[Pkg-libvirt-maintainers] Bug#1085711: bookworm-pu: package libvirt/9.0.0-4+deb12u2

Andrea Bolognani eof at kiyuko.org
Mon Oct 21 23:22:32 BST 2024


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: libvirt at packages.debian.org
Control: affects -1 + src:libvirt


[ Reason ]

The update addresses two issues: the first one is

  * https://bugs.debian.org/1030926

while the other one isn't tracked on the BTS but has been reported to
the upstream user list as

  * https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/QZ43KUTWO5UY2FLC5BMKKHA7CCCKJ3HI/

In both cases, the solution is a clean cherry-pick of a fix that has
already been committed upstream.


[ Impact ]

If the update is not approved, i386 VMs will continue not to work on
Debian 12 unless AppArmor is disabled, and certain (admittedly
uncommon) configurations will result in unbootable or even
disappearing guests, particularly when upgrading from Debian 11.


[ Tests ]

The update was manually tested.

I have also inspected the changes and confirmed that they make sense.
For one of the backported patches, I am the original author.


[ Risks ]

The fixes are small and targeted, and have already been validated
upstream. libvirt has an extremely high bar for breaking backwards
compatibility, so the risk of that being an issue is very low.


[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [ ] the issue is verified as fixed in unstable

About the last point. One of the issues (i386 VMs not working with
AppArmor) doesn't actually reproduce in unstable, because the
triggering factor is /usr/bin/qemu-system-i386 being a wrapper
script, and that was only the case in Debian 12.

The backported change is not in unstable right now, but will be once
10.9.0-1 is uploaded. This will happen in early November, right after
the upstream release is published.

It doesn't seem worthwhile to upload to unstable only to add a
backport that is effectively a no-op for that version, or to delay
the update until 12.9. Hopefully the Release Team agrees with this
rationale.


Cheers.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
diff -Nru libvirt-9.0.0/debian/changelog libvirt-9.0.0/debian/changelog
--- libvirt-9.0.0/debian/changelog	2024-08-24 16:05:45.000000000 +0200
+++ libvirt-9.0.0/debian/changelog	2024-10-21 13:51:48.000000000 +0200
@@ -1,3 +1,14 @@
+libvirt (9.0.0-4+deb12u2) bookworm; urgency=medium
+
+  * [275099d] patches: Add backports
+    - backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
+      - Closes: #1030926
+    - backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-[...]
+      - Prevents certain guests from becoming unbootable or
+        disappearing during upgrade
+
+ -- Andrea Bolognani <eof at kiyuko.org>  Mon, 21 Oct 2024 13:51:48 +0200
+
 libvirt (9.0.0-4+deb12u1) bookworm; urgency=medium
 
   [ Cyril Brulebois ]
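Review bot: the changelog entry for the qemu_process backport carries no bug reference, unlike the apparmor entry with its `Closes: #1030926`; since the cover letter says that issue is only tracked on the upstream users list, consider adding the list thread URL (or at least the upstream commit id bee5301a from the patch header) to the entry so the stable update can be traced back without reading this bug report.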
diff -Nru libvirt-9.0.0/debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch libvirt-9.0.0/debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
--- libvirt-9.0.0/debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-9.0.0/debian/patches/backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch	2024-10-21 13:51:48.000000000 +0200
@@ -0,0 +1,37 @@
+From: Andrea Bolognani <abologna at redhat.com>
+Date: Tue, 15 Oct 2024 11:50:36 +0200
+Subject: apparmor: Allow running i686 VMs on Debian 12
+
+In Debian 12, the qemu-system-i386 binary in /usr/bin is a wrapper
+script, with the actual executable living in /usr/libexec instead.
+This makes it impossible to run i686 VMs when AppArmor is enabled.
+
+Allow running the actual binary.
+
+https://bugs.debian.org/1030926
+
+Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+Reviewed-by: Jim Fehlig <jfehlig at suse.com>
+(cherry picked from commit 81493d8eb6ec5d3f063b0b5770df33ed656d6766)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/81493d8eb6ec5d3f063b0b5770df33ed656d6766
+Bugs-Debian: https://bugs.debian.org/1030926
+---
+ src/security/apparmor/libvirt-qemu | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index d0289b8..ed96f6e 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -171,6 +171,9 @@
+   /usr/bin/qemu-system-xtensaeb rmix,
+   /usr/bin/qemu-unicore32 rmix,
+   /usr/bin/qemu-x86_64 rmix,
++  # Debian 12 has a wrapper script in /usr/bin while the actual
++  # binary lives in /usr/libexec (Debian: #1030926)
++  /usr/libexec/qemu-system-i386 rmix,
+   # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+   /usr/{lib,lib64}/qemu/*.so mr,
+   /usr/lib/@{multiarch}/qemu/*.so mr,
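Review bot: the new `/usr/libexec/qemu-system-i386 rmix,` rule uses `ix` like the surrounding `/usr/bin` rules, so the real binary exec'd by the Debian 12 wrapper script keeps running under the guest's confinement instead of transitioning to another profile or running unconfined, which is the right choice here. The rule is pinned to the i386 binary only, though, so any other qemu-system-* binary shipped with the same wrapper layout would still be denied; a sentence in the commit message (or the profile comment) confirming that qemu-system-i386 is the only such wrapper in Debian 12 would make the narrow scope deliberate rather than accidental.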
diff -Nru libvirt-9.0.0/debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch libvirt-9.0.0/debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch
--- libvirt-9.0.0/debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-9.0.0/debian/patches/backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch	2024-10-21 13:51:48.000000000 +0200
@@ -0,0 +1,80 @@
+From: Michal Privoznik <mprivozn at redhat.com>
+Date: Tue, 23 Jan 2024 17:20:42 +0100
+Subject: qemu_process: Skip over non-virtio non-TAP NIC models when
+ refreshing rx-filter
+
+After guest is started, or we are reconnecting to already running
+one (after daemon restart), qemuProcessRefreshRxFilters() is
+called to refresh rx-filters (basically MAC addresses of guest
+NICs) as they might have changed while we were not running (for
+the case when reconnecting to an already running guest), or we
+need to enable them by running a command (for freshly started
+guest - see processNicRxFilterChangedEvent()).
+
+Now, our XML parser allowed trustGuestRxFilters attribute for all
+types and models of <interface/> while in reality, only virtio
+model AND TUN/TAP based types can see MAC address changes. For
+other combinations, QEMU reports an error.
+
+This all means that when the daemon is restarted and it
+reconnects to a guest with, well invalid configuration, or when
+such guest is restored from a saved image, or migrated then we
+issue the monitor command, to which QEMU replies with an error
+which is then propagated to users:
+
+  error: internal error: unable to execute QEMU command 'query-rx-filter': invalid net client name: hostdev0
+
+While on one hand users should fix their configuration (and after
+v10.0.0-rc1~123 they can do that even on live domains), libvirt
+can also has some logic built in that prevent issuing the command
+in the first place (for obviously wrong cases).
+
+Fixes: 060d4c83ef436cf56abfad51a4d64c39448e199d
+Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
+Reviewed-by: Peter Krempa <pkrempa at redhat.com>
+(cherry picked from commit bee5301afa55a28090c0262f34c84762120bf878)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/bee5301afa55a28090c0262f34c84762120bf878
+---
+ src/qemu/qemu_process.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
+index 0c408ee..9ca3bdb 100644
+--- a/src/qemu/qemu_process.c
++++ b/src/qemu/qemu_process.c
+@@ -7991,6 +7991,33 @@ qemuProcessRefreshRxFilters(virDomainObj *vm,
+         if (!virDomainNetGetActualTrustGuestRxFilters(def))
+             continue;
+ 
++        /* rx-filters are supported only for virtio model and TUN/TAP based
++         * types. */
++        if (def->model != VIR_DOMAIN_NET_MODEL_VIRTIO)
++            continue;
++
++        switch (virDomainNetGetActualType(def)) {
++        case VIR_DOMAIN_NET_TYPE_ETHERNET:
++        case VIR_DOMAIN_NET_TYPE_NETWORK:
++        case VIR_DOMAIN_NET_TYPE_BRIDGE:
++        case VIR_DOMAIN_NET_TYPE_DIRECT:
++            break;
++        case VIR_DOMAIN_NET_TYPE_USER:
++        case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
++        case VIR_DOMAIN_NET_TYPE_SERVER:
++        case VIR_DOMAIN_NET_TYPE_CLIENT:
++        case VIR_DOMAIN_NET_TYPE_MCAST:
++        case VIR_DOMAIN_NET_TYPE_INTERNAL:
++        case VIR_DOMAIN_NET_TYPE_HOSTDEV:
++        case VIR_DOMAIN_NET_TYPE_UDP:
++        case VIR_DOMAIN_NET_TYPE_VDPA:
++        case VIR_DOMAIN_NET_TYPE_NULL:
++        case VIR_DOMAIN_NET_TYPE_VDS:
++        case VIR_DOMAIN_NET_TYPE_LAST:
++        default:
++            continue;
++        }
++
+         if (qemuDomainSyncRxFilter(vm, def, asyncJob) < 0)
+             return -1;
+     }
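Review bot: the interfaces rejected by the new model check and the `default: continue;` branch of the switch are now skipped silently; a `VIR_DEBUG` naming the interface before each `continue` would let an admin see why rx-filters were never refreshed, which matters because the commit message itself says such configurations are expected to be fixed by the user. Two smaller points: listing every VIR_DOMAIN_NET_TYPE_* value and still keeping a `default:` label means a type added later is silently skipped rather than flagged by -Wswitch (acceptable, since skipping is the safe direction here), and the model check reads `def->model` directly while the type check goes through `virDomainNetGetActualType(def)`; worth confirming that the configured model is always the effective one so the two checks stay consistent.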
diff -Nru libvirt-9.0.0/debian/patches/debian/apparmor_profiles_local_include.patch libvirt-9.0.0/debian/patches/debian/apparmor_profiles_local_include.patch
--- libvirt-9.0.0/debian/patches/debian/apparmor_profiles_local_include.patch	2024-08-24 16:05:45.000000000 +0200
+++ libvirt-9.0.0/debian/patches/debian/apparmor_profiles_local_include.patch	2024-10-21 13:51:48.000000000 +0200
@@ -24,10 +24,10 @@
 +  # Site-specific additions and overrides. See local/README for details.
 +  #include <local/abstractions/libvirt-lxc>
 diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
-index d0289b8..9c541f9 100644
+index ed96f6e..4f7a43a 100644
 --- a/src/security/apparmor/libvirt-qemu
 +++ b/src/security/apparmor/libvirt-qemu
-@@ -254,3 +254,6 @@
+@@ -257,3 +257,6 @@
    # required for QEMU accessing UEFI nvram variables
    owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
    owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
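Review bot: the refreshed `index ed96f6e..4f7a43a` line and the hunk header moving from `@@ -254,3 +254,6 @@` to `@@ -257,3 +257,6 @@` are consistent with the three lines the apparmor backport inserts into libvirt-qemu, so this is a pure context refresh; it does make debian/apparmor_profiles_local_include.patch depend on that backport being applied first, so the series order must keep backport/ ahead of debian/.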
diff -Nru libvirt-9.0.0/debian/patches/series libvirt-9.0.0/debian/patches/series
--- libvirt-9.0.0/debian/patches/series	2024-08-24 16:05:45.000000000 +0200
+++ libvirt-9.0.0/debian/patches/series	2024-10-21 13:51:48.000000000 +0200
@@ -16,6 +16,8 @@
 backport/remote-check-for-negative-array-lengths-before-allocation.patch
 backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch
 backport/qemu-domain-Fix-logic-when-tainting-domain.patch
+backport/qemu_process-Skip-over-non-virtio-non-TAP-NIC-models-when.patch
+backport/apparmor-Allow-running-i686-VMs-on-Debian-12.patch
 forward/Skip-vircgrouptest.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
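Review bot: both new entries are appended at the end of the backport/ block, ahead of the forward/ patches, which is what the refreshed apparmor_profiles_local_include.patch requires since its context now expects the profile with the i386 rule already added. The qemu_process patch is listed before the apparmor one, the reverse of the changelog order; harmless, as they touch different files, but keeping the two lists in the same order would make the debdiff easier to cross-check.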