Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jim Fehlig
On 09/22/2017 04:55 PM, Jim Fehlig wrote: On 09/22/2017 03:25 PM, Jamie Strandboge wrote: On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote: Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles, simply starting libvirtd results in the following denial type=AVC

[libvirt] [PATCH V3] apparmor: support ptrace checks

2017-09-22 Thread Jim Fehlig
Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 With kernel 4.13 and apparmor 2.11, simply starting libvirtd results in the following apparmor denial type=AVC

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jim Fehlig
On 09/22/2017 03:25 PM, Jamie Strandboge wrote: On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote: Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles, simply starting libvirtd results in the following denial type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"

Re: [libvirt] [PATCH V2] apparmor: support ptrace checks

2017-09-22 Thread Jim Fehlig
On 09/22/2017 03:15 PM, Jim Fehlig wrote: Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 With kernel 4.13 and apparmor 2.11, simply starting libvirtd results

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jamie Strandboge
On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote: > > Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles, > simply > starting libvirtd results in the following denial > > type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" >

[libvirt] [PATCH V2] apparmor: support ptrace checks

2017-09-22 Thread Jim Fehlig
Kernel 4.13 introduced finer-grained ptrace checks https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 With kernel 4.13 and apparmor 2.11, simply starting libvirtd results in the following apparmor denial type=AVC

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jim Fehlig
On 09/22/2017 06:52 AM, Guido Günther wrote: Hi Jim, On Wed, Sep 20, 2017 at 11:17:06AM -0600, Jim Fehlig wrote: On 09/20/2017 08:57 AM, Jim Fehlig wrote: On 09/20/2017 12:51 AM, Guido Günther wrote: Hi Jim, On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote: Kernel 4.13 introduced

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread Andrea Bolognani
On Fri, 2017-09-22 at 12:58 -0400, John Ferlan wrote: > By killing it - I was thinking more along the lines of removing it from > our CI infrastructure and just letting the repo sit silently without > updates, but that ship sailed today. We could still remove it from the > CI mix as if something

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread John Ferlan
On 09/22/2017 12:47 PM, Andrea Bolognani wrote: > On Fri, 2017-09-22 at 17:17 +0100, Daniel P. Berrange wrote: >>> libvirt-cim has its own mailing list (libvirt-...@redhat.com) and >>> archives: https://www.redhat.com/archives/libvirt-cim/index.html. >>> >>> The last email there (April 2015) and

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread Andrea Bolognani
On Fri, 2017-09-22 at 17:17 +0100, Daniel P. Berrange wrote: > > libvirt-cim has its own mailing list (libvirt-...@redhat.com) and > > archives: https://www.redhat.com/archives/libvirt-cim/index.html. > > > > The last email there (April 2015) and last patch (Aug 2014) - I venture > > to say

[libvirt] [PATCH v2 5/6] libvirtaio: keep track of the current implementation

2017-09-22 Thread Wojtek Porczyk
Since 7534c19 it is not possible to register event implementation twice. Instead, allow for retrieving the current one, should it be needed afterwards. Signed-off-by: Wojtek Porczyk --- libvirtaio.py | 16 ++-- 1 file changed, 14 insertions(+), 2

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread Daniel P. Berrange
On Fri, Sep 22, 2017 at 10:08:44AM -0400, John Ferlan wrote: > > > On 09/22/2017 09:28 AM, Andrea Bolognani wrote: > > While the "autoconfiscate" name is very clever and cute, the > > de-facto standard name for this kind of script is "autogen", and > > deviating from it means having to

[libvirt] [PATCH v2 3/6] libvirtaio: do not double-add callbacks

2017-09-22 Thread Wojtek Porczyk
This was a harmless bug, without any impact, but it is wrong to manage the collection of callbacks from its members. Signed-off-by: Wojtek Porczyk --- libvirtaio.py | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libvirtaio.py

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jamie Strandboge
On Fri, 2017-09-22 at 17:46 +0200, Guido Günther wrote: ... > What I don't understand yet is why we have in libvirt-lxc: > > > diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc > > index 4bfb503aa..0db137de0 100644 > > --- a/examples/apparmor/libvirt-lxc > > +++

[libvirt] [PATCH v2 6/6] libvirtaio: add .drain() coroutine

2017-09-22 Thread Wojtek Porczyk
The intended use is to ensure that the implementation is empty, which is one way to ensure that all connections were properly closed and file descriptors reclaimed. Signed-off-by: Wojtek Porczyk --- libvirtaio.py | 36 ++-- 1 file

[libvirt] [PATCH v2 4/6] libvirtaio: fix closing of the objects

2017-09-22 Thread Wojtek Porczyk
- Descriptor.close() was dead code, never used. - TimeoutCallback.close(), as a cleanup function, should have called super() as last statement, not first Signed-off-by: Wojtek Porczyk --- libvirtaio.py | 7 +-- 1 file changed, 1 insertion(+), 6

[libvirt] [PATCH v2 1/6] libvirtaio: add more debug logging

2017-09-22 Thread Wojtek Porczyk
This logging is helpful for tracing problems with unclosed connections and leaking file descriptors. Signed-off-by: Wojtek Porczyk --- libvirtaio.py | 33 + 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/libvirtaio.py

[libvirt] [PATCH v2 0/6] libvirt-python/libvirtaio patches for 3.8.0

2017-09-22 Thread Wojtek Porczyk
Hi libvirt-list, I'd like to submit a second iteration of libvirtaio series for 3.8.0. There are some improvements to have better control over closing connections, which are important in test suites which repeatedly open and close connections. Also there are some minor bugfixes and better

[libvirt] [PATCH v2 2/6] libvirtaio: cache the list of callbacks when calling

2017-09-22 Thread Wojtek Porczyk
When the callback causes something that results in changes wrt registered handles, Python aborts iteration. Relevant error message: Exception in callback None() handle: Traceback (most recent call last): File "/usr/lib64/python3.5/asyncio/events.py", line 126, in _run

Re: [libvirt] [PATCH libvirt-ci] libvirt-cim: Deal with autoconfiscate.sh rename

2017-09-22 Thread Pavel Hrdina
On Fri, Sep 22, 2017 at 05:27:33PM +0200, Andrea Bolognani wrote: > The new name is the more standard autogen.sh. Still not > enough to switch to autotools-*-job, but it's something. > > Signed-off-by: Andrea Bolognani > --- > The relevant patch[1] has been ACKed[2] but not

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Guido Günther
Hi, On Fri, Sep 22, 2017 at 10:29:22AM -0500, Jamie Strandboge wrote: > On Fri, 2017-09-22 at 14:52 +0200, Guido Günther wrote: > > > + ptrace, > > > > ^^^ > > > > This single line is enough to make things work for me on 4.13. AFAIK > > dbus mediation is not upstream yet and I think unix

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Stefan Bader
On 22.09.2017 14:52, Guido Günther wrote: > Hi Jim, > On Wed, Sep 20, 2017 at 11:17:06AM -0600, Jim Fehlig wrote: >> On 09/20/2017 08:57 AM, Jim Fehlig wrote: >>> On 09/20/2017 12:51 AM, Guido Günther wrote: Hi Jim, On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote: > Kernel

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Jamie Strandboge
On Fri, 2017-09-22 at 14:52 +0200, Guido Günther wrote: > > + ptrace, > > ^^^ > > This single line is enough to make things work for me on 4.13. AFAIK > dbus mediation is not upstream yet and I think unix socket and signal > support is neither. Should we drop these for now (the syntax and >

[libvirt] [PATCH libvirt-ci] libvirt-cim: Deal with autoconfiscate.sh rename

2017-09-22 Thread Andrea Bolognani
The new name is the more standard autogen.sh. Still not enough to switch to autotools-*-job, but it's something. Signed-off-by: Andrea Bolognani --- The relevant patch[1] has been ACKed[2] but not pushed yet, because I figured it's better to have the CI setup updated first.

Re: [libvirt] [PATCH v2 11/14] qemu: Add disk secret object hash table to _qemuDomainObjPrivate

2017-09-22 Thread John Ferlan
On 09/22/2017 05:44 AM, Peter Krempa wrote: > On Fri, Sep 15, 2017 at 20:30:14 -0400, John Ferlan wrote: >> Currently when an AES secret object is added to the domain for >> either a network disk, a LUKS encryption secret, or for a SCSI >> hostdev there is no way for domain restart to be able to

Re: [libvirt] [PATCH v2 06/14] qemu: Introduce privateData for _virStorageSource

2017-09-22 Thread John Ferlan
On 09/21/2017 10:31 AM, Peter Krempa wrote: > On Fri, Sep 15, 2017 at 20:30:09 -0400, John Ferlan wrote: >> Since the secret information is really _virStorageSource specific >> piece of data, let's create a privateData object for _virStorageSource >> and move the @secinfo from

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread Andrea Bolognani
On Fri, 2017-09-22 at 10:08 -0400, John Ferlan wrote: > libvirt-cim has its own mailing list (libvirt-...@redhat.com) and > archives: https://www.redhat.com/archives/libvirt-cim/index.html. Fair enough, my bad for not noticing. > The last email there (April 2015) and last patch (Aug 2014) - I

Re: [libvirt] [PATCH 3/4] qemu: hot-plug of watchdog

2017-09-22 Thread Michal Privoznik
On 09/12/2017 04:23 PM, John Ferlan wrote: > > > On 09/05/2017 07:45 AM, Michal Privoznik wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=1447169 >> >> Once again, since domain can have at most one watchdog it >> simplifies things a bit. However, since we must be able to set >> the

Re: [libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread John Ferlan
On 09/22/2017 09:28 AM, Andrea Bolognani wrote: > While the "autoconfiscate" name is very clever and cute, the > de-facto standard name for this kind of script is "autogen", and > deviating from it means having to special-case the libvirt-cim > project when, for example, setting up a CI

Re: [libvirt] [PATCH libvirt-cim 0/2] Small improvements

2017-09-22 Thread Michal Privoznik
On 09/22/2017 03:28 PM, Andrea Bolognani wrote: > The first patch will make it possible to have a nicer CI setup. > > The second one is just something that I couldn't help fixing > while preparing the first one :) > > Andrea Bolognani (2): > maint: Rename autoconfiscate.sh to autogen.sh >

[libvirt] [PATCH] numa: avoid failure in nodememstats on non-NUMA systems

2017-09-22 Thread Viktor Mihajlovski
libvirt reports a fake NUMA topology in virConnectGetCapabilities even if built without numactl support. The fake NUMA topology consists of a single cell representing the host's cpu and memory resources. Currently this is the case for ARM and s390[x] RPM builds. A client iterating over NUMA cells

[libvirt] [PATCH libvirt-cim 0/2] Small improvements

2017-09-22 Thread Andrea Bolognani
The first patch will make it possible to have a nicer CI setup. The second one is just something that I couldn't help fixing while preparing the first one :) Andrea Bolognani (2): maint: Rename autoconfiscate.sh to autogen.sh README: Point to git repository README

Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

2017-09-22 Thread Guido Günther
Hi Jim, On Wed, Sep 20, 2017 at 11:17:06AM -0600, Jim Fehlig wrote: > On 09/20/2017 08:57 AM, Jim Fehlig wrote: > > On 09/20/2017 12:51 AM, Guido Günther wrote: > > > Hi Jim, > > > On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote: > > > > Kernel 4.13 introduced finer-grained ptrace

[libvirt] [PATCH libvirt-cim 2/2] README: Point to git repository

2017-09-22 Thread Andrea Bolognani
The Mercurial repositories are no more, so update the pointer. Signed-off-by: Andrea Bolognani --- README | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README b/README index d3e9172..09e0059 100644 --- a/README +++ b/README @@ -9,7 +9,7 @@

[libvirt] [PATCH libvirt-cim 1/2] maint: Rename autoconfiscate.sh to autogen.sh

2017-09-22 Thread Andrea Bolognani
While the "autoconfiscate" name is very clever and cute, the de-facto standard name for this kind of script is "autogen", and deviating from it means having to special-case the libvirt-cim project when, for example, setting up a CI environment. Signed-off-by: Andrea Bolognani

[libvirt] [PATCH] libvirt_nss.c: Fix typo in aiforaf()

2017-09-22 Thread Michal Privoznik
In my previous commit of b1d87f9ad96f I've made a typo breaking the FreeBSD build. s/ipAaddr/ipAddr/ Signed-off-by: Michal Privoznik --- Pushed under trivial & build breaker rules. This time I've even tested it on my FreeBSD machine. tools/nss/libvirt_nss.c | 4 ++-- 1

Re: [libvirt] [PATCH] apparmor: delete profile on VM shutdown

2017-09-22 Thread Guido Günther
Hi, On Tue, Sep 19, 2017 at 10:36:03PM -0600, Jim Fehlig wrote: > On 09/18/2017 01:24 PM, Guido Günther wrote: > > instead of only unloading it. This makes sure old profiles don't pile up > > in /etc/apparmor.d/libvirt and we get updates to modified templates on > > VM restart. > > Makes sense.

Re: [libvirt] [PATCH v2 14/14] qemu: Use secret objects to pass iSCSI passwords

2017-09-22 Thread Peter Krempa
On Fri, Sep 15, 2017 at 20:30:17 -0400, John Ferlan wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1425757 > > The blockdev-add code provides a mechanism to sanely provide user > and password-secret arguments for iscsi without placing them on the > command line to be viewable by a 'ps -ef'

Re: [libvirt] [PATCH v2 12/14] qemu: Get capabilities to use iscsi password-secret argument

2017-09-22 Thread Peter Krempa
On Fri, Sep 15, 2017 at 20:30:15 -0400, John Ferlan wrote: > Add the capability to use the blockdev-add query-qmp-schema option > to find the 'password-secret' parameter that will allow the iSCSI > code to use the master secret object (a/k/a AES) to encrypt the AES is a name of the cipher, not an

Re: [libvirt] [PATCH v2 13/14] util: Add iSCSI auth/password-secret processing

2017-09-22 Thread Peter Krempa
On Fri, Sep 15, 2017 at 20:30:16 -0400, John Ferlan wrote: > Generate the example for the iSCSI auth/password-secret similar to > what's done for RBD. > > Signed-off-by: John Ferlan > --- > src/util/virstoragefile.c | 30 ++ >

Re: [libvirt] [PATCH v2 11/14] qemu: Add disk secret object hash table to _qemuDomainObjPrivate

2017-09-22 Thread Peter Krempa
On Fri, Sep 15, 2017 at 20:30:14 -0400, John Ferlan wrote: > Currently when an AES secret object is added to the domain for > either a network disk, a LUKS encryption secret, or for a SCSI > hostdev there is no way for domain restart to be able to connect > or determine which secret by secrettype

Re: [libvirt] [PATCH v1 4/7] qemu: Allow regeneration of aliases

2017-09-22 Thread Michal Privoznik
On 09/21/2017 07:18 PM, Daniel P. Berrange wrote: > On Thu, Sep 21, 2017 at 06:05:19PM +0200, Peter Krempa wrote: >> On Thu, Sep 21, 2017 at 16:47:08 +0200, Michal Privoznik wrote: >>> In the near future the qemuAssignDeviceAliases() function is >>> going to be called multiple times: once at the

Re: [libvirt] [PATCH v1 4/7] qemu: Allow regeneration of aliases

2017-09-22 Thread Daniel P. Berrange
On Fri, Sep 22, 2017 at 10:25:46AM +0200, Peter Krempa wrote: > On Fri, Sep 22, 2017 at 10:18:02 +0200, Michal Privoznik wrote: > > On 09/21/2017 07:18 PM, Daniel P. Berrange wrote: > > > On Thu, Sep 21, 2017 at 06:05:19PM +0200, Peter Krempa wrote: > > >> On Thu, Sep 21, 2017 at 16:47:08 +0200,

Re: [libvirt] [PATCH 0/2] qemu: don't update cpu unconditionally for migratable flag

2017-09-22 Thread Nikolay Shirokovskiy
On 22.09.2017 09:46, Jiri Denemark wrote: > On Thu, Sep 21, 2017 at 16:39:37 +0300, Nikolay Shirokovskiy wrote: >> First patch is just a refactoring. >> >> Nikolay Shirokovskiy (2): >> qemu: make explicit that formatting migratable imposes secure >> qemu: don't update cpu unconditionally for

Re: [libvirt] [PATCH v1 4/7] qemu: Allow regeneration of aliases

2017-09-22 Thread Peter Krempa
On Fri, Sep 22, 2017 at 10:18:02 +0200, Michal Privoznik wrote: > On 09/21/2017 07:18 PM, Daniel P. Berrange wrote: > > On Thu, Sep 21, 2017 at 06:05:19PM +0200, Peter Krempa wrote: > >> On Thu, Sep 21, 2017 at 16:47:08 +0200, Michal Privoznik wrote: > >>> In the near future the

Re: [libvirt] [PATCH v2] util: Fix stack smashing in virNetDevGetFamilyId

2017-09-22 Thread Jiri Denemark
On Thu, Sep 21, 2017 at 15:25:37 -0400, John Ferlan wrote: > > > On 09/21/2017 01:57 PM, Laine Stump wrote: > > After commit 8708ca01c0d libvirtd consistently aborts with "stack > > smashing detected" when nodedev driver is initialized. > > > > This is caused by nlmsg_parse() being told that

Re: [libvirt] [PATCH 0/2] A few cleanups related to qemuDomainDefFormat*

2017-09-22 Thread Nikolay Shirokovskiy
On 21.09.2017 17:34, Jiri Denemark wrote: > On Thu, Sep 21, 2017 at 15:23:06 +0200, Jiri Denemark wrote: >> Jiri Denemark (2): >> qemu: Fix error checking in qemuDomainDefFormatXMLInternal >> qemu: Use qemuDomainDefFormatXML in qemuDomainDefCopy >> >> src/qemu/qemu_domain.c | 16

Re: [libvirt] [PATCH 2/2] qemu: don't update cpu unconditionally for migratable flag

2017-09-22 Thread Nikolay Shirokovskiy
On 21.09.2017 18:50, Peter Krempa wrote: > On Thu, Sep 21, 2017 at 17:32:33 +0300, Nikolay Shirokovskiy wrote: >> >> >> On 21.09.2017 17:24, Jiri Denemark wrote: >>> On Thu, Sep 21, 2017 at 16:39:39 +0300, Nikolay Shirokovskiy wrote: Imagine if we use 'virsh dumpxml --migratable' for

Re: [libvirt] [PATCH] tests: Add QEMU 2.10.0 capabilities test for s390x

2017-09-22 Thread Boris Fiuczynski
On 09/21/2017 09:35 PM, John Ferlan wrote: On 09/19/2017 10:06 AM, Boris Fiuczynski wrote: Adding s390x qemu caps test for qemu version 2.10.0. Signed-off-by: Boris Fiuczynski --- .../qemucapabilitiesdata/caps_2.10.0.s390x.replies | 16441 +++

Re: [libvirt] [PATCH 0/2] qemu: don't update cpu unconditionally for migratable flag

2017-09-22 Thread Jiri Denemark
On Thu, Sep 21, 2017 at 16:39:37 +0300, Nikolay Shirokovskiy wrote: > First patch is just a refactoring. > > Nikolay Shirokovskiy (2): > qemu: make explicit that formatting migratable imposes secure > qemu: don't update cpu unconditionally for migratable flag > > src/qemu/qemu_domain.c

Re: [libvirt] [PATCH 0/2] A few cleanups related to qemuDomainDefFormat*

2017-09-22 Thread Jiri Denemark
On Thu, Sep 21, 2017 at 16:34:24 +0200, Jiri Denemark wrote: > On Thu, Sep 21, 2017 at 15:23:06 +0200, Jiri Denemark wrote: > > Jiri Denemark (2): > > qemu: Fix error checking in qemuDomainDefFormatXMLInternal > > qemu: Use qemuDomainDefFormatXML in qemuDomainDefCopy > > > >

Re: [libvirt] [PATCH 1/2] qemu: make explicit that formatting migratable imposes secure

2017-09-22 Thread Nikolay Shirokovskiy
On 21.09.2017 17:32, Jiri Denemark wrote: > On Thu, Sep 21, 2017 at 16:39:38 +0300, Nikolay Shirokovskiy wrote: >> qemu code always set VIR_DOMAIN_XML_SECURE flags when >> VIR_DOMAIN_XML_MIGRATABLE >> is set. At the same time qemu code itself does not analyse >> VIR_DOMAIN_XML_SECURE >>