[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/bookworm] 2 commits: patches: Add backports
Andrea Bolognani (@abologna)
gitlab at salsa.debian.org
Wed Oct 30 21:50:00 GMT 2024
Andrea Bolognani pushed to branch debian/bookworm at Libvirt Packaging Team / libvirt
Commits:
275099d9 by Andrea Bolognani at 2024-10-21T12:25:42+02:00
patches: Add backports
Specifically:
* backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
- Closes: #1030926
* backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-[...]
- Prevents certain guests from becoming unbootable or
disappearing during upgrade
- - - - -
315d9c70 by Andrea Bolognani at 2024-10-21T13:52:54+02:00
Document changes and release 9.0.0-4+deb12u2
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
- + debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch
- debian/patches/debian/apparmor_profiles_local_include.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+libvirt (9.0.0-4+deb12u2) bookworm; urgency=medium
+
+ * [275099d] patches: Add backports
+ - backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
+ - Closes: #1030926
+ - backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-[...]
+ - Prevents certain guests from becoming unbootable or
+ disappearing during upgrade
+
+ -- Andrea Bolognani <eof at kiyuko.org> Mon, 21 Oct 2024 13:51:48 +0200
+
libvirt (9.0.0-4+deb12u1) bookworm; urgency=medium
[ Cyril Brulebois ]
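Review bot: the second backport entry carries no bug reference, and its patch name is cut to `backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-[...]`, so the changelog cannot be grepped for the file that debian/patches/series actually lists. Spelling out the full file name (wrapped onto a continuation line if needed) and adding a `Closes:` or upstream commit reference, as the apparmor entry does with `Closes: #1030926`, would make the stable update easier to audit.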
=====================================
debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
=====================================
@@ -0,0 +1,37 @@
+From: Andrea Bolognani <abologna at redhat.com>
+Date: Tue, 15 Oct 2024 11:50:36 +0200
+Subject: apparmor: Allow running i686 VMs on Debian 12
+
+In Debian 12, the qemu-system-i386 binary in /usr/bin is a wrapper
+script, with the actual executable living in /usr/libexec instead.
+This makes it impossible to run i686 VMs when AppArmor is enabled.
+
+Allow running the actual binary.
+
+https://bugs.debian.org/1030926
+
+Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+Reviewed-by: Jim Fehlig <jfehlig at suse.com>
+(cherry picked from commit 81493d8eb6ec5d3f063b0b5770df33ed656d6766)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/81493d8eb6ec5d3f063b0b5770df33ed656d6766
+Bugs-Debian: https://bugs.debian.org/1030926
+---
+ src/security/apparmor/libvirt-qemu | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index d0289b8..ed96f6e 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -171,6 +171,9 @@
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
++ # Debian 12 has a wrapper script in /usr/bin while the actual
++ # binary lives in /usr/libexec (Debian: #1030926)
++ /usr/libexec/qemu-system-i386 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
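Review bot: the patch header line `Bugs-Debian: https://bugs.debian.org/1030926` uses a field name that DEP-3 does not define; the vendor bug field is `Bug-Debian:`, so tools that parse patch headers will not pick up the link. In the profile hunk itself, the new rule names `/usr/libexec/qemu-system-i386` only; if the wrapper arrangement described in the comment applies to any other qemu-system binary on Debian 12, that binary would hit the same denial, so the comment could state that i386 is the only one affected.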
=====================================
debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch
=====================================
@@ -0,0 +1,80 @@
+From: Michal Privoznik <mprivozn at redhat.com>
+Date: Tue, 23 Jan 2024 17:20:42 +0100
+Subject: qemu_process: Skip over non-virtio non-TAP NIC models when
+ refreshing rx-filter
+
+After guest is started, or we are reconnecting to already running
+one (after daemon restart), qemuProcessRefreshRxFilters() is
+called to refresh rx-filters (basically MAC addresses of guest
+NICs) as they might have changed while we were not running (for
+the case when reconnecting to an already running guest), or we
+need to enable them by running a command (for freshly started
+guest - see processNicRxFilterChangedEvent()).
+
+Now, our XML parser allowed trustGuestRxFilters attribute for all
+types and models of <interface/> while in reality, only virtio
+model AND TUN/TAP based types can see MAC address changes. For
+other combinations, QEMU reports an error.
+
+This all means that when the daemon is restarted and it
+reconnects to a guest with, well invalid configuration, or when
+such guest is restored from a saved image, or migrated then we
+issue the monitor command, to which QEMU replies with an error
+which is then propagated to users:
+
+ error: internal error: unable to execute QEMU command 'query-rx-filter': invalid net client name: hostdev0
+
+While on one hand users should fix their configuration (and after
+v10.0.0-rc1~123 they can do that even on live domains), libvirt
+can also has some logic built in that prevent issuing the command
+in the first place (for obviously wrong cases).
+
+Fixes: 060d4c83ef436cf56abfad51a4d64c39448e199d
+Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
+Reviewed-by: Peter Krempa <pkrempa at redhat.com>
+(cherry picked from commit bee5301afa55a28090c0262f34c84762120bf878)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/bee5301afa55a28090c0262f34c84762120bf878
+---
+ src/qemu/qemu_process.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 0c408ee..9ca3bdb 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -7991,6 +7991,33 @@ qemuProcessRefreshRxFilters(virDomainObj *vm,
+ if (!virDomainNetGetActualTrustGuestRxFilters(def))
+ continue;
+
++ /* rx-filters are supported only for virtio model and TUN/TAP based
++ * types. */
++ if (def->model != VIR_DOMAIN_NET_MODEL_VIRTIO)
++ continue;
++
++ switch (virDomainNetGetActualType(def)) {
++ case VIR_DOMAIN_NET_TYPE_ETHERNET:
++ case VIR_DOMAIN_NET_TYPE_NETWORK:
++ case VIR_DOMAIN_NET_TYPE_BRIDGE:
++ case VIR_DOMAIN_NET_TYPE_DIRECT:
++ break;
++ case VIR_DOMAIN_NET_TYPE_USER:
++ case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
++ case VIR_DOMAIN_NET_TYPE_SERVER:
++ case VIR_DOMAIN_NET_TYPE_CLIENT:
++ case VIR_DOMAIN_NET_TYPE_MCAST:
++ case VIR_DOMAIN_NET_TYPE_INTERNAL:
++ case VIR_DOMAIN_NET_TYPE_HOSTDEV:
++ case VIR_DOMAIN_NET_TYPE_UDP:
++ case VIR_DOMAIN_NET_TYPE_VDPA:
++ case VIR_DOMAIN_NET_TYPE_NULL:
++ case VIR_DOMAIN_NET_TYPE_VDS:
++ case VIR_DOMAIN_NET_TYPE_LAST:
++ default:
++ continue;
++ }
++
+ if (qemuDomainSyncRxFilter(vm, def, asyncJob) < 0)
+ return -1;
+ }
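Review bot: both new `continue` paths (the `def->model != VIR_DOMAIN_NET_MODEL_VIRTIO` check and the unsupported-type arm of the switch) skip the interface silently, even though the preceding `virDomainNetGetActualTrustGuestRxFilters(def)` check has already established that trustGuestRxFilters was requested for it. The commit message says users should fix such configurations, so a VIR_DEBUG or VIR_WARN naming the interface before each `continue` would keep the misconfiguration visible instead of hiding it. The message also points at v10.0.0-rc1~123 for fixing this on live domains, which is later than the 9.0.0 base this is backported to; the Debian patch header would be the place to say whether that option exists in this package.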
=====================================
debian/patches/debian/apparmor_profiles_local_include.patch
=====================================
@@ -24,10 +24,10 @@ index 0c8b812..72278b5 100644
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/abstractions/libvirt-lxc>
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
-index d0289b8..9c541f9 100644
+index ed96f6e..4f7a43a 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
-@@ -254,3 +254,6 @@
+@@ -257,3 +257,6 @@
# required for QEMU accessing UEFI nvram variables
owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
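Review bot: the refreshed `index ed96f6e..4f7a43a` line and the move from `@@ -254,3` to `@@ -257,3` make this patch apply cleanly only on top of backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch, and nothing in the patch records that ordering dependency. A one-line note in its header, or a check that it stays after the backport in debian/patches/series, would prevent a fuzzy or failed apply if the series is reordered later.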
=====================================
debian/patches/series
=====================================
@@ -16,6 +16,8 @@ backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch
backport/remote-check-for-negative-array-lengths-before-allocation.patch
backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch
backport/qemu-domain-Fix-logic-when-tainting-domain.patch
+backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch
+backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
forward/Skip-vircgrouptest.patch
forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/compare/3a1d9f2053a2eadb9b0dd803f6e8e252f5ce7ff0...315d9c7042f1e09cd7a185c4a6cce204f6d8261d