qemu_validate: Drop VIR_DOMAIN_HYPERV_SYNIC dependency on VIR_DOMAIN_HYPERV_VPINDEX
Turns out that the synic hyperv enlightenment does not always require
vpindex. Some (older) machine types (e.g. pc-i440fx-3.0,
pc-q35-3.0, pc-i440fx-rhel7.6.0) can run with synic enabled and vpindex
disabled. This is because they did enable 'x-hv-synic-kvm-only'
CPU property, but starting from QEMU commit v3.1.0-rc0~44^2~9 the
property is disabled by default.
To avoid parsing machine type version, let's just drop this
dependency validation and rely on QEMU to report sensible error
message.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/837
Resolves: https://issues.redhat.com/browse/RHEL-138689
Fixes: 1822d030c32d9857020ee8385b0a8808a29a472f
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Antonio Terceiro [Mon, 22 Dec 2025 17:46:33 +0000 (14:46 -0300)]
libvirt-guests.service: use Type=exec
Type=oneshot means that the service is only considered started after the
main process exits. In setups where libvirt-guests is configured to be
used and imposes a delay on the startup of guests, this will cause
systemd to report a quite high boot time as it will wait until all
guests have booted, plus all the delay between them. High boot times are
often reported as issues in monitoring systems, and require operator
attention, while in this case there is not really an issue with the
system, it's just doing what it was configured to do.
With Type=exec, the service is considered started right after the main
process is *started*, but the boot process will not wait for it.
Having other units depend on libvirt-guests.service finishing was
already not reliable because one cannot know how long the OS inside each
guest takes to boot, and libvirt-guests already does not wait for them
to be in any particular state.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Antonio Terceiro <terceiro@debian.org>
tools: check for failure decoding secret base64 value
The g_base64_decode function will return a valid pointer, but with
length of zero when it fails to decode data. Report an error in that
scenario, to avoid a later, more obscure error.
eg old behaviour
# virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc507 foo
warning: Passing secret value as command-line argument is insecure!
error: Failed to set secret value
error: value in virSecretSetValue must not be NULL
new behaviour
# /home/berrange/virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc507 foo
warning: Passing secret value as command-line argument is insecure!
error: Secret value is not valid base64
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
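The commit above works around the fact that g_base64_decode() signals a decoding failure only by a zero output length. As an added example (not libvirt or GLib code), here is a strict base64 decoder that returns an explicit error for malformed input, so a caller such as secret-set-value can fail early with a clear message rather than hand an empty or partial secret to the daemon. All function names are invented for this example and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libvirt code: a strict RFC 4648 base64 decoder that
 * returns an explicit error for malformed input instead of an empty buffer.
 * Rules enforced: length is a multiple of 4, only alphabet characters,
 * '=' padding only in the last one or two positions of the final group. */

static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Returns 0 on success with a malloc'd buffer in *out (never NULL, even for
 * zero-length output) and its size in *outlen; returns -1 on invalid input. */
int b64_decode_strict(const char *in, unsigned char **out, size_t *outlen)
{
    size_t len = strlen(in);
    if (len % 4 != 0)
        return -1;

    unsigned char *buf = malloc(len / 4 * 3 + 1);
    if (!buf)
        return -1;

    size_t o = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t acc = 0;
        int npad = 0;
        for (int k = 0; k < 4; k++) {
            int c = (unsigned char)in[i + k];
            if (c == '=') {
                /* padding only in positions 2 and 3 of the final group */
                if (i + 4 != len || k < 2)
                    goto bad;
                npad++;
                acc <<= 6;
            } else {
                int v = b64_value(c);
                if (v < 0 || npad)       /* bad character, or data after '=' */
                    goto bad;
                acc = (acc << 6) | (uint32_t)v;
            }
        }
        buf[o++] = (acc >> 16) & 0xff;
        if (npad < 2) buf[o++] = (acc >> 8) & 0xff;
        if (npad < 1) buf[o++] = acc & 0xff;
    }
    *out = buf;
    *outlen = o;
    return 0;

bad:
    free(buf);
    return -1;
}

/* Helper: decoded length, or -1 when the input is not valid base64. */
int b64_decoded_len(const char *in)
{
    unsigned char *buf;
    size_t n;
    if (b64_decode_strict(in, &buf, &n) < 0)
        return -1;
    free(buf);
    return (int)n;
}

/* Helper: 1 if 'in' decodes exactly to the bytes of 'expect', else 0. */
int b64_decodes_to(const char *in, const char *expect)
{
    unsigned char *buf;
    size_t n;
    if (b64_decode_strict(in, &buf, &n) < 0)
        return 0;
    int ok = n == strlen(expect) && memcmp(buf, expect, n) == 0;
    free(buf);
    return ok;
}

int main(int argc, char **argv)
{
    /* "foo" is the same non-base64 input as in the commit's example */
    const char *value = argc > 1 ? argv[1] : "foo";
    if (b64_decoded_len(value) < 0) {
        fprintf(stderr, "error: Secret value is not valid base64\n");
        return 1;
    }
    printf("decoded %d byte(s)\n", b64_decoded_len(value));
    return 0;
}
```

Note that "foo" is rejected on the length check alone; the inner checks catch the subtler cases (a non-alphabet byte, data after a '=' or padding in the wrong group) that a lenient decoder may silently truncate.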
The UUID had only 11 characters in the last component, instead of the
required 12. Add the missing trailing '2' which is present in all the
other matching example UUIDs.
Reviewed-by: Arun Menon <armenon@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Mon, 5 Jan 2026 14:00:18 +0000 (15:00 +0100)]
virjsontest: Add test for nesting depth
Add an example of 250 layer deep nested JSON to make sure the parser
supports it. This is in order to maintain compatibility with external
snapshots in qemu, where such a deeply nested document is returned with
a 'query-block' QMP call.
I've used a fake JSON as a real reply from qemu is around 1.4MiB for a
200 deep image chain.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 11 Dec 2025 08:39:03 +0000 (09:39 +0100)]
util: json: Increase JSON nesting limit when parsing to 300
The default in json-c is 32 which is too low to accommodate the 200
snapshot layers we supported historically in the qemu driver (200 is
picked based on the 256 layer limit in libxml).
The response to 'query-block' is otherwise too low and we fail to start
the VM when there's around 26 images in a backing chain.
'json_tokener_new_ex' is supported since json-c 0.11 and we require at
least 0.14.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
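The two commits above raise the parser's nesting limit and add a deeply nested fixture. As an added example (not libvirt or json-c code), the following measures the bracket depth of a JSON text without parsing it, so that a document exceeding the configured limit can be rejected with a precise error before the tokenizer gives up part way through. The depth values (32 as json-c's default, 300 as the new libvirt limit) come from the commit text; the observation that a long backing chain nests one object per image is from QEMU's query-block output format, not from the page. Names are invented and the sample documents are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libvirt or json-c code. json_max_depth() measures how
 * deeply objects/arrays nest in a JSON text, skipping over string contents
 * (so brackets inside "..." do not count and \" does not end the string).
 * Returns the depth, or -1 for unbalanced brackets or an unterminated
 * string. */
int json_max_depth(const char *text)
{
    int depth = 0, max = 0, in_string = 0, escaped = 0;

    for (const char *p = text; *p; p++) {
        if (in_string) {
            if (escaped)
                escaped = 0;
            else if (*p == '\\')
                escaped = 1;
            else if (*p == '"')
                in_string = 0;
            continue;
        }
        switch (*p) {
        case '"':
            in_string = 1;
            break;
        case '{':
        case '[':
            if (++depth > max)
                max = depth;
            break;
        case '}':
        case ']':
            if (--depth < 0)
                return -1;
            break;
        default:
            break;
        }
    }
    return (in_string || depth != 0) ? -1 : max;
}

/* 1 if the document is well-bracketed and at most 'limit' levels deep. */
int json_depth_ok(const char *text, int limit)
{
    int d = json_max_depth(text);
    return d >= 0 && d <= limit;
}

/* Builds a synthetic "[[[...]]]" document of the given depth, in the spirit
 * of the fake 250-level fixture the test commit above adds (a real
 * 'query-block' reply nests one 'backing-image' object per image in the
 * chain, which is why the depth grows with chain length). Caller frees. */
char *json_nested(int depth)
{
    char *s = malloc((size_t)depth * 2 + 1);
    if (!s)
        return NULL;
    memset(s, '[', (size_t)depth);
    memset(s + depth, ']', (size_t)depth);
    s[depth * 2] = '\0';
    return s;
}

/* Convenience: build a 'depth'-level document and test it against 'limit'. */
int json_nested_depth_ok(int depth, int limit)
{
    char *s = json_nested(depth);
    int ok = s && json_depth_ok(s, limit);
    free(s);
    return ok;
}
```

A pre-check like this is also the cheap way to bound recursion in a hand-written parser: a 250-level document passes the 300 limit, but a hostile reply with thousands of opening brackets is refused in one linear pass.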
Currently, to probe PCI devices, for each device libvirt
calls "bhyve -s 0,<device_type>" and parses the error message to check
if this specific device is supported.
For quite some time, bhyve reports the list of devices using:
bhyve -s help
where it prints all supported devices, one device per line.
Update the code to use this command:
* It is more accurate as we don't need to rely on the error message
parsing.
* It's faster as we get all the devices in one run instead of
running bhyve for every device type.
* The code is simpler.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This partially reverts commit 3caa28dc50df which changed the DST times
to start at Jan 2 due to an issue that is already solved in GLib that we
require for almost a year now.
This also fixes the test failures that would go away on Jan 2 11:00
UTC (less than two hours from writing this commit message) due to the
timezone definitions (the last failing test case has a timezone which is
UTC+11:00), but because of the change from '0/' to '1/' it did occur on
a day which is not caught by isNearYearEnd() which exists solely for
this purpose.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Thu, 18 Dec 2025 08:59:31 +0000 (09:59 +0100)]
network: Propagate DNS forwarder port into dnsmasq config
If a DNS forwarder has port specified then we ought to format it
into dnsmasq config. The correct syntax is
server=/domain/ip-address#port
Closes: https://gitlab.com/libvirt/libvirt/-/issues/833
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Michal Privoznik [Wed, 17 Dec 2025 08:35:40 +0000 (09:35 +0100)]
network: Introduce port for DNS forwarder
In the <dns/> section of network configuration users can set up
forwarding of DNS requests to custom DNS servers. These are
specified using 'addr' attribute. But configuring port wasn't
possible, until now. New 'port' attribute is introduced, which
allows overriding the default DNS port for given address.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Bhyve supports SLIRP networking using the following syntax:
-s 12:0,e1000,slirp,mac=<macaddr>,open
Where "e1000" is a NIC model, "slirp" is the SLIRP backend and "open"
specifies open mode where external network is available to the guest.
The "open" mode is a recent addition in FreeBSD -CURRENT.
Unfortunately, bhyve does not provide a way to probe whether
the open mode is supported, so users will have to make sure
it's supported on their own.
For the reference, without the "open" mode, the guest will have no
outside network connectivity. To make this mode useful,
it is possible to configure forwarding from the host to the guest,
but it is not covered by this patch.
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Jiri Denemark [Fri, 5 Dec 2025 15:52:32 +0000 (16:52 +0100)]
util: Rework virFileIsSharedFSOverride using virFileCheckParents
The newly introduced virFileCheckParents is generic enough to be used
for checking whether a specific path or any of its parents is included
in the overrides array.
Jiri Denemark [Fri, 5 Dec 2025 15:51:25 +0000 (16:51 +0100)]
util: Fix race condition in virFileIsSharedFSOverride
Switch virFileIsSharedFSOverride to use virFileCheckParents to avoid a
race which could result in virFileCanonicalizePath to be called on a
path that does not exist anymore.
Jiri Denemark [Fri, 5 Dec 2025 15:47:14 +0000 (16:47 +0100)]
util: Fix race condition in virFileIsSharedFSType
virFileIsSharedFSType could end up calling statfs on a path that no
longer exists and return an error. If this happens for a path on a
shared filesystem, the caller may incorrectly consider the path as
non-shared.
Specifically, when starting a domain with TPM enabled and deciding
whether its vTPM state is stored on a shared storage, the race could
cause qemuTPMEmulatorBuildCommand to consider the state to be
non-shared. This means swtpm would be started without --migration even
when the state is actually stored on a shared storage and any attempt to
migrate such domain would fail with
Operation not supported: the running swtpm does not support
migration with shared storage
In fact, any caller of virFileGetExistingParent contained an inherent
TOCTOU race condition as the existing parent of a given path returned by
virFileGetExistingParent may no longer exist at the time the caller
wants to check it.
This patch introduces a new virFileCheckParents API which is almost
identical to virFileGetExistingParent, but uses a supplied callback to
check each path. This new API is used in virFileIsSharedFSType to avoid
the race. The old function will later be completely removed once all
callers are switched to the new one.
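The race described above comes from splitting "find the existing parent" and "check it" into two calls. As an added example (not libvirt code), the following is a callback-driven parent walk in the spirit of the virFileCheckParents() API the commit introduces: the callback is asked about the path itself and then each parent, and because the existence test and the actual check happen inside one callback invocation there is no window for the path to vanish between them. The statfs() stand-in, the mount table and the shared-storage answers are constructed for the demo; the real callback would call statfs() and map ENOENT to "try the parent".

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not libvirt code. check_parents() walks from 'path' up to
 * the root, calling 'cb' on each candidate. The callback returns -1 to mean
 * "does not exist, try the parent"; any other value ends the walk and is
 * returned to the caller. Returns -1 if no ancestor answered. */
typedef int (*parent_check_cb)(const char *path, void *opaque);

int check_parents(const char *path, parent_check_cb cb, void *opaque)
{
    size_t n = strlen(path) + 1;
    char *p = malloc(n);
    if (!p)
        return -1;
    memcpy(p, path, n);

    for (;;) {
        int rc = cb(p, opaque);
        if (rc != -1) {
            free(p);
            return rc;
        }
        if (strcmp(p, "/") == 0)      /* nothing above the root */
            break;
        char *slash = strrchr(p, '/');
        if (!slash)                   /* relative path ran out of components */
            break;
        if (slash == p)
            p[1] = '\0';              /* "/foo" -> "/" */
        else
            *slash = '\0';            /* "/a/b/c" -> "/a/b" */
    }
    free(p);
    return -1;
}

/* Constructed stand-in for statfs(): which paths exist and whether each is
 * on a shared filesystem. In real code the callback would statfs() the path,
 * return -1 on ENOENT and otherwise classify f_type. */
struct fake_mount { const char *path; int shared; };
static const struct fake_mount FAKE_FS[] = {
    { "/", 0 },
    { "/var", 0 },
    { "/var/lib", 0 },
    { "/var/lib/libvirt/swtpm", 1 },   /* pretend this is an NFS mount */
    { NULL, 0 },
};

static int fake_is_shared_cb(const char *path, void *opaque)
{
    (void)opaque;
    for (const struct fake_mount *m = FAKE_FS; m->path; m++)
        if (strcmp(m->path, path) == 0)
            return m->shared;
    return -1;   /* "ENOENT": ask about the parent */
}

/* 1 = on shared storage, 0 = local, -1 = no existing ancestor found. */
int fake_is_shared_fs(const char *path)
{
    return check_parents(path, fake_is_shared_cb, NULL);
}
```

With this shape, a vTPM state directory that does not exist yet (the first start of a domain on this host) is classified by the first ancestor that does, and a concurrent removal of that ancestor simply moves the walk one level up instead of producing a spurious "not shared" answer.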
Jiri Denemark [Fri, 5 Dec 2025 14:09:15 +0000 (15:09 +0100)]
tests: Test virFileIsSharedFSOverride
Technically virFileIsSharedFSOverride is available on any OS, but we
need a mocked realpath() to test it. Because the virfilemock library
also mocks statfs() which is only available on Linux, we don't even try
to load the library anywhere else. Thus we need to skip testing
virFileIsSharedFSOverride on non-Linux too.
Peter Krempa [Thu, 4 Dec 2025 17:09:05 +0000 (18:09 +0100)]
qemuMigrationParamsForSave: Don't take opaque 'flags'
Similarly to the previous commit, 'flags' is really opaque. The function
lives in migration code and similar functions there expect migration
flags. Here we get virDomainSaveRestoreFlags. Here at least the dump
code handles it properly and passes VIR_DOMAIN_SAVE_BYPASS_CACHE rather
than VIR_DUMP_BYPASS_CACHE.
Note: We, in many cases, encourage use of 'flags' instead of a bunch of
boolean parameters. Since C doesn't do proper type checks on enums and
in fact with 'flags' we pass a binary or of some flags rather than pure
options from the enum there isn't really an elegant solution that would
be enforced by the compiler and easy on eyes. With a bunch of booleans
at least anyone reading the code will need to look up the function
definition to see the header rather than assume that passing in 'flags'
is fine without properly checking *which* flags are accepted by the
function.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
The meaning of 'flags' is context dependent. 'qemuMigrationSrcToFile'
expects 'virDomainSaveRestoreFlags' rather than migration flags which is
not expected based on the location of the function.
Why this is wrong is clearly visible in 'doCoreDump' which passes in
'dump_flags' which are actually 'virDomainCoreDumpFlags' and the values
are different:
VIR_DUMP_BYPASS_CACHE = (1 << 2)
VIR_DOMAIN_SAVE_BYPASS_CACHE = 1 << 0
Since it checks only for VIR_DOMAIN_SAVE_BYPASS_CACHE pass it in as a
boolean instead.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Thu, 4 Dec 2025 14:22:56 +0000 (15:22 +0100)]
include: Create constants for save image format values
The 'VIR_DOMAIN_SAVE_PARAM_IMAGE_FORMAT' typed parameter for
'virDomainSaveParams' is implemented as a string but really encodes an
enumeration of supported types. We can't change the format any more but
can export the corresponding types as constants.
Additionally this also mentions the missing 'sparse' format.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 1 Dec 2025 15:50:09 +0000 (16:50 +0100)]
qemuSnapshotPrepare: Prohibit 'manual' disk snapshot mode with VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE flag
If the snapshot has a disk using 'manual' snapshot mode we keep the VM
paused until the user resumes it (presumably after they've done steps to
take the disk snapshot).
Since quiescing is done via the guest agent this means it will not be
possible while the VM is paused.
Rather than trying to implement complex recovery from this state prevent
the use of VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE for the snapshot. The user
still can call virDomainFSFreeze/virDomainFSThaw manually.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu: Treat memory device source nodemask as strict NUMA policy
A memory device can have <nodemask/> which specifies which host
NUMA nodes the memory should be allocated from (currently
supported for dimm, virtio-mem and sgx-epc models).
But when generating corresponding command line for the device,
the NUMA policy is taken from the guest NUMA node that
corresponds to the memory device (as defined by target/node) or
overall domain NUMA policy (as defined by <numatune/>).
This may lead to memory being allocated from unexpected NUMA
node. For instance, if the memory device has
<nodemask>0</nodemask> and domain has <numatune> <memory
mode='preferred' nodeset='1'/> </numatune> then the cmd line for
the memory device also has just "policy":"preferred".
Treat <nodemask/> as mode='strict'.
But I agree that this is kind of nonsense configuration. Why
would somebody want to prefer one NUMA node but then configure
memory device to allocate NUMA from the other?
Resolves: https://issues.redhat.com/browse/RHEL-114415
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 1 Dec 2025 10:35:32 +0000 (11:35 +0100)]
qemu: tpm: Account for possible migration without actually sharing storage
The current logic in 'qemuTPMEmulatorBuildCommand' skips all setup if
the *location* of the data is on what we'd consider shared storage.
This means that if the location is not actually shared (e.g. it's shared
between some other hosts than the two doing the migration) and the path
wasn't ever used (e.g. by migrating out) from the host where we're
migrating into the complete setup of the location would be skipped even
when it doesn't exist.
Fix the logic by skipping only some of the setup steps so that
'qemuTPMEmulatorCreateStorage' can still create the storage if it
doesn't exist.
The rest of the code then needs to take the 'created' flag returned from
'qemuTPMEmulatorCreateStorage' into account.
Fixes: 68103e9daf633b789428fedef56f816c92f6ee75
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Use presence of non-negative pci_bus to identify multi-smmuv3
IOMMU model, instead of the niommus attribute. This allows for
specifying a single arm-smmuv3 on the qemu command line,
instead of both the virt-machine smmuv3 and arm-smmuv3
being specified at the same time.
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Fixes: e70c4d54d365 conf: Support multiple device-pluggable smmuv3 IOMMUs
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 13:50:11 +0000 (14:50 +0100)]
lib: Avoid changing const strings via strchr() and friends
There's new commit in glibc [1] which makes memchr(), strchr(),
strrchr(), strpbrk() and strstr() reflect type of the input
string. If it's a constant string, then the return type of these
functions is also 'const char *'. But this change tickles
-Wincompatible-pointer-types-discards-qualifiers warning.
And indeed, there are some places where we use a 'char *' typed
variable to store the retval, or even misuse the fact 'char *' is
returned and modify const string.
To fix this, a couple of different approaches are used:
a) switch variable type to 'const char *',
b) switch argument to 'char *' (in a few places we have
strdup()-ed the const string already),
c) strdup() the string and use b).
1: https://sourceware.org/git/?p=glibc.git;a=commit;h=cd748a63ab1a7ae846175c532a3daab341c62690
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The iptablesPrivateChainCreate() function is given an array of
const strings. This constitutes a promise to the caller that the
data is not modified. But inside the data is modified anyway (to
cut out some parts of the data). Well, with a help from
g_strdup() the promise can be kept.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 14:05:50 +0000 (15:05 +0100)]
iptablesPrivateChainCreate: Switch to STRSKIP()
The body of iptablesPrivateChainCreate() uses STRPREFIX() to
match strings starting with certain prefix. Then it uses pointer
arithmetic to skip the prefix. Well, that's exactly what
STRSKIP() is meant to do. Switch the body to use the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 15:32:11 +0000 (16:32 +0100)]
iptablesPrivateChainCreate: Rename @tmp variable
The iptablesPrivateChainCreate() function gets a NULL terminated
array of strings (@lines argument), each item representing one
line of iptables output. Currently, the variable used to iterate
over the array is named 'tmp' which is not very descriptive.
Rename it to 'line'.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Wed, 26 Nov 2025 09:05:49 +0000 (10:05 +0100)]
virSkipSpacesBackwards: Turn @endp into const
The aim of virSkipSpacesBackwards() is to find the first trailing
space character in a given string. For instance, if the input is
"Something whitespacey ", then the output should be pointing to
the very first space after "y".
Problem here is that the input string is constant, but the
returned pointer is non-constant. This is confusing, a caller
shouldn't be able to modify the string, since the input was a
constant string.
Therefore, make the function return a const pointer too.
Under the hood the function used virTrimSpaces() which under some
circumstances could modify the input string. A trick was used to
hide this fact away, but to be double sure rewrite the function's
body.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
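The "lib: Avoid changing const strings via strchr() and friends" commit and the virSkipSpacesBackwards() commit above address the same const-correctness problem from two sides. As an added example (not libvirt code), the functions below show the three fixes the first commit lists and the const-returning scan the second one describes: keep the search result 'const' when it is only read, duplicate the string before cutting it, and return a 'const char *' from a scan over const input so callers cannot write through it. All names are invented for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libvirt code. With glibc's const-preserving strchr(),
 * strrchr() and strstr(), a 'char *' holding the result of a search over a
 * 'const char *' no longer compiles cleanly, and code that wrote through
 * such a pointer was mutating data it had promised not to touch. */

/* Approach (a): the result is only read, so store it as 'const char *'.
 * Returns the text after the first '=' in a "key=value" line, or NULL. */
const char *value_of(const char *line)
{
    const char *eq = strchr(line, '=');
    return eq ? eq + 1 : NULL;
}

/* Approach (c): the caller wants the key as its own NUL-terminated string,
 * which needs a write into the buffer, so duplicate and cut the copy.
 * (Writing '\0' through strchr(line, '=') on the const input is exactly the
 * misuse the glibc change now flags.) Caller frees. */
char *key_of_dup(const char *line)
{
    size_t n = strlen(line) + 1;
    char *copy = malloc(n);
    if (!copy)
        return NULL;
    memcpy(copy, line, n);
    char *eq = strchr(copy, '=');      /* non-const input, non-const result */
    if (eq)
        *eq = '\0';
    return copy;
}

/* Const-returning scan, the shape virSkipSpacesBackwards() takes after the
 * commit above: for "Something whitespacey " return a pointer to the first
 * trailing space (or to the NUL when there is no trailing whitespace).
 * The input is never modified and the result cannot be used to modify it. */
const char *skip_spaces_backwards(const char *str)
{
    const char *end = str + strlen(str);
    while (end > str && isspace((unsigned char)end[-1]))
        end--;
    return end;
}

/* Length of 'str' with trailing whitespace excluded. */
size_t trimmed_len(const char *str)
{
    return (size_t)(skip_spaces_backwards(str) - str);
}

/* Check helper: 1 if key_of_dup(line) yields 'expect'. */
int key_is(const char *line, const char *expect)
{
    char *k = key_of_dup(line);
    int ok = k && strcmp(k, expect) == 0;
    free(k);
    return ok;
}
```

Approach (b) from the commit, changing the parameter to 'char *', is the same as key_of_dup() with the duplication pushed to the caller; it is only safe when every caller really owns a writable copy, which is why the const-promise on the iptables output array was better kept with a duplicate.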
When the network driver starts up it may inject some firewall
rules (e.g. for a network with NAT). So far, this scenario wasn't
covered in our test suite. The reason for adding this test is
twofold: the first, check we add correct rules, the second is to
cover iptablesPrivateChainCreate() as its implementation is soon
to be changed.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Tested-by: Jaroslav Suchanek <jsuchane@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Hector Cao [Mon, 24 Nov 2025 13:40:30 +0000 (14:40 +0100)]
cpu_map: update vmx-* features
The vmx-* features are currently decoded from the 32 lower bits
(EAX) of the MSR 64-bit values. They should be decoded instead
from the 32-higher bits (EDX).
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Hector Cao [Mon, 24 Nov 2025 13:40:29 +0000 (14:40 +0100)]
cpu_map: fix sync script to extract correctly vmx-* features
The src/cpu_map/x86_features.xml file contains the definition
of all x86 CPU features, these definitions specify how we can
decode the feature support from the CPUID or MSR values.
The helper script sync_qemu_features_i386.py builds the
x86_features.xml file from QEMU source code to be in sync
with supported features in QEMU. This helper script parses
QEMU target/i386/cpu.c file looking for CPU feature definitions
and converts them into x86_features.xml contents.
This is the resulting definition for the vmx-intr-exit feature
encoded in the MSR 0x48d.
EAX holds the 32 lower bits of the MSR 64-bit value and should
not be used to detect the VMX-* features. Indeed, VMX-* bit
position should be parsed from QEMU source code in the 32 higher
bits of the corresponding MSR value.
This commit fixes this issue by using the 32 higher bits (EDX)
to represent VMX-* features.
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
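The two cpu_map commits above both hinge on which half of a VMX capability MSR carries the "supported" bits. As an added example (not libvirt or QEMU code), the following decodes a 64-bit IA32_VMX_*_CTLS value the way a VMM does: the low 32 bits (EAX) are the allowed 0-settings (a 1 means the control is fixed to 1), the high 32 bits (EDX) are the allowed 1-settings (a 1 means the control may be set, i.e. is supported). That layout is taken from the Intel SDM's VMX capability reporting, not from the commit text; the sample MSR value and the bit-name mapping for 0x48d are constructed for illustration, and the buggy decoder is included only to show what the old EAX-based rule answered.

```c
#include <stdint.h>

/* Added example, not libvirt or QEMU code. Decoding of the VMX control
 * capability MSRs (IA32_VMX_TRUE_PINBASED_CTLS = 0x48d is the one the
 * commit above mentions for vmx-intr-exit):
 *   bits 31:0  (EAX) = allowed 0-settings: 1 means the control is fixed to 1
 *   bits 63:32 (EDX) = allowed 1-settings: 1 means the control may be set,
 *                      i.e. the feature is supported.
 * Feature support must therefore be read from the EDX half. */

static inline uint32_t msr_eax(uint64_t msr) { return (uint32_t)msr; }
static inline uint32_t msr_edx(uint64_t msr) { return (uint32_t)(msr >> 32); }

/* Correct: a control is supported if its allowed-1 bit (EDX) is set. */
int vmx_ctl_supported(uint64_t msr, unsigned bit)
{
    return bit < 32 && ((msr_edx(msr) >> bit) & 1u);
}

/* A control is mandatory (cannot be cleared) if its allowed-0 bit (EAX) is set. */
int vmx_ctl_required(uint64_t msr, unsigned bit)
{
    return bit < 32 && ((msr_eax(msr) >> bit) & 1u);
}

/* The pre-fix decoding, for contrast: reads EAX and so reports "fixed to 1"
 * bits as features while missing optional but supported controls. */
int vmx_ctl_supported_buggy(uint64_t msr, unsigned bit)
{
    return bit < 32 && ((msr_eax(msr) >> bit) & 1u);
}

/* What a VMM does before writing a VMCS control field: force the must-be-1
 * bits in, and mask out anything the CPU does not allow. */
uint32_t vmx_adjust_ctls(uint64_t msr, uint32_t desired)
{
    return (desired | msr_eax(msr)) & msr_edx(msr);
}

/* Constructed sample for IA32_VMX_TRUE_PINBASED_CTLS, shaped like a typical
 * reading: allowed-0 = 0x16 (bits 1, 2, 4 fixed to 1), allowed-1 = 0x7f
 * (bits 0..6 settable, bit 7 not supported). */
const uint64_t SAMPLE_TRUE_PINBASED_CTLS = 0x0000007f00000016ull;

/* Pin-based control bit positions and their QEMU/libvirt feature names. */
enum {
    PIN_EXT_INTR_EXITING = 0,   /* vmx-intr-exit */
    PIN_NMI_EXITING      = 3,   /* vmx-nmi-exit */
    PIN_POSTED_INTR      = 7,   /* vmx-posted-intr */
};
```

On the sample value the old rule would report vmx-intr-exit as absent (EAX bit 0 is clear) and the reserved bit 1 as present (EAX bit 1 is set), which is the inverted picture the fix corrects.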
is redundant. If the meson check for linux/kvm.h succeeded, we
must be on a Linux host and cannot be on a FreeBSD host. Remove
these redundant OS conditions from the MSR code to stop misleading
readers.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Mon, 24 Nov 2025 09:33:25 +0000 (10:33 +0100)]
qemuxmlconftest: Update 'aarch64' tests using 'virt-4.0' machine type
In the upcoming qemu-10.2 release the 'virt-4.0' machine type will be
removed. Update all existing tests which use it to 'virt-10.0' which is
currently present in our caps dump.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Notable changes:
- New 'postcopy-device' migration state
- New 'exit-with-parent' option
- Features 'guest_tunnel_csum', 'host_tunnel', 'host_tunnel_csum',
'guest_tunnel' of 'virtio-net-pci' are now enabled by default
- 'extended-tseg-mbytes' is now 64 for 'mch' device
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Peter Krempa [Mon, 24 Nov 2025 07:42:56 +0000 (08:42 +0100)]
spec: Fix 'libvirt-daemon-driver-storage-zfs' on Fedora 43 and newer
On Fedora 43 and newer the 'fuse-zfs' package was removed. Commit
bd30147e740 added an 'Obsoletes' directive so that the storage driver
core package will update properly but hardcoded the obsoleted version
as 11.4 (when the change was committed) similarly to the old sheepdog/rbd
packages and disabled the build.
Now it is still possible to obtain ZFS support from other means and it
may be useful for users to have libvirt's ZFS backend. This patch thus:
- re-enables build of 'libvirt-daemon-driver-storage-zfs' on Fedora
- removes 'libvirt-daemon-driver-storage-zfs' as 'Requires' dependency
from 'daemon-driver-storage' meta-package on Fedora 43 and newer
- removes dependency on '/sbin/zpool' and '/sbin/zfs' on Fedora 43
and newer
With this the package still is built and installable but will require
users to get their ZFS support installed somehow.
Fixes: bd30147e740d49fdb5844160e480ca34611f75e5
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Peter Krempa [Fri, 21 Nov 2025 13:46:21 +0000 (14:46 +0100)]
Add support for 'dpofua' setting for SCSI disks
Add the 'dpofua' setting in the XML and for the qemu driver.
DPO - Disable Page Out and FUA - Force Unit Access are two features
implemented by SCSI disks (either both together or neither of them)
which influence how caching is handled. QEMU provides a good default
but in certain specific occasions changing the default may have
performance benefits.
Add support for setting them via the XML.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa [Sun, 23 Nov 2025 14:42:23 +0000 (15:42 +0100)]
docs: site.xsl: Use separate 'asset_href_base' and 'link_href_base'
While our main page uses same argument for both to ensure that the
linking works also when browsed locally sub-projects such as
libvirt-wiki and libvirt-security-notice will want to pull 'site.xsl' as
is into their build assets. Pass both arguments via the build system so
that we don't have to carry distinct instances.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Sun, 23 Nov 2025 14:10:48 +0000 (15:10 +0100)]
docs: index: Link to security notices from home page
Our main page mentions security notices which we host at
https://security.libvirt.org but links to them only from the security
process page. Since we already have the wording there, turn it directly
into a link.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 15:26:43 +0000 (16:26 +0100)]
qemu: backup: Add support for VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN
Implement the support for VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN
which will keep the qemu process around while the backup is still
running.
The above is achieved by avoiding killing the qemu process in the
shutdown qemu monitor event handlers. Instead 'system_reset' QMP command
is issued and the domain object is transitioned into _PAUSED state in
sync with what qemu does.
Now once the backup job finishes (or is cancelled e.g. for pull mode
backups) the backup job termination code re-assesses if the qemu process
needs to be killed or the VM was re-started by un-pausing.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 15:12:08 +0000 (16:12 +0100)]
lib: Introduce VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN flag
This flag will instruct the hypervisor driver to keep the VM around
while the backup is running if the guest OS decides to shut down, so
that the backup can be finished.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Upcoming patches will introduce the possibility for the domain to be
kept paused after the guest OS shuts itself down. It'll allow jobs
such as backup to finish as e.g. in the qemu driver it requires the qemu
process.
Add the appropriate reason for the VIR_DOMAIN_EVENT_SUSPENDED
lifecycle event.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 13 Nov 2025 16:15:57 +0000 (17:15 +0100)]
qemuBlockJobProcessEventConcludedBackup: Notify the backup job later
Move the notification to the backup job after finishing the cleanup of
the current block job the backup operation consists of.
Currently the termination of the blockjob would e.g. delete the scratch
files before they are detached from qemu.
In later patches the termination of the backup job may cause the qemu
process to be killed (if the guest OS shut down but the qemu process
was being kept alive to finish the backup) which would cause errors in
the monitor commands for dismissing the block job.
Since the NBD server still needs to be terminated first as otherwise
the scratch files can't be unplugged from qemu we need to split the
operation into two. First the NBD server is terminated, then the
current block job is finalized and then the backup job is notified.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 19 Nov 2025 08:11:18 +0000 (09:11 +0100)]
qemu: backup: Don't attempt to stop the NBD server twice
When notifying the backup code about termination of the block job which
is part of a backup operation the code attempts to terminate the NBD
server. This is done for every blockjob so could cause us to attempt to
terminate the NBD server multiple times which doesn't cause problems but
generates spurious errors.
Add a flag that the NBD server was stopped and do it just once. Don't
bother storing the flag in the status XML as it's just for the shutdown
phase.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 19 Nov 2025 09:19:29 +0000 (10:19 +0100)]
qemuProcessReconnect: Continue reconnection if VM undergoes fake-reboot
'qemuProcessShutdownOrReboot' may or may not kill the VM. In
'qemuProcessReconnect' if we decided that the VM was in a state
requiring 'qemuProcessShutdownOrReboot' to be called we'd stop the
reconnection unconditionally.
Now if the VM ought to undergo a fake reboot we really need to reconnect
to the process because the process will be kept around for much longer.
Make qemuProcessShutdownOrReboot return whether it killed the VM and
continue the reconnection if it didn't.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 18 Nov 2025 16:09:33 +0000 (17:09 +0100)]
virDomainNestedJobAllowed: Allow VIR_JOB_MODIFY_MIGRATION_SAFE if VIR_JOB_MODIFY is allowed
The VIR_JOB_MODIFY_MIGRATION_SAFE is supposed to be a subset of _MODIFY
jobs which are allowed during migration.
Now with async jobs which allow VIR_JOB_MODIFY (namely the backup job)
it shouldn't be required to explicitly mention
VIR_JOB_MODIFY_MIGRATION_SAFE since we already allow everything.
Adjust the logic in virDomainNestedJobAllowed to accept
VIR_JOB_MODIFY_MIGRATION_SAFE if VIR_JOB_MODIFY is allowed so that other
places can simply allow the latter.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Querying existence of the 'tdx-guest' type merely tells us whether
QEMU has been compiled with TDX support, not whether it is usable
on the host. Thus QEMU was incorrectly reporting
Unfortunately an earlier patch for a 'query-tdx-capabilities' QMP
command in QEMU was dropped, so there is no way to ask QEMU whether
it can launch a TDX guest. Libvirt must directly query the KVM
device and ask for supported VM types.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
rpc: support loading multiple certificate identities
In addition to servercert.pem / serverkey.pem, we now also support
loading servercert{N}.pem / serverkey{N}.pem, for values of {N}
between 0 and 3 inclusive.
If servercert0.pem is provided, then using servercert.pem becomes
optional. The first missing index terminates the loading process.
eg if servercert1.pem is NOT present, then it will NOT attempt to
look for servercert2.pem / servercert3.pem.
This also applies to clientcert.pem / clientkey.pem.
This facilitates the transition to post-quantum cryptography by
allowing loading of certificates with different algorithms,
eg traditional RSA based cert, and optional ECC based cert or
MLDSA based cert for PQC.
The use of CA cert files is unchanged with only a single cacert.pem
loaded. When multiple CAs are needed they must be concatenated in
the single cacert.pem file.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
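The loading policy in the commit above (unsuffixed pair first, then index 0..3, stop at the first missing index, unsuffixed pair optional once index 0 exists) is easy to get subtly wrong, for instance by skipping a gap and picking up a later index. As an added example (not libvirt code), the function below models that policy against an injected existence check so it can be exercised on a constructed directory listing. Two simplifications are assumptions of this demo and not stated by the commit: keys are looked up next to the certificates rather than in a separate private/ directory, and a certificate whose matching key is missing is treated as an error.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libvirt code. locate_identities() applies the rules
 * from the commit above for base "server" or "client":
 *  - <base>cert.pem/<base>key.pem are loaded if present; they are required
 *    unless <base>cert0.pem exists;
 *  - <base>cert{0..3}.pem/<base>key{0..3}.pem are loaded in order and the
 *    first missing index ends the search (later indices are ignored). */

#define MAX_IDENTITIES 5          /* unsuffixed + indices 0..3 */
#define PATH_MAX_DEMO 128
typedef int (*file_exists_fn)(const char *path, void *opaque);

/* Fills cert[]/key[] with the pairs found and returns their count, or -1
 * if no usable identity exists. */
int locate_identities(const char *dir, const char *base,
                      file_exists_fn exists, void *opaque,
                      char cert[][PATH_MAX_DEMO], char key[][PATH_MAX_DEMO])
{
    char first_indexed[PATH_MAX_DEMO];
    int n = 0;

    snprintf(first_indexed, sizeof first_indexed, "%s/%scert0.pem", dir, base);
    int have_indexed = exists(first_indexed, opaque);

    /* unsuffixed pair: mandatory unless <base>cert0.pem is present */
    snprintf(cert[n], PATH_MAX_DEMO, "%s/%scert.pem", dir, base);
    snprintf(key[n], PATH_MAX_DEMO, "%s/%skey.pem", dir, base);
    if (exists(cert[n], opaque)) {
        if (!exists(key[n], opaque))
            return -1;                /* cert without its key (demo assumption) */
        n++;
    } else if (!have_indexed) {
        return -1;                    /* neither form present */
    }

    for (int i = 0; i < MAX_IDENTITIES - 1; i++) {
        snprintf(cert[n], PATH_MAX_DEMO, "%s/%scert%d.pem", dir, base, i);
        snprintf(key[n], PATH_MAX_DEMO, "%s/%skey%d.pem", dir, base, i);
        if (!exists(cert[n], opaque))
            break;                    /* first gap ends the search */
        if (!exists(key[n], opaque))
            return -1;
        n++;
    }
    return n;
}

/* Constructed directory listing (no real files): server has the unsuffixed
 * pair plus indices 0, 1 and 3, so index 3 must be ignored because 2 is
 * missing; client has only index 0, so its unsuffixed pair is optional. */
static const char *const FAKE_LISTING[] = {
    "/etc/pki/libvirt/servercert.pem",  "/etc/pki/libvirt/serverkey.pem",
    "/etc/pki/libvirt/servercert0.pem", "/etc/pki/libvirt/serverkey0.pem",
    "/etc/pki/libvirt/servercert1.pem", "/etc/pki/libvirt/serverkey1.pem",
    "/etc/pki/libvirt/servercert3.pem", "/etc/pki/libvirt/serverkey3.pem",
    "/etc/pki/libvirt/clientcert0.pem", "/etc/pki/libvirt/clientkey0.pem",
    NULL,
};

static int fake_exists(const char *path, void *opaque)
{
    (void)opaque;
    for (const char *const *p = FAKE_LISTING; *p; p++)
        if (strcmp(*p, path) == 0)
            return 1;
    return 0;
}

static char g_certs[MAX_IDENTITIES][PATH_MAX_DEMO];
static char g_keys[MAX_IDENTITIES][PATH_MAX_DEMO];

/* Runs the policy over the constructed listing for "server" or "client". */
int fake_locate(const char *base)
{
    return locate_identities("/etc/pki/libvirt", base, fake_exists, NULL,
                             g_certs, g_keys);
}

const char *fake_cert_at(int i) { return g_certs[i]; }

int main(void)
{
    int n = fake_locate("server");
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", g_certs[i], g_keys[i]);
    return n > 0 ? 0 : 1;
}
```

The "first gap ends the search" rule is the one operators trip over when rotating in a second algorithm: a stray servercert3.pem next to an empty slot 2 is silently unused, so checking the count returned here (or the daemon's log) after deployment is worthwhile.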
The three different APIs for locating credentials differ only in
what directories they search and their policy for missing files.
Their code can be collapsed onto a single helper method. This
will greatly facilitate the subsequent patch that expands the
logic to locate many certificate files.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>