diff --git a/SOURCES/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch b/SOURCES/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
new file mode 100644
index 0000000..bdc8a7c
--- /dev/null
+++ b/SOURCES/libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch
@@ -0,0 +1,690 @@ +From d9935026fcc24f52bf9672962c331b91c002e38a Mon Sep 17 00:00:00 2001 +Message-ID: +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 16 Jul 2025 16:40:01 +0100 +Subject: [PATCH] qemu: add ability to set TLS priority string with QEMU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +QEMU will either use the GNUTLS default priority string of "NORMAL", +or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to +a configuration in /etc/crypto-policies/back-ends/gnutls.config. + +The latter gives the sysadmin the ability to change the priority +string used for GNUTLS at deployment time, either system side, or +exclusively for QEMU, avoiding the hardcoded GNUTLS defaults. + +There are still some limitations to this: + + * Priorities cannot be set for different areas of QEMU + functionality (migration, vnc, nbd, etc) + + * Priorities are fixed at the time when QEMU first + triggers GNUTLS to load its config file, often + immediately at startup. + +We recently uncovered a QEMU bug that causes crashes in live +migration with TLS-1.3, where the easiest workaround is to +change the TLS priorities. We can't change this on the running +QEMU, but fortunately it is possible to change it on the target +QEMU and the TLS handshake will make it take effect on both +src and dst. + +The problem is, while fixing the immediate incoming and outgoing +live migration problems, the workaround will apply to everything +else that QEMU does for the rest of the time that process exists. + +We want to make it possible to set the TLS priorities only for +the current migrations, such that if the target QEMU has a fixed +GNUTLS, it will not have its TLS priorities hobbled for the next +live migration. + +To achieve this we need libvirt to be able to (optionally) set +the TLS priority string with QEMU. 
While live migration is the +most pressing need, the new qemu.conf parameters are wired up +for every subsystem for greater selectivity in future. + +With this we can activate the GNUTLS workaround for running +QEMU processes by editting qemu.conf and restarting virtqemud, +and later undo this the same way. + +Reviewed-by: Peter Krempa +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 14e41ac9f365b148e69088c5ffeb565a0f9ba326) +- Added dummy vxhsTLSpriority field and adapted old test data files + +Resolves: https://issues.redhat.com/browse/RHEL-106277 +Signed-off-by: Daniel P. Berrangé +--- + src/conf/storage_source_conf.c | 2 + + src/conf/storage_source_conf.h | 1 + + src/qemu/libvirtd_qemu.aug | 6 +++ + src/qemu/qemu.conf.in | 37 +++++++++++++++++++ + src/qemu/qemu_backup.c | 5 ++- + src/qemu/qemu_blockjob.c | 1 + + src/qemu/qemu_command.c | 15 ++++++-- + src/qemu/qemu_command.h | 1 + + src/qemu/qemu_conf.c | 22 +++++++++++ + src/qemu/qemu_conf.h | 8 ++++ + src/qemu/qemu_domain.c | 3 ++ + src/qemu/qemu_domain.h | 1 + + src/qemu/qemu_hotplug.c | 4 +- + src/qemu/qemu_hotplug.h | 1 + + src/qemu/qemu_migration_params.c | 1 + + src/qemu/test_libvirtd_qemu.aug.in | 6 +++ + ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +- + .../graphics-vnc-tls-secret.x86_64-5.2.0.args | 2 +- + ...graphics-vnc-tls-secret.x86_64-latest.args | 2 +- + ...-tlsx509-secret-chardev.x86_64-latest.args | 2 +- + tests/qemuxmlconftest.c | 6 +++ + 21 files changed, 117 insertions(+), 11 deletions(-) + +diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c +index ca956a1b7c..dc6e6bde32 100644 +--- a/src/conf/storage_source_conf.c ++++ b/src/conf/storage_source_conf.c +@@ -838,6 +838,7 @@ virStorageSourceCopy(const virStorageSource *src, + def->compat = g_strdup(src->compat); + def->tlsAlias = g_strdup(src->tlsAlias); + def->tlsCertdir = g_strdup(src->tlsCertdir); ++ def->tlsPriority = g_strdup(src->tlsPriority); + def->tlsHostname = g_strdup(src->tlsHostname); 
+ def->query = g_strdup(src->query); + def->vdpadev = g_strdup(src->vdpadev); +@@ -1191,6 +1192,7 @@ virStorageSourceClear(virStorageSource *def) + + VIR_FREE(def->tlsAlias); + VIR_FREE(def->tlsCertdir); ++ VIR_FREE(def->tlsPriority); + VIR_FREE(def->tlsHostname); + + VIR_FREE(def->ssh_user); +diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h +index e6cbb93c06..760b60bd40 100644 +--- a/src/conf/storage_source_conf.h ++++ b/src/conf/storage_source_conf.h +@@ -392,6 +392,7 @@ struct _virStorageSource { + * certificate directory with listen and verify bools. */ + char *tlsAlias; + char *tlsCertdir; ++ char *tlsPriority; + + /* TLS hostname override */ + char *tlsHostname; +diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug +index 3f018f39a0..711806b2a8 100644 +--- a/src/qemu/libvirtd_qemu.aug ++++ b/src/qemu/libvirtd_qemu.aug +@@ -30,6 +30,7 @@ module Libvirtd_qemu = + let default_tls_entry = str_entry "default_tls_x509_cert_dir" + | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_x509_secret_uuid" ++ | str_entry "default_tls_priority" + + let vnc_entry = str_entry "vnc_listen" + | bool_entry "vnc_auto_unix_socket" +@@ -37,6 +38,7 @@ module Libvirtd_qemu = + | str_entry "vnc_tls_x509_cert_dir" + | bool_entry "vnc_tls_x509_verify" + | str_entry "vnc_tls_x509_secret_uuid" ++ | str_entry "vnc_tls_priority" + | str_entry "vnc_password" + | bool_entry "vnc_sasl" + | str_entry "vnc_sasl_dir" +@@ -54,15 +56,18 @@ module Libvirtd_qemu = + | str_entry "chardev_tls_x509_cert_dir" + | bool_entry "chardev_tls_x509_verify" + | str_entry "chardev_tls_x509_secret_uuid" ++ | str_entry "chardev_tls_priority" + + let migrate_entry = str_entry "migrate_tls_x509_cert_dir" + | bool_entry "migrate_tls_x509_verify" + | str_entry "migrate_tls_x509_secret_uuid" ++ | str_entry "migrate_tls_priority" + | bool_entry "migrate_tls_force" + + let backup_entry = str_entry "backup_tls_x509_cert_dir" + | bool_entry "backup_tls_x509_verify" + 
| str_entry "backup_tls_x509_secret_uuid" ++ | str_entry "backup_tls_priority" + + let vxhs_entry = bool_entry "vxhs_tls" + | str_entry "vxhs_tls_x509_cert_dir" +@@ -71,6 +76,7 @@ module Libvirtd_qemu = + let nbd_entry = bool_entry "nbd_tls" + | str_entry "nbd_tls_x509_cert_dir" + | str_entry "nbd_tls_x509_secret_uuid" ++ | str_entry "nbd_tls_priority" + + let nogfx_entry = bool_entry "nographics_allow_host_audio" + +diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in +index 988d176a28..8bf18d06b2 100644 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -62,6 +62,18 @@ + #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Libvirt allows QEMU to use its built-in TLS priority by default, ++# however, this allows overriding it at runtime. This is especially ++# useful if TLS priority needs to be changed for an operation run ++# against an existing running QEMU. ++# ++# This must be a valid GNUTLS priority string: ++# ++# https://gnutls.org/manual/html_node/Priority-Strings.html ++# ++#default_tls_priority = "@SYSTEM" ++ ++ + # VNC is configured to listen on 127.0.0.1 by default. + # To make it listen on all public interfaces, uncomment + # this next option. +@@ -127,6 +139,11 @@ + #vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for VNC ++# ++#vnc_tls_priority = "@SYSTEM" ++ ++ + # The default VNC password. Only 8 bytes are significant for + # VNC passwords. This parameter is only used if the per-domain + # XML config does not already provide a password. To allow +@@ -278,6 +295,11 @@ + #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for character devices ++# ++#chardev_tls_priority = "@SYSTEM" ++ ++ + # Enable use of TLS encryption for all VxHS network block devices that + # don't specifically disable. 
+ # +@@ -366,6 +388,11 @@ + #nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for NBD ++# ++#nbd_tls_priority = "@SYSTEM" ++ ++ + # In order to override the default TLS certificate location for migration + # certificates, supply a valid path to the certificate directory. If the + # provided path does not exist, libvirtd will fail to start. If the path is +@@ -405,6 +432,11 @@ + #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for live migration ++# ++#migrate_tls_priority = "@SYSTEM" ++ ++ + # By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested + # automatically. Setting 'migate_tls_force' to "1" will prevent any migration + # which is not using VIR_MIGRATE_TLS to ensure higher level of security in +@@ -450,6 +482,11 @@ + #backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + ++# Override QEMU default GNUTLS priority string for NBD backups ++# ++#backup_tls_priority = "@SYSTEM" ++ ++ + # By default, if no graphical front end is configured, libvirt will disable + # QEMU audio output since directly talking to alsa/pulseaudio may not work + # with various security settings. 
If you know what you're doing, enable +diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c +index f64639d501..d416f0f0c7 100644 +--- a/src/qemu/qemu_backup.c ++++ b/src/qemu/qemu_backup.c +@@ -725,8 +725,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, + } + + if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true, +- cfg->backupTLSx509verify, tlsObjAlias, +- tlsKeySecretAlias, ++ cfg->backupTLSx509verify, ++ cfg->backupTLSpriority, ++ tlsObjAlias, tlsKeySecretAlias, + tlsProps) < 0) + return -1; + +diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c +index 4e77543fa8..4d94703807 100644 +--- a/src/qemu/qemu_blockjob.c ++++ b/src/qemu/qemu_blockjob.c +@@ -623,6 +623,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src) + VIR_FREE(src->nodenameformat); + VIR_FREE(src->tlsAlias); + VIR_FREE(src->tlsCertdir); ++ VIR_FREE(src->tlsPriority); + } + + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 24dac0ce0f..a2cf974e75 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -1229,6 +1229,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd, + * @tlspath: path to the TLS credentials + * @listen: boolean listen for client or server setting + * @verifypeer: boolean to enable peer verification (form of authorization) ++ * @priority: GNUTLS priority string override (optional) + * @alias: alias for the TLS credentials object + * @secalias: if one exists, the alias of the security object for passwordid + * @propsret: json properties to return +@@ -1241,6 +1242,7 @@ int + qemuBuildTLSx509BackendProps(const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *alias, + const char *secalias, + virJSONValue **propsret) +@@ -1249,6 +1251,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + "s:dir", tlspath, + "s:endpoint", (isListen ? "server": "client"), + "b:verify-peer", (isListen ? 
verifypeer : true), ++ "S:priority", priority, + "S:passwordid", secalias, + NULL) < 0) + return -1; +@@ -1262,6 +1265,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + * @tlspath: path to the TLS credentials + * @listen: boolean listen for client or server setting + * @verifypeer: boolean to enable peer verification (form of authorization) ++ * @priority: GNUTLS priority string override (optional) + * @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private key + * (optional) + * @alias: TLS object alias +@@ -1276,14 +1280,15 @@ qemuBuildTLSx509CommandLine(virCommand *cmd, + const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *certEncSecretAlias, + const char *alias, + virQEMUCaps *qemuCaps) + { + g_autoptr(virJSONValue) props = NULL; + +- if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias, +- certEncSecretAlias, &props) < 0) ++ if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority, ++ alias, certEncSecretAlias, &props) < 0) + return -1; + + if (qemuBuildObjectCommandlineFromJSON(cmd, props, qemuCaps) < 0) +@@ -1326,6 +1331,7 @@ qemuBuildChardevCommand(virCommand *cmd, + if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath, + dev->data.tcp.listen, + chrSourcePriv->tlsVerify, ++ chrSourcePriv->tlsPriority, + tlsCertEncSecAlias, + objalias, qemuCaps) < 0) { + return -1; +@@ -8082,6 +8088,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg, + cfg->vncTLSx509certdir, + true, + cfg->vncTLSx509verify, ++ cfg->vncTLSpriority, + secretAlias, + gfxPriv->tlsAlias, + qemuCaps) < 0) +@@ -10933,8 +10940,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src, + } + + if (src->haveTLS == VIR_TRISTATE_BOOL_YES && +- qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias, +- tlsKeySecretAlias, &data->tlsProps) < 0) ++ qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsPriority, ++ src->tlsAlias, 
tlsKeySecretAlias, &data->tlsProps) < 0) + return -1; + + return 0; +diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h +index 76c514b5f7..948a633668 100644 +--- a/src/qemu/qemu_command.h ++++ b/src/qemu/qemu_command.h +@@ -62,6 +62,7 @@ int qemuBuildSecretInfoProps(qemuDomainSecretInfo *secinfo, + int qemuBuildTLSx509BackendProps(const char *tlspath, + bool isListen, + bool verifypeer, ++ const char *priority, + const char *alias, + const char *secalias, + virJSONValue **propsret); +diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c +index 7c15c521c7..93e1f7938b 100644 +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -422,6 +422,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg, + if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", + &cfg->defaultTLSx509secretUUID) < 0) + return -1; ++ if (virConfGetValueString(conf, "default_tls_priority", ++ &cfg->defaultTLSpriority) < 0) ++ return -1; + + return 0; + } +@@ -521,6 +524,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg, + #val "_tls_x509_secret_uuid", \ + &cfg->val## TLSx509secretUUID) < 0) \ + return -1; \ ++ if ((rv = virConfGetValueString(conf, #val "_tls_priority", \ ++ &cfg->val## TLSpriority)) < 0) \ ++ return -1; \ + } while (0) + + #define GET_CONFIG_TLS_CERTINFO_SERVER(val) \ +@@ -1305,6 +1311,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg) + + #undef SET_TLS_SECRET_UUID_DEFAULT + ++#define SET_TLS_PRIORITY_DEFAULT(val) \ ++ do { \ ++ if (!cfg->val## TLSpriority && \ ++ cfg->defaultTLSpriority) { \ ++ cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \ ++ } \ ++ } while (0) ++ ++ SET_TLS_PRIORITY_DEFAULT(vnc); ++ SET_TLS_PRIORITY_DEFAULT(chardev); ++ SET_TLS_PRIORITY_DEFAULT(migrate); ++ SET_TLS_PRIORITY_DEFAULT(backup); ++ SET_TLS_PRIORITY_DEFAULT(nbd); ++ ++#undef SET_TLS_PRIORITY_DEFAULT ++ + /* + * If a "SYSCONFDIR" + "pki/libvirt-" exists, then assume someone + * has created a val specific area 
to place service specific certificates. +diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h +index 42cdb6f883..b650f52262 100644 +--- a/src/qemu/qemu_conf.h ++++ b/src/qemu/qemu_conf.h +@@ -115,6 +115,7 @@ struct _virQEMUDriverConfig { + bool defaultTLSx509verify; + bool defaultTLSx509verifyPresent; + char *defaultTLSx509secretUUID; ++ char *defaultTLSpriority; + + bool vncAutoUnixSocket; + bool vncTLS; +@@ -123,6 +124,7 @@ struct _virQEMUDriverConfig { + bool vncSASL; + char *vncTLSx509certdir; + char *vncTLSx509secretUUID; ++ char *vncTLSpriority; + char *vncListen; + char *vncPassword; + char *vncSASLdir; +@@ -140,25 +142,31 @@ struct _virQEMUDriverConfig { + bool chardevTLSx509verify; + bool chardevTLSx509verifyPresent; + char *chardevTLSx509secretUUID; ++ char *chardevTLSpriority; + + char *migrateTLSx509certdir; + bool migrateTLSx509verify; + bool migrateTLSx509verifyPresent; + char *migrateTLSx509secretUUID; ++ char *migrateTLSpriority; + bool migrateTLSForce; + + char *backupTLSx509certdir; + bool backupTLSx509verify; + bool backupTLSx509verifyPresent; + char *backupTLSx509secretUUID; ++ char *backupTLSpriority; + + bool vxhsTLS; + char *vxhsTLSx509certdir; + char *vxhsTLSx509secretUUID; ++ char *vxhsTLSpriority; /* unused / dummy field to keep ++ * GET_CONFIG_TLS_CERTINFO_COMMON happy */ + + bool nbdTLS; + char *nbdTLSx509certdir; + char *nbdTLSx509secretUUID; ++ char *nbdTLSpriority; + + unsigned int remotePortMin; + unsigned int remotePortMax; +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index 95cca36fe1..de13d45066 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj) + qemuDomainChrSourcePrivateClearFDPass(priv); + + g_free(priv->tlsCertPath); ++ g_free(priv->tlsPriority); + + g_free(priv->tlsCredsAlias); + +@@ -8684,6 +8685,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev, + + if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) { + 
charpriv->tlsCertPath = g_strdup(data->cfg->chardevTLSx509certdir); ++ charpriv->tlsPriority = g_strdup(data->cfg->chardevTLSpriority); + charpriv->tlsVerify = data->cfg->chardevTLSx509verify; + } + } +@@ -8783,6 +8785,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src, + + src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir); ++ src->tlsPriority = g_strdup(cfg->nbdTLSpriority); + + if (cfg->nbdTLSx509secretUUID) { + qemuDomainStorageSourcePrivate *srcpriv = qemuDomainStorageSourcePrivateFetch(src); +diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h +index 79bdc4e8fe..ac08babb92 100644 +--- a/src/qemu/qemu_domain.h ++++ b/src/qemu/qemu_domain.h +@@ -381,6 +381,7 @@ struct _qemuDomainChrSourcePrivate { + + char *tlsCertPath; /* path to certificates if TLS is requested */ + bool tlsVerify; /* whether server should verify client certificates */ ++ char *tlsPriority; /* optional GNUTLS priority string */ + + char *tlsCredsAlias; /* alias of the x509 tls credentials object */ + }; +diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c +index ff09b58bfe..c6704cbebe 100644 +--- a/src/qemu/qemu_hotplug.c ++++ b/src/qemu/qemu_hotplug.c +@@ -1717,6 +1717,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, ++ const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) +@@ -1730,7 +1731,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + secAlias = secinfo->alias; + } + +- if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, ++ if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority, + alias, secAlias, tlsProps) < 0) + return -1; + +@@ -1774,6 +1775,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, ++ cfg->chardevTLSpriority, + *tlsAlias, 
&tlsProps, &secProps) < 0) + return -1; + +diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h +index 4fe7f4923e..5d32487047 100644 +--- a/src/qemu/qemu_hotplug.h ++++ b/src/qemu/qemu_hotplug.h +@@ -38,6 +38,7 @@ int qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, ++ const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); +diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c +index 98822012cc..3858cca907 100644 +--- a/src/qemu/qemu_migration_params.c ++++ b/src/qemu/qemu_migration_params.c +@@ -1143,6 +1143,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, + if (qemuDomainGetTLSObjects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, ++ cfg->migrateTLSpriority, + *tlsAlias, &tlsProps, &secProps) < 0) + return -1; + +diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in +index 86b3844d2c..b916af35ee 100644 +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -5,12 +5,14 @@ module Test_libvirtd_qemu = + { "default_tls_x509_cert_dir" = "/etc/pki/qemu" } + { "default_tls_x509_verify" = "1" } + { "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "default_tls_priority" = "@SYSTEM" } + { "vnc_listen" = "0.0.0.0" } + { "vnc_auto_unix_socket" = "1" } + { "vnc_tls" = "1" } + { "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" } + { "vnc_tls_x509_verify" = "1" } + { "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "vnc_tls_priority" = "@SYSTEM" } + { "vnc_password" = "XYZ12345" } + { "vnc_sasl" = "1" } + { "vnc_sasl_dir" = "/some/directory/sasl2" } +@@ -26,19 +28,23 @@ module Test_libvirtd_qemu = + { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" } + { "chardev_tls_x509_verify" = "1" } + { "chardev_tls_x509_secret_uuid" = 
"00000000-0000-0000-0000-000000000000" } ++{ "chardev_tls_priority" = "@SYSTEM" } + { "vxhs_tls" = "1" } + { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" } + { "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "nbd_tls" = "1" } + { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" } + { "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "nbd_tls_priority" = "@SYSTEM" } + { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" } + { "migrate_tls_x509_verify" = "1" } + { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "migrate_tls_priority" = "@SYSTEM" } + { "migrate_tls_force" = "0" } + { "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" } + { "backup_tls_x509_verify" = "1" } + { "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } ++{ "backup_tls_priority" = "@SYSTEM" } + { "nographics_allow_host_audio" = "1" } + { "remote_display_port_min" = "5900" } + { "remote_display_port_max" = "65535" } +diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args +index 4ee9a0631b..77d38c3020 100644 +--- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args +@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ + -boot strict=on \ + -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ + -object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ 
++-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ + -blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ + -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ +diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args +index 11f8b3f4f0..3c3002dd4f 100644 +--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args ++++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-5.2.0.args +@@ -30,7 +30,7 @@ SASL_CONF_PATH=/etc/sasl2 \ + -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ + -audiodev '{"id":"audio1","driver":"none"}' \ + -object secret,id=vnc-tls-creds0-secret0,data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +--object tls-creds-x509,id=vnc-tls-creds0,dir=/etc/pki/libvirt-vnc,endpoint=server,verify-peer=on,passwordid=vnc-tls-creds0-secret0 \ ++-object tls-creds-x509,id=vnc-tls-creds0,dir=/etc/pki/libvirt-vnc,endpoint=server,verify-peer=on,priority=@SYSTEM:-VERS-TLS1.3,passwordid=vnc-tls-creds0-secret0 \ + -vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \ + -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 \ + -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args +index 
50cc8532d1..32d7be1d3b 100644 +--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args +@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \ + -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ + -object '{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}' \ ++-object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}' \ + -vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \ + -device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}' \ + -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ +diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args +index c227a04112..492d1be626 100644 +--- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args ++++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args +@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ + -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \ + -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \ + -object 
'{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +--object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}' \ ++-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \ + -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \ + -audiodev '{"id":"audio1","driver":"none"}' \ +diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c +index 049ca630a8..ba19029d95 100644 +--- a/tests/qemuxmlconftest.c ++++ b/tests/qemuxmlconftest.c +@@ -1598,7 +1598,9 @@ mymain(void) + DO_TEST_CAPS_VER("disk-network-tlsx509-nbd", "5.2.0"); + DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd"); + DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0"); ++ driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname"); ++ VIR_FREE(driver.config->nbdTLSpriority); + DO_TEST_CAPS_LATEST("disk-network-http"); + VIR_FREE(driver.config->nbdTLSx509secretUUID); + VIR_FREE(driver.config->vxhsTLSx509secretUUID); +@@ -1714,9 +1716,11 @@ mymain(void) + driver.config->vncTLS = 1; + driver.config->vncTLSx509verify = 1; + DO_TEST_CAPS_LATEST("graphics-vnc-tls"); ++ driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + driver.config->vncTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea"); + DO_TEST_CAPS_VER("graphics-vnc-tls-secret", "5.2.0"); + DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret"); ++ VIR_FREE(driver.config->vncTLSpriority); + 
VIR_FREE(driver.config->vncTLSx509secretUUID); + driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0; + DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless"); +@@ -1865,7 +1869,9 @@ mymain(void) + driver.config->chardevTLSx509verify = 0; + DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls"); + driver.config->chardevTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea"); ++ driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3"); + DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev"); ++ VIR_FREE(driver.config->chardevTLSpriority); + VIR_FREE(driver.config->chardevTLSx509secretUUID); + driver.config->chardevTLS = 0; + DO_TEST_CAPS_LATEST("serial-many-chardev"); +-- +2.50.1 diff --git a/SOURCES/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch b/SOURCES/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch new file mode 100644 index 0000000..a95d942 --- /dev/null +++ b/SOURCES/libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch 
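Review bot: The new `*TLSpriority` strings added to `struct _virQEMUDriverConfig` in the qemu_conf.h part of this patch are allocated by `virConfGetValueString` and `g_strdup` in qemu_conf.c, but the 22 qemu_conf.c lines in the diffstat are fully accounted for by the three visible inner hunks, none of which touches the config dispose path, so unless `virQEMUDriverConfigDispose` (outside the quoted hunks) already releases them they leak on config teardown; one `g_free(cfg->vncTLSpriority);` per field next to the existing `*TLSx509secretUUID` frees would close that. The backport-only `vxhsTLSpriority` field is, per its own comment, filled by `GET_CONFIG_TLS_CERTINFO_COMMON` from a `vxhs_tls_priority` key that neither the libvirtd_qemu.aug lens nor test_libvirtd_qemu.aug.in declares, so the C parser silently accepts a key the Augeas lens rejects, and the value is never consumed; either skip the priority read for vxhs or add `| str_entry "vxhs_tls_priority"` to the lens and its test. Libvirt also forwards the priority string to the `tls-creds-x509` object without checking it, so a typo in `migrate_tls_priority` surfaces only when the next migration's TLS object is created rather than at virtqemud start, which is worth a sentence in the qemu.conf.in comment for operators rolling out the TLS 1.3 workaround. The inner hunks for qemuBuildTLSx509BackendProps, virQEMUDriverConfigSetDefaults and mymain each start and end outside the quoted fragments.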
@@ -0,0 +1,84 @@ +From aab5d03bf61c67445ff9294dc872fe5c737c3c92 Mon Sep 17 00:00:00 2001 +Message-ID: +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 16 Jul 2025 16:32:05 +0100 +Subject: [PATCH] qemu: fix order of VNC TLS config entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For TLS config parameters, the 'verify' option always comes before the +'secret_uuid' option, except in the VNC case which has them reversed. + +Reviewed-by: Peter Krempa +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 845e1b5138f37dbf91e5b08b7d54d963a6ec0452) + +Resolves: https://issues.redhat.com/browse/RHEL-106277 +Signed-off-by: Daniel P. Berrangé +--- + src/qemu/libvirtd_qemu.aug | 2 +- + src/qemu/qemu.conf.in | 12 ++++++------ + src/qemu/test_libvirtd_qemu.aug.in | 2 +- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug +index 1377fd89cc..3f018f39a0 100644 +--- a/src/qemu/libvirtd_qemu.aug ++++ b/src/qemu/libvirtd_qemu.aug +@@ -35,8 +35,8 @@ module Libvirtd_qemu = + | bool_entry "vnc_auto_unix_socket" + | bool_entry "vnc_tls" + | str_entry "vnc_tls_x509_cert_dir" +- | str_entry "vnc_tls_x509_secret_uuid" + | bool_entry "vnc_tls_x509_verify" ++ | str_entry "vnc_tls_x509_secret_uuid" + | str_entry "vnc_password" + | bool_entry "vnc_sasl" + | str_entry "vnc_sasl_dir" +diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in +index 89c9b6b913..3365834200 100644 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -101,12 +101,6 @@ + #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" + + +-# Uncomment and use the following option to override the default secret +-# UUID provided in the default_tls_x509_secret_uuid parameter. 
+-# +-#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" +- +- + # The default TLS configuration only uses certificates for the server + # allowing the client to verify the server's identity and establish + # an encrypted channel. +@@ -125,6 +119,12 @@ + #vnc_tls_x509_verify = 1 + + ++# Uncomment and use the following option to override the default secret ++# UUID provided in the default_tls_x509_secret_uuid parameter. ++# ++#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" ++ ++ + # The default VNC password. Only 8 bytes are significant for + # VNC passwords. This parameter is only used if the per-domain + # XML config does not already provide a password. To allow +diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in +index 69fdae215a..86b3844d2c 100644 +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -9,8 +9,8 @@ module Test_libvirtd_qemu = + { "vnc_auto_unix_socket" = "1" } + { "vnc_tls" = "1" } + { "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" } +-{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "vnc_tls_x509_verify" = "1" } ++{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } + { "vnc_password" = "XYZ12345" } + { "vnc_sasl" = "1" } + { "vnc_sasl_dir" = "/some/directory/sasl2" } +-- +2.50.1 diff --git a/SOURCES/libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch b/SOURCES/libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch new file mode 100644 index 0000000..471d1b6 --- /dev/null +++ b/SOURCES/libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch 
@@ -0,0 +1,94 @@
+From bc9aaea59652adb0156b68e8cd198759c9eae5b3 Mon Sep 17 00:00:00 2001
+Message-ID:
+From: Peter Krempa
+Date: Tue, 11 Mar 2025 09:04:18 +0100
+Subject: [PATCH] qemu: process: Remove un-updated 'qemuProcessStartWarnShmem'
+
+The checks in qemuProcessStartWarnShmem are no longer current. Since
+previous patch made it fatal for vhost-user interfaces to be configured
+without shared memory this warning code can be deleted.
+
+Resolves: https://issues.redhat.com/browse/RHEL-80533
+Signed-off-by: Peter Krempa
+Reviewed-by: Michal Privoznik
+(cherry picked from commit 080c7fd341619a3d1986a00265addaf45b63aacf)
+
+https://issues.redhat.com/browse/RHEL-106504
+---
+ src/qemu/qemu_process.c | 54 -----------------------------------------
+ 1 file changed, 54 deletions(-)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 8bddb415ac..24d0049c43 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -5427,56 +5427,6 @@ qemuProcessMakeDir(virQEMUDriver *driver,
+ }
+
+
+-static void
+-qemuProcessStartWarnShmem(virDomainObj *vm)
+-{
+- size_t i;
+- bool check_shmem = false;
+- bool shmem = vm->def->nshmems;
+-
+- /*
+- * For vhost-user to work, the domain has to have some type of
+- * shared memory configured. We're not the proper ones to judge
+- * whether shared hugepages or shm are enough and will be in the
+- * future, so we'll just warn in case neither is configured.
+- * Moreover failing would give the false illusion that libvirt is
+- * really checking that everything works before running the domain
+- * and not only we are unable to do that, but it's also not our
+- * aim to do so.
+- */
+- for (i = 0; i < vm->def->nnets; i++) {
+- if (virDomainNetGetActualType(vm->def->nets[i]) ==
+- VIR_DOMAIN_NET_TYPE_VHOSTUSER) {
+- check_shmem = true;
+- break;
+- }
+- }
+-
+- if (!check_shmem)
+- return;
+-
+- /*
+- * This check is by no means complete. We merely check
+- * whether there are *some* hugepages enabled and *some* NUMA
+- * nodes with shared memory access.
+- */
+- if (!shmem && vm->def->mem.nhugepages) {
+- for (i = 0; i < virDomainNumaGetNodeCount(vm->def->numa); i++) {
+- if (virDomainNumaGetNodeMemoryAccessMode(vm->def->numa, i) ==
+- VIR_DOMAIN_MEMORY_ACCESS_SHARED) {
+- shmem = true;
+- break;
+- }
+- }
+- }
+-
+- if (!shmem) {
+- VIR_WARN("Detected vhost-user interface without any shared memory, "
+- "the interface might not be operational");
+- }
+-}
+-
+-
+ static int
+ qemuProcessStartValidateGraphics(virDomainObj *vm)
+ {
+@@ -5711,10 +5661,6 @@ qemuProcessStartValidate(virQEMUDriver *driver,
+ if (qemuProcessStartValidateTSC(driver, vm) < 0)
+ return -1;
+
+- VIR_DEBUG("Checking for any possible (non-fatal) issues");
+-
+- qemuProcessStartWarnShmem(vm);
+-
+ return 0;
+ }
+
+-- 
+2.50.1
diff --git a/SOURCES/libvirt-qemu-sanitize-blank-lines-in-config-file.patch b/SOURCES/libvirt-qemu-sanitize-blank-lines-in-config-file.patch
new file mode 100644
index 0000000..5ec08b6
--- /dev/null
+++ b/SOURCES/libvirt-qemu-sanitize-blank-lines-in-config-file.patch
@@ -0,0 +1,326 @@
+From 45c1847b67d0d2996a67e65a017e1ce51b682ecc Mon Sep 17 00:00:00 2001
+Message-ID: <45c1847b67d0d2996a67e65a017e1ce51b682ecc.1754419285.git.jdenemar@redhat.com>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 16 Jul 2025 16:30:52 +0100
+Subject: [PATCH] qemu: sanitize blank lines in config file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We mostly use 2 blank lines between config file entries to
+improve readability. Fix where we don't do that.
+
+Reviewed-by: Peter Krempa
+Signed-off-by: Daniel P. Berrangé
+(cherry picked from commit 0b9cfa791f2bd135ea36fe03fd1a8d6c8bf5e3d6)
+
+Resolves: https://issues.redhat.com/browse/RHEL-106277
+Signed-off-by: Daniel P. Berrangé
+---
+ src/qemu/qemu.conf.in | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
+index 3365834200..988d176a28 100644
+--- a/src/qemu/qemu.conf.in
++++ b/src/qemu/qemu.conf.in
+@@ -48,7 +48,7 @@
+ #
+ #default_tls_x509_verify = 1
+
+-#
++
+ # Libvirt assumes the server-key.pem file is unencrypted by default.
+ # To use an encrypted server-key.pem file, the password to decrypt
+ # the PEM file is required. This can be provided by creating a secret
+@@ -71,6 +71,7 @@
+ #
+ #vnc_listen = "0.0.0.0"
+
++
+ # Enable this option to have VNC served over an automatically created
+ # unix socket. This prevents unprivileged access from users on the
+ # host machine, though most VNC clients do not support it.
+@@ -81,6 +82,7 @@
+ #
+ #vnc_auto_unix_socket = 1
+
++
+ # Enable use of TLS encryption on the VNC server. This requires
+ # a VNC client which supports the VeNCrypt protocol extension.
+ # Examples include vinagre, virt-viewer, virt-manager and vencrypt
+@@ -222,6 +224,7 @@
+ #
+ #spice_sasl = 1
+
++
+ # The default SASL configuration file is located in /etc/sasl2/
+ # When running libvirtd unprivileged, it may be desirable to
+ # override the configs in this location. Set this parameter to
+@@ -229,6 +232,7 @@
+ #
+ #spice_sasl_dir = "/some/directory/sasl2"
+
++
+ # Enable use of TLS encryption on the chardev TCP transports.
+ #
+ # It is necessary to setup CA and issue a server certificate
+@@ -468,6 +472,7 @@
+ #remote_display_port_min = 5900
+ #remote_display_port_max = 65535
+
++
+ # VNC WebSocket port policies, same rules apply as with remote display
+ # ports. VNC WebSockets use similar display <-> port mappings, with
+ # the exception being that ports start from 5700 instead of 5900.
+@@ -475,6 +480,7 @@
+ #remote_websocket_port_min = 5700
+ #remote_websocket_port_max = 65535
+
++
+ # The default security driver is SELinux. If SELinux is disabled
+ # on the host, then the security driver will automatically disable
+ # itself. If you wish to disable QEMU SELinux security driver while
+@@ -492,15 +498,18 @@
+ #
+ #security_driver = "selinux"
+
++
+ # If set to non-zero, then the default security labeling
+ # will make guests confined. If set to zero, then guests
+ # will be unconfined by default. Defaults to 1.
+ #security_default_confined = 1
+
++
+ # If set to non-zero, then attempts to create unconfined
+ # guests will be blocked. Defaults to 0.
+ #security_require_confined = 1
+
++
+ # The user for QEMU processes run by the system instance. It can be
+ # specified as a user name or as a user id. The qemu driver will try to
+ # parse this value first as a name and then, if the name doesn't exist,
+@@ -518,20 +527,24 @@
+ #
+ #user = "@QEMU_USER@"
+
++
+ # The group for QEMU processes run by the system instance. It can be
+ # specified in a similar way to user.
+ #group = "@QEMU_GROUP@"
+
++
+ # Whether libvirt should dynamically change file ownership
+ # to match the configured user/group above. Defaults to 1.
+ # Set to 0 to disable file ownership changes.
+ #dynamic_ownership = 1
+
++
+ # Whether libvirt should remember and restore the original
+ # ownership over files it is relabeling. Defaults to 1, set
+ # to 0 to disable the feature.
+ #remember_owner = 1
+
++
+ # What cgroup controllers to make use of with QEMU guests
+ #
+ # - 'cpu' - use for scheduler tunables
+@@ -553,6 +566,7 @@
+ #
+ #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
++
+ # This is the basic set of devices allowed / required by
+ # all virtual machines.
+ #
+@@ -612,12 +626,14 @@
+ #dump_image_format = "raw"
+ #snapshot_image_format = "raw"
+
++
+ # When a domain is configured to be auto-dumped when libvirtd receives a
+ # watchdog event from qemu guest, libvirtd will save dump files in directory
+ # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+ #
+ #auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
++
+ # When a domain is configured to be auto-dumped, enabling this flag
+ # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+ # virDomainCoreDump API. That is, the system will avoid using the
+@@ -626,6 +642,7 @@
+ #
+ #auto_dump_bypass_cache = 0
+
++
+ # When a domain is configured to be auto-started, enabling this flag
+ # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+ # with the virDomainCreateWithFlags API. That is, the system will
+@@ -634,6 +651,7 @@
+ #
+ #auto_start_bypass_cache = 0
+
++
+ # If provided by the host and a hugetlbfs mount point is configured,
+ # a guest may request huge page backing. When this mount point is
+ # unspecified here, determination of a host mount point in /proc/mounts
+@@ -682,6 +700,7 @@
+ #max_processes = 0
+ #max_files = 0
+
++
+ # If max_threads_per_process is set to a positive integer, libvirt
+ # will use it to set the maximum number of threads that can be
+ # created by a qemu process. Some VM configurations can result in
+@@ -692,6 +711,7 @@
+ #
+ #max_threads_per_process = 0
+
++
+ # If max_core is set to a non-zero integer, then QEMU will be
+ # permitted to create core dumps when it crashes, provided its
+ # RAM size is smaller than the limit set.
+@@ -716,6 +736,7 @@
+ #
+ #max_core = "unlimited"
+
++
+ # Determine if guest RAM is included in QEMU core dumps. By
+ # default guest RAM will be excluded if a new enough QEMU is
+ # present and host kernel supports it. Setting this to '1' will
+@@ -726,6 +747,7 @@
+ #
+ #dump_guest_core = 1
+
++
+ # mac_filter enables MAC addressed based filtering on bridge ports.
+ # This currently requires ebtables to be installed.
+ #
+@@ -755,6 +777,7 @@
+ #
+ #max_queued = 0
+
++
+ ###################################################################
+ # Keepalive protocol:
+ # This allows qemu driver to detect broken connections to remote
+@@ -778,7 +801,6 @@
+ #keepalive_count = 5
+
+
+-
+ # Use seccomp syscall filtering sandbox in QEMU.
+ # 1 == filter enabled, 0 == filter disabled
+ #
+@@ -813,7 +835,6 @@
+ #migration_port_max = 49215
+
+
+-
+ # Timestamp QEMU's log messages (if QEMU supports it)
+ #
+ # Defaults to 1.
+@@ -853,6 +874,7 @@
+ # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
+ #]
+
++
+ # The backend to use for handling stdout/stderr output from
+ # QEMU processes.
+ #
+@@ -868,6 +890,7 @@
+ #
+ #stdio_handler = "logd"
+
++
+ # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+ # most verbose, and 0 representing no debugging output.
+ #
+@@ -888,6 +911,7 @@
+ #
+ #gluster_debug_level = 9
+
++
+ # virtiofsd debug
+ #
+ # Whether to enable the debugging output of the virtiofsd daemon.
+@@ -895,6 +919,7 @@
+ #
+ #virtiofsd_debug = 1
+
++
+ # To enhance security, QEMU driver is capable of creating private namespaces
+ # for each domain started. Well, so far only "mount" namespace is supported. If
+ # enabled it means qemu process is unable to see all the devices on the system,
+@@ -903,24 +928,29 @@
+ # by default.
+ #namespaces = [ "mount" ]
+
++
+ # This directory is used for memoryBacking source if configured as file.
+ # NOTE: big files will be stored here
+ #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
++
+ # Path to the SCSI persistent reservations helper. This helper is
+ # used whenever are enabled for SCSI LUN devices.
+ # If this is not an absolute path, the program will be searched for
+ # in $PATH as well as a few additional directories.
+ #pr_helper = "qemu-pr-helper"
+
++
+ # Path to the SLIRP networking helper.
+ #slirp_helper = "/usr/bin/slirp-helper"
+
++
+ # Path to the dbus-daemon
+ # If this is not an absolute path, the program will be searched for
+ # in $PATH.
+ #dbus_daemon = "dbus-daemon"
+
++
+ # User for the swtpm TPM Emulator
+ #
+ # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
+@@ -929,6 +959,7 @@
+ #swtpm_user = "tss"
+ #swtpm_group = "tss"
+
++
+ # For debugging and testing purposes it's sometimes useful to be able to disable
+ # libvirt behaviour based on the capabilities of the qemu process. This option
+ # allows to do so. DO _NOT_ use in production and beaware that the behaviour
+@@ -936,6 +967,7 @@
+ #
+ #capability_filters = [ "capname" ]
+
++
+ # 'deprecation_behavior' setting controls how the qemu process behaves towards
+ # deprecated commands and arguments used by libvirt.
+ #
+@@ -967,6 +999,7 @@
+ #
+ #deprecation_behavior = "none"
+
++
+ # If this is set then QEMU and its threads will run in a separate scheduling
+ # group meaning no other process will share Hyper Threads of a single core with
+ # QEMU. Each QEMU has its own group.
+@@ -983,6 +1016,7 @@
+ # scheduling group
+ #sched_core = "none"
+
++
+ # Using nbdkit to access remote disk sources
+ #
+ # If this is set then libvirt will use nbdkit to access remote disk sources
+@@ -994,6 +1028,7 @@
+ #
+ #storage_use_nbdkit = @USE_NBDKIT_DEFAULT@
+
++
+ # libvirt will normally prevent migration if the storage backing the VM is not
+ # on a shared filesystems. Sometimes, however, the storage *is* shared despite
+ # not being detected as such: for example, this is the case when one of the
+-- 
+2.50.1
diff --git a/SOURCES/libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch b/SOURCES/libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch
new file mode 100644
index 0000000..a2fbed2
--- /dev/null
+++ b/SOURCES/libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch
@@ -0,0 +1,62 @@
+From 3c84583ea0d1d1d4e1ca7c0dd228c60538b8270a Mon Sep 17 00:00:00 2001
+Message-ID: <3c84583ea0d1d1d4e1ca7c0dd228c60538b8270a.1754419286.git.jdenemar@redhat.com>
+From: Peter Krempa
+Date: Tue, 11 Mar 2025 09:01:12 +0100
+Subject: [PATCH] qemuValidateDomainDeviceDefNetwork: Require shared memory for
+ all vhost-user interfaces
+
+Currently we produce only a warning into the log if a non-passt
+vhost-user interface is configured with shared memory.
+
+Since we do make it fatal with all other vhost-user types, fix the check
+to trigger also for normal-vhost-user interfaces.
+
+Since passt-based vhost-user interfaces are checked separately the check
+will no longer be required.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Michal Privoznik
+(cherry picked from commit 0d20632179e1a61903f30986215bef53b0f912f6)
+
+https://issues.redhat.com/browse/RHEL-106504
+---
+ src/qemu/qemu_validate.c | 9 +++------
+ .../net-vhostuser-passt-no-shmem.x86_64-latest.err | 2 +-
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
+index 289a3f94cc..3572dd70cb 100644
+--- a/src/qemu/qemu_validate.c
++++ b/src/qemu/qemu_validate.c
+@@ -1805,12 +1805,6 @@ qemuValidateDomainDeviceDefNetwork(const virDomainNetDef *net,
+ return -1;
+ }
+
+- if (net->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
+- net->backend.type == VIR_DOMAIN_NET_BACKEND_PASST) {
+- if (qemuValidateDomainDefVhostUserRequireSharedMemory(def, "interface type=\"vhostuser\" backend type=\"passt\"") < 0)
+- return -1;
+- }
+-
+ if (net->type == VIR_DOMAIN_NET_TYPE_VDPA) {
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_NETDEV_VHOST_VDPA)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+@@ -1834,6 +1828,9 @@ qemuValidateDomainDeviceDefNetwork(const virDomainNetDef *net,
+ _("'reconnect' attribute is not supported when source mode='server' for "));
+ return -1;
+ }
++
++ if (qemuValidateDomainDefVhostUserRequireSharedMemory(def, "interface") < 0)
++ return -1;
+ }
+
+ if (!virDomainNetIsVirtioModel(net)) {
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err b/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
+index 274af5c722..babde17518 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
++++ b/tests/qemuxmlconfdata/net-vhostuser-passt-no-shmem.x86_64-latest.err
+@@ -1 +1 @@
+-unsupported configuration: 'interface type="vhostuser" backend type="passt"' requires shared memory
++unsupported configuration: 'interface' requires shared memory
+-- 
+2.50.1
diff --git a/SOURCES/libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch b/SOURCES/libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch
new file mode 100644
index 0000000..1ba0a75
--- /dev/null
+++ b/SOURCES/libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch
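Review bot: The new `qemuValidateDomainDefVhostUserRequireSharedMemory(def, "interface")` call drops the device description that the removed check carried, so a guest that now fails to start reports only `'interface' requires shared memory` with no hint that the vhost-user backing is the cause; passing `"interface type=\"vhostuser\""` would keep the error actionable (the .err fixture in the second file would change accordingly). The `if` block that the new call sits in opens outside the hunk, so whether it is guarded by the VIR_DOMAIN_NET_TYPE_VHOSTUSER branch cannot be confirmed from here. Note that this turns what was previously a log-only warning for non-passt vhost-user interfaces into a hard start failure for every existing domain defined without shared memory backing, which the RPM changelog entry does not flag as a behaviour change. The patch description's "configured with shared memory" also appears to mean "without".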
@@ -0,0 +1,144 @@
+From 4b43cc2ee96aefe625ca2f377cab56132b15b84f Mon Sep 17 00:00:00 2001
+Message-ID: <4b43cc2ee96aefe625ca2f377cab56132b15b84f.1754419286.git.jdenemar@redhat.com>
+From: Peter Krempa
+Date: Tue, 11 Mar 2025 09:01:03 +0100
+Subject: [PATCH] qemuxmlconftest: Include shared memory 'net-vhostuser' test
+ cases
+
+The vhost-user protocol requires shared memory support to work properly.
+
+Our test XMLs didn't have it configured as for interface the check if
+shared memory is present only produces a warning instead of a proper
+error.
+
+Upcoming patches will be moving the check to become fatal so the test
+cases need to be fixed first.
+
+Signed-off-by: Peter Krempa
+Reviewed-by: Michal Privoznik
+(cherry picked from commit 779a975355dcb34898abaefdf8968c214a66ebf1)
+
+https://issues.redhat.com/browse/RHEL-106504
+---
+ tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml | 3 +++
+ tests/qemuxmlconfdata/net-vhostuser-fail.xml | 3 +++
+ tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args | 2 +-
+ tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml | 3 +++
+ tests/qemuxmlconfdata/net-vhostuser-multiq.xml | 3 +++
+ tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args | 2 +-
+ tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml | 3 +++
+ tests/qemuxmlconfdata/net-vhostuser.xml | 3 +++
+ 8 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
+index 60e591001d..ce1ebf9462 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser-fail.x86_64-latest.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-fail.xml b/tests/qemuxmlconfdata/net-vhostuser-fail.xml
+index d50589af6f..b6b0b977d5 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-fail.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser-fail.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
+index 922758a034..4ea3d4eebd 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
++++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.args
+@@ -14,7 +14,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
+ -accel tcg \
+ -cpu qemu64 \
+ -m size=219136k \
+--object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
++-object '{"qom-type":"memory-backend-file","id":"pc.ram","mem-path":"/var/lib/libvirt/qemu/ram/-1-QEMUGuest1/pc.ram","share":true,"x-use-canonical-path-for-ramblock-id":false,"size":224395264}' \
+ -overcommit mem-lock=off \
+ -smp 1,sockets=1,cores=1,threads=1 \
+ -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
+index 5c2cf70a4b..93524c2864 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.x86_64-latest.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+diff --git a/tests/qemuxmlconfdata/net-vhostuser-multiq.xml b/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
+index ed492ea41a..fa324c9d17 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser-multiq.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+diff --git a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
+index bc1de8c8ed..f5925c77fe 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
++++ b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.args
+@@ -14,7 +14,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
+ -accel tcg \
+ -cpu qemu64 \
+ -m size=219136k \
+--object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}' \
++-object '{"qom-type":"memory-backend-file","id":"pc.ram","mem-path":"/var/lib/libvirt/qemu/ram/-1-QEMUGuest1/pc.ram","share":true,"x-use-canonical-path-for-ramblock-id":false,"size":224395264}' \
+ -overcommit mem-lock=off \
+ -smp 1,sockets=1,cores=1,threads=1 \
+ -uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+diff --git a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
+index c77d46147e..44bebef2c8 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser.x86_64-latest.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+diff --git a/tests/qemuxmlconfdata/net-vhostuser.xml b/tests/qemuxmlconfdata/net-vhostuser.xml
+index e55a30a54f..91d1abc027 100644
+--- a/tests/qemuxmlconfdata/net-vhostuser.xml
++++ b/tests/qemuxmlconfdata/net-vhostuser.xml
+@@ -3,6 +3,9 @@
+ c7a5fdbd-edaf-9455-926a-d65c16db1809
+ 219136
+ 219136
++
++
++
+ 1
+
+ hvm
+-- 
+2.50.1
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 4a713ab..45aa853 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -293,7 +293,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 10.10.0
-Release: 7.6%{?dist}%{?extra_release}.alma.1
+Release: 7.7%{?dist}%{?extra_release}.alma.1
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 URL: https://libvirt.org/
@@ -410,6 +410,12 @@ Patch106: libvirt-virsh-add-disable-deprecated-features-flag-to-domcapabilities. Patch107: libvirt-conf-add-deprecated_features-attribute.patch Patch108: libvirt-qemuPrepareNVRAMFile-Fix-NVRAM-image-conversion-check.patch Patch109: libvirt-esx-Allow-specifying-different-CA-bundle-for-remote-connections.patch +Patch110: libvirt-qemu-fix-order-of-VNC-TLS-config-entries.patch +Patch111: libvirt-qemu-sanitize-blank-lines-in-config-file.patch +Patch112: libvirt-qemu-add-ability-to-set-TLS-priority-string-with-QEMU.patch +Patch113: libvirt-qemuxmlconftest-Include-shared-memory-net-vhostuser-test-cases.patch +Patch114: libvirt-qemuValidateDomainDeviceDefNetwork-Require-shared-memory-for-all-vhost-user-interfaces.patch +Patch115: libvirt-qemu-process-Remove-un-updated-qemuProcessStartWarnShmem.patch Requires: libvirt-daemon = %{version}-%{release} @@ -2735,9 +2741,17 @@ exit 0 %endif %changelog -* Thu Aug 07 2025 Eduard Abdullin - 10.10.0-7.6.alma.1 +* Wed Sep 17 2025 Eduard Abdullin - 10.10.0-7.7.alma.1 - Enable building for ppc64le +* Tue Aug 5 2025 Jiri Denemark - 10.10.0-7.7.el9_6 +- qemu: fix order of VNC TLS config entries (RHEL-106277) +- qemu: sanitize blank lines in config file (RHEL-106277) +- qemu: add ability to set TLS priority string with QEMU (RHEL-106277) +- qemuxmlconftest: Include shared memory 'net-vhostuser' test cases (RHEL-106504) +- qemuValidateDomainDeviceDefNetwork: Require shared memory for all vhost-user interfaces (RHEL-106504) +- qemu: process: Remove un-updated 'qemuProcessStartWarnShmem' (RHEL-106504) + * Fri Jul 18 2025 Jiri Denemark - 10.10.0-7.6.el9_6 - esx: Allow specifying different CA bundle for remote connections (RHEL-98292)