diff --git a/libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch b/libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch new file mode 100644 index 0000000..beeb105 --- /dev/null +++ b/libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch @@ -0,0 +1,51 @@ +From 01d7e15c8c4a33a379e8297182dc474bb2046d2a Mon Sep 17 00:00:00 2001 +Message-Id: <01d7e15c8c4a33a379e8297182dc474bb2046d2a@dist-git> +From: Michal Privoznik +Date: Fri, 27 Jan 2023 10:46:55 +0100 +Subject: [PATCH] qemuExtTPMStop: Restore TPM state label more often +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When stopping swtpm we can restore the label either on just the +swtpm's domain specific logfile (/var/log/swtpm/libvirt/qemu/...), +or on the logfile and the state too (/var/lib/libvirt/swtpm/...). + +The deciding factor is whether the guest is stopped because of +outgoing migration OR the state is on a shared filesystem. + +But this is not correct condition, because for instance saving the +guest into a file (virsh save) is also an outgoing migration. +Alternatively, when the swtpm state is stored on a shared +filesystem, but the guest is destroyed (virsh destroy), i.e. +stopped because of different reason than migration, we want to +restore the seclabels. + +The correct condition is: skip restoring the state on outgoing +migration AND shared filesystem. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557 +Signed-off-by: Michal Privoznik +Reviewed-by: Ján Tomko +(cherry picked from commit 794fddf866676ef4119b3acf43b5547a9e868bb9) +Signed-off-by: Michal Privoznik +--- + src/qemu/qemu_tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c +index b2748eb6a4..5831ffc32e 100644 +--- a/src/qemu/qemu_tpm.c ++++ b/src/qemu/qemu_tpm.c +@@ -1142,7 +1142,7 @@ qemuExtTPMStop(virQEMUDriver *driver, + return; + + qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); +- if (outgoingMigration || qemuTPMHasSharedStorage(vm->def)) ++ if (outgoingMigration && qemuTPMHasSharedStorage(vm->def)) + restoreTPMStateLabel = false; + + if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0) +-- +2.39.1 + diff --git a/libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch b/libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch new file mode 100644 index 0000000..c9e421e --- /dev/null +++ b/libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch @@ -0,0 +1,69 @@ +From dd64ec40a29739464cfe886818588bb9946b8d8d Mon Sep 17 00:00:00 2001 +Message-Id: +From: Michal Privoznik +Date: Fri, 27 Jan 2023 13:59:08 +0100 +Subject: [PATCH] qemuProcessLaunch: Tighten rules for external devices wrt + incoming migration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When starting a guest, helper processes are started first. But +they need a bit of special handling. Just consider a regular cold +boot and an incoming migration. For instance, in case of swtpm +with its state on a shared volume, we want to set label on the +state for the cold boot case, but don't want to touch the label +in case of incoming migration (because the source very +specifically did not restore it either). + +Until now, these two cases were differentiated by testing +@incoming against NULL. And while that makes sense for other +aspects of domain startup, for external devices we need a bit +more, because a restore from a save file is also 'incoming +migration'. + +Now, there is a difference between regular migration and restore +from a save file. In the former case we do not want to set +seclabels in the save state. BUT, in the latter case we do need +to set them, because the code that saves the machine restored +seclabels. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557 +Signed-off-by: Michal Privoznik +Reviewed-by: Ján Tomko +(cherry picked from commit 5c4007ddc6c29632b5cc96ab4ef81ebb7797d1bb) +Signed-off-by: Michal Privoznik +--- + src/qemu/qemu_process.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 2de87211fb..1217fb1856 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -7620,6 +7620,7 @@ qemuProcessLaunch(virConnectPtr conn, + size_t nnicindexes = 0; + g_autofree int *nicindexes = NULL; + unsigned long long maxMemLock = 0; ++ bool incomingMigrationExtDevices = false; + + VIR_DEBUG("conn=%p driver=%p vm=%p name=%s id=%d asyncJob=%d " + "incoming.uri=%s " +@@ -7674,7 +7675,13 @@ qemuProcessLaunch(virConnectPtr conn, + if (qemuDomainSchedCoreStart(cfg, vm) < 0) + goto cleanup; + +- if (qemuExtDevicesStart(driver, vm, incoming != NULL) < 0) ++ /* For external devices the rules of incoming migration are a bit stricter, ++ * than plain @incoming != NULL. They need to differentiate between ++ * incoming migration and restore from a save file. */ ++ incomingMigrationExtDevices = incoming && ++ vmop == VIR_NETDEV_VPORT_PROFILE_OP_MIGRATE_IN_START; ++ ++ if (qemuExtDevicesStart(driver, vm, incomingMigrationExtDevices) < 0) + goto cleanup; + + if (!(cmd = qemuBuildCommandLine(vm, +-- +2.39.1 + diff --git a/libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch b/libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch new file mode 100644 index 0000000..c20b6c5 --- /dev/null +++ b/libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch @@ -0,0 +1,62 @@ +From b53d7b7150f81ee6f014815fa7ee3f1106c491d5 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Peter Krempa +Date: Thu, 9 Feb 2023 09:40:32 +0100 +Subject: [PATCH] qemuProcessRefreshDisks: Don't skip filling of disk + information if tray state didn't change + +Commit 5ef2582646eb98 added emitting of even when refreshign disk state, +where it wanted to avoid sending the event if disk state didn't change. +This was achieved by using 'continue' in the loop filling the +information. Unfortunately this skips extraction of whether the device +has a tray which is propagated into internal structures, which in turn +broke cdrom media change as the code thought there's no tray for the +device. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2166411 +Fixes: 5ef2582646eb98af208ce37355f82bdef39931fa +Signed-off-by: Peter Krempa +Reviewed-by: Kristina Hanicova +(cherry picked from commit 86cfe93ef7fdc2d665a2fc88b79af89e7978ba78) +--- + src/qemu/qemu_process.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 32083de563..7ae859d68f 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -8713,16 +8713,13 @@ qemuProcessRefreshDisks(virDomainObj *vm, + continue; + + if (info->removable) { +- virObjectEvent *event = NULL; ++ bool emitEvent = info->tray_open != disk->tray_status; + int reason; + + if (info->empty) + virDomainDiskEmptySource(disk); + + if (info->tray) { +- if (info->tray_open == disk->tray_status) +- continue; +- + if (info->tray_open) { + reason = VIR_DOMAIN_EVENT_TRAY_CHANGE_OPEN; + disk->tray_status = VIR_DOMAIN_DISK_TRAY_OPEN; +@@ -8731,8 +8728,10 @@ qemuProcessRefreshDisks(virDomainObj *vm, + disk->tray_status = VIR_DOMAIN_DISK_TRAY_CLOSED; + } + +- event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason); +- virObjectEventStateQueue(driver->domainEventState, event); ++ if (emitEvent) { ++ virObjectEvent *event = virDomainEventTrayChangeNewFromObj(vm, disk->info.alias, reason); ++ virObjectEventStateQueue(driver->domainEventState, event); ++ } + } + } + +-- +2.39.1 + diff --git a/libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch b/libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch new file mode 100644 index 0000000..d7bf0d4 --- /dev/null +++ b/libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch @@ -0,0 +1,46 @@ +From 102efebe3cd2bfebace026744a7835309cf124fa Mon Sep 17 00:00:00 2001 +Message-Id: <102efebe3cd2bfebace026744a7835309cf124fa@dist-git> +From: Michal Privoznik +Date: Fri, 27 Jan 2023 10:45:50 +0100 +Subject: [PATCH] qemuProcessStop: Fix detection of outgoing migration for + external devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When cleaning up host in qemuProcessStop(), our external helper +processes (e.g. swtpm) want to know whether the domain is being +migrated out or not (so that they restore seclabels on a device +state that's on a shared storage). + +This fact is reflected in the @outgoingMigration variable which +is set to true if asyncJob is anything but +VIR_ASYNC_JOB_MIGRATION_IN. Well, we have a specific job for +outgoing migration (VIR_ASYNC_JOB_MIGRATION_OUT) and thus we +should check for that. + +Signed-off-by: Michal Privoznik +Reviewed-by: Ján Tomko +(cherry picked from commit 88f0fbf63851c6ae80ad03b2a05a966d8a2f296c) +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557 +Signed-off-by: Michal Privoznik +--- + src/qemu/qemu_process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 29716ecb19..2de87211fb 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -8397,7 +8397,7 @@ void qemuProcessStop(virQEMUDriver *driver, + qemuDomainCleanupRun(driver, vm); + + outgoingMigration = (flags & VIR_QEMU_PROCESS_STOP_MIGRATED) && +- (asyncJob != VIR_ASYNC_JOB_MIGRATION_IN); ++ (asyncJob == VIR_ASYNC_JOB_MIGRATION_OUT); + qemuExtDevicesStop(driver, vm, outgoingMigration); + + qemuDBusStop(driver, vm); +-- +2.39.1 + diff --git a/libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch b/libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch new file mode 100644 index 0000000..dd85c70 --- /dev/null +++ b/libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch @@ -0,0 +1,59 @@ +From fd06fc3affcda0d7af1721c26915b8d87e0b2614 Mon Sep 17 00:00:00 2001 +Message-Id: +From: Michal Privoznik +Date: Tue, 7 Feb 2023 15:06:32 +0100 +Subject: [PATCH] qemu_namespace: Deal with nested mounts when umount()-ing + /dev + +In one of recent commits (v9.0.0-rc1~106) I've made our QEMU +namespace code umount the original /dev. One of the reasons was +enhanced security, because previously we just mounted a tmpfs +over the original /dev. Thus a malicious QEMU could just +umount("/dev") and it would get to the original /dev with all +nodes. + +Now, on some systems this introduced a regression: + + failed to umount devfs on /dev: Device or resource busy + +But how this could be? We've moved all file systems mounted under +/dev to a temporary location. Or have we? As it turns out, not +quite. If there are two file systems mounted on the same target, +e.g. like this: + + mount -t tmpfs tmpfs /dev/shm/ && mount -t tmpfs tmpfs /dev/shm/ + +then only the top most (i.e. the last one) is moved. See +qemuDomainUnshareNamespace() for more info. + +Now, we could enhance our code to deal with these "doubled" mount +points. Or, since it is the top most file system that is +accessible anyways (and this one is preserved), we can +umount("/dev") in a recursive fashion. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167302 +Fixes: 379c0ce4bfed8733dfbde557c359eecc5474ce38 +Signed-off-by: Michal Privoznik +Reviewed-by: Jim Fehlig +(cherry picked from commit 5155ab4b2a704285505dfea6ffee8b980fdaa29e) +Signed-off-by: Michal Privoznik +--- + src/qemu/qemu_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c +index 5769a4dfe0..5fc043bd62 100644 +--- a/src/qemu/qemu_namespace.c ++++ b/src/qemu/qemu_namespace.c +@@ -777,7 +777,7 @@ qemuDomainUnshareNamespace(virQEMUDriverConfig *cfg, + } + + #if defined(__linux__) +- if (umount("/dev") < 0) { ++ if (umount2("/dev", MNT_DETACH) < 0) { + virReportSystemError(errno, "%s", _("failed to umount devfs on /dev")); + return -1; + } +-- +2.39.1 + diff --git a/libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch b/libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch new file mode 100644 index 0000000..161c6d9 --- /dev/null +++ b/libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch @@ -0,0 +1,64 @@ +From 99f69000a1ecacc2f064043993ece8ddba366976 Mon Sep 17 00:00:00 2001 +Message-Id: <99f69000a1ecacc2f064043993ece8ddba366976@dist-git> +From: Michal Privoznik +Date: Tue, 7 Feb 2023 10:34:40 +0100 +Subject: [PATCH] qemu_process: Produce better debug message wrt domain + namespaces + +When going through debug log of a domain startup process, one can +meet the following line: + + debug : qemuProcessLaunch:7668 : Building mount namespace + +But this is in fact wrong. Firstly, domain namespaces are just +enabled in domain's privateData. Secondly, the debug message says +nothing about actual state of namespace - whether it was enabled +or not. + +Therefore, move the debug printing into +qemuProcessEnableDomainNamespaces() and tweak it so that the +actual value is reflected. + +Signed-off-by: Michal Privoznik +Reviewed-by: Jim Fehlig +(cherry picked from commit 697c16e39ae9a9e18ce7cad0729bf2293b12a307) +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167302 +Signed-off-by: Michal Privoznik +--- + src/qemu/qemu_process.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c +index 1217fb1856..32083de563 100644 +--- a/src/qemu/qemu_process.c ++++ b/src/qemu/qemu_process.c +@@ -7377,11 +7377,17 @@ qemuProcessEnableDomainNamespaces(virQEMUDriver *driver, + virDomainObj *vm) + { + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); ++ const char *state = "disabled"; + + if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT) && + qemuDomainEnableNamespace(vm, QEMU_DOMAIN_NS_MOUNT) < 0) + return -1; + ++ if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) ++ state = "enabled"; ++ ++ VIR_DEBUG("Mount namespace for domain name=%s is %s", ++ vm->def->name, state); + return 0; + } + +@@ -7705,8 +7711,6 @@ qemuProcessLaunch(virConnectPtr conn, + + qemuDomainLogContextMarkPosition(logCtxt); + +- VIR_DEBUG("Building mount namespace"); +- + if (qemuProcessEnableDomainNamespaces(driver, vm) < 0) + goto cleanup; + +-- +2.39.1 + diff --git a/libvirt.spec b/libvirt.spec index 614a373..2b40722 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -229,7 +229,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 9.0.0 -Release: 3%{?dist}%{?extra_release} +Release: 4%{?dist}%{?extra_release} License: LGPLv2+ URL: https://libvirt.org/ @@ -257,6 +257,12 @@ Patch16: libvirt-qemuFDPassTransferCommand-Mark-that-FD-was-passed.patch Patch17: libvirt-qemu-fd-Add-helpers-allowing-storing-FD-set-data-in-status-XML.patch Patch18: libvirt-qemu-domain-Store-fdset-ID-for-disks-passed-to-qemu-via-FD.patch Patch19: libvirt-qemu-block-Properly-handle-FD-passed-disk-hot-un-plug.patch +Patch20: libvirt-qemuProcessStop-Fix-detection-of-outgoing-migration-for-external-devices.patch +Patch21: libvirt-qemuExtTPMStop-Restore-TPM-state-label-more-often.patch +Patch22: libvirt-qemuProcessLaunch-Tighten-rules-for-external-devices-wrt-incoming-migration.patch +Patch23: libvirt-qemu_process-Produce-better-debug-message-wrt-domain-namespaces.patch +Patch24: libvirt-qemu_namespace-Deal-with-nested-mounts-when-umount-ing-dev.patch +Patch25: libvirt-qemuProcessRefreshDisks-Don-t-skip-filling-of-disk-information-if-tray-state-didn-t-change.patch Requires: libvirt-daemon = %{version}-%{release} @@ -2347,6 +2353,14 @@ exit 0 %endif %changelog +* Thu Feb 9 2023 Jiri Denemark - 9.0.0-4 +- qemuProcessStop: Fix detection of outgoing migration for external devices (rhbz#2161557) +- qemuExtTPMStop: Restore TPM state label more often (rhbz#2161557) +- qemuProcessLaunch: Tighten rules for external devices wrt incoming migration (rhbz#2161557) +- qemu_process: Produce better debug message wrt domain namespaces (rhbz#2167302) +- qemu_namespace: Deal with nested mounts when umount()-ing /dev (rhbz#2167302) +- qemuProcessRefreshDisks: Don't skip filling of disk information if tray state didn't change (rhbz#2166411) + * Wed Feb 1 2023 Jiri Denemark - 9.0.0-3 - src: Don't use virReportSystemError() on virProcessGetStatInfo() failure (rhbz#2148266) - qemu: Provide virDomainGetCPUStats() implementation for session connection (rhbz#2148266)