From 4769ffad6148f153cb53cd49e9c9ff731f40f112 Mon Sep 17 00:00:00 2001 From: Jiri Denemark Date: Tue, 5 Aug 2025 16:37:08 +0200 Subject: [PATCH] libvirt-11.5.0-4.el10 - qemu: fix order of VNC TLS config entries (RHEL-104382) - qemu: sanitize blank lines in config file (RHEL-104382) - qemu: add ability to set TLS priority string with QEMU (RHEL-104382) Resolves: RHEL-104382 --- ...to-set-TLS-priority-string-with-QEMU.patch | 667 ++++++++++++++++++ ...-fix-order-of-VNC-TLS-config-entries.patch | 84 +++ ...-sanitize-blank-lines-in-config-file.patch | 404 +++++++++++ libvirt.spec | 10 +- 4 files changed, 1164 insertions(+), 1 deletion(-) create mode 100644 libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch create mode 100644 libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch create mode 100644 libvirt-qemu-sanitize-blank-lines-in-config-file.patch diff --git a/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch b/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch new file mode 100644 index 0000000..bc2f431 --- /dev/null +++ b/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch 
@@ -0,0 +1,667 @@ +From 5daae8778ba7b7232faf4788ef49891820e2510f Mon Sep 17 00:00:00 2001 +Message-ID: <5daae8778ba7b7232faf4788ef49891820e2510f.1754404628.git.jdenemar@redhat.com> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 16 Jul 2025 16:40:01 +0100 +Subject: [PATCH] qemu: add ability to set TLS priority string with QEMU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +QEMU will either use the GNUTLS default priority string of "NORMAL", +or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to +a configuration in /etc/crypto-policies/back-ends/gnutls.config. + +The latter gives the sysadmin the ability to change the priority +string used for GNUTLS at deployment time, either system side, or +exclusively for QEMU, avoiding the hardcoded GNUTLS defaults. + +There are still some limitations to this: + + * Priorities cannot be set for different areas of QEMU + functionality (migration, vnc, nbd, etc) + + * Priorities are fixed at the time when QEMU first + triggers GNUTLS to load its config file, often + immediately at startup. + +We recently uncovered a QEMU bug that causes crashes in live +migration with TLS-1.3, where the easiest workaround is to +change the TLS priorities. We can't change this on the running +QEMU, but fortunately it is possible to change it on the target +QEMU and the TLS handshake will make it take effect on both +src and dst. + +The problem is, while fixing the immediate incoming and outgoing +live migration problems, the workaround will apply to everything +else that QEMU does for the rest of the time that process exists. + +We want to make it possible to set the TLS priorities only for +the current migrations, such that if the target QEMU has a fixed +GNUTLS, it will not have its TLS priorities hobbled for the next +live migration. + +To achieve this we need libvirt to be able to (optionally) set +the TLS priority string with QEMU. 
While live migration is the +most pressing need, the new qemu.conf parameters are wired up +for every subsystem for greater selectivity in future. + +With this we can activate the GNUTLS workaround for running +QEMU processes by editting qemu.conf and restarting virtqemud, +and later undo this the same way. + +Reviewed-by: Peter Krempa +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 14e41ac9f365b148e69088c5ffeb565a0f9ba326) + +Resolves: https://issues.redhat.com/browse/RHEL-104382 +Signed-off-by: Daniel P. Berrangé +--- + src/conf/storage_source_conf.c | 2 + + src/conf/storage_source_conf.h | 1 + + src/qemu/libvirtd_qemu.aug | 6 +++ + src/qemu/qemu.conf.in | 37 +++++++++++++++++++ + src/qemu/qemu_backup.c | 5 ++- + src/qemu/qemu_blockjob.c | 1 + + src/qemu/qemu_command.c | 15 ++++++-- + src/qemu/qemu_command.h | 1 + + src/qemu/qemu_conf.c | 22 +++++++++++ + src/qemu/qemu_conf.h | 6 +++ + src/qemu/qemu_domain.c | 3 ++ + src/qemu/qemu_domain.h | 1 + + src/qemu/qemu_hotplug.c | 4 +- + src/qemu/qemu_hotplug.h | 1 + + src/qemu/qemu_migration_params.c | 1 + + src/qemu/test_libvirtd_qemu.aug.in | 6 +++ + ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +- + ...graphics-vnc-tls-secret.x86_64-latest.args | 2 +- + ...-tlsx509-secret-chardev.x86_64-latest.args | 2 +- + tests/qemuxmlconftest.c | 6 +++ + 20 files changed, 114 insertions(+), 10 deletions(-) + +diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c +index 8a063be244..8bab116d89 100644 +--- a/src/conf/storage_source_conf.c ++++ b/src/conf/storage_source_conf.c +@@ -832,6 +832,7 @@ virStorageSourceCopy(const virStorageSource *src, + def->compat = g_strdup(src->compat); + def->tlsAlias = g_strdup(src->tlsAlias); + def->tlsCertdir = g_strdup(src->tlsCertdir); ++ def->tlsPriority = g_strdup(src->tlsPriority); + def->tlsHostname = g_strdup(src->tlsHostname); + def->query = g_strdup(src->query); + def->vdpadev = g_strdup(src->vdpadev); +@@ -1185,6 +1186,7 @@ 
virStorageSourceClear(virStorageSource *def) + + VIR_FREE(def->tlsAlias); + VIR_FREE(def->tlsCertdir); ++ VIR_FREE(def->tlsPriority); + VIR_FREE(def->tlsHostname); + + VIR_FREE(def->ssh_user); +diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h +index ebddf28cd6..a0d5acdb09 100644 +--- a/src/conf/storage_source_conf.h ++++ b/src/conf/storage_source_conf.h +@@ -396,6 +396,7 @@ struct _virStorageSource { + * certificate directory with listen and verify bools. */ + char *tlsAlias; + char *tlsCertdir; ++ char *tlsPriority; + + /* TLS hostname override */ + char *tlsHostname; +diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug +index d36baed6fc..772d4dcabe 100644 +--- a/src/qemu/libvirtd_qemu.aug ++++ b/src/qemu/libvirtd_qemu.aug +@@ -30,6 +30,7 @@ module Libvirtd_qemu = + let default_tls_entry = str_entry "default_tls_x509_cert_dir" + | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_x509_secret_uuid" ++ | str_entry "default_tls_priority" + + let vnc_entry = str_entry "vnc_listen" + | bool_entry "vnc_auto_unix_socket" +@@ -37,6 +38,7 @@ module Libvirtd_qemu = + | str_entry "vnc_tls_x509_cert_dir" + | bool_entry "vnc_tls_x509_verify" + | str_entry "vnc_tls_x509_secret_uuid" ++ | str_entry "vnc_tls_priority" + | str_entry "vnc_password" + | bool_entry "vnc_sasl" + | str_entry "vnc_sasl_dir" +@@ -59,15 +61,18 @@ module Libvirtd_qemu = + | str_entry "chardev_tls_x509_cert_dir" + | bool_entry "chardev_tls_x509_verify" + | str_entry "chardev_tls_x509_secret_uuid" ++ | str_entry "chardev_tls_priority" + + let migrate_entry = str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" ++ | str_entry "migrate_tls_priority" + | bool_entry "migrate_tls_force" + + let backup_entry = str_entry "backup_tls_x509_cert_dir" + | bool_entry "backup_tls_x509_verify" + | str_entry "backup_tls_x509_secret_uuid" ++ | str_entry "backup_tls_priority" + + (* support for 
vxhs was removed from qemu and the examples were dopped from *) + (* qemu.conf but these need to stay *) +@@ -78,6 +83,7 @@ module Libvirtd_qemu = + let nbd_entry = bool_entry "nbd_tls" + | str_entry "nbd_tls_x509_cert_dir" + | str_entry "nbd_tls_x509_secret_uuid" ++ | str_entry "nbd_tls_priority" + + let nogfx_entry = bool_entry "nographics_allow_host_audio" + +diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in +index 76cbe1a72d..b0fb30d74f 100644 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -62,6 +62,18 @@ + #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Libvirt allows QEMU to use its built-in TLS priority by default, ++# however, this allows overriding it at runtime. This is especially ++# useful if TLS priority needs to be changed for an operation run ++# against an existing running QEMU. ++# ++# This must be a valid GNUTLS priority string: ++# ++# https://gnutls.org/manual/html_node/Priority-Strings.html ++# ++#default_tls_priority = "@SYSTEM" ++ ++ + # VNC is configured to listen on 127.0.0.1 by default. + # To make it listen on all public interfaces, uncomment + # this next option. +@@ -127,6 +139,11 @@ + #vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for VNC ++# ++#vnc_tls_priority = "@SYSTEM" ++ ++ + # The default VNC password. Only 8 bytes are significant for + # VNC passwords. This parameter is only used if the per-domain + # XML config does not already provide a password. To allow +@@ -306,6 +323,11 @@ + #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for character devices ++# ++#chardev_tls_priority = "@SYSTEM" ++ ++ + # The support for VxHS network block protocol was removed in qemu-5.2 and + # thus also dropped from libvirt's qemu driver. The following options which + # were used to configure the TLS certificates for VxHS are thus ignored. 
+@@ -358,6 +380,11 @@ + #nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for NBD ++# ++#nbd_tls_priority = "@SYSTEM" ++ ++ + # In order to override the default TLS certificate location for migration + # certificates, supply a valid path to the certificate directory. If the + # provided path does not exist, libvirtd will fail to start. If the path is +@@ -397,6 +424,11 @@ + #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for live migration ++# ++#migrate_tls_priority = "@SYSTEM" ++ ++ + # By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested + # automatically. Setting 'migate_tls_force' to "1" will prevent any migration + # which is not using VIR_MIGRATE_TLS to ensure higher level of security in +@@ -442,6 +474,11 @@ + #backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for NBD backups ++# ++#backup_tls_priority = "@SYSTEM" ++ ++ + # By default, if no graphical front end is configured, libvirt will disable + # QEMU audio output since directly talking to alsa/pulseaudio may not work + # with various security settings. 
If you know what you're doing, enable +diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c +index fb3558d280..1f43479b5e 100644 +--- a/src/qemu/qemu_backup.c ++++ b/src/qemu/qemu_backup.c +@@ -728,8 +728,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, + } + + if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true, +- cfg->backupTLSx509verify, tlsObjAlias, +- tlsKeySecretAlias, ++ cfg->backupTLSx509verify, ++ cfg->backupTLSpriority, ++ tlsObjAlias, tlsKeySecretAlias, + tlsProps) < 0) + return -1; + +diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c +index c7462e2838..315b742053 100644 +--- a/src/qemu/qemu_blockjob.c ++++ b/src/qemu/qemu_blockjob.c +@@ -624,6 +624,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src) + VIR_FREE(src->nodenameformat); + VIR_FREE(src->tlsAlias); + VIR_FREE(src->tlsCertdir); ++ VIR_FREE(src->tlsPriority); + } + + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 202f2dfaca..662d6299f8 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -1263,6 +1263,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd, + * @tlspath: path to the TLS credentials + * @listen: boolean listen for client or server setting + * @verifypeer: boolean to enable peer verification (form of authorization) ++ * @priority: GNUTLS priority string override (optional) + * @alias: alias for the TLS credentials object + * @secalias: if one exists, the alias of the security object for passwordid + * @propsret: json properties to return +@@ -1275,6 +1276,7 @@ int + qemuBuildTLSx509BackendProps(const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *alias, + const char *secalias, + virJSONValue **propsret) +@@ -1283,6 +1285,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + "s:dir", tlspath, + "s:endpoint", (isListen ? "server": "client"), + "b:verify-peer", (isListen ? 
verifypeer : true), ++ "S:priority", priority, + "S:passwordid", secalias, + NULL) < 0) + return -1; +@@ -1296,6 +1299,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + * @tlspath: path to the TLS credentials + * @listen: boolean listen for client or server setting + * @verifypeer: boolean to enable peer verification (form of authorization) ++ * @priority: GNUTLS priority string override (optional) + * @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private key + * (optional) + * @alias: TLS object alias +@@ -1309,13 +1313,14 @@ qemuBuildTLSx509CommandLine(virCommand *cmd, + const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *certEncSecretAlias, + const char *alias) + { + g_autoptr(virJSONValue) props = NULL; + +- if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias, +- certEncSecretAlias, &props) < 0) ++ if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority, ++ alias, certEncSecretAlias, &props) < 0) + return -1; + + if (qemuBuildObjectCommandlineFromJSON(cmd, props) < 0) +@@ -1357,6 +1362,7 @@ qemuBuildChardevCommand(virCommand *cmd, + if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath, + dev->data.tcp.listen, + chrSourcePriv->tlsVerify, ++ chrSourcePriv->tlsPriority, + tlsCertEncSecAlias, + objalias) < 0) { + return -1; +@@ -8347,6 +8353,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg, + cfg->vncTLSx509certdir, + true, + cfg->vncTLSx509verify, ++ cfg->vncTLSpriority, + secretAlias, + gfxPriv->tlsAlias) < 0) + return -1; +@@ -11188,8 +11195,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src, + } + + if (src->haveTLS == VIR_TRISTATE_BOOL_YES && +- qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias, +- tlsKeySecretAlias, &data->tlsProps) < 0) ++ qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsPriority, ++ src->tlsAlias, tlsKeySecretAlias, &data->tlsProps) < 0) + return -1; + + 
return 0; +diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h +index 574dffdc96..ad068f1f16 100644 +--- a/src/qemu/qemu_command.h ++++ b/src/qemu/qemu_command.h +@@ -67,6 +67,7 @@ int + qemuBuildTLSx509BackendProps(const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *alias, + const char *secalias, + virJSONValue **propsret); +diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c +index 482e19b502..088904eb12 100644 +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -454,6 +454,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg, + if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", + &cfg->defaultTLSx509secretUUID) < 0) + return -1; ++ if (virConfGetValueString(conf, "default_tls_priority", ++ &cfg->defaultTLSpriority) < 0) ++ return -1; + + return 0; + } +@@ -566,6 +569,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg, + #val "_tls_x509_secret_uuid", \ + &cfg->val## TLSx509secretUUID) < 0) \ + return -1; \ ++ if ((rv = virConfGetValueString(conf, #val "_tls_priority", \ ++ &cfg->val## TLSpriority)) < 0) \ ++ return -1; \ + } while (0) + + #define GET_CONFIG_TLS_CERTINFO_SERVER(val) \ +@@ -1441,6 +1447,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg) + + #undef SET_TLS_SECRET_UUID_DEFAULT + ++#define SET_TLS_PRIORITY_DEFAULT(val) \ ++ do { \ ++ if (!cfg->val## TLSpriority && \ ++ cfg->defaultTLSpriority) { \ ++ cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \ ++ } \ ++ } while (0) ++ ++ SET_TLS_PRIORITY_DEFAULT(vnc); ++ SET_TLS_PRIORITY_DEFAULT(chardev); ++ SET_TLS_PRIORITY_DEFAULT(migrate); ++ SET_TLS_PRIORITY_DEFAULT(backup); ++ SET_TLS_PRIORITY_DEFAULT(nbd); ++ ++#undef SET_TLS_PRIORITY_DEFAULT ++ + /* + * If a "SYSCONFDIR" + "pki/libvirt-" exists, then assume someone + * has created a val specific area to place service specific certificates. 
+diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h +index ff376aed4d..192ddd0cbd 100644 +--- a/src/qemu/qemu_conf.h ++++ b/src/qemu/qemu_conf.h +@@ -117,6 +117,7 @@ struct _virQEMUDriverConfig { + bool defaultTLSx509verify; + bool defaultTLSx509verifyPresent; + char *defaultTLSx509secretUUID; ++ char *defaultTLSpriority; + + bool vncAutoUnixSocket; + bool vncTLS; +@@ -125,6 +126,7 @@ struct _virQEMUDriverConfig { + bool vncSASL; + char *vncTLSx509certdir; + char *vncTLSx509secretUUID; ++ char *vncTLSpriority; + char *vncListen; + char *vncPassword; + char *vncSASLdir; +@@ -147,21 +149,25 @@ struct _virQEMUDriverConfig { + bool chardevTLSx509verify; + bool chardevTLSx509verifyPresent; + char *chardevTLSx509secretUUID; ++ char *chardevTLSpriority; + + char *migrateTLSx509certdir; + bool migrateTLSx509verify; + bool migrateTLSx509verifyPresent; + char *migrateTLSx509secretUUID; ++ char *migrateTLSpriority; + bool migrateTLSForce; + + char *backupTLSx509certdir; + bool backupTLSx509verify; + bool backupTLSx509verifyPresent; + char *backupTLSx509secretUUID; ++ char *backupTLSpriority; + + bool nbdTLS; + char *nbdTLSx509certdir; + char *nbdTLSx509secretUUID; ++ char *nbdTLSpriority; + + unsigned int remotePortMin; + unsigned int remotePortMax; +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index 0d2548d8d4..ddc065d8f4 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj) + qemuDomainChrSourcePrivateClearFDPass(priv); + + g_free(priv->tlsCertPath); ++ g_free(priv->tlsPriority); + + g_free(priv->tlsCredsAlias); + +@@ -8777,6 +8778,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev, + + if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) { + charpriv->tlsCertPath = g_strdup(data->cfg->chardevTLSx509certdir); ++ charpriv->tlsPriority = g_strdup(data->cfg->chardevTLSpriority); + charpriv->tlsVerify = data->cfg->chardevTLSx509verify; + } + } +@@ -8842,6 +8844,7 
@@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src, + + src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir); ++ src->tlsPriority = g_strdup(cfg->nbdTLSpriority); + + if (cfg->nbdTLSx509secretUUID) { + qemuDomainStorageSourcePrivate *srcpriv = qemuDomainStorageSourcePrivateFetch(src); +diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h +index c7287eb669..22cad50f55 100644 +--- a/src/qemu/qemu_domain.h ++++ b/src/qemu/qemu_domain.h +@@ -384,6 +384,7 @@ struct _qemuDomainChrSourcePrivate { + + char *tlsCertPath; /* path to certificates if TLS is requested */ + bool tlsVerify; /* whether server should verify client certificates */ ++ char *tlsPriority; /* optional GNUTLS priority string */ + + char *tlsCredsAlias; /* alias of the x509 tls credentials object */ + }; +diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c +index 67a2464ce4..79922f27c7 100644 +--- a/src/qemu/qemu_hotplug.c ++++ b/src/qemu/qemu_hotplug.c +@@ -1744,6 +1744,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, ++ const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) +@@ -1757,7 +1758,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + secAlias = secinfo->alias; + } + +- if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, ++ if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority, + alias, secAlias, tlsProps) < 0) + return -1; + +@@ -1801,6 +1802,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, ++ cfg->chardevTLSpriority, + *tlsAlias, &tlsProps, &secProps) < 0) + return -1; + +diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h +index de75bf9225..fb0b5b6cd7 100644 +--- a/src/qemu/qemu_hotplug.h ++++ b/src/qemu/qemu_hotplug.h +@@ -41,6 +41,7 @@ 
qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, ++ const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); +diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c +index 17d08f4aa5..b79bbad5c2 100644 +--- a/src/qemu/qemu_migration_params.c ++++ b/src/qemu/qemu_migration_params.c +@@ -1208,6 +1208,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, + if (qemuDomainGetTLSObjects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, ++ cfg->migrateTLSpriority, + *tlsAlias, &tlsProps, &secProps) < 0) + return -1; + +diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in +index e461fcc9df..1fa0e2206e 100644 +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -5,12 +5,14 @@ module Test_libvirtd_qemu = + { "default_tls_x509_cert_dir" = "/etc/pki/qemu" } + { "default_tls_x509_verify" = "1" } + { "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "default_tls_priority" = "@SYSTEM" } + { "vnc_listen" = "0.0.0.0" } + { "vnc_auto_unix_socket" = "1" } + { "vnc_tls" = "1" } + { "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" } + { "vnc_tls_x509_verify" = "1" } + { "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "vnc_tls_priority" = "@SYSTEM" } + { "vnc_password" = "XYZ12345" } + { "vnc_sasl" = "1" } + { "vnc_sasl_dir" = "/some/directory/sasl2" } +@@ -30,19 +32,23 @@ module Test_libvirtd_qemu = + { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" } + { "chardev_tls_x509_verify" = "1" } + { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "chardev_tls_priority" = "@SYSTEM" } + { "vxhs_tls" = "1" } + { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" } + { "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "nbd_tls" = "1" } + 
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" } + { "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "nbd_tls_priority" = "@SYSTEM" } + { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" } + { "migrate_tls_x509_verify" = "1" } + { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "migrate_tls_priority" = "@SYSTEM" } + { "migrate_tls_force" = "0" } + { "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" } + { "backup_tls_x509_verify" = "1" } + { "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "backup_tls_priority" = "@SYSTEM" } + { "nographics_allow_host_audio" = "1" } + { "remote_display_port_min" = "5900" } + { "remote_display_port_max" = "65535" } +diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args +index 4ee9a0631b..77d38c3020 100644 +--- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args +@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ + -boot strict=on \ + -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ + -object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ ++-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ + -blockdev 
'{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ + -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ +diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args +index 50cc8532d1..32d7be1d3b 100644 +--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args +@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \ + -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ + -object '{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}' \ ++-object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}' \ + -vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \ + -device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}' \ + -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args +index c227a04112..492d1be626 100644 +--- 
a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args +@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ + -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \ + -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \ + -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}' \ ++-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \ + -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ +diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c +index 6ad4d90934..1fbfd25e83 100644 +--- a/tests/qemuxmlconftest.c ++++ b/tests/qemuxmlconftest.c +@@ -1596,7 +1596,9 @@ mymain(void) + driver.config->nbdTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea"); + DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd"); + DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0"); ++ driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname"); ++ VIR_FREE(driver.config->nbdTLSpriority); + DO_TEST_CAPS_LATEST("disk-network-http"); + VIR_FREE(driver.config->nbdTLSx509secretUUID); + DO_TEST_CAPS_LATEST("disk-network-ssh"); +@@ -1723,8 +1725,10 @@ 
mymain(void) + driver.config->vncTLS = 1; + driver.config->vncTLSx509verify = 1; + DO_TEST_CAPS_LATEST("graphics-vnc-tls"); ++ driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + driver.config->vncTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea"); + DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret"); ++ VIR_FREE(driver.config->vncTLSpriority); + VIR_FREE(driver.config->vncTLSx509secretUUID); + driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0; + DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless"); +@@ -1874,7 +1878,9 @@ mymain(void) + driver.config->chardevTLSx509verify = 0; + DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls"); + driver.config->chardevTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea"); ++ driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev"); ++ VIR_FREE(driver.config->chardevTLSpriority); + VIR_FREE(driver.config->chardevTLSx509secretUUID); + driver.config->chardevTLS = 0; + DO_TEST_CAPS_LATEST("serial-many-chardev"); +-- +2.50.1 diff --git a/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch b/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch new file mode 100644 index 0000000..43649c6 --- /dev/null +++ b/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch 
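Review bot: The six new config strings (defaultTLSpriority, vncTLSpriority, chardevTLSpriority, migrateTLSpriority, backupTLSpriority, nbdTLSpriority) are allocated by virConfGetValueString() and by SET_TLS_PRIORITY_DEFAULT, but the qemu_conf.c diffstat (+22) is fully accounted for by the three hunks shown, so virQEMUDriverConfigDispose — which lies outside this hunk — does not appear to release them, unlike the sibling *TLSx509certdir/*TLSx509secretUUID fields; matching g_free() lines should be added there. A smaller nit in the GET_CONFIG_TLS_CERTINFO macro: `rv` is assigned for `_tls_priority` but never read afterwards, so the line can take the same form as the `_tls_x509_secret_uuid` one above it, `if (virConfGetValueString(conf, #val "_tls_priority", &cfg->val## TLSpriority) < 0)`. Because the string is forwarded to QEMU's tls-creds-x509 `priority` property without any check in libvirt, a typo in qemu.conf only surfaces when VM start, chardev hotplug or migration fails; the qemu.conf.in comments could also warn that a weakened string such as the `@SYSTEM:-VERS-TLS1.3` used by the tests lowers the security of every connection of that subsystem for the lifetime of the affected tls-creds object and should be reverted once the workaround is no longer needed.
```c
/* … unchanged: existing g_free() calls in virQEMUDriverConfigDispose … */
g_free(cfg->defaultTLSpriority);
g_free(cfg->vncTLSpriority);
g_free(cfg->chardevTLSpriority);
g_free(cfg->migrateTLSpriority);
g_free(cfg->backupTLSpriority);
g_free(cfg->nbdTLSpriority);
```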
@@ -0,0 +1,84 @@ +From 18e04d47dc99d44eb6e1e81f820f1634694a51e9 Mon Sep 17 00:00:00 2001 +Message-ID: <18e04d47dc99d44eb6e1e81f820f1634694a51e9.1754404628.git.jdenemar@redhat.com> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 16 Jul 2025 16:32:05 +0100 +Subject: [PATCH] qemu: fix order of VNC TLS config entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For TLS config parameters, the 'verify' option always comes before the +'secret_uuid' option, except in the VNC case which has them reversed. + +Reviewed-by: Peter Krempa +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 845e1b5138f37dbf91e5b08b7d54d963a6ec0452) + +Resolves: https://issues.redhat.com/browse/RHEL-104382 +Signed-off-by: Daniel P. Berrangé +--- + src/qemu/libvirtd_qemu.aug | 2 +- + src/qemu/qemu.conf.in | 12 ++++++------ + src/qemu/test_libvirtd_qemu.aug.in | 2 +- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug +index e1e479d72c..d36baed6fc 100644 +--- a/src/qemu/libvirtd_qemu.aug ++++ b/src/qemu/libvirtd_qemu.aug +@@ -35,8 +35,8 @@ module Libvirtd_qemu = + | bool_entry "vnc_auto_unix_socket" + | bool_entry "vnc_tls" + | str_entry "vnc_tls_x509_cert_dir" +- | str_entry "vnc_tls_x509_secret_uuid" + | bool_entry "vnc_tls_x509_verify" ++ | str_entry "vnc_tls_x509_secret_uuid" + | str_entry "vnc_password" + | bool_entry "vnc_sasl" + | str_entry "vnc_sasl_dir" +diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in +index 6358a45ae2..9bb52b5927 100644 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -101,12 +101,6 @@ + #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" + + +-# Uncomment and use the following option to override the default secret +-# UUID provided in the default_tls_x509_secret_uuid parameter. 
+-# +-#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" +- +- + # The default TLS configuration only uses certificates for the server + # allowing the client to verify the server's identity and establish + # an encrypted channel. +@@ -125,6 +119,12 @@ + #vnc_tls_x509_verify = 1 + + ++# Uncomment and use the following option to override the default secret ++# UUID provided in the default_tls_x509_secret_uuid parameter. ++# ++#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" ++ ++ + # The default VNC password. Only 8 bytes are significant for + # VNC passwords. This parameter is only used if the per-domain + # XML config does not already provide a password. To allow +diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in +index 88d1a6aca1..e461fcc9df 100644 +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -9,8 +9,8 @@ module Test_libvirtd_qemu = + { "vnc_auto_unix_socket" = "1" } + { "vnc_tls" = "1" } + { "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" } +-{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "vnc_tls_x509_verify" = "1" } ++{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "vnc_password" = "XYZ12345" } + { "vnc_sasl" = "1" } + { "vnc_sasl_dir" = "/some/directory/sasl2" } +-- +2.50.1 diff --git a/libvirt-qemu-sanitize-blank-lines-in-config-file.patch b/libvirt-qemu-sanitize-blank-lines-in-config-file.patch new file mode 100644 index 0000000..f555fe9 --- /dev/null +++ b/libvirt-qemu-sanitize-blank-lines-in-config-file.patch 
@@ -0,0 +1,404 @@
+From f8d6bc01e680b8c226270d100230a92a611f771d Mon Sep 17 00:00:00 2001
+Message-ID:
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 16 Jul 2025 16:30:52 +0100
+Subject: [PATCH] qemu: sanitize blank lines in config file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We mostly use 2 blank lines between config file entries to
+improve readability. Fix where we don't do that.
+
+Reviewed-by: Peter Krempa
+Signed-off-by: Daniel P. Berrangé
+(cherry picked from commit 0b9cfa791f2bd135ea36fe03fd1a8d6c8bf5e3d6)
+
+Resolves: https://issues.redhat.com/browse/RHEL-104382
+Signed-off-by: Daniel P. Berrangé
+---
+ src/qemu/qemu.conf.in | 51 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
+index 9bb52b5927..76cbe1a72d 100644
+--- a/src/qemu/qemu.conf.in
++++ b/src/qemu/qemu.conf.in
+@@ -48,7 +48,7 @@
+ #
+ #default_tls_x509_verify = 1
+
+-#
++
+ # Libvirt assumes the server-key.pem file is unencrypted by default.
+ # To use an encrypted server-key.pem file, the password to decrypt
+ # the PEM file is required. This can be provided by creating a secret
+@@ -71,6 +71,7 @@
+ #
+ #vnc_listen = "0.0.0.0"
+
++
+ # Enable this option to have VNC served over an automatically created
+ # unix socket. This prevents unprivileged access from users on the
+ # host machine, though most VNC clients do not support it.
+@@ -81,6 +82,7 @@
+ #
+ #vnc_auto_unix_socket = 1
+
++
+ # Enable use of TLS encryption on the VNC server. This requires
+ # a VNC client which supports the VeNCrypt protocol extension.
+ # Examples include vinagre, virt-viewer, virt-manager and vencrypt
+@@ -222,6 +224,7 @@
+ #
+ #spice_sasl = 1
+
++
+ # The default SASL configuration file is located in /etc/sasl2/
+ # When running libvirtd unprivileged, it may be desirable to
+ # override the configs in this location. Set this parameter to
+@@ -229,6 +232,7 @@
+ #
+ #spice_sasl_dir = "/some/directory/sasl2"
+
++
+ # RDP is configured to listen on 127.0.0.1 by default.
+ # To make it listen on all public interfaces, uncomment
+ # this next option.
+@@ -242,11 +246,13 @@
+ #
+ #rdp_tls_x509_cert_dir = "/etc/pki/libvirt-rdp"
+
++
+ # The default RDP username. This parameter is only used if the
+ # per-domain XML config does not already provide a username.
+ #
+ #rdp_username = "user"
+
++
+ # The default RDP password. This parameter is only used if the
+ # per-domain XML config does not already provide a password.
+ # By default, RDP server will not allow password-less connections.
+@@ -254,6 +260,7 @@
+ #
+ #rdp_password = "RDP12345"
+
++
+ # Enable use of TLS encryption on the chardev TCP transports.
+ #
+ # It is necessary to setup CA and issue a server certificate
+@@ -457,6 +464,7 @@
+ #remote_display_port_min = 5900
+ #remote_display_port_max = 65535
+
++
+ # VNC WebSocket port policies, same rules apply as with remote display
+ # ports. VNC WebSockets use similar display <-> port mappings, with
+ # the exception being that ports start from 5700 instead of 5900.
+@@ -464,6 +472,7 @@
+ #remote_websocket_port_min = 5700
+ #remote_websocket_port_max = 65535
+
++
+ # The default security driver is SELinux. If SELinux is disabled
+ # on the host, then the security driver will automatically disable
+ # itself. If you wish to disable QEMU SELinux security driver while
+@@ -481,15 +490,18 @@
+ #
+ #security_driver = "selinux"
+
++
+ # If set to non-zero, then the default security labeling
+ # will make guests confined. If set to zero, then guests
+ # will be unconfined by default. Defaults to 1.
+ #security_default_confined = 1
+
++
+ # If set to non-zero, then attempts to create unconfined
+ # guests will be blocked. Defaults to 0.
+ #security_require_confined = 1
+
++
+ # The user for QEMU processes run by the system instance. It can be
+ # specified as a user name or as a user id. The qemu driver will try to
+ # parse this value first as a name and then, if the name doesn't exist,
+@@ -507,10 +519,12 @@
+ #
+ #user = "@QEMU_USER@"
+
++
+ # The group for QEMU processes run by the system instance. It can be
+ # specified in a similar way to user.
+ #group = "@QEMU_GROUP@"
+
++
+ # Whether libvirt should dynamically change file ownership
+ # to match the configured user/group above. Defaults to 1.
+ #
+@@ -526,11 +540,13 @@
+ # Set to 0 to disable file ownership changes globally in the qemu driver.
+ #dynamic_ownership = 1
+
++
+ # Whether libvirt should remember and restore the original
+ # ownership over files it is relabeling. Defaults to 1, set
+ # to 0 to disable the feature.
+ #remember_owner = 1
+
++
+ # What cgroup controllers to make use of with QEMU guests
+ #
+ # - 'cpu' - use for scheduler tunables
+@@ -552,6 +568,7 @@
+ #
+ #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
++
+ # This is the basic set of devices allowed / required by
+ # all virtual machines.
+ #
+@@ -618,12 +635,14 @@
+ #dump_image_format = "raw"
+ #snapshot_image_format = "raw"
+
++
+ # When a domain is configured to be auto-dumped when libvirtd receives a
+ # watchdog event from qemu guest, libvirtd will save dump files in directory
+ # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+ #
+ #auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
++
+ # When a domain is configured to be auto-dumped, enabling this flag
+ # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+ # virDomainCoreDump API. That is, the system will avoid using the
+@@ -632,6 +651,7 @@
+ #
+ #auto_dump_bypass_cache = 0
+
++
+ # When a domain is configured to be auto-started, enabling this flag
+ # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+ # with the virDomainCreateWithFlags API. That is, the system will
+@@ -640,11 +660,13 @@
+ #
+ #auto_start_bypass_cache = 0
+
++
+ # Delay in milliseconds between initiating the startup for
+ # each VM, during autostart
+ #
+ #auto_start_delay = 0
+
++
+ # The settings for auto shutdown actions accept one of
+ # four possible options:
+ #
+@@ -669,6 +691,7 @@
+ # they are restarted, or saved and restored.
+ #auto_shutdown_try_save = "persistent"
+
++
+ # As above, but with a graceful shutdown action instead of
+ # managed save. If managed save is enabled, shutdown will
+ # be tried only on failure to perform managed save.
+@@ -683,6 +706,7 @@
+ # they are restarted, or saved and restored.
+ #auto_shutdown_try_shutdown = "all"
+
++
+ # As above, but with a forced poweroff instead of managed
+ # save. If managed save or graceful shutdown are enabled,
+ # forced poweroff will be tried only on failure of the
+@@ -702,16 +726,19 @@
+ # feature should to be enabled as well to ensure proper cleanup of the VMs.
+ #auto_shutdown_poweroff = "all"
+
++
+ # How may seconds to wait for running VMs to gracefully shutdown
+ # when 'auto_shutdown_try_shutdown' is enabled. If set to 0
+ # then an arbitrary built-in default value will be used (which
+ # is currently 30 secs)
+ #auto_shutdown_wait = 30
+
++
+ # Whether VMs that are automatically powered off or saved during
+ # host shutdown, should be set to restore on next boot
+ #auto_shutdown_restore = 1
+
++
+ # When a domain is configured to be auto-saved on shutdown, enabling
+ # this flag has the same effect as using the VIR_DOMAIN_SAVE_BYPASS_CACHE
+ # flag with the virDomainManagedSave API. That is, the system will
+@@ -720,6 +747,7 @@
+ #
+ #auto_save_bypass_cache = 0
+
++
+ # If provided by the host and a hugetlbfs mount point is configured,
+ # a guest may request huge page backing. When this mount point is
+ # unspecified here, determination of a host mount point in /proc/mounts
+@@ -768,6 +796,7 @@
+ #max_processes = 0
+ #max_files = 0
+
++
+ # If max_threads_per_process is set to a positive integer, libvirt
+ # will use it to set the maximum number of threads that can be
+ # created by a qemu process. Some VM configurations can result in
+@@ -778,6 +807,7 @@
+ #
+ #max_threads_per_process = 0
+
++
+ # If max_core is set to a non-zero integer, then QEMU will be
+ # permitted to create core dumps when it crashes, provided its
+ # RAM size is smaller than the limit set.
+@@ -804,6 +834,7 @@
+ #
+ #max_core = "unlimited"
+
++
+ # Determine if guest RAM is included in QEMU core dumps. By
+ # default guest RAM will be excluded on Linux platforms,
+ # and included on all other patforms. Setting this to '1' will
+@@ -814,6 +845,7 @@
+ #
+ #dump_guest_core = 1
+
++
+ # mac_filter enables MAC addressed based filtering on bridge ports.
+ # This currently requires ebtables to be installed.
+ #
+@@ -843,6 +875,7 @@
+ #
+ #max_queued = 0
+
++
+ ###################################################################
+ # Keepalive protocol:
+ # This allows qemu driver to detect broken connections to remote
+@@ -866,7 +899,6 @@
+ #keepalive_count = 5
+
+
+-
+ # Use seccomp syscall filtering sandbox in QEMU.
+ # 1 == filter enabled, 0 == filter disabled
+ #
+@@ -901,7 +933,6 @@
+ #migration_port_max = 49215
+
+
+-
+ # Timestamp QEMU's log messages (if QEMU supports it)
+ #
+ # Defaults to 1.
+@@ -941,6 +972,7 @@
+ # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
+ #]
+
++
+ # The backend to use for handling stdout/stderr output from
+ # QEMU processes.
+ #
+@@ -956,6 +988,7 @@
+ #
+ #stdio_handler = "logd"
+
++
+ # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+ # most verbose, and 0 representing no debugging output.
+ #
+@@ -976,6 +1009,7 @@
+ #
+ #gluster_debug_level = 9
+
++
+ # virtiofsd debug
+ #
+ # Whether to enable the debugging output of the virtiofsd daemon.
+@@ -983,6 +1017,7 @@
+ #
+ #virtiofsd_debug = 1
+
++
+ # To enhance security, QEMU driver is capable of creating private namespaces
+ # for each domain started. Well, so far only "mount" namespace is supported. If
+ # enabled it means qemu process is unable to see all the devices on the system,
+@@ -991,16 +1026,19 @@
+ # by default.
+ #namespaces = [ "mount" ]
+
++
+ # This directory is used for memoryBacking source if configured as file.
+ # NOTE: big files will be stored here
+ #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
++
+ # Path to the SCSI persistent reservations helper. This helper is
+ # used whenever are enabled for SCSI LUN devices.
+ # If this is not an absolute path, the program will be searched for
+ # in $PATH as well as a few additional directories.
+ #pr_helper = "qemu-pr-helper"
+
++
+ # Path to the SLIRP networking helper.
+ #slirp_helper = "/usr/bin/slirp-helper"
+
+@@ -1010,11 +1048,13 @@
+ # in $PATH.
+ #qemu_rdp = "qemu-rdp"
+
++
+ # Path to the dbus-daemon
+ # If this is not an absolute path, the program will be searched for
+ # in $PATH.
+ #dbus_daemon = "dbus-daemon"
+
++
+ # User for the swtpm TPM Emulator
+ #
+ # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
+@@ -1023,6 +1063,7 @@
+ #swtpm_user = "tss"
+ #swtpm_group = "tss"
+
++
+ # For debugging and testing purposes it's sometimes useful to be able to disable
+ # libvirt behaviour based on the capabilities of the qemu process. This option
+ # allows to do so. DO _NOT_ use in production and beaware that the behaviour
+@@ -1030,6 +1071,7 @@
+ #
+ #capability_filters = [ "capname" ]
+
++
+ # 'deprecation_behavior' setting controls how the qemu process behaves towards
+ # deprecated commands and arguments used by libvirt.
+ #
+@@ -1061,6 +1103,7 @@
+ #
+ #deprecation_behavior = "none"
+
++
+ # If this is set then QEMU and its threads will run in a separate scheduling
+ # group meaning no other process will share Hyper Threads of a single core with
+ # QEMU. Each QEMU has its own group.
+@@ -1077,6 +1120,7 @@
+ # scheduling group
+ #sched_core = "none"
+
++
+ # Using nbdkit to access remote disk sources
+ #
+ # If this is set then libvirt will use nbdkit to access remote disk sources
+@@ -1088,6 +1132,7 @@
+ #
+ #storage_use_nbdkit = @USE_NBDKIT_DEFAULT@
+
++
+ # libvirt will normally prevent migration if the storage backing the VM is not
+ # on a shared filesystems. Sometimes, however, the storage *is* shared despite
+ # not being detected as such: for example, this is the case when one of the
+--
+2.50.1
diff --git a/libvirt.spec b/libvirt.spec
index ac8006f..1af30e1 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -289,7 +289,7 @@ Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 11.5.0
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
@@ -314,6 +314,9 @@ Patch14: libvirt-qemu_tpm-Rename-qemuTPMHasSharedStorage-qemuTPMDomainHasSharedS
 Patch15: libvirt-qemu_tpm-Extract-per-TPM-functionality-from-qemuTPMDomainHasSharedStorage.patch
 Patch16: libvirt-qemu_tpm-Only-warn-about-missing-locking-feature-on-shared-filesystems.patch
 Patch17: libvirt-qemu_tpm-Do-not-use-persistent-definition-during-pre-start-checks.patch
+Patch18: libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch
+Patch19: libvirt-qemu-sanitize-blank-lines-in-config-file.patch
+Patch20: libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
 Requires: libvirt-daemon = %{version}-%{release}
@@ -2709,6 +2712,11 @@ exit 0
 %endif
 %changelog
+* Tue Aug 5 2025 Jiri Denemark - 11.5.0-4
+- qemu: fix order of VNC TLS config entries (RHEL-104382)
+- qemu: sanitize blank lines in config file (RHEL-104382)
+- qemu: add ability to set TLS priority string with QEMU (RHEL-104382)
+
 * Fri Jul 25 2025 Jiri Denemark - 11.5.0-3
 - qemu_tpm: Do not use persistent definition during pre-start checks (RHEL-80155)