[libvirt] [PATCH v2 14/14] qemu: Use secret objects to pass iSCSI passwords

2017-09-15 Thread John Ferlan
https://bugzilla.redhat.com/show_bug.cgi?id=1425757 The blockdev-add code provides a mechanism to sanely provide user and password-secret arguments for iscsi without placing them on the command line to be viewable by a 'ps -ef' type command or needing to create separate -iscsi devices for each

[libvirt] [PATCH v2 10/14] qemu: Move encinfo from private disk to private disk src

2017-09-15 Thread John Ferlan
Since the encryption information can also be disk source specific move it from _qemuDomainDiskPrivate to _qemuDomainDiskSrcPrivate. Signed-off-by: John Ferlan --- src/qemu/qemu_command.c | 6 ++ src/qemu/qemu_domain.c | 16 +++- src/qemu/qemu_domain.h | 10

[libvirt] [PATCH v2 11/14] qemu: Add disk secret object hash table to _qemuDomainObjPrivate

2017-09-15 Thread John Ferlan
Currently when an AES secret object is added to the domain for either a network disk, a LUKS encryption secret, or for a SCSI hostdev there is no way for domain restart to be able to connect or determine which secret by secrettype and uuid or usage was used in order to generate the object. So, in

[libvirt] [PATCH v2 06/14] qemu: Introduce privateData for _virStorageSource

2017-09-15 Thread John Ferlan
Since the secret information is really _virStorageSource specific piece of data, let's create a privateData object for _virStorageSource and move the @secinfo from _qemuDomainDiskPrivate into a new _qemuDomainDiskSrcPrivate structure and manage it from there. Signed-off-by: John Ferlan

[libvirt] [PATCH v2 02/14] util: Fix secret generation in virStorageSourceParseRBDColonString

2017-09-15 Thread John Ferlan
Commit id '5604c056' used the wrong API to generate the --- src/util/virstoragefile.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/util/virstoragefile.c b/src/util/virstoragefile.c index e94ad32f0..1040e9a17 100644 --- a/src/util/virstoragefile.c +++

[libvirt] [PATCH v2 07/14] conf: Add/Allow parsing the encryption in the disk source

2017-09-15 Thread John Ferlan
Since the virStorageEncryptionPtr encryption; is a member of _virStorageSource it really should be allowed to be a subelement of the disk for various disk formats: Source{File|Dir|Block|Volume} SourceProtocol{RBD|ISCSI|NBD|Gluster|Simple|HTTP} NB: Simple includes sheepdog, ftp, ftps,

[libvirt] [PATCH v2 03/14] conf: Add/Allow parsing the auth in the disk source

2017-09-15 Thread John Ferlan
Since the virStorageAuthDefPtr auth; is a member of _virStorageSource it really should be allowed to be a subelement of the disk for the RBD and iSCSI protocols. That way we can set up to allow the element to be formatted within the disk source. For now just allow the format in the RNG and

[libvirt] [PATCH v2 01/14] util: Move virSecretUsageType to virsecret.h

2017-09-15 Thread John Ferlan
Move the virSecretUsageType into the util. Signed-off-by: John Ferlan --- src/conf/domain_conf.c| 1 + src/conf/secret_conf.c| 4 +--- src/conf/secret_conf.h| 2 -- src/qemu/qemu_parse_command.c | 2 +- src/storage/storage_driver.c | 1 +

[libvirt] [PATCH v2 00/14] Use secret objects to pass iSCSI passwords

2017-09-15 Thread John Ferlan
v1: https://www.redhat.com/archives/libvir-list/2017-September/msg00100.html Other than patch 1 from v1, everything changed... Don't bother comparing. Highlights - * Two patches of essentially movement of virSecretUsageType because I found (as seen in patch 2) that a previous patch altered

[libvirt] [PATCH v2 13/14] util: Add iSCSI auth/password-secret processing

2017-09-15 Thread John Ferlan
Generate the example for the iSCSI auth/password-secret similar to what's done for RBD. Signed-off-by: John Ferlan --- src/util/virstoragefile.c | 30 ++ tests/virstoragetest.c| 15 +++ 2 files changed, 45 insertions(+) diff --git

[libvirt] [PATCH v2 12/14] qemu: Get capabilities to use iscsi password-secret argument

2017-09-15 Thread John Ferlan
Add the capability to use the blockdev-add query-qmp-schema option to find the 'password-secret' parameter that will allow the iSCSI code to use the master secret object (a/k/a AES) to encrypt the secret in an object and only need to provide the object id of the secret on the command line thus

[libvirt] [PATCH v2 09/14] docs: Add news article for encryption in disk source

2017-09-15 Thread John Ferlan
Signed-off-by: John Ferlan --- docs/news.xml | 13 + 1 file changed, 13 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index e79ff4349..8ed0509e6 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -36,6 +36,19 @@ however, when writing out the

[libvirt] [PATCH v2 08/14] conf: Move LUKS encryption formatting to disk source

2017-09-15 Thread John Ferlan
Alter the output of the formatting to be a child of the disk's source rather than a child of the disk for LUKS encryption, but keep the legacy QCOW encryption as a child of disk. Update the various test outputs for existing disk tests to conform to the new view. The qemuxml2xmlout-luks-disks.xml

[libvirt] [PATCH v2 05/14] docs: Add news article regarding auth placement

2017-09-15 Thread John Ferlan
Signed-off-by: John Ferlan --- docs/news.xml | 11 +++ 1 file changed, 11 insertions(+) diff --git a/docs/news.xml b/docs/news.xml index a5c3d1d90..e79ff4349 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -25,6 +25,17 @@ + + +

[libvirt] [PATCH v2 04/14] conf: Move auth formatting to disk source

2017-09-15 Thread John Ferlan
Alter the output of the formatting to be a child of the disk's source rather than a child of the disk. Update the various test outputs for existing disk tests to conform to the new view. Add tests to validate that if the was found in , then the resulting xml2xml and xml2arg works just fine.

Re: [libvirt] [PATCH] apparmor: cater for new AAVMF image location

2017-09-15 Thread Jamie Strandboge
On Fri, 2017-09-15 at 18:10 +0200, Guido Günther wrote: > Things moved again, sigh. > --- > src/security/virt-aa-helper.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 55a686a59c..0b43c8e391 100644

Re: [libvirt] [PATCH] util: virPCIGetNetName(): use first netdev name when phys_port_id isn't matched

2017-09-15 Thread Andrea Bolognani
On Fri, 2017-09-15 at 11:49 -0400, Laine Stump wrote: > @@ -2902,6 +2903,15 @@ virPCIGetNetName(const char *device_link_sysfs_path, > /* if this one doesn't match, keep looking */ > if (STRNEQ_NULLABLE(physPortID, thisPhysPortID)) { >

Re: [libvirt] [PATCH] spec: Use %license when available

2017-09-15 Thread Cole Robinson
On 09/15/2017 12:09 PM, Daniel P. Berrange wrote: > On Fri, Sep 15, 2017 at 09:09:05AM +0100, Daniel P. Berrange wrote: >> On Thu, Sep 14, 2017 at 05:43:37PM -0400, Cole Robinson wrote: >>> This is required by the fedora packaging guidelines: >>> >>>

Re: [libvirt] [PATCH 0/4] qemu: Validate guest CPU features before starting a domain

2017-09-15 Thread Ján Tomko
On Thu, Sep 14, 2017 at 04:22:59PM +0200, Jiri Denemark wrote: CPU features are usually checked by libvirt, but not if libvirt decides it should not check the CPU at all, which happens with host-passthrough CPUs, for example. Let's check all used CPU features are valid for all CPU definitions.

[libvirt] [PATCH] apparmor: cater for new AAVMF image location

2017-09-15 Thread Guido Günther
Things moved again, sigh. --- src/security/virt-aa-helper.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 55a686a59c..0b43c8e391 100644 --- a/src/security/virt-aa-helper.c +++

[libvirt] [PATCH] util: virPCIGetNetName(): use first netdev name when phys_port_id isn't matched

2017-09-15 Thread Laine Stump
The mlx4 (Mellanox) netdev driver implements the sysfs phys_port_id file for both VFs and PFs, so you can find the VF netdev plugged into the same physical port as any given PF netdev by comparing the contents of phys_port_id of the respective netdevs. That's what libvirt does when attempting to

Re: [libvirt] [PATCH] apparmor: add attach_disconnected

2017-09-15 Thread Jamie Strandboge
On Fri, 2017-09-15 at 17:17 +0200, Guido Günther wrote: > Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd > like > > [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): > apparmor="DENIED" operation="file_perm" info="Failed name lookup - > disconnected path"

Re: [libvirt] [PATCH] spec: Use %license when available

2017-09-15 Thread Daniel P. Berrange
On Fri, Sep 15, 2017 at 09:09:05AM +0100, Daniel P. Berrange wrote: > On Thu, Sep 14, 2017 at 05:43:37PM -0400, Cole Robinson wrote: > > This is required by the fedora packaging guidelines: > > > > https://fedoraproject.org/wiki/Packaging:LicensingGuidelines > > > > This macro isn't available on

[libvirt] [PATCH] apparmor: add attach_disconnected

2017-09-15 Thread Guido Günther
Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd like [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c"

Re: [libvirt] Exposing mem-path in domain XML

2017-09-15 Thread Zack Cornelius
For the Kove integration, the memory is allocated on external devices, similar to a SAN device LUN allocation. As such, each virt will have its own separate allocation, and will need its memory file(s) managed independently of other virts. We also use information from the virtual machine

Re: [libvirt] [libvirt-sandbox PATCH 1/2] Drop library/ from image path

2017-09-15 Thread Guido Günther
Hi, On Fri, Sep 15, 2017 at 01:05:27PM +0100, Daniel P. Berrange wrote: > On Wed, Jun 07, 2017 at 08:02:04AM +0200, Guido Günther wrote: > > If one pastes from the output of virt-sandbox-image > > > > $ virt-sandbox-image list > > docker:/library/ubuntu?tag=17.04 > >

Re: [libvirt] Exposing mem-path in domain XML

2017-09-15 Thread Zack Cornelius
For the Kove integration, the memory is allocated on external devices, similar to a SAN device LUN allocation. As such, each virt will have its own separate allocation, and will need its memory file(s) managed independently of other virts. We also use information from the virtual machine

[libvirt] [PATCH] qemu: Fix return check on virHashAddEntry call

2017-09-15 Thread John Ferlan
Luckily it only returns 0 or -1 Signed-off-by: John Ferlan --- Pushed as trivial.. Tripped across this while working on something else. src/qemu/qemu_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c

Re: [libvirt] [PATCH 6/6] conf: Use virXMLFormatElement to format disk source network

2017-09-15 Thread John Ferlan
On 09/15/2017 12:10 AM, Peter Krempa wrote: > On Thu, Sep 14, 2017 at 14:03:10 -0400, John Ferlan wrote: >> Commit id 'e02ff020cac' neglected to use the attrBuf and childBuf >> in the virDomainDiskSourceFormatNetwork call. >> >> So make the necessary alterations to allow usage. >> >>

Re: [libvirt] [PATCH 5/6] conf: Move encryption validation

2017-09-15 Thread John Ferlan
On 09/15/2017 12:06 AM, Peter Krempa wrote: > On Thu, Sep 14, 2017 at 14:03:09 -0400, John Ferlan wrote: >> Rather than checking during XML processing, move the check for >> valid into virDomainDiskDefParseValidate. >> >> Signed-off-by: John Ferlan >> --- >>

Re: [libvirt] [libvirt-sandbox PATCH 1/2] Drop library/ from image path

2017-09-15 Thread Daniel P. Berrange
On Wed, Jun 07, 2017 at 08:02:04AM +0200, Guido Günther wrote: > If one pastes from the output of virt-sandbox-image > > $ virt-sandbox-image list > docker:/library/ubuntu?tag=17.04 > docker:/library/debian?tag=latest > > verbatim > > $ virt-sandbox-image run -c qemu:///session >

Re: [libvirt] [libvirt-sandbox PATCH 2/2] Sanitize domain name

2017-09-15 Thread Daniel P. Berrange
On Wed, Jun 07, 2017 at 08:02:05AM +0200, Guido Günther wrote: > If one pastes from the output of virt-sandbox-image > > $ virt-sandbox-image list > docker:/library/ubuntu?tag=17.04 > docker:/library/debian?tag=latest > > verbatim > > $ virt-sandbox-image run -c qemu:///session >

Re: [libvirt] [PATCH 1/7] cpu_conf: Introduce virCPUDefList{Parse, Free}

2017-09-15 Thread Ján Tomko
On Thu, Sep 14, 2017 at 12:57:14PM +0200, Jiri Denemark wrote: For parsing a list of CPU XMLs into a NULL-terminated list of CPU defs. Signed-off-by: Jiri Denemark --- src/conf/cpu_conf.c | 78 src/conf/cpu_conf.h |

Re: [libvirt] [PATCH 0/7] qemu: Filter CPU features returned by qemuConnectBaselineCPU

2017-09-15 Thread Ján Tomko
On Thu, Sep 14, 2017 at 12:57:13PM +0200, Jiri Denemark wrote: The host CPU definitions reported in the capabilities XML may contain CPU features unknown to QEMU, but the result of virConnectBaselineCPU is supposed to be directly usable as a guest CPU definition and thus it should only contain

Re: [libvirt] [PATCH 3/6] conf: Move authdef validation

2017-09-15 Thread John Ferlan
On 09/14/2017 11:58 PM, Peter Krempa wrote: > On Thu, Sep 14, 2017 at 14:03:07 -0400, John Ferlan wrote: >> Rather than checking during XML processing, move the checks for correct >> and valid auth into virDomainDiskDefParseValidate. This will introduce >> virDomainDiskSourceDefParseAuthValidate

Re: [libvirt] [libvirt-sandbox PATCH 0/2] virt-sandbox-image: unbreak start from library

2017-09-15 Thread Guido Günther
Hi, On Wed, Jun 21, 2017 at 10:00:32PM +0200, Guido Günther wrote: > On Wed, Jun 07, 2017 at 08:02:03AM +0200, Guido Günther wrote: > > This is basically a V2 of "Drop library/ from template name and image path" > > with Dan's comment implemented. > > Ping? Ping again. -- Guido > -- Guido >

Re: [libvirt] RFC: libvirt support for QEMU live patching

2017-09-15 Thread Daniel P. Berrange
On Fri, Sep 15, 2017 at 01:27:31PM +0530, Madhu Pavan wrote: > Hi, > QEMU live patching should be just a matter of updating the QEMU RPM package > and then live migrating the VMs to another QEMU instance on the same host > (which would point to the just installed new QEMU executable). > I think it

Re: [libvirt] [PATCH] spec: Use %license when available

2017-09-15 Thread Daniel P. Berrange
On Thu, Sep 14, 2017 at 05:43:37PM -0400, Cole Robinson wrote: > This is required by the fedora packaging guidelines: > > https://fedoraproject.org/wiki/Packaging:LicensingGuidelines > > This macro isn't available on stock RHEL6 so provide a backcompat > definition > >

Re: [libvirt] [PATCH] spec: Own %{_libdir}/libvirt{, /connection-driver} dirs

2017-09-15 Thread Daniel P. Berrange
On Thu, Sep 14, 2017 at 05:43:06PM -0400, Cole Robinson wrote: > From: Ville Skyttä > > Owning all created directories is a requirement of the Fedora > packaging guidelines > > https://bugzilla.redhat.com/show_bug.cgi?id=1483293 > Signed-off-by: Cole Robinson

[libvirt] RFC: libvirt support for QEMU live patching

2017-09-15 Thread Madhu Pavan
Hi, QEMU live patching should be just a matter of updating the QEMU RPM package and then live migrating the VMs to another QEMU instance on the same host (which would point to the just installed new QEMU executable). I think it will be useful to support it from libvirt side. After some searching

[libvirt] [PATCH go-xml] Add support for domain hostdev and test code

2017-09-15 Thread zhenwei.pi
Signed-off-by: zhenwei.pi --- domain.go | 36 domain_test.go | 44 2 files changed, 80 insertions(+) diff --git a/domain.go b/domain.go index bead49a..1bcc9cc 100644 ---