rpms/libvirt
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Enable building for ppc64le

Browse Source
This commit is contained in:
Eduard Abdullin 2025-09-17 07:56:12 +00:00 committed by root
commit f0cf9afeb6
7 changed files with 1416 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

690
SOURCES/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch Normal file
View File

@ -0,0 +1,690 @@
From d9935026fcc24f52bf9672962c331b91c002e38a Mon Sep 17 00:00:00 2001
Message-ID: <d9935026fcc24f52bf9672962c331b91c002e38a.1754419285.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:40:01 +0100
Subject: [PATCH] qemu: add ability to set TLS priority string with QEMU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU will either use the GNUTLS default priority string of "NORMAL",
or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to
a configuration in /etc/crypto-policies/back-ends/gnutls.config.
The latter gives the sysadmin the ability to change the priority
string used for GNUTLS at deployment time, either system side, or
exclusively for QEMU, avoiding the hardcoded GNUTLS defaults.
There are still some limitations to this:
* Priorities cannot be set for different areas of QEMU
functionality (migration, vnc, nbd, etc)
* Priorities are fixed at the time when QEMU first
triggers GNUTLS to load its config file, often
immediately at startup.
We recently uncovered a QEMU bug that causes crashes in live
migration with TLS-1.3, where the easiest workaround is to
change the TLS priorities. We can't change this on the running
QEMU, but fortunately it is possible to change it on the target
QEMU and the TLS handshake will make it take effect on both
src and dst.
The problem is, while fixing the immediate incoming and outgoing
live migration problems, the workaround will apply to everything
else that QEMU does for the rest of the time that process exists.
We want to make it possible to set the TLS priorities only for
the current migrations, such that if the target QEMU has a fixed
GNUTLS, it will not have its TLS priorities hobbled for the next
live migration.
To achieve this we need libvirt to be able to (optionally) set
the TLS priority string with QEMU. While live migration is the
most pressing need, the new qemu.conf parameters are wired up
for every subsystem for greater selectivity in future.
With this we can activate the GNUTLS workaround for running
QEMU processes by editting qemu.conf and restarting virtqemud,
and later undo this the same way.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 14e41ac9f365b148e69088c5ffeb565a0f9ba326)
- Added dummy vxhsTLSpriority field and adapted old test data files
Resolves: https://issues.redhat.com/browse/RHEL-106277
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/conf/storage_source_conf.c | 2 +
src/conf/storage_source_conf.h | 1 +
src/qemu/libvirtd_qemu.aug | 6 +++
src/qemu/qemu.conf.in | 37 +++++++++++++++++++
src/qemu/qemu_backup.c | 5 ++-
src/qemu/qemu_blockjob.c | 1 +
src/qemu/qemu_command.c | 15 ++++++--
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_conf.c | 22 +++++++++++
src/qemu/qemu_conf.h | 8 ++++
src/qemu/qemu_domain.c | 3 ++
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_hotplug.h | 1 +
src/qemu/qemu_migration_params.c | 1 +
src/qemu/test_libvirtd_qemu.aug.in | 6 +++
...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +-
.../graphics-vnc-tls-secret.x86_64-5.2.0.args | 2 +-
...graphics-vnc-tls-secret.x86_64-latest.args | 2 +-
...-tlsx509-secret-chardev.x86_64-latest.args | 2 +-
tests/qemuxmlconftest.c | 6 +++
21 files changed, 117 insertions(+), 11 deletions(-)
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index ca956a1b7c..dc6e6bde32 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -838,6 +838,7 @@ virStorageSourceCopy(const virStorageSource *src,
def->compat = g_strdup(src->compat);
def->tlsAlias = g_strdup(src->tlsAlias);
def->tlsCertdir = g_strdup(src->tlsCertdir);
+ def->tlsPriority = g_strdup(src->tlsPriority);
def->tlsHostname = g_strdup(src->tlsHostname);
def->query = g_strdup(src->query);
def->vdpadev = g_strdup(src->vdpadev);
@@ -1191,6 +1192,7 @@ virStorageSourceClear(virStorageSource *def)
VIR_FREE(def->tlsAlias);
VIR_FREE(def->tlsCertdir);
+ VIR_FREE(def->tlsPriority);
VIR_FREE(def->tlsHostname);
VIR_FREE(def->ssh_user);
diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index e6cbb93c06..760b60bd40 100644
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -392,6 +392,7 @@ struct _virStorageSource {
* certificate directory with listen and verify bools. */
char *tlsAlias;
char *tlsCertdir;
+ char *tlsPriority;
/* TLS hostname override */
char *tlsHostname;
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 3f018f39a0..711806b2a8 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -30,6 +30,7 @@ module Libvirtd_qemu =
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
| bool_entry "default_tls_x509_verify"
| str_entry "default_tls_x509_secret_uuid"
+ | str_entry "default_tls_priority"
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
@@ -37,6 +38,7 @@ module Libvirtd_qemu =
| str_entry "vnc_tls_x509_cert_dir"
| bool_entry "vnc_tls_x509_verify"
| str_entry "vnc_tls_x509_secret_uuid"
+ | str_entry "vnc_tls_priority"
| str_entry "vnc_password"
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
@@ -54,15 +56,18 @@ module Libvirtd_qemu =
| str_entry "chardev_tls_x509_cert_dir"
| bool_entry "chardev_tls_x509_verify"
| str_entry "chardev_tls_x509_secret_uuid"
+ | str_entry "chardev_tls_priority"
let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
| bool_entry "migrate_tls_x509_verify"
| str_entry "migrate_tls_x509_secret_uuid"
+ | str_entry "migrate_tls_priority"
| bool_entry "migrate_tls_force"
let backup_entry = str_entry "backup_tls_x509_cert_dir"
| bool_entry "backup_tls_x509_verify"
| str_entry "backup_tls_x509_secret_uuid"
+ | str_entry "backup_tls_priority"
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
@@ -71,6 +76,7 @@ module Libvirtd_qemu =
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
| str_entry "nbd_tls_x509_secret_uuid"
+ | str_entry "nbd_tls_priority"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 988d176a28..8bf18d06b2 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -62,6 +62,18 @@
#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Libvirt allows QEMU to use its built-in TLS priority by default,
+# however, this allows overriding it at runtime. This is especially
+# useful if TLS priority needs to be changed for an operation run
+# against an existing running QEMU.
+#
+# This must be a valid GNUTLS priority string:
+#
+# https://gnutls.org/manual/html_node/Priority-Strings.html
+#
+#default_tls_priority = "@SYSTEM"
+
+
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
@@ -127,6 +139,11 @@
#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for VNC
+#
+#vnc_tls_priority = "@SYSTEM"
+
+
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
@@ -278,6 +295,11 @@
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for character devices
+#
+#chardev_tls_priority = "@SYSTEM"
+
+
# Enable use of TLS encryption for all VxHS network block devices that
# don't specifically disable.
#
@@ -366,6 +388,11 @@
#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD
+#
+#nbd_tls_priority = "@SYSTEM"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
@@ -405,6 +432,11 @@
#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for live migration
+#
+#migrate_tls_priority = "@SYSTEM"
+
+
# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
# automatically. Setting 'migate_tls_force' to "1" will prevent any migration
# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
@@ -450,6 +482,11 @@
#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD backups
+#
+#backup_tls_priority = "@SYSTEM"
+
+
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c
index f64639d501..d416f0f0c7 100644
--- a/src/qemu/qemu_backup.c
+++ b/src/qemu/qemu_backup.c
@@ -725,8 +725,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm,
}
if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true,
- cfg->backupTLSx509verify, tlsObjAlias,
- tlsKeySecretAlias,
+ cfg->backupTLSx509verify,
+ cfg->backupTLSpriority,
+ tlsObjAlias, tlsKeySecretAlias,
tlsProps) < 0)
return -1;
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 4e77543fa8..4d94703807 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -623,6 +623,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src)
VIR_FREE(src->nodenameformat);
VIR_FREE(src->tlsAlias);
VIR_FREE(src->tlsCertdir);
+ VIR_FREE(src->tlsPriority);
}
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 24dac0ce0f..a2cf974e75 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1229,6 +1229,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @alias: alias for the TLS credentials object
* @secalias: if one exists, the alias of the security object for passwordid
* @propsret: json properties to return
@@ -1241,6 +1242,7 @@ int
qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret)
@@ -1249,6 +1251,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
"s:dir", tlspath,
"s:endpoint", (isListen ? "server": "client"),
"b:verify-peer", (isListen ? verifypeer : true),
+ "S:priority", priority,
"S:passwordid", secalias,
NULL) < 0)
return -1;
@@ -1262,6 +1265,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private key
* (optional)
* @alias: TLS object alias
@@ -1276,14 +1280,15 @@ qemuBuildTLSx509CommandLine(virCommand *cmd,
const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *certEncSecretAlias,
const char *alias,
virQEMUCaps *qemuCaps)
{
g_autoptr(virJSONValue) props = NULL;
- if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias,
- certEncSecretAlias, &props) < 0)
+ if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority,
+ alias, certEncSecretAlias, &props) < 0)
return -1;
if (qemuBuildObjectCommandlineFromJSON(cmd, props, qemuCaps) < 0)
@@ -1326,6 +1331,7 @@ qemuBuildChardevCommand(virCommand *cmd,
if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath,
dev->data.tcp.listen,
chrSourcePriv->tlsVerify,
+ chrSourcePriv->tlsPriority,
tlsCertEncSecAlias,
objalias, qemuCaps) < 0) {
return -1;
@@ -8082,6 +8088,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg,
cfg->vncTLSx509certdir,
true,
cfg->vncTLSx509verify,
+ cfg->vncTLSpriority,
secretAlias,
gfxPriv->tlsAlias,
qemuCaps) < 0)
@@ -10933,8 +10940,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
}
if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
- qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
- tlsKeySecretAlias, &data->tlsProps) < 0)
+ qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsPriority,
+ src->tlsAlias, tlsKeySecretAlias, &data->tlsProps) < 0)
return -1;
return 0;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 76c514b5f7..948a633668 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -62,6 +62,7 @@ int qemuBuildSecretInfoProps(qemuDomainSecretInfo *secinfo,
int qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret);
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 7c15c521c7..93e1f7938b 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -422,6 +422,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg,
if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
&cfg->defaultTLSx509secretUUID) < 0)
return -1;
+ if (virConfGetValueString(conf, "default_tls_priority",
+ &cfg->defaultTLSpriority) < 0)
+ return -1;
return 0;
}
@@ -521,6 +524,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg,
#val "_tls_x509_secret_uuid", \
&cfg->val## TLSx509secretUUID) < 0) \
return -1; \
+ if ((rv = virConfGetValueString(conf, #val "_tls_priority", \
+ &cfg->val## TLSpriority)) < 0) \
+ return -1; \
} while (0)
#define GET_CONFIG_TLS_CERTINFO_SERVER(val) \
@@ -1305,6 +1311,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg)
#undef SET_TLS_SECRET_UUID_DEFAULT
+#define SET_TLS_PRIORITY_DEFAULT(val) \
+ do { \
+ if (!cfg->val## TLSpriority && \
+ cfg->defaultTLSpriority) { \
+ cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \
+ } \
+ } while (0)
+
+ SET_TLS_PRIORITY_DEFAULT(vnc);
+ SET_TLS_PRIORITY_DEFAULT(chardev);
+ SET_TLS_PRIORITY_DEFAULT(migrate);
+ SET_TLS_PRIORITY_DEFAULT(backup);
+ SET_TLS_PRIORITY_DEFAULT(nbd);
+
+#undef SET_TLS_PRIORITY_DEFAULT
+
/*
* If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
* has created a val specific area to place service specific certificates.
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 42cdb6f883..b650f52262 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -115,6 +115,7 @@ struct _virQEMUDriverConfig {
bool defaultTLSx509verify;
bool defaultTLSx509verifyPresent;
char *defaultTLSx509secretUUID;
+ char *defaultTLSpriority;
bool vncAutoUnixSocket;
bool vncTLS;
@@ -123,6 +124,7 @@ struct _virQEMUDriverConfig {
bool vncSASL;
char *vncTLSx509certdir;
char *vncTLSx509secretUUID;
+ char *vncTLSpriority;
char *vncListen;
char *vncPassword;
char *vncSASLdir;
@@ -140,25 +142,31 @@ struct _virQEMUDriverConfig {
bool chardevTLSx509verify;
bool chardevTLSx509verifyPresent;
char *chardevTLSx509secretUUID;
+ char *chardevTLSpriority;
char *migrateTLSx509certdir;
bool migrateTLSx509verify;
bool migrateTLSx509verifyPresent;
char *migrateTLSx509secretUUID;
+ char *migrateTLSpriority;
bool migrateTLSForce;
char *backupTLSx509certdir;
bool backupTLSx509verify;
bool backupTLSx509verifyPresent;
char *backupTLSx509secretUUID;
+ char *backupTLSpriority;
bool vxhsTLS;
char *vxhsTLSx509certdir;
char *vxhsTLSx509secretUUID;
+ char *vxhsTLSpriority; /* unused / dummy field to keep
+ * GET_CONFIG_TLS_CERTINFO_COMMON happy */
bool nbdTLS;
char *nbdTLSx509certdir;
char *nbdTLSx509secretUUID;
+ char *nbdTLSpriority;
unsigned int remotePortMin;
unsigned int remotePortMax;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 95cca36fe1..de13d45066 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj)
qemuDomainChrSourcePrivateClearFDPass(priv);
g_free(priv->tlsCertPath);
+ g_free(priv->tlsPriority);
g_free(priv->tlsCredsAlias);
@@ -8684,6 +8685,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev,
if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) {
charpriv->tlsCertPath = g_strdup(data->cfg->chardevTLSx509certdir);
+ charpriv->tlsPriority = g_strdup(data->cfg->chardevTLSpriority);
charpriv->tlsVerify = data->cfg->chardevTLSx509verify;
}
}
@@ -8783,6 +8785,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src,
src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias);
src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir);
+ src->tlsPriority = g_strdup(cfg->nbdTLSpriority);
if (cfg->nbdTLSx509secretUUID) {
qemuDomainStorageSourcePrivate *srcpriv = qemuDomainStorageSourcePrivateFetch(src);
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 79bdc4e8fe..ac08babb92 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -381,6 +381,7 @@ struct _qemuDomainChrSourcePrivate {
char *tlsCertPath; /* path to certificates if TLS is requested */
bool tlsVerify; /* whether server should verify client certificates */
+ char *tlsPriority; /* optional GNUTLS priority string */
char *tlsCredsAlias; /* alias of the x509 tls credentials object */
};
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index ff09b58bfe..c6704cbebe 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1717,6 +1717,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps)
@@ -1730,7 +1731,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
secAlias = secinfo->alias;
}
- if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,
+ if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority,
alias, secAlias, tlsProps) < 0)
return -1;
@@ -1774,6 +1775,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver,
cfg->chardevTLSx509certdir,
dev->data.tcp.listen,
cfg->chardevTLSx509verify,
+ cfg->chardevTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
index 4fe7f4923e..5d32487047 100644
--- a/src/qemu/qemu_hotplug.h
+++ b/src/qemu/qemu_hotplug.h
@@ -38,6 +38,7 @@ int qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps);
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 98822012cc..3858cca907 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1143,6 +1143,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
if (qemuDomainGetTLSObjects(priv->migSecinfo,
cfg->migrateTLSx509certdir, tlsListen,
cfg->migrateTLSx509verify,
+ cfg->migrateTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 86b3844d2c..b916af35ee 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -5,12 +5,14 @@ module Test_libvirtd_qemu =
{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
{ "default_tls_x509_verify" = "1" }
{ "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "default_tls_priority" = "@SYSTEM" }
{ "vnc_listen" = "0.0.0.0" }
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
{ "vnc_tls_x509_verify" = "1" }
{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "vnc_tls_priority" = "@SYSTEM" }
{ "vnc_password" = "XYZ12345" }
{ "vnc_sasl" = "1" }
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
@@ -26,19 +28,23 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
{ "chardev_tls_x509_verify" = "1" }
{ "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "chardev_tls_priority" = "@SYSTEM" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "nbd_tls_priority" = "@SYSTEM" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "migrate_tls_priority" = "@SYSTEM" }
{ "migrate_tls_force" = "0" }
{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
{ "backup_tls_x509_verify" = "1" }
{ "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_priority" = "@SYSTEM" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
index 4ee9a0631b..77d38c3020 100644
--- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-boot strict=on \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args
index 11f8b3f4f0..3c3002dd4f 100644
--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args
+++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args
@@ -30,7 +30,7 @@ SASL_CONF_PATH=/etc/sasl2 \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-audiodev '{"id":"audio1","driver":"none"}' \
-object secret,id=vnc-tls-creds0-secret0,data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
--object tls-creds-x509,id=vnc-tls-creds0,dir=/etc/pki/libvirt-vnc,endpoint=server,verify-peer=on,passwordid=vnc-tls-creds0-secret0 \
+-object tls-creds-x509,id=vnc-tls-creds0,dir=/etc/pki/libvirt-vnc,endpoint=server,verify-peer=on,priority=@SYSTEM:-VERS-TLS1.3,passwordid=vnc-tls-creds0-secret0 \
-vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \
-device cirrus-vga,id=video0,bus=pci.0,addr=0x2 \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
index 50cc8532d1..32d7be1d3b 100644
--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-object '{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}' \
-vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \
-device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
index c227a04112..492d1be626 100644
--- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \
-device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \
-object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \
-device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \
-audiodev '{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 049ca630a8..ba19029d95 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1598,7 +1598,9 @@ mymain(void)
DO_TEST_CAPS_VER("disk-network-tlsx509-nbd", "5.2.0");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd");
DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0");
+ driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
+ VIR_FREE(driver.config->nbdTLSpriority);
DO_TEST_CAPS_LATEST("disk-network-http");
VIR_FREE(driver.config->nbdTLSx509secretUUID);
VIR_FREE(driver.config->vxhsTLSx509secretUUID);
@@ -1714,9 +1716,11 @@ mymain(void)
driver.config->vncTLS = 1;
driver.config->vncTLSx509verify = 1;
DO_TEST_CAPS_LATEST("graphics-vnc-tls");
+ driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
driver.config->vncTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
DO_TEST_CAPS_VER("graphics-vnc-tls-secret", "5.2.0");
DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret");
+ VIR_FREE(driver.config->vncTLSpriority);
VIR_FREE(driver.config->vncTLSx509secretUUID);
driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0;
DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless");
@@ -1865,7 +1869,9 @@ mymain(void)
driver.config->chardevTLSx509verify = 0;
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls");
driver.config->chardevTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
+ driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev");
+ VIR_FREE(driver.config->chardevTLSpriority);
VIR_FREE(driver.config->chardevTLSx509secretUUID);
driver.config->chardevTLS = 0;
DO_TEST_CAPS_LATEST("serial-many-chardev");
--
2.50.1

84
SOURCES/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch Normal file
View File

@ -0,0 +1,84 @@
From aab5d03bf61c67445ff9294dc872fe5c737c3c92 Mon Sep 17 00:00:00 2001
Message-ID: <aab5d03bf61c67445ff9294dc872fe5c737c3c92.1754419285.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:32:05 +0100
Subject: [PATCH] qemu: fix order of VNC TLS config entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For TLS config parameters, the 'verify' option always comes before the
'secret_uuid' option, except in the VNC case which has them reversed.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 845e1b5138f37dbf91e5b08b7d54d963a6ec0452)
Resolves: https://issues.redhat.com/browse/RHEL-106277
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/qemu/libvirtd_qemu.aug | 2 +-
src/qemu/qemu.conf.in | 12 ++++++------
src/qemu/test_libvirtd_qemu.aug.in | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 1377fd89cc..3f018f39a0 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -35,8 +35,8 @@ module Libvirtd_qemu =
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
| str_entry "vnc_tls_x509_cert_dir"
- | str_entry "vnc_tls_x509_secret_uuid"
| bool_entry "vnc_tls_x509_verify"
+ | str_entry "vnc_tls_x509_secret_uuid"
| str_entry "vnc_password"
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 89c9b6b913..3365834200 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -101,12 +101,6 @@
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
@@ -125,6 +119,12 @@
#vnc_tls_x509_verify = 1
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 69fdae215a..86b3844d2c 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -9,8 +9,8 @@ module Test_libvirtd_qemu =
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
-{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vnc_tls_x509_verify" = "1" }
+{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
{ "vnc_password" = "XYZ12345" }
{ "vnc_sasl" = "1" }
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
--
2.50.1

94
SOURCES/libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch Normal file
View File

@ -0,0 +1,94 @@
From bc9aaea59652adb0156b68e8cd198759c9eae5b3 Mon Sep 17 00:00:00 2001
Message-ID: <bc9aaea59652adb0156b68e8cd198759c9eae5b3.1754419286.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 11 Mar 2025 09:04:18 +0100
Subject: [PATCH] qemu: process: Remove un-updated 'qemuProcessStartWarnShmem'
The checks in qemuProcessStartWarnShmem are no longer current. Since
previous patch made it fatal for vhost-user interfaces to be configured
without shared memory this warning code can be deleted.
Resolves: https://issues.redhat.com/browse/RHEL-80533
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 080c7fd341619a3d1986a00265addaf45b63aacf)
https://issues.redhat.com/browse/RHEL-106504
---
src/qemu/qemu_process.c | 54 -----------------------------------------
1 file changed, 54 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 8bddb415ac..24d0049c43 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5427,56 +5427,6 @@ qemuProcessMakeDir(virQEMUDriver *driver,
}
-static void
-qemuProcessStartWarnShmem(virDomainObj *vm)
-{
- size_t i;
- bool check_shmem = false;
- bool shmem = vm->def->nshmems;
-
- /*
- * For vhost-user to work, the domain has to have some type of
- * shared memory configured. We're not the proper ones to judge
- * whether shared hugepages or shm are enough and will be in the
- * future, so we'll just warn in case neither is configured.
- * Moreover failing would give the false illusion that libvirt is
- * really checking that everything works before running the domain
- * and not only we are unable to do that, but it's also not our
- * aim to do so.
- */
- for (i = 0; i < vm->def->nnets; i++) {
- if (virDomainNetGetActualType(vm->def->nets[i]) ==
- VIR_DOMAIN_NET_TYPE_VHOSTUSER) {
- check_shmem = true;
- break;
- }
- }
-
- if (!check_shmem)
- return;
-
- /*
- * This check is by no means complete. We merely check
- * whether there are *some* hugepages enabled and *some* NUMA
- * nodes with shared memory access.
- */
- if (!shmem && vm->def->mem.nhugepages) {
- for (i = 0; i < virDomainNumaGetNodeCount(vm->def->numa); i++) {
- if (virDomainNumaGetNodeMemoryAccessMode(vm->def->numa, i) ==
- VIR_DOMAIN_MEMORY_ACCESS_SHARED) {
- shmem = true;
- break;
- }
- }
- }
-
- if (!shmem) {
- VIR_WARN("Detected vhost-user interface without any shared memory, "
- "the interface might not be operational");
- }
-}
-
-
static int
qemuProcessStartValidateGraphics(virDomainObj *vm)
{
@@ -5711,10 +5661,6 @@ qemuProcessStartValidate(virQEMUDriver *driver,
if (qemuProcessStartValidateTSC(driver, vm) < 0)
return -1;
- VIR_DEBUG("Checking for any possible (non-fatal) issues");
-
- qemuProcessStartWarnShmem(vm);
-
return 0;
}
--
2.50.1

326
SOURCES/libvirt-qemu-sanitize-blank-lines-in-config-file.patch Normal file
View File

@ -0,0 +1,326 @@
From 45c1847b67d0d2996a67e65a017e1ce51b682ecc Mon Sep 17 00:00:00 2001
Message-ID: <45c1847b67d0d2996a67e65a017e1ce51b682ecc.1754419285.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Jul 2025 16:30:52 +0100
Subject: [PATCH] qemu: sanitize blank lines in config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We mostly use 2 blank lines between config file entries to
improve readability. Fix where we don't do that.
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 0b9cfa791f2bd135ea36fe03fd1a8d6c8bf5e3d6)
Resolves: https://issues.redhat.com/browse/RHEL-106277
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/qemu/qemu.conf.in | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 3365834200..988d176a28 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -48,7 +48,7 @@
#
#default_tls_x509_verify = 1
-#
+
# Libvirt assumes the server-key.pem file is unencrypted by default.
# To use an encrypted server-key.pem file, the password to decrypt
# the PEM file is required. This can be provided by creating a secret
@@ -71,6 +71,7 @@
#
#vnc_listen = "0.0.0.0"
+
# Enable this option to have VNC served over an automatically created
# unix socket. This prevents unprivileged access from users on the
# host machine, though most VNC clients do not support it.
@@ -81,6 +82,7 @@
#
#vnc_auto_unix_socket = 1
+
# Enable use of TLS encryption on the VNC server. This requires
# a VNC client which supports the VeNCrypt protocol extension.
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
@@ -222,6 +224,7 @@
#
#spice_sasl = 1
+
# The default SASL configuration file is located in /etc/sasl2/
# When running libvirtd unprivileged, it may be desirable to
# override the configs in this location. Set this parameter to
@@ -229,6 +232,7 @@
#
#spice_sasl_dir = "/some/directory/sasl2"
+
# Enable use of TLS encryption on the chardev TCP transports.
#
# It is necessary to setup CA and issue a server certificate
@@ -468,6 +472,7 @@
#remote_display_port_min = 5900
#remote_display_port_max = 65535
+
# VNC WebSocket port policies, same rules apply as with remote display
# ports. VNC WebSockets use similar display <-> port mappings, with
# the exception being that ports start from 5700 instead of 5900.
@@ -475,6 +480,7 @@
#remote_websocket_port_min = 5700
#remote_websocket_port_max = 65535
+
# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
# itself. If you wish to disable QEMU SELinux security driver while
@@ -492,15 +498,18 @@
#
#security_driver = "selinux"
+
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
# will be unconfined by default. Defaults to 1.
#security_default_confined = 1
+
# If set to non-zero, then attempts to create unconfined
# guests will be blocked. Defaults to 0.
#security_require_confined = 1
+
# The user for QEMU processes run by the system instance. It can be
# specified as a user name or as a user id. The qemu driver will try to
# parse this value first as a name and then, if the name doesn't exist,
@@ -518,20 +527,24 @@
#
#user = "@QEMU_USER@"
+
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "@QEMU_GROUP@"
+
# Whether libvirt should dynamically change file ownership
# to match the configured user/group above. Defaults to 1.
# Set to 0 to disable file ownership changes.
#dynamic_ownership = 1
+
# Whether libvirt should remember and restore the original
# ownership over files it is relabeling. Defaults to 1, set
# to 0 to disable the feature.
#remember_owner = 1
+
# What cgroup controllers to make use of with QEMU guests
#
# - 'cpu' - use for scheduler tunables
@@ -553,6 +566,7 @@
#
#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
# This is the basic set of devices allowed / required by
# all virtual machines.
#
@@ -612,12 +626,14 @@
#dump_image_format = "raw"
#snapshot_image_format = "raw"
+
# When a domain is configured to be auto-dumped when libvirtd receives a
# watchdog event from qemu guest, libvirtd will save dump files in directory
# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
#
#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
# When a domain is configured to be auto-dumped, enabling this flag
# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
# virDomainCoreDump API. That is, the system will avoid using the
@@ -626,6 +642,7 @@
#
#auto_dump_bypass_cache = 0
+
# When a domain is configured to be auto-started, enabling this flag
# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
# with the virDomainCreateWithFlags API. That is, the system will
@@ -634,6 +651,7 @@
#
#auto_start_bypass_cache = 0
+
# If provided by the host and a hugetlbfs mount point is configured,
# a guest may request huge page backing. When this mount point is
# unspecified here, determination of a host mount point in /proc/mounts
@@ -682,6 +700,7 @@
#max_processes = 0
#max_files = 0
+
# If max_threads_per_process is set to a positive integer, libvirt
# will use it to set the maximum number of threads that can be
# created by a qemu process. Some VM configurations can result in
@@ -692,6 +711,7 @@
#
#max_threads_per_process = 0
+
# If max_core is set to a non-zero integer, then QEMU will be
# permitted to create core dumps when it crashes, provided its
# RAM size is smaller than the limit set.
@@ -716,6 +736,7 @@
#
#max_core = "unlimited"
+
# Determine if guest RAM is included in QEMU core dumps. By
# default guest RAM will be excluded if a new enough QEMU is
# present and host kernel supports it. Setting this to '1' will
@@ -726,6 +747,7 @@
#
#dump_guest_core = 1
+
# mac_filter enables MAC addressed based filtering on bridge ports.
# This currently requires ebtables to be installed.
#
@@ -755,6 +777,7 @@
#
#max_queued = 0
+
###################################################################
# Keepalive protocol:
# This allows qemu driver to detect broken connections to remote
@@ -778,7 +801,6 @@
#keepalive_count = 5
-
# Use seccomp syscall filtering sandbox in QEMU.
# 1 == filter enabled, 0 == filter disabled
#
@@ -813,7 +835,6 @@
#migration_port_max = 49215
-
# Timestamp QEMU's log messages (if QEMU supports it)
#
# Defaults to 1.
@@ -853,6 +874,7 @@
# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
#]
+
# The backend to use for handling stdout/stderr output from
# QEMU processes.
#
@@ -868,6 +890,7 @@
#
#stdio_handler = "logd"
+
# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
# most verbose, and 0 representing no debugging output.
#
@@ -888,6 +911,7 @@
#
#gluster_debug_level = 9
+
# virtiofsd debug
#
# Whether to enable the debugging output of the virtiofsd daemon.
@@ -895,6 +919,7 @@
#
#virtiofsd_debug = 1
+
# To enhance security, QEMU driver is capable of creating private namespaces
# for each domain started. Well, so far only "mount" namespace is supported. If
# enabled it means qemu process is unable to see all the devices on the system,
@@ -903,24 +928,29 @@
# by default.
#namespaces = [ "mount" ]
+
# This directory is used for memoryBacking source if configured as file.
# NOTE: big files will be stored here
#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
# Path to the SCSI persistent reservations helper. This helper is
# used whenever <reservations/> are enabled for SCSI LUN devices.
# If this is not an absolute path, the program will be searched for
# in $PATH as well as a few additional directories.
#pr_helper = "qemu-pr-helper"
+
# Path to the SLIRP networking helper.
#slirp_helper = "/usr/bin/slirp-helper"
+
# Path to the dbus-daemon
# If this is not an absolute path, the program will be searched for
# in $PATH.
#dbus_daemon = "dbus-daemon"
+
# User for the swtpm TPM Emulator
#
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
@@ -929,6 +959,7 @@
#swtpm_user = "tss"
#swtpm_group = "tss"
+
# For debugging and testing purposes it's sometimes useful to be able to disable
# libvirt behaviour based on the capabilities of the qemu process. This option
# allows to do so. DO _NOT_ use in production and beaware that the behaviour
@@ -936,6 +967,7 @@
#
#capability_filters = [ "capname" ]
+
# 'deprecation_behavior' setting controls how the qemu process behaves towards
# deprecated commands and arguments used by libvirt.
#
@@ -967,6 +999,7 @@
#
#deprecation_behavior = "none"
+
# If this is set then QEMU and its threads will run in a separate scheduling
# group meaning no other process will share Hyper Threads of a single core with
# QEMU. Each QEMU has its own group.
@@ -983,6 +1016,7 @@
# scheduling group
#sched_core = "none"
+
# Using nbdkit to access remote disk sources
#
# If this is set then libvirt will use nbdkit to access remote disk sources
@@ -994,6 +1028,7 @@
#
#storage_use_nbdkit = @USE_NBDKIT_DEFAULT@
+
# libvirt will normally prevent migration if the storage backing the VM is not
# on a shared filesystems. Sometimes, however, the storage *is* shared despite
# not being detected as such: for example, this is the case when one of the
--
2.50.1

62
SOURCES/libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch Normal file
View File

@ -0,0 +1,62 @@
From 3c84583ea0d1d1d4e1ca7c0dd228c60538b8270a Mon Sep 17 00:00:00 2001
Message-ID: <3c84583ea0d1d1d4e1ca7c0dd228c60538b8270a.1754419286.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 11 Mar 2025 09:01:12 +0100
Subject: [PATCH] qemuValidateDomainDeviceDefNetwork: Require shared memory for
all vhost-user interfaces
Currently we produce only a warning into the log if a non-passt
vhost-user interface is configured with shared memory.
Since we do make it fatal with all other vhost-user types, fix the check
to trigger also for normal-vhost-user interfaces.
Since passt-based vhost-user interfaces are checked separately the check
will no longer be required.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 0d20632179e1a61903f30986215bef53b0f912f6)
https://issues.redhat.com/browse/RHEL-106504
---
src/qemu/qemu_validate.c | 9 +++------
.../net-vhostuser-passt-no-shmem.x86_64-latest.err | 2 +-
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 289a3f94cc..3572dd70cb 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1805,12 +1805,6 @@ qemuValidateDomainDeviceDefNetwork(const virDomainNetDef *net,
return -1;
}
- if (net->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
- net->backend.type == VIR_DOMAIN_NET_BACKEND_PASST) {
- if (qemuValidateDomainDefVhostUserRequireSharedMemory(def, "interface type=\"vhostuser\" backend type=\"passt\"") < 0)
- return -1;
- }
-
if (net->type == VIR_DOMAIN_NET_TYPE_VDPA) {
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NETDEV_VHOST_VDPA)) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
@@ -1834,6 +1828,9 @@ qemuValidateDomainDeviceDefNetwork(const virDomainNetDef *net,
_("'reconnect' attribute is not supported when source mode='server' for <interface type='vhostuser'>"));
return -1;
}
+
+ if (qemuValidateDomainDefVhostUserRequireSharedMemory(def, "interface") < 0)
+ return -1;
}
if (!virDomainNetIsVirtioModel(net)) {
diff --git a/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err b/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
index 274af5c722..babde17518 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
+++ b/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
@@ -1 +1 @@
-unsupported configuration: 'interface type="vhostuser" backend type="passt"' requires shared memory
+unsupported configuration: 'interface' requires shared memory
--
2.50.1

144
SOURCES/libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch Normal file
View File

@ -0,0 +1,144 @@
From 4b43cc2ee96aefe625ca2f377cab56132b15b84f Mon Sep 17 00:00:00 2001
Message-ID: <4b43cc2ee96aefe625ca2f377cab56132b15b84f.1754419286.git.jdenemar@redhat.com>
From: Peter Krempa <pkrempa@redhat.com>
Date: Tue, 11 Mar 2025 09:01:03 +0100
Subject: [PATCH] qemuxmlconftest: Include shared memory 'net-vhostuser' test
cases
The vhost-user protocol requires shared memory support to work properly.
Our test XMLs didn't have it configured as for interface the check if
shared memory is present only produces a warning instead of a proper
error.
Upcoming patches will be moving the check to become fatal so the test
cases need to be fixed first.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 779a975355dcb34898abaefdf8968c214a66ebf1)
https://issues.redhat.com/browse/RHEL-106504
---
tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml | 3 +++
tests/qemuxmlconfdata/net-vhostuser-fail.xml | 3 +++
tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args | 2 +-
tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml | 3 +++
tests/qemuxmlconfdata/net-vhostuser-multiq.xml | 3 +++
tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args | 2 +-
tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml | 3 +++
tests/qemuxmlconfdata/net-vhostuser.xml | 3 +++
8 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
index 60e591001d..ce1ebf9462 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
diff --git a/tests/qemuxmlconfdata/net-vhostuser-fail.xml b/tests/qemuxmlconfdata/net-vhostuser-fail.xml
index d50589af6f..b6b0b977d5 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-fail.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-fail.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
index 922758a034..4ea3d4eebd 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
@@ -14,7 +14,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-accel tcg \
-cpu qemu64 \
-m size=219136k \
--object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-object '{"qom-type":"memory-backend-file","id":"pc.ram","mem-path":"/var/lib/libvirt/qemu/ram/-1-QEMUGuest1/pc.ram","share":true,"x-use-canonical-path-for-ramblock-id":false,"size":224395264}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
index 5c2cf70a4b..93524c2864 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.xml b/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
index ed492ea41a..fa324c9d17 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
diff --git a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
index bc1de8c8ed..f5925c77fe 100644
--- a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
@@ -14,7 +14,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-accel tcg \
-cpu qemu64 \
-m size=219136k \
--object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
+-object '{"qom-type":"memory-backend-file","id":"pc.ram","mem-path":"/var/lib/libvirt/qemu/ram/-1-QEMUGuest1/pc.ram","share":true,"x-use-canonical-path-for-ramblock-id":false,"size":224395264}' \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
diff --git a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
index c77d46147e..44bebef2c8 100644
--- a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
diff --git a/tests/qemuxmlconfdata/net-vhostuser.xml b/tests/qemuxmlconfdata/net-vhostuser.xml
index e55a30a54f..91d1abc027 100644
--- a/tests/qemuxmlconfdata/net-vhostuser.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser.xml
@@ -3,6 +3,9 @@
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
<memory unit='KiB'>219136</memory>
<currentMemory unit='KiB'>219136</currentMemory>
+ <memoryBacking>
+ <access mode='shared'/>
+ </memoryBacking>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
--
2.50.1

18
SPECS/libvirt.spec
View File

@ -293,7 +293,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 10.10.0
Release: 7.6%{?dist}%{?extra_release}.alma.1
Release: 7.7%{?dist}%{?extra_release}.alma.1
License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
URL: https://libvirt.org/
@ -410,6 +410,12 @@ Patch106: libvirt-virsh-add-disable-deprecated-features-flag-to-domcapabilities.
Patch107: libvirt-conf-add-deprecated_features-attribute.patch
Patch108: libvirt-qemuPrepareNVRAMFile-Fix-NVRAM-image-conversion-check.patch
Patch109: libvirt-esx-Allow-specifying-different-CA-bundle-for-remote-connections.patch
Patch110: libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch
Patch111: libvirt-qemu-sanitize-blank-lines-in-config-file.patch
Patch112: libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
Patch113: libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch
Patch114: libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch
Patch115: libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch
Requires: libvirt-daemon = %{version}-%{release}
@ -2735,9 +2741,17 @@ exit 0
%endif
%changelog
* Thu Aug 07 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.10.0-7.6.alma.1
* Wed Sep 17 2025 Eduard Abdullin <eabdullin@almalinux.org> - 10.10.0-7.7.alma.1
- Enable building for ppc64le
* Tue Aug 5 2025 Jiri Denemark <jdenemar@redhat.com> - 10.10.0-7.7.el9_6
- qemu: fix order of VNC TLS config entries (RHEL-106277)
- qemu: sanitize blank lines in config file (RHEL-106277)
- qemu: add ability to set TLS priority string with QEMU (RHEL-106277)
- qemuxmlconftest: Include shared memory 'net-vhostuser' test cases (RHEL-106504)
- qemuValidateDomainDeviceDefNetwork: Require shared memory for all vhost-user interfaces (RHEL-106504)
- qemu: process: Remove un-updated 'qemuProcessStartWarnShmem' (RHEL-106504)
* Fri Jul 18 2025 Jiri Denemark <jdenemar@redhat.com> - 10.10.0-7.6.el9_6
- esx: Allow specifying different CA bundle for remote connections (RHEL-98292)