to me to implement those as well.
> >
> > Do you mind cooking up a patch so that we can have the whole sha-bang
> > included in the upcoming release? Thanks in advance!
>
> I should have time to do that today.
>
> Regards,
> Jim
>
--
Christian Ehrhardt
Senior Staff Engineer and acting Director, Ubuntu Server
Canonical Ltd
On Tue, Nov 22, 2022 at 9:55 AM Michal Prívozník wrote:
>
> On 11/22/22 09:47, Christian Ehrhardt wrote:
> > On Mon, Nov 21, 2022 at 4:51 PM Michal Prívozník
> > wrote:
> >>
> >> On 11/17/22 09:42, christian.ehrha...@canonical.com wrote:
On Mon, Nov 21, 2022 at 4:51 PM Michal Prívozník wrote:
>
> On 11/17/22 09:42, christian.ehrha...@canonical.com wrote:
> > From: Christian Ehrhardt
> >
> > For the handling of usb we already allow plenty of read access,
> > but so far /sys/bus/usb/devices only neede
From: Christian Ehrhardt
For the handling of usb we already allow plenty of read access,
but so far /sys/bus/usb/devices only needed read access to the directory
to enumerate the symlinks in there that point to the actual entries via
relative links to ../../../devices/.
But in more recent
From: Christian Ehrhardt
Certain udev entries might be of a size that makes libudev emit EINVAL,
which right now leads to udevEventHandleThread exiting. Since events are
then no longer handled, other elements of libvirt will keep pushing for
events to be consumed, which never happens, causing a busy loop
On Thu, Oct 13, 2022 at 10:06 AM Erik Skultety wrote:
>
> On Thu, Oct 13, 2022 at 08:05:41AM +0200, christian.ehrha...@canonical.com
> wrote:
> > From: Christian Ehrhardt
> >
> > Certain udev entries might be of a size that makes libudev emit EINVAL
From: Christian Ehrhardt
Certain udev entries might be of a size that makes libudev emit EINVAL,
which right now leads to udevEventHandleThread exiting. Since events are
then no longer handled, other elements of libvirt will keep pushing for
events to be consumed, which never happens, causing a busy loop
From: Christian Ehrhardt
Certain udev entries might be of a size that makes libudev emit EINVAL,
which right now leads to udevEventHandleThread exiting. Since events are
then no longer handled, other elements of libvirt will keep pushing for
events to be consumed, which never happens, causing a busy loop
On Fri, Sep 30, 2022 at 6:37 PM Jim Fehlig wrote:
>
> On 9/29/22 23:43, Christian Ehrhardt wrote:
> > On Thu, Sep 29, 2022 at 11:30 PM Jim Fehlig wrote:
> >>
> >> On 9/28/22 06:45, christian.ehrha...@canonical.com wrote:
> >>> From: Christian Ehrhardt
On Thu, Sep 29, 2022 at 2:01 PM Michal Prívozník wrote:
>
> On 9/27/22 12:17, christian.ehrha...@canonical.com wrote:
> > From: Christian Ehrhardt
> >
> > Sadly some devices provide invalid VPD data even with fully updated
> > firmware. Former hardening like 600f5
On Thu, Sep 29, 2022 at 11:30 PM Jim Fehlig wrote:
>
> On 9/28/22 06:45, christian.ehrha...@canonical.com wrote:
> > From: Christian Ehrhardt
> >
> > Riscv64 usually uses u-boot as external -kernel and a loader from
> > the open implementation of RISC-V SBI. The p
From: Christian Ehrhardt
Riscv64 usually uses u-boot as external -kernel and a loader from
the open implementation of RISC-V SBI. The paths for those binaries
as packaged in Debian and Ubuntu are in paths which are usually
forbidden to be added by the user under /usr/lib...
People used to start
From: Christian Ehrhardt
Sadly some devices provide invalid VPD data even with fully updated
firmware. Former hardening like 600f580d "PCI VPD: Skip fields with
invalid values" have already helped for those to some extent.
But if one happens to have such a device installed in the syste
On Thu, May 19, 2022 at 3:04 PM Michal Prívozník wrote:
>
> On 5/19/22 08:09, Christian Ehrhardt wrote:
> > On Thu, May 12, 2022 at 3:27 PM Max Goodhart wrote:
> >>
> >> Oops, I didn't intend for the commit author email to be
> >> git...
; \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}\"
>> r,\n");
>> virBufferAddLit(&buf, " # dri libs will trigger that, but t is not
>> requited and DAC would deny it anyway\n");
>> virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n");
>> }
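Review bot: the comment above the `deny "/var/lib/libvirt/.cache/" w,` rule reads "dri libs will trigger that, but t is not requited", and since it is emitted via virBufferAddLit it lands verbatim in every generated profile; change it to "but it is not required" before this merges.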
>> --
>> 2.34.1
>>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
On Thu, May 12, 2022 at 3:27 PM Max Goodhart wrote:
>
> From: Max Goodhart
Hi Max,
thanks for the work to identify and fix this!
It is indeed a natural evolution of my 27a9ebf2818 00fbb9e5167
f2cbb94eabd that made the rules so far.
Signed-off-by: Christian Ehrhardt
> This fixe
+ ptrace (read,trace) peer=swtpm,
>
>signal (send) peer=dnsmasq,
>signal (send) peer=/usr/sbin/dnsmasq,
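Review bot: `ptrace (read,trace) peer=swtpm,` grants libvirtd full ptrace attach (`trace`) on the swtpm process, not only the `read` mode that reading its /proc/<pid>/ entries needs; if the denial this fixes is just the /proc read, drop `trace` and keep the rule minimal, otherwise state in the commit message why attach is required.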
> --
> 2.25.1
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
From: Christian Ehrhardt
Since purged is a bool variable it should be initialized with false
instead of 0.
Suggested-by: Sergio Durigan Junior
Signed-off-by: Christian Ehrhardt
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security
On Thu, Nov 4, 2021 at 1:07 PM Christian Ehrhardt
wrote:
>
> On Tue, Nov 2, 2021 at 3:04 PM Ioanna Alifieraki
> wrote:
> >
> > This is a v2 of the patches sent previously and hopefully makes things
> > simpler.
> > (previous patches subject: [PATCH 0/4]
almost never would have run there isn't much reason for it as-is.
I was unsure at first if this now would have an issue when called with
-F triggering ctl->append extending the include_files and then (due to
empty profile setting purged) going into create_profile.
But since you only detect
On Sat, Oct 9, 2021 at 2:33 PM Jamie Strandboge wrote:
>
> On Thu, 07 Oct 2021, christian.ehrha...@canonical.com wrote:
>
> > From: Christian Ehrhardt
> >
> > If running multiple [1] clusters (uncommon) the ceph config file will be
> > derived from the cluster
uot;-r -u $valid_uuid" "$test_xml"
> + # All the tests are run with the --dry-run option this test is
> + # never going to fail because the profile is not going to be loaded.
> + # However, since we touch the profile if it's still here after the
> test
> + # it means that something went wrong, so make the test fail.
> + if [ -f "$profile_path/$valid_uuid" ]; then
> + echo "FAIL: failed to purge corrupted profile" >$output
> + echo " '$extra_args $args': "
> + errors=$(($errors + 1))
> + # remove corrupted profile anyways not to interfere with
> + # subsequent runs of the tests.
> + rm "$profile_path/$valid_uuid"
> + fi
> +fi
> +
> testme "0" "help" "-h"
>
> echo "" >$output
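Review bot: the FAIL report in the new `if [ -f "$profile_path/$valid_uuid" ]` block is split across two echos with different destinations: `echo "FAIL: failed to purge corrupted profile" >$output` but `echo " '$extra_args $args': "` goes to plain stdout, so the second line is lost or misplaced whenever $output is not stdout; redirect both the same way. Also, if this block sits outside testme(), $extra_args and $args still hold whatever the previous testme call left rather than the `-r -u $valid_uuid` invocation above, so print that invocation's arguments literally instead.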
> --
> 2.17.1
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
per.c | 87 ++-
> tests/meson.build | 1 +
> tests/virt-aa-helper-test | 29
> 3 files changed, 96 insertions(+), 21 deletions(-)
>
> --
> 2.17.1
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
From: Christian Ehrhardt
If running multiple [1] clusters (uncommon) the ceph config file will be
derived from the cluster name. Therefore the rule that allows reading ceph
config files needs to be opened up slightly to allow for that condition.
[1]:
https://docs.ceph.com/en/mimic/rados
ad no chance to test it myself it looks
exactly as I'd have expected a virtqemud profile.
Reviewed-by: Christian Ehrhardt
>
> diff --git a/src/security/apparmor/libvirt-qemu
> b/src/security/apparmor/libvirt-qemu
> index 85c9e61d6c..3e31ed4981 100644
> --- a/src/securit
le I don't immediately see which configuration makes virt-aa-helper
need openssl it is an abstraction that isn't allowing a lot, so IMHO
that should be ok to add.
Reviewed-by: Christian Ehrhardt
> ---
> src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
> 1 fil
n this file,
> which are then used by all libnl tools, possibly those used by libvirt.
> To be on the safe side, allow read access to the file in the virt-aa-helper
> profile and the libvirt-qemu abstraction.
>
> Signed-off-by: Jim Fehlig
While this particular rule would be covered in
efix'])
800 unit_conf.set('deps', unit.get('deps', ''))
801 if conf.has('WITH_POLKIT')
802 unit_conf.set('mode', '0666')
803 else
804 unit_conf.set('mode', '0600')
805 endif
...
Also see:
https://gitlab.com/libvirt/libvirt/-/commit/dd4f2c73ad7f9fc0eae5325d5bf5786afd3a467e
So if not just an error/mistake somewhere, then setting
socket_$name_in and providing such a file with your needs could be a
start
> Regards,
> Jim
>
> [1] https://bugzilla.opensuse.org/show_bug.cgi?id=1181838
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
c/remote/virt-guest-shutdown.target
> > +++ b/src/remote/virt-guest-shutdown.target
> > @@ -1,4 +1,3 @@
> > [Unit]
> > Description=Libvirt guests shutdown
> > -Requires=libvirtd.service
> > Documentation=https://libvirt.org
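Review bot: dropping `Requires=libvirtd.service` also drops the stop propagation from libvirtd.service to this target, and Requires= never implied ordering, so the shutdown sequencing of libvirt-guests.service now rests entirely on that unit's own After=/Before= lines; a sentence in the commit message confirming those still cover the libvirtd socket and service units would make the change easier to review.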
>
> Reviewed-by: Daniel P. Berrangé
On Wed, Nov 4, 2020 at 7:47 AM Neal Gompa wrote:
>
> On Tue, Nov 3, 2020 at 9:26 PM Jim Fehlig wrote:
> >
> > When restarting libvirt services and sockets *and* libvirt-guests.service
> > is running, the latter will sometimes hang when trying to connect to
> > libvirtd. Even though libvirt-guests
On Tue, Jan 19, 2021 at 11:43 AM Peter Krempa wrote:
>
> On Tue, Jan 19, 2021 at 11:23:16 +0100, Christian Ehrhardt wrote:
> > When adding a rule for an image file and that image file has a chain
> > of backing files then we need to add a rule for each of those files.
> >
On Tue, Jan 19, 2021 at 12:28 PM Peter Krempa wrote:
>
> On Tue, Jan 19, 2021 at 12:15:31 +0100, Christian Ehrhardt wrote:
> > On Tue, Jan 19, 2021 at 11:43 AM Peter Krempa wrote:
> > >
> > > On Tue, Jan 19, 2021 at 11:23:16 +0100, Christian Ehrhardt wrote:
>
On Tue, Jan 19, 2021 at 11:43 AM Peter Krempa wrote:
>
> On Tue, Jan 19, 2021 at 11:23:16 +0100, Christian Ehrhardt wrote:
> > When adding a rule for an image file and that image file has a chain
> > of backing files then we need to add a rule for each of those files.
> >
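The backing-chain rule generation described in the quoted commit message, as an added example in Python that is not libvirt's code (libvirt's security_apparmor.c and virt-aa-helper do this in C after probing the real qcow2 headers). The chain here is a constructed dict standing in for that probe, the rwk/rk split follows what the generated libvirt-<uuid> profiles contain, and the metacharacter escaping in aa_quote is my assumption about AppArmor path quoting, not a copy of virt-aa-helper's. It also refuses a looped or unprobed chain, which any real chain walker has to do:

```python
"""Emit one AppArmor rule per file of a disk image and its backing chain.

Added illustration, not libvirt code. The chain is a constructed mapping
path -> backing path (None for a base image) standing in for the qcow2 probe.
"""
from typing import Dict, List, Optional

# Constructed sample: vm1.qcow2 -> base-snap.qcow2 -> base.qcow2 (base image).
SAMPLE_CHAIN: Dict[str, Optional[str]] = {
    "/var/lib/libvirt/images/vm1.qcow2": "/var/lib/libvirt/images/base-snap.qcow2",
    "/var/lib/libvirt/images/base-snap.qcow2": "/var/lib/libvirt/images/base.qcow2",
    "/var/lib/libvirt/images/base.qcow2": None,
}

# Assumption: AppArmor still treats these as glob metacharacters inside a
# quoted path, so a file name containing them is backslash-escaped to stay literal.
_AA_SPECIAL = '\\"*?[{'


def aa_quote(path: str) -> str:
    """Return the path as a double-quoted AppArmor path literal."""
    escaped = "".join("\\" + c if c in _AA_SPECIAL else c for c in path)
    return f'"{escaped}"'


def walk_backing_chain(top: str, backing_of: Dict[str, Optional[str]],
                       max_depth: int = 32) -> List[str]:
    """Return [top, backing1, backing2, ...]; refuse loops, unprobed files, runaway depth."""
    chain: List[str] = []
    seen = set()
    cur: Optional[str] = top
    while cur is not None:
        if cur in seen:
            raise ValueError(f"backing chain loops back to {cur}")
        if cur not in backing_of:
            raise ValueError(f"backing file {cur} was never probed")
        if len(chain) >= max_depth:
            raise ValueError(f"backing chain deeper than {max_depth}")
        seen.add(cur)
        chain.append(cur)
        cur = backing_of[cur]
    return chain


def apparmor_rules_for_disk(top: str, backing_of: Dict[str, Optional[str]],
                            readonly: bool = False) -> List[str]:
    """Top image gets rwk (unless the disk is read-only); every backing file
    only rk, because qemu must never be able to write through a backing file."""
    rules: List[str] = []
    for depth, path in enumerate(walk_backing_chain(top, backing_of)):
        mode = "rk" if readonly or depth > 0 else "rwk"
        rules.append(f"  {aa_quote(path)} {mode},")
    return rules


if __name__ == "__main__":
    print("\n".join(apparmor_rules_for_disk("/var/lib/libvirt/images/vm1.qcow2",
                                            SAMPLE_CHAIN)))
```

Running it prints the three rules for the sample chain; only the top image is writable. The depth cap and loop check exist because the backing file name comes out of the image header, i.e. from data a guest owner controls.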
/-/issues/118
Signed-off-by: Christian Ehrhardt
---
src/security/security_apparmor.c | 39 ++--
1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 29f0956d22..1f309c0c9f 100644
--- a/src
ropriate virInterface*() APIs, reproduced in
> virNodeDeviceGetXMLDesc(), or just dropped altogether.
>
> On the netcf side, there are several small patches that have been
> sitting in git for a few years without being in any official release; it
> would probably be nice to make one final release before closing up shop.
> The mailing list could then be closed down, and some final message put
> in a README in the git repo (on pagure.io) before putting it into some
> archival state.
>
> After those things are done, the various distros could be notified of
> the newfound irrelevance of netcf, and given the opportunity to remove
> the package from their releases.
>
> Anything else?
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
at it is the same rule as in libvirt-qemu and therefore
should be rather safe.
TBH I did not see the denial when testing 6.9.0 [1], but the pattern
is known and therefore I think adding the rule is fine.
Reviewed-by: Christian Ehrhardt
[1]:
https://objectstorage.prodstack4-5.canonical.com/v1/AUT
:
> > > > On Wed, Nov 25, 2020 at 04:49:14PM +0100, Christian Ehrhardt wrote:
> > > > > I found that the same vol-download vs 127.0.0.1 gives the same
> > > > > results.
> > > > > That in turn makes it easier to gather results as we on
back to netcat (expected and ok).
- patched -> 6.9 - slow (as before)
- 6.9 -> patched - fast (which is good as upgrade paths use migration
and it is sufficient to upgrade the target)
Tested-by: Christian Ehrhardt
Thank you Daniel!
> src/remote/remote_ssh_helper.c | 113 ++
On Wed, Nov 25, 2020 at 2:47 PM Daniel P. Berrangé wrote:
>
> On Wed, Nov 25, 2020 at 02:33:44PM +0100, Christian Ehrhardt wrote:
> > On Wed, Nov 25, 2020 at 1:38 PM Daniel P. Berrangé
> > wrote:
> > >
> > > On Wed, Nov 25, 2020 at 01:28:09PM +0100, Christian
On Wed, Nov 25, 2020 at 1:38 PM Daniel P. Berrangé wrote:
>
> On Wed, Nov 25, 2020 at 01:28:09PM +0100, Christian Ehrhardt wrote:
> > On Wed, Nov 25, 2020 at 10:55 AM Christian Ehrhardt
> > wrote:
> > >
> > > On Tue, Nov 24, 2020 at 4:30 PM Peter Krempa w
On Wed, Nov 25, 2020 at 10:55 AM Christian Ehrhardt
wrote:
>
> On Tue, Nov 24, 2020 at 4:30 PM Peter Krempa wrote:
> >
> > On Tue, Nov 24, 2020 at 16:05:53 +0100, Christian Ehrhardt wrote:
> > > Hi,
> >
> > [...]
>
> BTW to reduce the scope what to
On Tue, Nov 24, 2020 at 4:30 PM Peter Krempa wrote:
>
> On Tue, Nov 24, 2020 at 16:05:53 +0100, Christian Ehrhardt wrote:
> > Hi,
>
> [...]
BTW to reduce the scope of what to think about - I have rebuilt 6.8 as
well; it works.
Thereby I can confirm that the offending change sh
o debug a hanging migration
Thanks in advance!
[1]:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1904584/+attachment/5437541/+files/full-log.tgz
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
On Wed, Nov 18, 2020 at 10:38 AM Daniel P. Berrangé wrote:
>
> On Tue, Nov 17, 2020 at 09:11:48PM -0500, Neal Gompa wrote:
> > On Tue, Nov 17, 2020 at 11:49 AM Christian Ehrhardt
> > wrote:
> > >
> > > On Mon, Nov 16, 2020 at 3:28 PM Michal Privoznik
On Mon, Nov 16, 2020 at 3:28 PM Michal Privoznik wrote:
>
> On 11/16/20 1:26 PM, Christian Ehrhardt wrote:
> > 'kvm-spice' is a binary name used to call 'kvm' which actually is a wrapper
> > around qemu-system-x86_64 enabling kvm acceleration. This isn'
On Mon, Nov 16, 2020 at 4:24 PM Laine Stump wrote:
>
> On 11/16/20 2:01 AM, Christian Ehrhardt wrote:
> > Hi,
> > I have last week discussed breakage in nwfilter usage on IRC
> >
> >
> >
> >
> > virsh start
> >error
.org/qemu-team/qemu/-/commit/9944836d3
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/libvirt-qemu | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt-qemu
index a03e9e2c94..85c9e61d6c 100644
--- a/src/security/apparmor/lib
testrule3 testrule3-renamed
ebtables v1.8.6 (nf_tables): Chain 'testrule3' doesn't exists
This led to upstream ebtables bug [1] - for now just FYI in case you
want/need to subscribe for your own tracking.
[1]: https://bugzilla.netfilter.org/show_bug.cgi?id=1481
--
Christian Ehrhar
@
> +
> + foo
> + c7a5fdbd-edaf-9455-926a-d65c16db1809
> + 219136
> + 219136
> + 1
> +
> +hvm
> +
> +
> +
> +
> +
> +
> + destroy
> + restart
> + destroy
> +
> +
> +
> diff --git a/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.err
> b/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.err
> new file mode 100644
> index 00..28f2e43432
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.err
> @@ -0,0 +1 @@
> +unsupported configuration: CPU maximum physical address bits number
> specification cannot be used with mode='passthrough'
> diff --git a/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.xml
> b/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.xml
> new file mode 100644
> index 00..a94e567dcb
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/cpu-phys-bits-passthrough3.xml
> @@ -0,0 +1,20 @@
> +
> + foo
> + c7a5fdbd-edaf-9455-926a-d65c16db1809
> + 219136
> + 219136
> + 1
> +
> +hvm
> +
> +
> +
> +
> +
> +
> + destroy
> + restart
> + destroy
> +
> +
> +
> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
> index c5a0095e0d..fd17fea744 100644
> --- a/tests/qemuxml2argvtest.c
> +++ b/tests/qemuxml2argvtest.c
> @@ -3409,6 +3409,13 @@ mymain(void)
>
> DO_TEST_CAPS_LATEST("virtio-9p-multidevs");
>
> +DO_TEST("cpu-phys-bits-passthrough", QEMU_CAPS_KVM,
> QEMU_CAPS_CPU_PHYS_BITS);
> +DO_TEST("cpu-phys-bits-emulate", QEMU_CAPS_KVM,
> QEMU_CAPS_CPU_PHYS_BITS);
> +DO_TEST("cpu-phys-bits-emulate2", QEMU_CAPS_KVM,
> QEMU_CAPS_CPU_PHYS_BITS);
> +DO_TEST_PARSE_ERROR("cpu-phys-bits-emulate3", QEMU_CAPS_KVM);
> +DO_TEST_PARSE_ERROR("cpu-phys-bits-passthrough2", QEMU_CAPS_KVM);
> +DO_TEST_PARSE_ERROR("cpu-phys-bits-passthrough3", QEMU_CAPS_KVM);
> +
> if (getenv("LIBVIRT_SKIP_CLEANUP") == NULL)
> virFileDeleteTree(fakerootdir);
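Review bot: the six new DO_TEST/DO_TEST_PARSE_ERROR lines hard-code QEMU_CAPS_KVM and QEMU_CAPS_CPU_PHYS_BITS while the neighbouring `DO_TEST_CAPS_LATEST("virtio-9p-multidevs")` uses real capability data; unless a pinned fake capability set is deliberately needed, use DO_TEST_CAPS_LATEST and DO_TEST_CAPS_LATEST_PARSE_ERROR for consistency so these tests keep tracking the actual qemu feature set.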
>
>
>
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
On Wed, Sep 23, 2020 at 6:45 PM Jim Fehlig wrote:
>
> On 9/23/20 7:51 AM, Jim Fehlig wrote:
> > On 9/23/20 7:26 AM, Christian Ehrhardt wrote:
> >> On Wed, Sep 23, 2020 at 12:35 AM Jim Fehlig wrote:
> >>>
> >>> Like other distros, openSUSE Tumblewee
PUx,
> + /usr/{lib,libexec}/xen-*/bin/pygrub PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
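Review bot: `/usr/{lib,libexec}/xen-*/bin/pygrub PUx,` falls back to running pygrub unconfined whenever no pygrub profile is loaded, and pygrub parses bootloader configuration read out of the untrusted guest disk; if no pygrub profile is shipped alongside this, consider `Px` so the exec fails closed, or note in the commit message why the unconfined fallback (matching the vhost-user-gpu and virtiofsd lines) is acceptable here.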
>
> --
> 2.28.0
>
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
literally at https://libvirt.org/formatdomain.html#video-devices
"This legacy behaviour can be inconvenient in cases where GPU mediated
devices are meant to be the only rendering device within a guest and
so specifying another video device along with type none."
Thank you Gerd and
On Fri, Sep 4, 2020 at 12:37 PM Gerd Hoffmann wrote:
>
> On Fri, Sep 04, 2020 at 12:05:08PM +0200, Christian Ehrhardt wrote:
> > Hi,
> > I've had continuous issues with this and wanted to reach out
> > if that is a common issue everyone has or just me lacking a
Hi,
I've had continuous issues with this and wanted to reach out
if that is a common issue everyone has or just me lacking a little
detail on my setup.
Setup:
- tried qemu up to 4.2
- tried libvirt up to 6.0
- virt-viewer up to 7.0-2build1
- virt-manager up to 2.2.1
- I plan to retry with qemu 5.0
On Thu, Sep 3, 2020 at 12:36 PM Daniel P. Berrangé wrote:
>
> On Thu, Sep 03, 2020 at 12:18:42PM +0200, Christian Ehrhardt wrote:
> > On Wed, Sep 2, 2020 at 6:49 PM Michal Privoznik wrote:
> > >
> > > On 9/2/20 3:58 PM, Christian Ehrhardt wrote:
> > > >
On Thu, Sep 3, 2020 at 12:49 PM Richard Laager wrote:
>
> On 9/3/20 5:18 AM, Christian Ehrhardt wrote:
> > Even if my fix lands, we are back to square one and would need
> > virt-manager to submit a different XML.
> > Remember: my target here would be to come back to pra
On Wed, Sep 2, 2020 at 6:49 PM Michal Privoznik wrote:
>
> On 9/2/20 3:58 PM, Christian Ehrhardt wrote:
> > In c9ec7088 "storage: extend preallocation flags support for qemu-img"
> > the option to fallocate was added and meant to be active when (quote):
> > "
com/show_bug.cgi?id=1759454
Fixes: https://bugs.launchpad.net/ubuntu/focal/+source/libvirt/+bug/1847105
Signed-off-by: Christian Ehrhardt
---
src/storage/storage_util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
in
creates that socket:
$ qemu-system-x86_64 -vnc socket:/tmp/foobar
creates:
srwxrwxr-x 1 paelzer paelzer 0 Sep 1 11:43 /tmp/foobar=
Therefore qemu would need the write permission to that value IMHO.
And as I said the concern of "VMs can connect to each other" would
only be tru
after pivot_root need not to allow everything
- settle on common paths with the community
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/libvirt-qemu | 3 ++
src/security/apparmor/usr.sbin.libvirtd.in | 46 ++
2 files changed, 49 insertions(+)
diff --git a
" requested_mask="x" denied_mask="x"
> fsuid=0 ouid=0
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/v
On Tue, Aug 25, 2020 at 4:07 PM Daniel P. Berrangé wrote:
>
> On Tue, Aug 25, 2020 at 03:16:50PM +0200, Christian Ehrhardt wrote:
> > Hi,
> > I expect that this falls under the "with meson now everything is
> > different anyway" umbrella but wanted to let you
On Mon, Aug 24, 2020 at 2:21 PM Christian Ehrhardt
wrote:
>
> On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke wrote:
> >
> > When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> > filesystem access on the host. When a guest is configured wi
ct-libvirt.sh
[4]:
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-groovy/groovy/amd64/libv/libvirt/20200825_005918_44b74@/log.gz
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
d=0
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt
P.
On Thu, Aug 20, 2020 at 10:50 AM Michael Chapman wrote:
>
> On Thu, 20 Aug 2020, Christian Ehrhardt wrote:
> > On Wed, Aug 19, 2020 at 12:15 PM Christian Ehrhardt
> > wrote:
> > >
> > > In libvirt 6.6 stopping guests with libvirt-guests.sh is broken.
> >
On Thu, Aug 20, 2020 at 5:15 PM Mark Mielke wrote:
>
> On Thu, Aug 20, 2020 at 8:55 AM Christian Ehrhardt
> wrote:
>>
>> On Thu, Aug 20, 2020 at 12:43 PM Martin Wilck wrote:
>> > The simplest approach is to touch the qemu binaries. We discussed this
ne a known path in
there like /var/run/qemu/last_packaging_change the packages could easily
touch it on any install/remove/update as Daniel suggested and libvirt could
check this path like it does with the date of the qemu binary already.
[1]:
https://github.com/qemu/qemu/commit/bd83c861c0628a64997b7bd95c3bcc2e916baf2e
> Cheers,
> Martin
>
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
On Wed, Aug 19, 2020 at 12:15 PM Christian Ehrhardt
wrote:
>
> In libvirt 6.6 stopping guests with libvirt-guests.sh is broken.
> As soon as there is more than one guest one can see
> `systemctl stop libvirt-guests` failing and in the log we see:
> libvirt-guests.sh[2455]: Ru
and as discussed on IRC users are kind
of used to trim logs, so it should be ok.
Reviewed-by: Christian Ehrhardt
> Reported-by: Christian Ehrhardt
> Signed-off-by: Michal Privoznik
> ---
> src/util/virdevmapper.c | 23 +++
> 1 file changed, 15 inserti
APPARMOR_DIR
Thanks a lot for doing this work early on!
Changes LGTM
Reviewed-by: Christian Ehrhardt
> meson.build | 5 -
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> --
> 2.26.2
>
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
t 'textify' all assignments that are strings or potentially
can become such lists (even if they are not using the local qualifier).
Fixes: 08071ec0 "tools: variables clean-up in libvirt-guests script"
Signed-off-by: Christian Ehrhardt
---
tools/libvirt-guests.sh.in | 136 ++
On Tue, Aug 18, 2020 at 12:47 PM Christian Ehrhardt
wrote:
>
> On Tue, Aug 18, 2020 at 12:11 PM Christian Ehrhardt
> wrote:
> >
> > On Tue, Aug 18, 2020 at 11:36 AM Michal Privoznik
> > wrote:
> > >
> > > v2 of:
> > >
> > > https:
On Tue, Aug 18, 2020 at 12:11 PM Christian Ehrhardt
wrote:
>
> On Tue, Aug 18, 2020 at 11:36 AM Michal Privoznik wrote:
> >
> > v2 of:
> >
> > https://www.redhat.com/archives/libvir-list/2020-August/msg00489.html
> >
> > diff to v1:
> > - After dis
fferent.
>
> Michal Prívozník (2):
> virdevmapper: Don't cache device-mapper major
> virdevmapper: Handle kernel without device-mapper support
Reviewed-by: Christian Ehrhardt
Builds have started to re-test it as well ...
> src/util/virdevmapper.c | 35 +++
your patches a try for this use case as well since I wasn't sure
anyone else would.
I can confirm that functionally your patches applied on top of 6.6 (as
we work on it for
Debian&Ubuntu) make it work again. Therefore:
Tested-by: Christian Ehrhardt
On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé
wrote:
> On Fri, Aug 07, 2020 at 12:21:19PM +0200, Christian Ehrhardt wrote:
> > The design of apparmor in libvirt always had a way to define custom
> > per-guest rules as described in docs/drvqemu.html and [1].
> >
On Fri, Aug 7, 2020 at 6:14 PM Daniel P. Berrangé
wrote:
> On Fri, Aug 07, 2020 at 12:21:20PM +0200, Christian Ehrhardt wrote:
> > With qemu 5.0 and libvirt 6.6 there are new apparmor denials:
> > apparmor="DENIED" operation="umount" profile="libvirtd&q
ere is an entry in devices (in host and in the container)
$ cat /proc/devices | grep map
253 device-mapper
But libvirt 6.6 in this case running in a LXD system container
(working before) now fails related to this with what seems to be the
same high level symptom.
# virsh start kvmguest-groovy-normal3
error: Failed to start domain kvmguest-groovy-normal3
error: internal error: Process exited prior to exec: libvirt: QEMU
Driver error : Unable to get devmapper targets for
/var/lib/uvtool/libvirt/images/kvmguest-groovy-normal3.qcow: No such
file or directory
> --
> Andrea Bolognani / Red Hat / Virtualization
>
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
in the GitLab group with "Developer" role you
> should be able to do that on your own.
>
Thanks for the offer, I planned to push these today giving people who would
look more likely to review on the weekend a chance as well.
Now pushed with all the review/ack tags I got on these chan
overrides and thereby break a documented feature.
[1]: https://gitlab.com/apparmor/apparmor/-/wikis/Libvirt#advanced-usage
Fixes: eba2225b "apparmor: delete profile on VM shutdown"
Signed-off-by: Christian Ehrhardt
---
src/security/virt-aa-helper.c | 3 +--
1 file changed, 1 inser
handling [1] and the
error path triggered by these issues now causes this new denial.
There are already related rules for mounting and it seems right to
allow also the related umount.
[1]: https://www.redhat.com/archives/libvir-list/2020-August/msg00236.html
Signed-off-by: Christian Ehrhardt
---
s
://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
Signed-off-by: Christian Ehrhardt
Acked-by: Jamie Strandboge
---
src/security/apparmor/libvirt-qemu | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu
b
From: Stefan Bader
On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
to detect hardware capabilities via qemu_getauxval.
Allow that access read-only for the entry owned by the current
qemu process.
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Acked-by: Jamie
]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003
Signed-off-by: Christian Ehrhardt
Acked-by: Jamie Strandboge
---
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security
so one can understand the
case a commit tries to fix without knowing too much context.
Update since v1:
- drop a few commits that in discussion turned out to be not/no-more needed
- fixed a few typos
- added the ack's that I received by Jamie Strandboge
Christian Ehrhardt (1):
apparmor: let qemu
feature load [2] after package upgrades.
[1]: https://github.com/qemu/qemu/commit/bd83c861
[2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361
Signed-off-by: Christian Ehrhardt
Acked-by: Jamie Strandboge
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions
From: Jamie Strandboge
Allow qemu to read @{PROC}/sys/vm/overcommit_memory.
This is read on guest start-up and (as read-only) not a
critical secret that has to stay hidden.
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Signed-off-by: Jamie Strandboge
---
src/security
On Mon, Aug 3, 2020 at 5:05 PM Jamie Strandboge wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > For quite a while libvirt-aa-helper triggers nss related apparmor
> > denials like:
> > operation="open" profile="virt-aa-helper" na
On Mon, Aug 3, 2020 at 5:13 PM Jamie Strandboge wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Serge Hallyn
> >
> > Chardevs/sockets configured for openvswitch-dpdk use cases
> > might be probed by virt-aa-helper. Allow that access to enable
On Mon, Aug 3, 2020 at 5:11 PM Jamie Strandboge wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Stefan Bader
> >
> > Temporary directories are a common place images are placed by users
> > for any sort of quick evaluation. Allow virt-aa-he
On Mon, Aug 3, 2020 at 5:07 PM Jamie Strandboge wrote:
> On Mon, 03 Aug 2020, Christian Ehrhardt wrote:
>
> > From: Stefan Bader
> >
> > On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
> > to detect hardware capabilities via qemu_getauxval.
>
bin/bugreport.cgi?bug=882979
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1546674
[3]: https://gitlab.com/apparmor/apparmor
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/securit
From: Jamie Strandboge
Allow qemu to read @{PROC}/sys/vm/overcommit_memory.
This is read on guest start-up and (as read-only) not a
critical secret that has to stay hidden.
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Signed-off-by: Jamie Strandboge
---
src/security
properly probe them e.g. for further backing files in
the case of qcow2.
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
b/src/security/apparmor
From: Stefan Bader
On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
to detect hardware capabilities via qemu_getauxval.
Allow that access read-only for the entry owned by the current
qemu process.
Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
---
src
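What qemu_getauxval actually reads from the entry the rule above grants, as an added Python example that is not qemu or libvirt code: a parser for the /proc/<pid>/auxv format (type/value pairs of native word size, terminated by AT_NULL), run over a constructed sample vector; read_own_auxv() is the only part that touches the real file. The wordsize and endianness parameters matter on the architectures the commit lists (s390x is big-endian). One caveat behind the `owner` qualifier in the rule: AT_RANDOM carries the address of the 16 random bytes glibc seeds its stack canary and pointer guard from, so auxv is per-process layout information and nothing one qemu should read out of another process.

```python
"""Parse an ELF auxiliary vector as found in /proc/<pid>/auxv.

Added illustration, not qemu or libvirt code. SAMPLE_AUXV is constructed
inline; only read_own_auxv() reads the real file (Linux only).
"""
import struct
from typing import Dict, List, Tuple

# Auxiliary vector types (values from the ELF ABI / <elf.h>).
AT_NULL, AT_PAGESZ, AT_HWCAP, AT_RANDOM, AT_HWCAP2 = 0, 6, 16, 25, 26
AT_NAMES = {AT_PAGESZ: "AT_PAGESZ", AT_HWCAP: "AT_HWCAP",
            AT_RANDOM: "AT_RANDOM", AT_HWCAP2: "AT_HWCAP2"}


def _fmt(wordsize: int, little_endian: bool) -> str:
    """struct format for one (a_type, a_val) pair of the given word size."""
    return ("<" if little_endian else ">") + ("QQ" if wordsize == 8 else "II")


def parse_auxv(data: bytes, wordsize: int = 8,
               little_endian: bool = True) -> Dict[int, int]:
    """Decode pairs up to AT_NULL; a truncated trailing fragment is ignored."""
    fmt = _fmt(wordsize, little_endian)
    entry = 2 * wordsize
    result: Dict[int, int] = {}
    for off in range(0, len(data) - entry + 1, entry):
        a_type, a_val = struct.unpack_from(fmt, data, off)
        if a_type == AT_NULL:
            break
        result[a_type] = a_val
    return result


def build_auxv(entries: List[Tuple[int, int]], wordsize: int = 8,
               little_endian: bool = True) -> bytes:
    """Encode entries plus the AT_NULL terminator (used to construct sample input)."""
    fmt = _fmt(wordsize, little_endian)
    body = b"".join(struct.pack(fmt, t, v) for t, v in entries)
    return body + struct.pack(fmt, AT_NULL, 0)


# Constructed sample: illustrative values, not captured from a host.
SAMPLE_ENTRIES = [(AT_PAGESZ, 4096), (AT_HWCAP, 0xBFEBFBFF),
                  (AT_HWCAP2, 0x2), (AT_RANDOM, 0x7FFD00001234)]
SAMPLE_AUXV = build_auxv(SAMPLE_ENTRIES)


def hwcaps(data: bytes, **kw) -> Tuple[int, int]:
    """The two values qemu_getauxval is after: (AT_HWCAP, AT_HWCAP2), 0 if absent."""
    aux = parse_auxv(data, **kw)
    return aux.get(AT_HWCAP, 0), aux.get(AT_HWCAP2, 0)


def read_own_auxv(path: str = "/proc/self/auxv", wordsize: int = 8,
                  little_endian: bool = True) -> Dict[int, int]:
    """Read this process's own vector; needs the 'owner' auxv read rule under AppArmor."""
    with open(path, "rb") as f:
        return parse_auxv(f.read(), wordsize, little_endian)


if __name__ == "__main__":
    for a_type, a_val in parse_auxv(SAMPLE_AUXV).items():
        print(f"{AT_NAMES.get(a_type, a_type)}: {a_val:#x}")
```

The parser stops at AT_NULL and tolerates a truncated tail, which is what you want when reading the file of a process that may be mid-exec; swap wordsize=4 for a 32-bit qemu and little_endian=False on s390x.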
]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931768
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1326003
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor
so one can understand the
case a commit tries to fix without knowing too much context.
Christian Ehrhardt (2):
apparmor: allow virt-aa-helper nameservices
apparmor: let qemu load old shared objects after upgrades
Jamie Strandboge (1):
apparmor: read only access to overcommit_memory
Sam
feature load [2] after package upgrades.
[1]: https://github.com/qemu/qemu/commit/bd83c861
[2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/libvirt-qemu | 5 +
1 file changed, 5 insertions(+)
diff --git a/src
://www.qemu.org/docs/master/system/tls.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930100
Signed-off-by: Christian Ehrhardt
---
src/security/apparmor/libvirt-qemu | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/security/apparmor/libvirt-qemu
b/src/security/apparmor/libvirt
1 - 100 of 482 matches