Upon VM bootstrapping (start,restore,incoming migration)
iptablesCreateBaseChainsFW is called and unconditionally deletes and
reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules).
This briefly opens a hole in the firewall, allowing packets through
until the insertions complete.
Thi
Upon VM bootstrapping (start,restore,incoming migration)
iptablesCreateBaseChainsFW is called and unconditionally deletes and
reinserts top-level firewall chain jumps (e.g. INPUT, FORWARD rules).
This briefly opens a hole in the firewall, allowing packets through
until the insertions complete.
Thi
From: Michal Privoznik
In some cases (well, majority), open() is either rewritten to
open64(), either by plain '#define open open64') or at assembly
level (using __REDIRECT macro). See for more info.
This didn't really matter to us, because we do not chain load two
mocks that would need to reim
From: Michal Privoznik
After previous cleanup the cleanup label is no longer necessary.
Drop it.
Signed-off-by: Michal Privoznik
---
src/security/virt-aa-helper.c | 120 ++
1 file changed, 62 insertions(+), 58 deletions(-)
diff --git a/src/security/virt-aa-help
From: Michal Privoznik
Instead of treating -d and -v arguments as positional, use
getopts to parse cmd line arguments passed to
virt-aa-helper-test script.
While at it, introduce -h for printing basic help describing each
argument.
Signed-off-by: Michal Privoznik
---
tests/virt-aa-helper-test
From: Michal Privoznik
Inside of get_files() there are two cases where vah_add_file() is
not checked for its retval. This is possibly dangerous, because
vah_add_file() might fail. Fix those places by introducing checks
for the retval.
Signed-off-by: Michal Privoznik
---
src/security/virt-aa-he
From: Michal Privoznik
The way virt-aa-helper works is the following: the apparmor
secdriver formats domain XML, spawns virt-aa-helper process and
feeds it with domain XML (through stdin). The helper process then
parses the XML and iterates over devices, appending paths in each
loop.
These loops
From: Michal Privoznik
Signed-off-by: Michal Privoznik
---
src/security/virt-aa-helper.c | 14 --
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 64cada3b3b..2ea4b47fa5 100644
--- a/src/security/virt-
From: Michal Privoznik
The @mem_path variable inside of get_files() is used only within
a single block. Move its declaration inside it. And also utilize
automatic memory freeing.
Signed-off-by: Michal Privoznik
---
src/security/virt-aa-helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 dele
From: Michal Privoznik
For an USB device, the virt-aa-helper must put that
/dev/bus/usb/... path associated with given device. The way the
code is currently written not only leads to a memleak (the @usb
variable is allocated only to be overwritten right away), but is
needlessly cumbersome.
We ca
From: Michal Privoznik
Our test suite is very feature rich. In particular, it has two
mocks that implement sysfs close enough to create
host-independent environment to work with PCI and USB devices.
These mocks are called virpcimock and virusbmock, respectively.
Inside of virt-aa-helper-test the
From: Michal Privoznik
virt-aa-helper checks presence of files before it adds them into
a profile. Because of that, test cases inside of
virt-aa-helper-test that require presence of /boot/initrd* are
guarded by a check. The check uses ls to find at least one initrd
file. If there's none, then ls
From: Michal Privoznik
When a test case fails, there are two echo-s executed: the first
one either prints the error message into /dev/null (default) or
onto stdout (when the test script is executed with -d). Then, the
second one prints the error message onto stdout. While this
technically works,
From: Michal Privoznik
The mocked implementation of virFileCanonicalizePath() redirects
accesses to few dirs into a temporary directory, where PCI
related files live. See getrealpath() for more info on this.
Anyway, in the end - real implementation of
virFileCanonicalizePath() is called which th
From: Michal Privoznik
Currently, all users of virpcimock do set LIBVIRT_FAKE_ROOT_DIR
envvar. But soon, virt-aa-helper will be run with it and
basically right at the beginning of its main() it clears whole
environment. So even if the envvar is provided the mock won't see
that.
Anyway, the solut
From: Michal Privoznik
While use of realpath() is not forbidden, our some of our mocks
already have a test friendly reimplementation of
virFileCanonicalizePath(). Use the latter.
Signed-off-by: Michal Privoznik
---
src/logging/log_cleaner.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
From: Michal Privoznik
While use of realpath() is not forbidden, our some of our mocks
already have a test friendly reimplementation of
virFileCanonicalizePath(). Use the latter.
Signed-off-by: Michal Privoznik
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletio
Inspired by a patchset against virt-aa-helper that I reviewed recently:
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/QQXMAK56H2CXCIZPALG5BHDNTKT3OQKZ/
Green pipeline:
https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/1866451277
Michal Prívozník (15):
log_cleaner
On Wed, Jun 11, 2025 at 05:12:50PM +0200, Ján Tomko wrote:
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander
Signed-off-by: Martin Kletzander
---
NEWS.rst | 5 +
1 file changed, 5 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index 2559aaf7e031..a831c76be5b0
On Sat, Mar 08, 2025 at 14:57:39 +0900, Akihiko Odaki wrote:
> usb-storage is a compound device that automatically creates a USB mass
> storage device and a SCSI device as its backend. Unfortunately it lacks
> some configuration options that are usually present with a SCSI device,
> and cannot repr
On Wed, Jun 11, 2025 at 05:11:01PM +0200, Ján Tomko wrote:
On a Monday in 2025, Martin Kletzander via Devel wrote:
From: Martin Kletzander
Add new URI parameter which allows for using non-system CA certificates
to verify remote peers.
Signed-off-by: Martin Kletzander
---
docs/drvesx.rst|
On Wed, Jun 11, 2025 at 21:57:15 +, Krisstoffe wrote:
> From: Krisstoffe
I'll add a note that this is the same approach we use e.g. in the gluster
storage driver backend.
> Resolves: https://gitlab.com/libvirt/libvirt/-/issues/448
>
> Signed-off-by: Krisstoffe
> ---
> src/storage/storage_
From: Krisstoffe
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/448
Signed-off-by: Krisstoffe
---
src/storage/storage_backend_rbd.c | 12
1 file changed, 12 insertions(+)
diff --git a/src/storage/storage_backend_rbd.c
b/src/storage/storage_backend_rbd.c
index 038a1a9e34..
From: Akio Kakuno
- Add ARM CCA support in domain capabilies XML schema.
[Capability example]
- Execution results of 'virsh domcapability" on qemu
...
...
sha256
sha512
...
Signed-off-by: Kazuhiro Abe
---
docs/formatdomaincaps.rst
Hi, all.
This patch adds Arm CCA support to QEMU driver for aarch64 system.
CCA is an abbreviation for Arm Confidential Compute Architecture
feature, it enhances the virtualization capabilities of
the platform by separating the management of resources from access
to those resources.
We are not yet
From: Akio Kakuno
- Add ARM CCA support to the qemu driver for aarch64 systems.
[XML example]
...
sha256
...
Signed-off-by: Kazuhiro Abe
---
docs/formatdomain.rst | 43 ++
src/conf/domain_capabilities.h | 6 +
src/conf/domain_conf.
From: Akio Kakuno
- Add ARM CCA support in domain schema files.
Signed-off-by: Kazuhiro Abe
---
src/conf/schemas/domaincaps.rng | 36 ++
src/conf/schemas/domaincommon.rng | 26 +++
src/qemu/qemu_capabilities.c | 113 ++
src/qemu/qemu_capabilitie
27 matches
Mail list logo
