diff --git a/libvirt-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch b/libvirt-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1da2fbb71db307b960e4e0e5933a623e3e17a1d0
--- /dev/null
+++ b/libvirt-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
@@ -0,0 +1,40 @@
+From 19845de491a3102df4256a3457c7d5669bccda63 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Mon, 18 May 2020 10:07:30 +0200
+Subject: [PATCH] Don't require secdrivers to implement
+ .domainMoveImageMetadata
+
+The AppArmor secdriver does not use labels to grant access to
+resources. Therefore, it doesn't use XATTRs and hence it lacks
+implementation of .domainMoveImageMetadata callback. This leads
+to a harmless but needless error message appearing in the logs:
+
+ virSecurityManagerMoveImageMetadata:476 : this function is not
+ supported by the connection driver: virSecurityManagerMoveImageMetadata
+
+Closes: https://gitlab.com/libvirt/libvirt/-/issues/25
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Erik Skultety
+Signed-off-by: Jin Yan
+---
+ src/security/security_manager.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
+index fe03274..1445291 100644
+--- a/src/security/security_manager.c
++++ b/src/security/security_manager.c
+@@ -473,8 +473,7 @@ virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
+ return ret;
+ }
+
+- virReportUnsupportedError();
+- return -1;
++ return 0;
+ }
+
+
+--
+1.8.3.1
+
diff --git a/libvirt-Fix-some-wrong-usage-of-ATTRIBUTE_NONNULL.patch b/libvirt-Fix-some-wrong-usage-of-ATTRIBUTE_NONNULL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8dda751a9325d6c8fb6e2c51bb06d03325e6b09b
--- /dev/null
+++ b/libvirt-Fix-some-wrong-usage-of-ATTRIBUTE_NONNULL.patch
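Review bot: The new `return 0;` makes virSecurityManagerMoveImageMetadata report success for a driver that has no .domainMoveImageMetadata callback, which is a contract change every caller now inherits, and nothing in the hunk documents it; the function's doc comment (the function starts before the hunk) should state that drivers which do not record labels in XATTRs are treated as a no-op success here. If the skipped move should stay observable when debugging label problems, a `VIR_DEBUG("secdriver has no domainMoveImageMetadata callback, nothing to move");` in place of the removed virReportUnsupportedError() keeps it out of the error log while still leaving a trace.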
@@ -0,0 +1,54 @@
+From 42e4b74e1bbd08aad3afa46d741e46c40a8af73d Mon Sep 17 00:00:00 2001
+From: Bihong Yu
+Date: Sat, 6 Jun 2020 18:52:35 +0800
+Subject: [PATCH] Fix some wrong usage of ATTRIBUTE_NONNULL()
+
+The virStateInitialize() function has ATTRIBUTE_NONNULL()
+referring to @root argument (incorrectly anyway) but in
+daemonRunStateInit() NULL is passed in anyway.
+
+Then there is virCommandAddArgPair() which also has
+ATTRIBUTE_NONNULL() for one of its arguments and then checks the
+argument for being NULL anyways.
+
+Signed-off-by:Bihong Yu
+Reviewed-by:Chuan Zheng
+Signed-off-by: Michal Privoznik
+Reviewed-by: Michal Privoznik
+Signed-off-by: Jin Yan
+---
+ src/libvirt_internal.h | 3 +--
+ src/util/vircommand.h | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/libvirt_internal.h b/src/libvirt_internal.h
+index 00ef7aa..72c6127 100644
+--- a/src/libvirt_internal.h
++++ b/src/libvirt_internal.h
+@@ -33,8 +33,7 @@ int virStateInitialize(bool privileged,
+ bool mandatory,
+ const char *root,
+ virStateInhibitCallback inhibit,
+- void *opaque)
+- ATTRIBUTE_NONNULL(2);
++ void *opaque);
+ int virStateCleanup(void);
+ int virStateReload(void);
+ int virStateStop(void);
+diff --git a/src/util/vircommand.h b/src/util/vircommand.h
+index 9086f9a..4e6cb0a 100644
+--- a/src/util/vircommand.h
++++ b/src/util/vircommand.h
+@@ -128,8 +128,7 @@ void virCommandAddArgFormat(virCommandPtr cmd,
+
+ void virCommandAddArgPair(virCommandPtr cmd,
+ const char *name,
+- const char *val)
+- ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
++ const char *val);
+
+ void virCommandAddArgSet(virCommandPtr cmd,
+ const char *const*vals) ATTRIBUTE_NONNULL(2);
+--
+1.8.3.1
+
diff --git a/libvirt-conf-Increase-cpuset-length-limit-for-CPU-pinning.patch b/libvirt-conf-Increase-cpuset-length-limit-for-CPU-pinning.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f5d59c740f3a8c55f6835463711bf87669aec75b
--- /dev/null
+++ b/libvirt-conf-Increase-cpuset-length-limit-for-CPU-pinning.patch
@@ -0,0 +1,31 @@
+From fc8c41dbb52eb9ce3ee36680ecb53a41f4146610 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Thu, 11 Jun 2020 13:53:27 +0200
+Subject: [PATCH] conf: Increase cpuset length limit for CPU pinning
+
+Domains are now allowed to be pinned to host CPUs with IDs up to 16383.
+The new limit is as arbitrary as the old one. It's just bigger.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Michal Privoznik
+Signed-off-by: Jin Yan
+---
+ src/conf/domain_conf.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
+index a40773a..16e6253 100644
+--- a/src/conf/domain_conf.h
++++ b/src/conf/domain_conf.h
+@@ -2241,7 +2241,7 @@ struct _virDomainHugePage {
+ unsigned long long size; /* hugepage size in KiB */
+ };
+
+-#define VIR_DOMAIN_CPUMASK_LEN 1024
++#define VIR_DOMAIN_CPUMASK_LEN 16384
+
+ struct _virDomainIOThreadIDDef {
+ bool autofill;
+--
+1.8.3.1
+
diff --git a/libvirt-qemu-Skip-pre-creation-of-NVMe-disks.patch b/libvirt-qemu-Skip-pre-creation-of-NVMe-disks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a20fb0ff536dcc696e5214de39cbeb151e6e5c0
--- /dev/null
+++ b/libvirt-qemu-Skip-pre-creation-of-NVMe-disks.patch
@@ -0,0 +1,51 @@
+From a7f7d8f7513af2b98d01259480f63167cf44cced Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Tue, 26 May 2020 16:26:25 +0200
+Subject: [PATCH] qemu: Skip pre-creation of NVMe disks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upon migration with disks, libvirt determines if each disk exists
+on the destination and tries to pre-create missing ones. Well,
+NVMe disks can't be pre-created, but they can be checked for
+presence.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1823639
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Ján Tomko
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_migration.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index 65b47ec..3f4627b 100644
+--- a/src/qemu/qemu_migration.c
++++ b/src/qemu/qemu_migration.c
+@@ -315,6 +315,7 @@ qemuMigrationDstPrecreateStorage(virDomainObjPtr vm,
+ for (i = 0; i < nbd->ndisks; i++) {
+ virDomainDiskDefPtr disk;
+ const char *diskSrcPath;
++ g_autofree char *nvmePath = NULL;
+
+ VIR_DEBUG("Looking up disk target '%s' (capacity=%llu)",
+ nbd->disks[i].target, nbd->disks[i].capacity);
+@@ -326,7 +327,12 @@ qemuMigrationDstPrecreateStorage(virDomainObjPtr vm,
+ goto cleanup;
+ }
+
+- diskSrcPath = virDomainDiskGetSource(disk);
++ if (disk->src->type == VIR_STORAGE_TYPE_NVME) {
++ virPCIDeviceAddressGetSysfsFile(&disk->src->nvme->pciAddr, &nvmePath);
++ diskSrcPath = nvmePath;
++ } else {
++ diskSrcPath = virDomainDiskGetSource(disk);
++ }
+
+ /* Skip disks we don't want to migrate and already existing disks. */
+ if (!qemuMigrationAnyCopyDisk(disk, nmigrate_disks, migrate_disks) ||
+--
+1.8.3.1
+
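Review bot: The result of `virPCIDeviceAddressGetSysfsFile(&disk->src->nvme->pciAddr, &nvmePath);` in the new VIR_STORAGE_TYPE_NVME branch is discarded, so if that helper reports failure nvmePath stays NULL and diskSrcPath is handed on as NULL to the existence check that follows the hunk. The error path visible just above the change already uses `goto cleanup;`, and the new call should follow it: `if (virPCIDeviceAddressGetSysfsFile(&disk->src->nvme->pciAddr, &nvmePath) < 0) goto cleanup;`, assuming the helper uses libvirt's usual int/-1 convention, which is worth confirming against its declaration. qemuMigrationDstPrecreateStorage continues on both sides of the two hunks.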
diff --git a/libvirt-qemu-do-not-add-model-when-actual-iface-type-is-host.patch b/libvirt-qemu-do-not-add-model-when-actual-iface-type-is-host.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89c09a4e666d9c781ebfa2e5d115e1d29418c314
--- /dev/null
+++ b/libvirt-qemu-do-not-add-model-when-actual-iface-type-is-host.patch
@@ -0,0 +1,32 @@
+From c8a043dcdf4f04288bcfc34c25054dcef571a6a7 Mon Sep 17 00:00:00 2001
+From: Paulo de Rezende Pinatti
+Date: Tue, 16 Jun 2020 16:32:10 +0200
+Subject: [PATCH] qemu: do not add model when actual iface type is hostdev
+
+No default model should be added to the interface
+entry at post parse when its actual network type is hostdev
+as doing so might cause a mismatch between the interface
+definition and its actual device type.
+
+Signed-off-by: Paulo de Rezende Pinatti
+Reviewed-by: Laine Stump
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 91c1a49..cfada81 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -9334,6 +9334,7 @@ qemuDomainDeviceNetDefPostParse(virDomainNetDefPtr net,
+ virQEMUCapsPtr qemuCaps)
+ {
+ if (net->type != VIR_DOMAIN_NET_TYPE_HOSTDEV &&
++ virDomainNetResolveActualType(net) != VIR_DOMAIN_NET_TYPE_HOSTDEV &&
+ !virDomainNetGetModelString(net))
+ net->model = qemuDomainDefaultNetModel(def, qemuCaps);
+
+--
+1.8.3.1
+
diff --git a/libvirt-qemu-only-stop-external-devices-after-the-domain.patch b/libvirt-qemu-only-stop-external-devices-after-the-domain.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7bf670e45e5720ff500034177790fde092a23c7b
--- /dev/null
+++ b/libvirt-qemu-only-stop-external-devices-after-the-domain.patch
@@ -0,0 +1,45 @@
+From 7dd15a340179598dece5546c9e4fec9b8e47aca7 Mon Sep 17 00:00:00 2001
+From: Ján Tomko
+Date: Tue, 12 May 2020 12:59:07 +0200
+Subject: [PATCH] qemu: only stop external devices after the domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A failure in qemuProcessLaunch would lead to qemuExtDevicesStop
+being called twice - once in the cleanup section and then again
+in qemuProcessStop.
+
+However, the first one is called while the QEMU process is
+still running, which is too soon for the swtpm process, because
+the swtmp_ioctl command can lock up:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1822523
+
+Remove the first call and only leave the one in qemuProcessStop,
+which is called after the QEMU process is killed.
+
+Signed-off-by: Ján Tomko
+Reviewed-by: Daniel Henrique Barboza
+Reviewed-by: Erik Skultety
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_process.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 6b9f6fb..6fbe0c1 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -6998,8 +6998,6 @@ qemuProcessLaunch(virConnectPtr conn,
+ ret = 0;
+
+ cleanup:
+- if (ret < 0)
+- qemuExtDevicesStop(driver, vm);
+ qemuDomainSecretDestroy(vm);
+ return ret;
+ }
+--
+1.8.3.1
+
diff --git a/libvirt-qemuDomainCleanupRun-Actually-run-cleanup-callbacks-.patch b/libvirt-qemuDomainCleanupRun-Actually-run-cleanup-callbacks-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0d36a662368762df1253bf20e557beac3c1f30e
--- /dev/null
+++ b/libvirt-qemuDomainCleanupRun-Actually-run-cleanup-callbacks-.patch
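Review bot: With the two `if (ret < 0) qemuExtDevicesStop(driver, vm);` lines gone, the `cleanup:` label in qemuProcessLaunch no longer tears down external devices on failure, and a reader of this function alone cannot tell that qemuProcessStop is now responsible; a comment at the label such as `/* external devices (e.g. swtpm) are stopped in qemuProcessStop(), after QEMU itself is gone */` records the ordering the commit message relies on. This also assumes every caller that receives ret < 0 goes on to call qemuProcessStop, which the hunk cannot show and is worth confirming for the error paths between launch and stop. The body of qemuProcessLaunch starts before the hunk.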
@@ -0,0 +1,52 @@
+From 517d69d6c3935adf59fcf9ed11cb05e1dfa8a6f3 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Tue, 5 May 2020 13:45:44 +0200
+Subject: [PATCH] qemuDomainCleanupRun: Actually run cleanup callbacks in
+ reverse order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We have a framework to register cleanup callbacks that are run
+when a domain is shut down. The idea is to run callbacks in
+reverse order than they were registered. However, looking at the
+code this is not the case. Fortunately, this framework is used to
+register a single callback and a single callback only -
+qemuMigrationDstPrepareCleanup() - therefore there was no problem
+just yet.
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Ján Tomko
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_domain.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index b1a4647..36bef67 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -11561,18 +11561,14 @@ qemuDomainCleanupRun(virQEMUDriverPtr driver,
+ virDomainObjPtr vm)
+ {
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+- size_t i;
+
+ VIR_DEBUG("driver=%p, vm=%s", driver, vm->def->name);
+
+ /* run cleanup callbacks in reverse order */
+- for (i = 0; i < priv->ncleanupCallbacks; i++) {
+- if (priv->cleanupCallbacks[priv->ncleanupCallbacks - (i + 1)])
+- priv->cleanupCallbacks[i](driver, vm);
+- }
++ while (priv->ncleanupCallbacks)
++ priv->cleanupCallbacks[--priv->ncleanupCallbacks](driver, vm);
+
+ VIR_FREE(priv->cleanupCallbacks);
+- priv->ncleanupCallbacks = 0;
+ priv->ncleanupCallbacks_max = 0;
+ }
+
+--
+1.8.3.1
+
diff --git a/libvirt-qemuDomainSetNumaParamsLive-set-nodeset-for-root-cgr.patch b/libvirt-qemuDomainSetNumaParamsLive-set-nodeset-for-root-cgr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8fd176b96ddaab6b5529ea34bcebaa56f1a053c7
--- /dev/null
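Review bot: The rewritten loop `priv->cleanupCallbacks[--priv->ncleanupCallbacks](driver, vm);` drops the NULL test the removed `if (priv->cleanupCallbacks[...])` made before each call, so a NULL slot would now be invoked; that is only safe if the register/remove helpers (outside this hunk) keep the array dense, which should be confirmed and then stated in the existing `/* run cleanup callbacks in reverse order */` comment. Because the count is decremented before the call, a callback that registers a new cleanup callback while running has it executed in the same pass; if that is intended it also belongs in that comment. qemuDomainCleanupRun's signature starts before the hunk.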
+++ b/libvirt-qemuDomainSetNumaParamsLive-set-nodeset-for-root-cgr.patch
@@ -0,0 +1,47 @@
+From 222d16af976dc08ee3ea2008d1dc68b00a1ccc9f Mon Sep 17 00:00:00 2001
+From: Daniel Henrique Barboza
+Date: Thu, 11 Jun 2020 15:54:57 -0300
+Subject: [PATCH] qemuDomainSetNumaParamsLive: set nodeset for root cgroup
+
+This function handles the change of NUMA nodeset for a given
+guest, setting CpusetMems for the emulator, vcpus and IOThread
+sub-groups. It doesn't set the same nodeset to the root cgroup
+though. This means that cpuset.mems of the root cgroup ends up
+holding the new nodeset and the old nodeset as well. For
+a guest with placement=strict, nodeset='0', doing
+
+virsh numatune 0 8 --live
+
+Will make cpuset.mems of emulator, vcpus and iothread to be
+"8", but cpuset.mems of the root cgroup will be "0,8".
+
+This means that any new tasks that ends up landing in the
+root cgroup, aside from the emulator/vcpus/iothread sub-groups,
+will be split between the old nodeset and the new nodeset,
+which is not what we want.
+
+Signed-off-by: Daniel Henrique Barboza
+Reviewed-by: Michal Privoznik
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_driver.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 8bc5368..cb049fe 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -9728,6 +9728,10 @@ qemuDomainSetNumaParamsLive(virDomainObjPtr vm,
+ virCgroupFree(&cgroup_temp);
+ }
+
++ /* set nodeset for root cgroup */
++ if (virCgroupSetCpusetMems(priv->cgroup, nodeset_str) < 0)
++ goto cleanup;
++
+ ret = 0;
+ cleanup:
+ virCgroupFree(&cgroup_temp);
+--
+1.8.3.1
+
diff --git a/libvirt-qemuDomainStorageSourcePrivateDispose-Free-httpcooki.patch b/libvirt-qemuDomainStorageSourcePrivateDispose-Free-httpcooki.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bfcae999eb77d5d3b6ad823f3375cbd721e27386
--- /dev/null
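Review bot: The new `if (virCgroupSetCpusetMems(priv->cgroup, nodeset_str) < 0) goto cleanup;` runs after the emulator, vcpu and IOThread sub-groups have already been switched (the loop above the hunk), so on failure the caller sees -1 while the children carry the new nodeset and the root keeps its old cpuset.mems, with no rollback. If that partial state is acceptable, say so at the call; the comment `/* set nodeset for root cgroup */` should also explain why the root is written last, since cgroup v1's cpuset rejects a parent mems change that would leave a child outside it. qemuDomainSetNumaParamsLive starts before the hunk.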
+++ b/libvirt-qemuDomainStorageSourcePrivateDispose-Free-httpcooki.patch
@@ -0,0 +1,41 @@
+From 8263665d2003446a9b08181fdcc13b89397aae7d Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Thu, 14 May 2020 10:47:42 +0200
+Subject: [PATCH] qemuDomainStorageSourcePrivateDispose: Free httpcookie
+
+==156803== 58 (40 direct, 18 indirect) bytes in 1 blocks are definitely lost in loss record 306 of 463
+==156803== at 0x4839EC6: calloc (vg_replace_malloc.c:762)
+==156803== by 0x5791AC0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6400.1)
+==156803== by 0x48F60DC: virAlloc (viralloc.c:48)
+==156803== by 0x18DD74: qemuStorageSourcePrivateDataAssignSecinfo (qemu_domain.c:2384)
+==156803== by 0x18DFD5: qemuStorageSourcePrivateDataParse (qemu_domain.c:2433)
+==156803== by 0x49EC884: virDomainStorageSourceParse (domain_conf.c:9857)
+==156803== by 0x49ECBA3: virDomainDiskBackingStoreParse (domain_conf.c:9909)
+==156803== by 0x49F129D: virDomainDiskDefParseXML (domain_conf.c:10785)
+==156803== by 0x4A1804E: virDomainDefParseXML (domain_conf.c:21543)
+==156803== by 0x4A1B60C: virDomainObjParseXML (domain_conf.c:22254)
+==156803== by 0x4A1BFE9: virDomainObjParseNode (domain_conf.c:22429)
+==156803== by 0x4A1C0B4: virDomainObjParseFile (domain_conf.c:22443
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Peter Krempa
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 36bef67..91c1a49 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -1203,6 +1203,7 @@ qemuDomainStorageSourcePrivateDispose(void *obj)
+
+ g_clear_pointer(&priv->secinfo, qemuDomainSecretInfoFree);
+ g_clear_pointer(&priv->encinfo, qemuDomainSecretInfoFree);
++ g_clear_pointer(&priv->httpcookie, qemuDomainSecretInfoFree);
+ }
+
+
+--
+1.8.3.1
+
diff --git a/libvirt-qemuProcessStop-Reattach-NVMe-disks-a-domain-is-mirr.patch b/libvirt-qemuProcessStop-Reattach-NVMe-disks-a-domain-is-mirr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4508a3ee25a2c64c3baa18f13a291dcb25a3d801
--- /dev/null
+++ b/libvirt-qemuProcessStop-Reattach-NVMe-disks-a-domain-is-mirr.patch
@@ -0,0 +1,39 @@
+From 2358e2dd4971793f4c8cc530251ed0b01536e603 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Mon, 18 May 2020 15:11:49 +0200
+Subject: [PATCH] qemuProcessStop: Reattach NVMe disks a domain is mirroring
+ into
+
+If the mirror destination is not a file but a NVMe disk, then
+call qemuHostdevReAttachOneNVMeDisk() to reattach the NVMe back
+to the host.
+
+This would be done by blockjob code when the job finishes, but in
+this case the job won't finish - QEMU is killed meanwhile.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1825785
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Peter Krempa
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_process.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 9285ace..280fed9 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -7606,6 +7606,9 @@ void qemuProcessStop(virQEMUDriverPtr driver,
+ if (disk->mirror) {
+ if (qemuSecurityRestoreImageLabel(driver, vm, disk->mirror, false) < 0)
+ VIR_WARN("Unable to restore security label on %s", disk->dst);
++
++ if (virStorageSourceChainHasNVMe(disk->mirror))
++ qemuHostdevReAttachOneNVMeDisk(driver, vm->def->name, disk->mirror);
+ }
+
+ qemuBlockRemoveImageMetadata(driver, vm, disk->dst, disk->src);
+--
+1.8.3.1
+
diff --git a/libvirt-qemuProcessStop-Use-XATTRs-to-restore-seclabels-on-d.patch b/libvirt-qemuProcessStop-Use-XATTRs-to-restore-seclabels-on-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16acb720cd8cff0ba230b17b4b4fd8dd5928e2ee
--- /dev/null
+++ b/libvirt-qemuProcessStop-Use-XATTRs-to-restore-seclabels-on-d.patch
@@ -0,0 +1,42 @@
+From 63846560cf12789ff592374dfc6211d83e693e9d Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Mon, 18 May 2020 15:07:46 +0200
+Subject: [PATCH] qemuProcessStop: Use XATTRs to restore seclabels on disks a
+ domain is mirroring into
+
+In v5.10.0-rc1~42 (which was later fixed in v6.0.0-rc1~487) I am
+removing XATTRs for a file that QEMU is mirroring a disk into but
+it is killed meanwhile. Well, we can call
+qemuSecurityRestoreImageLabel() which will not only remove XATTRs
+but also use them to restore the original owner of the file.
+
+This would be done by blockjob code when the job finishes, but in
+this case the job won't finish - QEMU is killed meanwhile
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Peter Krempa
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_process.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 6fbe0c1..9285ace 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -7603,8 +7603,10 @@ void qemuProcessStop(virQEMUDriverPtr driver,
+ for (i = 0; i < def->ndisks; i++) {
+ virDomainDiskDefPtr disk = def->disks[i];
+
+- if (disk->mirror)
+- qemuBlockRemoveImageMetadata(driver, vm, disk->dst, disk->mirror);
++ if (disk->mirror) {
++ if (qemuSecurityRestoreImageLabel(driver, vm, disk->mirror, false) < 0)
++ VIR_WARN("Unable to restore security label on %s", disk->dst);
++ }
+
+ qemuBlockRemoveImageMetadata(driver, vm, disk->dst, disk->src);
+ }
+--
+1.8.3.1
+
diff --git a/libvirt-remote-fix-driver-name-check-for-libxl-driver.patch b/libvirt-remote-fix-driver-name-check-for-libxl-driver.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2340c668a18fd0c2cad260c2ad12d7cfd1eea2b3
--- /dev/null
+++ b/libvirt-remote-fix-driver-name-check-for-libxl-driver.patch
@@ -0,0 +1,36 @@
+From 1285a266c106ebac3fc6d1a7d5bf839a7623a5a0 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé
+Date: Mon, 4 May 2020 17:41:46 +0100
+Subject: [PATCH] remote: fix driver name check for libxl driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virConnectGetType() returns "Xen" for libxl, not "LIBXL".
+
+This prevents users opening a connection to the libxl driver when using
+the modular daemons.
+
+Reviewed-by: Jim Fehlig
+Signed-off-by: Daniel P. Berrangé
+Signed-off-by: Jin Yan
+---
+ src/remote/remote_daemon_dispatch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
+index c5506c2..d2652e3 100644
+--- a/src/remote/remote_daemon_dispatch.c
++++ b/src/remote/remote_daemon_dispatch.c
+@@ -2111,7 +2111,7 @@ remoteDispatchConnectOpen(virNetServerPtr server G_GNUC_UNUSED,
+
+ VIR_DEBUG("Primary driver type is '%s'", type);
+ if (STREQ(type, "QEMU") ||
+- STREQ(type, "LIBXL") ||
++ STREQ(type, "Xen") ||
+ STREQ(type, "LXC") ||
+ STREQ(type, "VBOX") ||
+ STREQ(type, "bhyve") ||
+--
+1.8.3.1
+
diff --git a/libvirt-security-don-t-fail-if-built-without-attr-support.patch b/libvirt-security-don-t-fail-if-built-without-attr-support.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16ce48d601de5529a5d5e0f82dfdbdcfd2edcba2
--- /dev/null
+++ b/libvirt-security-don-t-fail-if-built-without-attr-support.patch
@@ -0,0 +1,73 @@
+From ba950b814f7a2037829d54e3d1e0522c42c104a4 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Tue, 26 May 2020 09:33:38 +0200
+Subject: [PATCH] security: don't fail if built without attr support
+
+If built without attr support removing any image will trigger
+ qemuBlockRemoveImageMetadata (the one that emits the warning)
+ -> qemuSecurityMoveImageMetadata
+ -> virSecurityManagerMoveImageMetadata
+ -> virSecurityDACMoveImageMetadata
+ -> virSecurityDACMoveImageMetadataHelper
+ -> virProcessRunInFork (spawns subprocess)
+ -> virSecurityMoveRememberedLabel
+
+In there due to !HAVE_LIBATTR virFileGetXAttrQuiet will return
+ENOSYS and from there the chain will error out.
+
+That is wrong and looks like:
+ libvirtd[6320]: internal error: child reported (status=125):
+ libvirtd[6320]: Unable to remove disk metadata on vm testguest from
+ /var/lib/uvtool/libvirt/images/testguest.qcow (disk target vda)
+
+This change makes virSecurityDACMoveImageMetadataHelper and
+virSecuritySELinuxMoveImageMetadataHelper accept that
+error code gracefully and in that sense it is an extension of:
+5214b2f1a3f "security: Don't skip label restore on file systems lacking XATTRs"
+which does the same for other call chains into the virFile*XAttr functions.
+
+Signed-off-by: Christian Ehrhardt
+Reviewed-by: Michal Privoznik
+Signed-off-by: Jin Yan
+---
+ src/security/security_dac.c | 6 ++++++
+ src/security/security_selinux.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 11fff63..51cabf1 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -1132,6 +1132,12 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
+
+ ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst);
+ virSecurityManagerMetadataUnlock(data->mgr, &state);
++
++ if (ret == -2) {
++ /* Libvirt built without XATTRS */
++ ret = 0;
++ }
++
+ return ret;
+ }
+
+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
+index 72d1658..78ea618 100644
+--- a/src/security/security_selinux.c
++++ b/src/security/security_selinux.c
+@@ -1990,6 +1990,12 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
+
+ ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst);
+ virSecurityManagerMetadataUnlock(data->mgr, &state);
++
++ if (ret == -2) {
++ /* Libvirt built without XATTRS */
++ ret = 0;
++ }
++
+ return ret;
+ }
+
+--
+1.8.3.1
+
diff --git a/libvirt-systemd-start-libvirtd-after-firewalld-iptables-serv.patch b/libvirt-systemd-start-libvirtd-after-firewalld-iptables-serv.patch
new file mode 100644
index 0000000000000000000000000000000000000000..15cc436d780e3f636f41759e8fb9cd0c91fb7aea
--- /dev/null
+++ b/libvirt-systemd-start-libvirtd-after-firewalld-iptables-serv.patch
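Review bot: The new `if (ret == -2)` in virSecurityDACMoveImageMetadataHelper compares against a bare magic number whose meaning lives in virSecurityMoveRememberedLabel, and the identical block is repeated in virSecuritySELinuxMoveImageMetadataHelper in the second hunk of this patch; a named constant for that "no XATTR support" return, or at least a comment naming the producer such as `/* -2: virSecurityMoveRememberedLabel() found no XATTR support (!HAVE_LIBATTR) */`, keeps the two call sites from drifting apart. Mapping the code to 0 also means a label that could not be moved is reported to the caller as moved; the commit message explains why that is acceptable for such builds, and the comment should carry that rationale into the code. Both helper functions start before their hunks.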
@@ -0,0 +1,104 @@
+From 1ed313f35a4ac27ed29395ed30ec6e7966b798fd Mon Sep 17 00:00:00 2001
+From: Laine Stump
+Date: Fri, 1 May 2020 00:05:50 -0400
+Subject: [PATCH] systemd: start libvirtd after firewalld/iptables services
+
+When a system has enabled the iptables/ip6tables services rather than
+firewalld, there is no explicit ordering of the start of those
+services vs. libvirtd. This creates a problem when libvirtd.service is
+started before ip[6]tables, as the latter, when it finally is started,
+will remove all of the iptables rules that had previously been added
+by libvirt, including the custom chains where libvirt's rules are
+kept. This results in an error message similar to the following when a
+user subsequently tries to start a new libvirt network:
+
+ "Error while activating network: Call to virNetworkCreate failed:
+ internal error: Failed to apply firewall rules
+ /usr/sbin/ip6tables -w --table filter --insert LIBVIRT_FWO \
+ --in-interface virbr2 --jump REJECT:
+ ip6tables: No chain/target/match by that name."
+
+(Prior to logging this error, it also would have caused failure to
+forward (or block) traffic in some cases, e.g. for guests on a NATed
+network, since libvirt's rules to forward/block had all been deleted
+and libvirt didn't know about it, so it couldn't fix the problem)
+
+When this happens, the problem can be remedied by simply restarting
+libvirtd.service (which has the side-effect of reloading all
+libvirt-generated firewall rules)
+
+Instead, we can just explicitly stating in the libvirtd.service file
+that libvirtd.service should start after ip6tables.service and
+ip6tables.service, eliminating the race condition that leads to the
+error.
+
+There is also nothing (that I can see) in the systemd .service files
+to guarantee that firewalld.service will be started (if enabled) prior
+to libvirtd.service. The same error scenario given above would occur
+if libvirtd.service started before firewalld.service.
Even before
+that, though libvirtd would have detected that firewalld.service was
+disabled, and then turn off all firewalld support. So, for example,
+firewalld's libvirt zone wouldn't be used, and most likely traffic
+from guests would therefore be blocked (all with no external
+indication of the source of the problem other than a debug-level log
+when libvirtd was started saying that firewalld wasn't in use); also
+libvirtd wouldn't notice when firewalld reloaded its rules (which also
+simultaneously deletes all of libvirt's rules).
+
+I'm not aware of any reports that have been traced back to
+libvirtd.service starting before firewalld.service, but have seen that
+error reported multiple times, and also don't see an existing
+dependency that would guarantee firewalld.service starts before
+libvirtd.service, so it's possible it's been happening and we just
+haven't gotten to the bottom of it.
+
+This patch adds an After= line to the libvirtd.service file for each
+of iptables.service, ip6tables.service, and firewalld.servicee, which
+should guarantee that libvirtd.service isn't started until systemd has
+started whichever of the others is enabled.
+
+This race was diagnosed, and patch proposed, by Jason Montleon in
+https://bugzilla.redhat.com/1723698 . At the time (April 2019) danpb
+agreed with him that this change to libvirtd.service was a reasonable
+thing to do, but I guess everyone thought someone else was going to
+post a patch, so in the end nobody did.
+
+Signed-off-by: Laine Stump
+Reviewed-by: Michal Privoznik
+Signed-off-by: Jin Yan
+---
+ src/network/virtnetworkd.service.in | 3 +++
+ src/remote/libvirtd.service.in | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/network/virtnetworkd.service.in b/src/network/virtnetworkd.service.in
+index 656e8b4..56182e1 100644
+--- a/src/network/virtnetworkd.service.in
++++ b/src/network/virtnetworkd.service.in
+@@ -5,6 +5,9 @@ Requires=virtnetworkd.socket
+ Requires=virtnetworkd-ro.socket
+ Requires=virtnetworkd-admin.socket
+ After=network.target
++After=firewalld.service
++After=iptables.service
++After=ip6tables.service
+ After=dbus.service
+ After=apparmor.service
+ After=local-fs.target
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index 90b2cad..cc0d4e3 100644
+--- a/src/remote/libvirtd.service.in
++++ b/src/remote/libvirtd.service.in
+@@ -11,6 +11,9 @@ Wants=libvirtd-admin.socket
+ Wants=systemd-machined.service
+ Before=libvirt-guests.service
+ After=network.target
++After=firewalld.service
++After=iptables.service
++After=ip6tables.service
+ After=dbus.service
+ After=iscsid.service
+ After=apparmor.service
+--
+1.8.3.1
+
diff --git a/libvirt-virDevMapperGetTargetsImpl-quit-early-if-device-is-n.patch b/libvirt-virDevMapperGetTargetsImpl-quit-early-if-device-is-n.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d08df8174f6a8bbd9aa93bc43243d111a8a50d9
--- /dev/null
+++ b/libvirt-virDevMapperGetTargetsImpl-quit-early-if-device-is-n.patch
@@ -0,0 +1,61 @@
+From c279162d6d335d4302a74c1e19dbce8eaff75679 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik
+Date: Fri, 24 Apr 2020 13:17:51 +0200
+Subject: [PATCH] virDevMapperGetTargetsImpl: quit early if device is not a
+ devmapper target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As suggested in the linked bug, libvirt should firstly check
+whether the major number of the device is device mapper major.
+Because if it isn't subsequent DM_DEVICE_DEPS task may not only
+fail, but also yield different results. In the bugzilla this is
+demonstrated by creating a devmapper target named 'loop0' and
+then creating loop target /dev/loop0. When the latter is then
+passed to a domain, our virDevMapperGetTargetsImpl() function
+blindly asks devmapper to provide target dependencies for
+/dev/loop0 and because of the way devmapper APIs work, it will
+'sanitize' the input by using the last component only which is
+'loop0' and thus return different results than expected.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1823976
+
+Signed-off-by: Michal Privoznik
+Reviewed-by: Ján Tomko
+Signed-off-by: Jin Yan
+---
+ src/util/virdevmapper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
+index feb5982..79dbc3d 100644
+--- a/src/util/virdevmapper.c
++++ b/src/util/virdevmapper.c
+@@ -64,6 +64,7 @@ virDevMapperGetTargetsImpl(const char *path,
+ char ***devPaths_ret,
+ unsigned int ttl)
+ {
++ struct stat sb;
+ struct dm_task *dmt = NULL;
+ struct dm_deps *deps;
+ struct dm_info info;
+@@ -82,6 +83,15 @@ virDevMapperGetTargetsImpl(const char *path,
+ return ret;
+ }
+
++ if (stat(path, &sb) < 0) {
++ if (errno == ENOENT)
++ return 0;
++ return -1;
++ }
++
++ if (!dm_is_dm_major(major(sb.st_dev)))
++ return 0;
++
+ if (!(dmt = dm_task_create(DM_DEVICE_DEPS))) {
+ if (errno == ENOENT || errno == ENODEV) {
+ /* It's okay.
Kernel is probably built without
+--
+1.8.3.1
+
diff --git a/libvirt-virQEMUDriverConfigNew-Add-slash-to-cfg-defaultTLSx5.patch b/libvirt-virQEMUDriverConfigNew-Add-slash-to-cfg-defaultTLSx5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bc9f6496450ac73be0c2a2df4bd29e7e0486234e
--- /dev/null
+++ b/libvirt-virQEMUDriverConfigNew-Add-slash-to-cfg-defaultTLSx5.patch
@@ -0,0 +1,33 @@
+From a34f1d6623f3fb1ec03982ef776e31a4b450158d Mon Sep 17 00:00:00 2001
+From: Peter Krempa
+Date: Tue, 16 Jun 2020 12:36:55 +0200
+Subject: [PATCH] virQEMUDriverConfigNew: Add slash to
+ cfg->defaultTLSx509certdir for non-embedded driver
+
+Commit 068efae5b1a9ef accidentally removed the slash.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1847234
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Andrea Bolognani
+Signed-off-by: Jin Yan
+---
+ src/qemu/qemu_conf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
+index 15837ce..809e8fe 100644
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -234,7 +234,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged,
+ * directory doesn't exist (although we don't check if this exists).
+ */
+ if (root == NULL) {
+- cfg->defaultTLSx509certdir = g_strdup(SYSCONFDIR "pki/qemu");
++ cfg->defaultTLSx509certdir = g_strdup(SYSCONFDIR "/pki/qemu");
+ } else {
+ cfg->defaultTLSx509certdir = g_strdup_printf("%s/etc/pki/qemu", root);
+ }
+--
+1.8.3.1
+
diff --git a/libvirt.spec b/libvirt.spec
index c16d114f4d3bcc094a8c20772328394a9dfe52d1..804183a870f26fa3299479de3b8ded7402125f52 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -99,7 +99,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 6.2.0
-Release: 9
+Release: 10
 License: LGPLv2+
 URL: https://libvirt.org/
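Review bot: The new check `if (!dm_is_dm_major(major(sb.st_dev)))` in virDevMapperGetTargetsImpl examines the device number of the filesystem that holds the node at path, not the device the node represents; for a block device node that is `sb.st_rdev`, so the intended guard reads `if (!S_ISBLK(sb.st_mode) || !dm_is_dm_major(major(sb.st_rdev))) return 0;` — as written the test would most likely answer false for genuine device-mapper targets on a devtmpfs-backed /dev and skip dependency resolution for them too. In the same block, the `return -1;` taken when stat() fails for a reason other than ENOENT returns an error without reporting one, unlike the error paths elsewhere in this function; a `virReportSystemError(errno, _("Unable to stat %s"), path);` before it gives callers a message. The enclosing function starts before the first hunk and continues after the second.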
@@ -133,6 +133,22 @@ Patch0022: libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch
 Patch0023: libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch
 Patch0024: libvirt-support-aarch64-vtpm-with-parameter-tpm-tis-.patch
 Patch0025: libvirt-tests-commandtest-skip-the-test4-if-the-testcase-is-.patch
+Patch0026: libvirt-remote-fix-driver-name-check-for-libxl-driver.patch
+Patch0027: libvirt-systemd-start-libvirtd-after-firewalld-iptables-serv.patch
+Patch0028: libvirt-qemuDomainCleanupRun-Actually-run-cleanup-callbacks-.patch
+Patch0029: libvirt-virDevMapperGetTargetsImpl-quit-early-if-device-is-n.patch
+Patch0030: libvirt-qemu-only-stop-external-devices-after-the-domain.patch
+Patch0031: libvirt-qemuDomainStorageSourcePrivateDispose-Free-httpcooki.patch
+Patch0032: libvirt-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
+Patch0033: libvirt-qemuProcessStop-Use-XATTRs-to-restore-seclabels-on-d.patch
+Patch0034: libvirt-qemuProcessStop-Reattach-NVMe-disks-a-domain-is-mirr.patch
+Patch0035: libvirt-security-don-t-fail-if-built-without-attr-support.patch
+Patch0036: libvirt-qemu-Skip-pre-creation-of-NVMe-disks.patch
+Patch0037: libvirt-Fix-some-wrong-usage-of-ATTRIBUTE_NONNULL.patch
+Patch0038: libvirt-conf-Increase-cpuset-length-limit-for-CPU-pinning.patch
+Patch0039: libvirt-virQEMUDriverConfigNew-Add-slash-to-cfg-defaultTLSx5.patch
+Patch0040: libvirt-qemuDomainSetNumaParamsLive-set-nodeset-for-root-cgr.patch
+Patch0041: libvirt-qemu-do-not-add-model-when-actual-iface-type-is-host.patch
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -1865,6 +1881,8 @@ exit 0
 %changelog
+* Thu Sep 10 2020 Jin Yan - 6.2.0-10
+- bugfix: cherry-pick some bugfix patches from open source community
 * Wed Aug 5 2020 AlexChen - 6.2.0-9
 - tests: skip the test4 if the testcase is run in the container env
 * Wed Aug 5 2020 Jiang Fangjie - 6.2.0-8