rpms
/
libvirt
7
0
Fork 1
Code Issues Pull Requests Releases Activity

libvirt-9.0.0-4.el9 

- qemuProcessStop: Fix detection of outgoing migration for external devices (rhbz#2161557)
- qemuExtTPMStop: Restore TPM state label more often (rhbz#2161557)
- qemuProcessLaunch: Tighten rules for external devices wrt incoming migration (rhbz#2161557)
- qemu_process: Produce better debug message wrt domain namespaces (rhbz#2167302)
- qemu_namespace: Deal with nested mounts when umount()-ing /dev (rhbz#2167302)
- qemuProcessRefreshDisks: Don't skip filling of disk information if tray state didn't change (rhbz#2166411)

Resolves: rhbz#2161557, rhbz#2166411, rhbz#2167302
This commit is contained in:
Jiri Denemark 2023-02-09 11:24:05 +01:00
parent ff5db98bff
commit 18102c088b
7 changed files with 366 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch Normal file
View File

@ -0,0 +1,51 @@
From 01d7e15c8c4a33a379e8297182dc474bb2046d2a Mon Sep 17 00:00:00 2001
Message-Id: <01d7e15c8c4a33a379e8297182dc474bb2046d2a@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 27 Jan 2023 10:46:55 +0100
Subject: [PATCH] qemuExtTPMStop: Restore TPM state label more often
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When stopping swtpm we can restore the label either on just the
swtpm's domain specific logfile (/var/log/swtpm/libvirt/qemu/...),
or on the logfile and the state too (/var/lib/libvirt/swtpm/...).
The deciding factor is whether the guest is stopped because of
outgoing migration OR the state is on a shared filesystem.
But this is not correct condition, because for instance saving the
guest into a file (virsh save) is also an outgoing migration.
Alternatively, when the swtpm state is stored on a shared
filesystem, but the guest is destroyed (virsh destroy), i.e.
stopped because of different reason than migration, we want to
restore the seclabels.
The correct condition is: skip restoring the state on outgoing
migration AND shared filesystem.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 794fddf866676ef4119b3acf43b5547a9e868bb9)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_tpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index b2748eb6a4..5831ffc32e 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -1142,7 +1142,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
return;
qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
- if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+ if (outgoingMigration && qemuTPMHasSharedStorage(vm->def))
restoreTPMStateLabel = false;
if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)
--
2.39.1

69
libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch Normal file
View File

@ -0,0 +1,69 @@
From dd64ec40a29739464cfe886818588bb9946b8d8d Mon Sep 17 00:00:00 2001
Message-Id: <dd64ec40a29739464cfe886818588bb9946b8d8d@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 27 Jan 2023 13:59:08 +0100
Subject: [PATCH] qemuProcessLaunch: Tighten rules for external devices wrt
incoming migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When starting a guest, helper processes are started first. But
they need a bit of special handling. Just consider a regular cold
boot and an incoming migration. For instance, in case of swtpm
with its state on a shared volume, we want to set label on the
state for the cold boot case, but don't want to touch the label
in case of incoming migration (because the source very
specifically did not restore it either).
Until now, these two cases were differentiated by testing
@incoming against NULL. And while that makes sense for other
aspects of domain startup, for external devices we need a bit
more, because a restore from a save file is also 'incoming
migration'.
Now, there is a difference between regular migration and restore
from a save file. In the former case we do not want to set
seclabels in the save state. BUT, in the latter case we do need
to set them, because the code that saves the machine restored
seclabels.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 5c4007ddc6c29632b5cc96ab4ef81ebb7797d1bb)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_process.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2de87211fb..1217fb1856 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7620,6 +7620,7 @@ qemuProcessLaunch(virConnectPtr conn,
size_t nnicindexes = 0;
g_autofree int *nicindexes = NULL;
unsigned long long maxMemLock = 0;
+ bool incomingMigrationExtDevices = false;
VIR_DEBUG("conn=%p driver=%p vm=%p name=%s id=%d asyncJob=%d "
"incoming.uri=%s "
@@ -7674,7 +7675,13 @@ qemuProcessLaunch(virConnectPtr conn,
if (qemuDomainSchedCoreStart(cfg, vm) < 0)
goto cleanup;
- if (qemuExtDevicesStart(driver, vm, incoming != NULL) < 0)
+ /* For external devices the rules of incoming migration are a bit stricter,
+ * than plain @incoming != NULL. They need to differentiate between
+ * incoming migration and restore from a save file. */
+ incomingMigrationExtDevices = incoming &&
+ vmop == VIR_NETDEV_VPORT_PROFILE_OP_MIGRATE_IN_START;
+
+ if (qemuExtDevicesStart(driver, vm, incomingMigrationExtDevices) < 0)
goto cleanup;
if (!(cmd = qemuBuildCommandLine(vm,
--
2.39.1

62
libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch Normal file
View File

@ -0,0 +1,62 @@
From b53d7b7150f81ee6f014815fa7ee3f1106c491d5 Mon Sep 17 00:00:00 2001
Message-Id: <b53d7b7150f81ee6f014815fa7ee3f1106c491d5@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 9 Feb 2023 09:40:32 +0100
Subject: [PATCH] qemuProcessRefreshDisks: Don't skip filling of disk
information if tray state didn't change
Commit 5ef2582646eb98 added emitting of even when refreshign disk state,
where it wanted to avoid sending the event if disk state didn't change.
This was achieved by using 'continue' in the loop filling the
information. Unfortunately this skips extraction of whether the device
has a tray which is propagated into internal structures, which in turn
broke cdrom media change as the code thought there's no tray for the
device.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2166411
Fixes: 5ef2582646eb98af208ce37355f82bdef39931fa
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Kristina Hanicova <khanicov@redhat.com>
(cherry picked from commit 86cfe93ef7fdc2d665a2fc88b79af89e7978ba78)
---
src/qemu/qemu_process.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 32083de563..7ae859d68f 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8713,16 +8713,13 @@ qemuProcessRefreshDisks(virDomainObj *vm,
continue;
if (info->removable) {
- virObjectEvent *event = NULL;
+ bool emitEvent = info->tray_open != disk->tray_status;
int reason;
if (info->empty)
virDomainDiskEmptySource(disk);
if (info->tray) {
- if (info->tray_open == disk->tray_status)
- continue;
-
if (info->tray_open) {
reason = VIR_DOMAIN_EVENT_TRAY_CHANGE_OPEN;
disk->tray_status = VIR_DOMAIN_DISK_TRAY_OPEN;
@@ -8731,8 +8728,10 @@ qemuProcessRefreshDisks(virDomainObj *vm,
disk->tray_status = VIR_DOMAIN_DISK_TRAY_CLOSED;
}
- event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
- virObjectEventStateQueue(driver->domainEventState, event);
+ if (emitEvent) {
+ virObjectEvent *event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason);
+ virObjectEventStateQueue(driver->domainEventState, event);
+ }
}
}
--
2.39.1

46
libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch Normal file
View File

@ -0,0 +1,46 @@
From 102efebe3cd2bfebace026744a7835309cf124fa Mon Sep 17 00:00:00 2001
Message-Id: <102efebe3cd2bfebace026744a7835309cf124fa@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Fri, 27 Jan 2023 10:45:50 +0100
Subject: [PATCH] qemuProcessStop: Fix detection of outgoing migration for
external devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When cleaning up host in qemuProcessStop(), our external helper
processes (e.g. swtpm) want to know whether the domain is being
migrated out or not (so that they restore seclabels on a device
state that's on a shared storage).
This fact is reflected in the @outgoingMigration variable which
is set to true if asyncJob is anything but
VIR_ASYNC_JOB_MIGRATION_IN. Well, we have a specific job for
outgoing migration (VIR_ASYNC_JOB_MIGRATION_OUT) and thus we
should check for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 88f0fbf63851c6ae80ad03b2a05a966d8a2f296c)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_process.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 29716ecb19..2de87211fb 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8397,7 +8397,7 @@ void qemuProcessStop(virQEMUDriver *driver,
qemuDomainCleanupRun(driver, vm);
outgoingMigration = (flags & VIR_QEMU_PROCESS_STOP_MIGRATED) &&
- (asyncJob != VIR_ASYNC_JOB_MIGRATION_IN);
+ (asyncJob == VIR_ASYNC_JOB_MIGRATION_OUT);
qemuExtDevicesStop(driver, vm, outgoingMigration);
qemuDBusStop(driver, vm);
--
2.39.1

59
libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch Normal file
View File

@ -0,0 +1,59 @@
From fd06fc3affcda0d7af1721c26915b8d87e0b2614 Mon Sep 17 00:00:00 2001
Message-Id: <fd06fc3affcda0d7af1721c26915b8d87e0b2614@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 7 Feb 2023 15:06:32 +0100
Subject: [PATCH] qemu_namespace: Deal with nested mounts when umount()-ing
/dev
In one of recent commits (v9.0.0-rc1~106) I've made our QEMU
namespace code umount the original /dev. One of the reasons was
enhanced security, because previously we just mounted a tmpfs
over the original /dev. Thus a malicious QEMU could just
umount("/dev") and it would get to the original /dev with all
nodes.
Now, on some systems this introduced a regression:
failed to umount devfs on /dev: Device or resource busy
But how this could be? We've moved all file systems mounted under
/dev to a temporary location. Or have we? As it turns out, not
quite. If there are two file systems mounted on the same target,
e.g. like this:
mount -t tmpfs tmpfs /dev/shm/ && mount -t tmpfs tmpfs /dev/shm/
then only the top most (i.e. the last one) is moved. See
qemuDomainUnshareNamespace() for more info.
Now, we could enhance our code to deal with these "doubled" mount
points. Or, since it is the top most file system that is
accessible anyways (and this one is preserved), we can
umount("/dev") in a recursive fashion.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167302
Fixes: 379c0ce4bfed8733dfbde557c359eecc5474ce38
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit 5155ab4b2a704285505dfea6ffee8b980fdaa29e)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 5769a4dfe0..5fc043bd62 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -777,7 +777,7 @@ qemuDomainUnshareNamespace(virQEMUDriverConfig *cfg,
}
#if defined(__linux__)
- if (umount("/dev") < 0) {
+ if (umount2("/dev", MNT_DETACH) < 0) {
virReportSystemError(errno, "%s", _("failed to umount devfs on /dev"));
return -1;
}
--
2.39.1

64
libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch Normal file
View File

@ -0,0 +1,64 @@
From 99f69000a1ecacc2f064043993ece8ddba366976 Mon Sep 17 00:00:00 2001
Message-Id: <99f69000a1ecacc2f064043993ece8ddba366976@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 7 Feb 2023 10:34:40 +0100
Subject: [PATCH] qemu_process: Produce better debug message wrt domain
namespaces
When going through debug log of a domain startup process, one can
meet the following line:
debug : qemuProcessLaunch:7668 : Building mount namespace
But this is in fact wrong. Firstly, domain namespaces are just
enabled in domain's privateData. Secondly, the debug message says
nothing about actual state of namespace - whether it was enabled
or not.
Therefore, move the debug printing into
qemuProcessEnableDomainNamespaces() and tweak it so that the
actual value is reflected.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit 697c16e39ae9a9e18ce7cad0729bf2293b12a307)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167302
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_process.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 1217fb1856..32083de563 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7377,11 +7377,17 @@ qemuProcessEnableDomainNamespaces(virQEMUDriver *driver,
virDomainObj *vm)
{
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
+ const char *state = "disabled";
if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT) &&
qemuDomainEnableNamespace(vm, QEMU_DOMAIN_NS_MOUNT) < 0)
return -1;
+ if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
+ state = "enabled";
+
+ VIR_DEBUG("Mount namespace for domain name=%s is %s",
+ vm->def->name, state);
return 0;
}
@@ -7705,8 +7711,6 @@ qemuProcessLaunch(virConnectPtr conn,
qemuDomainLogContextMarkPosition(logCtxt);
- VIR_DEBUG("Building mount namespace");
-
if (qemuProcessEnableDomainNamespaces(driver, vm) < 0)
goto cleanup;
--
2.39.1

16
libvirt.spec
View File

@ -229,7 +229,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 9.0.0
Release: 3%{?dist}%{?extra_release}
Release: 4%{?dist}%{?extra_release}
License: LGPLv2+
URL: https://libvirt.org/
@ -257,6 +257,12 @@ Patch16: libvirt-qemuFDPassTransferCommand-Mark-that-FD-was-passed.patch
Patch17: libvirt-qemu-fd-Add-helpers-allowing-storing-FD-set-data-in-status-XML.patch
Patch18: libvirt-qemu-domain-Store-fdset-ID-for-disks-passed-to-qemu-via-FD.patch
Patch19: libvirt-qemu-block-Properly-handle-FD-passed-disk-hot-un-plug.patch
Patch20: libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch
Patch21: libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch
Patch22: libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch
Patch23: libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch
Patch24: libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch
Patch25: libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch
Requires: libvirt-daemon = %{version}-%{release}
@ -2347,6 +2353,14 @@ exit 0
%endif
%changelog
* Thu Feb 9 2023 Jiri Denemark <jdenemar@redhat.com> - 9.0.0-4
- qemuProcessStop: Fix detection of outgoing migration for external devices (rhbz#2161557)
- qemuExtTPMStop: Restore TPM state label more often (rhbz#2161557)
- qemuProcessLaunch: Tighten rules for external devices wrt incoming migration (rhbz#2161557)
- qemu_process: Produce better debug message wrt domain namespaces (rhbz#2167302)
- qemu_namespace: Deal with nested mounts when umount()-ing /dev (rhbz#2167302)
- qemuProcessRefreshDisks: Don't skip filling of disk information if tray state didn't change (rhbz#2166411)
* Wed Feb 1 2023 Jiri Denemark <jdenemar@redhat.com> - 9.0.0-3
- src: Don't use virReportSystemError() on virProcessGetStatInfo() failure (rhbz#2148266)
- qemu: Provide virDomainGetCPUStats() implementation for session connection (rhbz#2148266)