Declare it as autoptr.

Fixes: c2518f7bc7d
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemu: Treat memory device source nodemask as strict NUMA policy
Michal Privoznik [Tue, 2 Dec 2025 11:26:28 +0000 (12:26 +0100)] 
qemu: Treat memory device source nodemask as strict NUMA policy

A memory device can have <nodemask/> which specifies which host
NUMA nodes the memory should be allocated from (currently
supported for dimm, virtio-mem and sgx-epc models).
But when generating corresponding command line for the device,
the NUMA policy is taken from the guest NUMA node that
corresponds to the memory device (as defined by target/node) or
overall domain NUMA policy (as defined by <numatune/>).

This may lead to memory being allocated from unexpected NUMA
node. For instance, if the memory device has
<nodemask>0</nodemask> and domain has <numatune> <memory
mode='preferred' nodeset='1'/> </numatune> then the cmd line for
the memory device also has just "policy":"preferred".

Treat <nodemask/> as mode='strict'.

But I agree that this is kind of nonsense configuration. Why
would somebody want to prefer one NUMA node but then configure
memory device to allocate NUMA from the other?

Resolves: https://issues.redhat.com/browse/RHEL-114415
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago qemuxmlconftest: Introduce memory-hotplug-numa-preferred test case
Michal Privoznik [Tue, 2 Dec 2025 11:20:02 +0000 (12:20 +0100)] 
qemuxmlconftest: Introduce memory-hotplug-numa-preferred test case

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago qemu.conf.in: Fix some typos
Jaak Ristioja [Fri, 5 Dec 2025 22:00:11 +0000 (00:00 +0200)] 
qemu.conf.in: Fix some typos

Signed-off-by: Jaak Ristioja <jaak@ristioja.ee>
4 months ago qemu: tpm: Account for possible migration without actually sharing storage
Peter Krempa [Mon, 1 Dec 2025 10:35:32 +0000 (11:35 +0100)] 
qemu: tpm: Account for possible migration without actually sharing storage

The current logic in 'qemuTPMEmulatorBuildCommand' skips all setup if
the *location* of the data is on what we'd consider shared storage.

This means that if the location is not actually shared (e.g. it's shared
between some other hosts than the two doing the migration) and the path
wasn't ever used (e.g. by migrating out) from the host where we're
migrating into the complete setup of the location would be skipped even
when it doesn't exist.

Fix the logic by skipping only some of the setup steps so that
'qemuTPMEmulatorCreateStorage' can still create the storage if it
doesn't exist.

The rest of the code then needs to take the 'created' flag returned from
'qemuTPMEmulatorCreateStorage' into account.

Fixes: 68103e9daf633b789428fedef56f816c92f6ee75
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago NEWS: Mention the passt hostname and fqdn attributes
Han Han via Devel [Fri, 5 Dec 2025 09:31:30 +0000 (17:31 +0800)] 
NEWS: Mention the passt hostname and fqdn attributes

Signed-off-by: Han Han <hhan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
4 months ago qemu: Use pci_bus to identify multi-smmuv3 model
Nathan Chen via Devel [Tue, 2 Dec 2025 19:59:47 +0000 (11:59 -0800)] 
qemu: Use pci_bus to identify multi-smmuv3 model

Use presence of non-negative pci_bus to identify multi-smmuv3
IOMMU model, instead of the niommus attribute. This allows for
specifying a single arm-smmuv3 on the qemu command line,
instead of both the virt-machine smmuv3 and arm-smmuv3
being specified at the same time.

Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Fixes: e70c4d54d365 conf: Support multiple device-pluggable smmuv3 IOMMUs
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago tests: add test for a single per-device smmuv3
Ján Tomko [Fri, 5 Dec 2025 07:50:51 +0000 (08:50 +0100)] 
tests: add test for a single per-device smmuv3

Signed-off-by: Ján Tomko <jtomko@redhat.com>
4 months ago ci: refresh with 'lcitool manifest'
Michal Privoznik [Wed, 3 Dec 2025 15:34:18 +0000 (16:34 +0100)] 
ci: refresh with 'lcitool manifest'

Update FreeBSD to their new minor versions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
4 months ago lib: Avoid changing const strings via strchr() and friends
Michal Privoznik [Wed, 26 Nov 2025 13:50:11 +0000 (14:50 +0100)] 
lib: Avoid changing const strings via strchr() and friends

There's a new commit in glibc [1] which makes memchr(), strchr(),
strrchr(), strpbrk() and strstr() reflect type of the input
string. If it's a constant string, then the return type of these
functions is also 'const char *'. But this change tickles
-Wincompatible-pointer-types-discards-qualifiers warning.

And indeed, there are some places where we use a 'char *' typed
variable to store the retval, or even misuse the fact 'char *' is
returned and modify const string.

To fix this, a couple of different approaches are used:

  a) switch variable type to 'const char *',
  b) switch argument to 'char *' (in a few places we have
     strdup()-ed the const string already),
  c) strdup() the string and use b).

1: https://sourceware.org/git/?p=glibc.git;a=commit;h=cd748a63ab1a7ae846175c532a3daab341c62690
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago iptablesPrivateChainCreate: Avoid modifying const string
Michal Privoznik [Thu, 27 Nov 2025 11:23:46 +0000 (12:23 +0100)] 
iptablesPrivateChainCreate: Avoid modifying const string

The iptablesPrivateChainCreate() function is given an array of
const strings. This constitutes a promise to the caller that the
data is not modified. But inside the data is modified anyway (to
cut out some parts of the data). Well, with help from
g_strdup() the promise can be kept.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago iptablesPrivateChainCreate: Switch to STRSKIP()
Michal Privoznik [Wed, 26 Nov 2025 14:05:50 +0000 (15:05 +0100)] 
iptablesPrivateChainCreate: Switch to STRSKIP()

The body of iptablesPrivateChainCreate() uses STRPREFIX() to
match strings starting with certain prefix. Then it uses pointer
arithmetic to skip the prefix. Well, that's exactly what
STRSKIP() is meant to do. Switch the body to use the latter.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago iptablesPrivateChainCreate: Rename @tmp variable
Michal Privoznik [Wed, 26 Nov 2025 15:32:11 +0000 (16:32 +0100)] 
iptablesPrivateChainCreate: Rename @tmp variable

The iptablesPrivateChainCreate() function gets a NULL terminated
array of strings (@lines argument), each item representing one
line of iptables output. Currently, the variable used to iterate
over the array is named 'tmp' which is not very descriptive.
Rename it to 'line'.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago virSkipSpacesBackwards: Turn @endp into const
Michal Privoznik [Wed, 26 Nov 2025 09:05:49 +0000 (10:05 +0100)] 
virSkipSpacesBackwards: Turn @endp into const

The aim of virSkipSpacesBackwards() is to find the first trailing
space character in the given string. For instance, if the input is
"Something whitespacey   ", then the output should be pointing to
the very first space after "y".

Problem here is that the input string is constant, but the
returned pointer is non-constant. This is confusing, a caller
shouldn't be able to modify the string, since the input was a
constant string.

Therefore, make the function return a const pointer too.

Under the hood the function used virTrimSpaces() which under some
circumstances could modify the input string. A trick was used to
hide this fact away, but to be double sure rewrite the function's
body.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago virfirewalltest: Introduce testIPtablesSetupPrivateChains()
Michal Privoznik [Wed, 26 Nov 2025 20:40:06 +0000 (21:40 +0100)] 
virfirewalltest: Introduce testIPtablesSetupPrivateChains()

When the network driver starts up it may inject some firewall
rules (e.g. for a network with NAT). So far, this scenario wasn't
covered in our test suite. The reason for adding this test is
twofold: the first, check we add correct rules, the second is to
cover iptablesPrivateChainCreate() as its implementation is soon
to be changed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago virstringtest: Introduce a test for virSkipSpacesBackwards()
Michal Privoznik [Wed, 26 Nov 2025 09:05:23 +0000 (10:05 +0100)] 
virstringtest: Introduce a test for virSkipSpacesBackwards()

The signature and implementation of virSkipSpacesBackwards() is
soon about to change. Introduce a test case to make sure its
behaviour stays the same.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago vircommand: Update documentation to virCommandSetDryRun()
Michal Privoznik [Wed, 26 Nov 2025 19:41:47 +0000 (20:41 +0100)] 
vircommand: Update documentation to virCommandSetDryRun()

Throughout the years, virCommandSetDryRun() has gained more
functionality and arguments. But:

1) not all arguments are covered in documentation,
2) the example wouldn't even compile.

Expand the documentation to reflect current behaviour.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
4 months ago cpu_map: update vmx-* features
Hector Cao [Mon, 24 Nov 2025 13:40:30 +0000 (14:40 +0100)] 
cpu_map: update vmx-* features

The vmx-* features are currently decoded from the lower 32 bits
(EAX) of the 64-bit MSR values. They should instead be decoded
from the higher 32 bits (EDX).

Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago cpu_map: fix sync script to extract correctly vmx-* features
Hector Cao [Mon, 24 Nov 2025 13:40:29 +0000 (14:40 +0100)] 
cpu_map: fix sync script to extract correctly vmx-* features

The src/cpu_map/x86_features.xml file contains the definition
of all x86 CPU features. These definitions specify how we can
decode the feature support from the CPUID or MSR values.

The helper script sync_qemu_features_i386.py builds the
x86_features.xml file from QEMU source code to be in sync
with supported features in QEMU. This helper script parses
QEMU target/i386/cpu.c file looking for CPU feature definitions
and converts them into x86_features.xml contents.

This is the resulting definition for the vmx-intr-exit feature
encoded in the MSR 0x48d.

  <!-- msr 0x0000048d -->
  <feature name='vmx-intr-exit'>
    <msr index='0x0000048d' edx='0x00000000' eax='0x00000001'/>
  </feature>

EAX holds the lower 32 bits of the 64-bit MSR value and should
not be used to detect the VMX-* features. Indeed, VMX-* bit
position should be parsed from QEMU source code in the higher
32 bits of the corresponding MSR value.

This commit fixes this issue by using the 32 higher bits (EDX)
to represent VMX-* features.

Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago spec: Fix RPM build when %{fedora} is undefined
Jiri Denemark [Mon, 1 Dec 2025 12:09:20 +0000 (13:09 +0100)] 
spec: Fix RPM build when %{fedora} is undefined

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago Post-release version bump to 12.0.0
Jiri Denemark [Mon, 1 Dec 2025 10:59:59 +0000 (11:59 +0100)] 
Post-release version bump to 12.0.0

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago Release of libvirt-11.10.0 v11.10.0
Jiri Denemark [Mon, 1 Dec 2025 10:57:01 +0000 (11:57 +0100)] 
Release of libvirt-11.10.0

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago Translated using Weblate (Spanish)
Fco. Javier F. Serrador [Sun, 30 Nov 2025 17:58:33 +0000 (17:58 +0000)] 
Translated using Weblate (Spanish)

Currently translated at 79.1% (8713 of 11005 strings)

Translation: libvirt/libvirt
Translate-URL: https://translate.fedoraproject.org/projects/libvirt/libvirt/es/

Signed-off-by: "Fco. Javier F. Serrador" <fserrador@gmail.com>
4 months ago NEWS: Mention CVE-2025-13193 and improvements for block stats/config and backups
Peter Krempa [Fri, 28 Nov 2025 14:54:30 +0000 (15:54 +0100)] 
NEWS: Mention CVE-2025-13193 and improvements for block stats/config and backups

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
4 months ago rpm: disable QEMU driver on non-64-bit arches for Fedora >= 44
Daniel P. Berrangé [Thu, 27 Nov 2025 14:10:22 +0000 (14:10 +0000)] 
rpm: disable QEMU driver on non-64-bit arches for Fedora >= 44

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>