Enable building for ppc64le

This commit is contained in:
Eduard Abdullin 2025-09-03 02:36:19 +00:00 committed by root
commit e2c020dc36
22 changed files with 12 additions and 3320 deletions


@ -1,176 +0,0 @@
From 5ef229b0035c34fd9b67183d6f0a2b810cc47907 Mon Sep 17 00:00:00 2001
Message-ID: <5ef229b0035c34fd9b67183d6f0a2b810cc47907.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 27 Jun 2025 14:47:10 +0200
Subject: [PATCH] cgroup: Plumb the 'daemonDomainShutdown' parameter of
'virSystemdCreateMachine' to drivers
Plumb the new argument across the cgroup helpers up to the domain driver
code.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit fe57a6deaa8ab83ffdb8ed73104196e4b1421893)
https://issues.redhat.com/browse/RHEL-95361
---
src/ch/ch_process.c | 2 ++
src/hypervisor/domain_cgroup.c | 4 ++++
src/hypervisor/domain_cgroup.h | 1 +
src/lxc/lxc_cgroup.c | 1 +
src/qemu/qemu_cgroup.c | 1 +
src/util/vircgroup.c | 6 +++++-
src/util/vircgroup.h | 1 +
7 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/ch/ch_process.c b/src/ch/ch_process.c
index 95c808cb41..cc84823fdc 100644
--- a/src/ch/ch_process.c
+++ b/src/ch/ch_process.c
@@ -973,6 +973,7 @@ virCHProcessStart(virCHDriver *driver,
cfg->cgroupControllers,
0, /*maxThreadsPerProc*/
priv->driver->privileged,
+ false,
priv->machineName) < 0)
goto cleanup;
@@ -1147,6 +1148,7 @@ virCHProcessStartRestore(virCHDriver *driver, virDomainObj *vm, const char *from
cfg->cgroupControllers,
0, /*maxThreadsPerProc*/
priv->driver->privileged,
+ false,
priv->machineName) < 0)
goto cleanup;
diff --git a/src/hypervisor/domain_cgroup.c b/src/hypervisor/domain_cgroup.c
index fecc0f7966..8787165f48 100644
--- a/src/hypervisor/domain_cgroup.c
+++ b/src/hypervisor/domain_cgroup.c
@@ -351,6 +351,7 @@ virDomainCgroupInitCgroup(const char *prefix,
int cgroupControllers,
unsigned int maxThreadsPerProc,
bool privileged,
+ bool daemonDomainShutdown,
char *machineName)
{
if (!privileged)
@@ -384,6 +385,7 @@ virDomainCgroupInitCgroup(const char *prefix,
vm->def->resource->partition,
cgroupControllers,
maxThreadsPerProc,
+ daemonDomainShutdown,
cgroup) < 0) {
if (virCgroupNewIgnoreError())
return 0;
@@ -513,6 +515,7 @@ virDomainCgroupSetupCgroup(const char *prefix,
int cgroupControllers,
unsigned int maxThreadsPerProc,
bool privileged,
+ bool daemonDomainShutdown,
char *machineName)
{
if (vm->pid == 0) {
@@ -529,6 +532,7 @@ virDomainCgroupSetupCgroup(const char *prefix,
cgroupControllers,
maxThreadsPerProc,
privileged,
+ daemonDomainShutdown,
machineName) < 0)
return -1;
diff --git a/src/hypervisor/domain_cgroup.h b/src/hypervisor/domain_cgroup.h
index 6e5c98004e..7769572a2c 100644
--- a/src/hypervisor/domain_cgroup.h
+++ b/src/hypervisor/domain_cgroup.h
@@ -71,6 +71,7 @@ virDomainCgroupSetupCgroup(const char *prefix,
int cgroupControllers,
unsigned int maxThreadsPerProc,
bool privileged,
+ bool daemonDomainShutdown,
char *machineName);
void
virDomainCgroupEmulatorAllNodesDataFree(virCgroupEmulatorAllNodesData *data);
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index 7c889667ba..f566a5468e 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -400,6 +400,7 @@ virCgroup *virLXCCgroupCreate(virDomainDef *def,
def->resource->partition,
-1,
0,
+ false,
&cgroup) < 0)
return NULL;
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 48af467bf9..04d6370011 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -919,6 +919,7 @@ qemuSetupCgroup(virDomainObj *vm,
cfg->cgroupControllers,
cfg->maxThreadsPerProc,
priv->driver->privileged,
+ false,
priv->machineName) < 0)
return -1;
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index fc5dca4858..532a7e5690 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1274,6 +1274,7 @@ virCgroupNewMachineSystemd(const char *name,
const char *partition,
int controllers,
unsigned int maxthreads,
+ bool daemonDomainShutdown,
virCgroup **group)
{
int rv;
@@ -1294,7 +1295,7 @@ virCgroupNewMachineSystemd(const char *name,
nicindexes,
partition,
maxthreads,
- false)) < 0)
+ daemonDomainShutdown)) < 0)
return rv;
if (controllers != -1)
@@ -1407,6 +1408,7 @@ virCgroupNewMachine(const char *name,
const char *partition,
int controllers,
unsigned int maxthreads,
+ bool daemonDomainShutdown,
virCgroup **group)
{
int rv;
@@ -1424,6 +1426,7 @@ virCgroupNewMachine(const char *name,
partition,
controllers,
maxthreads,
+ daemonDomainShutdown,
group)) == 0)
return 0;
@@ -3144,6 +3147,7 @@ virCgroupNewMachine(const char *name G_GNUC_UNUSED,
const char *partition G_GNUC_UNUSED,
int controllers G_GNUC_UNUSED,
unsigned int maxthreads G_GNUC_UNUSED,
+ bool daemonDomainShutdown G_GNUC_UNUSED,
virCgroup **group G_GNUC_UNUSED)
{
virReportSystemError(ENXIO, "%s",
diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index adf3850b22..2a7aa3306c 100644
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -101,6 +101,7 @@ int virCgroupNewMachine(const char *name,
const char *partition,
int controllers,
unsigned int maxthreads,
+ bool daemonDomainShutdown,
virCgroup **group)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2)
ATTRIBUTE_NONNULL(3);
--
2.50.1


@ -1,68 +0,0 @@
From c7889487359bff14c6d4b236055acfee68da66ae Mon Sep 17 00:00:00 2001
Message-ID: <c7889487359bff14c6d4b236055acfee68da66ae.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 26 Jun 2025 18:24:06 +0200
Subject: [PATCH] cgroup: Unexport 'virDomainCgroupInitCgroup'
The function is called just from one place within the module where it's
defined.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 3e0859566a164f640e75889d08241844b5e61bf8)
https://issues.redhat.com/browse/RHEL-95361
---
src/hypervisor/domain_cgroup.c | 2 +-
src/hypervisor/domain_cgroup.h | 10 ----------
src/libvirt_private.syms | 1 -
3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/src/hypervisor/domain_cgroup.c b/src/hypervisor/domain_cgroup.c
index fda495faf5..fecc0f7966 100644
--- a/src/hypervisor/domain_cgroup.c
+++ b/src/hypervisor/domain_cgroup.c
@@ -342,7 +342,7 @@ virDomainCgroupSetupCpuCgroup(virDomainObj *vm,
}
-int
+static int
virDomainCgroupInitCgroup(const char *prefix,
virDomainObj *vm,
size_t nnicindexes,
diff --git a/src/hypervisor/domain_cgroup.h b/src/hypervisor/domain_cgroup.h
index f8d261a080..6e5c98004e 100644
--- a/src/hypervisor/domain_cgroup.h
+++ b/src/hypervisor/domain_cgroup.h
@@ -52,16 +52,6 @@ virDomainCgroupSetupCpusetCgroup(virCgroup *cgroup);
int
virDomainCgroupSetupCpuCgroup(virDomainObj *vm,
virCgroup *cgroup);
-int
-virDomainCgroupInitCgroup(const char *prefix,
- virDomainObj *vm,
- size_t nnicindexes,
- int *nicindexes,
- virCgroup **cgroup,
- int cgroupControllers,
- unsigned int maxThreadsPerProc,
- bool privileged,
- char *machineName);
void
virDomainCgroupRestoreCgroupState(virDomainObj *vm,
virCgroup *cgroup);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index a8ebf9efd8..8f1489ecc8 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1641,7 +1641,6 @@ virSetConnectStorage;
virDomainCgroupConnectCgroup;
virDomainCgroupEmulatorAllNodesAllow;
virDomainCgroupEmulatorAllNodesRestore;
-virDomainCgroupInitCgroup;
virDomainCgroupRemoveCgroup;
virDomainCgroupSetMemoryLimitParameters;
virDomainCgroupSetupBlkio;
--
2.50.1


@ -1,325 +0,0 @@
From bbb7dceccc95c5329fed28d71b35264a0cdf2b3c Mon Sep 17 00:00:00 2001
Message-ID: <bbb7dceccc95c5329fed28d71b35264a0cdf2b3c.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 1 Jul 2025 16:11:12 +0200
Subject: [PATCH] hypervisor: Split out individual steps out of
virDomainDriverAutoShutdown
'virDomainDriverAutoShutdown' grew into an unwieldy function. Extract
the code for each of the save/shutdown/poweroff steps into helpers and
call them.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit e13e9b46f62d4d9f0aad33983fda39c5f3f7e645)
https://issues.redhat.com/browse/RHEL-95196
---
src/hypervisor/domain_driver.c | 285 +++++++++++++++++++--------------
1 file changed, 161 insertions(+), 124 deletions(-)
diff --git a/src/hypervisor/domain_driver.c b/src/hypervisor/domain_driver.c
index 353b8875ec..cce6c64d1b 100644
--- a/src/hypervisor/domain_driver.c
+++ b/src/hypervisor/domain_driver.c
@@ -738,6 +738,164 @@ virDomainDriverAutoShutdownActive(virDomainDriverAutoShutdownConfig *cfg)
}
+static void
+virDomainDriverAutoShutdownDoSave(virDomainPtr *domains,
+ bool *transient,
+ size_t numDomains,
+ virDomainDriverAutoShutdownConfig *cfg)
+{
+ g_autofree unsigned int *flags = g_new0(unsigned int, numDomains);
+ size_t i;
+
+ if (cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
+ return;
+
+ for (i = 0; i < numDomains; i++) {
+ int state;
+
+ if ((transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
+ (!transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ continue;
+
+ virSystemdNotifyStatus("Suspending '%s' (%zu of %zu)",
+ virDomainGetName(domains[i]), i + 1, numDomains);
+ VIR_INFO("Suspending '%s'", virDomainGetName(domains[i]));
+
+ /*
+ * Pause all VMs to make them stop dirtying pages,
+ * so save is quicker. We remember if any VMs were
+ * paused so we can restore that on resume.
+ */
+ flags[i] = VIR_DOMAIN_SAVE_RUNNING;
+ if (virDomainGetState(domains[i], &state, NULL, 0) == 0) {
+ if (state == VIR_DOMAIN_PAUSED)
+ flags[i] = VIR_DOMAIN_SAVE_PAUSED;
+ }
+ if (cfg->saveBypassCache)
+ flags[i] |= VIR_DOMAIN_SAVE_BYPASS_CACHE;
+
+ if (flags[i] & VIR_DOMAIN_SAVE_RUNNING)
+ virDomainSuspend(domains[i]);
+ }
+
+ for (i = 0; i < numDomains; i++) {
+ virSystemdNotifyStatus("Saving '%s' (%zu of %zu)",
+ virDomainGetName(domains[i]), i + 1, numDomains);
+ VIR_INFO("Saving '%s'", virDomainGetName(domains[i]));
+
+ if (virDomainManagedSave(domains[i], flags[i]) < 0) {
+ VIR_WARN("auto-shutdown: unable to perform managed save of '%s': %s",
+ domains[i]->name,
+ virGetLastErrorMessage());
+ if (flags[i] & VIR_DOMAIN_SAVE_RUNNING)
+ virDomainResume(domains[i]);
+ continue;
+ }
+ virObjectUnref(domains[i]);
+ domains[i] = NULL;
+ }
+}
+
+
+static void
+virDomainDriverAutoShutdownDoShutdown(virDomainPtr *domains,
+ bool *transient,
+ size_t numDomains,
+ virDomainDriverAutoShutdownConfig *cfg)
+{
+ GTimer *timer = NULL;
+ size_t i;
+
+ if (cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
+ return;
+
+ for (i = 0; i < numDomains; i++) {
+ if (domains[i] == NULL)
+ continue;
+
+ if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
+ (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ continue;
+
+ virSystemdNotifyStatus("Shutting down '%s' (%zu of %zu)",
+ virDomainGetName(domains[i]), i + 1, numDomains);
+ VIR_INFO("Shutting down '%s'", virDomainGetName(domains[i]));
+
+ if (virDomainShutdown(domains[i]) < 0) {
+ VIR_WARN("auto-shutdown: unable to request graceful shutdown of '%s': %s",
+ domains[i]->name,
+ virGetLastErrorMessage());
+ break;
+ }
+ }
+
+ timer = g_timer_new();
+ virSystemdNotifyStatus("Waiting %u secs for VM shutdown completion",
+ cfg->waitShutdownSecs);
+ VIR_INFO("Waiting %u secs for VM shutdown completion", cfg->waitShutdownSecs);
+ while (1) {
+ bool anyRunning = false;
+ for (i = 0; i < numDomains; i++) {
+ if (!domains[i])
+ continue;
+
+ if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
+ (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ continue;
+
+ if (virDomainIsActive(domains[i]) == 1) {
+ anyRunning = true;
+ } else {
+ virObjectUnref(domains[i]);
+ domains[i] = NULL;
+ }
+ }
+
+ if (!anyRunning)
+ break;
+ if (g_timer_elapsed(timer, NULL) > cfg->waitShutdownSecs)
+ break;
+ g_usleep(1000*500);
+ }
+ g_timer_destroy(timer);
+}
+
+
+static void
+virDomainDriverAutoShutdownDoPoweroff(virDomainPtr *domains,
+ bool *transient,
+ size_t numDomains,
+ virDomainDriverAutoShutdownConfig *cfg)
+{
+ size_t i;
+
+ if (cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
+ return;
+
+ for (i = 0; i < numDomains; i++) {
+ if (domains[i] == NULL)
+ continue;
+
+ if ((transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
+ (!transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ continue;
+
+ virSystemdNotifyStatus("Destroying '%s' (%zu of %zu)",
+ virDomainGetName(domains[i]), i + 1, numDomains);
+ VIR_INFO("Destroying '%s'", virDomainGetName(domains[i]));
+ /*
+ * NB might fail if we gave up on waiting for
+ * virDomainShutdown, but it then completed anyway,
+ * hence we're not checking for failure
+ */
+ virDomainDestroy(domains[i]);
+
+ virObjectUnref(domains[i]);
+ domains[i] = NULL;
+ }
+}
+
+
void
virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
{
@@ -816,130 +974,9 @@ virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
}
}
- if (cfg->trySave != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE) {
- g_autofree unsigned int *flags = g_new0(unsigned int, numDomains);
- for (i = 0; i < numDomains; i++) {
- int state;
-
- if ((transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
- continue;
-
- virSystemdNotifyStatus("Suspending '%s' (%zu of %d)",
- virDomainGetName(domains[i]), i + 1, numDomains);
- VIR_INFO("Suspending '%s'", virDomainGetName(domains[i]));
-
- /*
- * Pause all VMs to make them stop dirtying pages,
- * so save is quicker. We remember if any VMs were
- * paused so we can restore that on resume.
- */
- flags[i] = VIR_DOMAIN_SAVE_RUNNING;
- if (virDomainGetState(domains[i], &state, NULL, 0) == 0) {
- if (state == VIR_DOMAIN_PAUSED)
- flags[i] = VIR_DOMAIN_SAVE_PAUSED;
- }
- if (cfg->saveBypassCache)
- flags[i] |= VIR_DOMAIN_SAVE_BYPASS_CACHE;
-
- if (flags[i] & VIR_DOMAIN_SAVE_RUNNING)
- virDomainSuspend(domains[i]);
- }
-
- for (i = 0; i < numDomains; i++) {
- virSystemdNotifyStatus("Saving '%s' (%zu of %d)",
- virDomainGetName(domains[i]), i + 1, numDomains);
- VIR_INFO("Saving '%s'", virDomainGetName(domains[i]));
-
- if (virDomainManagedSave(domains[i], flags[i]) < 0) {
- VIR_WARN("auto-shutdown: unable to perform managed save of '%s': %s",
- domains[i]->name,
- virGetLastErrorMessage());
- if (flags[i] & VIR_DOMAIN_SAVE_RUNNING)
- virDomainResume(domains[i]);
- continue;
- }
- virObjectUnref(domains[i]);
- domains[i] = NULL;
- }
- }
-
- if (cfg->tryShutdown != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE) {
- GTimer *timer = NULL;
- for (i = 0; i < numDomains; i++) {
- if (domains[i] == NULL)
- continue;
-
- if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
- continue;
-
- virSystemdNotifyStatus("Shutting down '%s' (%zu of %d)",
- virDomainGetName(domains[i]), i + 1, numDomains);
- VIR_INFO("Shutting down '%s'", virDomainGetName(domains[i]));
-
- if (virDomainShutdown(domains[i]) < 0) {
- VIR_WARN("auto-shutdown: unable to request graceful shutdown of '%s': %s",
- domains[i]->name,
- virGetLastErrorMessage());
- break;
- }
- }
-
- timer = g_timer_new();
- virSystemdNotifyStatus("Waiting %u secs for VM shutdown completion",
- cfg->waitShutdownSecs);
- VIR_INFO("Waiting %u secs for VM shutdown completion", cfg->waitShutdownSecs);
- while (1) {
- bool anyRunning = false;
- for (i = 0; i < numDomains; i++) {
- if (!domains[i])
- continue;
-
- if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
- continue;
-
- if (virDomainIsActive(domains[i]) == 1) {
- anyRunning = true;
- } else {
- virObjectUnref(domains[i]);
- domains[i] = NULL;
- }
- }
-
- if (!anyRunning)
- break;
- if (g_timer_elapsed(timer, NULL) > cfg->waitShutdownSecs)
- break;
- g_usleep(1000*500);
- }
- g_timer_destroy(timer);
- }
-
- if (cfg->poweroff != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE) {
- for (i = 0; i < numDomains; i++) {
- if (domains[i] == NULL)
- continue;
-
- if ((transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
- continue;
-
- virSystemdNotifyStatus("Destroying '%s' (%zu of %d)",
- virDomainGetName(domains[i]), i + 1, numDomains);
- VIR_INFO("Destroying '%s'", virDomainGetName(domains[i]));
- /*
- * NB might fail if we gave up on waiting for
- * virDomainShutdown, but it then completed anyway,
- * hence we're not checking for failure
- */
- virDomainDestroy(domains[i]);
-
- virObjectUnref(domains[i]);
- domains[i] = NULL;
- }
- }
+ virDomainDriverAutoShutdownDoSave(domains, transient, numDomains, cfg);
+ virDomainDriverAutoShutdownDoShutdown(domains, transient, numDomains, cfg);
+ virDomainDriverAutoShutdownDoPoweroff(domains, transient, numDomains, cfg);
virSystemdNotifyStatus("Processed %d domains", numDomains);
VIR_INFO("Processed %d domains", numDomains);
--
2.50.1


@ -1,77 +0,0 @@
From 8ebd4e7c38291929f8a6c481b768a4d8355ea19c Mon Sep 17 00:00:00 2001
Message-ID: <8ebd4e7c38291929f8a6c481b768a4d8355ea19c.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 27 Jun 2025 15:22:22 +0200
Subject: [PATCH] hypervisor: domain: Extract logic for auto shutdown to
virDomainDriverAutoShutdownActive
Extract the checker that determines whether the daemon auto shutdown
functionality is active to a separate helper
'virDomainDriverAutoShutdownActive'.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit bb51963bb173b28dacb6a1374712b1344e9a61c2)
https://issues.redhat.com/browse/RHEL-95361
---
src/hypervisor/domain_driver.c | 13 ++++++++++---
src/hypervisor/domain_driver.h | 1 +
src/libvirt_private.syms | 1 +
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/hypervisor/domain_driver.c b/src/hypervisor/domain_driver.c
index 62bbe176ae..353b8875ec 100644
--- a/src/hypervisor/domain_driver.c
+++ b/src/hypervisor/domain_driver.c
@@ -729,6 +729,15 @@ virDomainDriverAutoStart(virDomainObjList *domains,
}
+bool
+virDomainDriverAutoShutdownActive(virDomainDriverAutoShutdownConfig *cfg)
+{
+ return cfg->trySave != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE ||
+ cfg->tryShutdown != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE ||
+ cfg->poweroff != VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
+}
+
+
void
virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
{
@@ -773,9 +782,7 @@ virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
}
/* Short-circuit if all actions are disabled */
- if (cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE &&
- cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE &&
- cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
+ if (!virDomainDriverAutoShutdownActive(cfg))
return;
if (!(conn = virConnectOpen(cfg->uri)))
diff --git a/src/hypervisor/domain_driver.h b/src/hypervisor/domain_driver.h
index d90466b942..af1c4eaed6 100644
--- a/src/hypervisor/domain_driver.h
+++ b/src/hypervisor/domain_driver.h
@@ -116,4 +116,5 @@ typedef struct _virDomainDriverAutoShutdownConfig {
bool autoRestore;
} virDomainDriverAutoShutdownConfig;
+bool virDomainDriverAutoShutdownActive(virDomainDriverAutoShutdownConfig *cfg);
void virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 8f1489ecc8..1b9be478e4 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1658,6 +1658,7 @@ virDomainCgroupSetupVcpuBW;
# hypervisor/domain_driver.h
virDomainDriverAddIOThreadCheck;
virDomainDriverAutoShutdown;
+virDomainDriverAutoShutdownActive;
virDomainDriverAutoShutdownScopeTypeFromString;
virDomainDriverAutoShutdownScopeTypeToString;
virDomainDriverAutoStart;
--
2.50.1


@ -1,44 +0,0 @@
From c50a7108b0090fdce43c7f9d0cef9c905c989cc5 Mon Sep 17 00:00:00 2001
Message-ID: <c50a7108b0090fdce43c7f9d0cef9c905c989cc5.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 1 Jul 2025 13:46:59 +0200
Subject: [PATCH] kbase: tlscerts: Drop 'encryption_key' feature request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As TLS 1.3 performs key exchange separately from the algorithm used to
verify authenticity, the certificates for libvirt's use of TLS don't
need to require the 'encryption_key' feature any more.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 3da460236968be1c67a38a01711d46cb257a7125)
https://issues.redhat.com/browse/RHEL-100711
---
docs/kbase/tlscerts.rst | 2 --
1 file changed, 2 deletions(-)
diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
index e4aa5bb3c9..215d454998 100644
--- a/docs/kbase/tlscerts.rst
+++ b/docs/kbase/tlscerts.rst
@@ -204,7 +204,6 @@ define the server as follows:
ip_address = 2001:cafe::74
ip_address = fe20::24
tls_www_server
- encryption_key
signing_key
The 'cn' field should refer to the fully qualified public hostname of the
@@ -298,7 +297,6 @@ briefly cover the steps.
organization = Libvirt Project
cn = client1
tls_www_client
- encryption_key
signing_key
and sign by doing:
--
2.50.1


@ -1,93 +0,0 @@
From 79f9281a8d3dcd15b2332e2e4f599617d47b5fd0 Mon Sep 17 00:00:00 2001
Message-ID: <79f9281a8d3dcd15b2332e2e4f599617d47b5fd0.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 27 Jun 2025 16:10:03 +0200
Subject: [PATCH] qemu: Fix auto-shutdown of qemu VMs by the qemu driver
When auto-shutdown via the qemu driver is requested (rather than via
libvirt guests) we need to start the VMs in a way that they will be kept
around for libvirt to terminate them. This involves inverting the
dependancy relationship for the machined unit file.
Since the setup is done at startup of the VM, add a disclaimer to
qemu.conf that switching between the two modes with VMs running will not
work properly.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 82963fdcb67742fad3066d31f2bd9b14c8153574)
https://issues.redhat.com/browse/RHEL-95361
---
src/qemu/qemu.conf.in | 15 ++++++++++++++-
src/qemu/qemu_cgroup.c | 8 +++++++-
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 221bfa8095..6358a45ae2 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -663,7 +663,10 @@
# implemented for transient VMs.
#
# If 'libvirt-guests.service' is enabled, then this must be
-# set to 'none' for system daemons to avoid dueling actions
+# set to 'none' for system daemons to avoid dueling actions.
+# Warning: Switching between 'libvirt-guests.service' and this option
+# causes VMs running at that point to misbehave on host shutdown unless
+# they are restarted, or saved and restored.
#auto_shutdown_try_save = "persistent"
# As above, but with a graceful shutdown action instead of
@@ -675,6 +678,9 @@
#
# If 'libvirt-guests.service' is enabled, then this must be
# set to 'none' for system daemons to avoid dueling actions
+# Warning: Switching between 'libvirt-guests.service' and this option
+# causes VMs running at that point to misbehave on host shutdown unless
+# they are restarted, or saved and restored.
#auto_shutdown_try_shutdown = "all"
# As above, but with a forced poweroff instead of managed
@@ -687,6 +693,13 @@
#
# If 'libvirt-guests.service' is enabled, then this must be
# set to 'none' for system daemons to avoid dueling actions
+#
+# Warning: Switching between 'libvirt-guests.service' and this option
+# causes VMs running at that point to misbehave on host shutdown unless
+# they are restarted, or saved and restored.
+#
+# When using any 'auto_shutdown_try_save', 'auto_shutdown_try_shutdown' this
+# feature should to be enabled as well to ensure proper cleanup of the VMs.
#auto_shutdown_poweroff = "all"
# How may seconds to wait for running VMs to gracefully shutdown
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 04d6370011..25e42ebfc6 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -910,6 +910,12 @@ qemuSetupCgroup(virDomainObj *vm,
{
qemuDomainObjPrivate *priv = vm->privateData;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
+ /* When users wants to auto-shutdown the VMs via the qemu daemon itself
+ * we need to instruct machined to create dependencies for the units
+ * in such way that the VMs will not be killed before the auto shutdown
+ * code is reached.
+ */
+ bool daemonAutoShutdown = virDomainDriverAutoShutdownActive(&cfg->autoShutdown);
if (virDomainCgroupSetupCgroup("qemu",
vm,
@@ -919,7 +925,7 @@ qemuSetupCgroup(virDomainObj *vm,
cfg->cgroupControllers,
cfg->maxThreadsPerProc,
priv->driver->privileged,
- false,
+ daemonAutoShutdown,
priv->machineName) < 0)
return -1;
--
2.50.1


@ -1,667 +0,0 @@
From 5daae8778ba7b7232faf4788ef49891820e2510f Mon Sep 17 00:00:00 2001
Message-ID: <5daae8778ba7b7232faf4788ef49891820e2510f.1754404628.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:40:01 +0100
Subject: [PATCH] qemu: add ability to set TLS priority string with QEMU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU will either use the GNUTLS default priority string of "NORMAL",
or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to
a configuration in /etc/crypto-policies/back-ends/gnutls.config.
The latter gives the sysadmin the ability to change the priority
string used for GNUTLS at deployment time, either system side, or
exclusively for QEMU, avoiding the hardcoded GNUTLS defaults.
There are still some limitations to this:
* Priorities cannot be set for different areas of QEMU
functionality (migration, vnc, nbd, etc)
* Priorities are fixed at the time when QEMU first
triggers GNUTLS to load its config file, often
immediately at startup.
We recently uncovered a QEMU bug that causes crashes in live
migration with TLS-1.3, where the easiest workaround is to
change the TLS priorities. We can't change this on the running
QEMU, but fortunately it is possible to change it on the target
QEMU and the TLS handshake will make it take effect on both
src and dst.
The problem is, while fixing the immediate incoming and outgoing
live migration problems, the workaround will apply to everything
else that QEMU does for the rest of the time that process exists.
We want to make it possible to set the TLS priorities only for
the current migrations, such that if the target QEMU has a fixed
GNUTLS, it will not have its TLS priorities hobbled for the next
live migration.
To achieve this we need libvirt to be able to (optionally) set
the TLS priority string with QEMU. While live migration is the
most pressing need, the new qemu.conf parameters are wired up
for every subsystem for greater selectivity in future.
With this we can activate the GNUTLS workaround for running
QEMU processes by editting qemu.conf and restarting virtqemud,
and later undo this the same way.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 14e41ac9f365b148e69088c5ffeb565a0f9ba326)
Resolves: https://issues.redhat.com/browse/RHEL-104382
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/conf/storage_source_conf.c | 2 +
src/conf/storage_source_conf.h | 1 +
src/qemu/libvirtd_qemu.aug | 6 +++
src/qemu/qemu.conf.in | 37 +++++++++++++++++++
src/qemu/qemu_backup.c | 5 ++-
src/qemu/qemu_blockjob.c | 1 +
src/qemu/qemu_command.c | 15 ++++++--
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_conf.c | 22 +++++++++++
src/qemu/qemu_conf.h | 6 +++
src/qemu/qemu_domain.c | 3 ++
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_hotplug.h | 1 +
src/qemu/qemu_migration_params.c | 1 +
src/qemu/test_libvirtd_qemu.aug.in | 6 +++
...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +-
...graphics-vnc-tls-secret.x86_64-latest.args | 2 +-
...-tlsx509-secret-chardev.x86_64-latest.args | 2 +-
tests/qemuxmlconftest.c | 6 +++
20 files changed, 114 insertions(+), 10 deletions(-)
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index 8a063be244..8bab116d89 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -832,6 +832,7 @@ virStorageSourceCopy(const virStorageSource *src,
def->compat = g_strdup(src->compat);
def->tlsAlias = g_strdup(src->tlsAlias);
def->tlsCertdir = g_strdup(src->tlsCertdir);
+ def->tlsPriority = g_strdup(src->tlsPriority);
def->tlsHostname = g_strdup(src->tlsHostname);
def->query = g_strdup(src->query);
def->vdpadev = g_strdup(src->vdpadev);
@@ -1185,6 +1186,7 @@ virStorageSourceClear(virStorageSource *def)
VIR_FREE(def->tlsAlias);
VIR_FREE(def->tlsCertdir);
+ VIR_FREE(def->tlsPriority);
VIR_FREE(def->tlsHostname);
VIR_FREE(def->ssh_user);
diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index ebddf28cd6..a0d5acdb09 100644
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -396,6 +396,7 @@ struct _virStorageSource {
* certificate directory with listen and verify bools. */
char *tlsAlias;
char *tlsCertdir;
+ char *tlsPriority;
/* TLS hostname override */
char *tlsHostname;
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index d36baed6fc..772d4dcabe 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -30,6 +30,7 @@ module Libvirtd_qemu =
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
| bool_entry "default_tls_x509_verify"
| str_entry "default_tls_x509_secret_uuid"
+ | str_entry "default_tls_priority"
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
@@ -37,6 +38,7 @@ module Libvirtd_qemu =
| str_entry "vnc_tls_x509_cert_dir"
| bool_entry "vnc_tls_x509_verify"
| str_entry "vnc_tls_x509_secret_uuid"
+ | str_entry "vnc_tls_priority"
| str_entry "vnc_password"
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
@@ -59,15 +61,18 @@ module Libvirtd_qemu =
| str_entry "chardev_tls_x509_cert_dir"
| bool_entry "chardev_tls_x509_verify"
| str_entry "chardev_tls_x509_secret_uuid"
+ | str_entry "chardev_tls_priority"
let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
| bool_entry "migrate_tls_x509_verify"
| str_entry "migrate_tls_x509_secret_uuid"
+ | str_entry "migrate_tls_priority"
| bool_entry "migrate_tls_force"
let backup_entry = str_entry "backup_tls_x509_cert_dir"
| bool_entry "backup_tls_x509_verify"
| str_entry "backup_tls_x509_secret_uuid"
+ | str_entry "backup_tls_priority"
(* support for vxhs was removed from qemu and the examples were dopped from *)
(* qemu.conf but these need to stay *)
@@ -78,6 +83,7 @@ module Libvirtd_qemu =
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
| str_entry "nbd_tls_x509_secret_uuid"
+ | str_entry "nbd_tls_priority"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 76cbe1a72d..b0fb30d74f 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -62,6 +62,18 @@
#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Libvirt allows QEMU to use its built-in TLS priority by default,
+# however, this allows overriding it at runtime. This is especially
+# useful if TLS priority needs to be changed for an operation run
+# against an existing running QEMU.
+#
+# This must be a valid GNUTLS priority string:
+#
+# https://gnutls.org/manual/html_node/Priority-Strings.html
+#
+#default_tls_priority = "@SYSTEM"
+
+
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
@@ -127,6 +139,11 @@
#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for VNC
+#
+#vnc_tls_priority = "@SYSTEM"
+
+
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
@@ -306,6 +323,11 @@
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for character devices
+#
+#chardev_tls_priority = "@SYSTEM"
+
+
# The support for VxHS network block protocol was removed in qemu-5.2 and
# thus also dropped from libvirt's qemu driver. The following options which
# were used to configure the TLS certificates for VxHS are thus ignored.
@@ -358,6 +380,11 @@
#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD
+#
+#nbd_tls_priority = "@SYSTEM"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
@@ -397,6 +424,11 @@
#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for live migration
+#
+#migrate_tls_priority = "@SYSTEM"
+
+
# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
# automatically. Setting 'migate_tls_force' to "1" will prevent any migration
# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
@@ -442,6 +474,11 @@
#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD backups
+#
+#backup_tls_priority = "@SYSTEM"
+
+
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c
index fb3558d280..1f43479b5e 100644
--- a/src/qemu/qemu_backup.c
+++ b/src/qemu/qemu_backup.c
@@ -728,8 +728,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm,
}
if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true,
- cfg->backupTLSx509verify, tlsObjAlias,
- tlsKeySecretAlias,
+ cfg->backupTLSx509verify,
+ cfg->backupTLSpriority,
+ tlsObjAlias, tlsKeySecretAlias,
tlsProps) < 0)
return -1;
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index c7462e2838..315b742053 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -624,6 +624,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src)
VIR_FREE(src->nodenameformat);
VIR_FREE(src->tlsAlias);
VIR_FREE(src->tlsCertdir);
+ VIR_FREE(src->tlsPriority);
}
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 202f2dfaca..662d6299f8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1263,6 +1263,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @alias: alias for the TLS credentials object
* @secalias: if one exists, the alias of the security object for passwordid
* @propsret: json properties to return
@@ -1275,6 +1276,7 @@ int
qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret)
@@ -1283,6 +1285,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
"s:dir", tlspath,
"s:endpoint", (isListen ? "server": "client"),
"b:verify-peer", (isListen ? verifypeer : true),
+ "S:priority", priority,
"S:passwordid", secalias,
NULL) < 0)
return -1;
@@ -1296,6 +1299,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private key
* (optional)
* @alias: TLS object alias
@@ -1309,13 +1313,14 @@ qemuBuildTLSx509CommandLine(virCommand *cmd,
const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *certEncSecretAlias,
const char *alias)
{
g_autoptr(virJSONValue) props = NULL;
- if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias,
- certEncSecretAlias, &props) < 0)
+ if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority,
+ alias, certEncSecretAlias, &props) < 0)
return -1;
if (qemuBuildObjectCommandlineFromJSON(cmd, props) < 0)
@@ -1357,6 +1362,7 @@ qemuBuildChardevCommand(virCommand *cmd,
if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath,
dev->data.tcp.listen,
chrSourcePriv->tlsVerify,
+ chrSourcePriv->tlsPriority,
tlsCertEncSecAlias,
objalias) < 0) {
return -1;
@@ -8347,6 +8353,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg,
cfg->vncTLSx509certdir,
true,
cfg->vncTLSx509verify,
+ cfg->vncTLSpriority,
secretAlias,
gfxPriv->tlsAlias) < 0)
return -1;
@@ -11188,8 +11195,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
}
if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
- qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
- tlsKeySecretAlias, &data->tlsProps) < 0)
+ qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsPriority,
+ src->tlsAlias, tlsKeySecretAlias, &data->tlsProps) < 0)
return -1;
return 0;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 574dffdc96..ad068f1f16 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -67,6 +67,7 @@ int
qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret);
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 482e19b502..088904eb12 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -454,6 +454,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg,
if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
&cfg->defaultTLSx509secretUUID) < 0)
return -1;
+ if (virConfGetValueString(conf, "default_tls_priority",
+ &cfg->defaultTLSpriority) < 0)
+ return -1;
return 0;
}
@@ -566,6 +569,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg,
#val "_tls_x509_secret_uuid", \
&cfg->val## TLSx509secretUUID) < 0) \
return -1; \
+ if ((rv = virConfGetValueString(conf, #val "_tls_priority", \
+ &cfg->val## TLSpriority)) < 0) \
+ return -1; \
} while (0)
#define GET_CONFIG_TLS_CERTINFO_SERVER(val) \
@@ -1441,6 +1447,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg)
#undef SET_TLS_SECRET_UUID_DEFAULT
+#define SET_TLS_PRIORITY_DEFAULT(val) \
+ do { \
+ if (!cfg->val## TLSpriority && \
+ cfg->defaultTLSpriority) { \
+ cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \
+ } \
+ } while (0)
+
+ SET_TLS_PRIORITY_DEFAULT(vnc);
+ SET_TLS_PRIORITY_DEFAULT(chardev);
+ SET_TLS_PRIORITY_DEFAULT(migrate);
+ SET_TLS_PRIORITY_DEFAULT(backup);
+ SET_TLS_PRIORITY_DEFAULT(nbd);
+
+#undef SET_TLS_PRIORITY_DEFAULT
+
/*
* If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
* has created a val specific area to place service specific certificates.
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ff376aed4d..192ddd0cbd 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -117,6 +117,7 @@ struct _virQEMUDriverConfig {
bool defaultTLSx509verify;
bool defaultTLSx509verifyPresent;
char *defaultTLSx509secretUUID;
+ char *defaultTLSpriority;
bool vncAutoUnixSocket;
bool vncTLS;
@@ -125,6 +126,7 @@ struct _virQEMUDriverConfig {
bool vncSASL;
char *vncTLSx509certdir;
char *vncTLSx509secretUUID;
+ char *vncTLSpriority;
char *vncListen;
char *vncPassword;
char *vncSASLdir;
@@ -147,21 +149,25 @@ struct _virQEMUDriverConfig {
bool chardevTLSx509verify;
bool chardevTLSx509verifyPresent;
char *chardevTLSx509secretUUID;
+ char *chardevTLSpriority;
char *migrateTLSx509certdir;
bool migrateTLSx509verify;
bool migrateTLSx509verifyPresent;
char *migrateTLSx509secretUUID;
+ char *migrateTLSpriority;
bool migrateTLSForce;
char *backupTLSx509certdir;
bool backupTLSx509verify;
bool backupTLSx509verifyPresent;
char *backupTLSx509secretUUID;
+ char *backupTLSpriority;
bool nbdTLS;
char *nbdTLSx509certdir;
char *nbdTLSx509secretUUID;
+ char *nbdTLSpriority;
unsigned int remotePortMin;
unsigned int remotePortMax;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 0d2548d8d4..ddc065d8f4 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj)
qemuDomainChrSourcePrivateClearFDPass(priv);
g_free(priv->tlsCertPath);
+ g_free(priv->tlsPriority);
g_free(priv->tlsCredsAlias);
@@ -8777,6 +8778,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev,
if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) {
charpriv->tlsCertPath = g_strdup(data->cfg->chardevTLSx509certdir);
+ charpriv->tlsPriority = g_strdup(data->cfg->chardevTLSpriority);
charpriv->tlsVerify = data->cfg->chardevTLSx509verify;
}
}
@@ -8842,6 +8844,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src,
src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias);
src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir);
+ src->tlsPriority = g_strdup(cfg->nbdTLSpriority);
if (cfg->nbdTLSx509secretUUID) {
qemuDomainStorageSourcePrivate *srcpriv = qemuDomainStorageSourcePrivateFetch(src);
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index c7287eb669..22cad50f55 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -384,6 +384,7 @@ struct _qemuDomainChrSourcePrivate {
char *tlsCertPath; /* path to certificates if TLS is requested */
bool tlsVerify; /* whether server should verify client certificates */
+ char *tlsPriority; /* optional GNUTLS priority string */
char *tlsCredsAlias; /* alias of the x509 tls credentials object */
};
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 67a2464ce4..79922f27c7 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1744,6 +1744,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps)
@@ -1757,7 +1758,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
secAlias = secinfo->alias;
}
- if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,
+ if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority,
alias, secAlias, tlsProps) < 0)
return -1;
@@ -1801,6 +1802,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver,
cfg->chardevTLSx509certdir,
dev->data.tcp.listen,
cfg->chardevTLSx509verify,
+ cfg->chardevTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
index de75bf9225..fb0b5b6cd7 100644
--- a/src/qemu/qemu_hotplug.h
+++ b/src/qemu/qemu_hotplug.h
@@ -41,6 +41,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps);
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 17d08f4aa5..b79bbad5c2 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1208,6 +1208,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
if (qemuDomainGetTLSObjects(priv->migSecinfo,
cfg->migrateTLSx509certdir, tlsListen,
cfg->migrateTLSx509verify,
+ cfg->migrateTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index e461fcc9df..1fa0e2206e 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -5,12 +5,14 @@ module Test_libvirtd_qemu =
{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
{ "default_tls_x509_verify" = "1" }
{ "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "default_tls_priority" = "@SYSTEM" }
{ "vnc_listen" = "0.0.0.0" }
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
{ "vnc_tls_x509_verify" = "1" }
{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "vnc_tls_priority" = "@SYSTEM" }
{ "vnc_password" = "XYZ12345" }
{ "vnc_sasl" = "1" }
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
@@ -30,19 +32,23 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
{ "chardev_tls_x509_verify" = "1" }
{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "chardev_tls_priority" = "@SYSTEM" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "nbd_tls_priority" = "@SYSTEM" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "migrate_tls_priority" = "@SYSTEM" }
{ "migrate_tls_force" = "0" }
{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
{ "backup_tls_x509_verify" = "1" }
{ "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_priority" = "@SYSTEM" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
index 4ee9a0631b..77d38c3020 100644
--- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-boot strict=on \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
index 50cc8532d1..32d7be1d3b 100644
--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-object '{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}' \
-vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \
-device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
index c227a04112..492d1be626 100644
--- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \
-device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \
-object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \
-device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \
-audiodev '{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 6ad4d90934..1fbfd25e83 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1596,7 +1596,9 @@ mymain(void)
driver.config->nbdTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd");
DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0");
+ driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
+ VIR_FREE(driver.config->nbdTLSpriority);
DO_TEST_CAPS_LATEST("disk-network-http");
VIR_FREE(driver.config->nbdTLSx509secretUUID);
DO_TEST_CAPS_LATEST("disk-network-ssh");
@@ -1723,8 +1725,10 @@ mymain(void)
driver.config->vncTLS = 1;
driver.config->vncTLSx509verify = 1;
DO_TEST_CAPS_LATEST("graphics-vnc-tls");
+ driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
driver.config->vncTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret");
+ VIR_FREE(driver.config->vncTLSpriority);
VIR_FREE(driver.config->vncTLSx509secretUUID);
driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0;
DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless");
@@ -1874,7 +1878,9 @@ mymain(void)
driver.config->chardevTLSx509verify = 0;
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls");
driver.config->chardevTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
+ driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev");
+ VIR_FREE(driver.config->chardevTLSpriority);
VIR_FREE(driver.config->chardevTLSx509secretUUID);
driver.config->chardevTLS = 0;
DO_TEST_CAPS_LATEST("serial-many-chardev");
--
2.50.1


@ -1,137 +0,0 @@
From 44d1e39ed66596dfb8d2d4046aa5b0aa91d6dc88 Mon Sep 17 00:00:00 2001
Message-ID: <44d1e39ed66596dfb8d2d4046aa5b0aa91d6dc88.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 27 Jun 2025 15:13:35 +0200
Subject: [PATCH] qemu: conf: Store 'autoShutdown' config in
virDomainDriverAutoShutdownConfig
Rather than having a bunch of extra variables save the configuration of
the daemon auto shutdown in virDomainDriverAutoShutdownConfig which is
also used when initiating the shutdown.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit c8adb8537b947f76a0be85e9c28de85e351d6b51)
https://issues.redhat.com/browse/RHEL-95361
---
src/qemu/qemu_conf.c | 30 +++++++++++++++---------------
src/qemu/qemu_conf.h | 7 +------
src/qemu/qemu_driver.c | 12 +++---------
3 files changed, 19 insertions(+), 30 deletions(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 9bf12fc179..482e19b502 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -320,15 +320,15 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool privileged,
*
* XXX, or query if libvirt-guests.service is enabled perhaps ?
*/
- cfg->autoShutdownTrySave = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
- cfg->autoShutdownTryShutdown = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
- cfg->autoShutdownPoweroff = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
+ cfg->autoShutdown.trySave = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
+ cfg->autoShutdown.tryShutdown = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
+ cfg->autoShutdown.poweroff = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE;
} else {
- cfg->autoShutdownTrySave = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT;
- cfg->autoShutdownTryShutdown = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL;
- cfg->autoShutdownPoweroff = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL;
+ cfg->autoShutdown.trySave = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT;
+ cfg->autoShutdown.tryShutdown = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL;
+ cfg->autoShutdown.poweroff = VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL;
}
- cfg->autoShutdownRestore = true;
+ cfg->autoShutdown.autoRestore = true;
return g_steal_pointer(&cfg);
}
@@ -719,11 +719,11 @@ virQEMUDriverConfigLoadSaveEntry(virQEMUDriverConfig *cfg,
autoShutdownTrySave);
return -1;
}
- cfg->autoShutdownTrySave = autoShutdownVal;
+ cfg->autoShutdown.trySave = autoShutdownVal;
}
- if (cfg->autoShutdownTrySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
- cfg->autoShutdownTrySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT) {
+ if (cfg->autoShutdown.trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->autoShutdown.trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("managed save cannot be requested for transient domains"));
return -1;
@@ -740,7 +740,7 @@ virQEMUDriverConfigLoadSaveEntry(virQEMUDriverConfig *cfg,
autoShutdownTryShutdown);
return -1;
}
- cfg->autoShutdownTryShutdown = autoShutdownVal;
+ cfg->autoShutdown.tryShutdown = autoShutdownVal;
}
if (virConfGetValueString(conf, "auto_shutdown_poweroff", &autoShutdownPoweroff) < 0)
@@ -754,16 +754,16 @@ virQEMUDriverConfigLoadSaveEntry(virQEMUDriverConfig *cfg,
autoShutdownPoweroff);
return -1;
}
- cfg->autoShutdownPoweroff = autoShutdownVal;
+ cfg->autoShutdown.poweroff = autoShutdownVal;
}
if (virConfGetValueUInt(conf, "auto_shutdown_wait",
- &cfg->autoShutdownWait) < 0)
+ &cfg->autoShutdown.waitShutdownSecs) < 0)
return -1;
- if (virConfGetValueBool(conf, "auto_shutdown_restore", &cfg->autoShutdownRestore) < 0)
+ if (virConfGetValueBool(conf, "auto_shutdown_restore", &cfg->autoShutdown.autoRestore) < 0)
return -1;
if (virConfGetValueBool(conf, "auto_save_bypass_cache",
- &cfg->autoSaveBypassCache) < 0)
+ &cfg->autoShutdown.saveBypassCache) < 0)
return -1;
return 0;
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 1ce9dbe4a8..ff376aed4d 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -208,12 +208,7 @@ struct _virQEMUDriverConfig {
bool autoDumpBypassCache;
bool autoStartBypassCache;
unsigned int autoStartDelayMS;
- virDomainDriverAutoShutdownScope autoShutdownTrySave;
- virDomainDriverAutoShutdownScope autoShutdownTryShutdown;
- virDomainDriverAutoShutdownScope autoShutdownPoweroff;
- unsigned int autoShutdownWait;
- bool autoShutdownRestore;
- bool autoSaveBypassCache;
+ virDomainDriverAutoShutdownConfig autoShutdown;
char *lockManagerName;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 9b583ad7aa..4dbd5ec2fc 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -964,15 +964,9 @@ static int
qemuStateStop(void)
{
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(qemu_driver);
- virDomainDriverAutoShutdownConfig ascfg = {
- .uri = cfg->uri,
- .trySave = cfg->autoShutdownTrySave,
- .tryShutdown = cfg->autoShutdownTryShutdown,
- .poweroff = cfg->autoShutdownPoweroff,
- .waitShutdownSecs = cfg->autoShutdownWait,
- .saveBypassCache = cfg->autoSaveBypassCache,
- .autoRestore = cfg->autoShutdownRestore,
- };
+ virDomainDriverAutoShutdownConfig ascfg = cfg->autoShutdown;
+
+ ascfg.uri = cfg->uri;
virDomainDriverAutoShutdown(&ascfg);
--
2.50.1


@ -1,84 +0,0 @@
From 18e04d47dc99d44eb6e1e81f820f1634694a51e9 Mon Sep 17 00:00:00 2001
Message-ID: <18e04d47dc99d44eb6e1e81f820f1634694a51e9.1754404628.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:32:05 +0100
Subject: [PATCH] qemu: fix order of VNC TLS config entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For TLS config parameters, the 'verify' option always comes before the
'secret_uuid' option, except in the VNC case which has them reversed.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 845e1b5138f37dbf91e5b08b7d54d963a6ec0452)
Resolves: https://issues.redhat.com/browse/RHEL-104382
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/qemu/libvirtd_qemu.aug | 2 +-
src/qemu/qemu.conf.in | 12 ++++++------
src/qemu/test_libvirtd_qemu.aug.in | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index e1e479d72c..d36baed6fc 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -35,8 +35,8 @@ module Libvirtd_qemu =
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
| str_entry "vnc_tls_x509_cert_dir"
- | str_entry "vnc_tls_x509_secret_uuid"
| bool_entry "vnc_tls_x509_verify"
+ | str_entry "vnc_tls_x509_secret_uuid"
| str_entry "vnc_password"
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 6358a45ae2..9bb52b5927 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -101,12 +101,6 @@
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
@@ -125,6 +119,12 @@
#vnc_tls_x509_verify = 1
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 88d1a6aca1..e461fcc9df 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -9,8 +9,8 @@ module Test_libvirtd_qemu =
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
-{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vnc_tls_x509_verify" = "1" }
+{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vnc_password" = "XYZ12345" }
{ "vnc_sasl" = "1" }
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
--
2.50.1


@ -1,404 +0,0 @@
From f8d6bc01e680b8c226270d100230a92a611f771d Mon Sep 17 00:00:00 2001
Message-ID: <f8d6bc01e680b8c226270d100230a92a611f771d.1754404628.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:30:52 +0100
Subject: [PATCH] qemu: sanitize blank lines in config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We mostly use 2 blank lines between config file entries to
improve readability. Fix where we don't do that.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 0b9cfa791f2bd135ea36fe03fd1a8d6c8bf5e3d6)
Resolves: https://issues.redhat.com/browse/RHEL-104382
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/qemu/qemu.conf.in | 51 ++++++++++++++++++++++++++++++++++++++++---
1 file changed, 48 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 9bb52b5927..76cbe1a72d 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -48,7 +48,7 @@
#
#default_tls_x509_verify = 1
-#
+
# Libvirt assumes the server-key.pem file is unencrypted by default.
# To use an encrypted server-key.pem file, the password to decrypt
# the PEM file is required. This can be provided by creating a secret
@@ -71,6 +71,7 @@
#
#vnc_listen = "0.0.0.0"
+
# Enable this option to have VNC served over an automatically created
# unix socket. This prevents unprivileged access from users on the
# host machine, though most VNC clients do not support it.
@@ -81,6 +82,7 @@
#
#vnc_auto_unix_socket = 1
+
# Enable use of TLS encryption on the VNC server. This requires
# a VNC client which supports the VeNCrypt protocol extension.
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
@@ -222,6 +224,7 @@
#
#spice_sasl = 1
+
# The default SASL configuration file is located in /etc/sasl2/
# When running libvirtd unprivileged, it may be desirable to
# override the configs in this location. Set this parameter to
@@ -229,6 +232,7 @@
#
#spice_sasl_dir = "/some/directory/sasl2"
+
# RDP is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
@@ -242,11 +246,13 @@
#
#rdp_tls_x509_cert_dir = "/etc/pki/libvirt-rdp"
+
# The default RDP username. This parameter is only used if the
# per-domain XML config does not already provide a username.
#
#rdp_username = "user"
+
# The default RDP password. This parameter is only used if the
# per-domain XML config does not already provide a password.
# By default, RDP server will not allow password-less connections.
@@ -254,6 +260,7 @@
#
#rdp_password = "RDP12345"
+
# Enable use of TLS encryption on the chardev TCP transports.
#
# It is necessary to setup CA and issue a server certificate
@@ -457,6 +464,7 @@
#remote_display_port_min = 5900
#remote_display_port_max = 65535
+
# VNC WebSocket port policies, same rules apply as with remote display
# ports. VNC WebSockets use similar display <-> port mappings, with
# the exception being that ports start from 5700 instead of 5900.
@@ -464,6 +472,7 @@
#remote_websocket_port_min = 5700
#remote_websocket_port_max = 65535
+
# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
# itself. If you wish to disable QEMU SELinux security driver while
@@ -481,15 +490,18 @@
#
#security_driver = "selinux"
+
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
# will be unconfined by default. Defaults to 1.
#security_default_confined = 1
+
# If set to non-zero, then attempts to create unconfined
# guests will be blocked. Defaults to 0.
#security_require_confined = 1
+
# The user for QEMU processes run by the system instance. It can be
# specified as a user name or as a user id. The qemu driver will try to
# parse this value first as a name and then, if the name doesn't exist,
@@ -507,10 +519,12 @@
#
#user = "@QEMU_USER@"
+
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "@QEMU_GROUP@"
+
# Whether libvirt should dynamically change file ownership
# to match the configured user/group above. Defaults to 1.
#
@@ -526,11 +540,13 @@
# Set to 0 to disable file ownership changes globally in the qemu driver.
#dynamic_ownership = 1
+
# Whether libvirt should remember and restore the original
# ownership over files it is relabeling. Defaults to 1, set
# to 0 to disable the feature.
#remember_owner = 1
+
# What cgroup controllers to make use of with QEMU guests
#
# - 'cpu' - use for scheduler tunables
@@ -552,6 +568,7 @@
#
#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
# This is the basic set of devices allowed / required by
# all virtual machines.
#
@@ -618,12 +635,14 @@
#dump_image_format = "raw"
#snapshot_image_format = "raw"
+
# When a domain is configured to be auto-dumped when libvirtd receives a
# watchdog event from qemu guest, libvirtd will save dump files in directory
# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
#
#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
# When a domain is configured to be auto-dumped, enabling this flag
# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
# virDomainCoreDump API. That is, the system will avoid using the
@@ -632,6 +651,7 @@
#
#auto_dump_bypass_cache = 0
+
# When a domain is configured to be auto-started, enabling this flag
# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
# with the virDomainCreateWithFlags API. That is, the system will
@@ -640,11 +660,13 @@
#
#auto_start_bypass_cache = 0
+
# Delay in milliseconds between initiating the startup for
# each VM, during autostart
#
#auto_start_delay = 0
+
# The settings for auto shutdown actions accept one of
# four possible options:
#
@@ -669,6 +691,7 @@
# they are restarted, or saved and restored.
#auto_shutdown_try_save = "persistent"
+
# As above, but with a graceful shutdown action instead of
# managed save. If managed save is enabled, shutdown will
# be tried only on failure to perform managed save.
@@ -683,6 +706,7 @@
# they are restarted, or saved and restored.
#auto_shutdown_try_shutdown = "all"
+
# As above, but with a forced poweroff instead of managed
# save. If managed save or graceful shutdown are enabled,
# forced poweroff will be tried only on failure of the
@@ -702,16 +726,19 @@
# feature should to be enabled as well to ensure proper cleanup of the VMs.
#auto_shutdown_poweroff = "all"
+
# How may seconds to wait for running VMs to gracefully shutdown
# when 'auto_shutdown_try_shutdown' is enabled. If set to 0
# then an arbitrary built-in default value will be used (which
# is currently 30 secs)
#auto_shutdown_wait = 30
+
# Whether VMs that are automatically powered off or saved during
# host shutdown, should be set to restore on next boot
#auto_shutdown_restore = 1
+
# When a domain is configured to be auto-saved on shutdown, enabling
# this flag has the same effect as using the VIR_DOMAIN_SAVE_BYPASS_CACHE
# flag with the virDomainManagedSave API. That is, the system will
@@ -720,6 +747,7 @@
#
#auto_save_bypass_cache = 0
+
# If provided by the host and a hugetlbfs mount point is configured,
# a guest may request huge page backing. When this mount point is
# unspecified here, determination of a host mount point in /proc/mounts
@@ -768,6 +796,7 @@
#max_processes = 0
#max_files = 0
+
# If max_threads_per_process is set to a positive integer, libvirt
# will use it to set the maximum number of threads that can be
# created by a qemu process. Some VM configurations can result in
@@ -778,6 +807,7 @@
#
#max_threads_per_process = 0
+
# If max_core is set to a non-zero integer, then QEMU will be
# permitted to create core dumps when it crashes, provided its
# RAM size is smaller than the limit set.
@@ -804,6 +834,7 @@
#
#max_core = "unlimited"
+
# Determine if guest RAM is included in QEMU core dumps. By
# default guest RAM will be excluded on Linux platforms,
# and included on all other patforms. Setting this to '1' will
@@ -814,6 +845,7 @@
#
#dump_guest_core = 1
+
# mac_filter enables MAC addressed based filtering on bridge ports.
# This currently requires ebtables to be installed.
#
@@ -843,6 +875,7 @@
#
#max_queued = 0
+
###################################################################
# Keepalive protocol:
# This allows qemu driver to detect broken connections to remote
@@ -866,7 +899,6 @@
#keepalive_count = 5
-
# Use seccomp syscall filtering sandbox in QEMU.
# 1 == filter enabled, 0 == filter disabled
#
@@ -901,7 +933,6 @@
#migration_port_max = 49215
-
# Timestamp QEMU's log messages (if QEMU supports it)
#
# Defaults to 1.
@@ -941,6 +972,7 @@
# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]
+
# The backend to use for handling stdout/stderr output from
# QEMU processes.
#
@@ -956,6 +988,7 @@
#
#stdio_handler = "logd"
+
# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
# most verbose, and 0 representing no debugging output.
#
@@ -976,6 +1009,7 @@
#
#gluster_debug_level = 9
+
# virtiofsd debug
#
# Whether to enable the debugging output of the virtiofsd daemon.
@@ -983,6 +1017,7 @@
#
#virtiofsd_debug = 1
+
# To enhance security, QEMU driver is capable of creating private namespaces
# for each domain started. Well, so far only "mount" namespace is supported. If
# enabled it means qemu process is unable to see all the devices on the system,
@@ -991,16 +1026,19 @@
# by default.
#namespaces = [ "mount" ]
+
# This directory is used for memoryBacking source if configured as file.
# NOTE: big files will be stored here
#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
# Path to the SCSI persistent reservations helper. This helper is
# used whenever <reservations/> are enabled for SCSI LUN devices.
# If this is not an absolute path, the program will be searched for
# in $PATH as well as a few additional directories.
#pr_helper = "qemu-pr-helper"
+
# Path to the SLIRP networking helper.
#slirp_helper = "/usr/bin/slirp-helper"
@@ -1010,11 +1048,13 @@
# in $PATH.
#qemu_rdp = "qemu-rdp"
+
# Path to the dbus-daemon
# If this is not an absolute path, the program will be searched for
# in $PATH.
#dbus_daemon = "dbus-daemon"
+
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
@@ -1023,6 +1063,7 @@
#swtpm_user = "tss"
#swtpm_group = "tss"
+
# For debugging and testing purposes it's sometimes useful to be able to disable
# libvirt behaviour based on the capabilities of the qemu process. This option
# allows to do so. DO _NOT_ use in production and beaware that the behaviour
@@ -1030,6 +1071,7 @@
#
#capability_filters = [ "capname" ]
+
# 'deprecation_behavior' setting controls how the qemu process behaves towards
# deprecated commands and arguments used by libvirt.
#
@@ -1061,6 +1103,7 @@
#
#deprecation_behavior = "none"
+
# If this is set then QEMU and its threads will run in a separate scheduling
# group meaning no other process will share Hyper Threads of a single core with
# QEMU. Each QEMU has its own group.
@@ -1077,6 +1120,7 @@
# scheduling group
#sched_core = "none"
+
# Using nbdkit to access remote disk sources
#
# If this is set then libvirt will use nbdkit to access remote disk sources
@@ -1088,6 +1132,7 @@
#
#storage_use_nbdkit = @USE_NBDKIT_DEFAULT@
+
# libvirt will normally prevent migration if the storage backing the VM is not
# on a shared filesystems. Sometimes, however, the storage *is* shared despite
# not being detected as such: for example, this is the case when one of the
--
2.50.1


@ -1,43 +0,0 @@
From 49a0c4d4d371eb030090e0172144bce00b6e1044 Mon Sep 17 00:00:00 2001
Message-ID: <49a0c4d4d371eb030090e0172144bce00b6e1044.1753438163.git.jdenemar@redhat.com>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Fri, 18 Jul 2025 14:47:58 +0200
Subject: [PATCH] qemu_tpm: Do not use persistent definition during pre-start
checks
Commit 3451987fca7c used the persistent TPM Definition in both calls to
qemuTPMVirCommandSwtpmAddTPMState() but in one of the two cases it
might've been NULL and what's more, it is not the right definition which
should've been used. Change that to @tpm which is the current
definition. The other call does not have access to the current
definition and is only called during updating the profile. But for the
sake of fewer future mistakes, keep the other one as is because there is
no issue with calling it that way and adding logic that just skips the
extra check on NULL could mistake someone in the future.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 3a39cfacc36b26be559ab6217fce2a44a2b15159)
Resolves: https://issues.redhat.com/browse/RHEL-80155
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
src/qemu/qemu_tpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index cdbd6e3993..2e5ec823b2 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -852,7 +852,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
virCommandAddArgFormat(cmd, "type=unixio,path=%s,mode=0600",
tpm->data.emulator.source->data.nix.path);
- qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, persistentTPMDef, cfg);
+ qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, tpm, cfg);
virCommandAddArg(cmd, "--log");
if (tpm->data.emulator.debug != 0)
--
2.50.1


@ -1,108 +0,0 @@
From 6361cb03d2bada54287e20b979e26e3b3a7c793d Mon Sep 17 00:00:00 2001
Message-ID: <6361cb03d2bada54287e20b979e26e3b3a7c793d.1752837271.git.jdenemar@redhat.com>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Thu, 17 Jul 2025 11:54:22 +0200
Subject: [PATCH] qemu_tpm: Extract per-TPM functionality from
qemuTPMDomainHasSharedStorage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This way we can do the check for a particular TPM also elsewhere in the
code, especially in places where we're dealing with only one TPM. The
semantics is changed a little bit in a way that the function will check
all the TPMs as opposed to stopping on the first one which is of the
emulator type, but since a domain can currently only have one of these
it was not an issue.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 6c6b6b2b4133f3d6be643416cc3756d940d22ddc)
Resolves: https://issues.redhat.com/browse/RHEL-80155
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
src/qemu/qemu_tpm.c | 59 ++++++++++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 25 deletions(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 8c104ab1b3..855d732e60 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -205,6 +205,40 @@ qemuTPMEmulatorCreateStorage(virDomainTPMDef *tpm,
}
+static bool
+qemuTPMHasSharedStorage(const virQEMUDriverConfig *cfg,
+ const virDomainTPMDef *tpm)
+{
+ switch (tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ return virFileIsSharedFS(tpm->data.emulator.source_path,
+ cfg->sharedFilesystems) == 1;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+
+ return false;
+}
+
+
+bool
+qemuTPMDomainHasSharedStorage(virQEMUDriver *driver,
+ virDomainDef *def)
+{
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
+ size_t i;
+
+ for (i = 0; i < def->ntpms; i++) {
+ if (qemuTPMHasSharedStorage(cfg, def->tpms[i]))
+ return true;
+ }
+
+ return false;
+}
+
+
/**
* qemuTPMEmulatorDeleteStorage:
* @tpm: TPM definition
@@ -1218,31 +1252,6 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
}
-bool
-qemuTPMDomainHasSharedStorage(virQEMUDriver *driver,
- virDomainDef *def)
-{
- g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
- size_t i;
-
- for (i = 0; i < def->ntpms; i++) {
- virDomainTPMDef *tpm = def->tpms[i];
-
- switch (tpm->type) {
- case VIR_DOMAIN_TPM_TYPE_EMULATOR:
- return virFileIsSharedFS(tpm->data.emulator.source_path,
- cfg->sharedFilesystems) == 1;
- case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
- case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
- case VIR_DOMAIN_TPM_TYPE_LAST:
- break;
- }
- }
-
- return false;
-}
-
-
bool
qemuTPMCanMigrateSharedStorage(virDomainDef *def)
{
--
2.50.1


@ -1,67 +0,0 @@
From 0a38abe57db307e11f28710fd33b10b7dd2988b2 Mon Sep 17 00:00:00 2001
Message-ID: <0a38abe57db307e11f28710fd33b10b7dd2988b2.1752837271.git.jdenemar@redhat.com>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Thu, 17 Jul 2025 11:58:32 +0200
Subject: [PATCH] qemu_tpm: Only warn about missing locking feature on shared
filesystems
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The warning pollutes the logs and might give a bad impression on someone
reading them even though the locking is not always needed. This way we
at least limit the logging in unnecessary cases.
Resolves: https://issues.redhat.com/browse/RHEL-80155
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 3451987fca7c89a1aa9c5b0701471b6bc23dda3d)
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
src/qemu/qemu_tpm.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 855d732e60..cdbd6e3993 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -660,12 +660,16 @@ qemuTPMVirCommandSwtpmAddEncryption(virCommand *cmd,
static void
qemuTPMVirCommandSwtpmAddTPMState(virCommand *cmd,
- const virDomainTPMEmulatorDef *emulator)
+ const virDomainTPMEmulatorDef *emulator,
+ const virDomainTPMDef *tpmDef,
+ const virQEMUDriverConfig *cfg)
{
const char *lock = ",lock";
if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_TPMSTATE_OPT_LOCK)) {
- VIR_WARN("This swtpm version doesn't support explicit locking");
+ if (qemuTPMHasSharedStorage(cfg, tpmDef))
+ VIR_WARN("This swtpm version doesn't support explicit locking");
+
lock = "";
}
@@ -721,7 +725,7 @@ qemuTPMEmulatorUpdateProfileName(virDomainTPMEmulatorDef *emulator,
virCommandAddArgList(cmd, "socket", "--print-info", "0x20", "--tpm2", NULL);
- qemuTPMVirCommandSwtpmAddTPMState(cmd, emulator);
+ qemuTPMVirCommandSwtpmAddTPMState(cmd, emulator, persistentTPMDef, cfg);
if (qemuTPMVirCommandSwtpmAddEncryption(cmd, emulator, swtpm) < 0)
return -1;
@@ -848,7 +852,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm,
virCommandAddArgFormat(cmd, "type=unixio,path=%s,mode=0600",
tpm->data.emulator.source->data.nix.path);
- qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator);
+ qemuTPMVirCommandSwtpmAddTPMState(cmd, &tpm->data.emulator, persistentTPMDef, cfg);
virCommandAddArg(cmd, "--log");
if (tpm->data.emulator.debug != 0)
--
2.50.1


@ -1,92 +0,0 @@
From d8c8f0d4f82ddbb3f3a59b11b9bd1373e8d82c3d Mon Sep 17 00:00:00 2001
Message-ID: <d8c8f0d4f82ddbb3f3a59b11b9bd1373e8d82c3d.1752837271.git.jdenemar@redhat.com>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Thu, 17 Jul 2025 11:51:39 +0200
Subject: [PATCH] qemu_tpm: Rename qemuTPMHasSharedStorage ->
qemuTPMDomainHasSharedStorage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The function deals with the whole domain and the part that handles one
TPM will be useful elsewhere and hence extracted later. This rename
makes it possible for the new function to use the original name of this
renamed one.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
(cherry picked from commit 05c5aabb475595249ed1eeca1b6f65b21edc0041)
Resolves: https://issues.redhat.com/browse/RHEL-80155
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---
src/qemu/qemu_migration.c | 2 +-
src/qemu/qemu_tpm.c | 8 ++++----
src/qemu/qemu_tpm.h | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 2400750ee4..090ac8ae1e 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1721,7 +1721,7 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm,
}
}
- if (qemuTPMHasSharedStorage(driver, vm->def) &&
+ if (qemuTPMDomainHasSharedStorage(driver, vm->def) &&
!qemuTPMCanMigrateSharedStorage(vm->def)) {
virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
_("the running swtpm does not support migration with shared storage"));
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index b2f76e6b8b..8c104ab1b3 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -1150,7 +1150,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
virCommandSetPidFile(cmd, pidfile);
virCommandSetErrorFD(cmd, &errfd);
- if (incomingMigration && qemuTPMHasSharedStorage(driver, vm->def)) {
+ if (incomingMigration && qemuTPMDomainHasSharedStorage(driver, vm->def)) {
/* If the TPM is being migrated over shared storage, we can't
* lock all files before labeling them: the source swtpm
* process is still holding on to the lock file, and it will
@@ -1219,8 +1219,8 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
bool
-qemuTPMHasSharedStorage(virQEMUDriver *driver,
- virDomainDef *def)
+qemuTPMDomainHasSharedStorage(virQEMUDriver *driver,
+ virDomainDef *def)
{
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
size_t i;
@@ -1346,7 +1346,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
return;
qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
- if (migration && qemuTPMHasSharedStorage(driver, vm->def))
+ if (migration && qemuTPMDomainHasSharedStorage(driver, vm->def))
restoreTPMStateLabel = false;
if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel, false) < 0)
diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h
index f0f16392a1..2d633fe36b 100644
--- a/src/qemu/qemu_tpm.h
+++ b/src/qemu/qemu_tpm.h
@@ -61,8 +61,8 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver,
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
G_GNUC_WARN_UNUSED_RESULT;
-bool qemuTPMHasSharedStorage(virQEMUDriver *driver,
- virDomainDef *def)
+bool qemuTPMDomainHasSharedStorage(virQEMUDriver *driver,
+ virDomainDef *def)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2)
G_GNUC_WARN_UNUSED_RESULT;
--
2.50.1


@ -1,239 +0,0 @@
From a926ee49aeab039d02bffd27034b1410f37f323b Mon Sep 17 00:00:00 2001
Message-ID: <a926ee49aeab039d02bffd27034b1410f37f323b.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 1 Jul 2025 13:48:00 +0200
Subject: [PATCH] tests: virnettls*test: Drop use of
GNUTLS_KEY_KEY_ENCIPHERMENT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It's not needed with TLS 1.3 any more.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit e67952b0e612c9ad3c3eec8bb692589602953ee8)
https://issues.redhat.com/browse/RHEL-100711
---
tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------
tests/virnettlssessiontest.c | 14 +++++++-------
2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index 2311524db8..48bdefdd76 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -156,13 +156,13 @@ mymain(void)
TLS_CERT_REQ(servercertreq, cacertreq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(clientcertreq, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
@@ -182,7 +182,7 @@ mymain(void)
TLS_CERT_REQ(servercert1req, cacert1req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
@@ -196,7 +196,7 @@ mymain(void)
TLS_CERT_REQ(servercert2req, cacert2req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
@@ -210,7 +210,7 @@ mymain(void)
TLS_CERT_REQ(servercert3req, cacert3req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
@@ -230,7 +230,7 @@ mymain(void)
TLS_CERT_REQ(servercert4req, cacert4req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* no-basic */
@@ -243,7 +243,7 @@ mymain(void)
TLS_CERT_REQ(servercert5req, cacert5req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* Key usage:dig-sig:critical */
@@ -256,7 +256,7 @@ mymain(void)
TLS_CERT_REQ(servercert6req, cacert6req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
@@ -284,7 +284,7 @@ mymain(void)
TLS_CERT_REQ(servercert8req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL,
0, 0);
/* usage:cert-sign:not-critical */
@@ -372,7 +372,7 @@ mymain(void)
TLS_CERT_REQ(clientcert2req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL,
0, 0);
/* usage:cert-sign:not-critical */
@@ -459,19 +459,19 @@ mymain(void)
TLS_CERT_REQ(servercertexpreq, cacertexpreq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(servercertexp1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, -1);
TLS_CERT_REQ(clientcertexp1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, -1);
@@ -491,19 +491,19 @@ mymain(void)
TLS_CERT_REQ(servercertnewreq, cacertnewreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(servercertnew1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
1, 2);
TLS_CERT_REQ(clientcertnew1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
1, 2);
@@ -538,13 +538,13 @@ mymain(void)
TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
"UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 285cde57d8..459e17c52c 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -314,20 +314,20 @@ mymain(void)
TLS_CERT_REQ(servercertreq, cacertreq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(clientcertreq, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
TLS_CERT_REQ(clientcertaltreq, altcacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
@@ -342,14 +342,14 @@ mymain(void)
TLS_CERT_REQ(servercertalt1req, cacertreq,
"UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* This intentionally doesn't replicate */
TLS_CERT_REQ(servercertalt2req, cacertreq,
"UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
@@ -433,13 +433,13 @@ mymain(void)
TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
"UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
--
2.50.1


@ -1,85 +0,0 @@
From 5e7f9ff3044baee5c4528dd68b4e74c852abcf04 Mon Sep 17 00:00:00 2001
Message-ID: <5e7f9ff3044baee5c4528dd68b4e74c852abcf04.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Mon, 30 Jun 2025 19:19:42 +0200
Subject: [PATCH] tls: Don't require 'keyEncipherment' to be enabled altoghther
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Key encipherment is required only for RSA key exchange algorithm. With
TLS 1.3 this is not even used as RSA is used only for authentication.
Since we can't really check when it's required ahead of time drop the
check completely. GnuTLS will moan if it will not be able to use RSA
key exchange.
In commit 11867b0224a2 I tried to relax the check for some eliptic
curve algorithm that explicitly forbid it. Based on the above the proper
solution is to completely remove it.
Resolves: https://issues.redhat.com/browse/RHEL-100711
Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 8cecd3249e5fa5478a7c53567971b4d969274ea3)
https://issues.redhat.com/browse/RHEL-100711
---
src/rpc/virnettlscert.c | 34 ++++------------------------------
1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index f197995633..6a723c1ed4 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
+ if (isCA)
+ usage = GNUTLS_KEY_KEY_CERT_SIGN;
+ else
+ usage = GNUTLS_KEY_DIGITAL_SIGNATURE;
} else {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %1$s key usage %2$s"),
@@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
certFile);
}
}
- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
-
- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
- * algorithms must not have 'keyEncipherment' present.
- *
- * [1] https://datatracker.ietf.org/doc/rfc8813/
- * [2] https://datatracker.ietf.org/doc/rfc5480
- */
-
- switch (alg) {
- case GNUTLS_PK_ECDSA:
- case GNUTLS_PK_ECDH_X25519:
- case GNUTLS_PK_ECDH_X448:
- break;
-
- default:
- if (critical) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Certificate %1$s usage does not permit key encipherment"),
- certFile);
- return -1;
- } else {
- VIR_WARN("Certificate %s usage does not permit key encipherment",
- certFile);
- }
- }
- }
}
return 0;
--
2.50.1


@ -1,332 +0,0 @@
From 518d76ea990261580c502657e4bf7b9dea22b21e Mon Sep 17 00:00:00 2001
Message-ID: <518d76ea990261580c502657e4bf7b9dea22b21e.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 1 Jul 2025 17:19:46 +0200
Subject: [PATCH] virDomainDriverAutoShutdown: Refactor selection logic for VMs
Decide separately and record what shutdown modes are to be applied on
given VM object rather than spreading out the logic through the code.
This centralization simplifies the conditions in the worker functions
and also:
- provides easy way to check if the auto-shutdown code will be acting
on domain object (will be used to fix attempt to auto-restore of
VMs which were not selected to be acted on
- will simplify further work where the desired shutdown action will be
picked per-VM
This refactor also fixes a bug where if restoring of the state is
applied also on VMs that are not selected for action based on current
logic.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 1c2295fbafab12cb3f943aab8bd015e167cad533)
https://issues.redhat.com/browse/RHEL-95196
---
src/hypervisor/domain_driver.c | 178 +++++++++++++++++++--------------
1 file changed, 101 insertions(+), 77 deletions(-)
diff --git a/src/hypervisor/domain_driver.c b/src/hypervisor/domain_driver.c
index d8ccee40d5..88fb87023a 100644
--- a/src/hypervisor/domain_driver.c
+++ b/src/hypervisor/domain_driver.c
@@ -738,25 +738,32 @@ virDomainDriverAutoShutdownActive(virDomainDriverAutoShutdownConfig *cfg)
}
+enum {
+ VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SAVE = 1 << 1,
+ VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SHUTDOWN = 1 << 2,
+ VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_POWEROFF = 1 << 3,
+ VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_RESTORE = 1 << 4,
+} virDomainDriverAutoShutdownModeFlag;
+
+
static void
virDomainDriverAutoShutdownDoSave(virDomainPtr *domains,
- bool *transient,
+ unsigned int *modes,
size_t numDomains,
virDomainDriverAutoShutdownConfig *cfg)
{
g_autofree unsigned int *flags = g_new0(unsigned int, numDomains);
+ bool hasSave = false;
size_t i;
- if (cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
- return;
-
for (i = 0; i < numDomains; i++) {
int state;
- if ((transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ if (!(modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SAVE))
continue;
+ hasSave = true;
+
virSystemdNotifyStatus("Suspending '%s' (%zu of %zu)",
virDomainGetName(domains[i]), i + 1, numDomains);
VIR_INFO("Suspending '%s'", virDomainGetName(domains[i]));
@@ -778,9 +785,11 @@ virDomainDriverAutoShutdownDoSave(virDomainPtr *domains,
virDomainSuspend(domains[i]);
}
+ if (!hasSave)
+ return;
+
for (i = 0; i < numDomains; i++) {
- if ((transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ if (!(modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SAVE))
continue;
virSystemdNotifyStatus("Saving '%s' (%zu of %zu)",
@@ -795,31 +804,27 @@ virDomainDriverAutoShutdownDoSave(virDomainPtr *domains,
virDomainResume(domains[i]);
continue;
}
- virObjectUnref(domains[i]);
- domains[i] = NULL;
+
+ modes[i] = 0;
}
}
static void
virDomainDriverAutoShutdownDoShutdown(virDomainPtr *domains,
- bool *transient,
+ unsigned int *modes,
size_t numDomains,
virDomainDriverAutoShutdownConfig *cfg)
{
GTimer *timer = NULL;
+ bool hasShutdown = false;
size_t i;
- if (cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
- return;
-
for (i = 0; i < numDomains; i++) {
- if (domains[i] == NULL)
+ if (!(modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SHUTDOWN))
continue;
- if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
- continue;
+ hasShutdown = true;
virSystemdNotifyStatus("Shutting down '%s' (%zu of %zu)",
virDomainGetName(domains[i]), i + 1, numDomains);
@@ -833,25 +838,24 @@ virDomainDriverAutoShutdownDoShutdown(virDomainPtr *domains,
}
}
+ if (!hasShutdown)
+ return;
+
timer = g_timer_new();
virSystemdNotifyStatus("Waiting %u secs for VM shutdown completion",
cfg->waitShutdownSecs);
VIR_INFO("Waiting %u secs for VM shutdown completion", cfg->waitShutdownSecs);
+
while (1) {
bool anyRunning = false;
for (i = 0; i < numDomains; i++) {
- if (!domains[i])
- continue;
-
- if ((transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ if (!(modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SHUTDOWN))
continue;
if (virDomainIsActive(domains[i]) == 1) {
anyRunning = true;
} else {
- virObjectUnref(domains[i]);
- domains[i] = NULL;
+ modes[i] = 0;
}
}
@@ -867,21 +871,13 @@ virDomainDriverAutoShutdownDoShutdown(virDomainPtr *domains,
static void
virDomainDriverAutoShutdownDoPoweroff(virDomainPtr *domains,
- bool *transient,
- size_t numDomains,
- virDomainDriverAutoShutdownConfig *cfg)
+ unsigned int *modes,
+ size_t numDomains)
{
size_t i;
- if (cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_NONE)
- return;
-
for (i = 0; i < numDomains; i++) {
- if (domains[i] == NULL)
- continue;
-
- if ((transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
- (!transient[i] && cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ if (!(modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_POWEROFF))
continue;
virSystemdNotifyStatus("Destroying '%s' (%zu of %zu)",
@@ -894,11 +890,49 @@ virDomainDriverAutoShutdownDoPoweroff(virDomainPtr *domains,
*/
virDomainDestroy(domains[i]);
- virObjectUnref(domains[i]);
- domains[i] = NULL;
+ modes[i] = 0;
}
}
+static unsigned int
+virDomainDriverAutoShutdownGetMode(virDomainPtr domain,
+ virDomainDriverAutoShutdownConfig *cfg)
+{
+ unsigned int mode = 0;
+
+ if (virDomainIsPersistent(domain) != 0) {
+ if (cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SAVE;
+
+ if (cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SHUTDOWN;
+
+ if (cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_POWEROFF;
+
+ /* Don't restore VMs which weren't selected for auto-shutdown */
+ if (mode != 0 && cfg->autoRestore)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_RESTORE;
+ } else {
+ if (cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->tryShutdown == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_SHUTDOWN;
+
+ if (cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_ALL ||
+ cfg->poweroff == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT)
+ mode |= VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_POWEROFF;
+
+ if (cfg->autoRestore)
+ VIR_DEBUG("Cannot auto-restore transient VM '%s'",
+ virDomainGetName(domain));
+ }
+
+ return mode;
+}
+
void
virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
@@ -907,7 +941,7 @@ virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
int numDomains = 0;
size_t i;
virDomainPtr *domains = NULL;
- g_autofree bool *transient = NULL;
+ g_autofree unsigned int *modes = NULL;
VIR_DEBUG("Run autoshutdown uri=%s trySave=%s tryShutdown=%s poweroff=%s waitShutdownSecs=%u saveBypassCache=%d autoRestore=%d",
cfg->uri,
@@ -948,58 +982,48 @@ virDomainDriverAutoShutdown(virDomainDriverAutoShutdownConfig *cfg)
return;
if (!(conn = virConnectOpen(cfg->uri)))
- goto cleanup;
+ return;
if ((numDomains = virConnectListAllDomains(conn,
&domains,
VIR_CONNECT_LIST_DOMAINS_ACTIVE)) < 0)
- goto cleanup;
+ return;
VIR_DEBUG("Auto shutdown with %d running domains", numDomains);
- transient = g_new0(bool, numDomains);
- for (i = 0; i < numDomains; i++) {
- if (virDomainIsPersistent(domains[i]) == 0)
- transient[i] = true;
+ modes = g_new0(unsigned int, numDomains);
- if (cfg->autoRestore) {
- if (transient[i]) {
- VIR_DEBUG("Cannot auto-restore transient VM %s",
- virDomainGetName(domains[i]));
- } else {
- VIR_DEBUG("Mark %s for autostart on next boot",
- virDomainGetName(domains[i]));
- if (virDomainSetAutostartOnce(domains[i], 1) < 0) {
- VIR_WARN("Unable to mark domain '%s' for auto restore: %s",
- virDomainGetName(domains[i]),
- virGetLastErrorMessage());
- }
+ for (i = 0; i < numDomains; i++) {
+ modes[i] = virDomainDriverAutoShutdownGetMode(domains[i], cfg);
+
+ if (modes[i] == 0) {
+ /* VM wasn't selected for any of the shutdown modes. There's not
+ * much we can do about that as the host is powering off, logging
+ * at least lets admins know */
+ VIR_WARN("auto-shutdown: domain '%s' not successfully shut off by any action",
+ domains[i]->name);
+ }
+
+ if (modes[i] & VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_MODE_RESTORE) {
+ VIR_DEBUG("Mark '%s' for autostart on next boot",
+ virDomainGetName(domains[i]));
+ if (virDomainSetAutostartOnce(domains[i], 1) < 0) {
+ VIR_WARN("Unable to mark domain '%s' for auto restore: %s",
+ virDomainGetName(domains[i]),
+ virGetLastErrorMessage());
}
}
}
- virDomainDriverAutoShutdownDoSave(domains, transient, numDomains, cfg);
- virDomainDriverAutoShutdownDoShutdown(domains, transient, numDomains, cfg);
- virDomainDriverAutoShutdownDoPoweroff(domains, transient, numDomains, cfg);
+ virDomainDriverAutoShutdownDoSave(domains, modes, numDomains, cfg);
+ virDomainDriverAutoShutdownDoShutdown(domains, modes, numDomains, cfg);
+ virDomainDriverAutoShutdownDoPoweroff(domains, modes, numDomains);
virSystemdNotifyStatus("Processed %d domains", numDomains);
VIR_INFO("Processed %d domains", numDomains);
- cleanup:
- if (domains) {
- /* Anything non-NULL in this list indicates none of
- * the configured ations were successful in processing
- * the domain. There's not much we can do about that
- * as the host is powering off, logging at least lets
- * admins know
- */
- for (i = 0; i < numDomains; i++) {
- if (domains[i] == NULL)
- continue;
- VIR_WARN("auto-shutdown: domain '%s' not successfully shut off by any action",
- domains[i]->name);
- virObjectUnref(domains[i]);
- }
- VIR_FREE(domains);
- }
+ for (i = 0; i < numDomains; i++)
+ virObjectUnref(domains[i]);
+
+ VIR_FREE(domains);
}
--
2.50.1


@ -1,41 +0,0 @@
From ec623715d2716db078a0248925506d4d75d7fd57 Mon Sep 17 00:00:00 2001
Message-ID: <ec623715d2716db078a0248925506d4d75d7fd57.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 3 Jul 2025 14:18:46 +0200
Subject: [PATCH] virDomainDriverAutoShutdownDoSave: Don't attempt to save
transient VMs
Commit 84bb136c31e added code that intended to skip the save of
transient domains but did so only in the setup part where we pause the
VMS. The second loop that actually attempts to save the VM was not
modified so we'd still try saving them:
Jul 03 14:15:13 andariel virtqemud[247210]: auto-shutdown: unable to perform managed save of 'cd3': Requested operation is not valid: cannot do managed save for transient domain
Fixes: 84bb136c31e
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit e1f84ca87e20c64999d3e6e1daccbd86dda743ef)
https://issues.redhat.com/browse/RHEL-95196
---
src/hypervisor/domain_driver.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/hypervisor/domain_driver.c b/src/hypervisor/domain_driver.c
index cce6c64d1b..d8ccee40d5 100644
--- a/src/hypervisor/domain_driver.c
+++ b/src/hypervisor/domain_driver.c
@@ -779,6 +779,10 @@ virDomainDriverAutoShutdownDoSave(virDomainPtr *domains,
}
for (i = 0; i < numDomains; i++) {
+ if ((transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_PERSISTENT) ||
+ (!transient[i] && cfg->trySave == VIR_DOMAIN_DRIVER_AUTO_SHUTDOWN_SCOPE_TRANSIENT))
+ continue;
+
virSystemdNotifyStatus("Saving '%s' (%zu of %zu)",
virDomainGetName(domains[i]), i + 1, numDomains);
VIR_INFO("Saving '%s'", virDomainGetName(domains[i]));
--
2.50.1


@ -1,178 +0,0 @@
From aa234d4ed710432af8aac8fbe79d5cf80ae2b1f6 Mon Sep 17 00:00:00 2001
Message-ID: <aa234d4ed710432af8aac8fbe79d5cf80ae2b1f6.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 26 Jun 2025 17:35:17 +0200
Subject: [PATCH] virSystemdCreateMachine: Add flag to invert machined unit
dependencies
The existing dependency order of the 'machined' unit file for the domain
we're starting ("After libvirtd/virtqemud"->thus shuts down *before* the
daemon) is intended to work with 'libvirt-guests.service' which requires
the daemon to be around to shut down the VMs.
If we want to use the integrated auto shutdown done by the daemon itself
we need to be able to instruct the domains (thus the corresponding
machined units to shut down *after* virtqemud/libvirt.
This means that we need to be able to invert the ordering relationship
to "Before".
This patch adds a parameter to virSystemdCreateMachine so that when
starting the VM we'll be able to tell the daemon to use the proper
relationship.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 9b12b7e85914dd3d0874dfcd0f6abc0925e3325f)
https://issues.redhat.com/browse/RHEL-95361
---
src/util/vircgroup.c | 3 ++-
src/util/virsystemd.c | 27 +++++++++++++++++++++------
src/util/virsystemd.h | 3 ++-
tests/virsystemdtest.c | 15 +++++++++------
4 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index 1daa95e178..fc5dca4858 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1293,7 +1293,8 @@ virCgroupNewMachineSystemd(const char *name,
nnicindexes,
nicindexes,
partition,
- maxthreads)) < 0)
+ maxthreads,
+ false)) < 0)
return rv;
if (controllers != -1)
diff --git a/src/util/virsystemd.c b/src/util/virsystemd.c
index 4f8424ae32..bd174c683e 100644
--- a/src/util/virsystemd.c
+++ b/src/util/virsystemd.c
@@ -358,6 +358,8 @@ virSystemdGetMachineUnitByPID(pid_t pid)
* @nicindexes: list of network interface indexes
* @partition: name of the slice to place the machine in
* @maxthreads: maximum number of threads the VM process can use
+ * @daemonDomainShutdown: shutdown of domains on host shutdown is done by the
+ * daemon instead of the libvirt-guests script
*
* Returns 0 on success, -1 on fatal error, or -2 if systemd-machine is not available
*/
@@ -370,7 +372,8 @@ int virSystemdCreateMachine(const char *name,
size_t nnicindexes,
int *nicindexes,
const char *partition,
- unsigned int maxthreads)
+ unsigned int maxthreads,
+ bool daemonDomainShutdown)
{
int rc;
GDBusConnection *conn;
@@ -462,11 +465,23 @@ int virSystemdCreateMachine(const char *name,
uuid, 16, sizeof(unsigned char));
gnicindexes = g_variant_new_fixed_array(G_VARIANT_TYPE("i"),
nicindexes, nnicindexes, sizeof(int));
- gprops = g_variant_new_parsed("[('Slice', <%s>),"
- " ('After', <['libvirtd.service', %s]>),"
- " ('Before', <['virt-guest-shutdown.target']>)]",
- slicename,
- servicename);
+
+ if (daemonDomainShutdown) {
+ /* When domains are shut down by the daemon rather than the
+ * "libvirt-guests" script we need ensure that their unit
+ * is ordered so that it's shutdown after the libvirt daemon itself */
+ gprops = g_variant_new_parsed("[('Slice', <%s>),"
+ " ('Before', <['libvirtd.service', %s]>)]",
+ slicename,
+ servicename);
+ } else {
+ gprops = g_variant_new_parsed("[('Slice', <%s>),"
+ " ('After', <['libvirtd.service', %s]>),"
+ " ('Before', <['virt-guest-shutdown.target']>)]",
+ slicename,
+ servicename);
+ }
+
message = g_variant_new("(s@ayssus@ai@a(sv))",
name,
guuid,
diff --git a/src/util/virsystemd.h b/src/util/virsystemd.h
index 98460dbc3a..620d9a9645 100644
--- a/src/util/virsystemd.h
+++ b/src/util/virsystemd.h
@@ -40,7 +40,8 @@ int virSystemdCreateMachine(const char *name,
size_t nnicindexes,
int *nicindexes,
const char *partition,
- unsigned int maxthreads);
+ unsigned int maxthreads,
+ bool daemonDomainShutdown);
int virSystemdTerminateMachine(const char *name);
diff --git a/tests/virsystemdtest.c b/tests/virsystemdtest.c
index 004b0549ce..24c118a409 100644
--- a/tests/virsystemdtest.c
+++ b/tests/virsystemdtest.c
@@ -170,7 +170,8 @@ static int testCreateContainer(const void *opaque G_GNUC_UNUSED)
123,
true,
0, NULL,
- "highpriority.slice", 0) < 0) {
+ "highpriority.slice", 0,
+ false) < 0) {
fprintf(stderr, "%s", "Failed to create LXC machine\n");
return -1;
}
@@ -203,7 +204,9 @@ static int testCreateMachine(const void *opaque G_GNUC_UNUSED)
123,
false,
0, NULL,
- NULL, 0) < 0) {
+ NULL,
+ 0,
+ true) < 0) {
fprintf(stderr, "%s", "Failed to create KVM machine\n");
return -1;
}
@@ -240,7 +243,7 @@ static int testCreateNoSystemd(const void *opaque G_GNUC_UNUSED)
123,
false,
0, NULL,
- NULL, 0)) == 0) {
+ NULL, 0, false)) == 0) {
g_unsetenv("FAIL_NO_SERVICE");
fprintf(stderr, "%s", "Unexpected create machine success\n");
return -1;
@@ -274,7 +277,7 @@ static int testCreateSystemdNotRunning(const void *opaque G_GNUC_UNUSED)
123,
false,
0, NULL,
- NULL, 0)) == 0) {
+ NULL, 0, false)) == 0) {
g_unsetenv("FAIL_NOT_REGISTERED");
fprintf(stderr, "%s", "Unexpected create machine success\n");
return -1;
@@ -308,7 +311,7 @@ static int testCreateBadSystemd(const void *opaque G_GNUC_UNUSED)
123,
false,
0, NULL,
- NULL, 0)) == 0) {
+ NULL, 0, false)) == 0) {
g_unsetenv("FAIL_BAD_SERVICE");
fprintf(stderr, "%s", "Unexpected create machine success\n");
return -1;
@@ -343,7 +346,7 @@ static int testCreateNetwork(const void *opaque G_GNUC_UNUSED)
123,
true,
nnicindexes, nicindexes,
- "highpriority.slice", 2) < 0) {
+ "highpriority.slice", 2, false) < 0) {
fprintf(stderr, "%s", "Failed to create LXC machine\n");
return -1;
}
--
2.50.1


@ -1,32 +0,0 @@
From a979205ad19aafc0cea99f66debff32704882fa4 Mon Sep 17 00:00:00 2001
Message-ID: <a979205ad19aafc0cea99f66debff32704882fa4.1752837271.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Thu, 26 Jun 2025 17:20:21 +0200
Subject: [PATCH] virSystemdCreateMachine: Document @maxthreds
The parameter overrides the maximum number of threads for the machine.
Fixes: d5572f62e32
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 0df20b69c8c235946a307ee9b031002d69137852)
https://issues.redhat.com/browse/RHEL-95361
---
src/util/virsystemd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util/virsystemd.c b/src/util/virsystemd.c
index 92d2890360..4f8424ae32 100644
--- a/src/util/virsystemd.c
+++ b/src/util/virsystemd.c
@@ -357,6 +357,7 @@ virSystemdGetMachineUnitByPID(pid_t pid)
* @nnicindexes: number of network interface indexes in list
* @nicindexes: list of network interface indexes
* @partition: name of the slice to place the machine in
+ * @maxthreads: maximum number of threads the VM process can use
*
* Returns 0 on success, -1 on fatal error, or -2 if systemd-machine is not available
*/
--
2.50.1


@ -292,8 +292,8 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 11.5.0
Release: 4%{?dist}%{?extra_release}.alma.1
Version: 11.7.0
Release: 1%{?dist}%{?extra_release}.alma.1
License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
URL: https://libvirt.org/
@ -301,27 +301,6 @@ URL: https://libvirt.org/
%define mainturl stable_updates/
%endif
Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz
Patch1: libvirt-virSystemdCreateMachine-Document-maxthreds.patch
Patch2: libvirt-cgroup-Unexport-virDomainCgroupInitCgroup.patch
Patch3: libvirt-qemu-conf-Store-autoShutdown-config-in-virDomainDriverAutoShutdownConfig.patch
Patch4: libvirt-hypervisor-domain-Extract-logic-for-auto-shutdown-to-virDomainDriverAutoShutdownActive.patch
Patch5: libvirt-virSystemdCreateMachine-Add-flag-to-invert-machined-unit-dependencies.patch
Patch6: libvirt-cgroup-Plumb-the-daemonDomainShutdown-parameter-of-virSystemdCreateMachine-to-drivers.patch
Patch7: libvirt-qemu-Fix-auto-shutdown-of-qemu-VMs-by-the-qemu-driver.patch
Patch8: libvirt-hypervisor-Split-out-individual-steps-out-of-virDomainDriverAutoShutdown.patch
Patch9: libvirt-virDomainDriverAutoShutdownDoSave-Don-t-attempt-to-save-transient-VMs.patch
Patch10: libvirt-virDomainDriverAutoShutdown-Refactor-selection-logic-for-VMs.patch
Patch11: libvirt-tls-Don-t-require-keyEncipherment-to-be-enabled-altoghther.patch
Patch12: libvirt-kbase-tlscerts-Drop-encryption_key-feature-request.patch
Patch13: libvirt-tests-virnettls-test-Drop-use-of-GNUTLS_KEY_KEY_ENCIPHERMENT.patch
Patch14: libvirt-qemu_tpm-Rename-qemuTPMHasSharedStorage-qemuTPMDomainHasSharedStorage.patch
Patch15: libvirt-qemu_tpm-Extract-per-TPM-functionality-from-qemuTPMDomainHasSharedStorage.patch
Patch16: libvirt-qemu_tpm-Only-warn-about-missing-locking-feature-on-shared-filesystems.patch
Patch17: libvirt-qemu_tpm-Do-not-use-persistent-definition-during-pre-start-checks.patch
Patch18: libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch
Patch19: libvirt-qemu-sanitize-blank-lines-in-config-file.patch
Patch20: libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -1184,9 +1163,6 @@ MinGW Windows libvirt virtualization library.
%prep
%autosetup -S git_am -N
%autopatch
%build
%if 0%{?fedora} >= %{min_fedora} || 0%{?rhel} >= %{min_rhel}
%define supported_platform 1
@ -2496,6 +2472,9 @@ exit 0
%{_unitdir}/virtchd.service
%{_unitdir}/virtchd.socket
%{_libdir}/libvirt/connection-driver/libvirt_driver_ch.so
%config(noreplace) %{_sysconfdir}/libvirt/ch.conf
%{_datadir}/augeas/lenses/libvirtd_ch.aug
%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug
%endif
%files client
@ -2716,9 +2695,14 @@ exit 0
%endif
%changelog
* Wed Aug 06 2025 Eduard Abdullin <eabdullin@almalinux.org> - 11.5.0-4.alma.1
* Wed Sep 03 2025 Eduard Abdullin <eabdullin@almalinux.org> - 11.7.0-1.alma.1
- Enable building for ppc64le
* Tue Sep 2 2025 Jiri Denemark <jdenemar@redhat.com> - 11.7.0-1
- Rebased to libvirt-11.7.0 (RHEL-104238)
- The rebase also fixes the following bugs:
RHEL-72006, RHEL-110191
* Tue Aug 5 2025 Jiri Denemark <jdenemar@redhat.com> - 11.5.0-4
- qemu: fix order of VNC TLS config entries (RHEL-104382)
- qemu: sanitize blank lines in config file (RHEL-104382)
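Review bot: The new changelog entry `* Wed Sep 03 2025 Eduard Abdullin <eabdullin@almalinux.org> - 11.7.0-1.alma.1` carries only the line `- Enable building for ppc64le`, copied from the previous alma entry, yet none of the hunks in this section touch an architecture setting; what they do is move Version/Release to 11.7.0-1, drop Patch1 through Patch20 together with `%autopatch`, and add the ch.conf and augeas entries under the virtchd `%files`. If the ppc64le enablement lives outside these hunks that is fine, but the entry should also record the rebase, e.g. `- Rebased to libvirt-11.7.0, dropping the 20 backported patches now carried upstream`. Emptying the Patch list assumes each backport is already in the 11.7.0 tarball; the cherry-picked upstream commit ids cited in the deleted patch files (for example the one for Patch11, the TLS keyEncipherment change tracked as RHEL-100711) presumably predate the 11.7.0 release, but confirming them against the 11.7.0 tree before merging is cheap, and that particular patch changes certificate key-usage validation so a missing backport would regress TLS behaviour silently.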


@ -1 +1 @@
SHA512 (libvirt-11.5.0.tar.xz) = 76faa65ca747cb1f302847edecb76eb1cf53fd608779ccd96c8b1f909f56a709ff8f2a6c286ac1f29433adf5b11f3175bdbf3d98033fd512f139e915a6939d7e
SHA512 (libvirt-11.7.0.tar.xz) = 69b5ad14aeabe28dd265dc83dfb63ac4d9956bfa9c67fa1d9cf7ebd4e13354cd3266bbb8941efe7347962bad432c84d10d4c48f70f74a18087ba5dfe17d6365f