Michal Privoznik [Tue, 12 Jul 2022 13:58:12 +0000 (15:58 +0200)]
domcaps: Introduce TPM backendVersion
We accept TPM version in the domain XML. However, supported
version depends on the host (swtpm_setup binary) and thus it may
be tricky for users (or mgmt applications) to choose a version.
Introduce machinery for reporting supported version in domain
capabilities.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Michal Privoznik [Tue, 12 Jul 2022 14:10:08 +0000 (16:10 +0200)]
docs: Document TPM portion of domcaps
Surprisingly, we don't document TPM part of domain capabilities.
Fortunately, the information exposed is pretty much self
explanatory, but we should document it regardless.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Peter Krempa [Tue, 12 Jul 2022 10:45:52 +0000 (12:45 +0200)]
remote: conf: Mention that 'virtproxyd' doesn't require the '--listen' flag
'virtproxyd' doesn't have the '--listen' parameter and it's enough just
to enable the corresponding option in the config.
The config file is generic for all the daemons and we just omit/adjust
some sections. Adding a separate mechanism to omit the note about the
'--listen' parameter would be overkill so mention explicitly that it's
required only for libvirtd and not virtproxyd.
The section is omitted for other daemons.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2094641
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
The PCIe 5.0 and PCIe 6.0 standards define new link speeds:
32GT/s and 64GT/s, respectively. Update our internal enum to
include these new speeds. Otherwise we format incorrect XML:
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2105231
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 22 Jun 2022 13:28:49 +0000 (15:28 +0200)]
qemucapabilitiestest: Fake proper version for 'caps_4.2.0.aarch64' case
The capabilities for that version were not updated from the development
version and thus would fail our upcoming minimum version change. Fake
the data to report 4.2.0.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 22 Jun 2022 13:28:49 +0000 (15:28 +0200)]
qemucapabilitiestest: Fake proper version for 'caps_4.2.0.ppc64' case
The capabilities for that version were not updated from the development
version and thus would fail our upcoming minimum version change. Fake
the data to report 4.2.0.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Wed, 22 Jun 2022 11:07:53 +0000 (13:07 +0200)]
qemuxml2argvtest: Make 'qemu-ns' test case more stable
The test was showing that the 'blockdev' capability is properly added
although we didn't detect it yet. Unfortunately this test can't be
carried over once we bump minimum qemu version to qemu-4.2.
Make the test case future-proof by removing the qemu-4.0.0 version which
would become pointless and use only already deprecated capability flags
so that the test output does not change.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Tue, 21 Jun 2022 13:48:06 +0000 (15:48 +0200)]
qemuxml2(argv|xml)test: Drop qemu-3.1 version of 'cpu-Icelake-Server-pconfig'
Prior to qemu-3.2 we'd have to disable the 'pconfig' feature explicitly
which is no longer needed with new qemu. Remove the version locked to
qemu-3.1 as the 'latest' case sufficiently handles what we want to test.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik [Thu, 30 Jun 2022 11:44:58 +0000 (13:44 +0200)]
qemu_monitor_json: Implement logic for setting iothread.thread-pool-{min,max}
When virDomainSetIOThreadParams() API is called, well its QEMU
impl: qemuDomainSetIOThreadParams() then typed params are parsed
by qemuDomainIOThreadParseParams() into this
qemuMonitorIOThreadInfo struct. In the struct we have a <int,
bool> pair for every IOThread attribute we can tune through
monitor. The struct is then passed to
qemuMonitorJSONSetIOThread() which looks at the bool and if set
then the corresponding attribute is set to given value. Each
attribute is thus changed in a separate call. While this works
for attributes independent of each other ("poll-max-ns",
"poll-grow", "poll-shrink"), it does not always work for the
other attributes ("thread-pool-min" and "thread-pool-max").
The limitation here is that the lower boundary (minimum) has to
be lower (or equal to) the upper boundary (maximum) at all times.
This means that in some cases we might need to set attributes in
reversed order to meet the constraint.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/339
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Peter Krempa [Mon, 13 Jun 2022 13:48:51 +0000 (15:48 +0200)]
kbase: debuglogs: Add a note about auto-shutdown of daemons
When using runtime setting of logging with 'virt-admin' it can be
confusing that the settings are discarded when the shutdown timeout of a
daemon is reached.
Add a note about this behaviour along with a suggestion to use
virt-admin to disable the behaviour if needed.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 13 Jun 2022 11:02:09 +0000 (13:02 +0200)]
admin: Introduce virAdmConnectSetDaemonTimeout
Use of the admin APIs to modify logging temporarily has a rather serious
deficiency when the daemon whose config is being changed is using
auto-shutdown (default with socket-activated deployments) as the
configuration is discarded if there is no client or VM/other object
blocking auto shutdown.
This API allows users to disable/postpone shutdown timeout so that the
configuration doesn't change under their hands.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Peter Krempa [Mon, 13 Jun 2022 12:25:06 +0000 (14:25 +0200)]
virNetDaemonAutoShutdown: Allow live update of shutdown timeout
Modify the code so that calling 'virNetDaemonAutoShutdown' will update
the auto shutdown timeout also for running daemons.
This involves changing the logic when to do the update of the timer so
that it can be called from both when the daemon is not yet running and
when doing a live update.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
domain_postparse: Move error messages onto single line
Our coding style suggests 80 chars per line with error messages
being an exception (for easier git-grep). Apply this exception onto
the newly created domain_postparse.c file.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
conf: Separate domain post parse code into domain_postparse.c
The domain post parse functions currently live in domain_conf.c
which thus grows always larger. Mimic what we've done for the
validation code and move the post parse code into a separate
file: domain_postparse.c.
I've started by moving every function with PostParse in its name
into the new file and then compile hunting for helper functions
only to move them as well.
In the end, I've moved virDomainDefPostParse symbol in
libvirt_private.syms into a new section. And while
virDomainDeviceDefPostParseOne() is made 'public' in
domain_postparse.h too, I'm not exporting it because it has no
caller outside src/conf/ and it's unlikely it ever will.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The virDomainDefPostParseDeviceIteratorData struct is exported in
domain_conf.h because it's used in both domain_conf.c and
domain_validate.c. However, the latter usage is not warranted,
it's just a shortcut so that we don't have to introduce a similar
struct just for domain_validate.c. Well, do the extra step and
introduce a separate structure for domain_validate.c. This allows
us to move post parse code later on.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Han Han [Wed, 6 Jul 2022 02:42:02 +0000 (10:42 +0800)]
schemas: rng: Make secret optional in storage vol
For a qcow2 storage volume with luks encryption created by qemu-img, its
dumped storage vol XML has no secret element in encryption:
  <volume type='file'>
    ...
    <encryption format='luks'>
    </encryption>
    ...
  </volume>
That will cause a failure in rng validation. Fix that validation failure.
Signed-off-by: Han Han <hhan@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
domain_validate: Properly terminate switch() in virDomainIOMMUDefValidate()
In my previous commit I've introduced virDomainIOMMUDefValidate()
function with a switch() statement. However, two cases in it,
though empty, were not terminated with a break statement which
made compiler complain.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
domain_validate: Disallow non-virtio IOMMU with an <address/>
Per v8.3.0-rc1~199 it's only a virtio IOMMU that can have
<address/>. The rest (Intel and SMMUv3) are system devices and
thus have no address associated with them. However, this
assumption is never checked for.
Fixes: b0eb1e193f5db033d0fbbf91ff71a121066ad77c
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
qemu_domain_address: Drop needless virDomainIOMMUModel typecast
There are two places where the @model member of
_virDomainIOMMUDef struct is typecasted to virDomainIOMMUModel
which is completely unnecessary because the struct already
defines the member of that type.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 1 Jul 2022 14:53:08 +0000 (16:53 +0200)]
storagepoolxml2argvtest: Fix output data for 'pool-netfs-protocol-ver'
The storage pool tests have host-specific versions which I neglected to
update in commit c44930d932203b4a58dccbbeaa814fff6cea8216 thus breaking
the test-suite on non-linux OSes.
Fixes: c44930d932203b4a58dccbbeaa814fff6cea8216
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Peter Krempa [Thu, 23 Jun 2022 15:17:06 +0000 (17:17 +0200)]
storage: pool: Allow more intricate nfs protocol versions
Treat the 'protocolVer' field as a string so that e.g. '4.1' can be
used. Forbid only ',' in the string as it's a separator of arguments for
mount options.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
will correctly pick a firmware that implements the Secure Boot
feature and initialize the NVRAM file so that it contains the
keys necessary to enforce the signing requirements. However, the
lack of a
<loader secure='yes'/>
element makes it possible for pflash writes to happen outside
of SMM mode. This means that the authenticated UEFI variables
where the keys are stored could potentially be overwritten by
malicious code running in the guest, thus making it possible to
circumvent Secure Boot.
To prevent that from happening, automatically turn on the
loader.secure feature whenever a firmware that implements Secure
Boot is chosen by the firmware autoselection logic. This is
identical to the way we already automatically enable SMM in such
a scenario.
Note that, while this is technically a guest-visible change, it
will not affect migration of existing VMs and will not prevent
legitimate guest code from running.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Mon, 20 Jun 2022 15:44:17 +0000 (17:44 +0200)]
conf: Always parse firmware features
Regardless of whether firmware autoselection is in use, we
still want to parse the list of requested features. Doing this
will allow us to produce better error messages.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Wed, 15 Jun 2022 10:00:58 +0000 (12:00 +0200)]
conf: Validate firmware configuration more thoroughly
Generally speaking, when firmware autoselection is in use we
don't want any information to be provided manually. There are
two exceptions:
* we still want the path to the NVRAM file to be customizable;
* using <loader secure='yes'/> was how you would ask for a
firmware that implements the Secure Boot feature in the
original approach to firmware autoselection, so we want to
keep that working.
Anything else should result in a descriptive error.
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/327
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Thu, 16 Jun 2022 09:30:30 +0000 (11:30 +0200)]
conf: Refactor virDomainDefOSValidate()
This makes it explicit that there are two possible scenarios
(whether or not firmware autoselection is in use) and will make
upcoming changes cleaner to implement.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Thu, 16 Jun 2022 09:26:37 +0000 (11:26 +0200)]
conf: Always parse all firmware information
Currently we're simply ignoring some elements and attributes,
such as the loader path, when firmware autoselection is enabled
because we know we're not going to use them.
This makes sense, but has the unfortunate consequence of
confusing users who experience part of their configuration
simply going away for no apparent reason.
A more user-friendly approach is to produce meaningful error
messages in those scenarios. As a first step towards that goal,
stop conditionally parsing information.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Wed, 15 Jun 2022 09:30:48 +0000 (11:30 +0200)]
conf: Reject enrolled-keys=yes with secure-boot=no
This combination doesn't make sense and so the firmware
autoselection logic will not be able to find a suitable firmware,
but it's more user-friendly to report a detailed error upfront.
Note that this check would ideally happen in the validate phase,
but if we moved it there we would no longer be able to
automatically enable secure-boot when enrolled-keys=yes. Since
the combination never resulted in a working configuration, the
chances of this causing real-world VMs to disappear are
extremely low.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Fri, 17 Jun 2022 09:40:14 +0000 (11:40 +0200)]
conf: Always parse NVRAM path if present
Currently, the lack of a <loader> element results in the <nvram>
element being completely ignored, but this is unnecessarily
limiting: even when firmware autoselection is in use, it should
be possible for the user to specify a custom path for the NVRAM
file.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Thu, 16 Jun 2022 16:02:14 +0000 (18:02 +0200)]
conf: Handle NVRAM in virDomainLoaderDefParseXML()
All the data in the <nvram> element ends up in the same struct
as that coming from the <loader> element, so it makes sense to
have a single entry point for parsing an XML document into a
virDomainLoaderDef instance.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Andrea Bolognani [Thu, 16 Jun 2022 15:53:11 +0000 (17:53 +0200)]
conf: Move setting type for NVRAM source
When the 'type' attribute is present we'd end up overwriting
this value via virDomainStorageSourceParse(). Moving this
assignment makes the current code clearer and will also help
with upcoming changes.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Note that some of these new tests are displaying incorrect or
suboptimal behavior. When we address those in upcoming patches,
this will be highlighted by changes in the test data.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
When testing firmware selection, we don't really care about any
of the hardware assigned to the VM, and in fact it's better to
keep it as minimal as possible to make sure that the focus
remains on the firmware bits.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Group all tests related to firmware selection together and give
them consistent names that leave room for further tests to be
added in an upcoming commit.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This supports sockets created by libvirt and passed by FD using the
same method as in security_dac.c.
Signed-off-by: David Michael <david@bigbadwolfsecurity.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Michal Privoznik [Wed, 29 Jun 2022 09:16:06 +0000 (11:16 +0200)]
virnettlscontext: Don't set DH parameters ourselves
According to [1]:
Prior to GnuTLS 3.6.0 for the ephemeral or anonymous
Diffie-Hellman (DH) TLS ciphersuites the application was
required to generate or provide DH parameters. That is no
longer necessary as GnuTLS utilizes DH parameters and
negotiation from [RFC7919].
This allows us to:
a) drop the code that's setting DH params,
b) drop @dhParams member from _virNetTLSContext struct, and
c) drop gnutls_dh_params_generate2() mock.
Michal Privoznik [Tue, 28 Jun 2022 08:02:01 +0000 (10:02 +0200)]
virnetdevbandwidthtest: Test QoS for OVS
Ever since v7.6.0-rc1~235 we can use ovs-vsctl to set QoS instead
of tc. However, we don't have a test that's verifying generated
cmd line for ovs-vsctl.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
However, one can argue that there are few cases where shifting
the alignment makes the code more readable. And this is the case
of expected cmd line for DO_TEST_SET() where a long cmd line can
be aligned on the arguments rather than the binary:
TC " filter ..."
" police ..."
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Jiri Denemark [Thu, 30 Jun 2022 10:52:38 +0000 (12:52 +0200)]
qemu_migration: Apply max-postcopy-bandwidth on post-copy resume
When resuming post-copy migration users may want to limit the bandwidth
used by the migration and use a value that is different from the one
specified when the migration was originally started.
We will need to annotate individual parameters a bit more than just
noting their type. Let's introduce qemuMigrationParamInfo replacing
simple qemuMigrationParamTypes with an array of structs.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jiri Denemark [Fri, 24 Jun 2022 14:26:06 +0000 (16:26 +0200)]
qemu_migration: Avoid mem.hard_limit > 0 check
My original commit v8.4.0-288-gf01fc4d119 accidentally forgot to fix
both instances of the same problem. While it fixed the destination side
of migration, the source one remained broken.
However, that commit was also wrong in saying the issue could have
caused unlimited memory locking to be allowed for QEMU when RDMA
migration was used. It could not, because the code would refuse to even
think about starting RDMA migration if hard_limit was not set. But
avoiding the "mem.hard_limit > 0" check is useful anyway.
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
qemu_hotplug: Don't skip cleanup in qemuDomainAttachNetDevice()
Introduced in v8.4.0-rc1~183 but the first real problem
introduced in v8.4.0-rc1~170, there's a
qemuBuildInterfaceConnect() call inside of
qemuDomainAttachNetDevice(). If the former fails, then the
function is immediately returned from instead of jumping onto the
cleanup label. This is crucial, because at this point the domain
definition contains 'borrowed' net definition, which is then
freed, since an error was met. The domain definition is then left
with a dangling pointer which leads to all sorts of different
crashes.
Michal Privoznik [Thu, 30 Jun 2022 06:32:49 +0000 (08:32 +0200)]
API: Remove internal impl detail from VIR_DOMAIN_IOTHREAD_THREAD_POOL_{MIN,MAX} description
When introducing VIR_DOMAIN_IOTHREAD_THREAD_POOL_MIN and
VIR_DOMAIN_IOTHREAD_THREAD_POOL_MAX typed parameters, I've made a
shortcut. Since at the monitor level these two are set in two
separate calls and minimum has to be always smaller than maximum
(or equal to it), it may happen that one of the values we want to
set violates this restriction. So I've put a little note in the
public API description warning users about this.
However, the proper solution is to have a logic that checks the
current values and based on that set either minimum or maximum
value first. But until we get there, remove that note from the
public API before it gets released.
Related: https://gitlab.com/libvirt/libvirt/-/issues/339
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
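
The ordering constraint discussed in the two thread-pool commit messages on this page ("qemu_monitor_json: Implement logic for setting iothread.thread-pool-{min,max}" and the API description commit directly above), worked through as an added example; this is not libvirt code. The struct names, the helper functions and the simulated monitor that refuses any update breaking min <= max are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical request: one <int, bool> pair per tunable attribute. */
struct pool_request {
    int min; bool set_min;
    int max; bool set_max;
};

/* Constructed stand-in for the monitor side: every single-attribute
 * update is refused if it would leave min > max, even momentarily. */
struct iothread { int min; int max; };

static int apply_min(struct iothread *t, int v)
{
    if (v > t->max)
        return -1;
    t->min = v;
    return 0;
}

static int apply_max(struct iothread *t, int v)
{
    if (v < t->min)
        return -1;
    t->max = v;
    return 0;
}

/* Fixed order (min, then max): fails when the whole window moves up. */
static int set_fixed_order(struct iothread *t, const struct pool_request *r)
{
    if (r->set_min && apply_min(t, r->min) < 0)
        return -1;
    if (r->set_max && apply_max(t, r->max) < 0)
        return -1;
    return 0;
}

/* Order chosen from the current values so the invariant holds after
 * each step. An inconsistent request is rejected before any change. */
static int set_ordered(struct iothread *t, const struct pool_request *r)
{
    if (r->set_min && r->set_max) {
        if (r->min > r->max)
            return -1;
        if (r->min > t->max) {
            /* New minimum is above the current maximum: raise max first. */
            if (apply_max(t, r->max) < 0)
                return -1;
            return apply_min(t, r->min);
        }
    }
    /* Otherwise min first is safe: new min <= current max <= new max
     * is not required, only new min <= current max and new min <= new max. */
    return set_fixed_order(t, r);
}

int main(void)
{
    struct iothread t = { 1, 4 };
    struct pool_request up = { 8, true, 16, true };

    printf("fixed order: %d\n", set_fixed_order(&t, &up));
    printf("ordered:     %d -> min=%d max=%d\n",
           set_ordered(&t, &up), t.min, t.max);
    return 0;
}
```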