[libvirt] [PATCH v2] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

From: Jamie Strandboge Allows (multi-arch enabled) access to libraries under the /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu qemu-block-extra package and all such libs for the paths of rpm qemu-block-* packages. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761

Re: [libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

On Tue, Dec 19, 2017 at 5:09 PM, Jamie Strandboge wrote: > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: >> From: Jamie Strandboge >> >> Allows (multi-arch enabled) access to libraries under the >> /usr/lib/@{multiarch}/qemu/*.so path in the

[libvirt] RFC: Introduce a dlm-corosync for Lock manager plugin

Hi, Currently the lock manager infrastructure has implementation of nop, sanlock and lockd. The first do nothing, while sanlock and lockd all requires the share stroage, and lockd is not provided fence mechanism, sanlock would force to restart OS when stopping daemon. The first half of 2017,

[libvirt] [PATCH 2/6] port allocator: remove range on manual port reserving

Range check in virPortAllocatorSetUsed is not useful anymore when we manage ports for entire unsigned short range values. --- src/bhyve/bhyve_command.c | 4 +--- src/bhyve/bhyve_process.c | 4 +--- src/qemu/qemu_process.c | 41 +++--

[libvirt] [PATCH 6/6] port allocator: make port range constant object

--- src/libxl/libxl_conf.h | 4 ++-- src/qemu/qemu_conf.h| 6 +++--- src/util/virportallocator.c | 2 +- src/util/virportallocator.h | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/libxl/libxl_conf.h b/src/libxl/libxl_conf.h index 3ba8710..457dabd 100644

[libvirt] [PATCH 0/6] port allocator: make used port bitmap global etc

This patch set addresses issue described in [1] and the core of changes go to the first patch. The others are cleanups and refactorings. [1] https://www.redhat.com/archives/libvir-list/2017-December/msg00600.html Nikolay Shirokovskiy (6): port allocator: make used port bitmap global port

[libvirt] [PATCH 1/6] port allocator: make used port bitmap global

Host tcp4/tcp6 ports is a global resource thus we need to make port accounting also global or we have issues described in [1] when port allocator ranges of different instances are overlapped (which is by default for qemu for example). Let's have only one global port allocator object that take

[libvirt] [PATCH 4/6] port allocator: drop skip flag

This flag is only used for tests and tests overload socket and bind functions using virportallocatormock.c already in a suitable fashion so we don't need this flag at all. --- src/bhyve/bhyve_driver.c | 2 +- src/libxl/libxl_driver.c | 5 ++--- src/qemu/qemu_driver.c | 9

[libvirt] [PATCH 5/6] port allocator: remove release functionality from set used

Let's use virPortAllocatorRelease instead of virPortAllocatorSetUsed(false). --- src/bhyve/bhyve_command.c | 2 +- src/bhyve/bhyve_process.c | 2 +- src/qemu/qemu_process.c | 16 src/util/virportallocator.c | 22 ++ src/util/virportallocator.h | 2

[libvirt] [PATCH 3/6] port allocator: remove range check in release function

Range check in virPortAllocatorSetUsed is not useful anymore when we manage ports for entire unsigned short range values. --- src/bhyve/bhyve_process.c| 3 +-- src/libxl/libxl_domain.c | 3 +-- src/libxl/libxl_migration.c | 4 ++-- src/qemu/qemu_migration.c| 12 ++--

Re: [libvirt] [PATCH] qemu: Introduce qemuDomainDelChardevTLSObjects

At 2017-12-20 08:01:37, "John Ferlan" wrote: >Let's make a comment deletion helper similar to the Add helper >that can be called after the ExitMonitor. > >The modify qemuDomainRemoveChrDevice and qemuDomainRemoveRNGDevice >to call the helper instead of inlining the copy and

Re: [libvirt] [PATCH v2.1 2/2] news: add change of hot unplug redirdev

news: Add change for hot unplug redirdev On 12/07/2017 05:42 AM, Chen Hanxiao wrote: > From: Chen Hanxiao > > Add hot unplug redirdev in news 'New features' section No need for this part. > > Signed-off-by: Chen Hanxiao > --- > v2.1: >put

Re: [libvirt] [PATCH v2.1 1/2] qemu: Add support for hot unplug redirdev device

On 12/07/2017 05:42 AM, Chen Hanxiao wrote: > From: Chen Hanxiao > > We lacked of hot unplugging redirdev device. > This patch add support for it. > We could use detach-device --live now. Alter to: Add support for hot unplugging redirdev device which can use the

[libvirt] [PATCH] qemu: Introduce qemuDomainDelChardevTLSObjects

Let's make a comment deletion helper similar to the Add helper that can be called after the ExitMonitor. The modify qemuDomainRemoveChrDevice and qemuDomainRemoveRNGDevice to call the helper instead of inlining the copy and pasted code. Signed-off-by: John Ferlan --- An

Re: [libvirt] [PATCH] treat host models as case-insensitive strings

On Tue, 2017-12-19 at 20:05 +0100, Jiri Denemark wrote: > On Tue, Dec 19, 2017 at 12:39:26 -0600, Scott Garfinkle wrote: > > Qemu now allows case-insensitive specification of CPU models. This fixes the > > resulting problems on POWER arch machines. I believe a similar change is > > needed > > in

Re: [libvirt] [PATCH v3 2/6] libxl: do not enable nested HVM by mere presence of element

On Tue, Dec 19, 2017 at 01:45:57PM +, Daniel P. Berrange wrote: > On Tue, Dec 19, 2017 at 01:43:24PM +, Joao Martins wrote: > > On 12/19/2017 01:13 PM, Daniel P. Berrange wrote: > > > On Tue, Dec 19, 2017 at 01:01:36PM +, Joao Martins wrote: > > >> [Sorry for double posting, but I

Re: [libvirt] [PATCH] treat host models as case-insensitive strings

On Tue, Dec 19, 2017 at 12:39:26 -0600, Scott Garfinkle wrote: > Qemu now allows case-insensitive specification of CPU models. This fixes the > resulting problems on POWER arch machines. I believe a similar change is > needed > in src/cpu/cpu_x86.c but I don't have a way to test this. I believe

[libvirt] [PATCH] treat host models as case-insensitive strings

Qemu now allows case-insensitive specification of CPU models. This fixes the resulting problems on POWER arch machines. I believe a similar change is needed in src/cpu/cpu_x86.c but I don't have a way to test this. Signed-off-by: Scott Garfinkle ---

Re: [libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769 > > Signed-off-by: Stefan Bader > --- > examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 > 1

Re: [libvirt] [PATCH 12/12] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Required to generate correct profiles when using usb passthrough. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 > > Signed-off-by: Stefan Bader >

Re: [libvirt] [PATCH 10/12] apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > This is required for the ebtables functionality added in > libvirt 0.8.0. > > Signed-off-by: Stefan Bader > --- > examples/apparmor/usr.sbin.libvirtd | 4

Re: [libvirt] [PATCH 09/12] apparmor, libvirt-qemu: qemu won't call qemu-nbd

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > While libvirtd might do so, qemu itself as a guest will not need > to call qemu-nbd so remove it from the profile. > > Signed-off-by: Christian Ehrhardt > Signed-off-by: Stefan Bader

Re: [libvirt] [PATCH 06/12] apparmor, libvirt-qemu: Allow access to hugepage mounts

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Serge Hallyn > > Allows owner access to hugepage mounts (both, the old and > new systemd variant). > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1250216 > Bug-Ubuntu:

Re: [libvirt] [PATCH 08/12] apparmor, libvirt-qemu: add generic base vfio device

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > vfio devices are generated on the fly, but the generic base is > missing. > > The base vfio has not much functionality but to provide a custom > container by opening this path. > See https://www.kernel.org/doc/Documentation/vfio.txt

Re: [libvirt] [PATCH 07/12] apparmor, libvirt-qemu: add default pki path of lbvirt-spice

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > Adding the PKI path that is used as default suggestion in > src/qemu/qemu.conf > If people use non-default paths they should use local overrides but > the > suggested defaults we should open up. > > This is the default path as

Re: [libvirt] [PATCH] rpc: fix race sending and encoding sasl data

On 12/18/2017 12:46 PM, Daniel P. Berrange wrote: > The virNetSocketWriteSASL method has to encode the buffer it is given and then > write it to the underlying socket. This write is not guaranteed to send the > full amount of data that was encoded by SASL. We cache the SASL encoded data > so >

Re: [libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Allows (multi-arch enabled) access to libraries under the > /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu > qemu-block-extra package. > > Bug-Ubuntu:

Re: [libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Stefan Bader > > Prevent denial messages related to attempted reads on lttng > files from spamming the logs. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1432644 > > Signed-off-by: Christian

Re: [libvirt] [PATCH 04/12] apparmor, libvirt-qemu: Allow read access to max_mem_regions

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Serge Hallyn > > Allows read access to /sys/module/vhost/parameters/max_mem_regions. > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1531564 > > Signed-off-by: Stefan Bader

Re: [libvirt] [PATCH 03/12] apparmor, libvirt-qemu: Allow read access to sysfs system info

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Jamie Strandboge > > Newer qemu wants to read > /sys/devices/system/node/ > /sys/devices/system/cpu/ > /sys/devices/system/node/node[0-9]*/meminfo > > Signed-off-by: Stefan Bader

Re: [libvirt] [PATCH] apparmor: allow unix stream for p2p migrations

On Tue, 2017-12-19 at 14:13 +0100, Christian Ehrhardt wrote: > On live migration with --p2p like: > $ virsh migrate --live --p2p kvmguest-bionic-normal \ >qemu+ssh://10.6.221.80/system > > We hit an apparmor deny like: > apparmor="DENIED" operation="file_inherit" >

Re: [libvirt] [PATCH 01/12] apparmor, libvirt-qemu: Allow use of sgabios

On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: > From: Serge Hallyn > > Bug-Ubuntu: https://bugs.launchpad.net/bugs/1393548 > > Signed-off-by: Stefan Bader > --- > examples/apparmor/libvirt-qemu | 1 + > 1 file changed, 1

Re: [libvirt] [PATCH 00/12] Various apparmor related changes (part )

I beg your pardon - too much open edit's at once - should have been "part 3" in the subject :-) -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH 09/12] apparmor, libvirt-qemu: qemu won't call qemu-nbd

While libvirtd might do so, qemu itself as a guest will not need to call qemu-nbd so remove it from the profile. Signed-off-by: Christian Ehrhardt Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 1 - 1 file changed,

[libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

From: Jamie Strandboge Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769 Signed-off-by: Stefan Bader --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 1 file changed, 4 insertions(+) diff --git

[libvirt] [PATCH 08/12] apparmor, libvirt-qemu: add generic base vfio device

vfio devices are generated on the fly, but the generic base is missing. The base vfio has not much functionality but to provide a custom container by opening this path. See https://www.kernel.org/doc/Documentation/vfio.txt for more. Current access by qemu is "wr": [ 2652.756712] audit: type=1400

[libvirt] [PATCH 06/12] apparmor, libvirt-qemu: Allow access to hugepage mounts

From: Serge Hallyn Allows owner access to hugepage mounts (both, the old and new systemd variant). Bug-Ubuntu: https://bugs.launchpad.net/bugs/1250216 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1524737 Signed-off-by: Stefan Bader ---

[libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

From: Jamie Strandboge Allows (multi-arch enabled) access to libraries under the /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu qemu-block-extra package. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761 Signed-off-by: Christian Ehrhardt

[libvirt] [PATCH 07/12] apparmor, libvirt-qemu: add default pki path of lbvirt-spice

Adding the PKI path that is used as default suggestion in src/qemu/qemu.conf If people use non-default paths they should use local overrides but the suggested defaults we should open up. This is the default path as referenced by src/qemu/qemu.conf in libvirt. Bug-Ubuntu:

[libvirt] [PATCH 01/12] apparmor, libvirt-qemu: Allow use of sgabios

From: Serge Hallyn Bug-Ubuntu: https://bugs.launchpad.net/bugs/1393548 Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu

[libvirt] [PATCH 12/12] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

From: Jamie Strandboge Required to generate correct profiles when using usb passthrough. Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 Signed-off-by: Stefan Bader --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++ 1 file changed, 2

[libvirt] [PATCH 04/12] apparmor, libvirt-qemu: Allow read access to max_mem_regions

From: Serge Hallyn Allows read access to /sys/module/vhost/parameters/max_mem_regions. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1531564 Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 2 ++ 1 file changed, 2

[libvirt] [PATCH 10/12] apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

From: Jamie Strandboge This is required for the ebtables functionality added in libvirt 0.8.0. Signed-off-by: Stefan Bader --- examples/apparmor/usr.sbin.libvirtd | 4 1 file changed, 4 insertions(+) diff --git

[libvirt] [PATCH 00/12] Various apparmor related changes (part )

Hi, this is a continuation of the ongoing effort to feed back Ubuntu apparmor Delta on libvirt to the community (or to sort out remaining todos or to keep them distro specific). In that it is a follow on to: - https://www.redhat.com/archives/libvir-list/2017-May/msg00630.html -

[libvirt] [PATCH 03/12] apparmor, libvirt-qemu: Allow read access to sysfs system info

From: Jamie Strandboge Newer qemu wants to read /sys/devices/system/node/ /sys/devices/system/cpu/ /sys/devices/system/node/node[0-9]*/meminfo Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 4 1 file changed, 4 insertions(+)

[libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

From: Stefan Bader Prevent denial messages related to attempted reads on lttng files from spamming the logs. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1432644 Signed-off-by: Christian Ehrhardt Signed-off-by: Stefan Bader

Re: [libvirt] [PATCH] Let virt-manager 1.4.0+ work to access console of VM

This starves a bit in the corners of the ML, any chance to pick this up for 3.11? On Thu, Mar 2, 2017 at 8:42 AM, Guido Günther wrote: > On Wed, Mar 01, 2017 at 05:11:53PM -0500, Bryan Quigley wrote: >> Hi Guido, >> >> It's only needed when a user actually clicks on the running

Re: [libvirt] [PATCH v3 2/6] libxl: do not enable nested HVM by mere presence of element

On Tue, Dec 19, 2017 at 01:43:24PM +, Joao Martins wrote: > On 12/19/2017 01:13 PM, Daniel P. Berrange wrote: > > On Tue, Dec 19, 2017 at 01:01:36PM +, Joao Martins wrote: > >> [Sorry for double posting, but I mistakenly forgot to include libvirt list) > >> > >> +WimT +Daniel > >> > >> On

Re: [libvirt] [PATCH v3 2/6] libxl: do not enable nested HVM by mere presence of element

On 12/19/2017 01:13 PM, Daniel P. Berrange wrote: > On Tue, Dec 19, 2017 at 01:01:36PM +, Joao Martins wrote: >> [Sorry for double posting, but I mistakenly forgot to include libvirt list) >> >> +WimT +Daniel >> >> On 12/10/2017 02:10 AM, Marek Marczykowski-Górecki wrote: >>> element may be

Re: [libvirt] [PATCH v2 1/2] qemu: Invert condition nesting in qemuDomainDefValidate()

On Fri, Dec 15, 2017 at 15:48:27 +0100, Andrea Bolognani wrote: > While at the moment we're only performing a single check that is > connected to vCPU hotplugging, we're going to introduce a second > one soon. Move the topology check underneath the capability check > to make that easier; since,

Re: [libvirt] [PATCH v2 2/2] qemu: Enforce vCPU hotplug granularity constraints

On Fri, Dec 15, 2017 at 15:48:28 +0100, Andrea Bolognani wrote: > QEMU 2.7 and newer don't allow guests to start unless the initial > vCPUs count is a multiple of the vCPU hotplug granularity, so > validate it and report an error if needed. > > Resolves:

Re: [libvirt] [PATCH v3.1 3/6] libxl: add support for CPUID features policy

On 12/13/2017 07:09 PM, Marek Marczykowski-Górecki wrote: > Convert CPU features policy into libxl cpuid policy settings. Use new > ("libxl") syntax, which allow to enable/disable specific bits, using > host CPU as a base. For this reason, only "host-passthrough" mode is > accepted. > Libxl do not

Re: [libvirt] [PATCH v3 2/6] libxl: do not enable nested HVM by mere presence of element

On Tue, Dec 19, 2017 at 01:01:36PM +, Joao Martins wrote: > [Sorry for double posting, but I mistakenly forgot to include libvirt list) > > +WimT +Daniel > > On 12/10/2017 02:10 AM, Marek Marczykowski-Górecki wrote: > > element may be used to configure other > > features, like NUMA, or

[libvirt] [PATCH] apparmor: allow unix stream for p2p migrations

On live migration with --p2p like: $ virsh migrate --live --p2p kvmguest-bionic-normal \ qemu+ssh://10.6.221.80/system We hit an apparmor deny like: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/libvirtd" pid=23477 comm="ssh" family="unix" sock_type="stream"

Re: [libvirt] [PATCH v3 2/6] libxl: do not enable nested HVM by mere presence of element

[Sorry for double posting, but I mistakenly forgot to include libvirt list) +WimT +Daniel On 12/10/2017 02:10 AM, Marek Marczykowski-Górecki wrote: > element may be used to configure other > features, like NUMA, or CPUID. Do not enable nested HVM (which is in > "preview" state after all) by

Re: [libvirt] [PATCH 2/2] qemu: move qemuDomainDefValidateVideo into qemuDomainDeviceDefValidateVideo

On 12/18/2017 10:35 AM, Laine Stump wrote: > > qemuDomainDefValidateVideo() is just a loop performing various checks > on each video device. Rather than maintaining this outlyer function *outlying > called from qemuDomainDefValidateVideo(), just fold the validations > into

Re: [libvirt] [PATCH 1/2] qemu: assign correct type of PCI address for vhost-scsi when using pcie-root

On 12/18/2017 10:35 AM, Laine Stump wrote: > Commit 10c73bf1 fixed a bug that I had introduced back in commit > 70249927 - if a vhost-scsi device had no manually assigned PCI > address, one wouldn't be assigned automatically. There was a slight > problem with the logic of the fix though - in the

Re: [libvirt] [PATCH] virt-aa-helper: handle more disk images

Hi there! Has that one landed in abyssal depths of the mailing list? -- Cedric On Mon, 2017-12-11 at 16:23 +0100, Cédric Bosdonnat wrote: > virt-aa-helper needs read access to the disk image to resolve symlinks > and add the proper rules to the profile. Its profile whitelists a few > common

[libvirt] [PATCH 0/3] processor frequency information on S390

Since kernel version 4.7, processor frequency information is available on S390. This patch series extends the parser for both node information and system information, respectively. Let's also add a testcase to the test suite for a S390 CPU configuration running kernel version 4.14 on LPAR. This

[libvirt] [PATCH 1/3] util: virhostcpu: parse frequency information on S390

Since kernel version 4.7, processor frequency information is available on S390. Let's adjust the parser so this information shows up for virsh nodeinfo: # virsh nodeinfo CPU model: s390x CPU(s): 8 CPU frequency: 5000 MHz CPU socket(s): 1

[libvirt] [PATCH 2/3] tests: virhostcputest: testcase for S390 system

Let's add a testcase for a S390 system running kernel version 4.14 on LPAR. Reviewed-by: Marc Hartmayer Reviewed-by: Boris Fiuczynski Signed-off-by: Bjoern Walk --- .../linux-s390x-with-frequency.cpuinfo

[libvirt] [PATCH 3/3] util: virsysinfo: parse frequency information on S390

Let's also parse the available processor frequency information on S390 so that it can be utilized by virsh sysinfo: # virsh sysinfo ... 2964 IBM/S390 00 5000 5000 145F07 ... Reviewed-by: Marc Hartmayer