Merge branch 'c9' into a9-ppc64le

This commit is contained in:
eabdullin 2023-03-28 09:54:33 +03:00
commit 74c9ecb6e1
13 changed files with 963 additions and 2 deletions

View File

@ -0,0 +1,59 @@
From 332386ae7bc02618d1860f726065448324a6734a Mon Sep 17 00:00:00 2001
Message-Id: <332386ae7bc02618d1860f726065448324a6734a@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Mon, 5 Sep 2022 12:37:16 +0200
Subject: [PATCH] kbase: Document QEMU private mount NS limitations
There are two points I've taken for granted:
1) the mount points are set before starting a guest,
2) the / and its submounts are marked as shared, so that mount
events propagate into child namespaces when assumption 1) is
not held.
But what's obvious to me might not be obvious to our users.
Document these known limitations.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit d3397885d589c25b8962ae221fd0a71ced5597cb)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
docs/kbase/qemu-passthrough-security.rst | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
index 4381d9f3a6..106c3cc5b9 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -156,3 +156,25 @@ will affect all virtual machines. These settings are all made in
* Cgroups - set ``cgroup_device_acl`` to include the desired device node, or
``cgroup_controllers = [...]`` to exclude the ``devices`` controller.
+
+Private monunt namespace
+----------------------------
+
+As mentioned above, libvirt launches each QEMU process in its own ``mount``
+namespace. It's recommended that all mount points are set up prior starting any
+guest. For cases when that can't be assured, mount points in the namespace are
+marked as slave so that mount events happening in the parent namespace are
+propagated into this child namespace. But this may require an additional step:
+mounts in the parent namespace need to be marked as shared (if the distribution
+doesn't do that by default). This can be achieved by running the following
+command before any guest is started:
+
+::
+
+ # mount --make-rshared /
+
+Another requirement for dynamic mount point propagation is to not place
+``hugetlbfs`` mount points under ``/dev`` because these won't be propagated as
+corresponding directories do not exist in the private namespace. Or just use
+``memfd`` memory backend instead which does not require ``hugetlbfs`` mount
+points.
--
2.39.0

View File

@ -0,0 +1,48 @@
From 08c8ef5eb30983d6ca004e84a11fe7f2547f984e Mon Sep 17 00:00:00 2001
Message-Id: <08c8ef5eb30983d6ca004e84a11fe7f2547f984e@dist-git>
From: Jonathon Jongsma <jjongsma@redhat.com>
Date: Tue, 23 Aug 2022 12:28:02 -0500
Subject: [PATCH] nodedev: wait a bit longer for new node devices
Openstack developers reported that newly-created mdevs were not
recognized by libvirt until after a libvirt daemon restart. The source
of the problem appears to be that when libvirt gets the udev 'add'
event, the sysfs tree for that device might not be ready and so libvirt
waits 100ms for it to appear (max 100 waits of 1ms each). But in the
OpenStack environment, the sysfs tree for new mediated devices was
taking closer to 250ms to appear and therefore libvirt gave up waiting
and didn't add these new devices to its list of nodedevs.
By changing the wait time to 1 second (max 100 waits of 10ms each), this
should provide enough time to enable these deployments to recognize
newly-created mediated devices, but it shouldn't increase the delay for
more traditional deployments too much.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2109450
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
(cherry picked from commit e4f9682ebc442bb5dfee807ba618c8863355776d)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2141364
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
---
src/node_device/node_device_udev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index 3d69bdedae..1f63162e23 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -1036,7 +1036,7 @@ udevProcessMediatedDevice(struct udev_device *dev,
linkpath = g_strdup_printf("%s/mdev_type", udev_device_get_syspath(dev));
- if (virFileWaitForExists(linkpath, 1, 100) < 0) {
+ if (virFileWaitForExists(linkpath, 10, 100) < 0) {
virReportSystemError(errno,
_("failed to wait for file '%s' to appear"),
linkpath);
--
2.38.1

View File

@ -0,0 +1,86 @@
From 5da85fb944db3dd8213a7302deaffa3b294acd64 Mon Sep 17 00:00:00 2001
Message-Id: <5da85fb944db3dd8213a7302deaffa3b294acd64@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 9 Aug 2022 16:16:09 +0200
Subject: [PATCH] qemu: Implement qemuDomainGetStatsCpu fallback for
qemu:///session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For domains started under session URI, we don't set up CGroups
(well, how could we since we're not running as root anyways).
Nevertheless, fetching CPU statistics exits early because of
lacking cpuacct controller. But with recent extension to
virProcessGetStatInfo() we can get the values we need from the
proc filesystem. Implement the fallback for the session URI as
some of virt tools rely on cpu.* stats to be reported (virt-top,
virt-manager).
Resolves: https://gitlab.com/libvirt/libvirt/-/issues/353
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1693707
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 044b8744d65f8571038f85685b3c4b241162977b)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2157094
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_driver.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 84cf2c6a4f..ac210d8069 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -18042,6 +18042,30 @@ qemuDomainGetStatsCpuCgroup(virDomainObj *dom,
return 0;
}
+
+static int
+qemuDomainGetStatsCpuProc(virDomainObj *vm,
+ virTypedParamList *params)
+{
+ unsigned long long cpuTime = 0;
+ unsigned long long sysTime = 0;
+ unsigned long long userTime = 0;
+
+ if (virProcessGetStatInfo(&cpuTime, &sysTime, &userTime,
+ NULL, NULL, vm->pid, 0) < 0) {
+ /* ignore error */
+ return 0;
+ }
+
+ if (virTypedParamListAddULLong(params, cpuTime, "cpu.time") < 0 ||
+ virTypedParamListAddULLong(params, userTime, "cpu.user") < 0 ||
+ virTypedParamListAddULLong(params, sysTime, "cpu.system") < 0)
+ return -1;
+
+ return 0;
+}
+
+
static int
qemuDomainGetStatsCpuHaltPollTime(virDomainObj *dom,
virTypedParamList *params)
@@ -18066,8 +18090,15 @@ qemuDomainGetStatsCpu(virQEMUDriver *driver,
virTypedParamList *params,
unsigned int privflags G_GNUC_UNUSED)
{
- if (qemuDomainGetStatsCpuCgroup(dom, params) < 0)
- return -1;
+ qemuDomainObjPrivate *priv = dom->privateData;
+
+ if (priv->cgroup) {
+ if (qemuDomainGetStatsCpuCgroup(dom, params) < 0)
+ return -1;
+ } else {
+ if (qemuDomainGetStatsCpuProc(dom, params) < 0)
+ return -1;
+ }
if (qemuDomainGetStatsCpuCache(driver, dom, params) < 0)
return -1;
--
2.39.0

View File

@ -0,0 +1,58 @@
From 198f38fa5540c7545607b9d1beb0bfb689d56c3d Mon Sep 17 00:00:00 2001
Message-Id: <198f38fa5540c7545607b9d1beb0bfb689d56c3d@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 1 Dec 2022 17:02:42 +0100
Subject: [PATCH] qemuAgentGetDisks: Don't use virJSONValueObjectGetStringArray
for optional data
The 'dependencies' field in the return data may be missing in some
cases. Historically 'virJSONValueObjectGetStringArray' didn't report
error in such case, but later refactor (commit 043b50b948ef3c2 ) added
an error in order to use it in other places too.
Unfortunately this results in the error log being spammed with an
irrelevant error in case when qemuAgentGetDisks is invoked on a VM
running windows.
Replace the use of virJSONValueObjectGetStringArray by fetching the
array first and calling virJSONValueArrayToStringList only when we have
an array.
Fixes: 043b50b948ef3c2a4adf5fa32a93ec2589851ac6
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2149752
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 3b576601dfb924bb518870a01de5d1a421cbb467)
https://bugzilla.redhat.com/show_bug.cgi?id=2154410
---
src/qemu/qemu_agent.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index d81f01ba77..7afef06694 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -2544,6 +2544,7 @@ int qemuAgentGetDisks(qemuAgent *agent,
for (i = 0; i < ndata; i++) {
virJSONValue *addr;
virJSONValue *entry = virJSONValueArrayGet(data, i);
+ virJSONValue *dependencies;
qemuAgentDiskInfo *disk;
if (!entry) {
@@ -2569,7 +2570,11 @@ int qemuAgentGetDisks(qemuAgent *agent,
goto error;
}
- disk->dependencies = virJSONValueObjectGetStringArray(entry, "dependencies");
+ if ((dependencies = virJSONValueObjectGetArray(entry, "dependencies"))) {
+ if (!(disk->dependencies = virJSONValueArrayToStringList(dependencies)))
+ goto error;
+ }
+
disk->alias = g_strdup(virJSONValueObjectGetString(entry, "alias"));
addr = virJSONValueObjectGetObject(entry, "address");
if (addr) {
--
2.39.0

View File

@ -0,0 +1,57 @@
From b76623b5921238c9a4db9b3e1958b51a4d7e8b52 Mon Sep 17 00:00:00 2001
Message-Id: <b76623b5921238c9a4db9b3e1958b51a4d7e8b52@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 28 Sep 2022 10:12:36 +0200
Subject: [PATCH] qemuProcessReconnect: Don't build memory paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let me take you on a short trip to history. A long time ago,
libvirt would configure all QEMUs to use $hugetlbfs/libvirt/qemu
for their hugepages setup. This was problematic, because it did
not allow enough separation between guests. Therefore in
v3.0.0-rc1~367 the path changed to a per-domain basis:
$hugetlbfs/libvirt/qemu/$domainShortName
And to help with migration on daemon restart a call to
qemuProcessBuildDestroyMemoryPaths() was added to
qemuProcessReconnect() (well, it was named
qemuProcessBuildDestroyHugepagesPath() back then, see
v3.10.0-rc1~174). This was desirable then, because the memory
hotplug code did not call the function, it simply assumes
per-domain paths to exist. But this changed in v3.5.0-rc1~92
after which the per-domain paths are created on memory hotplug
too.
Therefore, it's no longer necessary to create these paths in
qemuProcessReconnect(). They are created exactly when needed
(domain startup and memory hotplug).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 3478cca80ea7382cfdbff836d5d0b92aa014297b)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_process.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 062a0b6dac..979ad99f5a 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -9004,9 +9004,6 @@ qemuProcessReconnect(void *opaque)
goto cleanup;
}
- if (qemuProcessBuildDestroyMemoryPaths(driver, obj, NULL, true) < 0)
- goto error;
-
if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps,
driver, obj, false)) < 0) {
goto error;
--
2.39.0

View File

@ -0,0 +1,80 @@
From 6b3a0480cf2de402abce168aa0b093a8dc4f7a57 Mon Sep 17 00:00:00 2001
Message-Id: <6b3a0480cf2de402abce168aa0b093a8dc4f7a57@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 6 Sep 2022 13:43:22 +0200
Subject: [PATCH] qemu_namespace: Fix a corner case in
qemuDomainGetPreservedMounts()
When setting up namespace for QEMU we look at mount points under
/dev (like /dev/pts, /dev/mqueue/, etc.) because we want to
preserve those (which is done by moving them to a temp location,
unshare(), and then moving them back). We have a convenience
helper - qemuDomainGetPreservedMounts() - that processes the
mount table and (optionally) moves the other filesystems too.
This helper is also used when attempting to create a path in NS,
because the path, while starting with "/dev/" prefix, may
actually lead to one of those filesystems that we preserved.
And here comes the corner case: while we require the parent mount
table to be in shared mode (equivalent of `mount --make-rshared /'),
these mount events propagate iff the target path exist inside the
slave mount table (= QEMU's private namespace). And since we
create only a subset of /dev nodes, well, that assumption is not
always the case.
For instance, assume that a domain is already running, no
hugepages were configured for it nor any hugetlbfs is mounted.
Now, when a hugetlbfs is mounted into '/dev/hugepages', this is
propagated into the QEMU's namespace, but since the target dir
does not exist in the private /dev, the FS is not mounted in the
namespace.
Fortunately, this difference between namespaces is visible when
comparing /proc/mounts and /proc/$PID/mounts (where PID is the
QEMU's PID). Therefore, if possible we should look at the latter.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 46b03819ae8d833b11c2aaccb2c2a0361727f51b)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_namespace.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 71e3366ca5..807ec37c91 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -109,6 +109,8 @@ qemuDomainGetPreservedMountPath(virQEMUDriverConfig *cfg,
* b) generate backup path for all the entries in a)
*
* Any of the return pointers can be NULL. Both arrays are NULL-terminated.
+ * Get the mount table either from @vm's PID (if running), or from the
+ * namespace we're in (if @vm's not running).
*
* Returns 0 on success, -1 otherwise (with error reported)
*/
@@ -123,12 +125,18 @@ qemuDomainGetPreservedMounts(virQEMUDriverConfig *cfg,
size_t nmounts = 0;
g_auto(GStrv) paths = NULL;
g_auto(GStrv) savePaths = NULL;
+ g_autofree char *mountsPath = NULL;
size_t i;
if (ndevPath)
*ndevPath = 0;
- if (virFileGetMountSubtree(QEMU_PROC_MOUNTS, "/dev", &mounts, &nmounts) < 0)
+ if (vm->pid > 0)
+ mountsPath = g_strdup_printf("/proc/%lld/mounts", (long long) vm->pid);
+ else
+ mountsPath = g_strdup(QEMU_PROC_MOUNTS);
+
+ if (virFileGetMountSubtree(mountsPath, "/dev", &mounts, &nmounts) < 0)
return -1;
if (nmounts == 0)
--
2.39.0

View File

@ -0,0 +1,68 @@
From c8379fdd0f13af84f4b2ed449f8de77117fd8bc7 Mon Sep 17 00:00:00 2001
Message-Id: <c8379fdd0f13af84f4b2ed449f8de77117fd8bc7@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 6 Sep 2022 13:43:58 +0200
Subject: [PATCH] qemu_namespace: Introduce qemuDomainNamespaceSetupPath()
Sometimes it may come handy to just bind mount a directory/file
into domain's namespace. Implement a thin wrapper over
qemuNamespaceMknodPaths() which has all the logic we need.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 5853d707189005a4ea5b2215e80853867b822fd9)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_namespace.c | 19 +++++++++++++++++++
src/qemu/qemu_namespace.h | 4 ++++
2 files changed, 23 insertions(+)
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 807ec37c91..09e235e120 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1424,6 +1424,25 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm,
}
+int
+qemuDomainNamespaceSetupPath(virDomainObj *vm,
+ const char *path,
+ bool *created)
+{
+ g_autoptr(virGSListString) paths = NULL;
+
+ if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
+ return 0;
+
+ paths = g_slist_prepend(paths, g_strdup(path));
+
+ if (qemuNamespaceMknodPaths(vm, paths, created) < 0)
+ return -1;
+
+ return 0;
+}
+
+
int
qemuDomainNamespaceSetupDisk(virDomainObj *vm,
virStorageSource *src,
diff --git a/src/qemu/qemu_namespace.h b/src/qemu/qemu_namespace.h
index fbea865c70..85d990f460 100644
--- a/src/qemu/qemu_namespace.h
+++ b/src/qemu/qemu_namespace.h
@@ -48,6 +48,10 @@ void qemuDomainDestroyNamespace(virQEMUDriver *driver,
bool qemuDomainNamespaceAvailable(qemuDomainNamespace ns);
+int qemuDomainNamespaceSetupPath(virDomainObj *vm,
+ const char *path,
+ bool *created);
+
int qemuDomainNamespaceSetupDisk(virDomainObj *vm,
virStorageSource *src,
bool *created);
--
2.39.0

View File

@ -0,0 +1,45 @@
From 1f0a6e441617da6a95e2188408ad1ed2dd4665e4 Mon Sep 17 00:00:00 2001
Message-Id: <1f0a6e441617da6a95e2188408ad1ed2dd4665e4@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 6 Sep 2022 13:37:23 +0200
Subject: [PATCH] qemu_namespace: Tolerate missing ACLs when creating a path in
namespace
When creating a path in a domain's mount namespace we try to set
ACLs on it, so that it's a verbatim copy of the path in parent's
namespace. The ACLs are queried upfront (by
qemuNamespaceMknodItemInit()) but this is fault tolerant so the
pointer to ACLs might be NULL (meaning no ACLs were queried, for
instance because the underlying filesystem does not support
them). But then we take this NULL and pass it to virFileSetACLs()
which immediately returns an error because NULL is invalid value.
Mimic what we do with SELinux label - only set ACLs if they are
non-NULL which includes symlinks.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 687374959e160dc566bd4b6d43c7bf1beb470c59)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_namespace.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 98cd794666..71e3366ca5 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1040,8 +1040,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)
goto cleanup;
}
- /* Symlinks don't have ACLs. */
- if (!isLink &&
+ if (data->acl &&
virFileSetACLs(data->file, data->acl) < 0 &&
errno != ENOTSUP) {
virReportSystemError(errno,
--
2.39.0

View File

@ -0,0 +1,73 @@
From 9842eb7301f985e4cc08001aff48c269492b2456 Mon Sep 17 00:00:00 2001
Message-Id: <9842eb7301f985e4cc08001aff48c269492b2456@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 6 Sep 2022 13:45:51 +0200
Subject: [PATCH] qemu_process.c: Propagate hugetlbfs mounts on reconnect
When reconnecting to a running QEMU process, we construct the
per-domain path in all hugetlbfs mounts. This is a relict from
the past (v3.4.0-100-g5b24d25062) where we switched to a
per-domain path and we want to create those paths when libvirtd
restarts on upgrade.
And with namespaces enabled there is one corner case where the
path is not created. In fact an error is reported and the
reconnect fails. Ideally, all mount events are propagated into
the QEMU's namespace. And they probably are, except when the
target path does not exist inside the namespace. Now, it's pretty
common for users to mount hugetlbfs under /dev (e.g.
/dev/hugepages), but if domain is started without hugepages (or
more specifically - private hugetlbfs path wasn't created on
domain startup), then the reconnect code tries to create it.
But it fails to do so, well, it fails to set seclabels on the
path because, because the path does not exist in the private
namespace. And it doesn't exist because we specifically create
only a subset of all possible /dev nodes. Therefore, the mount
event, whilst propagated, is not successful and hence the
filesystem is not mounted. We have to do it ourselves.
If hugetlbfs is mount anywhere else there's no problem and this
is effectively a dead code.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 0377177c7856bb87a9d8aa1324b54f5fbe9f1e5b)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
docs/kbase/qemu-passthrough-security.rst | 6 ------
src/qemu/qemu_process.c | 3 +++
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
index 106c3cc5b9..ef10d8af9b 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -172,9 +172,3 @@ command before any guest is started:
::
# mount --make-rshared /
-
-Another requirement for dynamic mount point propagation is to not place
-``hugetlbfs`` mount points under ``/dev`` because these won't be propagated as
-corresponding directories do not exist in the private namespace. Or just use
-``memfd`` memory backend instead which does not require ``hugetlbfs`` mount
-points.
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 4b52d664c7..062a0b6dac 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4039,6 +4039,9 @@ qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriver *driver,
return -1;
}
+ if (qemuDomainNamespaceSetupPath(vm, path, NULL) < 0)
+ return -1;
+
if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0)
return -1;
} else {
--
2.39.0

View File

@ -0,0 +1,65 @@
From d9b1f47fc3139bccd08838064f4b233b7cff5f29 Mon Sep 17 00:00:00 2001
Message-Id: <d9b1f47fc3139bccd08838064f4b233b7cff5f29@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Thu, 8 Dec 2022 08:39:24 +0100
Subject: [PATCH] tools: Fix install_mode for some scripts
Scripts from the following list were installed with group write
bit set: virt-xml-validate, virt-pki-validate,
virt-sanlock-cleanup, libvirt-guests.sh. This is very unusual and
in contrast with the way other scripts/binaries are installed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151202
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit e771e32f15ff2b263ca70306d93080541a96792b)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2158208
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
tools/meson.build | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/meson.build b/tools/meson.build
index bb28a904dc..8a3dd63271 100644
--- a/tools/meson.build
+++ b/tools/meson.build
@@ -249,7 +249,7 @@ configure_file(
configuration: tools_conf,
install: true,
install_dir: bindir,
- install_mode: 'rwxrwxr-x',
+ install_mode: 'rwxr-xr-x',
)
configure_file(
@@ -258,7 +258,7 @@ configure_file(
configuration: tools_conf,
install: true,
install_dir: bindir,
- install_mode: 'rwxrwxr-x',
+ install_mode: 'rwxr-xr-x',
)
executable(
@@ -295,7 +295,7 @@ if conf.has('WITH_SANLOCK')
configuration: tools_conf,
install: true,
install_dir: sbindir,
- install_mode: 'rwxrwxr-x',
+ install_mode: 'rwxr-xr-x',
)
endif
@@ -306,7 +306,7 @@ if conf.has('WITH_LIBVIRTD')
configuration: tools_conf,
install: true,
install_dir: libexecdir,
- install_mode: 'rwxrwxr-x',
+ install_mode: 'rwxr-xr-x',
)
if init_script == 'systemd'
--
2.39.1

View File

@ -0,0 +1,165 @@
From b7a08f453fc448415ce320532907e61fa34f95b7 Mon Sep 17 00:00:00 2001
Message-Id: <b7a08f453fc448415ce320532907e61fa34f95b7@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 9 Aug 2022 16:15:55 +0200
Subject: [PATCH] util: Extend virProcessGetStatInfo() for sysTime and userTime
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virProcessGetStatInfo() helper parses /proc stat file for
given PID and/or TID and reports cumulative cpuTime which is just
a sum of user and sys times. But in near future, we'll need those
times separately, so make the function return them too (if caller
desires).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit cdc22d9a21e472a02dae8157e3cca5832f161feb)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2157094
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/ch/ch_driver.c | 1 +
src/qemu/qemu_driver.c | 4 +++-
src/util/virprocess.c | 33 ++++++++++++++++++++++-----------
src/util/virprocess.h | 2 ++
4 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/src/ch/ch_driver.c b/src/ch/ch_driver.c
index e7c172c894..bde148075d 100644
--- a/src/ch/ch_driver.c
+++ b/src/ch/ch_driver.c
@@ -1075,6 +1075,7 @@ chDomainHelperGetVcpus(virDomainObj *vm,
vcpuinfo->number = i;
vcpuinfo->state = VIR_VCPU_RUNNING;
if (virProcessGetStatInfo(&vcpuinfo->cpuTime,
+ NULL, NULL,
&vcpuinfo->cpu, NULL,
vm->pid, vcpupid) < 0) {
virReportSystemError(errno, "%s",
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index ebd6365f52..84cf2c6a4f 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1359,6 +1359,7 @@ qemuDomainHelperGetVcpus(virDomainObj *vm,
vcpuinfo->state = VIR_VCPU_RUNNING;
if (virProcessGetStatInfo(&vcpuinfo->cpuTime,
+ NULL, NULL,
&vcpuinfo->cpu, NULL,
vm->pid, vcpupid) < 0) {
virReportSystemError(errno, "%s",
@@ -2528,6 +2529,7 @@ qemuDomainGetInfo(virDomainPtr dom,
if (virDomainObjIsActive(vm)) {
if (virProcessGetStatInfo(&(info->cpuTime), NULL, NULL,
+ NULL, NULL,
vm->pid, 0) < 0) {
virReportError(VIR_ERR_OPERATION_FAILED, "%s",
_("cannot read cputime for domain"));
@@ -10770,7 +10772,7 @@ qemuDomainMemoryStatsInternal(virQEMUDriver *driver,
ret = 0;
}
- if (virProcessGetStatInfo(NULL, NULL, &rss, vm->pid, 0) < 0) {
+ if (virProcessGetStatInfo(NULL, NULL, NULL, NULL, &rss, vm->pid, 0) < 0) {
virReportError(VIR_ERR_OPERATION_FAILED, "%s",
_("cannot get RSS for domain"));
} else {
diff --git a/src/util/virprocess.c b/src/util/virprocess.c
index 013afd91b4..11f36e00a8 100644
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -1737,32 +1737,37 @@ virProcessGetStat(pid_t pid,
#ifdef __linux__
int
virProcessGetStatInfo(unsigned long long *cpuTime,
+ unsigned long long *userTime,
+ unsigned long long *sysTime,
int *lastCpu,
long *vm_rss,
pid_t pid,
pid_t tid)
{
g_auto(GStrv) proc_stat = virProcessGetStat(pid, tid);
- unsigned long long usertime = 0, systime = 0;
+ unsigned long long utime = 0;
+ unsigned long long stime = 0;
+ const unsigned long long jiff2nsec = 1000ull * 1000ull * 1000ull /
+ (unsigned long long) sysconf(_SC_CLK_TCK);
long rss = 0;
int cpu = 0;
if (!proc_stat ||
- virStrToLong_ullp(proc_stat[VIR_PROCESS_STAT_UTIME], NULL, 10, &usertime) < 0 ||
- virStrToLong_ullp(proc_stat[VIR_PROCESS_STAT_STIME], NULL, 10, &systime) < 0 ||
+ virStrToLong_ullp(proc_stat[VIR_PROCESS_STAT_UTIME], NULL, 10, &utime) < 0 ||
+ virStrToLong_ullp(proc_stat[VIR_PROCESS_STAT_STIME], NULL, 10, &stime) < 0 ||
virStrToLong_l(proc_stat[VIR_PROCESS_STAT_RSS], NULL, 10, &rss) < 0 ||
virStrToLong_i(proc_stat[VIR_PROCESS_STAT_PROCESSOR], NULL, 10, &cpu) < 0) {
VIR_WARN("cannot parse process status data");
}
- /* We got jiffies
- * We want nanoseconds
- * _SC_CLK_TCK is jiffies per second
- * So calculate thus....
- */
+ utime *= jiff2nsec;
+ stime *= jiff2nsec;
if (cpuTime)
- *cpuTime = 1000ull * 1000ull * 1000ull * (usertime + systime)
- / (unsigned long long) sysconf(_SC_CLK_TCK);
+ *cpuTime = utime + stime;
+ if (userTime)
+ *userTime = utime;
+ if (sysTime)
+ *sysTime = stime;
if (lastCpu)
*lastCpu = cpu;
@@ -1771,7 +1776,7 @@ virProcessGetStatInfo(unsigned long long *cpuTime,
VIR_DEBUG("Got status for %d/%d user=%llu sys=%llu cpu=%d rss=%ld",
- (int) pid, tid, usertime, systime, cpu, rss);
+ (int) pid, tid, utime, stime, cpu, rss);
return 0;
}
@@ -1844,6 +1849,8 @@ virProcessGetSchedInfo(unsigned long long *cpuWait,
#else
int
virProcessGetStatInfo(unsigned long long *cpuTime,
+ unsigned long long *userTime,
+ unsigned long long *sysTime,
int *lastCpu,
long *vm_rss,
pid_t pid G_GNUC_UNUSED,
@@ -1853,6 +1860,10 @@ virProcessGetStatInfo(unsigned long long *cpuTime,
* platforms, so just report neutral values */
if (cpuTime)
*cpuTime = 0;
+ if (userTime)
+ *userTime = 0;
+ if (sysTime)
+ *sysTime = 0;
if (lastCpu)
*lastCpu = 0;
if (vm_rss)
diff --git a/src/util/virprocess.h b/src/util/virprocess.h
index 086fbe0e4d..f5a4a4e508 100644
--- a/src/util/virprocess.h
+++ b/src/util/virprocess.h
@@ -195,6 +195,8 @@ typedef enum {
int virProcessNamespaceAvailable(unsigned int ns);
int virProcessGetStatInfo(unsigned long long *cpuTime,
+ unsigned long long *userTime,
+ unsigned long long *sysTime,
int *lastCpu,
long *vm_rss,
pid_t pid,
--
2.39.0

View File

@ -0,0 +1,124 @@
From 38ad84afdbeab479d0beee24e7bef87a64db1ce3 Mon Sep 17 00:00:00 2001
Message-Id: <38ad84afdbeab479d0beee24e7bef87a64db1ce3@dist-git>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 1 Dec 2022 13:32:07 +0100
Subject: [PATCH] util: json: Split out array->strinlist conversion from
virJSONValueObjectGetStringArray
Introduce virJSONValueArrayToStringList which does only the conversion
from an array to a stringlist.
This will allow refactoring the callers to be more careful in case when
they want to handle the existance of the member in the parent object
differently.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 6765bdeaf7e9cbdb4c39d47f3b77fb28a498408a)
https://bugzilla.redhat.com/show_bug.cgi?id=2154410
---
src/libvirt_private.syms | 1 +
src/util/virjson.c | 43 ++++++++++++++++++++++------------------
src/util/virjson.h | 2 ++
3 files changed, 27 insertions(+), 19 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 76bcc64eb0..288310b75a 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2543,6 +2543,7 @@ virJSONValueArrayForeachSteal;
virJSONValueArrayGet;
virJSONValueArraySize;
virJSONValueArraySteal;
+virJSONValueArrayToStringList;
virJSONValueCopy;
virJSONValueFree;
virJSONValueFromString;
diff --git a/src/util/virjson.c b/src/util/virjson.c
index 53f8cdff95..fcbc173ffa 100644
--- a/src/util/virjson.c
+++ b/src/util/virjson.c
@@ -1316,10 +1316,7 @@ virJSONValueObjectStealObject(virJSONValue *object,
char **
virJSONValueObjectGetStringArray(virJSONValue *object, const char *key)
{
- g_auto(GStrv) ret = NULL;
virJSONValue *data;
- size_t n;
- size_t i;
data = virJSONValueObjectGetArray(object, key);
if (!data) {
@@ -1329,32 +1326,40 @@ virJSONValueObjectGetStringArray(virJSONValue *object, const char *key)
return NULL;
}
- n = virJSONValueArraySize(data);
- ret = g_new0(char *, n + 1);
+ return virJSONValueArrayToStringList(data);
+}
+
+
+/**
+ * virJSONValueArrayToStringList:
+ * @data: a JSON array containing strings to convert
+ *
+ * Converts @data a JSON array containing strings to a NULL-terminated string
+ * list. @data must be a JSON array. In case @data is doesn't contain only
+ * strings an error is reported.
+ */
+char **
+virJSONValueArrayToStringList(virJSONValue *data)
+{
+ size_t n = virJSONValueArraySize(data);
+ g_auto(GStrv) ret = g_new0(char *, n + 1);
+ size_t i;
+
for (i = 0; i < n; i++) {
virJSONValue *child = virJSONValueArrayGet(data, i);
- const char *tmp;
- if (!child) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("%s array element is missing item %zu"),
- key, i);
+ if (!child ||
+ !(ret[i] = g_strdup(virJSONValueGetString(child)))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("JSON string array contains non-string element"));
return NULL;
}
-
- if (!(tmp = virJSONValueGetString(child))) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("%s array element does not contain a string"),
- key);
- return NULL;
- }
-
- ret[i] = g_strdup(tmp);
}
return g_steal_pointer(&ret);
}
+
/**
* virJSONValueObjectForeachKeyValue:
* @object: JSON object to iterate
diff --git a/src/util/virjson.h b/src/util/virjson.h
index aced48a538..c9f83ab2bc 100644
--- a/src/util/virjson.h
+++ b/src/util/virjson.h
@@ -172,6 +172,8 @@ virJSONValueObjectGetString(virJSONValue *object,
char **
virJSONValueObjectGetStringArray(virJSONValue *object,
const char *key);
+char **
+virJSONValueArrayToStringList(virJSONValue *data);
const char *
virJSONValueObjectGetStringOrNumber(virJSONValue *object,
const char *key);
--
2.39.0

View File

@ -227,7 +227,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 8.5.0
Release: 7%{?dist}%{?extra_release}
Release: 7.4%{?dist}%{?extra_release}.alma
License: LGPLv2+
URL: https://libvirt.org/
@ -270,6 +270,18 @@ Patch31: libvirt-qemu-don-t-call-qemuMigrationSrcIsAllowedHostdev-from-qemuMigra
Patch32: libvirt-rpc-Pass-OPENSSL_CONF-through-to-ssh-invocations.patch
Patch33: libvirt-qemu_process-Destroy-domain-s-namespace-after-killing-QEMU.patch
Patch34: libvirt-security_selinux-Don-t-ignore-NVMe-disks-when-setting-image-label.patch
Patch35: libvirt-nodedev-wait-a-bit-longer-for-new-node-devices.patch
Patch36: libvirt-kbase-Document-QEMU-private-mount-NS-limitations.patch
Patch37: libvirt-qemu_namespace-Tolerate-missing-ACLs-when-creating-a-path-in-namespace.patch
Patch38: libvirt-qemu_namespace-Fix-a-corner-case-in-qemuDomainGetPreservedMounts.patch
Patch39: libvirt-qemu_namespace-Introduce-qemuDomainNamespaceSetupPath.patch
Patch40: libvirt-qemu_process.c-Propagate-hugetlbfs-mounts-on-reconnect.patch
Patch41: libvirt-qemuProcessReconnect-Don-t-build-memory-paths.patch
Patch42: libvirt-util-json-Split-out-array-strinlist-conversion-from-virJSONValueObjectGetStringArray.patch
Patch43: libvirt-qemuAgentGetDisks-Don-t-use-virJSONValueObjectGetStringArray-for-optional-data.patch
Patch44: libvirt-util-Extend-virProcessGetStatInfo-for-sysTime-and-userTime.patch
Patch45: libvirt-qemu-Implement-qemuDomainGetStatsCpu-fallback-for-qemu-session.patch
Patch46: libvirt-tools-Fix-install_mode-for-some-scripts.patch
Requires: libvirt-daemon = %{version}-%{release}
@ -2176,9 +2188,30 @@ exit 0
%changelog
* Mon Dec 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 8.5.0-7.alma
* Mon Dec 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 8.5.0-7.4.el9_1.alma
- Enable for ppc64le
* Tue Jan 31 2023 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-7.4.el9_1
- tools: Fix install_mode for some scripts (rhbz#2158208)
* Thu Jan 5 2023 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-7.3.el9_1
- util: json: Split out array->strinlist conversion from virJSONValueObjectGetStringArray (rhbz#2154410)
- qemuAgentGetDisks: Don't use virJSONValueObjectGetStringArray for optional data (rhbz#2154410)
- util: Extend virProcessGetStatInfo() for sysTime and userTime (rhbz#2157094)
- qemu: Implement qemuDomainGetStatsCpu fallback for qemu:///session (rhbz#2157094)
- RHEL: rpminspect: Disable abidiff inspection
* Wed Dec 14 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-7.2.el9_1
- kbase: Document QEMU private mount NS limitations (rhbz#2152083)
- qemu_namespace: Tolerate missing ACLs when creating a path in namespace (rhbz#2152083)
- qemu_namespace: Fix a corner case in qemuDomainGetPreservedMounts() (rhbz#2152083)
- qemu_namespace: Introduce qemuDomainNamespaceSetupPath() (rhbz#2152083)
- qemu_process.c: Propagate hugetlbfs mounts on reconnect (rhbz#2152083)
- qemuProcessReconnect: Don't build memory paths (rhbz#2152083)
* Fri Nov 11 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-7.1.el9_1
- nodedev: wait a bit longer for new node devices (rhbz#2141364)
* Mon Sep 26 2022 Jiri Denemark <jdenemar@redhat.com> - 8.5.0-7
- security_selinux: Don't ignore NVMe disks when setting image label (rhbz#2121441)