[Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-06 Thread Christian Ehrhardt
as the valid 0x. P.S. Thanks Hollis for the simple example code -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats: Johann

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-10 Thread Christian Ehrhardt
, there are related tracebacks in xend.log *change number of cpu's *create virtual network -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-11 Thread Christian Ehrhardt
- used size for the padding and I like that kind of readability. -- Grüsse / regards, Christian Ehrhardt IBM Linux Technology Center, Open Virtualization +49 7031/16-3385 [EMAIL PROTECTED] [EMAIL PROTECTED] IBM Deutschland Entwicklung GmbH Vorsitzender des Aufsichtsrats: Johann Weihen

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-11 Thread Christian Ehrhardt
Daniel Veillard wrote: On Wed, Jul 11, 2007 at 02:11:38PM +0200, Christian Ehrhardt wrote: [...] yes the only potential problem would be with other architectures where __BIG_ENDIAN__ is defined and where the relative size of pointers and long would be different. We can change

Re: [Libvir] big-endian support for libvirt - introduce GUEST_HANDLE infrastructure ?

2007-07-12 Thread Christian Ehrhardt
Hollis Blanchard wrote: On Wed, 2007-07-11 at 15:48 +0200, Christian Ehrhardt wrote: thanks a lot ! Does this fix all the libvirt proper platform issues (i.e. independently of possible xen specific ones) ? Yes it fixes them as far as they are currently known to me. As I wrote

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-10 Thread Christian Ehrhardt
Sorry, I seem to become a pest more than I'd like to, but my timer on this thread expired again :-) Was the feedback I gave to the questions last week ok to understand the case and maybe reproduce to achieve an ack or do we need to discuss more? -- libvir-list mailing list libvir-list@redhat.com

Re: [libvirt] [PATCH v2] virt-aa-helper: fix parsing security labels

2016-11-28 Thread Christian Ehrhardt
ewed discussion. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] tests: adapt to gnutls change in dname en-/decoding

2016-11-16 Thread Christian Ehrhardt
tions are changed to return the original non-fully compliant with RFC4514 string format, while the new ones return the compliant string by default. This allows applications which relied on the previous format to continue functioning without changes. -- Christian Ehrhardt Software Engine

[libvirt] [PATCH] tests: adapt to gnutls change in dname en-/decoding

2016-11-16 Thread Christian Ehrhardt
version dependent definition of the wildcard strings used by the tests (older gnutls versions require the old order). Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- tests/virnettlssessiontest.c | 28 1 file changed, 28 insertions(+) diff

[libvirt] fix for recent gnutls behavior change

2016-11-16 Thread Christian Ehrhardt
- if anyone wants to reproduce - can be found on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1641615 But the primary purpose of the cover letter is a call to everybody to think if that change could imply the need for more changes in libvirt than just to make the tests work again. Christian

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-21 Thread Christian Ehrhardt
On Mon, Nov 21, 2016 at 9:03 AM, Guido Günther wrote: > This should be shortened and clarified (see the other part of the > thread). IMHO the root cause is that we parse the active domain XML but > the live part of the seclabel is not filled in yet. > Ok, reasonable to keep

[libvirt] [PATCH v2] virt-aa-helper: fix parsing security labels

2016-11-21 Thread Christian Ehrhardt
lid apparmor profile Updates: v2 - simplified and clarified commit message - make the flag skip all seclabel parsing - shorten the new flag name fixes: dfbc9a83 ("apparmor: QEMU monitor socket moved") Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/c

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-03 Thread Christian Ehrhardt
Sorry to bother, but "ping" for the list and adding some more people to CC - for review or comments on this.

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-10-31 Thread Christian Ehrhardt
On Mon, Oct 31, 2016 at 11:32 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > But that turned out to break non apparmor seclabels as well as apparmor > seclabels in xmls without labels. > FYI - For a bit extra info on the case, debugging it and in general

[libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-10-31 Thread Christian Ehrhardt
stcase with virt-aa-helper on xml file: virt-aa-helper -d -r -p 0 -u libvirt- < your-guest.xml virt-aa-helper: error: could not parse XML virt-aa-helper: error: could not get VM definition (That should have printed a valid apparmor profile) Signed-off-by: Christian Ehrhardt <christian.ehrha

Re: [libvirt] [PATCH] fix parsing security labels from virt-aa-helper

2016-11-04 Thread Christian Ehrhardt
On Thu, Nov 3, 2016 at 6:15 PM, Guido Günther <a...@sigxcpu.org> wrote: Thanks for your feedback Guido! On Mon, Oct 31, 2016 at 11:32:44AM +0100, Christian Ehrhardt wrote: > > When parsing labels virt-aa-helper does no more pass > > VIR_DOMAIN_DEF_PARSE_INACTIVE due to d

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-12 Thread Christian Ehrhardt
Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.co> That (just FYI) is also equivalent to https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1615550 On Mon, Dec 12, 2016 at 11:59 AM, intrigeri <intrigeri+libv...@boum.org> wrote: > https://bugzilla.redhat.com/

Re: [libvirt] [PATCH] AppArmor policy: support merged-/usr.

2016-12-12 Thread Christian Ehrhardt
idea who to cc. Given that you come from a Debian point of view if I read mails correctly you might want to add "Guido Günther <a...@sigxcpu.org>" for example. Other than that it is down to waiting and sometimes pinging for response. Also for both patches here my Acked-by: Chris

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-06 Thread Christian Ehrhardt
nux/man-pages/man5/proc.5.html Quoting from there: "... A thread may modify *its* comm value, or that of any of other thread *in the same thread group* ..." -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] AppArmor: allow QEMU to set_process_name.

2016-12-05 Thread Christian Ehrhardt
explicit TID instead of a pattern. I'm convinced you confirmed your fix working, but I wonder if might want to consider the "owner" part we had. CCing a few people who were involved on the old patch. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list ma

[libvirt] Loosing lxc guests when restarting libvirt

2016-12-20 Thread Christian Ehrhardt
F virsh define /tmp/smoke-lxc.xml virsh start sl virsh list --all # is running now /etc/init.d/libvirtd restart virsh list --all # is no more running, but it should Way more background and detail can be found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848317 -- Christian Ehrhardt Softwa

Re: [libvirt] [PATCH] apparmor: pass attach_disconnected

2016-12-19 Thread Christian Ehrhardt
Ha intrigeri beat me by 3 minutes with feedback :-) Tested it as well over lunch time, working for me too now: That said: Acked-by Christian Ehrhardt <christian.ehrha...@canonical.com> On Mon, Dec 19, 2016 at 2:35 PM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, >

[libvirt] [RFC] qemu: monitor: do not report error on shutdown

2017-03-09 Thread Christian Ehrhardt
If a shutdown is expected because it was triggered via libvirt we can also expect the monitor to close. In those cases do not report an internal error like: "internal error: End of file from qemu monitor" Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>

Re: [libvirt] [RFC] qemu: monitor: do not report error on shutdown

2017-03-09 Thread Christian Ehrhardt
On Thu, Mar 9, 2017 at 10:54 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > In those cases do not report an > internal error like: > "internal error: End of file from qemu monitor" > There is some extra background on the issue that shall be f

[libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-10 Thread Christian Ehrhardt
s now get that permission, but no other rules are changed, example: - "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw, + "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonic

Re: [libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-10 Thread Christian Ehrhardt
On Thu, Aug 10, 2017 at 11:19 AM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Testing qemu-2.10-rc2 shows issues like: > qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- > \ > artful-normal.qcow,format=qcow2,if=none,id=drive-virtio

Re: [libvirt] [PATCH] virt-aa-helper: locking disk files for qemu 2.10

2017-08-14 Thread Christian Ehrhardt
Ping - opinions on this or is it ready to be committed? On this reply setting Guido on CC as he has experience on apparmor patches in libvirt and commit rights. On Fri, Aug 11, 2017 at 8:58 PM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, > > Christian Ehrhardt: >

[libvirt] [PATCH] virt-aa-helper: locking loader/nvram for qemu 2.10

2017-08-17 Thread Christian Ehrhardt
ck" [...] name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd" name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" [...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k" The profile needs to allow locking for load

Re: [libvirt] [PATCH] virt-aa-helper: locking loader/nvram for qemu 2.10

2017-08-17 Thread Christian Ehrhardt
a v2 which states so more explicitly. On Thu, Aug 17, 2017 at 1:23 PM, Michal Privoznik <mpriv...@redhat.com> wrote: > On 08/17/2017 10:55 AM, Christian Ehrhardt wrote: > > Testing qemu-2.10-rc3 shows issues like: > > qemu-system-aarch64: -drive file=/home/ubuntu/vm-start

[libvirt] [PATCH] libxl: fix cdrom default driver name

2017-07-17 Thread Christian Ehrhardt
, add that as the default attribute just as it was added in the past. Example of the verification error: $ virt-xml-validate mytest.xml Relax-NG validity error : Extra element devices in interleave Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src

[libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
ng store info added. But as outlined above, at the point virt-aa-helper runs now the necessary backingStore data seems to be missing. I couldn't find the related change or a way to fix it so far, so any hints are welcome. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list

Re: [libvirt] Xen device section defaults miss name='qemu'

2017-07-17 Thread Christian Ehrhardt
On Sat, Jul 15, 2017 at 12:27 AM, Jim Fehlig <jfeh...@suse.com> wrote: > On 07/11/2017 08:15 AM, Christian Ehrhardt wrote: > >> >> What happens is that before the changes this auto-added a driver section >> like: >> >> But now it does only add >>

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
On said example: Libvirt 2.5: Breakpoint 1, 0x3fffb7c77ba8 in virDomainDiskDefForeachPath (disk=0x200ab490, ignoreOpenFailure=true, iter=0x20011dc0 , opaque=0x3fffef70) at ../../../src/conf/domain_conf.c:24851 $1 = (virStorageSourcePtr) 0x200ab630 (gdb) p disk->src->path $2 = 0x200a9ff0

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
Hi, I was misled by my former assumption on the lifecycle. As virt-aa-helper gets its xml passed into stdin. I captured that and found that in both cases it had the same content. Below steps to reproduce based on that: Test -Xml: kvmguest-artful-normal-a2

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-17 Thread Christian Ehrhardt
On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > So it is the parsing of the XML into objects I have to track down. > Maybe it is even some Ubuntu Delta that no more correctly matches. > Will run on build from upstream master a

[libvirt] Xen device section defaults miss name='qemu'

2017-07-11 Thread Christian Ehrhardt
ou if you could take a look into this? -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] Xen device section defaults miss name='qemu'

2017-07-12 Thread Christian Ehrhardt
​Not sure how stupid it might be so clearly just a very humble RFC, but the following seems to work for me: Therefore no nicely polished patch, but just inline diff --- a/src/libxl/libxl_domain.c +++ b/src/libxl/libxl_domain.c @@ -367,8 +367,9 @@ int actual_type =

Re: [libvirt] backingStore info adding late breaks virt-aa-helper

2017-07-18 Thread Christian Ehrhardt
On Mon, Jul 17, 2017 at 8:40 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > > On Mon, Jul 17, 2017 at 8:17 PM, Christian Ehrhardt < > christian.ehrha...@canonical.com> wrote: >> >> So it is the parsing of the XML into objects I have to

Re: [libvirt] [PATCH] security: apparmor: Properly link with storage driver in helper program

2017-07-18 Thread Christian Ehrhardt
s you won't need all three, but I happily give them all to you :-) Thanks a lot Peter! Acked-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Reported-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Tested-by: Christian Ehrhardt <christian.ehrha...@canonical.com>

Re: [libvirt] [PATCH] apparmor, libvirt-qemu: Allow QEMU to gather information about available host resources.

2017-08-09 Thread Christian Ehrhardt
We had the same rule for some time, it just is ordered later in our submission stack and not yet pushed by me or Stefan for review. But since we have the same rules for quite some time working fine I'm clearly acking that. Thanks intrigeri! Acked-by: Christian Ehrhardt <christian.eh

Re: [libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
or now I'm just rewording in regard to this and resubmit to the thread. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH v2] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
From: Serge Hallyn <serge.hal...@ubuntu.com> There should be no need to make dir based pools world/group readable. So use 0711, not 0755, as the default perms for storage dirs. Updates in v2: - adapt commit wording to mention dropping group readable as well Signed-off-by: Christian Eh

Re: [libvirt] [PATCH v2] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
thank you a lot! Since we are about to submit a bigger pile of apparmor changes that hint might certainly be handy the next days/weeks. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

Re: [libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-15 Thread Christian Ehrhardt
PM spec - thanks Daniel to point this out. It is 711 on Ubuntu as well for quite some time now. Both together make this even less likely to have hidden drawbacks. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH] safer default storage dir permissions

2017-05-11 Thread Christian Ehrhardt
Hi, while cleaning out patches that we held for a while on top of libvirt I found this patch of Serge (thanks!) which I think would make just as much sense in the upstream project itself. Or in case the discussion might unveil why it might not make sense, that would also be a win for us to adapt.

[libvirt] [PATCH] storage: use 0711 as the default perms for dirs

2017-05-11 Thread Christian Ehrhardt
From: Serge Hallyn <serge.hal...@ubuntu.com> There should be no need to make dir based pools world readable. So use 0711, not 0755, as the default perms for storage dirs. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- docs/formatstorage.html.in | 2 +-

Re: [libvirt] [PATCH 8/8] apparmor, libvirt-qemu: Add ppc64el related changes

2017-05-19 Thread Christian Ehrhardt
On Fri, May 19, 2017 at 9:55 AM, Guido Günther wrote: > LGTM but I don't know much about PPC64, it's SLOF and where the device > tree should be located. > Hi those paths for SLOF are the default one for Debian/Ubuntu at least. $ dpkg -L qemu-slof /. /usr /usr/share

Re: [libvirt] [PATCH 01/10] virt-aa-helper: Ask for no deny rule for readonly disk elements

2017-05-19 Thread Christian Ehrhardt
d explanations. See especially [1] for some reasoning for 'R' in general. [1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f [2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e -- Christian Ehrhardt Software E

Re: [libvirt] [PATCH 07/10] apparmor, libvirt-qemu: Allow access to ceph config

2017-06-07 Thread Christian Ehrhardt
On Fri, Jun 2, 2017 at 12:57 PM, Guido Günther wrote: > Shouldn't this only be added when ceph is in use? > Cheers, > -- Guido > Yeah it is part of a category of rules where in a perfect world we would write virt-aa-helper code for each of them. In this particular case I

Re: [libvirt] [PATCH 08/10] apparmor, libvirt-qemu: Allow macvtap access

2017-06-07 Thread Christian Ehrhardt
anularily via virt-aa-helper - but otherwise please let me know - I'll then add it to a bunch of issues of the category "needs to be done in virt-aa-helper" which I already track. -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list

Re: [libvirt] [PATCH] qemu: Add AAVMF32 to the list of known UEFIs

2017-06-07 Thread Christian Ehrhardt
> +VIR_STRDUP(cfg->firmwares[2]->nvram, > VIR_QEMU_OVMF_SEC_NVRAM_PATH) < 0 || > +VIR_STRDUP(cfg->firmwares[3]->name, > VIR_QEMU_AAVMF32_LOADER_PATH) < 0 || > +VIR_STRDUP(cfg->firmwares[3]->nvram, > VIR_QEMU_AAVMF32_NVRAM_PATH) < 0) > goto error; > #endif > > -- > 2.11.0 > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
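Review bot: the added VIR_STRDUP calls write cfg->firmwares[3]->name and cfg->firmwares[3]->nvram, so whatever sizes and allocates cfg->firmwares has to provide a fourth entry before this chain runs; that part is not among the lines quoted here and should be checked against the full patch. If the array still holds three entries, these two calls dereference an element that was never allocated.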

[libvirt] How to implement pool support in virt-aa-helper?

2017-09-19 Thread Christian Ehrhardt
]: http://paste.ubuntu.com/25570670/ [2]: http://paste.ubuntu.com/25570673/ [3]: http://paste.ubuntu.com/25570720/ -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd

[libvirt] [PATCH 2/4] virt-aa-helper: fix libusb access to udev usb data

2017-09-20 Thread Christian Ehrhardt
using now as a workaround. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index dcfb1a5..b341e31 100644 --- a/examples/

[libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs

2017-09-20 Thread Christian Ehrhardt
unconditionally sets virHostdevFindUSBDevice mandatory attribute as adding an apparmor rule for a device not found makes no sense no matter what startup policy it has set. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 4 1 file changed, 4 insert

[libvirt] [PATCH 3/4] virt-aa-helper: allow spaces in vm names

2017-09-20 Thread Christian Ehrhardt
schema should do so. Apparmor rules are in quotes, so a space in a path based on the name works. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/security/virt-aa-he

[libvirt] [PATCH 4/4] virt-aa-helper: put static rules in quotes

2017-09-20 Thread Christian Ehrhardt
To avoid any issues later on if paths ever change (unlikely but possible) and to match the style of other generated rules the paths of the static rules have to be quoted as well. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/security/virt-aa-helper.c | 6 +++

[libvirt] [PATCH 0/4] misc virt-aa-helper fixes

2017-09-20 Thread Christian Ehrhardt
to that and submit them today. Christian Ehrhardt (4): virt-aa-helper: fix paths for usb hostdevs virt-aa-helper: fix libusb access to udev usb data virt-aa-helper: allow spaces in vm names virt-aa-helper: put static rules in quotes examples/apparmor/libvirt-qemu | 3 +++ src/security/virt-aa-helper.c

Re: [libvirt] [PATCH 1/4] virt-aa-helper: fix paths for usb hostdevs

2017-10-17 Thread Christian Ehrhardt
On Fri, Sep 29, 2017 at 4:58 PM, Michal Privoznik <mpriv...@redhat.com> wrote: > On 09/20/2017 04:59 PM, Christian Ehrhardt wrote: > > If users only specified vendor (the common case) then parsing > > the xml via virDomainHostdevSubsysUSBDefParseXML would only set these. >

Re: [libvirt] [PATCH V3] apparmor: support ptrace checks

2017-09-25 Thread Christian Ehrhardt
eer=unconfined, > > > + ptrace (trace) peer=/usr/sbin/libvirtd, > > > + ptrace (trace) peer=libvirt-*, > > > + > > > > This works here too! And I can even drop the first rule (ptrace (trace) > > peer=unconfined) and things still work (and from reading the profile and > > Jamies explanations it should work without it). Can you check if that > > works for you too? Otherwise: > > > > Reviewed-By: Guido Günther <a...@sigxcpu.org> > > I've pushed that patch as is since without the unconfined ptrace we're > seeing denials with gnome-boxes and virsh. > Cheers, > -- Guido > > > > > > > ># Very lenient profile for libvirtd since we want to first focus on > confining > > ># the guests. Guests will have a very restricted profile. > > >/ r, > > > -- > > > 2.14.1 > > > > > > > -- > > libvir-list mailing list > > libvir-list@redhat.com > > https://www.redhat.com/mailman/listinfo/libvir-list > > > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list > -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
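Review bot: the `ptrace (trace) peer=unconfined,` rule in this hunk is much broader than the two peer-specific rules that follow it, and the profile carries no comment saying why it is needed. The thread gives the reason (denials with gnome-boxes and virsh when it is dropped); a comment above the rule recording that would let a later reader judge whether it can be narrowed or removed.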

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-29 Thread Christian Ehrhardt
gards, > Daniel > -- > |: https://berrange.com -o-https://www.flickr.com/photos/ > dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org-o-https://www.instagram.com/ > dberrange :| > --

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-27 Thread Christian Ehrhardt
I did an in-place replacement of gnulib to the latest from gnulib upstream but the issue stays. So for the time being I'd assume it is not yet solved there. On Wed, Sep 27, 2017 at 11:36 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Hi, >

[libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-27 Thread Christian Ehrhardt
ld not get the example to fail without libvirt (OTOH I'm sure it would). Therefore I'm reaching out to you for your help and experience on the build system what could be done. [1]: https://sourceware.org/ml/libc-alpha/2017-04/msg00115.html -- Christian Ehrhardt Software Engineer, Ubuntu Server Can

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-28 Thread Christian Ehrhardt
On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote: > [adding gnulib] > > On 09/27/2017 04:36 PM, Christian Ehrhardt wrote: > > Hi, > > there seems to be an incompatibility to the last glibc due to [1]. > > Gnulib needs to be updated to track

Re: [libvirt] gnulib tests in libvirt broken by newer glibc 2.26

2017-09-28 Thread Christian Ehrhardt
On Thu, Sep 28, 2017 at 2:05 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > > > On Thu, Sep 28, 2017 at 12:25 AM, Eric Blake <ebl...@redhat.com> wrote: > >> [adding gnulib] >> > > [...] > >> > then libvirt needs to pi

Re: [libvirt] [PATCH] virnetdaemon: Don't deadlock when talking to D-Bus

2017-09-01 Thread Christian Ehrhardt
> now and have it locked already (in > virNetDaemonAddShutdownInhibition()) > > Signed-off-by: Michal Privoznik <mpriv...@redhat.com> > > Change builds fine (on top of 3.6) and seems to fix the issue. Survived 20 minutes in my stress loop, which it never did before. Tested-by: Christian Ehrhardt <chri

Re: [libvirt] [PATCH 0/4] misc virt-aa-helper fixes

2017-09-27 Thread Christian Ehrhardt
Hi, just a ping to ask if anybody could take a look to review this set of smaller changes? On Wed, Sep 20, 2017 at 4:59 PM, Christian Ehrhardt < christian.ehrha...@canonical.com> wrote: > Hi, > this was mostly created by clearing old libvirt bugs in Ubuntu. > USB passthrough so

[libvirt] [PATCH 1/2] Increase default file handle limits for virtlogd

2017-10-18 Thread Christian Ehrhardt
by default we should raise the limit to 16k. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- src/logging/virtlogd.service.in | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in

[libvirt] [PATCH 0/2] Further Increase default file handle limits

2017-10-18 Thread Christian Ehrhardt
y have to be tweaked in really uncommon cases. Christian Ehrhardt (2): Increase default file handle limits for virtlogd Increase default file handle limits for virtlockd src/locking/virtlockd.service.in | 4 ++-- src/logging/virtlogd.service.in | 6 -- 2 files changed, 6 insertions(+), 4 del

[libvirt] [PATCH 2/2] Increase default file handle limits for virtlockd

2017-10-18 Thread Christian Ehrhardt
The assumption so far was an average of 4 disks per guest. But some architectures, like s390x, still often use plenty of smaller disks. To include those in the considerations an assumption of an average of 10 disks is more reasonable. Signed-off-by: Christian Ehrhardt <christian.eh

[libvirt] Qemu capability probes lifecycle should be tied to libvirtd

2017-12-18 Thread Christian Ehrhardt
rrect" to stop the processes on a libvirtd stop? [1]: http://paste.ubuntu.com/26208661/ [2]: http://paste.ubuntu.com/26208664/ P.S. I discussed this on IRC last Friday, but other than Michael confirming the current state there was no further traction on the discussion yet. -- Christian Ehrhard

Re: [libvirt] Qemu capability probes lifecycle should be tied to libvirtd

2017-12-18 Thread Christian Ehrhardt
On Mon, Dec 18, 2017 at 3:35 PM, Daniel P. Berrange <berra...@redhat.com> wrote: > On Mon, Dec 18, 2017 at 03:22:57PM +0100, Christian Ehrhardt wrote: >> Hi, >> on libvirt 3.10 I see a set of qemu processes used for capability >> probing [1] (in my case 8x x86_64 a

[libvirt] [PATCH] apparmor: allow unix stream for p2p migrations

2017-12-19 Thread Christian Ehrhardt
For now the lack of a profile on the peer as well as comm not being a conditional on rules do not allow to filter further. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/usr.sbin.libvirtd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/e

Re: [libvirt] [PATCH] Let virt-manager 1.4.0+ work to access console of VM

2017-12-19 Thread Christian Ehrhardt
>> >> + >> >> + # allow connect with openGraphicsFD to work >> >> + unix (send, receive) type=stream peer=(label=/usr/sbin/libvirtd), >> > >> > Shouldn't this only be added via virt-aa-helper when a corresponding >> > console is in u

[libvirt] [PATCH 04/12] apparmor, libvirt-qemu: Allow read access to max_mem_regions

2017-12-19 Thread Christian Ehrhardt
From: Serge Hallyn Allows read access to /sys/module/vhost/parameters/max_mem_regions. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1531564 Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 2 ++ 1 file changed, 2

[libvirt] [PATCH 10/12] apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*

2017-12-19 Thread Christian Ehrhardt
From: Jamie Strandboge This is required for the ebtables functionality added in libvirt 0.8.0. Signed-off-by: Stefan Bader --- examples/apparmor/usr.sbin.libvirtd | 4 1 file changed, 4 insertions(+) diff --git

[libvirt] [PATCH 03/12] apparmor, libvirt-qemu: Allow read access to sysfs system info

2017-12-19 Thread Christian Ehrhardt
From: Jamie Strandboge Newer qemu wants to read /sys/devices/system/node/ /sys/devices/system/cpu/ /sys/devices/system/node/node[0-9]*/meminfo Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 4 1 file changed, 4 insertions(+)

[libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

2017-12-19 Thread Christian Ehrhardt
From: Stefan Bader <stefan.ba...@canonical.com> Prevent denial messages related to attempted reads on lttng files from spamming the logs. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1432644 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Signed-off-by:

[libvirt] [PATCH 00/12] Various apparmor related changes (part )

2017-12-19 Thread Christian Ehrhardt
submit for your consideration into 3.11. Christian Ehrhardt (3): apparmor, libvirt-qemu: add default pki path of lbvirt-spice apparmor, libvirt-qemu: add generic base vfio device apparmor, libvirt-qemu: qemu won't call qemu-nbd Jamie Strandboge (5): apparmor, libvirt-qemu: Allow read

Re: [libvirt] [PATCH 00/12] Various apparmor related changes (part )

2017-12-19 Thread Christian Ehrhardt
I beg your pardon - too much open edits at once - should have been "part 3" in the subject :-)

[libvirt] [PATCH 12/12] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

2017-12-19 Thread Christian Ehrhardt
From: Jamie Strandboge Required to generate correct profiles when using usb passthrough. Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 Signed-off-by: Stefan Bader --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++ 1 file changed, 2

[libvirt] [PATCH 01/12] apparmor, libvirt-qemu: Allow use of sgabios

2017-12-19 Thread Christian Ehrhardt
From: Serge Hallyn Bug-Ubuntu: https://bugs.launchpad.net/bugs/1393548 Signed-off-by: Stefan Bader --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu

[libvirt] [PATCH 09/12] apparmor, libvirt-qemu: qemu won't call qemu-nbd

2017-12-19 Thread Christian Ehrhardt
While libvirtd might do so, qemu itself as a guest will not need to call qemu-nbd so remove it from the profile. Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Signed-off-by: Stefan Bader <stefan.ba...@canonical.com> --- examples/apparmor/libvirt-qemu | 1 - 1

[libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

2017-12-19 Thread Christian Ehrhardt
From: Jamie Strandboge Bug-Ubuntu: https://bugs.launchpad.net/bugs/591769 Signed-off-by: Stefan Bader --- examples/apparmor/usr.lib.libvirt.virt-aa-helper | 4 1 file changed, 4 insertions(+) diff --git

[libvirt] [PATCH 08/12] apparmor, libvirt-qemu: add generic base vfio device

2017-12-19 Thread Christian Ehrhardt
id=64055 ouid=0 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1678322 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> Signed-off-by: Stefan Bader <stefan.ba...@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file changed, 3 insertions(+) diff --git a/e

[libvirt] [PATCH 06/12] apparmor, libvirt-qemu: Allow access to hugepage mounts

2017-12-19 Thread Christian Ehrhardt
From: Serge Hallyn Allows owner access to hugepage mounts (both, the old and new systemd variant). Bug-Ubuntu: https://bugs.launchpad.net/bugs/1250216 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1524737 Signed-off-by: Stefan Bader ---

[libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

2017-12-19 Thread Christian Ehrhardt
From: Jamie Strandboge <ja...@ubuntu.com> Allows (multi-arch enabled) access to libraries under the /usr/lib/@{multiarch}/qemu/*.so path in the Debian/Ubuntu qemu-block-extra package. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554761 Signed-off-by: Christian Ehrhardt <christ

[libvirt] [PATCH 07/12] apparmor, libvirt-qemu: add default pki path of lbvirt-spice

2017-12-19 Thread Christian Ehrhardt
://bugs.launchpad.net/bugs/1690140 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 4 1 file changed, 4 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index bb30530..5d811f9 100644 --- a/examples/ap

[libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-14 Thread Christian Ehrhardt
he road with "policy namespaces with scope and view control + stacking" This is more a use-case addition than a fix to the following two changes: - 3b1d19e6 AppArmor: add rules needed with additional mediation features - b482925c apparmor: support ptrace checks Signed-off-

Re: [libvirt] [PATCH 05/12] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

2017-12-19 Thread Christian Ehrhardt
On Tue, Dec 19, 2017 at 5:09 PM, Jamie Strandboge <ja...@canonical.com> wrote: > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: >> From: Jamie Strandboge <ja...@ubuntu.com> >> >> Allows (multi-arch enabled) access to libraries under the >>

[libvirt] [PATCH v2] apparmor, libvirt-qemu: Allow qemu-block-extra libraries

2017-12-19 Thread Christian Ehrhardt
554761 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 91d0e02..34a564f 100644 --- a/examp

[libvirt] [PATCH v2] apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices

2017-12-20 Thread Christian Ehrhardt
From: Jamie Strandboge <ja...@ubuntu.com> Required to generate correct profiles when using usb passthrough. Bug-Ubuntu: https://bugs.launchpad.net/bugs/565691 Signed-off-by: Stefan Bader <stefan.ba...@canonical.com> Signed-off-by: Christian Ehrhardt <christian.ehrha...@canon

Re: [libvirt] [PATCH 03/12] apparmor, libvirt-qemu: Allow read access to sysfs system info

2017-12-20 Thread Christian Ehrhardt
On Wed, Dec 20, 2017 at 10:35 AM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, > > Christian Ehrhardt: >> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu >> index 651d841..b9e45bd 100644 >> --- a/examples/apparmor/libvirt-qemu &

Re: [libvirt] [PATCH 07/12] apparmor, libvirt-qemu: add default pki path of lbvirt-spice

2017-12-20 Thread Christian Ehrhardt
On Wed, Dec 20, 2017 at 10:45 AM, intrigeri wrote: > Jamie Strandboge: >>> + # for use by libvirt-spice (LP: #1690140) >>> + /etc/pki/libvirt-spice/ r, >>> + /etc/pki/libvirt-spice/** r, > >> +1 to apply > > +1 as well, although I'd prefer some minor refactoring to

Re: [libvirt] [PATCH 11/12] apparmor, virt-aa-helper: Allow access to ecryptfs files

2017-12-20 Thread Christian Ehrhardt
On Wed, Dec 20, 2017 at 10:50 AM, intrigeri <intrigeri+libv...@boum.org> wrote: > Jamie Strandboge: >> On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: >>> + # Alow access to ecryptfs files (LP: #591769) >>> + @{HOME}/.Private/** mrwlk, >>
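
Review bot: the added rule `@{HOME}/.Private/** mrwlk,` gives the helper write, link, lock and executable-mapping permission over everything under `.Private`, which is wider than the subject line "Allow access to ecryptfs files" explains. Say in the comment or the commit message why each of `m`, `w`, `l` and `k` is needed, or narrow the rule to `r` if reading is enough. The comment line above it also misspells "Allow" as "Alow".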

Re: [libvirt] [PATCH 04/12] apparmor, libvirt-qemu: Allow read access to max_mem_regions

2017-12-20 Thread Christian Ehrhardt
On Wed, Dec 20, 2017 at 10:35 AM, intrigeri <intrig...@boum.org> wrote: > Christian Ehrhardt: >> Allows read access to /sys/module/vhost/parameters/max_mem_regions. > > Same as patch 03, already done back in August. Yes, thanks for doing so (also same reason)! TL;

[libvirt] [PATCH v2] apparmor, libvirt-qemu: add default pki path of libvirt-spice

2017-12-20 Thread Christian Ehrhardt
places we have to cover PKI access into one. Bug-Ubuntu: https://bugs.launchpad.net/bugs/1690140 Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 13 + 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/examples/ap

Re: [libvirt] [PATCH 08/12] apparmor, libvirt-qemu: add generic base vfio device

2017-12-20 Thread Christian Ehrhardt
On Tue, Dec 19, 2017 at 5:26 PM, Jamie Strandboge <ja...@canonical.com> wrote: > On Tue, 2017-12-19 at 16:03 +0100, Christian Ehrhardt wrote: >> vfio devices are generated on the fly, but the generic base is >> missing. >> >> The base vfio has not much func

Re: [libvirt] [PATCH 02/12] apparmor, libvirt-qemu: Silence lttng related deny messages

2017-12-20 Thread Christian Ehrhardt
On Wed, Dec 20, 2017 at 10:30 AM, intrigeri <intrigeri+libv...@boum.org> wrote: > Hi, > > Christian Ehrhardt: >> --- a/examples/apparmor/libvirt-qemu >> +++ b/examples/apparmor/libvirt-qemu >> @@ -191,3 +191,7 @@ >>/sys/devices/system/node/ r, >>

[libvirt] [PATCH 1/2] apparmor: allow qemu to read max_segments

2017-11-03 Thread Christian Ehrhardt
a symlink path we need to translate that for apparmor from "/sys/dev/block/*/queue/max_segments" to "/sys/devices/**/block/*/queue/max_segments" Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com> --- examples/apparmor/libvirt-qemu | 3 +++ 1 file

[libvirt] [PATCH 0/2] Misc apparmor fixes

2017-11-03 Thread Christian Ehrhardt
://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1729626 Christian Ehrhardt (2): apparmor: allow qemu to read max_segments apparmor, virt-aa-helper: allow ipv6 examples/apparmor/libvirt-qemu | 3 +++ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 1 + 2 files changed, 4
