
Available patches from Ubuntu

To see Ubuntu's differences with respect to Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: libvirt

libvirt (6.0.0-0ubuntu11) groovy; urgency=medium

  * SECURITY UPDATE: privilege escalation via incorrect socket permissions
    - debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch:
      updated patch to also set appropriate permissions on socket created by
      systemd.
    - CVE-2020-15708

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 05 Aug 2020 09:08:34 -0400

libvirt (6.0.0-0ubuntu10) groovy; urgency=medium

  * enable attr support to store XATTR labels. Among other things this
    allows to properly restore file ownership (LP: #691590)
    - d/control: build depend to libattr1-dev
    - d/rules: configure --with-attr

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 22 Jun 2020 21:30:50 +0200

libvirt (6.0.0-0ubuntu9) groovy; urgency=medium

  * d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling
    (LP: #1879325)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 20 May 2020 06:59:57 +0200

libvirt (6.0.0-0ubuntu8) focal; urgency=medium

  * d/control, d/rules: Disable rbd and zfs on riscv64 where they are
    unavailable (LP: #1872952)

 -- William Grant <wgrant@ubuntu.com>  Sat, 18 Apr 2020 13:59:21 +1000

libvirt (6.0.0-0ubuntu7) focal; urgency=medium

  * d/p/ubuntu-aa/lp-1871354*: fix apparmor denials on libpmem init
    (LP: #1871354)
  * d/p/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch:
    avoid DOS through read only connections CVE-2020-10701

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 15 Apr 2020 12:29:12 +0200

libvirt (6.0.0-0ubuntu6) focal; urgency=medium

  * d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities and
    binary autodetection in general (LP: #1867460)
  * d/p/stable/lp-1868539-*: stabilize libvirt by backporting upstream fixes
    (LP: #1868539)
  * d/p/ubuntu/lp-1853200*: add cpu models without hle/rtm features to have
    modern types on kernels with recent security fixes (LP: #1853200)
  * d/p/ubuntu/lp-1868528-*: Fail when fetching CPU Status for invalid CPU
    (LP: #1868528)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 20 Mar 2020 10:34:19 +0100

libvirt (6.0.0-0ubuntu5) focal; urgency=medium

  * d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading
    versioned modules after qemu package upgrades (LP: #1847361)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 10 Mar 2020 08:58:04 +0100

libvirt (6.0.0-0ubuntu4) focal; urgency=medium

  * d/p/ubuntu/lp-1865425-*: avoid killing the monitor job in
    qemuDomainSetTimeAgent (LP: #1865425)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 02 Mar 2020 10:44:22 +0100

libvirt (6.0.0-0ubuntu3) focal; urgency=medium

  * rebuild against libxen-dev 4.11.3 (no change needed)
  * d/p/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch:
    allow emulation of smartcard via host certificates
  * d/p/ubuntu/lp-1861125-*: fix non host-model migrations from old machine
    types (LP: #1861125)
  * d/p/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch: do not
    apparmor block vhost-user-gpu usage

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 12 Feb 2020 14:20:08 +0100

libvirt (6.0.0-0ubuntu2) focal; urgency=medium

  [ Christian Ehrhardt ]
  * Bring back the ubuntu default URI handling. While no more needed for xen
    its removal made libvirt fallback further to the upstream default
    qemu:///session while Ubuntu forever had and for now wants to keep
    qemu:///system (LP: #1861693)
    - revert 'd/libvirt-clients.maintscript: rm_conffile libvirt-uri.sh that
      was optional for use on xen hosts'
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile [added back former delta]

  [ Andrea Bolognani ]
  * Merge further fixes from debian/experimental
    - Install virt-login-shell-helper
    - Install augeas lenses for all drivers
    - Remove all mentions of Devhelp
    - not-installed: Remove obsolete entries
    - not-installed: List all split daemons files

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 04 Feb 2020 13:08:49 +0100

libvirt (6.0.0-0ubuntu1) focal; urgency=medium

  * Merged with Debian 5.6.0-4 from experimental and v6.0.0 from upstream
    Among many other new features and fixes this includes fixes for:
    - LP: #1859253 - rbd driver fails to create a new volume
    - LP: #1858341 - rbd driver does not list all volumes in pool
    - LP: #1845506 - Libvirt snapshot doesn't update apparmor profile
    - LP: #1854653 - slow libvirt-guests.sh during shutdown if service is off
    - LP: #1848229 - enable ppc64el to use ccf-assist feature
    - LP: #1853315 - Enable CPU Model Comparison and Baselining on s390x
    - LP: #1853317 - CCW IPL support to boot from ECKD DASDs
    - LP: #1859506 - security: AppArmor profile fixes for swtpm
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the
      group based access to libvirt functions as it was used in Ubuntu for
      quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by
        making vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy
        as long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
      Secure Boot enabled variants of the OVMF firmware and variable store for
      the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - d/rules: also check build time self test results on all architectures
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/rules: add --no-restart-after-upgrade to services that are supposed
      to stay up through upgrades - this also applies to related sockets.
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split
      into logical pieces. File names in debian/patches/ubuntu-aa/:
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch:
        appmor, libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch:
        virt-aa-helper: add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk
        (renamed and reworded, was
        virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch:
        allow commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + 0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include
        for abstraction/libvirt-qemu (LP: 1786019)
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with
        vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
  * Dropped changes (in Debian)
    - d/libvirt0.symbols: bump symbol versions for 5.4.0
    - avoid service dependency issues on upgrade (LP: 1786179)
      This will in the long term be resolved in dh_* tools, but to let an
      upgrade work for now we need to drop the sysV scripts (which we don't
      use anyway) and slightly modify the systemd service to work with
      today's dh_systemd_start properly. Can be dropped once Debian bug
      905772 is resolved in dh_* tools and libvirt uses that new code.
      + d/libvirt-daemon-system.virtlogd.init: removed sysV init file
      + d/libvirt-daemon-system.libvirtd.init: removed sysV init file
      + debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd
        and libvirtd sysV init file
      + d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also
        references to virtlogd/virtlockd sockets as they would imply a
        restart of virtlogd breaking it.
      [ we now have split packages for sysv and systemd support ]
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Refreshed to match new upstream
      + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch
  * Dropped changes (now upstream)
    - d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities
      cpu features for the Host. (LP: 1828495 - not closing yet as guest caps
      still need fixups to work well LP: 1841066)
    - SECURITY UPDATEs: CVE-2019-10161, CVE-2019-10166, CVE-2019-10167 and
      CVE-2019-10168
    - d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
      avoid issues with remote screen connections like virt-manager due to
      apparmor changes in libvirt 5.1 (LP 1833040)
    - 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch:
      apparmor: Allow pygrub to run on Debian/Ubuntu
    - update to v5.4.0
  * Dropped changes (Xen demoted to universe)
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
      auto set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
  * Dropped changes (no more needed)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
      [ finally works in v6.0.0 ]
    - d/control: Revert iptables/ebtables dependency as Eoan still is on
      1.6.x [ focal has iptables 1.8.3 ]
    - d/rules: adapt iptables binary paths present in Eoan (LP 1832297)
      [ focal has iptables 1.8.3 ]
  * Added Changes:
    - refreshed patches for libvirt v6.0.0
    - d/control: bump build dep to python3
    - d/control: VCS links to use generic Ubuntu launchpad git URLs
    - d/control: add python3-docutils as build dependency
    - d/control: add libzfslinux-dev to build-deps
    - d/rules: set enable-dependency-tracking to avoid FTBFS
    - d/rules: drop the no more existing phyp option
    - d/rules: drop the no more existing xen configure option
    - d/libvirt-clients.maintscript: rm_conffile libvirt-uri.sh that was
      optional for use on xen hosts
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - minimize patches generated by autoreconf
    - fix build on Debian/Ubuntu in qemuhotplugtest
    - d/libvirt-doc.doc: install rendered docs
    - d/libvirt-daemon-system.examples: drop old examples that are now active
    - d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file
      placement
    - d/libvirt-daemon-system-sysv.lintian-overrides: not shipping systemd
      files
    - d/libnss-libvirt.lintian-overrides: accept having two nss so files
    - d/rules: don't ship split daemons just yet
    - d/rules: install /etc/default/* files that are shared between sysv and
      systemd packages
    - d/rules: add libvirt-guests.default to libvirt-daemon-system instead
      of libvirt-daemon-system-sysv
    - d/p/ubuntu/lp-1655111*: fix qemu_bridge_helper to work with named
      profiles (LP: #1655111)

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 13 Jan 2020 13:14:14 +0100
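The 6.0.0-0ubuntu11 entry above is a security update for a privilege escalation through wrong socket permissions, and the Ubuntu delta (the Allow-libvirt-group patch, the augeas expectation unix_sock_group = "libvirt") relies on the read-write socket being reachable only through owner and group. The script below is an added example for checking that property on a running host; it is not part of the libvirt packaging or of any patch on this page. It assumes libvirt's default socket location (/run/libvirt/libvirt-sock) and group name (libvirt), both overridable, and uses GNU stat.

```shell
#!/bin/sh
# Added example, not part of the libvirt packaging: audit the libvirt
# read-write control socket for the property the ubuntu11 security update
# restores, i.e. no permission bits for "other" and ownership by the access
# group.  Socket path and group name are assumptions (libvirt defaults) and
# can be overridden through the environment.  Requires GNU stat.

RW_SOCK=${RW_SOCK:-/run/libvirt/libvirt-sock}
ACCESS_GROUP=${ACCESS_GROUP:-libvirt}

# perm_bits PATH: print the octal permission bits of PATH, e.g. 770 or 2770.
perm_bits() {
    stat -c '%a' "$1"
}

# owning_group PATH: print the name of the group that owns PATH.
owning_group() {
    stat -c '%G' "$1"
}

# other_bits MODE: print the bits MODE grants to "other" (0..7).
# The leading 0 makes the shell parse stat's output as octal.
other_bits() {
    echo $(( 0$1 & 7 ))
}

# check_rw_socket PATH GROUP
#   returns 0 when PATH grants nothing to "other" and belongs to GROUP,
#   1 when it is world-accessible or has the wrong group (reason on stderr),
#   2 when PATH does not exist.
check_rw_socket() {
    path=$1
    want_group=$2
    [ -e "$path" ] || { echo "$path: missing" >&2; return 2; }
    mode=$(perm_bits "$path")
    group=$(owning_group "$path")
    if [ "$(other_bits "$mode")" -ne 0 ]; then
        # any "other" bit lets every local user connect and drive libvirtd
        echo "$path: mode $mode is accessible to other users" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group" >&2
        return 1
    fi
    return 0
}

# Run the audit against the live socket when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    check_rw_socket "$RW_SOCK" "$ACCESS_GROUP" && echo "$RW_SOCK: ok"
fi
```

Run it as `sh audit-libvirt-sock.sh --audit` on the host; a non-zero exit with the reason on stderr is the finding. The check deliberately looks at the low three permission bits only, so a setgid bit (mode 2770) still passes, while 0775 or 0777, which is what a systemd socket unit with a loose SocketMode would produce, fails.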

Modifications:
  1. Download patch debian/libvirt-daemon.dnsmasq

    --- 6.0.0-1/debian/libvirt-daemon.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon.dnsmasq 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,2 @@ +bind-interfaces +except-interface=virbr0
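Review bot: `except-interface=virbr0` excludes only the default network's bridge, so any further libvirt network bridge (virbr1 and up) is still eligible for binding by the system dnsmasq whenever it (re)starts with `bind-interfaces`, and it will then collide with the per-network dnsmasq that libvirt spawns. Either document that this snippet covers the default network only, or, if the dnsmasq in the archive accepts a trailing wildcard in except-interface, use `except-interface=virbr*`. A comment line stating the purpose (pairing with the system-wide dnsmasq-base the changelog mentions) would also help whoever finds this file under /etc/dnsmasq.d-available.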
  2. Download patch debian/libvirt0.symbols

    --- 6.0.0-1/debian/libvirt0.symbols 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt0.symbols 2020-06-22 19:30:50.000000000 +0000 @@ -121,11 +121,7 @@ libvirt.so.0 libvirt0 #MINVER# *@LIBVIRT_5.2.0 5.2.0~rc1 *@LIBVIRT_5.5.0 5.6.0 *@LIBVIRT_5.6.0 5.6.0 - *@LIBVIRT_5.7.0 6.0.0~rc1 - *@LIBVIRT_5.8.0 6.0.0~rc1 - *@LIBVIRT_5.10.0 6.0.0~rc1 - *@LIBVIRT_6.0.0 6.0.0~rc1 - *@LIBVIRT_PRIVATE_6.0.0 6.0.0~rc1 + *@LIBVIRT_PRIVATE_5.6.0 5.6.0 libvirt-qemu.so.0 libvirt0 #MINVER# *@LIBVIRT_QEMU_0.8.3 0.8.3 @@ -147,4 +143,4 @@ libvirt-admin.so.0 libvirt0 #MINVER# *@LIBVIRT_ADMIN_1.3.0 1.2.18 *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1 *@LIBVIRT_ADMIN_3.0.0 3.0.0 - *@LIBVIRT_ADMIN_PRIVATE_6.0.0 6.0.0~rc1 + *@LIBVIRT_ADMIN_PRIVATE_5.6.0 5.6.0
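Review bot: the Ubuntu side of this diff drops the LIBVIRT_5.7.0, LIBVIRT_5.8.0, LIBVIRT_5.10.0 and LIBVIRT_6.0.0 version nodes and replaces LIBVIRT_PRIVATE_6.0.0 and LIBVIRT_ADMIN_PRIVATE_6.0.0 with the 5.6.0 private nodes, which does not describe a 6.0.0 build of libvirt0: every symbol exported under the 6.0.0 nodes will be flagged as new by dpkg-gensymbols, the intended minimum version (6.0.0~rc1) for consumers of those symbols is lost, and the 5.6.0 private nodes will be reported as missing. The 6.0.0-0ubuntu1 changelog entry says the Ubuntu symbols bump was dropped in favour of Debian's, so the file should be re-synced with the 6.0.0-1 entries rather than left at the 5.6.0 state.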
  3. Download patch debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,30 @@ +From 0631bc4d4a3758319d2c7e61a26c32dbfdf6b07a Mon Sep 17 00:00:00 2001 +From: Jamie Strandboge <jamie@ubuntu.com> +Date: Tue, 23 May 2017 17:15:01 +0200 +Subject: [PATCH 03/33] apparmor, libvirt-qemu: Allow read access to + overcommit_memory + +Allow qemu to read @{PROC}/sys/vm/overcommit_memory. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu +index 899bf6c..e990ab4 100644 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -26,6 +26,7 @@ + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, ++ @{PROC}/sys/vm/overcommit_memory r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, +-- +2.7.4 +
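Review bot: the commit message says what is allowed but not why qemu needs @{PROC}/sys/vm/overcommit_memory, and unlike the vhost-user-gpu patch further down it quotes neither the AppArmor denial nor a bug reference; a 2017 patch still marked "Forwarded: no" should carry that so the next rebase can judge whether it is still needed. The rule itself is read-only on a single sysctl file and is harmless, so the point is documentation, not the access.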
  4. Download patch debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,43 @@ +From df20057fd2774cd61d86a6f0a7f05a545e1bd862 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Wed, 10 May 2017 15:16:30 +0200 +Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk + elements + +Just because a disk element only requests read access doesn't mean +there may not be another readwrite request. + +Using 'R' when creating the apparmor rule will prevent an implicit +write-deny rule to be created alongside. This does not mean write +is allowed but it would cause a denial message and probably more +relevant, allows to add write access later. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031 + +Review note: Investigate whether instead of dropping explicit deny +write it would be possible to create explicit blockcommit rules +(LP: #1692441). + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/virt-aa-helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -883,11 +883,11 @@ add_file_path(virStorageSourcePtr src, + + if (depth == 0) { + if (src->readonly) +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + else + ret = vah_add_file(buf, src->path, "rwk"); + } else { +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + } + + if (ret != 0)
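Review bot: the hunk switches both vah_add_file call sites to "Rk", but the handling of 'R' inside vah_add_file (emitting "r" while suppressing the "deny ... w" line) is not part of this patch, so as quoted it depends on that support already being in the 6.0.0 tree or in another ubuntu-aa patch; the header should name that dependency. On the security effect: an explicit deny is what overrides any broader allow rule elsewhere in the generated profile, so dropping it for read-only depth-0 disks as well as for every backing file means a path that also matches a wider allow rule (for example from the storage-paths patch listed in the changelog) becomes writable for qemu. The blockcommit case from LP 1554031 needs only the depth > 0 change; keeping "rk" for src->readonly at depth 0 would retain the deny for read-only top-level disks such as ISO images, and the open "Review note" about explicit blockcommit rules is the right follow-up.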
  5. Download patch debian/patches/ubuntu/set-default-machine-to-ubuntu.patch

    --- 6.0.0-1/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,45 @@ +Description: set default machine type to ubuntu + Upstream qemu is about to change the default machine type to q35. + But libvirt has sort of an API-contract that guarantees to have the + default be at a "pc" type. + Note: it can not be overemphasized that users/tools should choose a type + themselves in any cases possible + . + Due to those changes in qemu libvirt now ignores the qemu default type. + But we want the latest distro machine type the default. + Qemu only provides max one alias per type, so we can not set "ubuntu" + which is the default we provided for users asking for the latest type + matching the current series AND at the same time an alias to "pc" which + is what libvirt now explicitly selects. + . + The lowest amount of confusion is to let libvirt select "ubuntu" instead of + "pc" as the default. That matches all former Ubuntu releases where "ubuntu" + was the default qemu provided and libvirt picked up and at the same time it + stays a pc-based type as required by libvirt. + . + Distro-only: as the machine types only are that way to maintain + differences between pure upstream and derived qemu implementation. +Forwarded: not-needed +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Last-Update: 2019-01-10 + +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2207,7 +2207,7 @@ static const char *preferredMachines[] = + + "integratorcp", /* VIR_ARCH_AARCH64 */ + "axis-dev88", /* VIR_ARCH_CRIS */ +- "pc", /* VIR_ARCH_I686 */ ++ "ubuntu", /* VIR_ARCH_I686 */ + NULL, /* VIR_ARCH_ITANIUM (doesn't exist in QEMU any more) */ + "lm32-evr", /* VIR_ARCH_LM32 */ + +@@ -2239,7 +2239,7 @@ static const char *preferredMachines[] = + "SS-5", /* VIR_ARCH_SPARC */ + "sun4u", /* VIR_ARCH_SPARC64 */ + "puv3", /* VIR_ARCH_UNICORE32 */ +- "pc", /* VIR_ARCH_X86_64 */ ++ "ubuntu", /* VIR_ARCH_X86_64 */ + + "sim", /* VIR_ARCH_XTENSA */ + "sim", /* VIR_ARCH_XTENSAEB */
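Review bot: the preferredMachines table now names "ubuntu" for i686 and x86_64 with no fallback to "pc", and the description does not say what libvirt ends up selecting when the qemu binary in use exposes no "ubuntu" alias (a self-built or third-party qemu on an Ubuntu host). Please state the resulting default in the description, or handle a missing alias in code, so that the machine type chosen on such hosts is a documented outcome; the description's own advice that users and tools should always pick a machine type explicitly is worth repeating in README.Debian, which the changelog says carries the Ubuntu changes.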
  6. Download patch debian/patches/ubuntu/parallel-shutdown.patch

    --- 6.0.0-1/debian/patches/ubuntu/parallel-shutdown.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/parallel-shutdown.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,25 @@ +Description: enhance default shutdown behavior + Modify the default config to do 10 parallel shutdown requests and reduce + the timeout to 120s/2m. +Forwarded: no +Author: Stefan Bader <stefan.bader@canonical.com> + +--- a/tools/libvirt-guests.sysconf ++++ b/tools/libvirt-guests.sysconf +@@ -28,14 +28,14 @@ + # "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one + # after another. Number of guests on shutdown at any time will not exceed number + # set in this variable. +-#PARALLEL_SHUTDOWN=0 ++PARALLEL_SHUTDOWN=10 + + # Number of seconds we're willing to wait for a guest to shut down. If parallel + # shutdown is enabled, this timeout applies as a timeout for shutting down all + # guests on a single URI defined in the variable URIS. If this is 0, then there + # is no time out (use with caution, as guests might not respond to a shutdown + # request). The default value is 300 seconds (5 minutes). +-#SHUTDOWN_TIMEOUT=300 ++SHUTDOWN_TIMEOUT=120 + + # If non-zero, try to bypass the file system cache when saving and + # restoring guests, even though this may give slower operation for
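Review bot: the unchanged context lines directly above the SHUTDOWN_TIMEOUT change still read "The default value is 300 seconds (5 minutes)", which is no longer true for the file as shipped; update that comment in the same hunk, and the PARALLEL_SHUTDOWN comment can state the new default of 10 alongside the description of 0. The Description should also spell out the consequence the existing comment implies: with parallel shutdown enabled the 120 s budget applies to all guests on a URI together, so on a host with many guests this is far less time per guest than the previous serial 300 s, and guests that have not finished by then are not waited for any further.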
  7. Download patch debian/patches/ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,129 @@ +From 29ecbe2f821644b2d24d4d0064333942ddedabc7 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 18 Mar 2020 11:13:22 +0100 +Subject: [PATCH] cpu_map: Don't use new noTSX models for host-model CPUs + +Host-model CPU definitions (and domain capabilities) will use the +original CPU models (without noTSX in their name) and explicitly disable +hle and rtm features. This way domains with host-model CPUs will be +migratable even to older versions of libvirt which do not support the +noTSX model variants. + +The new models will be advertised in host capabilities and they may +be used explicitly with custom CPUs. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=17cdefe5f1 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853200 +Last-Update: 2020-03-23 + +--- + src/cpu_map/x86_Cascadelake-Server-noTSX.xml | 2 +- + src/cpu_map/x86_Icelake-Client-noTSX.xml | 2 +- + src/cpu_map/x86_Icelake-Server-noTSX.xml | 2 +- + src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 2 +- + src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 2 +- + tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml | 4 +++- + tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml | 4 +++- + 7 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml +index 5adea664e9..459174a30d 100644 +--- a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml ++++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml +@@ -1,6 +1,6 @@ + <cpus> + <model name='Cascadelake-Server-noTSX'> +- <decode host='on' guest='on'/> ++ <decode host='on' guest='off'/> + <signature family='6' model='85'/> <!-- 050654 --> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> +diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml +index 540732af6f..65e648ae21 100644 +--- 
a/src/cpu_map/x86_Icelake-Client-noTSX.xml ++++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml +@@ -1,6 +1,6 @@ + <cpus> + <model name='Icelake-Client-noTSX'> +- <decode host='on' guest='on'/> ++ <decode host='on' guest='off'/> + <signature family='6' model='126'/> <!-- 0706e0 --> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> +diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml +index 5a53da23c7..2fd6906406 100644 +--- a/src/cpu_map/x86_Icelake-Server-noTSX.xml ++++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml +@@ -1,6 +1,6 @@ + <cpus> + <model name='Icelake-Server-noTSX'> +- <decode host='on' guest='on'/> ++ <decode host='on' guest='off'/> + <signature family='6' model='134'/> <!-- 080660 --> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> +diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml +index 0c2f1e6ac4..ffba34502a 100644 +--- a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml ++++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml +@@ -1,6 +1,6 @@ + <cpus> + <model name='Skylake-Client-noTSX-IBRS'> +- <decode host='on' guest='on'/> ++ <decode host='on' guest='off'/> + <signature family='6' model='94'/> <!-- 0506e0 --> + <signature family='6' model='78'/> <!-- 0406e0 --> + <!-- These are Kaby Lake and Coffee Lake successors to Skylake, +diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml +index 91a206f575..c2b7de40e8 100644 +--- a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml ++++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml +@@ -1,6 +1,6 @@ + <cpus> + <model name='Skylake-Server-noTSX-IBRS'> +- <decode host='on' guest='on'/> ++ <decode host='on' guest='off'/> + <signature family='6' model='85'/> <!-- 050654 --> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> +diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml 
b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml +index e03c4a06ba..92404e4d03 100644 +--- a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml ++++ b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml +@@ -1,5 +1,5 @@ + <cpu mode='custom' match='exact'> +- <model fallback='forbid'>Skylake-Client-noTSX-IBRS</model> ++ <model fallback='forbid'>Skylake-Client-IBRS</model> + <vendor>Intel</vendor> + <feature policy='require' name='ds'/> + <feature policy='require' name='acpi'/> +@@ -26,4 +26,6 @@ + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> + <feature policy='require' name='skip-l1dfl-vmentry'/> ++ <feature policy='disable' name='hle'/> ++ <feature policy='disable' name='rtm'/> + </cpu> +diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml +index 3d8e6775bf..645c0934c2 100644 +--- a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml ++++ b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml +@@ -1,5 +1,5 @@ + <cpu mode='custom' match='exact'> +- <model fallback='forbid'>Skylake-Client-noTSX-IBRS</model> ++ <model fallback='forbid'>Skylake-Client-IBRS</model> + <vendor>Intel</vendor> + <feature policy='require' name='ss'/> + <feature policy='require' name='vmx'/> +@@ -14,4 +14,6 @@ + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='skip-l1dfl-vmentry'/> ++ <feature policy='disable' name='hle'/> ++ <feature policy='disable' name='rtm'/> + </cpu> +-- +2.25.1 +
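Review bot: the From: line carries commit 29ecbe2f821644b2d24d4d0064333942ddedabc7 while the Origin: line points at upstream 17cdefe5f1; one is presumably the local cherry-pick id, but the header should say which hash the backport corresponds to. On the change itself, decode guest='off' is flipped for five model definitions (the Cascadelake-Server, Icelake-Client, Icelake-Server, Skylake-Client-IBRS and Skylake-Server-IBRS noTSX variants) but only the Core-i7-8550U test data, which exercises Skylake-Client, is updated, so the server models' host-model behaviour is not covered by the tests; if upstream's commit carried no further cputestdata changes, say so in the header, otherwise bring them along with the rest of the d/p/ubuntu/lp-1853200* set.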
  8. Download patch debian/tests/control

    --- 6.0.0-1/debian/tests/control 2020-01-11 11:25:55.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/tests/control 2020-06-22 19:30:50.000000000 +0000 @@ -3,7 +3,8 @@ Depends: libvirt-clients Restrictions: allow-stderr Tests: smoke-qemu-session -Depends: libvirt-daemon, libvirt-clients, libxml2-utils, qemu-system, qemu-kvm +Depends: libvirt-daemon-system, libvirt-clients, libxml2-utils, qemu-system, qemu-kvm, + linux-image-amd64 [amd64] | linux-generic [amd64] Restrictions: allow-stderr, isolation-container Tests: smoke-lxc
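Review bot: the added kernel dependency is restricted to [amd64], so on every other architecture smoke-qemu-session still runs against libvirt-daemon-system without a kernel image to boot, which is exactly the failure the changelog says this is meant to fix ("making vmlinuz available and accessible", Debian bug 848314); either list the per-architecture kernel packages for the architectures the package is built for (the changelog mentions ppc64el, s390x and riscv64 elsewhere) or mark the test skippable where no image is available. A short comment on why a test still called "session" now depends on libvirt-daemon-system (the changelog says the service must be running for the smoke test) would spare the next reader the same question.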
  9. Download patch debian/patches/ubuntu/daemon-augeas-fix-expected.patch

    --- 6.0.0-1/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,23 @@ +Description: Fix the expected augeas output for 'make check' + This never used to run for us because we never build-depended on + augeas-tools. +Author: Serge Hallyn <serge.hallyn@ubuntu.com> +Forwarded: no + +This is only needed in combination with + d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch and makes the tests +match the slightly different default configuration. + +--- a/src/remote/test_libvirtd.aug.in ++++ b/src/remote/test_libvirtd.aug.in +@@ -11,10 +11,8 @@ module Test_@DAEMON_NAME@ = + @END@ + { "unix_sock_group" = "libvirt" } + { "unix_sock_ro_perms" = "0777" } +- { "unix_sock_rw_perms" = "0770" } + { "unix_sock_admin_perms" = "0700" } + { "unix_sock_dir" = "@runstatedir@/libvirt" } +- { "auth_unix_ro" = "none" } + { "auth_unix_rw" = "none" } + @CUT_ENABLE_IP@ + { "auth_tcp" = "sasl" }
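Review bot: the hunk deletes the expected entries for unix_sock_rw_perms and auth_unix_ro instead of replacing them with the values the Allow-libvirt-group patch sets, so the augeas self test no longer checks either setting at all; those are precisely the keys that decide who may open the read-write socket (the 6.0.0-0ubuntu11 entry is a CVE fix for socket permissions), so the test should assert the new expected values, e.g. keep a `{ "unix_sock_rw_perms" = "..." }` line with the Ubuntu value, rather than drop the checks. The Description should also state what the "slightly different default configuration" actually is.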
  10. Download patch debian/libvirt-daemon-system.dirs

    --- 6.0.0-1/debian/libvirt-daemon-system.dirs 2018-03-18 09:53:51.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon-system.dirs 2020-06-22 19:30:50.000000000 +0000 @@ -1,3 +1,4 @@ +/usr/share/apport/package-hooks /var/lib/libvirt/boot /var/lib/libvirt/images /var/lib/libvirt/qemu @@ -9,5 +10,6 @@ /var/log/libvirt/uml /var/log/libvirt/lxc /etc/libvirt/hooks +/etc/dnsmasq.d-available /usr/share/polkit-1/rules.d/ /var/lib/polkit-1/localauthority/10-vendor.d/
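Review bot: /etc/dnsmasq.d-available is created here and debian/libvirt-daemon.dnsmasq (patch 1 above) is the snippet meant to live in it, but nothing in this diff shows how that file gets installed there or linked into dnsmasq's active configuration directory; the changelog line "Add dnsmasq configuration to work with system wide dnsmasq-base" should name the mechanism (install file, postinst, or the dnsmasq package's own handling of dnsmasq.d-available) so the dependency between the two files is visible. The apport package-hooks directory is a plain addition to Debian's list and is fine.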
  11. Download patch debian/patches/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,37 @@ +From f8b0bda3bf9c1040d4f3c9f34bccc169867e5116 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Thu, 13 Feb 2020 12:29:00 +0100 +Subject: [PATCH] apparmor: allow to call vhost-user-gpu + +Configuring vhost-user-gpu like: + <video> + <driver name='vhostuser'/> + <model type='virtio' heads='1'/> + </video> +Triggers an apparmor denial like: + apparmor="DENIED" operation="exec" profile="libvirtd" + name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd" + requested_mask="x" denied_mask="x" fsuid=0 ouid=0 + +This helper is provided by qemu for vhost-user-gpu and thereby being +in the same path as qemu_bridge_helper. Due to that adding a rule allowing +to call uses the same path list. + +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Forwarded: yes (https://www.redhat.com/archives/libvir-list/2020-February/msg00522.html) +Last-Update: 2020-02-13 + +--- + src/security/apparmor/usr.sbin.libvirtd | 1 + + 1 file changed, 1 insertion(+) +--- a/src/security/apparmor/usr.sbin.libvirtd ++++ b/src/security/apparmor/usr.sbin.libvirtd +@@ -88,6 +88,7 @@ profile libvirtd /usr/sbin/libvirtd flag + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, ++ /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script.
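Review bot: `PUx` transitions vhost-user-gpu into a profile named after its path only if one is loaded and otherwise runs it unconfined, and this patch ships no such profile; vhost-user-gpu is the backend that processes virtio-gpu work coming from the guest, so on hosts without a profile this rule lets guest-driven code run with no AppArmor confinement at all, weaker than the qemu process it serves. Either ship a profile for the helper so the P transition lands in it, or at minimum state in the description that the fallback is unconfined, as it also is for the neighbouring xen helper rules the new line sits next to.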
  12. Download patch debian/patches/ubuntu/lp-1867460-qemu_capabilities-Rework-domain-caps-cache.patch
  13. Download patch debian/patches/ubuntu/lp-1853200-cpu_x86-Honor-CPU-models-decode-element.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1853200-cpu_x86-Honor-CPU-models-decode-element.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1853200-cpu_x86-Honor-CPU-models-decode-element.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,59 @@ +From 31cafe4f441dbe621494b281db03a474911c27d8 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 18 Mar 2020 11:13:21 +0100 +Subject: [PATCH] cpu_x86: Honor CPU models' <decode> element + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cd896ef31 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853200 +Last-Update: 2020-03-23 + +--- + src/cpu/cpu_x86.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c +index 366337ef57..ce15bb0454 100644 +--- a/src/cpu/cpu_x86.c ++++ b/src/cpu/cpu_x86.c +@@ -2044,10 +2044,23 @@ x86DecodeUseCandidate(virCPUx86ModelPtr current, + virCPUx86ModelPtr candidate, + virCPUDefPtr cpuCandidate, + uint32_t signature, +- const char *preferred, +- bool checkPolicy) ++ const char *preferred) + { +- if (checkPolicy) { ++ if (cpuCandidate->type == VIR_CPU_TYPE_HOST && ++ !candidate->decodeHost) { ++ VIR_DEBUG("%s is not supposed to be used for host CPU definition", ++ cpuCandidate->model); ++ return 0; ++ } ++ ++ if (cpuCandidate->type == VIR_CPU_TYPE_GUEST && ++ !candidate->decodeGuest) { ++ VIR_DEBUG("%s is not supposed to be used for guest CPU definition", ++ cpuCandidate->model); ++ return 0; ++ } ++ ++ if (cpuCandidate->type == VIR_CPU_TYPE_HOST) { + size_t i; + for (i = 0; i < cpuCandidate->nfeatures; i++) { + if (cpuCandidate->features[i].policy == VIR_CPU_FEATURE_DISABLE) +@@ -2209,8 +2222,7 @@ x86Decode(virCPUDefPtr cpu, + + if ((rc = x86DecodeUseCandidate(model, cpuModel, + candidate, cpuCandidate, +- signature, preferred, +- cpu->type == VIR_CPU_TYPE_HOST))) { ++ signature, preferred))) { + virCPUDefFree(cpuModel); + cpuModel = cpuCandidate; + model = candidate; +-- +2.25.1 +
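Review bot: the first hunk replaces the caller-supplied `checkPolicy` with `cpuCandidate->type == VIR_CPU_TYPE_HOST`, while the second hunk shows the caller previously computed that flag from `cpu->type`; the two are only equivalent if `cpuCandidate` always carries the same `type` as `cpu`, which the shown context does not establish, so a comment or an assertion at the `x86Decode()` call site would make the assumption explicit. The new `decodeHost`/`decodeGuest` rejections return 0 (candidate skipped) with only a `VIR_DEBUG` message, which matches the function's existing contract for "do not use this candidate".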
  14. Download patch debian/patches/stable/lp-1868539-qemu-Stop-domain-on-failed-restore.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-Stop-domain-on-failed-restore.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-Stop-domain-on-failed-restore.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,104 @@ +From 4c581527d431939a63be70c201b4ddab703cddbe Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 13 Jan 2020 11:07:53 +0100 +Subject: [PATCH] qemu: Stop domain on failed restore + +When resuming a domain from a save file, we read the domain XML +from the file, add it onto our internal list of domains, start +the qemu process, let it load the incoming migration stream and +resume its vCPUs afterwards. If anything goes wrong, the domain +object is removed from the list of domains and error is returned +to the caller. However, the qemu process might be left behind - +if resuming vCPUs fails (e.g. because qemu is unable to acquire +write lock on a disk) then due to a bug the qemu process is not +killed but the domain object is removed from the list. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1718707 + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=4c581527d4 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 99829ad229..62d7b581f4 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6800,7 +6800,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + { + qemuDomainObjPrivatePtr priv = vm->privateData; + int ret = -1; +- bool restored = false; ++ bool started = false; + virObjectEventPtr event; + VIR_AUTOCLOSE intermediatefd = -1; + g_autoptr(virCommand) cmd = NULL; +@@ -6808,6 +6808,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); + virQEMUSaveHeaderPtr header = &data->header; + g_autoptr(qemuDomainSaveCookie) cookie = NULL; ++ int rc = 0; + + if 
(virSaveCookieParseString(data->cookie, (virObjectPtr *)&cookie, + virDomainXMLOptionGetSaveCookie(driver->xmlopt)) < 0) +@@ -6848,12 +6849,12 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + VIR_NETDEV_VPORT_PROFILE_OP_RESTORE, + VIR_QEMU_PROCESS_START_PAUSED | + VIR_QEMU_PROCESS_START_GEN_VMID) == 0) +- restored = true; ++ started = true; + + if (intermediatefd != -1) { + virErrorPtr orig_err = NULL; + +- if (!restored) { ++ if (!started) { + /* if there was an error setting up qemu, the intermediate + * process will wait forever to write to stdout, so we + * must manually kill it and ignore any error related to +@@ -6864,21 +6865,17 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + VIR_FORCE_CLOSE(*fd); + } + +- if (virCommandWait(cmd, NULL) < 0) { +- qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED, asyncJob, 0); +- restored = false; +- } ++ rc = virCommandWait(cmd, NULL); + VIR_DEBUG("Decompression binary stderr: %s", NULLSTR(errbuf)); +- + virErrorRestore(&orig_err); + } + if (VIR_CLOSE(*fd) < 0) { + virReportSystemError(errno, _("cannot close file: %s"), path); +- restored = false; ++ rc = -1; + } + +- virDomainAuditStart(vm, "restored", restored); +- if (!restored) ++ virDomainAuditStart(vm, "restored", started); ++ if (!started || rc < 0) + goto cleanup; + + /* qemuProcessStart doesn't unset the qemu error reporting infrastructure +@@ -6918,6 +6915,10 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + ret = 0; + + cleanup: ++ if (ret < 0 && started) { ++ qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED, ++ asyncJob, VIR_QEMU_PROCESS_STOP_MIGRATED); ++ } + if (qemuSecurityRestoreSavedStateLabel(driver, vm, path) < 0) + VIR_WARN("failed to restore save state label on %s", path); + return ret; +-- +2.25.1 +
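Review bot: in the third hunk (`@@ -6864,21 +6865,17 @@`) a failure of `virCommandWait()` or `VIR_CLOSE(*fd)` no longer clears the status flag before `virDomainAuditStart(vm, "restored", started)`, so the audit record now reports a successful restore even when decompression failed or the save file could not be closed, and the process is only torn down afterwards in `cleanup`. If the audit trail is meant to reflect the outcome of the restore rather than the bare process launch, pass `started && rc == 0` to the audit call, or emit a matching stop record from the cleanup path.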
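Review bot: the `cleanup:` hunk stops the domain with `VIR_QEMU_PROCESS_STOP_MIGRATED` where the removed inline `qemuProcessStop()` call used flags `0`; that difference is not explained in the commit message and deserves a sentence on why the failed restore is now torn down like an incoming migration. The new condition `ret < 0 && started` does correctly cover the previously leaked case where vCPU resume failed after a successful start.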
  15. Download patch debian/patches/stable/lp-1868539-daemon-set-default-memlock-limit-for-systemd-service.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-daemon-set-default-memlock-limit-for-systemd-service.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-daemon-set-default-memlock-limit-for-systemd-service.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,94 @@ +From b379fee11772976f85e095717602e5e010b95e6e Mon Sep 17 00:00:00 2001 +From: Pavel Hrdina <phrdina@redhat.com> +Date: Wed, 26 Feb 2020 13:23:00 +0100 +Subject: [PATCH] daemon: set default memlock limit for systemd service + +The default memlock limit is 64k which is not enough to start a single +VM. The requirements for one VM are 12k, 8k for eBPF map and 4k for eBPF +program, however, it fails to create eBPF map and program with 64k limit. +By testing I figured out that the minimal limit is 80k to start a single +VM with functional eBPF and if I add 12k I can start another one. + +This leads into following calculation: + +80k as memlock limit worked to start a VM with eBPF which means there +is 68k of lock memory that I was not able to figure out what was using +it. So to get a number for 4096 VMs: + + 68 + 12 * 4096 = 49220 + +If we round it up we will get 64M of memory lock limit to support 4096 +VMs with default map size which can hold 64 entries for devices. + +This should be good enough as a sane default and users can change it if +the need to. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1807090 + +Signed-off-by: Pavel Hrdina <phrdina@redhat.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=b379fee117 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/lxc/virtlxcd.service.in | 6 ++++++ + src/qemu/virtqemud.service.in | 6 ++++++ + src/remote/libvirtd.service.in | 6 ++++++ + 3 files changed, 18 insertions(+) + +diff --git a/src/lxc/virtlxcd.service.in b/src/lxc/virtlxcd.service.in +index c732499a64..33f8ca2d4d 100644 +--- a/src/lxc/virtlxcd.service.in ++++ b/src/lxc/virtlxcd.service.in +@@ -32,6 +32,12 @@ LimitNOFILE=8192 + # A conservative default of 8 tasks per guest results in a TasksMax of + # 32k to support 4096 guests. 
+ TasksMax=32768 ++# With cgroups v2 there is no devices controller anymore, we have to use ++# eBPF to control access to devices. In order to do that we create a eBPF ++# hash MAP which locks memory. The default map size for 64 devices together ++# with program takes 12k per guest. After rounding up we will get 64M to ++# support 4096 guests. ++LimitMEMLOCK=64M + + [Install] + WantedBy=multi-user.target +diff --git a/src/qemu/virtqemud.service.in b/src/qemu/virtqemud.service.in +index 44eb2a2bf7..aa24bdaab7 100644 +--- a/src/qemu/virtqemud.service.in ++++ b/src/qemu/virtqemud.service.in +@@ -32,6 +32,12 @@ LimitNOFILE=8192 + # A conservative default of 8 tasks per guest results in a TasksMax of + # 32k to support 4096 guests. + TasksMax=32768 ++# With cgroups v2 there is no devices controller anymore, we have to use ++# eBPF to control access to devices. In order to do that we create a eBPF ++# hash MAP which locks memory. The default map size for 64 devices together ++# with program takes 12k per guest. After rounding up we will get 64M to ++# support 4096 guests. ++LimitMEMLOCK=64M + + [Install] + WantedBy=multi-user.target +diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in +index 9c8c54a2ef..90b2cad5b0 100644 +--- a/src/remote/libvirtd.service.in ++++ b/src/remote/libvirtd.service.in +@@ -40,6 +40,12 @@ LimitNOFILE=8192 + # A conservative default of 8 tasks per guest results in a TasksMax of + # 32k to support 4096 guests. + TasksMax=32768 ++# With cgroups v2 there is no devices controller anymore, we have to use ++# eBPF to control access to devices. In order to do that we create a eBPF ++# hash MAP which locks memory. The default map size for 64 devices together ++# with program takes 12k per guest. After rounding up we will get 64M to ++# support 4096 guests. ++LimitMEMLOCK=64M + + [Install] + WantedBy=multi-user.target +-- +2.25.1 +
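Review bot: the same six-line comment and `LimitMEMLOCK=64M` are pasted verbatim into `virtlxcd.service.in`, `virtqemud.service.in` and `libvirtd.service.in`; a shared drop-in would keep the three in sync when the value is revisited. The commit message's arithmetic (`68 + 12 * 4096 = 49220` KiB, rounded up to 64M) is worth repeating in the unit comment so an administrator raising the guest count knows how to recompute it, and the comment should also note that `RLIMIT_MEMLOCK` set on the daemon is inherited by every process it spawns unless libvirt sets a limit of its own for that child.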
  16. Download patch debian/patches/ubuntu/lp-1865425-qemu-end-the-agent-job-in-qemuDomainSetTimeAgent.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1865425-qemu-end-the-agent-job-in-qemuDomainSetTimeAgent.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1865425-qemu-end-the-agent-job-in-qemuDomainSetTimeAgent.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,41 @@ +From d61f95cf6a6fbd564e104c168d325581acd9cd8d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Mon, 20 Jan 2020 07:55:48 +0100 +Subject: [PATCH] qemu: end the agent job in qemuDomainSetTimeAgent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This function grabs an agent job but ends a monitor job. +End the agent job instead. + +https://bugzilla.redhat.com/show_bug.cgi?id=1792723 + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reported-by: Dan Zheng <dzheng@redhat.com> +Fixes: e005c95f56fee9ed780be7f8db103d690bd34cbd + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=d61f95cf6a6 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1865425 +Last-Update: 2020-03-02 + +--- + src/qemu/qemu_driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 7e379fe83a..2f66d7cd9a 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -20464,7 +20464,7 @@ qemuDomainSetTimeAgent(virQEMUDriverPtr driver, + qemuDomainObjExitAgent(vm, agent); + + endjob: +- qemuDomainObjEndJob(driver, vm); ++ qemuDomainObjEndAgentJob(vm); + return ret; + } + +-- +2.25.1 +
  17. Download patch debian/patches/stable/lp-1868539-vz-Fix-return-value-in-error-path.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-vz-Fix-return-value-in-error-path.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-vz-Fix-return-value-in-error-path.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,49 @@ +From 2ab1a5534944f514528b32913e11ca9fd323feff Mon Sep 17 00:00:00 2001 +From: Rikard Falkeborn <rikard.falkeborn@gmail.com> +Date: Sun, 23 Feb 2020 00:22:47 +0100 +Subject: [PATCH] vz: Fix return value in error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If PrlVmDev_GetType(), PrlVmDev_GetIndex() or PrlVmCfg_GetBootDevCount() +fails, return false to indicate error. Returning -1 would be interpreted +as true when used in an if-statement. + +Fixes: 8c9252aa6d95247537da0939b54fdd2f31695e32 +Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com> +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=2ab1a55349 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/vz/vz_sdk.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/vz/vz_sdk.c b/src/vz/vz_sdk.c +index 877692aeba..2c68c7cb27 100644 +--- a/src/vz/vz_sdk.c ++++ b/src/vz/vz_sdk.c +@@ -1609,13 +1609,13 @@ prlsdkInBootList(PRL_HANDLE sdkdom, + size_t i; + + pret = PrlVmDev_GetType(sdktargetdev, &targetType); +- prlsdkCheckRetExit(pret, -1); ++ prlsdkCheckRetExit(pret, false); + + pret = PrlVmDev_GetIndex(sdktargetdev, &targetIndex); +- prlsdkCheckRetExit(pret, -1); ++ prlsdkCheckRetExit(pret, false); + + pret = PrlVmCfg_GetBootDevCount(sdkdom, &bootNum); +- prlsdkCheckRetExit(pret, -1); ++ prlsdkCheckRetExit(pret, false); + + for (i = 0; i < bootNum; ++i) { + pret = PrlVmCfg_GetBootDev(sdkdom, i, &bootDev); +-- +2.25.1 +
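Review bot: switching `prlsdkCheckRetExit(pret, -1)` to `prlsdkCheckRetExit(pret, false)` fixes the truthiness bug, but it also makes an SDK failure indistinguishable from "device not in boot list" for callers of `prlsdkInBootList()`; if callers need to tell the two apart, the function would have to return an int tri-state rather than bool. For a bool-returning predicate this is the correct fix and matches the commit message.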
  18. Download patch debian/patches/stable/lp-1868539-qemu-Use-g_autoptr-for-qemuDomainSaveCookie.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-Use-g_autoptr-for-qemuDomainSaveCookie.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-Use-g_autoptr-for-qemuDomainSaveCookie.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,140 @@ +From 3203ad6cfd617fb11d4bb47e514c370b6624641b Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 13 Jan 2020 11:06:39 +0100 +Subject: [PATCH] qemu: Use g_autoptr() for qemuDomainSaveCookie + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=3203ad6cfd +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_domain.c | 28 ++++++++++------------------ + src/qemu/qemu_domain.h | 1 + + src/qemu/qemu_driver.c | 6 ++---- + 3 files changed, 13 insertions(+), 22 deletions(-) + +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index a6dde15bad..128bcaee7d 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -15997,27 +15997,23 @@ qemuDomainSaveCookiePtr + qemuDomainSaveCookieNew(virDomainObjPtr vm) + { + qemuDomainObjPrivatePtr priv = vm->privateData; +- qemuDomainSaveCookiePtr cookie = NULL; ++ g_autoptr(qemuDomainSaveCookie) cookie = NULL; + + if (qemuDomainInitialize() < 0) +- goto error; ++ return NULL; + + if (!(cookie = virObjectNew(qemuDomainSaveCookieClass))) +- goto error; ++ return NULL; + + if (priv->origCPU && !(cookie->cpu = virCPUDefCopy(vm->def->cpu))) +- goto error; ++ return NULL; + + cookie->slirpHelper = qemuDomainGetSlirpHelperOk(vm); + + VIR_DEBUG("Save cookie %p, cpu=%p, slirpHelper=%d", + cookie, cookie->cpu, cookie->slirpHelper); + +- return cookie; +- +- error: +- virObjectUnref(cookie); +- return NULL; ++ return g_steal_pointer(&cookie); + } + + +@@ -16025,26 +16021,22 @@ static int + qemuDomainSaveCookieParse(xmlXPathContextPtr ctxt G_GNUC_UNUSED, + virObjectPtr *obj) + { +- qemuDomainSaveCookiePtr cookie = NULL; ++ g_autoptr(qemuDomainSaveCookie) cookie = NULL; + + if (qemuDomainInitialize() < 0) +- goto error; ++ return -1; + + if (!(cookie = virObjectNew(qemuDomainSaveCookieClass))) +- 
goto error; ++ return -1; + + if (virCPUDefParseXML(ctxt, "./cpu[1]", VIR_CPU_TYPE_GUEST, + &cookie->cpu) < 0) +- goto error; ++ return -1; + + cookie->slirpHelper = virXPathBoolean("boolean(./slirpHelper)", ctxt) > 0; + +- *obj = (virObjectPtr) cookie; ++ *obj = (virObjectPtr) g_steal_pointer(&cookie); + return 0; +- +- error: +- virObjectUnref(cookie); +- return -1; + } + + +diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h +index c6afc484f6..60b80297fa 100644 +--- a/src/qemu/qemu_domain.h ++++ b/src/qemu/qemu_domain.h +@@ -610,6 +610,7 @@ struct _qemuDomainSaveCookie { + bool slirpHelper; + }; + ++G_DEFINE_AUTOPTR_CLEANUP_FUNC(qemuDomainSaveCookie, virObjectUnref); + + typedef struct _qemuDomainXmlNsDef qemuDomainXmlNsDef; + typedef qemuDomainXmlNsDef *qemuDomainXmlNsDefPtr; +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 3c1fb11b10..99829ad229 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -3293,7 +3293,7 @@ qemuDomainSaveInternal(virQEMUDriverPtr driver, + virObjectEventPtr event = NULL; + qemuDomainObjPrivatePtr priv = vm->privateData; + virQEMUSaveDataPtr data = NULL; +- qemuDomainSaveCookiePtr cookie = NULL; ++ g_autoptr(qemuDomainSaveCookie) cookie = NULL; + + if (!qemuMigrationSrcIsAllowed(driver, vm, false, 0)) + goto cleanup; +@@ -3399,7 +3399,6 @@ qemuDomainSaveInternal(virQEMUDriverPtr driver, + qemuDomainRemoveInactiveJob(driver, vm); + + cleanup: +- virObjectUnref(cookie); + virQEMUSaveDataFree(data); + virObjectEventStateQueue(driver->domainEventState, event); + return ret; +@@ -6808,7 +6807,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + g_autofree char *errbuf = NULL; + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); + virQEMUSaveHeaderPtr header = &data->header; +- qemuDomainSaveCookiePtr cookie = NULL; ++ g_autoptr(qemuDomainSaveCookie) cookie = NULL; + + if (virSaveCookieParseString(data->cookie, (virObjectPtr *)&cookie, + 
virDomainXMLOptionGetSaveCookie(driver->xmlopt)) < 0) +@@ -6919,7 +6918,6 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + ret = 0; + + cleanup: +- virObjectUnref(cookie); + if (qemuSecurityRestoreSavedStateLabel(driver, vm, path) < 0) + VIR_WARN("failed to restore save state label on %s", path); + return ret; +-- +2.25.1 +
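Review bot: the `qemu_driver.c` hunk at `@@ -6808,7 +6807,7 @@` passes `(virObjectPtr *)&cookie` into `virSaveCookieParseString()` with `cookie` now declared `g_autoptr(qemuDomainSaveCookie)`; that works because the out-parameter is written before any return, but the pointer-to-pointer cast is what silences the type mismatch, so a comment stating that the callee hands back a `qemuDomainSaveCookie` object would help. Note also the `index 3c1fb11b10..99829ad229` line: blob `99829ad229` is the base of the `lp-1868539-qemu-Stop-domain-on-failed-restore.patch` hunk in item 14, so this patch has to precede it in the series.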
  19. Download patch debian/patches/stable/lp-1868539-tests-fix-double-unlock-of-monitor-in-hotplug-test.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-tests-fix-double-unlock-of-monitor-in-hotplug-test.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-tests-fix-double-unlock-of-monitor-in-hotplug-test.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,64 @@ +From 46e16b553dc82235cf8b412dc703d5fc7c1e4c09 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Thu, 12 Mar 2020 18:33:51 +0000 +Subject: [PATCH] tests: fix double unlock of monitor in hotplug test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The qemuMonitorTestNew() function returns with the monitor object +locked, and expects it to still be locked when qemuMonitorTestFree +is called. The qemuhotplug test, however, explicitly unlocks the +monitor, but then forgets to lock it again. As a result the +qemuMonitorTestFree function is unlocking a mutex it doesn't own. + +This bug has existed forever, but since we use normal POSIX mutexes +and don't check the return value of pthread_mutex_lock/unlock we +didn't see the error. It was harmless until the switch to the per +monitor event loop which requires the thread synchronization to +work reliably, whereupon it started crashing. + +Reviewed-by: Peter Krempa <pkrempa@redhat.com> +Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=46e16b553d +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + tests/qemuhotplugtest.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tests/qemuhotplugtest.c b/tests/qemuhotplugtest.c +index 8b411d63f0..d9244dca44 100644 +--- a/tests/qemuhotplugtest.c ++++ b/tests/qemuhotplugtest.c +@@ -337,6 +337,8 @@ testQemuHotplug(const void *data) + ret = testQemuHotplugUpdate(vm, dev); + } + ++ virObjectLock(priv->mon); ++ + cleanup: + VIR_FREE(domain_filename); + VIR_FREE(device_filename); +@@ -378,6 +380,7 @@ static void + testQemuHotplugCpuDataFree(struct testQemuHotplugCpuData *data) + { + qemuDomainObjPrivatePtr priv; ++ qemuMonitorPtr mon; + + if (!data) + return; +@@ -396,6 +399,8 @@ testQemuHotplugCpuDataFree(struct testQemuHotplugCpuData *data) + virObjectUnref(data->vm); + } + ++ mon = qemuMonitorTestGetMonitor(data->mon); ++ virObjectLock(mon); + qemuMonitorTestFree(data->mon); + VIR_FREE(data); + } +-- +2.25.1 +
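Review bot: `virObjectLock(priv->mon);` is added only on the fall-through path immediately before `cleanup:` in `testQemuHotplug()`, so any `goto cleanup` taken between the earlier explicit unlock and this point would still reach `qemuMonitorTestFree()` without owning the mutex; those paths are outside the shown context, so please confirm there are none, or move the re-lock under the `cleanup:` label guarded by whether the unlock already happened. The `testQemuHotplugCpuDataFree()` hunk is fine as it locks unconditionally right before the free.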
  20. Download patch debian/rules

    --- 6.0.0-1/debian/rules 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/rules 2020-06-22 19:30:50.000000000 +0000 @@ -27,29 +27,35 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS) WITH_STORAGE_LVM = --with-storage-lvm WITH_STORAGE_ISCSI = --with-storage-iscsi WITH_STORAGE_DISK = --with-storage-disk - WITH_STORAGE_RBD = --with-storage-rbd - WITH_STORAGE_ZFS = --with-storage-zfs + ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 armhf i386 ppc64el s390x)) + WITH_STORAGE_RBD = --with-storage-rbd + WITH_STORAGE_ZFS = --with-storage-zfs + else + WITH_STORAGE_RBD = --without-storage-rbd + WITH_STORAGE_ZFS = --without-storage-zfs + endif WITH_STORAGE_GLUSTER = --with-storage-gluster WITH_UDEV = --with-udev WITH_CAPNG = --with-capng WITH_MACVTAP = --with-macvtap WITH_NETWORK = --with-network WITH_OPENVZ = --with-openvz - WITH_NETCF = --with-netcf + WITH_NETCF = --without-netcf WITH_SANLOCK = --with-sanlock WITH_INIT_SCRIPT = --with-init-script=systemd WITH_SYSTEMD = --with-systemd-daemon - WITH_FIREWALLD = --with-firewalld + WITH_FIREWALLD = --without-firewalld + WITH_ATTR = --with-attr WITH_AUDIT = --with-audit WITH_SELINUX = --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux WITH_APPARMOR = --with-apparmor --with-secdriver-apparmor --with-apparmor-profiles WITH_NSS_PLUGIN = --with-nss-plugin - ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390)) + ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc ppc64el s390 s390x)) WITH_DTRACE = --with-dtrace else WITH_DTRACE = --without-dtrace endif - ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 i386 ia64 mips mipsel powerpc ppc64el)) + ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 arm64 i386 ia64 mips mipsel powerpc ppc64el s390x)) WITH_NUMA = --with-numactl --with-numad else WITH_NUMA = --without-numactl --without-numad 
@@ -77,6 +83,7 @@ else WITH_INIT_SCRIPT = --with-init-script=none WITH_SYSTEMD = --without-systemd-daemon WITH_FIREWALLD = --without-firewalld + WITH_ATTR = --without-attr WITH_AUDIT = --without-audit WITH_SELINUX = --without-selinux WITH_APPARMOR = --without-apparmor @@ -96,11 +103,11 @@ DEB_CONFIGURE_EXTRA_ARGS := \ --disable-rpath \ --with-qemu \ --with-qemu-user=libvirt-qemu \ - --with-qemu-group=libvirt-qemu \ + --with-qemu-group=kvm \ $(WITH_OPENVZ) \ --with-sasl \ --with-yajl \ - --with-ssh2 \ + --without-ssh2 \ --with-polkit \ $(WITH_UDEV) \ --with-storage-fs \ @@ -129,7 +136,7 @@ DEB_CONFIGURE_EXTRA_ARGS := \ $(WITH_AUDIT) \ --without-hal \ $(WITH_FIREWALLD) \ - --without-attr \ + $(WITH_ATTR) \ $(WITH_NSS_PLUGIN) \ --with-wireshark-dissector \ $(NULL) @@ -174,6 +181,17 @@ override_dh_auto_test: fi override_dh_install-arch: + mkdir -p debian/tmp/usr/share/apport/package-hooks + cp -f debian/libvirt-daemon.apport \ + debian/tmp/usr/share/apport/package-hooks/source_libvirt.py + # copy dnsmasq configuration + mkdir -p debian/tmp/etc/dnsmasq.d-available + cp debian/libvirt-daemon.dnsmasq \ + debian/tmp/etc/dnsmasq.d-available/libvirt-daemon + # Add profile script to automatically set default URI + mkdir -p debian/tmp/etc/profile.d + cp -f debian/libvirt-uri.sh debian/tmp/etc/profile.d/ + dh_install # Copy upstream files to debian/ so dh_* can find them @@ -242,7 +260,7 @@ override_dh_installinit: override_dh_installsystemd: dh_installsystemd -p libvirt-daemon-system --restart-after-upgrade libvirtd.service - dh_installsystemd -p libvirt-daemon-system --no-stop-on-upgrade $(LIBVIRT_SYSTEM_SERVICES) + dh_installsystemd -p libvirt-daemon-system --no-stop-on-upgrade --no-restart-after-upgrade $(LIBVIRT_SYSTEM_SERVICES) override_dh_installdocs: dh_installdocs -plibvirt-doc --doc-main-package libvirt-doc
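Review bot: the first hunk extends the `$(findstring $(DEB_HOST_ARCH), amd64 arm64 armhf i386 ppc64el s390x)` pattern for the rbd/zfs, dtrace and numa switches; `findstring` does substring matching, so an architecture name that is a prefix of a listed one (the dtrace list now contains both `s390` and `s390x`) matches by accident. `$(filter $(DEB_HOST_ARCH),...)` matches whole words and is the idiom that avoids this, even though the rest of the file already uses `findstring`.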
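Review bot: in the `override_dh_install-arch` hunk the apport and profile.d copies use `cp -f` while the dnsmasq copy uses plain `cp`; make them consistent. The `--with-qemu-group=kvm` change in the configure hunk alters the default group under which guest qemu processes run, which affects which host files a guest process may read or write, so it should be called out in the changelog alongside the `--without-ssh2`, `--without-netcf` and `--without-firewalld` flips.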
  21. Download patch debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,33 @@ +From 8db2fc32dd0edc1b6a8b7841201e50971234cedf Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Thu, 11 May 2017 16:45:40 +0200 +Subject: [PATCH 21/33] apparmor, virt-aa-helper: Add openvswitch support + +Add permission to read under /var/run. This is required for +some openvswitch info. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1513367 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +index 9cd6e68..396890c 100644 +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -38,6 +38,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + /usr/{lib,lib64}/libvirt/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + ++ # for openvswitch ++ /{,var/}run/** rw, ++ + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + +-- +2.7.4 +
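Review bot: `/{,var/}run/** rw,` grants read and write on every file under /run, while the commit message only claims read access is needed for openvswitch; a blanket `rw` over the whole runtime directory (pid files and sockets of unrelated services included) is far broader than the stated need. Narrow it to the openvswitch subtree, for example `/{,var/}run/openvswitch/** r,`, and add `w` only on the specific paths virt-aa-helper actually writes.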
  22. Download patch debian/patches/ubuntu/lp-1853200-cpu_map-Add-more-noTSX-x86-CPU-models.patch
  23. Download patch debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch

    --- 6.0.0-1/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 2020-08-05 13:08:04.000000000 +0000 
@@ -0,0 +1,74 @@ +From: Guido Guenther <agx@sigxcpu.org> +Date: Thu, 26 Jun 2008 20:01:38 +0200 +Subject: Allow libvirt group to access the socket +Forwarded: no +Updated: 2020-08-05 + +This is the group based access to libvirt functions as it was used +in Ubuntu for quite long. + +Debian uses root + policykit for the same. But since Ubuntu did it +the group based way for so long people are used to that, so we keep it. + +There are some related tests (if augeas is enabled as build depend) that need +to be adapted in their expected output, that is done in: + d/p/ubuntu/daemon-augeas-fix-expected.patch + + +--- a/src/remote/libvirtd.conf.in ++++ b/src/remote/libvirtd.conf.in +@@ -81,6 +81,7 @@ + # + # This is restricted to 'root' by default. + #unix_sock_group = "libvirt" ++unix_sock_group = "libvirt" + + # Set the UNIX socket permissions for the R/O socket. This is used + # for monitoring VM status only +@@ -91,6 +92,7 @@ + # Default allows any user. If setting group ownership, you may want to + # restrict this too. + #unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0777" + + # Set the UNIX socket permissions for the R/W socket. This is used + # for full management of VMs +@@ -103,7 +105,7 @@ + # + # If not using PolicyKit and setting group ownership for access + # control, then you may want to relax this too. +-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" + + # Set the UNIX socket permissions for the admin interface socket. + # +@@ -149,7 +151,7 @@ + # + # To restrict monitoring of domains you may wish to enable + # an authentication mechanism here +-#auth_unix_ro = "none" ++auth_unix_ro = "none" + + # Set an authentication scheme for UNIX read-write sockets + # By default socket permissions only allow root. 
If PolicyKit +@@ -159,6 +161,7 @@ + # If the unix_sock_rw_perms are changed you may wish to enable + # an authentication mechanism here + #auth_unix_rw = "none" ++auth_unix_rw = "none" + @CUT_ENABLE_IP@ + + # Change the authentication scheme for TCP sockets. +--- a/src/remote/libvirtd.socket.in ++++ b/src/remote/libvirtd.socket.in +@@ -8,7 +8,9 @@ Before=@service@.service + # when using systemd version < 227 + ListenStream=@runstatedir@/libvirt/@sockprefix@-sock + Service=@service@.service +-SocketMode=0666 ++SocketMode=0660 ++SocketUser=root ++SocketGroup=libvirt + + [Install] + WantedBy=sockets.target
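Review bot: the `libvirtd.conf.in` hunks set `auth_unix_rw = "none"` and `unix_sock_rw_perms = "0770"` with `unix_sock_group = "libvirt"`, so group membership is the only access control on the read-write socket; that is the stated Ubuntu design, but `unix_sock_ro_perms = "0777"` together with `auth_unix_ro = "none"` deliberately leaves read-only monitoring open to every local user, which the patch header should say explicitly since it differs from Debian's root + policykit setup described in the same header.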
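Review bot: the `libvirtd.socket.in` hunk (`SocketMode=0666` to `0660`, plus `SocketUser=root` and `SocketGroup=libvirt`) is the part that closes CVE-2020-15708: with `auth_unix_rw = "none"` from the conf hunks, a systemd-created socket at mode 0666 bypassed the group restriction configured in `libvirtd.conf` and gave any local user full management access. The diff touches only the read-write socket unit; if this tree ships separate `.socket.in` units for the read-only and admin sockets, they should be checked for the same mismatch between the unit's `SocketMode` and the permissions in the conf file.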
  24. Download patch debian/patches/stable/lp-1868539-qemuDomainGetStatsIOThread-Don-t-leak-array-with-0-i.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemuDomainGetStatsIOThread-Don-t-leak-array-with-0-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemuDomainGetStatsIOThread-Don-t-leak-array-with-0-i.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,49 @@ +From 9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581 Mon Sep 17 00:00:00 2001 +From: Peter Krempa <pkrempa@redhat.com> +Date: Wed, 19 Feb 2020 08:40:59 +0100 +Subject: [PATCH] qemuDomainGetStatsIOThread: Don't leak array with 0 iothreads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +qemuMonitorGetIOThreads returns a NULL-terminated list even when 0 +iothreads are present. The caller didn't perform cleanup if there were 0 +iothreads leaking the array. + +https://bugzilla.redhat.com/show_bug.cgi?id=1804548 + +Fixes: d1eac92784573559b6fd56836e33b215c89308e3 +Reported-by: Jing Yan <jiyan@redhat.com> +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6a +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index f686b858cf..39e1f044e0 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -21759,8 +21759,12 @@ qemuDomainGetStatsIOThread(virQEMUDriverPtr driver, + if ((niothreads = qemuDomainGetIOThreadsMon(driver, dom, &iothreads)) < 0) + return -1; + +- if (niothreads == 0) +- return 0; ++ /* qemuDomainGetIOThreadsMon returns a NULL-terminated list, so we must free ++ * it even if it returns 0 */ ++ if (niothreads == 0) { ++ ret = 0; ++ goto cleanup; ++ } + + if (virTypedParamListAddUInt(params, niothreads, "iothread.count") < 0) + goto cleanup; +-- +2.25.1 +
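Review bot: the new `ret = 0; goto cleanup;` path relies on the `cleanup:` label freeing the `iothreads` array, which lies outside the shown context; worth confirming that label frees both the elements and the array rather than only the array. The inline comment names `qemuDomainGetIOThreadsMon` whereas the commit message says `qemuMonitorGetIOThreads`; both are presumably in the call chain, but the comment should name the function whose return contract it documents.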
  25. Download patch debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,34 @@ +From 0e7ed68253072d77b2997b316d37403a275c3d2f Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Fri, 19 May 2017 09:48:52 +0200 +Subject: [PATCH 29/33] appmor, libvirt-qemu: Add 9p support + +Add fowner and fsetid to libvirt-qemu profile. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Note: While upstreaming Serge and Guido were not very happy +with granting those permissions unconditionally. Instead they +thought it would be better to do this in virt-aa-helper only +if 9p filesystem is in use. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -13,6 +13,10 @@ + capability setgid, + capability setuid, + ++ # for 9p ++ capability fsetid, ++ capability fowner, ++ + network inet stream, + network inet6 stream, +
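Review bot: `capability fsetid,` and `capability fowner,` are granted to every guest's qemu process unconditionally, whether or not a 9p filesystem is configured; the patch header itself records that upstream reviewers preferred having virt-aa-helper emit these only when a 9p share is present. Keeping the two capabilities out of the base `libvirt-qemu` profile and generating them per domain would leave the attack surface of guests without 9p unchanged; as it stands the hunk widens the profile for all guests and should be documented as a known deviation from upstream.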
  26. Download patch debian/patches/ubuntu/lp-1861125-ubuntu-models.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Ubuntu Models for LP: 1861125 + We got the issue fixed through + https://bugzilla.redhat.com/show_bug.cgi?id=1795651 but it is type based + so at least for the support time of Xenial we need to carry a delty adding + the named Ubuntu types to the workaround. +Forwarded: no (Ubuntu specific) +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1861125 +Bug-Upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1795651 +Last-Update: 2020-02-12 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2157,6 +2157,8 @@ const char *s390HostPassthroughOnlyMachi + "s390-ccw-virtio-2.5", + "s390-ccw-virtio-2.6", + "s390-ccw-virtio-2.7", ++ "s390-ccw-virtio-xenial", ++ "s390-ccw-virtio-yakkety", + NULL + }; +
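Review bot: typo in the Description block of the new patch header: "delty" should read "delta". Also, since the array in the qemu_capabilities.c hunk is matched by exact machine-type name and the header says the workaround must hold for the Xenial support window, please state in the header which Ubuntu-named s390 machine types the affected QEMU builds actually ship, so a reader can tell whether "s390-ccw-virtio-xenial" and "s390-ccw-virtio-yakkety" are the complete set rather than the first two that were noticed.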
  27. Download patch debian/tests/smoke-lxc

    --- 6.0.0-1/debian/tests/smoke-lxc 2018-03-18 09:53:51.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/tests/smoke-lxc 2020-06-22 19:30:50.000000000 +0000 @@ -37,9 +37,9 @@ virsh start ${DOMAIN} grep -qs "starting up" /var/log/libvirt/lxc/sl.log check_domain # Make sure a restart doesn't termiante the domain -/etc/init.d/libvirtd restart +systemctl restart libvirtd check_domain -virsh destroy ${DOMAIN} +virsh destroy ${DOMAIN} || true virsh undefine ${DOMAIN} CLEANED_UP=1 set +x
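Review bot: "virsh destroy ${DOMAIN} || true" in the smoke-lxc hunk turns any destroy failure into success, which also hides the very case this test exists to catch, the domain no longer running after "systemctl restart libvirtd". check_domain runs immediately before it, so the domain is expected to be alive and a failing destroy at that point is a real regression, not noise. If the intent is only to tolerate an already-stopped domain during cleanup, check the domain state with virsh domstate first and skip destroy only when it reports shut off, keeping every other error fatal; otherwise drop the "|| true".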
  28. Download patch debian/patches/ubuntu/lp-1853200-cputest-Add-data-for-Intel-R-Core-TM-i7-8550U-CPU-wi.patch
  29. Download patch debian/patches/stable/lp-1868539-security-Try-harder-to-run-transactions.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-security-Try-harder-to-run-transactions.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-security-Try-harder-to-run-transactions.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,97 @@ +From ea903036fa8d2333edb74b617416416dd75be533 Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Wed, 18 Mar 2020 10:18:46 +0100 +Subject: [PATCH] security: Try harder to run transactions + +When a QEMU process dies in the middle of a hotplug, then we fail +to restore the seclabels on the device. The problem is that if +the thread doing hotplug locks the domain object first and thus +blocks the thread that wants to do qemuProcessStop(), the +seclabel cleanup code will see vm->pid still set and mount +namespace used and therefore try to enter the namespace +represented by the PID. But the PID is gone really and thus +entering will fail and no restore is done. What we can do is to +try enter the namespace (if requested to do so) but if entering +fails, fall back to no NS mode. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1814481 + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Pavel Mores <pmores@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=ea903036fa +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/security/security_dac.c | 16 ++++++++++++---- + src/security/security_selinux.c | 16 ++++++++++++---- + 2 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/src/security/security_dac.c b/src/security/security_dac.c +index 9046b51004..11fff63bc7 100644 +--- a/src/security/security_dac.c ++++ b/src/security/security_dac.c +@@ -640,15 +640,23 @@ virSecurityDACTransactionCommit(virSecurityManagerPtr mgr G_GNUC_UNUSED, + + list->lock = lock; + ++ if (pid != -1) { ++ rc = virProcessRunInMountNamespace(pid, ++ virSecurityDACTransactionRun, ++ list); ++ if (rc < 0) { ++ if (virGetLastErrorCode() == VIR_ERR_SYSTEM_ERROR) ++ pid = -1; ++ else ++ goto cleanup; ++ } ++ } ++ + if (pid == -1) { + if (lock) + rc = virProcessRunInFork(virSecurityDACTransactionRun, list); + else + rc = virSecurityDACTransactionRun(pid, 
list); +- } else { +- rc = virProcessRunInMountNamespace(pid, +- virSecurityDACTransactionRun, +- list); + } + + if (rc < 0) +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index c94f31727c..8aeb6e45a5 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -1163,15 +1163,23 @@ virSecuritySELinuxTransactionCommit(virSecurityManagerPtr mgr G_GNUC_UNUSED, + + list->lock = lock; + ++ if (pid != -1) { ++ rc = virProcessRunInMountNamespace(pid, ++ virSecuritySELinuxTransactionRun, ++ list); ++ if (rc < 0) { ++ if (virGetLastErrorCode() == VIR_ERR_SYSTEM_ERROR) ++ pid = -1; ++ else ++ goto cleanup; ++ } ++ } ++ + if (pid == -1) { + if (lock) + rc = virProcessRunInFork(virSecuritySELinuxTransactionRun, list); + else + rc = virSecuritySELinuxTransactionRun(pid, list); +- } else { +- rc = virProcessRunInMountNamespace(pid, +- virSecuritySELinuxTransactionRun, +- list); + } + + if (rc < 0) +-- +2.25.1 +
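Review bot: in both the security_dac.c and security_selinux.c hunks the fallback to pid = -1 fires on any VIR_ERR_SYSTEM_ERROR from virProcessRunInMountNamespace, not only on the "process already gone" case the commit message targets, and the original error is discarded without so much as a log line. A namespace-entry failure for some other reason (a permission problem, for instance) would then silently apply the whole label transaction in the host mount namespace, where the same paths can resolve to different files than inside the guest's private namespace. Please narrow the condition (checking the underlying errno for ESRCH/ENOENT would do) and emit at least a VIR_DEBUG or VIR_WARN when falling back so the case is diagnosable; the two hunks are also line-for-line identical and would be better as one shared helper.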
  30. Download patch debian/patches/stable/lp-1868539-qemuTestParseCapabilitiesArch-Free-binary.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemuTestParseCapabilitiesArch-Free-binary.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemuTestParseCapabilitiesArch-Free-binary.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,52 @@ +From 6d371d92f8863b2192c682dd9b6cff5283e13880 Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Fri, 21 Feb 2020 08:28:13 +0100 +Subject: [PATCH] qemuTestParseCapabilitiesArch: Free @binary +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The variable is allocated, but never freed. + +==119642== 29 bytes in 1 blocks are definitely lost in loss record 409 of 671 +==119642== at 0x483579F: malloc (vg_replace_malloc.c:309) +==119642== by 0x5AB075F: __vasprintf_internal (in /lib64/libc-2.29.so) +==119642== by 0x57C1A28: g_vasprintf (in /usr/lib64/libglib-2.0.so.0.6000.7) +==119642== by 0x579A0CC: g_strdup_vprintf (in /usr/lib64/libglib-2.0.so.0.6000.7) +==119642== by 0x4AE6D58: vir_g_strdup_printf (glibcompat.c:197) +==119642== by 0x136EEE: qemuTestParseCapabilitiesArch (testutilsqemu.c:291) +==119642== by 0x138506: testQemuInfoSetArgs (testutilsqemu.c:763) +==119642== by 0x135FFF: mymain (qemuxml2argvtest.c:3093) +==119642== by 0x13A60E: virTestMain (testutils.c:839) +==119642== by 0x1368C2: main (qemuxml2argvtest.c:3121) + +Fixes: 42b3e5b9e4b919644afe55a815992c07fb79b9dc +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=6d371d92f8 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + tests/testutilsqemu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c +index 0cb9a7456d..4dd5664f7b 100644 +--- a/tests/testutilsqemu.c ++++ b/tests/testutilsqemu.c +@@ -288,8 +288,8 @@ qemuTestParseCapabilitiesArch(virArch arch, + const char *capsFile) + { + virQEMUCapsPtr qemuCaps = NULL; +- char *binary = g_strdup_printf("/usr/bin/qemu-system-%s", +- virArchToString(arch)); ++ g_autofree char *binary = g_strdup_printf("/usr/bin/qemu-system-%s", ++ virArchToString(arch)); + 
+ if (!(qemuCaps = virQEMUCapsNewBinary(binary)) || + virQEMUCapsLoadCache(arch, qemuCaps, capsFile) < 0) +-- +2.25.1 +
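Review bot: "g_autofree char *binary" in the tests/testutilsqemu.c hunk frees the string when the function returns, so this is only correct if virQEMUCapsNewBinary copies its argument rather than storing the pointer in the returned qemuCaps object. The hunk does not show that, so please confirm it (a sentence in the commit message would do) before relying on the valgrind output alone.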
  31. Download patch debian/libvirt-uri.sh

    --- 6.0.0-1/debian/libvirt-uri.sh 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-uri.sh 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,27 @@ +#!/bin/sh +# libvirt-uri.sh - Automatically switch default libvirt URI for user +# Copyright (C) 2015 Canonical Ltd. +# +# Authors: Stefan Bader <stefan.bader@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 3 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +LIBVIRT_DEFAULT_URI="qemu:///system" +if [ -f /proc/xen/capabilities ]; then + if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then + LIBVIRT_DEFAULT_URI="xen:///" + fi +fi + +export LIBVIRT_DEFAULT_URI +
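Review bot: debian/libvirt-uri.sh sets LIBVIRT_DEFAULT_URI unconditionally, so a user who has already exported a different URI in their own environment (qemu:///session, or a remote qemu+ssh:// host) has it overwritten by whichever shell startup file sources this script. Set it only when unset, e.g. ": "${LIBVIRT_DEFAULT_URI:=qemu:///system}"", and apply the same guard to the xen:/// branch so the control_d detection is also only a default. Minor: "$(cat /proc/xen/capabilities)" forks on every shell startup; "read cap < /proc/xen/capabilities" avoids that.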
  32. Download patch debian/control

    --- 6.0.0-1/debian/control 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/control 2020-06-22 19:30:50.000000000 +0000 @@ -1,7 +1,8 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org> Uploaders: Guido Günther <agx@sigxcpu.org>, Laurent Léonard <laurent@open-minds.org> Build-Depends: bash-completion, @@ -22,6 +23,7 @@ Build-Depends: libdevmapper-dev [linux-any], uuid-dev, libudev-dev [linux-any], + libattr1-dev [linux-any], libpciaccess-dev, kmod [linux-any], policykit-1 (>= 0.105-4~), @@ -32,25 +34,25 @@ Build-Depends: libnl-route-3-dev [linux-any], libyajl-dev, libpcap0.8-dev, - libnuma-dev [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el], - numad [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el], + libnuma-dev [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el s390x], + numad [amd64 arm64 i386 ia64 mips mipsel powerpc ppc64 ppc64el s390x], radvd [linux-any], - libnetcf-dev (>= 1:0.2.3-3~) [linux-any], libsanlock-dev [linux-any], libaudit-dev [linux-any], libselinux1-dev (>= 2.0.82) [linux-any], libapparmor-dev [linux-any], libdbus-1-dev [linux-any], nfs-common, - systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390], + systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc ppc64el s390 s390x], python3, python3-docutils, xsltproc, zfsutils [kfreebsd-amd64 kfreebsd-i386], + libzfslinux-dev [amd64 arm64 armhf i386 ppc64el s390x], po-debconf, # for --with-storage-rados - librbd-dev [linux-any], - librados-dev [linux-any], + librbd-dev [amd64 arm64 armhf i386 ppc64el s390x], + librados-dev [amd64 arm64 armhf i386 ppc64el s390x], # for --with-storage-gluster libglusterfs-dev, # for --with-wireshark-dissector 
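Review bot: the first debian/control hunk drops "libnetcf-dev (>= 1:0.2.3-3~) [linux-any]" from Build-Depends without any comment, which silently removes the netcf-based interface driver from the resulting build; every other optional backend in this file carries a "# for --with-..." comment, so please add a one-line note saying why netcf is no longer built and make sure d/rules passes the matching configure switch explicitly rather than relying on autodetection. The s390x additions to the libnuma-dev/numad and systemtap-sdt-dev architecture lists and the new libattr1-dev build-dependency look fine.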
@@ -59,7 +61,7 @@ Build-Depends: # for lxc fuse support libfuse-dev [linux-any], # for libssh2 connection URIs - libssh2-1-dev, +# libssh2-1-dev, # for qemu-bridge-helper qemu-system-common, # For "make check" @@ -71,8 +73,10 @@ Build-Depends: iptables (>= 1.8.1) [linux-any], qemu-utils, Build-Conflicts: dpkg-dev (= 1.15.3) -Vcs-Git: https://salsa.debian.org/libvirt-team/libvirt.git -Vcs-Browser: https://salsa.debian.org/libvirt-team/libvirt +XS-Debian-Vcs-Git: https://salsa.debian.org/libvirt-team/libvirt.git +XS-Debian-Vcs-Browser: https://salsa.debian.org/libvirt-team/libvirt +Vcs-Git: https://git.launchpad.net/ubuntu/+source/libvirt +Vcs-Browser: https://code.launchpad.net/ubuntu/+source/libvirt Homepage: https://libvirt.org/ Standards-Version: 4.1.1 @@ -107,12 +111,12 @@ Recommends: qemu-kvm | qemu (>= 0.9.1), libxml2-utils, netcat-openbsd, + libvirt-daemon-driver-storage-rbd, +Suggests: libvirt-daemon-driver-lxc, libvirt-daemon-driver-vbox, libvirt-daemon-driver-xen, -Suggests: libvirt-daemon-driver-storage-gluster, - libvirt-daemon-driver-storage-rbd, libvirt-daemon-driver-storage-zfs, libvirt-daemon-system, numad, @@ -210,7 +214,7 @@ Description: Virtualization daemon glust This package contains the libvirtd storage driver for GlusterFS. Package: libvirt-daemon-driver-storage-rbd -Architecture: linux-any +Architecture: amd64 arm64 armhf i386 ppc64el s390x Depends: ${misc:Depends}, ${shlibs:Depends}, @@ -227,7 +231,7 @@ Description: Virtualization daemon RBD s This package contains the libvirtd storage driver for RBD/Rados/Ceph. Package: libvirt-daemon-driver-storage-zfs -Architecture: linux-any +Architecture: amd64 arm64 armhf i386 ppc64el s390x Depends: ${misc:Depends}, ${shlibs:Depends},
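Review bot: two points in the remainder of the debian/control hunk. "# libssh2-1-dev," comments the build-dependency out while the preceding "# for libssh2 connection URIs" comment is kept, so the file now documents a feature it no longer builds; either remove both lines or replace the comment with the reason libssh2 is disabled. Second, libvirt-daemon-driver-storage-rbd moves from Suggests into Recommends while the same hunk restricts that package to "amd64 arm64 armhf i386 ppc64el s390x"; on any other architecture the Recommends is unsatisfiable and apt will warn on every install, so make the recommendation conditional on the architectures where the package exists or leave it in Suggests.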
  33. Download patch debian/patches/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,76 @@ +From 800aed46447edb57b16dd84c5347116c5912a3aa Mon Sep 17 00:00:00 2001 +From: Arnaud Patard <apatard@hupstream.com> +Date: Thu, 5 Dec 2019 18:11:41 +0100 +Subject: [PATCH] virt-aa-helper: Add support for smartcard host-certificates + +When emulating smartcard with host certificates, qemu needs to +be able to read the certificates files. Add necessary code to +add the smartcard certificates file path to the apparmor profile. + +Passthrough support has been tested with spicevmc and remote-viewer. + +v2: +- Fix CodingStyle +- Add support for 'host' case. +- Add a comment to mention that the passthrough case doesn't need + some configuration +- Use one rule with '{,*}' instead of two rules. + +Signed-off-by: Arnaud Patard <apatard@hupstream.com> +Reviewed-by: Cole Robinson <crobinso@redhat.com> +Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=800aed46447edb57b16dd84c5347116c5912a3aa +Last-Update: 2020-02-12 + +--- + src/security/virt-aa-helper.c | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index 3ce58c8a6c..6f36652c7c 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -1265,6 +1265,39 @@ get_files(vahControl * ctl) + } + } + ++ for (i = 0; i < ctl->def->nsmartcards; i++) { ++ virDomainSmartcardDefPtr sc = ctl->def->smartcards[i]; ++ virDomainSmartcardType sc_type = sc->type; ++ char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; ++ if (sc->data.cert.database) ++ sc_db = sc->data.cert.database; ++ switch (sc_type) { ++ /* ++ * Note: At time of writing, to get this working, qemu seccomp sandbox has ++ * to be disabled or the host must be running QEMU with commit ++ * 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8. 
++ * It's possibly due to libcacard:vcard_emul_new_event_thread(), which calls ++ * PR_CreateThread(), which calls {g,s}etpriority(). And resourcecontrol seccomp ++ * filter forbids it (cf src/qemu/qemu_command.c which seems to always use ++ * resourcecontrol=deny). ++ */ ++ case VIR_DOMAIN_SMARTCARD_TYPE_HOST: ++ virBufferAddLit(&buf, " \"/etc/pki/nssdb/{,*}\" rk,\n"); ++ break; ++ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES: ++ virBufferAsprintf(&buf, " \"%s/{,*}\" rk,\n", sc_db); ++ break; ++ /* ++ * Nothing to do for passthrough, as the smartcard ++ * access is done through TCP or Spice ++ */ ++ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: ++ break; ++ case VIR_DOMAIN_SMARTCARD_TYPE_LAST: ++ break; ++ } ++ } ++ + if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { + for (i = 0; i < ctl->def->nnets; i++) { + virDomainNetDefPtr net = ctl->def->nets[i]; +-- +2.25.0 +
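Review bot: in the virt-aa-helper hunk sc_db comes straight from the domain definition (sc->data.cert.database) and is written into the profile with virBufferAsprintf(&buf, " \"%s/{,*}\" rk,\n", sc_db) without the path validation the helper applies to other guest-supplied paths through vah_add_file(); a database path containing a double quote, a newline or AppArmor glob characters would change the meaning of the generated rule instead of just naming a directory. Please run it through the same validation before emitting it, and reject anything that fails. Minor: "char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;" casts away const for no reason; declare it "const char *sc_db".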
  34. Download patch debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,47 @@ +From 8f61fd6bf2dc7e1107e010fdc14bab9ecfde43af Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Wed, 8 Apr 2020 16:47:58 +0200 +Subject: [PATCH] apparmor: avoid denials on libpmem initialization + +With libpmem support compiled into qemu it will trigger the following +denials on every startup. + apparmor="DENIED" operation="open" name="/" + apparmor="DENIED" operation="open" name="/sys/bus/nd/devices/" + +This is due to [1] that tries to auto-detect if the platform supports +auto flush for all region. + +Once we know all the paths that are potentially needed if this feature +is really used we can add them conditionally in virt-aa-helper and labelling +calls in case </pmem> is enabled. + +But until then the change here silences the denial warnings seen above. + +[1]: https://github.com/pmem/pmdk/blob/master/src/libpmem2/auto_flush_linux.c#L131 + +Bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354 + +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Acked-by: Jamie Strandboge <jamie@canonical.com> + +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=8f61fd6b +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1871354 +Last-Update: 2020-04-15 + +--- + src/security/apparmor/libvirt-qemu | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -259,5 +259,10 @@ + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, + ++ # required by libpmem init to fts_open()/fts_read() the symlinks in ++ # /sys/bus/nd/devices ++ / r, # harmless on any lsb compliant system ++ /sys/bus/nd/devices/{,**/} r, ++ + # Site-specific additions and overrides. See local/README for details. + #include <local/abstractions/libvirt-qemu>
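Review bot: the libvirt-qemu hunk adds "/ r," and "/sys/bus/nd/devices/{,**/} r," to the static profile shared by every QEMU guest, and the commit message already says the right place for them is virt-aa-helper, conditional on pmem being in use. Read access on "/" and on the /sys/bus/nd/devices/ directory tree is listing only, so the exposure is small, but please either keep the header clearly marked as interim with a pointer to the follow-up work, or emit the rules from the virt-aa-helper code path only when the domain has a pmem-backed memory device so non-pmem guests do not gain them.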
  35. Download patch debian/patches/stable/lp-1868539-bhyve-command-remove-unused-includes.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-bhyve-command-remove-unused-includes.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-bhyve-command-remove-unused-includes.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,41 @@ +From 6801ad16241ef8c45a57e00e0ff70e60c7c63044 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Sun, 23 Feb 2020 14:33:30 +0100 +Subject: [PATCH] bhyve: command: remove unused includes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These were needed for virBhyveTapGetRealDeviceName +but were not deleted after the function was moved +to src/util. + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: a1bd8d2546c3e469f6a5ce119fad7da1cd473db5 + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=6801ad1624 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/bhyve/bhyve_command.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c +index 2df7b60115..03bb99d496 100644 +--- a/src/bhyve/bhyve_command.c ++++ b/src/bhyve/bhyve_command.c +@@ -21,10 +21,6 @@ + + #include <config.h> + +-#include <sys/types.h> +-#include <net/if.h> +-#include <net/if_tap.h> +- + #include "bhyve_capabilities.h" + #include "bhyve_command.h" + #include "bhyve_domain.h" +-- +2.25.1 +
  36. Download patch debian/patches/ubuntu/lp-1867460-qemu-fixing-auto-detecting-binary-in-domain-capabili.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1867460-qemu-fixing-auto-detecting-binary-in-domain-capabili.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1867460-qemu-fixing-auto-detecting-binary-in-domain-capabili.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,115 @@ +From 6d786f95a366600e7bbae68c1b324a8131f5e2c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Fri, 17 Jan 2020 13:25:02 +0000 +Subject: [PATCH] qemu: fixing auto-detecting binary in domain capabilities +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virConnectGetDomainCapabilities API accepts either a binary path +to the emulator, or desired guest arch. If guest arch is not given, +then the host arch is assumed. + +In the case where the binary is not given, the code tried to find the +emulator binary in the existing list of cached emulator capabilities. +This is not valid since we switched to lazy population of the cache in: + + commit 3dd91af01f30c5bda6328454ef49f3afece755d6 + Author: Daniel P. Berrangé <berrange@redhat.com> + Date: Mon Dec 2 13:04:26 2019 +0000 + + qemu: stop creating capabilities at driver startup + +As a result of this change, if there are no persistent guests defined +using the requested guest architecture, virConnectGetDomainCapabilities +will fail to find an emulator binary. + +The solution is to stop relying on the cached capabilities to find the +binary and instead use the same logic we use to pick default a binary +per arch when populating capabilities. + +Tested-by: Boris Fiuczynski <fiuczy@linux.ibm.com> +Tested-by: Richard W.M. Jones <rjones@redhat.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> +Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=6d786f95a366600e7bbae68c1b324a8131f5e2c5 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867460 +Last-Update: 2020-03-20 + +--- + src/qemu/qemu_capabilities.c | 45 ++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 23 deletions(-) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index b0854deada..17b0134ab8 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -5284,10 +5284,13 @@ virQEMUCapsCacheLookupDefault(virFileCachePtr cache, + const char **retMachine) + { + int virttype = VIR_DOMAIN_VIRT_NONE; +- int arch = virArchFromHost(); ++ virArch hostarch = virArchFromHost(); ++ virArch arch = hostarch; + virDomainVirtType capsType; + virQEMUCapsPtr qemuCaps = NULL; + virQEMUCapsPtr ret = NULL; ++ virArch arch_from_caps; ++ g_autofree char *probedbinary = NULL; + + if (virttypeStr && + (virttype = virDomainVirtTypeFromString(virttypeStr)) < 0) { +@@ -5303,31 +5306,27 @@ virQEMUCapsCacheLookupDefault(virFileCachePtr cache, + goto cleanup; + } + +- if (binary) { +- virArch arch_from_caps; ++ if (!binary) { ++ probedbinary = virQEMUCapsGetDefaultEmulator(hostarch, arch); ++ binary = probedbinary; ++ } + +- if (!(qemuCaps = virQEMUCapsCacheLookup(cache, binary))) +- goto cleanup; ++ if (!(qemuCaps = virQEMUCapsCacheLookup(cache, binary))) ++ goto cleanup; + +- arch_from_caps = virQEMUCapsGetArch(qemuCaps); ++ arch_from_caps = virQEMUCapsGetArch(qemuCaps); + +- if (arch_from_caps != arch && +- !((ARCH_IS_X86(arch) && ARCH_IS_X86(arch_from_caps)) || +- (ARCH_IS_PPC(arch) && ARCH_IS_PPC(arch_from_caps)) || +- (ARCH_IS_ARM(arch) && ARCH_IS_ARM(arch_from_caps)) || +- (ARCH_IS_S390(arch) && ARCH_IS_S390(arch_from_caps)))) { +- virReportError(VIR_ERR_INVALID_ARG, +- _("architecture from emulator '%s' doesn't " +- "match given architecture '%s'"), +- virArchToString(arch_from_caps), +- 
virArchToString(arch)); +- goto cleanup; +- } +- } else { +- if (!(qemuCaps = virQEMUCapsCacheLookupByArch(cache, arch))) +- goto cleanup; +- +- binary = virQEMUCapsGetBinary(qemuCaps); ++ if (arch_from_caps != arch && ++ !((ARCH_IS_X86(arch) && ARCH_IS_X86(arch_from_caps)) || ++ (ARCH_IS_PPC(arch) && ARCH_IS_PPC(arch_from_caps)) || ++ (ARCH_IS_ARM(arch) && ARCH_IS_ARM(arch_from_caps)) || ++ (ARCH_IS_S390(arch) && ARCH_IS_S390(arch_from_caps)))) { ++ virReportError(VIR_ERR_INVALID_ARG, ++ _("architecture from emulator '%s' doesn't " ++ "match given architecture '%s'"), ++ virArchToString(arch_from_caps), ++ virArchToString(arch)); ++ goto cleanup; + } + + if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM)) +-- +2.25.1 +
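Review bot: in the qemu_capabilities.c hunk, when binary is NULL the new code assigns "binary = probedbinary" from virQEMUCapsGetDefaultEmulator(hostarch, arch) and passes it straight to virQEMUCapsCacheLookup without a NULL check; if no emulator is installed for the requested architecture the lookup receives a NULL path and the caller gets whatever error the cache layer happens to produce rather than a clear "no emulator found for architecture X". Add an explicit "if (!binary) { virReportError(VIR_ERR_INVALID_ARG, ...); goto cleanup; }" between the probe and the lookup.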
  37. Download patch debian/patches/stable/lp-1868539-qemu-preserve-error-on-bandwidth-rollback.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-preserve-error-on-bandwidth-rollback.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-preserve-error-on-bandwidth-rollback.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,59 @@ +From 457b0e74888f61b759e334d91479c258663835d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 7 Feb 2020 12:40:51 +0100 +Subject: [PATCH] qemu: preserve error on bandwidth rollback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We call APIs that reset the error in the rollback code. +Preserve the error from the original call that failed. + +This turns the boringly cryptic: + error: Unable to set interface parameters + error: An error occurred, but the cause is unknown +to the unexpectedly anarchist: + error: internal error: Child process (/usr/sbin/tc filter add + dev vnet1 parent ffff: protocol all u32 match u32 0 0 police + rate 4294968kbps burst 4294968kb mtu 64kb drop flowid :1) + unexpected exit status 1: Illegal "rate" + Illegal "police" + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: f02e21cb3379a41cd42f2d8116f2d10dabace83b +https://bugzilla.redhat.com/show_bug.cgi?id=1800505 +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=457b0e7488 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 9b244ec4f2..2813f084cd 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -11678,6 +11678,9 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom, + + if (virNetDevBandwidthSet(net->ifname, newBandwidth, false, + !virDomainNetTypeSharesHostView(net)) < 0) { ++ virErrorPtr orig_err; ++ ++ virErrorPreserveLast(&orig_err); + ignore_value(virNetDevBandwidthSet(net->ifname, + net->bandwidth, + false, +@@ -11686,6 +11689,7 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom, + ignore_value(virDomainNetBandwidthUpdate(net, + net->bandwidth)); + } ++ virErrorRestore(&orig_err); + goto endjob; + } 
+ +-- +2.25.1 +
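Review bot: in the qemu_driver.c hunks the preserve/restore pairing is right in intent, but with indentation lost in this rendering it is worth double-checking that virErrorRestore(&orig_err) is in the same block as the "virErrorPtr orig_err;" declaration; the "}" that precedes it in the second hunk has to close an inner if, not the "if (virNetDevBandwidthSet(...) < 0)" block that declares orig_err. A short comment above virErrorPreserveLast saying that the rollback calls reset the last error would also save the next reader the trip to the commit message.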
  38. Download patch debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,28 @@ +From 6beb6d41a87fae5499e12034233e5c8def1f56da Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Tue, 23 May 2017 17:18:39 +0200 +Subject: [PATCH 07/33] apparmor, libvirt-qemu: Allow owner read access to + @{PROC}/*/auxv + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu +index 7e99eb4..597d282 100644 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -30,6 +30,7 @@ + # only modify its comm value or those in its thread group. + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/sys/kernel/cap_last_cap r, ++ owner @{PROC}/*/auxv r, + @{PROC}/sys/vm/overcommit_memory r, + + # For hostdev access. The actual devices will be added dynamically +-- +2.7.4 +
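Review bot: the libvirt-qemu hunk adds "owner @{PROC}/*/auxv r," while the neighbouring rule uses "@{PROC}/@{pid}/...". With "*" the owner qualifier only restricts by uid, so a guest process can read the auxv of any other process running under the same user, which on a host where all guests run as the same libvirt-qemu uid means every other guest; auxv carries load addresses and the AT_RANDOM bytes, so that is information leakage between guests. Use "owner @{PROC}/@{pid}/auxv r," unless there is a documented need to read another process's auxv.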
  39. Download patch debian/libvirt-daemon.apport

    --- 6.0.0-1/debian/libvirt-daemon.apport 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon.apport 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,22 @@ +'''apport package hook for libvirt source package + +(c) 2009-2011 Canonical Ltd. +Author: +Jamie Strandboge <jamie@ubuntu.com> + +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_conffiles(report, 'libvirt-daemon-system') + attach_related_packages(report, ['apparmor', 'libapparmor1', + 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0']) + + # get apparmor stuff. + attach_mac_events(report, ['/usr/lib/libvirt/virt-aa-helper', + '/usr/sbin/libvirtd', + 'libvirt-.*']) +
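Review bot: style points on the new debian/libvirt-daemon.apport: "from os import path" and "import re" are unused, and "from apport.hookutils import *" pulls the whole module namespace in; import only attach_conffiles, attach_related_packages and attach_mac_events. Separately, attach_conffiles(report, 'libvirt-daemon-system') copies the package's modified conffiles under /etc/libvirt into a bug report that may end up public, so please confirm none of those files can carry credentials, or filter them, before the hook ships.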
  40. Download patch debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,77 @@ +From 55029d93150e33d70b02b6de2b899c05054c5d3a Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Tue, 26 May 2020 09:33:38 +0200 +Subject: [PATCH] security: don't fail if built without attr support + +If built without attr support removing any image will trigger + qemuBlockRemoveImageMetadata (the one that emits the warning) + -> qemuSecurityMoveImageMetadata + -> virSecurityManagerMoveImageMetadata + -> virSecurityDACMoveImageMetadata + -> virSecurityDACMoveImageMetadataHelper + -> virProcessRunInFork (spawns subprocess) + -> virSecurityMoveRememberedLabel + +In there due to !HAVE_LIBATTR virFileGetXAttrQuiet will return +ENOSYS and from there the chain will error out. + +That is wrong and looks like: + libvirtd[6320]: internal error: child reported (status=125): + libvirtd[6320]: Unable to remove disk metadata on vm testguest from + /var/lib/uvtool/libvirt/images/testguest.qcow (disk target vda) + +This change makes virSecurityDACMoveImageMetadataHelper and +virSecuritySELinuxMoveImageMetadataHelper accept that +error code gracefully and in that sense it is an extension of: +5214b2f1a3f "security: Don't skip label restore on file systems lacking XATTRs" +which does the same for other call chains into the virFile*XAttr functions. 
+ +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=55029d93150e33d70b02b6de2b899c05054c5d3a +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325 +Last-Update: 2020-05-27 + +--- + src/security/security_dac.c | 6 ++++++ + src/security/security_selinux.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/security/security_dac.c b/src/security/security_dac.c +index bdc2d7edf3..7b95a6f86d 100644 +--- a/src/security/security_dac.c ++++ b/src/security/security_dac.c +@@ -1117,6 +1117,12 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED, + + ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst); + virSecurityManagerMetadataUnlock(data->mgr, &state); ++ ++ if (ret == -2) { ++ /* Libvirt built without XATTRS */ ++ ret = 0; ++ } ++ + return ret; + } + +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index 9a929debe1..7bb7c2b7b1 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -1975,6 +1975,12 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED, + + ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst); + virSecurityManagerMetadataUnlock(data->mgr, &state); ++ ++ if (ret == -2) { ++ /* Libvirt built without XATTRS */ ++ ret = 0; ++ } ++ + return ret; + } + +-- +2.26.0 +
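Review bot: both the security_dac.c and security_selinux.c hunks special-case a bare -2 from virSecurityMoveRememberedLabel with a comment saying it means "built without XATTRS". Please confirm that -2 is returned only on the !HAVE_LIBATTR (ENOSYS) path and not for any other soft failure, and say so in the comment, because anything else that returns -2 is now silently treated as success and the remembered label for data->dst will simply be missing when a later restore looks for it. A VIR_DEBUG noting that the move was skipped would make that case diagnosable, and the identical hunks could share one helper.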
  41. Download patch debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,25 @@ +From 5bc815f6a88f5e00613f6794c3c338abb45526fc Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Thu, 11 May 2017 16:19:24 +0200 +Subject: [PATCH 17/33] apparmor, virt-aa-helper: Allow access to tmp + directories + +Done by importing user-tmp abstraction which includes per-user +and globale tmp directories. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -4,6 +4,7 @@ + profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + #include <abstractions/base> + #include <abstractions/nameservice> ++ #include <abstractions/user-tmp> + + # needed for searching directories + capability dac_override,
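Review bot: the hunk adds "#include <abstractions/user-tmp>" to the virt-aa-helper profile but the header gives no use case, and that abstraction grants write access under /tmp and /var/tmp to a helper that already carries "capability dac_override". Please state which operation needs it (disk images or firmware placed under /tmp during tests, for example) and, if reading guest files there is all that is required, add a narrower read-only rule for those paths instead of the full abstraction.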
  42. Download patch debian/patches/ubuntu/lp-1853200-cpu_map-Add-decode-element-to-x86-CPU-model-definiti.patch
  43. Download patch debian/patches/stable/lp-1868539-m4-libxl-properly-fail-when-libxl-is-required.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-m4-libxl-properly-fail-when-libxl-is-required.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-m4-libxl-properly-fail-when-libxl-is-required.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,47 @@ +From 215b5daf43d339284f01610e6952d3b7cb5f18be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Thu, 20 Feb 2020 15:53:08 +0100 +Subject: [PATCH] m4: libxl: properly fail when libxl is required +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We specify "true" as the fail-action for LIBVIRT_CHECK_PKG. + +This was used when we had a fallback to non-pkg-config detection, +then removed in commit 5bdcef13d13560512c7d6d8c9e8822e456889e0c +later re-introduced in commit dc3d2c9f8c7678a950abedd227b1587ca62335c4 +and then left in when removing the old detection again in +commit 18981877d2e20390a79d068861a24e716f8ee422 + +Remove it to properly error out when libxl was requested but not +detected. + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: 18981877d2e20390a79d068861a24e716f8ee422 +Reviewed-by: Andrea Bolognani <abologna@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=215b5daf43 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + m4/virt-driver-libxl.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/m4/virt-driver-libxl.m4 b/m4/virt-driver-libxl.m4 +index 2f3565f1d5..a958cb26fa 100644 +--- a/m4/virt-driver-libxl.m4 ++++ b/m4/virt-driver-libxl.m4 +@@ -30,7 +30,7 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_LIBXL], [ + + dnl search for libxl, aka libxenlight + old_with_libxl="$with_libxl" +- LIBVIRT_CHECK_PKG([LIBXL], [xenlight], [4.6.0], [true]) ++ LIBVIRT_CHECK_PKG([LIBXL], [xenlight], [4.6.0]) + if test "x$with_libxl" = "xyes" ; then + LIBXL_FIRMWARE_DIR=$($PKG_CONFIG --variable xenfirmwaredir xenlight) + LIBXL_EXECBIN_DIR=$($PKG_CONFIG --variable libexec_bin xenlight) +-- +2.25.1 +
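Review bot: in the virt-driver-libxl.m4 hunk, dropping the `[true]` fail-action from `LIBVIRT_CHECK_PKG([LIBXL], [xenlight], [4.6.0])` changes what happens whenever xenlight is not found, and the surrounding context still saves `old_with_libxl="$with_libxl"`, which suggests a probe-only path; please confirm that the macro's default fail-action only aborts when libxl was explicitly requested and not when `with_libxl` was left at its default, since the message's "when libxl was requested but not detected" claim rests on that distinction.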
  44. Download patch debian/libvirt-daemon.README.Debian

    --- 6.0.0-1/debian/libvirt-daemon.README.Debian 2020-01-11 11:25:55.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon.README.Debian 2020-06-22 19:30:50.000000000 +0000 @@ -42,30 +42,11 @@ EOF This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges. -Bridged network -=============== -libvirt can use the qemu-bridge-helper to create bridged network interfaces for -session domains. For this to work the helper must have the capability to create -TUN/TAP devices or must have the SUID permission set. -This can be done by running the following command as the user root: - - setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper - -The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For -each bridge add a line like 'allow br0'. - Access Control ============== -Access to the libvirt managing tasks is controlled by PolicyKit. To ease -configuration membership in the "libvirt" group is sufficient. If you want to -manage VMs as non-root you need to add a user to that group. - -Note that this will allow users in this group to use all of libvirt's -API including modifying files on the host. For finer grained access -control have a look at libvirt's ACLs. - -System QEMU/KVM processes are run as user and group libvirt-qemu. This can be -adjusted via /etc/libvirt/qemu.conf. +Access to the libvirt socket is controlled by membership in the "libvirtd" +group. +If you want to manage VMs as non root you need to add a user to that group. QEMU/KVM: Dropping Capabilties ============================== 
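Review bot: the first README.Debian hunk rewrites Access Control but drops the warning that group membership grants "all of libvirt's API including modifying files on the host" together with the pointer to libvirt's ACLs for finer-grained control; the replacement only says membership controls socket access, so the reader does not learn that this is root-equivalent until the later qemu:///system section. Suggest keeping that one-sentence warning and the ACL reference right after `If you want to manage VMs as non root you need to add a user to that group.` ("non root" should also be "non-root"). The removed Bridged network section takes the `setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper` guidance with it; if that no longer applies on Ubuntu, say so in the changelog rather than deleting it silently. The context line "Dropping Capabilties" has a typo the hunk could fix while it is here.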
@@ -116,3 +97,82 @@ model. See for further details. -- Guido Günther <agx@sigxcpu.org> Wen, 24 Dec 2014 09:55:41 +0200 + +AppArmor Profile +================ +Libvirt now contains AppArmor integration when using KVM or QEMU using +libvirt's sVirt infrastructure. Libvirtd can be configured to launch virtual +machines that are confined by uniquely restrictive AppArmor profiles. This +feature significantly improves virtualization in Ubuntu by providing user-space +host protection as well as guest isolation. + +In the sVirt model, if a profile is loaded for the libvirtd daemon, then each +qemu:///system QEMU virtual machine will have a profile created for it when +the virtual machine is started if one does not already exist. This generated +profile is based on a template file and uses a profile name based on the UUID +of the QEMU virtual machine and contains rules allowing access to only the +files it needs to run, such as its disks, pid file and log files. Just before +the QEMU virtual machine is started, the libvirtd daemon will change into this +unique profile, preventing the QEMU process from accessing any file resources +that are present in another QEMU process or the host machine. + +The AppArmor sVirt implementation is flexible in that it allows a user to +customize the template file in /etc/apparmor.d/libvirt/TEMPLATE for +site-specific access for all newly created QEMU virtual machines. When a +new profile is generated, two files are created: + + /etc/apparmor.d/libvirt/libvirt-<uuid> + /etc/apparmor.d/libvirt/libvirt-<uuid>.files + +The former can be fine-tuned by the administrator to allow custom access for +this particular QEMU virtual machine, and the latter will be updated +appropriately when required file access changes, such as when a disk is added. +This flexibility allows for situations such as having one virtual machine in +complain mode with all others in enforce mode. 
+ +Profiles for /usr/sbin/libvirtd, /usr/lib/libvirt/virt-aa-helper (a helper +program which the libvirtd daemon uses instead of manipulating AppArmor +directly), and /etc/apparmor.d/abstractions/libvirt-qemu are used to configure +AppArmor confinement with sVirt. Administrators of libvirt in production +environments are encouraged to review these files (especially 'libvirt-qemu') +to ensure that only the access required is given to the virtual machines. + +If the sVirt security model is active, then the node capabilities XML will +include its details. If a virtual machine is currently protected by the +security model, then the guest XML will include its assigned profile name. If +enabled at compile time, the sVirt security model will be activated if AppArmor +is available on the host OS and a profile for the libvirtd daemon is loaded +when libvirtd is started. To disable sVirt, and revert to the basic level of +AppArmor protection (host protection only), the /etc/libvirt/qemu.conf file can +be used to change the setting to security_driver="none". Users may also +disable AppArmor integration through AppArmor itself by performing: + +$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd +$ sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd + +If your system uses AppArmor, please note that the shipped profile works with +the default installation, and changes in your configuration may require changes +to the installed apparmor profile. Before filing a bug against this software, +please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug +against this software. + +qemu:///system +-------------- +Adding users to the libvirtd group effectively grants them root access. In +Ubuntu, users in the sudo group (who already have 'sudo' access) are added to +this group automatically. + +Virtual machines started from qemu:///system may run with or without root +privileges. 
As discussed above, in Ubuntu Qemu/KVM virtual machines are fully +isolated and confined by the AppArmor security driver. Users can adjust this +/etc/libvirt/qemu.conf so that virtual machines started under qemu:///system +run as a non-privileged user (new in libvirt 0.7). The 'libvirt-qemu' user and +'kvm' group are configured for this purpose. In Ubuntu, libvirt runs virtual +machines with non-root privileges as well as fully confined by AppArmor. + +While the current non-root implementation does reduce the privileges of virtual +machines running under qemu:///system, continuing to use a MAC system such as +AppArmor is important because without the MAC system all VMs will still run +under the same user and there is no guest isolation. Additionally, if each VM +ran under its own user, an attacker could potentially break out of the VM and +have unconfined user access to the host machine.
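Review bot: in the second README.Debian hunk the added AppArmor text ends with `Before filing a bug against this software, please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this software.`, which repeats its own clause, and `Users can adjust this /etc/libvirt/qemu.conf so that ...` is missing a word ("adjust this in" or "edit"); suggest fixing both. The two disable commands, `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd` and the `ln -s` into `/etc/apparmor.d/disable/`, are shown as an alternative to `security_driver="none"` without a word on what each does; one line saying which of them unloads the profile now and which keeps it from loading again would make it clear why both are needed.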
  45. Download patch debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch

    --- 6.0.0-1/debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,38 @@ +From 4cc90c2e62df653e909ad31fd810224bf8bcf913 Mon Sep 17 00:00:00 2001 +From: Jonathon Jongsma <jjongsma@redhat.com> +Date: Fri, 20 Mar 2020 09:43:13 -0500 +Subject: [PATCH] api: disallow virDomainAgentSetResponseTimeout() on read-only + connections + +This function changes the amount of time that libvirt waits for a +response from the guest agent for all guest agent commands. Since this +is a configuration change, it should not be allowed on read-only +connections. + +Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913 +Last-Update: 2020-04-15 + +--- + src/libvirt-domain.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 65813b68cc..a12809c2d5 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -12576,6 +12576,8 @@ virDomainAgentSetResponseTimeout(virDomainPtr domain, + virCheckDomainReturn(domain, -1); + conn = domain->conn; + ++ virCheckReadOnlyGoto(conn->flags, error); ++ + if (conn->driver->domainAgentSetResponseTimeout) { + if (conn->driver->domainAgentSetResponseTimeout(domain, timeout, flags) < 0) + goto error; +-- +2.26.0 +
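Review bot: the libvirt-domain.c hunk places `virCheckReadOnlyGoto(conn->flags, error);` after `virCheckDomainReturn` and before the driver dispatch, which is the right spot and matches the message. The only nit is the patch file name: it carries a doubled prefix (`CVE-CVE-2020-10701-api-disallow-...`, also in debian/patches/series) and should be `CVE-2020-10701-api-disallow-...` to match the other patch names.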
  46. Download patch debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-VIR_AUTOCLOSE-for-int.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-VIR_AUTOCLOSE-for-int.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-VIR_AUTOCLOSE-for-int.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,50 @@ +From 1c16f261d0764ff70fb33ece4367f25e741cdb74 Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 13 Jan 2020 10:07:32 +0100 +Subject: [PATCH] qemuDomainSaveImageStartVM: Use VIR_AUTOCLOSE for + @intermediatefd + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=1c16f261d0 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 57d1103c45..e1f8968136 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6803,7 +6803,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + int ret = -1; + bool restored = false; + virObjectEventPtr event; +- int intermediatefd = -1; ++ VIR_AUTOCLOSE intermediatefd = -1; + virCommandPtr cmd = NULL; + g_autofree char *errbuf = NULL; + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); +@@ -6829,6 +6829,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + + if (virCommandRunAsync(cmd, NULL) < 0) { + *fd = intermediatefd; ++ intermediatefd = -1; + goto cleanup; + } + } +@@ -6872,8 +6873,6 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + + virErrorRestore(&orig_err); + } +- VIR_FORCE_CLOSE(intermediatefd); +- + if (VIR_CLOSE(*fd) < 0) { + virReportSystemError(errno, _("cannot close file: %s"), path); + restored = false; +-- +2.25.1 +
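Review bot: in the second qemu_driver.c hunk the hand-off `*fd = intermediatefd;` followed by the new `intermediatefd = -1;` is what keeps the VIR_AUTOCLOSE from closing a descriptor the caller now owns; a short comment on that line (ownership moved to *fd) would make the reason for the reset obvious, because without it the auto-close introduced in the first hunk would double-close on this path.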
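Review bot: the third hunk removes `VIR_FORCE_CLOSE(intermediatefd);`, which used to run before `VIR_CLOSE(*fd)` and the error reporting below it, whereas the VIR_AUTOCLOSE from the first hunk only fires when the function returns, so the close order of the two descriptors is now reversed; please confirm that nothing between those points depends on the intermediate descriptor being closed first.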
  47. Download patch debian/salsa-ci.yml

    --- 6.0.0-1/debian/salsa-ci.yml 2020-01-20 16:46:49.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 
@@ -1,74 +0,0 @@ -stages: - - build - - test - -variables: - # Default docker image to use - LV_DOCKER_IMAGE: debian:unstable - LV_WORKING_DIR: $CI_PROJECT_DIR/debian/output - -build-debian-package: - image: ${LV_DOCKER_IMAGE} - stage: build - timeout: 3h - before_script: - - echo "man-db man-db/auto-update boolean false" | debconf-set-selections - - export DEBIAN_FRONTEND=noninteractive - - apt-get -y update - - apt-get -y install build-essential git-buildpackage pristine-tar - - apt-get -y build-dep . - - rm -f ../* || true - - git config user.email 'libvirt@exmple.com' - - git config user.name 'Gitlab CI' - script: - - 'UPSTREAM_BRANCH=$(gbp config dch.upstream-branch)' - - git branch "${UPSTREAM_BRANCH}" "origin/${UPSTREAM_BRANCH}" - - gbp dch --git-author -S -a --ignore-branch - - mkdir -p "${LV_WORKING_DIR}/tarballs" - - gbp export-orig --tarball-dir="${LV_WORKING_DIR}/tarballs" - --pristine-tar - - git add debian/changelog - - gbp buildpackage --git-ignore-new - --git-ignore-branch - --git-export-dir="${LV_WORKING_DIR}/" - --git-export=INDEX - --git-tarball-dir="${LV_WORKING_DIR}/tarballs" - -j -b -uc -us > "${LV_WORKING_DIR}/build.log" - artifacts: - when: always - paths: - - "${LV_WORKING_DIR}/build.log" - - "${LV_WORKING_DIR}/*.deb" - - "${LV_WORKING_DIR}/*.buildinfo" - - "${LV_WORKING_DIR}/*.changes" - -lint-debian-package: - image: ${LV_DOCKER_IMAGE} - stage: test - dependencies: - - build-debian-package - before_script: - - echo "man-db man-db/auto-update boolean false" | debconf-set-selections - - export DEBIAN_FRONTEND=noninteractive - - apt-get -y update - - apt-get -y install lintian - script: - - ls "${LV_WORKING_DIR}" - - lintian ${LV_LINTIAN_OPTS} ${LV_WORKING_DIR}/*.changes - -autopkgtest-debian-package: - image: ${LV_DOCKER_IMAGE} - stage: test - dependencies: - - build-debian-package - before_script: - - echo "man-db man-db/auto-update boolean false" | debconf-set-selections - - export DEBIAN_FRONTEND=noninteractive - - apt-get -y update - - 
apt-get -y install autopkgtest - script: - - ls "${LV_WORKING_DIR}" - - RET=0; - autopkgtest -U ${LV_WORKING_DIR}/*.changes -- autopkgtest-virt-null || RET=$?; - echo "Autopkgtest exited with ${RET}"; - [ "${RET}" -eq 8 ] && exit 0 || exit "${RET}"
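Review bot: this diff deletes debian/salsa-ci.yml wholesale, removing the build-debian-package, lint-debian-package and autopkgtest-debian-package stages, and no justification appears in the diff itself; suggest recording why the Debian CI definition is dropped from the Ubuntu packaging (or keeping the file, which is inert outside Salsa) rather than deleting it silently.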
  48. Download patch debian/patches/ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,99 @@ +From 75a4ec42f70b5324f95d7ffbbfbf7457620735e4 Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com> +Date: Fri, 21 Feb 2020 15:10:45 -0300 +Subject: [PATCH] util: virhostcpu: Fail when fetching CPU Stats for invalid + cpu + +virHostCPUGetStatsLinux walks through every cpu in /proc/stat until it +finds cpu%cpuNum that matches with the requested cpu. +If none is found it logs the error but it should return -1, instead of 0. +Otherwise virsh nodecpustats --cpu <invalid cpu number> and API bindings +don't fail properly, printing a blank line instead of an error message. + +This patch also includes an additional test for virhostcputest to avoid +this regression to happen again in the future. + +Fixes: 93af79fba3fd75a8df6b7ca608719dd97f9511a0 +Reported-by: Satheesh Rajendran <satheera@in.ibm.com> +Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com> +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=75a4ec42f70b5 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868528 +Last-Update: 2020-03-25 + +--- + src/util/virhostcpu.c | 2 +- + tests/virhostcputest.c | 21 ++++++++++++++++++--- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/util/virhostcpu.c b/src/util/virhostcpu.c +index 41033b7473..721d959d46 100644 +--- a/src/util/virhostcpu.c ++++ b/src/util/virhostcpu.c +@@ -852,7 +852,7 @@ virHostCPUGetStatsLinux(FILE *procstat, + _("Invalid cpuNum in %s"), + __FUNCTION__); + +- return 0; ++ return -1; + } + + +diff --git a/tests/virhostcputest.c b/tests/virhostcputest.c +index 7865b61578..70a723098b 100644 +--- a/tests/virhostcputest.c ++++ b/tests/virhostcputest.c +@@ -196,6 +196,7 @@ linuxTestHostCPU(const void *opaque) + struct 
nodeCPUStatsData { + const char *name; + int ncpus; ++ bool shouldFail; + }; + + static int +@@ -214,6 +215,19 @@ linuxTestNodeCPUStats(const void *data) + result = linuxCPUStatsCompareFiles(cpustatfile, + testData->ncpus, + outfile); ++ if (result < 0) { ++ if (testData->shouldFail) { ++ /* Expected error */ ++ result = 0; ++ } ++ } else { ++ if (testData->shouldFail) { ++ fprintf(stderr, "Expected a failure, got success"); ++ result = -1; ++ } ++ } ++ ++ + VIR_FREE(cpustatfile); + VIR_FREE(outfile); + return result; +@@ -258,14 +272,15 @@ mymain(void) + if (virTestRun(nodeData[i].testName, linuxTestHostCPU, &nodeData[i]) != 0) + ret = -1; + +-# define DO_TEST_CPU_STATS(name, ncpus) \ ++# define DO_TEST_CPU_STATS(name, ncpus, shouldFail) \ + do { \ +- static struct nodeCPUStatsData data = { name, ncpus }; \ ++ static struct nodeCPUStatsData data = { name, ncpus, shouldFail}; \ + if (virTestRun("CPU stats " name, linuxTestNodeCPUStats, &data) < 0) \ + ret = -1; \ + } while (0) + +- DO_TEST_CPU_STATS("24cpu", 24); ++ DO_TEST_CPU_STATS("24cpu", 24, false); ++ DO_TEST_CPU_STATS("24cpu", 25, true); + + return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; + } +-- +2.25.1 +
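Review bot: in the linuxTestNodeCPUStats hunk the `shouldFail` branch turns any `result < 0` into success, so a case that fails for an unrelated reason (a missing data file, a comparison error) is reported as the expected failure; suggest verifying that the failure is the intended one, for instance by checking that virGetLastError() carries the "Invalid cpuNum" error before setting `result = 0`. Also `fprintf(stderr, "Expected a failure, got success");` lacks a trailing newline, and the two `++` blank lines after the block are one more than the file's style uses.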
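Review bot: the DO_TEST_CPU_STATS hunk registers both cases under the same label, since `virTestRun("CPU stats " name, ...)` uses only `name` and both calls pass "24cpu"; the new `DO_TEST_CPU_STATS("24cpu", 25, true);` is therefore indistinguishable from the passing case in test output. Suggest folding ncpus or the expected outcome into the test name.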
  49. Download patch debian/patches/ubuntu/lp-1861125-qemu_capabilities-Disable-CPU-models-on-old-s390-mac.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1861125-qemu_capabilities-Disable-CPU-models-on-old-s390-mac.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1861125-qemu_capabilities-Disable-CPU-models-on-old-s390-mac.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,104 @@ +From c6ff3d1535480ef7fac8c9911ad7715f7d0e2acb Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Thu, 6 Feb 2020 10:22:23 +0100 +Subject: [PATCH] qemu_capabilities: Disable CPU models on old s390 machine types + +Starting a KVM domain on s390 with old machine type (such as +s390-ccw-virtio-2.5) and without any guest CPU model configured fails +with + + CPU models are not available: KVM doesn't support CPU models + +QEMU error. This is cause by libvirt using host-model CPU as the default +CPU based on QEMU reporting "host" CPU model as being the default one +(see commit v5.9.0-402-g24d8202294: qemu: Use host-model CPU on s390 by +default). However, even though both QEMU and KVM support CPU models on +s390 and QEMU can give us the host-model CPU, we can't use it with old +machine types which only support -cpu host. + +https://bugzilla.redhat.com/show_bug.cgi?id=1795651 + +Reported-by: Christian Ehrhardt <paelzer@gmail.com> +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=c6ff3d1535480ef7fac8c9911ad7715f7d0e2acb +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1861125 +Last-Update: 2020-02-12 + +--- + src/qemu/qemu_capabilities.c | 19 ++++++++++++++++++- + ...t-cpu-kvm-ccw-virtio-2.7.s390x-latest.args | 4 +--- + ...lt-cpu-kvm-ccw-virtio-2.7.s390x-latest.xml | 2 +- + 3 files changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index 162e49e2d4..dd2311cfa9 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2274,16 +2274,33 @@ virQEMUCapsIsVirtTypeSupported(virQEMUCapsPtr qemuCaps, + return false; + } + ++const char *s390HostPassthroughOnlyMachines[] = { ++ "s390-ccw-virtio-2.4", ++ "s390-ccw-virtio-2.5", ++ "s390-ccw-virtio-2.6", ++ "s390-ccw-virtio-2.7", ++ NULL ++}; + + bool + 
virQEMUCapsIsCPUModeSupported(virQEMUCapsPtr qemuCaps, + virArch hostarch, + virDomainVirtType type, + virCPUMode mode, +- const char *machineType G_GNUC_UNUSED) ++ const char *machineType) + { + qemuMonitorCPUDefsPtr cpus; + ++ /* CPU models (except for "host") are not supported by QEMU for on s390 ++ * KVM domains with old machine types regardless on QEMU version. */ ++ if (ARCH_IS_S390(qemuCaps->arch) && ++ type == VIR_DOMAIN_VIRT_KVM && ++ mode != VIR_CPU_MODE_HOST_PASSTHROUGH && ++ machineType && ++ g_strv_contains(s390HostPassthroughOnlyMachines, machineType)) { ++ return false; ++ } ++ + switch (mode) { + case VIR_CPU_MODE_HOST_PASSTHROUGH: + return type == VIR_DOMAIN_VIRT_KVM && +diff --git a/tests/qemuxml2argvdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.args b/tests/qemuxml2argvdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.args +index 8c25a01e74..0c2567df6c 100644 +--- a/tests/qemuxml2argvdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.args ++++ b/tests/qemuxml2argvdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.args +@@ -13,9 +13,7 @@ QEMU_AUDIO_DRV=none \ + -object secret,id=masterKey0,format=raw,\ + file=/tmp/lib/domain--1-test/master-key.aes \ + -machine s390-ccw-virtio-2.7,accel=kvm,usb=off,dump-guest-core=off \ +--cpu z13.2-base,aen=on,aefsi=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,\ +-sthyi=on,edat=on,ri=on,edat2=on,vx=on,ipter=on,ap=on,esop=on,apft=on,apqci=on,\ +-cte=on,bpb=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \ ++-cpu host \ + -m 256 \ + -overcommit mem-lock=off \ + -smp 1,sockets=1,cores=1,threads=1 \ +diff --git a/tests/qemuxml2xmloutdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.xml b/tests/qemuxml2xmloutdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.xml +index 56fd22b6e5..8799584c11 100644 +--- a/tests/qemuxml2xmloutdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.xml ++++ b/tests/qemuxml2xmloutdata/s390-default-cpu-kvm-ccw-virtio-2.7.s390x-latest.xml +@@ -8,7 +8,7 @@ + <type 
arch='s390x' machine='s390-ccw-virtio-2.7'>hvm</type> + <boot dev='hd'/> + </os> +- <cpu mode='host-model' check='partial'/> ++ <cpu mode='host-passthrough' check='none'/> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> +-- +2.25.0 +
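Review bot: in the qemu_capabilities.c hunk `const char *s390HostPassthroughOnlyMachines[] = { ... };` is a file-scope definition with external linkage and mutable element pointers, yet it is only used by virQEMUCapsIsCPUModeSupported directly below; it should be `static const char *const s390HostPassthroughOnlyMachines[]`, which also matches the `const gchar *const *` parameter of g_strv_contains without conversion. The comment "not supported by QEMU for on s390 KVM domains with old machine types regardless on QEMU version" should read "on s390 KVM domains ... regardless of QEMU version", and "This is cause by" in the message should be "This is caused by".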
  50. Download patch debian/patches/stable/lp-1868539-testutils-check-return-value-of-g_setenv.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-testutils-check-return-value-of-g_setenv.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-testutils-check-return-value-of-g_setenv.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,39 @@ +From 879e9db194865d70b7d66b1087a5d6903e902eab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Sun, 9 Feb 2020 01:26:08 +0100 +Subject: [PATCH] testutils: check return value of g_setenv +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function returns gboolean. +Compare against the FALSE value from GLib. + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: 2c3353242337bb50fe5abc9454fd5fc98236d4ef +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=879e9db194 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + tests/testutils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/testutils.c b/tests/testutils.c +index 0cf0ac7e5c..83daed8940 100644 +--- a/tests/testutils.c ++++ b/tests/testutils.c +@@ -836,7 +836,7 @@ virTestSetEnvPath(void) + } + + if (new_path && +- g_setenv("PATH", new_path, TRUE) < 0) ++ g_setenv("PATH", new_path, TRUE) == FALSE) + goto cleanup; + + ret = 0; +-- +2.25.1 +
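Review bot: in the testutils.c hunk `g_setenv("PATH", new_path, TRUE) == FALSE` is correct, though the GLib-idiomatic form is `!g_setenv("PATH", new_path, TRUE)`; either way the message could state the actual consequence of the old `< 0` test, which can never be true for a gboolean, so PATH setup failures in the test harness were silently ignored until now.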
  51. Download patch debian/libvirt-daemon.install

    --- 6.0.0-1/debian/libvirt-daemon.install 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon.install 2020-06-22 19:30:50.000000000 +0000 @@ -1,3 +1,4 @@ +usr/share/apport/package-hooks/source_libvirt.py usr/sbin/libvirtd usr/sbin/virt-sanlock-cleanup usr/sbin/virtlockd
  52. Download patch debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,44 @@ +From cc8c297e473afd55e5d8e35e18345d8df176059d Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 18 May 2020 10:07:30 +0200 +Subject: [PATCH] Don't require secdrivers to implement + .domainMoveImageMetadata + +The AppArmor secdriver does not use labels to grant access to +resources. Therefore, it doesn't use XATTRs and hence it lacks +implementation of .domainMoveImageMetadata callback. This leads +to a harmless but needless error message appearing in the logs: + + virSecurityManagerMoveImageMetadata:476 : this function is not + supported by the connection driver: virSecurityManagerMoveImageMetadata + +Closes: https://gitlab.com/libvirt/libvirt/-/issues/25 + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Erik Skultety <eskultet@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=cc8c297e473afd55e5d8e35e18345d +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325 +Last-Update: 2020-05-20 + +--- + src/security/security_manager.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/security/security_manager.c b/src/security/security_manager.c +index 2dea294784..b1237d63b6 100644 +--- a/src/security/security_manager.c ++++ b/src/security/security_manager.c +@@ -473,8 +473,7 @@ virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr, + return ret; + } + +- virReportUnsupportedError(); +- return -1; ++ return 0; + } + + +-- +2.26.0 +
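Review bot: the security_manager.c hunk replaces `virReportUnsupportedError(); return -1;` with `return 0;`, so a driver without a .domainMoveImageMetadata callback now reports success silently; that is right for the AppArmor case the message describes, but it also hides a genuinely missing implementation in any future driver that does rely on remembered labels. Suggest a VIR_DEBUG line at that spot so the skipped move still shows up in debug logs, or at least a comment stating that drivers without remembered labels are expected to have nothing to move.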
  53. Download patch debian/patches/stable/lp-1868539-qemu-use-correct-backendType-when-checking-memfd-cap.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-use-correct-backendType-when-checking-memfd-cap.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-use-correct-backendType-when-checking-memfd-cap.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,46 @@ +From 8400b6c1983dd1e4504fe19d3421fff0e5866091 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Mon, 24 Feb 2020 13:32:30 +0100 +Subject: [PATCH] qemu: use correct backendType when checking memfd capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The backend name is memory-backend-memfd but we've been checking +for memory-backend-memory. + +Reported by GCC on rawhide: +../../../src/internal.h:75:22: error: 'strcmp' of a string of length 21 and +an array of size 21 evaluates to nonzero [-Werror=string-compare] +../../../src/qemu/qemu_command.c:3525:20: note: in expansion of macro 'STREQ' + 3525 | } else if (STREQ(backendType, "memory-backend-memory") && + | ^~~~~ + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: 24b74d187cab48a9dc9f409ea78900154c709579 +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=8400b6c198 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_command.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index f69a9e651c..6d5b53d30a 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -3522,7 +3522,7 @@ qemuBuildMemoryBackendProps(virJSONValuePtr *backendProps, + _("this qemu doesn't support the " + "memory-backend-ram object")); + return -1; +- } else if (STREQ(backendType, "memory-backend-memory") && ++ } else if (STREQ(backendType, "memory-backend-memfd") && + !virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_MEMORY_MEMFD)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("this qemu doesn't support the " +-- +2.25.1 +
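Review bot: in the qemu_command.c hunk the corrected `STREQ(backendType, "memory-backend-memfd")` was only caught by a compiler string-length warning, which means the capability check on QEMU_CAPS_OBJECT_MEMORY_MEMFD could never fire since the commit named in Fixes:; suggest adding a qemuxml2argv case that requests a memfd backend against a capabilities set lacking that flag, so the `this qemu doesn't support the ...` error path is actually exercised and the typo cannot regress silently.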
  54. Download patch debian/tests/smoke-qemu-session.xml

    --- 6.0.0-1/debian/tests/smoke-qemu-session.xml 2018-03-18 09:53:51.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/tests/smoke-qemu-session.xml 2020-06-22 19:30:50.000000000 +0000 @@ -1,4 +1,4 @@ -<domain type='kvm'> +<domain type='qemu'> <name>sqs</name> <memory unit='KiB'>256000</memory> <currentMemory unit='KiB'>256000</currentMemory> @@ -18,7 +18,7 @@ <on_reboot>destroy</on_reboot> <on_crash>destroy</on_crash> <devices> - <emulator>/usr/bin/kvm</emulator> + <emulator>/usr/bin/qemu-system-x86_64</emulator> <controller type='virtio-serial' index='0'> <alias name='virtio-serial0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
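Review bot: the smoke-qemu-session.xml hunk switches the test domain to `<domain type='qemu'>` with `<emulator>/usr/bin/qemu-system-x86_64</emulator>`, which removes the dependency on a usable /dev/kvm but hard-codes the x86_64 emulator, so the smoke test can no longer run on any other architecture; suggest dropping the emulator element so libvirt picks the host's default binary, or recording the restriction in the test's control file.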
  55. Download patch debian/patches/series

    --- 6.0.0-1/debian/patches/series 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/series 2020-06-22 19:30:50.000000000 +0000 
@@ -17,3 +17,68 @@ apparmor-Allow-virt-aa-helper-to-access- debian/Prefer-sbin-over-usr-sbin.patch Include-etc-pki-qemu-in-apparmor.patch apparmor-Allow-run-pygrub.patch + +ubuntu/Allow-libvirt-group-to-access-the-socket.patch +ubuntu/daemon-augeas-fix-expected.patch +ubuntu/ubuntu_machine_type.patch +ubuntu/parallel-shutdown.patch +ubuntu/dnsmasq-as-priv-user +ubuntu/ovmf_paths.patch +ubuntu/set-default-machine-to-ubuntu.patch + +# Ubuntu Apparmor Changes +ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch +ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch +ubuntu-aa/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch +ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch +ubuntu-aa/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch +ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch +ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch +ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch +ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch +ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch +ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch +ubuntu-aa/0050-local-include-for-libvirt-qemu.patch +ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch +ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch +ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch +ubuntu/lp-1861125-qemu-Pass-machine-type-to-virQEMUCapsIsCPUModeSuppor.patch +ubuntu/lp-1861125-qemuxml2-test-Add-default-CPU-tests-for-s390-ccw-vir.patch +ubuntu/lp-1861125-qemu_capabilities-Disable-CPU-models-on-old-s390-mac.patch +ubuntu/lp-1861125-ubuntu-models.patch +ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch +ubuntu/lp-1865425-qemu-end-the-agent-job-in-qemuDomainSetTimeAgent.patch +ubuntu-aa/lp-1847361-load-versioned-module.patch +ubuntu/lp-1867460-qemu-fixing-auto-detecting-binary-in-domain-capabili.patch 
+ubuntu/lp-1867460-qemu_capabilities-Rework-domain-caps-cache.patch +stable/lp-1868539-qemuDomainSaveImageStartVM-Use-VIR_AUTOCLOSE-for-int.patch +stable/lp-1868539-qemuDomainSaveImageStartVM-Use-g_autoptr-for-virComm.patch +stable/lp-1868539-qemu-Use-g_autoptr-for-qemuDomainSaveCookie.patch +stable/lp-1868539-qemu-Stop-domain-on-failed-restore.patch +stable/lp-1868539-qemu-do-not-revert-to-NULL-bandwidth.patch +stable/lp-1868539-qemu-preserve-error-on-bandwidth-rollback.patch +stable/lp-1868539-testutils-check-return-value-of-g_setenv.patch +stable/lp-1868539-qemuDomainGetStatsIOThread-Don-t-leak-array-with-0-i.patch +stable/lp-1868539-m4-libxl-properly-fail-when-libxl-is-required.patch +stable/lp-1868539-qemu-save-restore-original-error-when-recovering-fro.patch +stable/lp-1868539-virDomainFSDefFree-Unref-private-data.patch +stable/lp-1868539-qemuTestParseCapabilitiesArch-Free-binary.patch +stable/lp-1868539-bhyve-command-remove-unused-includes.patch +stable/lp-1868539-vz-Fix-return-value-in-error-path.patch +stable/lp-1868539-qemu-use-correct-backendType-when-checking-memfd-cap.patch +stable/lp-1868539-testutilsxen-error-out-on-initialization-failure.patch +stable/lp-1868539-daemon-set-default-memlock-limit-for-systemd-service.patch +stable/lp-1868539-qemu-Don-t-compare-local-and-remote-hostnames-on-mig.patch +stable/lp-1868539-virsystemdtest-do-not-leak-socket-path.patch +stable/lp-1868539-tests-fix-double-unlock-of-monitor-in-hotplug-test.patch +stable/lp-1868539-security-Try-harder-to-run-transactions.patch +ubuntu/lp-1853200-cputest-Add-data-for-Intel-R-Core-TM-i7-8550U-CPU-wi.patch +ubuntu/lp-1853200-cpu_map-Add-more-noTSX-x86-CPU-models.patch +ubuntu/lp-1853200-cpu_map-Add-decode-element-to-x86-CPU-model-definiti.patch +ubuntu/lp-1853200-cpu_x86-Honor-CPU-models-decode-element.patch +ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch +ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch 
+ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch +ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch +ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch +ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
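Review bot: the new series entries are inconsistently named: `ubuntu/dnsmasq-as-priv-user` is the only added entry without a `.patch` suffix, and `ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch` doubles the `CVE-` prefix; quilt accepts both, but the doubled prefix makes the security patch harder to find by name. The ordering also mixes a single `ubuntu/` patch (`ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch`) into the `ubuntu-aa/` block under `# Ubuntu Apparmor Changes`, and the later additions are appended with no section comment at all; a short comment before the `stable/lp-1868539-*` backports and before the `lp-1861125` and `lp-1853200` groups would make it clear which entries are upstream backports and which are Ubuntu-only.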
  56. Download patch debian/patches/stable/lp-1868539-testutilsxen-error-out-on-initialization-failure.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-testutilsxen-error-out-on-initialization-failure.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-testutilsxen-error-out-on-initialization-failure.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,42 @@ +From 43773d48e6e12248bb7fc598abbbf43ab7e68e3f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Sat, 22 Feb 2020 12:44:45 +0100 +Subject: [PATCH] testutilsxen: error out on initialization failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +libxlDriverConfigNew can possibly fail on wrong +firmware values (unlikely) or on failure to create +the log directory (possible if you're debugging +tests with VIR_FILE_ACCESS) + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: 4a4132b4625778cf80acb9c92d06351b44468ac3 +Reviewed-by: Jim Fehlig <jfehlig@suse.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=43773d48e6 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + tests/testutilsxen.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/testutilsxen.c b/tests/testutilsxen.c +index b73c79581d..76da33826c 100644 +--- a/tests/testutilsxen.c ++++ b/tests/testutilsxen.c +@@ -94,7 +94,8 @@ libxlDriverPrivatePtr testXLInitDriver(void) + return NULL; + } + +- driver->config = libxlDriverConfigNew(); ++ if (!(driver->config = libxlDriverConfigNew())) ++ return NULL; + + driver->config->caps = testXLInitCaps(); + +-- +2.25.1 +
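Review bot: the new `if (!(driver->config = libxlDriverConfigNew())) return NULL;` returns without releasing `driver`, which the assignment shows has already been allocated; the existing `return NULL;` in the context just above takes the same shortcut, so this matches the helper's current style, but a cleanup label that frees `driver` would stop the test helper leaking on exactly the failure path the commit message expects to be hit (the `VIR_FILE_ACCESS` debugging case). Worth a follow-up rather than a blocker for a test utility.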
  57. Download patch debian/patches/ubuntu/lp-1861125-qemu-Pass-machine-type-to-virQEMUCapsIsCPUModeSuppor.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1861125-qemu-Pass-machine-type-to-virQEMUCapsIsCPUModeSuppor.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1861125-qemu-Pass-machine-type-to-virQEMUCapsIsCPUModeSuppor.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,105 @@ +From 80791859aced44e6feac35db4f4ecbb9a5de664f Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Wed, 5 Feb 2020 15:51:09 +0100 +Subject: [PATCH] qemu: Pass machine type to virQEMUCapsIsCPUModeSupported + +The usability of a specific CPU mode may depend on machine type, let's +prepare for this by passing it to virQEMUCapsIsCPUModeSupported. + +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=80791859aced44e6feac35db4f4ecbb9a5de664f +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1861125 +Last-Update: 2020-02-12 + +--- + src/qemu/qemu_capabilities.c | 12 ++++++++---- + src/qemu/qemu_capabilities.h | 3 ++- + src/qemu/qemu_domain.c | 3 ++- + src/qemu/qemu_process.c | 2 +- + 4 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c +index dfe7d48550..162e49e2d4 100644 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2279,7 +2279,8 @@ bool + virQEMUCapsIsCPUModeSupported(virQEMUCapsPtr qemuCaps, + virArch hostarch, + virDomainVirtType type, +- virCPUMode mode) ++ virCPUMode mode, ++ const char *machineType G_GNUC_UNUSED) + { + qemuMonitorCPUDefsPtr cpus; + +@@ -5644,18 +5645,21 @@ virQEMUCapsFillDomainCPUCaps(virQEMUCapsPtr qemuCaps, + virDomainCapsPtr domCaps) + { + if (virQEMUCapsIsCPUModeSupported(qemuCaps, hostarch, domCaps->virttype, +- VIR_CPU_MODE_HOST_PASSTHROUGH)) ++ VIR_CPU_MODE_HOST_PASSTHROUGH, ++ domCaps->machine)) + domCaps->cpu.hostPassthrough = true; + + if (virQEMUCapsIsCPUModeSupported(qemuCaps, hostarch, domCaps->virttype, +- VIR_CPU_MODE_HOST_MODEL)) { ++ VIR_CPU_MODE_HOST_MODEL, ++ domCaps->machine)) { + virCPUDefPtr cpu = virQEMUCapsGetHostModel(qemuCaps, domCaps->virttype, + VIR_QEMU_CAPS_HOST_CPU_REPORTED); + domCaps->cpu.hostModel = virCPUDefCopy(cpu); + } + + if 
(virQEMUCapsIsCPUModeSupported(qemuCaps, hostarch, domCaps->virttype, +- VIR_CPU_MODE_CUSTOM)) { ++ VIR_CPU_MODE_CUSTOM, ++ domCaps->machine)) { + const char *blacklist[] = { "host", NULL }; + VIR_AUTOSTRINGLIST models = NULL; + +diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h +index b97c11ee1d..2473e64654 100644 +--- a/src/qemu/qemu_capabilities.h ++++ b/src/qemu/qemu_capabilities.h +@@ -629,7 +629,8 @@ bool virQEMUCapsIsVirtTypeSupported(virQEMUCapsPtr qemuCaps, + bool virQEMUCapsIsCPUModeSupported(virQEMUCapsPtr qemuCaps, + virArch hostarch, + virDomainVirtType type, +- virCPUMode mode); ++ virCPUMode mode, ++ const char *machineType); + const char *virQEMUCapsGetCanonicalMachine(virQEMUCapsPtr qemuCaps, + virDomainVirtType virtType, + const char *name); +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index 851f750bd7..1b4825a539 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -4600,7 +4600,8 @@ qemuDomainDefSetDefaultCPU(virDomainDefPtr def, + if (STREQ(model, "host")) { + if (ARCH_IS_S390(def->os.arch) && + virQEMUCapsIsCPUModeSupported(qemuCaps, hostarch, def->virtType, +- VIR_CPU_MODE_HOST_MODEL)) { ++ VIR_CPU_MODE_HOST_MODEL, ++ def->os.machine)) { + def->cpu->mode = VIR_CPU_MODE_HOST_MODEL; + } else { + def->cpu->mode = VIR_CPU_MODE_HOST_PASSTHROUGH; +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index ddcc763cfd..e3df75d281 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -6022,7 +6022,7 @@ qemuProcessUpdateGuestCPU(virDomainDefPtr def, + } + + if (!virQEMUCapsIsCPUModeSupported(qemuCaps, hostarch, def->virtType, +- def->cpu->mode)) { ++ def->cpu->mode, def->os.machine)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("CPU mode '%s' for %s %s domain on %s host is not " + "supported by hypervisor"), +-- +2.25.0 +
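Review bot: the new `machineType` parameter of `virQEMUCapsIsCPUModeSupported` is `G_GNUC_UNUSED` in this change, so nothing here checks that the callers pass a meaningful value; the description says it is preparation, and the series adds `ubuntu/lp-1861125-qemu_capabilities-Disable-CPU-models-on-old-s390-mac.patch` right after this patch, which is presumably where the argument starts to matter, so the description should name that follow-up. In the `qemu_process.c` hunk the failure path still reports `"CPU mode '%s' for %s %s domain on %s host is not supported by hypervisor"` without the machine type; once support depends on `def->os.machine`, adding it to that message will save operators a debugging round-trip when a guest stops starting after a machine-type change.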
  58. Download patch debian/tests/smoke-qemu-session

    --- 6.0.0-1/debian/tests/smoke-qemu-session 2018-03-18 09:53:51.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/tests/smoke-qemu-session 2020-06-22 19:30:50.000000000 +0000 @@ -27,8 +27,13 @@ if [ $(uname -m) != "x86_64" ]; then exit 0 fi +# to be able to load our simple guest from /vmlinuz later +sudo chown $USER /initrd.img +sudo chown $USER /vmlinuz + echo echo "Running as $USER" set -x + virt-host-validate qemu || true virsh capabilities virsh capabilities | grep -qs "arch name='x86_64'"
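Review bot: `sudo chown $USER /initrd.img` and `sudo chown $USER /vmlinuz` hand ownership of the host's kernel image and initrd to the unprivileged test user and never restore it; that is only acceptable because autopkgtest runs in a disposable environment, and the comment should say so, or better, the script should copy the two files into a temporary directory and boot the guest from the copies so the host boot files are never re-owned. `$USER` should be quoted. `virt-host-validate qemu || true` makes the validation purely diagnostic, since it can never fail the test; if that is intended, a comment that the output is only for the log would help the next reader.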
  59. Download patch debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,37 @@ +From 4a8125774ff0745c0273a199fa8b9fb8316c2992 Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Thu, 11 May 2017 16:36:19 +0200 +Subject: [PATCH 20/33] UBUNTU-only: apparmor, virt-aa-helper: Allow various storage pools + and image locations + +Got various updates over time to include further Ubuntu specific paths. + +Forwarded: no (Ubuntu specific paths) +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -52,7 +52,19 @@ profile virt-aa-helper /usr/{lib,lib64}/ + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, +- /var/lib/nova/instances/_base/* r, ++ # nova base images (LP: #907269) ++ /var/lib/nova/images/** r, ++ /var/lib/nova/instances/_base/** r, ++ # nova snapshots (LP: #1244694) ++ /var/lib/nova/instances/snapshots/** r, ++ # eucalyptus (LP: #564914) ++ /var/lib/eucalyptus/instances/**/disk* r, ++ # eucalyptus loader (LP: #637544) ++ /var/lib/eucalyptus/instances/**/loader* r, ++ # for uvtool ++ /var/lib/uvtool/libvirt/images/** r, ++ # for multipass ++ /var/snap/multipass/common/data/multipassd/vault/instances/** r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r,
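Review bot: replacing `/var/lib/nova/instances/_base/* r,` with `/var/lib/nova/instances/_base/** r,` and adding the other `**` rules widens virt-aa-helper's read access from a single directory level to whole subtrees, and `/var/lib/eucalyptus/instances/**/disk* r,` matches any file whose name starts with `disk`, not only disk images; since virt-aa-helper runs as root and derives the per-guest rules, each rule should be as narrow as the on-disk layout allows, and the description ("Got various updates over time") should record which bug required the recursive form. `/var/snap/multipass/common/data/multipassd/vault/instances/** r,` in particular grants read access to everything below a directory named `vault`; if that tree also stores credentials, a more specific subpath would be safer.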
  60. Download patch debian/patches/stable/lp-1868539-qemu-save-restore-original-error-when-recovering-fro.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-save-restore-original-error-when-recovering-fro.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-save-restore-original-error-when-recovering-fro.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,60 @@ +From 3f8b57a61fdc2f685a46f52fc794225615b0e38a Mon Sep 17 00:00:00 2001 +From: Laine Stump <laine@redhat.com> +Date: Thu, 13 Feb 2020 11:57:43 -0500 +Subject: [PATCH] qemu: save/restore original error when recovering from failed + bridge attach +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Not only was the original error code destroyed in the case of +encountering an error during recovery from a failed attach to the +bridge (and then *that* error was destroyed by logging a *second* +error about the failure to recover - virNetDevBridgeAddPort() already +logs an error, so the one about failing to recover was redundant), but +if the recovery was successful, the function would then return success +to the caller even though it had failed. + +Fixes: 2711ac87160d7ac7d550c57f4339e6c6749942fa +(overwritten errors were introduced along with this functionality) +Fixes: 6bde0a1a37424c84492658223ff845b1ebb0e25c +(the wrong return value was introduced by a refactor) + +Signed-off-by: Laine Stump <laine@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=3f8b57a61f +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_hotplug.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c +index c840889968..6395826c69 100644 +--- a/src/qemu/qemu_hotplug.c ++++ b/src/qemu/qemu_hotplug.c +@@ -3352,14 +3352,13 @@ qemuDomainChangeNetBridge(virDomainObjPtr vm, + ret = virNetDevBridgeAddPort(newbridge, olddev->ifname); + virDomainAuditNet(vm, NULL, newdev, "attach", ret == 0); + if (ret < 0) { ++ virErrorPtr err; ++ ++ virErrorPreserveLast(&err); + ret = virNetDevBridgeAddPort(oldbridge, olddev->ifname); + virDomainAuditNet(vm, NULL, olddev, "attach", ret == 0); +- if (ret < 0) { +- virReportError(VIR_ERR_OPERATION_FAILED, +- 
_("unable to recover former state by adding port " +- "to bridge %s"), oldbridge); +- } +- return ret; ++ virErrorRestore(&err); ++ return -1; + } + /* caller will replace entire olddev with newdev in domain nets list */ + return 0; +-- +2.25.1 +
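Review bot: with `virErrorPreserveLast(&err)` and `virErrorRestore(&err)` the original `virNetDevBridgeAddPort(newbridge, ...)` error now survives the recovery attempt, and returning `-1` unconditionally fixes the wrong success return the description mentions, but a failed recovery is now visible only in the audit record (`virDomainAuditNet(vm, NULL, olddev, "attach", ret == 0)`): the removed `virReportError` was the only daemon-log line that said the interface was left off both bridges. A `VIR_WARN` before `virErrorRestore(&err)` when the recovery `ret < 0` would keep that signal in the log for operators without clobbering the original error.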
  61. Download patch debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,33 @@ +From 4c5da648e1f1bb3fd721de59ff8b2c3614ef07a9 Mon Sep 17 00:00:00 2001 +From: Corey Bryant <corey.bryant@canonical.com> +Date: Wed, 5 Jul 2017 17:07:48 +0200 +Subject: [PATCH 34/34] apparmor:, virt-aa-helper: access for snapped nova + +Allow access to base images stored in nova-hypervisor snap's +$SNAP_COMMON directory, enabling use of the libvirt deb from the +nova-hypervisor snap (LP: #1644507). + +Author: Corey Bryant <corey.bryant@canonical.com> +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +index 387a261..63799ea 100644 +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -69,6 +69,9 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + /var/lib/nova/instances/_base/** r, + # nova snapshots (LP: #1244694) + /var/lib/nova/instances/snapshots/** r, ++ # nova base/snapshot files in snapped nova (LP: #1644507) ++ /var/snap/nova-hypervisor/common/instances/_base/** r, ++ /var/snap/nova-hypervisor/common/instances/snapshots/** r, + # eucalyptus (LP: #564914) + /var/lib/eucalyptus/instances/**/disk* r, + # eucalyptus loader (LP: #637544) +-- +2.7.4 +
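Review bot: the context lines of this hunk (`/var/lib/nova/instances/_base/** r,` and `# nova snapshots (LP: #1244694)`) come from the Ubuntu-only 0020 patch, so this patch applies only after it; the series order satisfies that, but a line in the description stating the dependency would help anyone rebasing the `ubuntu-aa/` set. The Subject also carries a stray comma in `apparmor:, virt-aa-helper`.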
  62. Download patch debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0030-virt-aa-helper-Complete-9p-support.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,36 @@ +From b6911f3285a80c6bde0574f4bdc9d4294c021bf4 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@ubuntu.com> +Date: Thu, 11 May 2017 12:21:30 +0200 +Subject: [PATCH 30/33] virt-aa-helper: Complete 9p support + +Allow links on 9p shares in addition to rw. + +Note: on review Guido wondered whether it would be possible to +allow links only if the target is below the source path. If that +is possible anyhow. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/virt-aa-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index 7f3b7ad..87a5481 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -1108,7 +1108,7 @@ get_files(vahControl * ctl) + /* We don't need to add deny rw rules for readonly mounts, + * this can only lead to troubles when mounting / readonly. + */ +- if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0) ++ if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rwl", true) != 0) + goto cleanup; + } + } +-- +2.7.4 +
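Review bot: switching `"rw"` to `"rwl"` in the `vah_add_path(&buf, fs->src->path, ...)` call grants the guest's qemu process link permission on every path the share rule covers, and the description records the open review question (allow links only when the target stays below the share) without answering it; the patch should state whether the profile's link handling keeps hard links within paths the profile can already access, or use a `link` rule scoped to the share instead of the blanket `l` bit, so a 9p export cannot become a way to reach host files outside it. The sentence `If that is possible anyhow.` in the description is also incomplete and should be finished or dropped.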
  63. Download patch debian/patches/ubuntu/ovmf_paths.patch

    --- 6.0.0-1/debian/patches/ubuntu/ovmf_paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/ovmf_paths.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,60 @@ +From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> +Subject: Add paths to "ms" variants of OVMF code/vars + +The "ms" Secure Boot -enabled variants of OVMF_CODE and OVMF_VARS +both should include the added label rather than just the OVMF_CODE file: +in Ubuntu, we always build OVMF_CODE with Secure Boot enabled, as we only +build it once, but the variable store in the ms.fd file additionally +includes preloaded Microsoft KEK/DB keys, as well as an ephemeral PK/KEK +key that was generated just for that purpose (for which only the public +part is available, the secret key has been deleted). The fact that a PK, +KEK, and DB keys are loaded means Secure Boot is effectively enabled and +can validate UEFI binaries. When users use the non-secboot variant, then +Secure Boot is effectively not in use due to the absence of the keys. + +--- + src/qemu/qemu.conf | 3 ++- + src/qemu/qemu_conf.c | 3 ++- + src/qemu/test_libvirtd_qemu.aug.in | 1 + + 3 files changed, 5 insertions(+), 2 deletions(-) + +Index: b/src/qemu/qemu.conf +=================================================================== +--- a/src/qemu/qemu.conf ++++ b/src/qemu/qemu.conf +@@ -726,7 +726,8 @@ + # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +-# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd", ++# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #] + + # The backend to use for handling stdout/stderr output from +Index: b/src/qemu/qemu_conf.c +=================================================================== +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -130,7 +130,8 @@ void qemuDomainCmdlineDefFree(qemuDomain + "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + 
"/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd:" \ +- "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++ "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd:" \ ++ "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #endif + + +Index: b/src/qemu/test_libvirtd_qemu.aug.in +=================================================================== +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -93,6 +93,7 @@ module Test_libvirtd_qemu = + { "2" = "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd" } + { "3" = "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd" } + { "4" = "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" } ++ { "5" = "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" } + } + { "stdio_handler" = "logd" } + { "gluster_debug_level" = "9" }
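Review bot: the patch carries none of the DEP-3 `Forwarded:`, `Bug-Ubuntu:` or `Last-Update:` headers that the other `ubuntu/` patches in this series have, so it is unclear whether it was ever proposed upstream. The description is also the only place that spells out that `OVMF_CODE.secboot.fd:OVMF_VARS.fd` ships a variable store without PK/KEK/DB keys (so Secure Boot is effectively not enforced) while the new `OVMF_CODE.ms.fd:OVMF_VARS.ms.fd` pair does enforce it; a one-line comment beside the new entry in the `qemu.conf` hunk would stop administrators from assuming the `secboot` entry alone validates UEFI binaries. The `qemu_conf.c` default string and the augeas test entry `"5"` are consistent with the new `qemu.conf` line.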
  64. Download patch debian/patches/ubuntu/lp-1861125-qemuxml2-test-Add-default-CPU-tests-for-s390-ccw-vir.patch
  65. Download patch debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,19 @@ +Description: UBUNTU-ONLY: provide a local include to tune libvirt-qemu +This is the most likely apparmor profile that a user +wants to tune, so it should have a local include to do +so without conffile trouble. + +Forwarded: no +Forward-info: Upstream can't guarantee the existance of the includes +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1786019 +Last-Update: 2018-08-08 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -226,3 +226,6 @@ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, ++ ++ # Site-specific additions and overrides. See local/README for details. ++ #include <local/abstractions/libvirt-qemu>
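Review bot: a plain `#include <local/abstractions/libvirt-qemu>` makes `apparmor_parser` fail to load the profile when the file is absent, so the packaging must ship an (empty) `local/abstractions/libvirt-qemu` together with this change, which this patch does not show; the `Forward-info:` line acknowledges that upstream cannot guarantee the include exists, and the same caveat applies to every host this profile is installed on, so the description should say where the file is created. Also `existance` in that header should be `existence`.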
  66. Download patch debian/patches/stable/lp-1868539-virsystemdtest-do-not-leak-socket-path.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-virsystemdtest-do-not-leak-socket-path.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-virsystemdtest-do-not-leak-socket-path.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,55 @@ +From 7b6308b725f2a6b5b4a2d3b30f4577096b45a115 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Sat, 22 Feb 2020 00:57:33 +0100 +Subject: [PATCH] virsystemdtest: do not leak socket path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use an autofree'd helper variable to store the socket path +and free it after the function finishes. + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: 5b8569dd6e284b9159c701e8bffafb196983fc4a +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=7b6308b725 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + tests/virsystemdtest.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tests/virsystemdtest.c b/tests/virsystemdtest.c +index b7dfd64d06..1e36298189 100644 +--- a/tests/virsystemdtest.c ++++ b/tests/virsystemdtest.c +@@ -555,12 +555,15 @@ testActivation(bool useNames) + size_t nfds = 0; + g_autoptr(virSystemdActivation) act = NULL; + g_auto(virBuffer) names = VIR_BUFFER_INITIALIZER; ++ g_autofree char *demo_socket_path = NULL; + + virBufferAddLit(&names, "demo-unix.socket"); + + if (testActivationCreateFDs(&sockUNIX, &sockIP, &nsockIP) < 0) + return -1; + ++ demo_socket_path = virNetSocketGetPath(sockUNIX); ++ + for (i = 0; i < nsockIP; i++) + virBufferAddLit(&names, ":demo-ip.socket"); + +@@ -577,7 +580,7 @@ testActivation(bool useNames) + + map[0].name = "demo-unix.socket"; + map[0].family = AF_UNIX; +- map[0].path = virNetSocketGetPath(sockUNIX); ++ map[0].path = demo_socket_path; + + map[1].name = "demo-ip.socket"; + map[1].family = AF_INET; +-- +2.25.1 +
  67. Download patch debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/lp-1847361-load-versioned-module.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,44 @@ +Description: allow loading modules from /var/run + apparmor: qemu load old shared objects + + On qemu upgrades the old .so files usually are replaced. But on the other + hand since a qemu process represents a guest instance it is usually kept + around. + + That makes late addition of dynamic features e.g. 'hot-attach of a ceph + disk' fail by trying to load a new version of e.f. block-rbd.so into an + old still running qemu binary. + + Qemu adds a fallback to also load modules from a versioned directory in the + temporary /var/run path. That way qemu is providing a way for packaging + to store modules of an upgraded qemu package as needed until the next reboot. + + This change is allowing the qemu process access to these paths. + + Background: + This is a continuation of a discussion at KVM Forum 2019 eventually + becoming [1] and recently this change is queued to get into qemu properly [2]. + + [1]: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg00005.html + [2]: https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg03313.html + + 
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Forwarded: yes, https://www.redhat.com/archives/libvir-list/2020-March/msg00486.html +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1847361 +Last-Update: 2020-03-13 +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -164,6 +164,11 @@ + /usr/{lib,lib64}/qemu/*.so mr, + /usr/lib/@{multiarch}/qemu/*.so mr, + ++ # let qemu load old shared objects after upgrades (LP: #1847361) ++ /{var/,}run/qemu/*/*.so mr, ++ # but explicitly deny with auditing writing to these files ++ audit deny /{var/,}run/qemu/*/*.so w, ++ + # swtpm + /{usr/,}bin/swtpm rmix, + /usr/{lib,lib64}/libswtpm_libtpms.so mr,
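Review bot: `/{var/,}run/qemu/*/*.so mr,` lets a confined qemu map code from a tmpfs directory, so the integrity of anything loaded from there rests entirely on who can write to `/run/qemu/<version>/`; the accompanying `audit deny /{var/,}run/qemu/*/*.so w,` only stops the qemu process itself from writing and does nothing against other local users, and the requirement that the directory be root-owned and not group- or world-writable is not stated anywhere in the patch. The description should document that the qemu packaging is responsible for creating `/run/qemu` with safe permissions, since this profile change assumes it. Minor: `e.f. block-rbd.so` in the description should read `e.g.`.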
  68. Download patch debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,34 @@ +From b1d54d7e56da3961f9db8705f7a5eaecd6f9222c Mon Sep 17 00:00:00 2001 +From: Stefan Bader <stefan.bader@canonical.com> +Date: Tue, 23 May 2017 17:21:08 +0200 +Subject: [PATCH 32/33] apparmor, libvirt-qemu: Allow reading charm-specific + ceph config + +Allows reading ceph configuration files from (juju) charm +specific location and silence denial messages which were +occuring related to that. + +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1403648 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Signed-off-by: Stefan Bader <stefan.bader@canonical.com> +--- + src/security/apparmor/libvirt-qemu | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -219,6 +219,12 @@ + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + ++ # allow access to charm-specific ceph config (LP: #1403648). ++ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579) ++ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674) ++ /var/lib/charm/*/ceph.conf r, ++ /run/ceph/rbd-client-*.asok rw, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r,
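Review bot: the commit body says the patch will `silence denial messages`, but the rule comment added in the hunk says the opposite (`No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)`), so the description is stale relative to the rules and should be rewritten; the hunk also adds `/run/ceph/rbd-client-*.asok rw,` (LP: #1779674), which the description does not mention, and `occuring` should be `occurring`.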
  69. Download patch debian/patches/ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch

    --- 6.0.0-1/debian/patches/ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,66 @@ +From 5a21fd513adcbd0738bf5528f835083cfb92fc86 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Thu, 30 Jan 2020 08:12:38 +0100 +Subject: [PATCH] apparmor: fix qemu_bridge_helper for named profile + +Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile" +the detection of the subelement for qemu_bridge_helper is wrong. + +In combination with the older 123cc3e1 "apparmor: allow +/usr/lib/qemu/qemu-bridge-helper" it now detects qemu-bridge-helper no +more with its path, but instead as a proper subelement of the named profile +like: label=libvirtd//qemu_bridge_helper + +In the same fashion the reverse rule in the qemu_bridge_helper +sub-profile still uses the path and not the named profile label. + +Triggering denies like: +apparmor="DENIED" operation="file_inherit" + profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" + family="unix" sock_type="stream" protocol=0 requested_mask="send receive" + denied_mask="send receive" addr=none peer_addr=none peer="libvirtd" + +This patch fixes the unix socket rules for the communication between +libvirtd and qemu-bridge-helper to match that. 
+ +Fixes: a3ab6d42d825499af44b8f19f9299e150d9687bc +Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111 + +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=5a21fd513adcbd0738bf5528f835083cfb92fc86 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1655111 +Last-Update: 2020-01-31 + +--- + src/security/apparmor/usr.sbin.libvirtd | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/security/apparmor/usr.sbin.libvirtd b/src/security/apparmor/usr.sbin.libvirtd +index b21f31b2e1..c1acea70a1 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd ++++ b/src/security/apparmor/usr.sbin.libvirtd +@@ -61,8 +61,8 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { + signal (send) set=("kill", "term") peer=unconfined, + + # For communication/control to qemu-bridge-helper +- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper), +- signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper, ++ unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), ++ signal (send) set=("term") peer=libvirtd//qemu_bridge_helper, + + # allow connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), +@@ -120,7 +120,7 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { + network inet stream, + + # For communication/control from libvirtd +- unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), ++ unix (send, receive) type=stream addr=none peer=(label=libvirtd), + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, + +-- +2.25.0 +
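Review bot: the second hunk (`@@ -120,7 +120,7 @@`) replaces the unix rule's peer outright (`peer=(label=/usr/sbin/libvirtd)` becomes `peer=(label=libvirtd)`) while the two `signal (receive)` rules directly below it keep both the old path-based peer and the new named-profile peer; either the unix rule should keep both forms for the same transition period, or the now-dead `signal (receive) set=("term") peer=/usr/sbin/libvirtd,` line should be dropped in this patch so the profile does not carry a mix of conventions. The denial quoted in the description (`profile="libvirtd//qemu_bridge_helper"`, `peer="libvirtd"`) confirms that the named-profile labels are what the kernel reports.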
  70. Download patch debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,41 @@ +From a7cf113469ba32951a0cfa44a35992153ae876c8 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Date: Tue, 4 Jul 2017 07:57:19 +0200 +Subject: [PATCH 33/33] UBUNTU-only: apparmor: for kvm.powerpc (LP: #1680384) + +The (so far) Ubuntu only kvm wrappers call a lot more on ppc. +Since this is already considered as the qemu binary it must be opened up +in apparmor to work. +So allow these extra tools executed by kvm.powerpc + +Note: this got added in 1680384 and extended by 1686621 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> + +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Forwarded: no +Forward-info: Distro specific +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1680384 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686621 +Last-Update: 2018-06-17 +--- + src/security/apparmor/libvirt-qemu | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -203,6 +203,13 @@ + /var/lib/charm/*/ceph.conf r, + /run/ceph/rbd-client-*.asok rw, + ++ # kvm.powerpc executes/accesses this ++ /{usr/,}bin/uname rmix, ++ /{usr/,}sbin/ppc64_cpu rmix, ++ /{usr/,}bin/grep rmix, ++ /sys/devices/system/cpu/subcores_per_core r, ++ /sys/devices/system/cpu/cpu*/online r, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r,
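Review bot: the five new rules go unconditionally into the shared `libvirt-qemu` profile, so `/{usr/,}bin/uname rmix`, `/{usr/,}sbin/ppc64_cpu rmix` and `/{usr/,}bin/grep rmix` become executable (under the guest's own confinement, given `ix`) for every qemu process on every architecture, not only where the `kvm.powerpc` wrapper is the configured emulator; the description justifies them for ppc only, so either scope them or state that the wider exposure is accepted. The DEP-3 header block is also duplicated: `Forwarded:` appears twice (`no (part of continuous upstreaming effort)` and `no`) alongside a second `Author:`/`Signed-off-by:` pair; keep one set.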
  71. Download patch debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-g_autoptr-for-virComm.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-g_autoptr-for-virComm.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemuDomainSaveImageStartVM-Use-g_autoptr-for-virComm.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,40 @@ +From 82e127e34350dc0ed908611a3b2a4fbd78ad9903 Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 13 Jan 2020 11:05:41 +0100 +Subject: [PATCH] qemuDomainSaveImageStartVM: Use g_autoptr() for virCommand + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=82e127e34 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index e1f8968136..3c1fb11b10 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6804,7 +6804,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + bool restored = false; + virObjectEventPtr event; + VIR_AUTOCLOSE intermediatefd = -1; +- virCommandPtr cmd = NULL; ++ g_autoptr(virCommand) cmd = NULL; + g_autofree char *errbuf = NULL; + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); + virQEMUSaveHeaderPtr header = &data->header; +@@ -6920,7 +6920,6 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, + + cleanup: + virObjectUnref(cookie); +- virCommandFree(cmd); + if (qemuSecurityRestoreSavedStateLabel(driver, vm, path) < 0) + VIR_WARN("failed to restore save state label on %s", path); + return ret; +-- +2.25.1 +
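Review bot: with `g_autoptr(virCommand) cmd` the command is now released when the function returns, that is after the qemuSecurityRestoreSavedStateLabel() call in the cleanup: label, whereas the removed `virCommandFree(cmd)` ran before it. That is fine as long as nothing between those two points depends on resources held by cmd, which the hunk does not show; a sentence in the commit message that the later release is intentional would spare the next reader the check.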
  72. Download patch debian/libvirt-daemon-system.install

    --- 6.0.0-1/debian/libvirt-daemon-system.install 2020-01-11 11:25:55.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon-system.install 2020-06-22 19:30:50.000000000 +0000 @@ -5,4 +5,4 @@ etc/libvirt/virtlockd.conf etc/libvirt/virtlogd.conf etc/sasl2/* usr/share/polkit-1 -usr/lib/firewalld/zones/libvirt.xml +etc/dnsmasq.d-available/libvirt-daemon
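Review bot: usr/lib/firewalld/zones/libvirt.xml is dropped from libvirt-daemon-system here, but nothing in this diff says whether the file is still built or which package is meant to ship it; if the build keeps producing it and no other .install lists it, dh_missing will flag it, so either stop building it in d/rules or note the intended owner. The new etc/dnsmasq.d-available/libvirt-daemon entry matches what the postinst later symlinks into /etc/dnsmasq.d.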
  73. Download patch debian/libvirt-clients.install

    --- 6.0.0-1/debian/libvirt-clients.install 2020-02-12 10:52:12.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-clients.install 2020-06-22 19:30:50.000000000 +0000 @@ -5,3 +5,4 @@ etc/libvirt/libvirt.conf etc/libvirt/libvirt-admin.conf usr/share/man/man7/virkeycode-*.7 usr/share/man/man7/virkeyname-*.7 +etc/profile.d/libvirt-uri.sh
  74. Download patch debian/patches/stable/lp-1868539-qemu-Don-t-compare-local-and-remote-hostnames-on-mig.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-Don-t-compare-local-and-remote-hostnames-on-mig.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-Don-t-compare-local-and-remote-hostnames-on-mig.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,62 @@ +From 6799b72d927015db4ce4cab879f072abc91a41ae Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Tue, 25 Feb 2020 15:53:12 +0100 +Subject: [PATCH] qemu: Don't compare local and remote hostnames on migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Libvirt tries to forbid migration onto the same host and it does +that by checking if local and remote hostnames are the same and +whether local and remote UUIDs are the same. Well, the latter +makes sense but the former doesn't really because libvirtd can be +running inside an UTS namespace and hostnames can appear the same +on both sides of migration. On the other hand, host UUIDs are +unique, so rely on them when trying to prevent migration onto the +same host. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1639596 + +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=6799b72d92 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_migration_cookie.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/qemu/qemu_migration_cookie.c b/src/qemu/qemu_migration_cookie.c +index a5a9edffc3..1d88ac1d22 100644 +--- a/src/qemu/qemu_migration_cookie.c ++++ b/src/qemu/qemu_migration_cookie.c +@@ -1230,19 +1230,17 @@ qemuMigrationCookieXMLParse(qemuMigrationCookiePtr mig, + } + VIR_FREE(tmp); + +- /* Check & forbid "localhost" migration */ + if (!(mig->remoteHostname = virXPathString("string(./hostname[1])", ctxt))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("missing hostname element in migration data")); + goto error; + } +- if (STREQ(mig->remoteHostname, mig->localHostname)) { +- virReportError(VIR_ERR_INTERNAL_ERROR, +- _("Attempt to migrate guest to the same host %s"), +- mig->remoteHostname); +- goto 
error; +- } ++ /* Historically, this is the place where we checked whether remoteHostname ++ * and localHostname are the same. But even if they were, it doesn't mean ++ * the domain is migrating onto the same host. Rely on UUID which can tell ++ * for sure. */ + ++ /* Check & forbid localhost migration */ + if (!(tmp = virXPathString("string(./hostuuid[1])", ctxt))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("missing hostuuid element in migration data")); +-- +2.25.1 +
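Review bot: after dropping the STREQ(mig->remoteHostname, mig->localHostname) comparison, the parser still hard-fails with "missing hostname element in migration data" although remoteHostname no longer feeds the localhost check; if it is kept only for error messages or for compatibility with older peers, the new comment block should say so. The hunk also ends right after the hostuuid lookup, so the UUID comparison the comment now relies on is not in this diff; confirm that it follows and rejects same-host migration the way the removed hostname check did.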
  75. Download patch debian/patches/stable/lp-1868539-qemu-do-not-revert-to-NULL-bandwidth.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-qemu-do-not-revert-to-NULL-bandwidth.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-qemu-do-not-revert-to-NULL-bandwidth.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,45 @@ +From bd622e2a211aad449b54683e2ebd5e980418dd7c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com> +Date: Fri, 7 Feb 2020 12:40:39 +0100 +Subject: [PATCH] qemu: do not revert to NULL bandwidth +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise an attempt to set an invalid value: + virsh domiftune rhel8.2 vnet0 --outbound 4294968 +on an interface with no bandwidth set crashes. + +Signed-off-by: Ján Tomko <jtomko@redhat.com> +Fixes: f02e21cb3379a41cd42f2d8116f2d10dabace83b +https://bugzilla.redhat.com/show_bug.cgi?id=1800505 +Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=bd622e2a21 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/qemu/qemu_driver.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index e69d083836..9b244ec4f2 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -11682,8 +11682,10 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom, + net->bandwidth, + false, + !virDomainNetTypeSharesHostView(net))); +- ignore_value(virDomainNetBandwidthUpdate(net, +- net->bandwidth)); ++ if (net->bandwidth) { ++ ignore_value(virDomainNetBandwidthUpdate(net, ++ net->bandwidth)); ++ } + goto endjob; + } + +-- +2.25.1 +
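Review bot: the new `if (net->bandwidth)` guard covers only virDomainNetBandwidthUpdate(), but the call immediately above it (the one ending in `!virDomainNetTypeSharesHostView(net)));`) is still handed the same net->bandwidth, which this fix establishes can be NULL when the interface had no bandwidth configured; either confirm that callee tolerates NULL or move the guard up so both calls are skipped together. A short comment that NULL means "nothing was set, so there is nothing to revert to" would also help.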
  76. Download patch debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch

    --- 6.0.0-1/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,57 @@ +Description: UBUNTU-only: apparmor: allow vhost-net/vsock + There are use case scenarios where a guest is started without vhost-net + or vhost-vsock, but later on such devices are hot added. + In the static start with such devices virt-aa-helper could generate rules + but actually doesn't have to as libvirt mediates access and passes FDs that + qemu will use. + This works fine, but on a hotplug of such devices without a static device + being present (that would have added the rule on start) we only have the + labeling calls of the security modules which do not vocer vhost-net/vsock. + The paths are considered security sensitive in general but even without + apparmor are protected by DAC due to Ubuntu by default not running guests + as root user or group. + To make people changing user/group aware this also adds a comment about it + to the qemu.conf file. + Under this constraint (warn in the .conf) we got the ack from security to + do this change for the comfort of our users until a more complex change like + new labellig calls is implemented. +Forwarded: yes (nacked, but complex solution has unknown ETA) +Author: Christian Ehrhardt <christian.ehrhardt@canonical.com> +Origin: https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1815910 +Last-Update: 2019-05-15 + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -236,6 +236,11 @@ + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + ++ # for vhost-net/vsock/scsi hotplug (LP: #1815910) ++ /dev/vhost-net rw, ++ /dev/vhost-vsock rw, ++ /dev/vhost-scsi rw, ++ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, +--- a/src/qemu/qemu.conf ++++ b/src/qemu/qemu.conf +@@ -433,6 +433,17 @@ + # can be used to ensure that a user id will not be interpreted as a user + # name. 
+ # ++# By default libvirt runs VMs as non-root and uses AppArmor profiles ++# to provide host protection and VM isolation. While AppArmor ++# continues to provide this protection when the VMs are running as ++# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is ++# allowed by default in the AppArmor security policy, so malicious VMs ++# running as root would have direct access to this file. If changing this ++# to run as root, you may want to remove this access from ++# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see: ++# https://launchpad.net/bugs/1815910 ++# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html ++# + # Some examples of valid values are: + # + # user = "qemu" # A user named "qemu"
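Review bot: the three `/dev/vhost-* rw` rules go into the libvirt-qemu abstraction and therefore into every guest's profile whether or not the guest ever gets such a device, so the only thing keeping a guest off these nodes is DAC, as the Description concedes. The qemu.conf comment that mirrors this should read "these files" rather than "this file", and telling admins to edit /etc/apparmor.d/abstractions/libvirt-qemu is fragile because the package owns that file; a `deny /dev/vhost-* rw,` line is what an admin running guests as root actually needs, and deny takes precedence over the allow rule. The Subject also says vhost-net/vsock while the rules and comment cover vhost-scsi too; align the description.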
  77. Download patch debian/patches/ubuntu/ubuntu_machine_type.patch

    --- 6.0.0-1/debian/patches/ubuntu/ubuntu_machine_type.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/ubuntu/ubuntu_machine_type.patch 2020-06-22 19:30:50.000000000 +0000 @@ -0,0 +1,14 @@ +Description: Extend libvirt checks for ubuntu machine types +Author: Felix Geyer <debfx@ubuntu.com> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1379346 +Last-Update: 2015-11-24 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -10097,6 +10097,7 @@ qemuDomainMachineIsI440FX(const char *ma + STRPREFIX(machine, "pc-0.") || + STRPREFIX(machine, "pc-1.") || + STRPREFIX(machine, "pc-i440fx-") || ++ STREQ(machine, "ubuntu") || + STRPREFIX(machine, "rhel")) { + return true; + }
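Review bot: `STREQ(machine, "ubuntu")` is correctly an exact match rather than the STRPREFIX used on the neighbouring lines, since a prefix match would also classify any Ubuntu Q35 alias as i440fx; that reasoning is not obvious next to three STRPREFIX entries, so add a one-line comment. The header is dated 2015 and has no `Forwarded:` field; state whether a generic alias hook was ever offered upstream.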
  78. Download patch debian/libvirt-daemon-system.postinst

    --- 6.0.0-1/debian/libvirt-daemon-system.postinst 2020-01-11 11:25:55.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon-system.postinst 2020-06-22 19:30:50.000000000 +0000 
@@ -65,6 +65,96 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + + # Add each sudo user to the libvirt group + for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do + adduser "$u" libvirt >/dev/null || true + done + + if ! getent group libvirt-dnsmasq >/dev/null; then + addgroup --quiet --system libvirt-dnsmasq + fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt-dnsmasq \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi + # For upgrades that still have the insecure libvirt group (too much privileges) + if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "4.0.0-1ubuntu5~"; then + if [ "$(id -r -g -n libvirt-dnsmasq)" == "libvirt" ]; then + echo "assigning libvirt-dnsmasq a less privileged group (libvirt->libvirt-dnsmasq)" + usermod libvirt-dnsmasq -g libvirt-dnsmasq + fi + fi +} + +includes_addr() { + addr=${1} + mask=${2} + viraddr=${3} + for n in $(seq 1 4); do + curaddrcomponent=$(echo "${addr}" | awk -F. '{ print $'"${n}"' }') + tgtaddrcomponent=$(echo "${viraddr}" | awk -F. '{ print $'"${n}"' }') + cmp=$((mask/8)) + if [ "${cmp}" -ge "${n}" ]; then + if [ "${curaddrcomponent}" -ne "${tgtaddrcomponent}" ]; then + echo "false" + return + fi + elif [ "$((cmp+1))" -ge "${n}" ]; then + # do we bother comparing partial (i.e. /25)? + : + else + break + fi + done + echo "true" + return +} + +set_autostart() +{ + echo "Enabling libvirt default network" + if [ ! -e /etc/libvirt/qemu/networks/autostart/default.xml ]; then + ln -s /etc/libvirt/qemu/networks/default.xml \ + /etc/libvirt/qemu/networks/autostart/ + fi +} + +# on first install, don't set default network to autostart if we already +# have a conflicting network. Good for instance for nested libvirt. 
+maybe_set_autostart() +{ + # 122 is the common default, but iterate a few more options + for thirdoctet in $(seq 122 128); do + tryip="192.168.${thirdoctet}.1" + found=0 + for pair in $(ip addr show | grep "inet\>" |awk '{ print $2 }'); do + a=$(echo "$pair" | awk -F/ '{ print $1}') + m=$(echo "$pair" | awk -F/ '{ print $2}') + res=$(includes_addr "${a}" "${m}" "${tryip}") + if [ "${res}" = "true" ]; then + found=1 + fi + done + if [ $found -ne 1 ]; then + # found a free subnet + if [ "${thirdoctet}" -ne "122" ]; then + echo "Default libvirt network on 192.168.122.1/24 already taken" + echo "Changing to free 192.168.${thirdoctet}.1/24" + sed -i 's/192.168.122/192.168.'"${thirdoctet}"'/g' /etc/libvirt/qemu/networks/default.xml + fi + set_autostart + return + fi + done + echo "Not enabling default network as no free network was found" } @@ -134,6 +224,12 @@ case "$1" in # Force refresh of capabilties (#731815) rm -f /var/cache/libvirt/qemu/capabilities/*.xml + + # On an initial package install, create the default network autostart + # symlink if on a system that it will work on. + if [ -z $2 ]; then + maybe_set_autostart + fi ;; abort-upgrade|abort-remove|abort-deconfigure) 
@@ -147,11 +243,43 @@ esac db_stop +# dh_apparmor can't work with dir/file profile filenames, also we don't want +# the reload section of dh_apparmor - just the install of an empty include +if [ "$1" = "configure" ]; then + APP_PROFILE="/etc/apparmor.d/abstractions/libvirt-qemu" + if [ -f "$APP_PROFILE" ]; then + # Add the local/ include + LOCAL_APP_PROFILE="/etc/apparmor.d/local/abstractions/libvirt-qemu" + + test -e "$LOCAL_APP_PROFILE" || { + mkdir -p `dirname "$LOCAL_APP_PROFILE"` + install --mode 644 /dev/null "$LOCAL_APP_PROFILE" + } + fi +fi + # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/libvirt-daemon ]; then + echo "Setting up libvirt-daemon dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/libvirt-daemon ]; then + ln -s /etc/dnsmasq.d-available/libvirt-daemon \ + /etc/dnsmasq.d/libvirt-daemon + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi +fi + exit 0
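Review bot: the `for u in $(getent group sudo ...)` loop in add_users_groups() adds every member of sudo to the libvirt group on every configure run, not only on first install (unlike the libvirt-dnsmasq regrouping below it, it is not guarded by "$2"), and membership in libvirt is full control of libvirtd, which on this package means root-equivalent access to the host. An admin who deliberately removed a sudo user from libvirt will find them silently re-added by the next upgrade; limit the loop to fresh installs (`[ -z "$2" ]`) and mention the behaviour in the package description or NEWS. In the same hunk, `[ "$(id -r -g -n libvirt-dnsmasq)" == "libvirt" ]` uses the bash-only `==`; use `=` so the script stays valid under /bin/sh. includes_addr() treats any mask that is not a multiple of 8 as "address included" via the `:` branch, which is the safe direction for a conflict check but deserves a comment saying it is deliberate.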
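Review bot: in the @@ -134 hunk `if [ -z $2 ]` leaves "$2" unquoted; it only works on first install because a bare `[ -z ]` happens to evaluate true, so quote it. In maybe_set_autostart() the `sed -i 's/192.168.122/.../g'` rewrites the shipped default.xml in place with unescaped dots; fine in practice, but escape them or anchor the pattern on the address attribute so a future edit to the file cannot be mangled.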
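Review bot: in the dnsmasq block of the @@ -147 hunk, `invoke-rc.d dnsmasq restart` runs on every configure, not only when the /etc/dnsmasq.d/libvirt-daemon link was just created, so each libvirt upgrade bounces a system-wide dnsmasq that may be serving the host's DNS; move the restart inside the `if [ ! -e ... ]` branch. In the AppArmor block, `mkdir -p \`dirname "$LOCAL_APP_PROFILE"\`` should use `$(...)` with the result quoted, and "renamming" in the comment is a typo.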
  79. Download patch debian/patches/ubuntu/dnsmasq-as-priv-user
  80. Download patch debian/patches/stable/lp-1868539-virDomainFSDefFree-Unref-private-data.patch

    --- 6.0.0-1/debian/patches/stable/lp-1868539-virDomainFSDefFree-Unref-private-data.patch 1970-01-01 00:00:00.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/patches/stable/lp-1868539-virDomainFSDefFree-Unref-private-data.patch 2020-06-22 19:30:50.000000000 +0000 
@@ -0,0 +1,52 @@ +From d8b4f70e1e36772ef82dbe0f0706fa7845583e6c Mon Sep 17 00:00:00 2001 +From: Michal Privoznik <mprivozn@redhat.com> +Date: Fri, 21 Feb 2020 08:27:50 +0100 +Subject: [PATCH] virDomainFSDefFree: Unref private data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The privateData object is allocated in virDomainFSDefNew() but +never unref'd. + +==119642== 480 bytes in 20 blocks are definitely lost in loss record 656 of 671 +==119642== at 0x4837B86: calloc (vg_replace_malloc.c:762) +==119642== by 0x57806A0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.7) +==119642== by 0x4AE7392: virAllocVar (viralloc.c:331) +==119642== by 0x4B64395: virObjectNew (virobject.c:241) +==119642== by 0x48F1464: qemuDomainFSPrivateNew (qemu_domain.c:1427) +==119642== by 0x4BBF004: virDomainFSDefNew (domain_conf.c:2307) +==119642== by 0x4BD859A: virDomainFSDefParseXML (domain_conf.c:11217) +==119642== by 0x4BF9DD1: virDomainDefParseXML (domain_conf.c:21179) +==119642== by 0x4BFCD5B: virDomainDefParseNode (domain_conf.c:21943) +==119642== by 0x4BFCC36: virDomainDefParse (domain_conf.c:21901) +==119642== by 0x4BFCCCB: virDomainDefParseFile (domain_conf.c:21924) +==119642== by 0x114A9D: testCompareXMLToArgv (qemuxml2argvtest.c:452) + +Fixes: 5120577ed79f89e172e3deed534fa9b585f4701f +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> + +Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=d8b4f70e1e +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868539 +Last-Update: 2020-03-23 + +--- + src/conf/domain_conf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c +index a2603f095e..bd2ca53f1d 100644 +--- a/src/conf/domain_conf.c ++++ b/src/conf/domain_conf.c +@@ -2324,6 +2324,7 @@ void virDomainFSDefFree(virDomainFSDefPtr def) + VIR_FREE(def->dst); + virDomainDeviceInfoClear(&def->info); + VIR_FREE(def->virtio); ++ 
virObjectUnref(def->privateData); + + VIR_FREE(def); + } +-- +2.25.1 +
  81. Download patch debian/libvirt-daemon-system.postrm

    --- 6.0.0-1/debian/libvirt-daemon-system.postrm 2020-01-11 11:25:55.000000000 +0000 +++ 6.0.0-0ubuntu11/debian/libvirt-daemon-system.postrm 2020-06-22 19:30:50.000000000 +0000 @@ -25,13 +25,22 @@ case "$1" in delgroup libvirt >/dev/null || true fi + if getent group libvirt-qemu >/dev/null; then + delgroup libvirt-qemu >/dev/null || true + fi if getent passwd libvirt-qemu >/dev/null; then deluser libvirt-qemu >/dev/null || true fi - if getent group libvirt-qemu >/dev/null; then - delgroup libvirt-qemu >/dev/null || true - fi + # a running libvirt-dnsmasq will break these removals + # yet the lifecycle of the network is non-related to the pkg purge + # Therefore ignore errors on these removals, better leave a user than break + if getent group libvirt-dnsmasq >/dev/null; then + delgroup libvirt-dnsmasq --system 2>/dev/null >/dev/null || true + fi + if getent passwd libvirt-dnsmasq >/dev/null; then + deluser libvirt-dnsmasq --system 2>/dev/null >/dev/null || true + fi # Clean up logs and cached capabilities rm -rf /var/log/libvirt \ @@ -51,8 +60,21 @@ case "$1" in /var/cache/libvirt/qemu; do [ ! -d $dir ] || rmdir --ignore-fail-on-non-empty $dir done + + # Remove the link set up by postinst + rm -f /etc/libvirt/qemu/networks/autostart/default.xml + + ;; + remove) + if [ -L /etc/dnsmasq.d/libvirt-daemon ]; then + echo "Removing libvirt-daemon dnsmasq configuration" + rm -f /etc/dnsmasq.d/libvirt-daemon 2>/dev/null || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *)
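Review bot: the purge branch now runs `delgroup libvirt-qemu` before `deluser libvirt-qemu`, the reverse of the original order, with no comment saying why; since both are `|| true`, a delgroup that fails because the group is still a user's primary group just leaves it behind silently. Either restore the user-then-group order or give the reason in a comment like the one added for libvirt-dnsmasq. Splitting `remove)` out of the combined case is correct, since dpkg always runs remove before purge, so the dnsmasq link is cleaned up on both paths; the new `rm -f .../autostart/default.xml` on purge matches the symlink the postinst creates.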


Source: libvirt-sandbox

libvirt-sandbox (0.5.1+git20160404-1ubuntu2) focal; urgency=medium * No-change rebuild with fixed binutils on arm64. -- Matthias Klose <doko@ubuntu.com> Mon, 10 Feb 2020 08:23:14 +0100 libvirt-sandbox (0.5.1+git20160404-1ubuntu1) focal; urgency=medium * Build-depend on dh-python. * virt-sandbox: Depend on python2 instead of python. -- Matthias Klose <doko@ubuntu.com> Fri, 10 Jan 2020 15:26:54 +0100

Modifications:
  1. Download patch debian/rules

    --- 0.5.1+git20160404-1/debian/rules 2017-05-28 13:18:03.000000000 +0000 +++ 0.5.1+git20160404-1ubuntu2/debian/rules 2020-01-10 14:26:47.000000000 +0000 @@ -12,7 +12,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardeni # main packaging script based on dh7 syntax %: - dh $@ --buildsystem=autoconf + dh $@ --with python2 --buildsystem=autoconf override_dh_auto_configure:
  2. Download patch debian/control

    --- 0.5.1+git20160404-1/debian/control 2017-05-28 13:18:03.000000000 +0000 +++ 0.5.1+git20160404-1ubuntu2/debian/control 2020-01-10 14:26:33.000000000 +0000 @@ -7,6 +7,7 @@ Build-Depends: autoconf, automake, debhelper (>= 9), + dh-python, python2, gtk-doc-tools, intltool, libcap-ng-dev, @@ -26,7 +27,7 @@ Package: virt-sandbox Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, - python, + python2, gir1.2-libvirt-sandbox-1.0 (= ${binary:Version}), Suggests: libguestfs-tools Description: Application sandbox toolkit
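Review bot: `+ dh-python, python2,` puts two build-dependencies on one line where the rest of the Build-Depends list keeps one entry per line; split it. Together with the `--with python2` in d/rules, switching the runtime Depends from python to python2 pins virt-sandbox to Python 2; the changelog gives no hint of a port, so a comment or bug reference on where that stands would help the next uploader.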