On a Tuesday in 2024, Michal Privoznik wrote:
If user requests their virSecret value to be encrypted using
hosts' TPM we can now honour such request as we have all the APIs
ready. The value is still stored in a file (obj->base64File) but
because it was encrypted by TPM it's not readable (even tho
On a Tuesday in 2024, Jiri Denemark wrote:
On Tue, Feb 13, 2024 at 18:48:59 +0100, Jiri Denemark wrote:
I didn't explicitly test mingw builds, but I tested running meson setup
with all combinations, especially with -Dsysctl_config=disabled and not
specifying userfaultfd_sysctl option at all and
There is a case where locking hits a bug and users want to disable
locking, like a bug in the Linux kernel.
This commit adds an option to configure locking for file source.
Signed-off-by: Hiroki Narukawa
---
docs/formatdomain.rst | 5 +
src/conf/domain_conf.c| 8
src/
There is a case that Linux has a bug and unlocking does not work properly like
this:
https://lore.kernel.org/lkml/20230608084609.14245-1-zhangjiachen.jay...@bytedance.com/T/
Especially in the situation that the live migration source node has this kind of
bug, the destination must not lock, or otherwis
There is a case where locking hits a bug and users want to disable
locking, like a bug in the Linux kernel.
This commit adds actual qemu option to the domain conf added in previous
commit.
Signed-off-by: Hiroki Narukawa
---
src/qemu/qemu_block.c | 7 ++
tests/qemublocktest
Hi
On Tue, Feb 13, 2024 at 5:58 PM Markus Armbruster wrote:
>
> Markus Armbruster writes:
>
> > The __linux__ version of qemu_chr_open_pp_fd() tries to claim the
> > parport device with a PPCLAIM ioctl(). On success, it stores the file
> > descriptor in the chardev object, and returns success.
The %meson* macros pass --auto-features=enabled to enable all "auto"
features, which means we have to explicitly disable them.
Signed-off-by: Jiri Denemark
---
Notes:
Pushed as a build breaker.
libvirt.spec.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/libvirt.spec.in b/libvirt.sp
On Tue, Feb 13, 2024 at 18:48:59 +0100, Jiri Denemark wrote:
> On Tue, Feb 13, 2024 at 11:39:26 +0100, Jiri Denemark wrote:
> > This option controls whether the sysctl config for enabling unprivileged
> > userfaultfd will be installed.
> >
> > Signed-off-by: Jiri Denemark
> > ---
> > meson.build
On Tue, Feb 13, 2024 at 11:39:26 +0100, Jiri Denemark wrote:
> This option controls whether the sysctl config for enabling unprivileged
> userfaultfd will be installed.
>
> Signed-off-by: Jiri Denemark
> ---
> meson.build | 8
> meson_options.txt| 1 +
> src/qemu/meson.buil
On Wed, Feb 07, 2024 at 11:22:09 +0100, Peter Krempa wrote:
[...]
> Later today or tomorrow I'll push the already-reviewed patch:
>
>
> https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/FFYC3ZYV5MOWJBKOKMUJTYPPHGNNLOJU/
>
> which will switch over the redirect rule prefix
Signed-off-by: Michal Privoznik
---
NEWS.rst | 6 ++
1 file changed, 6 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index 15b0da31b6..9c0e4b4b65 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -30,6 +30,12 @@ v10.1.0 (unreleased)
to resolve names of the connected guests using the name server
If user requests their virSecret value to be encrypted using
hosts' TPM we can now honour such request as we have all the APIs
ready. The value is still stored in a file (obj->base64File) but
because it was encrypted by TPM it's not readable (even though
it's still base64 encoded).
And since we ca
This attribute exists next to @ephemeral and @private attributes
and controls whether the secret value is encrypted using the system's
TPM chip before being stored on disk. Obviously, it's mutually
exclusive with @ephemeral which forces us to keep the secret
value in memory only.
In the long run, we can eve
The systemd-cred offers a convenient way to talk to host's TPM.
While its original intent is to be used in systemd unit files, it
offers two additional commands: encrypt and decrypt that can be
used independent of the rest of systemd. And these are the ones
we need. They offer a convenient way to e
Secret values are stored effectively in plaintext on a disk and we rely
on file perms to secure them. But with systemd-cred we can use system's
TPM chip and encrypt them.
Such secrets won't be transferable to another system by simply copying
files stored on disk, but: a) that's not recommended way
On a Tuesday in 2024, Michal Privoznik wrote:
Couple of things happening here:
1) add a missing case to our polkit checks
2) modernize XML parsing and formatting, so that the code is prepared
for a new feature I'm working on.
Michal Prívozník (4):
viraccessdriverpolkit: Add missing vtpm case
Markus Armbruster writes:
> The __linux__ version of qemu_chr_open_pp_fd() tries to claim the
> parport device with a PPCLAIM ioctl(). On success, it stores the file
> descriptor in the chardev object, and returns success. On failure, it
> closes the file descriptor, and returns failure.
>
> ch
On a Tuesday in 2024, Jiri Denemark wrote:
Jiri Denemark (3):
qemu: Add support for /dev/userfaultfd
build: Add userfaultfd_sysctl build option
spec: Disable with_userfaultfd_sysctl on Fedora and RHEL-9
libvirt.spec.in| 16 +++
meson.build|
Our virSecret XML is still parsed and formatted using old way
(e.g. virXPathString() + virXXXTypeFromString() combo, or
formatting elements using plain virBufferAsprintf() instead of
virXMLFormatElement()). Modernize the code as it'll make it
easier for future expansion.
Signed-off-by: Michal Priv
The virSecretDefParseUsage() function is called conditionally.
Call it unconditionally and keep a pointer to the node as
it'll come in handy soon.
Signed-off-by: Michal Privoznik
---
src/conf/secret_conf.c | 23 +++
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/s
Convert the field and adjust the XML parsers to use
virXMLPropEnum().
Signed-off-by: Michal Privoznik
---
src/access/viraccessdriverpolkit.c | 4
src/conf/secret_conf.c | 24
src/conf/secret_conf.h | 2 +-
3 files changed, 13 insertions(+),
When adding vtpm virSecret usage type (in v5.6.0-rc1~61) we
forgot to update polkit access check. This limited user's ability
to match secrets in their rules. Add missing case into switch in
virAccessDriverPolkitCheckSecret().
Signed-off-by: Michal Privoznik
---
src/access/viraccessdriverpolkit.
Couple of things happening here:
1) add a missing case to our polkit checks
2) modernize XML parsing and formatting, so that the code is prepared
for a new feature I'm working on.
Michal Prívozník (4):
viraccessdriverpolkit: Add missing vtpm case
secret_conf: Simplify calling of virSecretDe
On 2/9/24 23:13, Jonathon Jongsma wrote:
On 2/7/24 7:39 AM, Boris Fiuczynski wrote:
This public API is implemented for almost all other objects that have
a concept of persistent definition and activatability. Node devices
(mdevs) that can be defined and inactive, it will be useful to be
able to
All supported versions of Fedora and RHEL >= 9.0 support
/dev/userfaultfd.
Signed-off-by: Jiri Denemark
---
libvirt.spec.in | 16
1 file changed, 16 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 8413e3c19a..6701f7b6e9 100644
--- a/libvirt.spec.in
+++ b/libv
/dev/userfaultfd device is preferred over userfaultfd syscall for
post-copy migrations. Unless qemu driver is configured to disable mount
namespace or to forbid access to /dev/userfaultfd in cgroup_device_acl,
we will copy it to the limited /dev filesystem QEMU will have access to
and label it appr
This option controls whether the sysctl config for enabling unprivileged
userfaultfd will be installed.
Signed-off-by: Jiri Denemark
---
meson.build | 8
meson_options.txt| 1 +
src/qemu/meson.build | 2 +-
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/meso
Jiri Denemark (3):
qemu: Add support for /dev/userfaultfd
build: Add userfaultfd_sysctl build option
spec: Disable with_userfaultfd_sysctl on Fedora and RHEL-9
libvirt.spec.in| 16 +++
meson.build| 8 ++
meson_options.txt
On 2/9/24 23:45, Jonathon Jongsma wrote:
On 2/7/24 7:39 AM, Boris Fiuczynski wrote:
Implement the API functions in the node device driver by using
mdevctl modify with the options defined and live.
Instead of increasing the minimum mdevctl version to 1.3.0 in spec file
to ensure support exists in