After previous cleanup this function is no longer used and thus
can be dropped.
Signed-off-by: Michal Privoznik
---
src/qemu/qemu_security.c | 77
src/qemu/qemu_security.h | 9 -
2 files changed, 86 deletions(-)
diff --git
When starting swtpm binary, the qemuSecurityStartTPMEmulator() is
called which sets seclabel on the TPM state and then uses
qemuSecurityCommandRun() to execute the swtpm binary with proper
seclabel. Well, the aim is to ditch
qemuSecurityStartTPMEmulator() because it entangles two distinct
Currently, qemuSecurityCleanupTPMEmulator() returns nothing which
means a caller (well, there's only one - qemuExtTPMStop()) can't
produce a warning when restoring seclabels on TPM state failed.
True, qemuSecurityCleanupTPMEmulator() does report a warning
itself, but only in one specific error
There are some network FSs (ceph, CIFS) that propagate XATTRs
properly and thus SELinux labels too. In such a case using dynamic
seclabels would get in the way of migration as new seclabel is
assigned to the domain on the destination and thus two processes
with different labels (the source and the
If swtpm binary fails to start after successful exec() (e.g. it
fails to initialize itself), the seclabels set in
qemuSecurityStartTPMEmulator() are not restored. This is due to
lacking qemuSecurityRestoreTPMLabels() call in the error path.
Signed-off-by: Michal Privoznik
---
Now that we have qemuSecurityRestoreTPMLabels() we might as well
have qemuSecuritySetTPMLabels(). The aim here is to remove
qemuSecurityStartTPMEmulator() which couples two separate things
into a single function call.
Therefore, introduce qemuSecuritySetTPMLabels() which does only
set seclabels
*** BLURB HERE ***
Michal Prívozník (7):
qemu_security: Rework qemuSecurityCleanupTPMEmulator()
qemu_security: Rename qemuSecurityCleanupTPMEmulator()
qemu_security: Introduce qemuSecuritySetTPMLabels()
qemu_tpm: Restore TPM labels on failed start
qemu_tpm: Open code
The qemuSecurityCleanupTPMEmulator() function calls
virSecurityManagerRestoreTPMLabels() and thus the proper name is
qemuSecurityRestoreTPMLabels(). Rename it.
Signed-off-by: Michal Privoznik
---
src/qemu/qemu_security.c | 6 +++---
src/qemu/qemu_security.h | 6 +++---
src/qemu/qemu_tpm.c
Xen supports only a subset of libvirt's sound devices, and starting with
Xen 4.17 it is enforced by libxl. Verify it early.
Signed-off-by: Marek Marczykowski-Górecki
---
src/libxl/libxl_domain.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/src/libxl/libxl_domain.c
Xen 4.17 has strict parsing of 'soundhw' option that allows only
specific values (instead of passing through any value directly to
qemu's -soundhw option, it uses -device now). For 'intel-hda' audio
device, it requires "hda" string. "hda" works with older libxl too.
Other supported models are the
On 12/15/22 18:42, Marek Marczykowski-Górecki wrote:
Xen 4.17 has strict parsing of 'soundhw' option that allows only
specific values (instead of passing through any value directly to
qemu's -soundhw option, it uses -device now). For 'intel-hda' audio
device, it requires "hda" string. "hda"
Signed-off-by: Jim Fehlig
---
docs/kbase/rpm-deployment.rst | 38 ---
1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/docs/kbase/rpm-deployment.rst b/docs/kbase/rpm-deployment.rst
index 7685ee1291..7f38052ceb 100644
---
Remove the libvirt-daemon dependency from the various
libvirt-daemon- subpackages, replacing it with a set of the
new sub subpackages providing the same functionality.
Signed-off-by: Jim Fehlig
---
libvirt.spec.in | 22 +++---
1 file changed, 19 insertions(+), 3 deletions(-)
To avoid needlessly installing the monolithic daemon, replace the
libvirt-daemon dependency with libvirt-daemon-common. The common
subpackage contains all the utilities (e.g. virt-admin) and files
used by other daemons.
Signed-off-by: Jim Fehlig
Reviewed-by: Daniel P. Berrangé
---
Both drivers use numad via virNumaGetAutoPlacementAdvice.
Signed-off-by: Jim Fehlig
---
libvirt.spec.in | 6 ++
1 file changed, 6 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 4a57a948cc..503549dc04 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -763,6 +763,9 @@
Both the nodedev and lxc drivers can load kernel modules. Add a
module-init-tools dependency to the drivers.
Signed-off-by: Jim Fehlig
---
libvirt.spec.in | 4
1 file changed, 4 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 9e70518566..4a57a948cc 100644
---
Introduce a new subpackage libvirt-daemon-common and move virt-admin,
virt-host-validate, virt-ssh-helper, libvirt-guests and miscellaneous
files/directories to it. Also move common dependencies to the new
subpackage. These files, utilities, and dependencies are used by other
core libvirt daemons
The new name "libvirt-daemon-plugin-sanlock" provides consistency with the
newly introduced "libvirt-daemon-plugin-lockd" subpackage.
It's also a good opportunity to take ownership of
%{_libdir}/libvirt/lock-driver/, removing the need for a dependency on the
libvirt-daemon package.
Introduce the libvirt-daemon-plugin-lockd subpackage to provide the
client-side lockd plugin for virtlockd.
Signed-off-by: Jim Fehlig
Reviewed-by: Daniel P. Berrangé
---
libvirt.spec.in | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/libvirt.spec.in
Signed-off-by: Jim Fehlig
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Andrea Bolognani
---
libvirt.spec.in | 56 ++---
1 file changed, 39 insertions(+), 17 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index d303cac9df..ee12720b72
Signed-off-by: Jim Fehlig
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Andrea Bolognani
---
libvirt.spec.in | 53 +++--
1 file changed, 38 insertions(+), 15 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 33398b2877..d303cac9df
Signed-off-by: Jim Fehlig
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Andrea Bolognani
---
libvirt.spec.in | 61 +++--
1 file changed, 44 insertions(+), 17 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 6b8acf252e..33398b2877
This is V3 of
https://listman.redhat.com/archives/libvir-list/2022-December/236337.html
The end goal is to remove the libvirt-daemon dependency on the various
libvirt-daemon-driver-foo subpackages, allowing installation of a
modular daemon configuration without the traditional monolithic
On 12/15/22 15:37, Jiri Denemark wrote:
> See 3/4 for details.
>
> Jiri Denemark (4):
> conf: Drop virDomainJobOperation parameter from virDomainObjIsPostcopy
> conf: Add job parameter to virDomainObjIsFailedPostcopy
> qemu: Remember failed post-copy migration in job
>
On 12/19/22 10:03, Peter Krempa wrote:
> Semantically we need to handle one of the keys in the top level object
> separately, thus skipping it in nested objects doesn't make sense.
>
> Peter Krempa (2):
> virqemu: Don't strip the requested key from nested objects
> util: qemu: Remove
On Tue, Dec 20, 2022 at 09:27:10AM +0100, Michal Privoznik wrote:
> I'm kind of convinced that we want to do this, but also it's a
> significant change in the behaviour of the daemon, hence RFC prefix.
>
> This stemmed from a discussion with a user who wants us to use something
> more secure than
On Tue, Dec 20, 2022 at 09:27:11AM +0100, Michal Privoznik wrote:
> Our secret driver divides secrets into two groups: ephemeral
> (stored only in memory) and persistent (stored on disk). Now, the
> aim of ephemeral secrets is to define them shortly before being
> used and then undefine them. But
Our secret driver divides secrets into two groups: ephemeral
(stored only in memory) and persistent (stored on disk). Now, the
aim of ephemeral secrets is to define them shortly before being
used and then undefine them. But 'shortly before being used' is a
very vague time frame. And since we
I'm kind of convinced that we want to do this, but also it's a
significant change in the behaviour of the daemon, hence RFC prefix.
This stemmed from a discussion with a user who wants us to use something
more secure than base64 encoded secret values stored on a disk. They
suggested storing the