diff -Nru libvirt-1.2.2/debian/apparmor/libvirt-qemu libvirt-1.2.2/debian/apparmor/libvirt-qemu --- libvirt-1.2.2/debian/apparmor/libvirt-qemu 2014-04-03 06:53:25.000000000 +0000 +++ libvirt-1.2.2/debian/apparmor/libvirt-qemu 2017-09-06 07:56:41.000000000 +0000 @@ -17,6 +17,10 @@ # atm, so just silence the denial until libcap-ng works right. LP: #522845 deny capability setpcap, + # for 9p + capability fsetid, + capability fowner, + network inet stream, network inet6 stream, @@ -74,7 +78,9 @@ /usr/share/proll/** r, /usr/share/vgabios/** r, /usr/share/seabios/** r, + /usr/share/misc/sgabios.bin r, /usr/share/ovmf/** r, + /usr/share/slof/** r, # access PKI infrastructure /etc/pki/libvirt-vnc/** r, @@ -142,3 +148,14 @@ signal (receive) peer=/usr/sbin/libvirtd, ptrace (tracedby) peer=/usr/sbin/libvirtd, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, + + # allow access to charm-specific ceph config (see lp#1403648) + /var/lib/charm/ceph/ceph.conf r, + # workaround LP: #1403648 by allowing read access to the directory. This will be removed in future releases + /tmp/ r, + /var/tmp/ r, diff -Nru libvirt-1.2.2/debian/apparmor/usr.sbin.libvirtd libvirt-1.2.2/debian/apparmor/usr.sbin.libvirtd --- libvirt-1.2.2/debian/apparmor/usr.sbin.libvirtd 2014-04-03 06:53:25.000000000 +0000 +++ libvirt-1.2.2/debian/apparmor/usr.sbin.libvirtd 2017-09-06 07:56:41.000000000 +0000 @@ -28,6 +28,9 @@ capability ipc_lock, capability audit_write, + # Needed for vfio + capability sys_resource, + network inet stream, network inet dgram, network inet6 stream, @@ -49,6 +52,8 @@ /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/lib/xen-common/bin/xen-toolstack PUx, + /usr/lib/xen-*/bin/pygrub PUx, + /usr/lib/xen-*/bin/libxl-save-helper PUx, # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # write and run an ebtables script. diff -Nru libvirt-1.2.2/debian/changelog libvirt-1.2.2/debian/changelog --- libvirt-1.2.2/debian/changelog 2014-04-14 16:04:00.000000000 +0000 +++ libvirt-1.2.2/debian/changelog 2019-05-16 19:56:45.000000000 +0000 @@ -1,3 +1,280 @@ +libvirt (1.2.2-0ubuntu13.1.28) trusty-security; urgency=medium + + * SECURITY UPDATE: Add support for md-clear functionality + - debian/patches/md-clear.patch: Define md-clear CPUID bit in + src/cpu/cpu_map.xml. + - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + + -- Steve Beattie Thu, 16 May 2019 12:56:28 -0700 + +libvirt (1.2.2-0ubuntu13.1.27) trusty-security; urgency=medium + + * SECURITY UPDATE: QEMU monitor DoS + - debian/patches/CVE-2018-1064.patch: add size limit to + src/qemu/qemu_agent.c. + - CVE-2018-1064 + * SECURITY UPDATE: Speculative Store Bypass + - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature + bit in src/cpu/cpu_map.xml. + - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID + feature bit in src/cpu/cpu_map.xml. + - CVE-2018-3639 + + -- Marc Deslauriers Wed, 23 May 2018 14:23:45 -0400 + +libvirt (1.2.2-0ubuntu13.1.26) trusty-security; urgency=medium + + * SECURITY UPDATE: resource exhaustion resulting in DoS + - debian/patches/CVE-2018-5748.patch: avoid DoS reading from + QEMU monitor in src/qemu/qemu_monitor.c. + - CVE-2018-5748 + * SECURITY UPDATE: Bypass authentication + - debian/patches/CVE-2016-5008.patch: let empty default VNC + password work as documented in src/qemu/qemu_hotplug.c. + - CVE-2016-5008 + + -- Leonidas S. Barbosa Fri, 16 Feb 2018 07:51:15 -0500 + +libvirt (1.2.2-0ubuntu13.1.25) trusty-security; urgency=medium + + * SECURITY UPDATE: Add support for Spectre mitigations + - debian/patches/CVE-2017-5715-ibrs*.patch: add CPU features for + indirect branch prediction protection and add new *-IBRS CPU models. + - debian/control: add Breaks to get updated qemu with new CPU models. + - CVE-2017-5715 + + -- Marc Deslauriers Thu, 01 Feb 2018 15:00:47 -0500 + +libvirt (1.2.2-0ubuntu13.1.23) trusty; urgency=medium + + * d/libvirt-bin.init, d/libvirt-bin.upstart: fix waiting for the libvirt + socket (LP: #1571209) + - avoid timing out on slow systems (only stop when service is stopped) + - fix whitespace damage formerly added to d/libvirt-bin.init + - no more long sleep without announcing to log + - check socket and service status more often for lower latency on changes + - fix check if unix_sock_dir path is set in /etc/libvirt/libvirtd.conf + - fix the upstart service name that is checked + + -- Christian Ehrhardt Thu, 07 Sep 2017 14:22:45 +0200 + +libvirt (1.2.2-0ubuntu13.1.22) trusty; urgency=medium + + * fix guest channel support (LP: #1393842). + - d/p/virt-aa-helper-add-trusty-guest-agent-rule.patch: add apparmor rule + for channels within guest namespace. + - d/libvirt-bin.postinst: create channel directories if needed. + + -- Christian Ehrhardt Mon, 28 Aug 2017 12:14:08 +0200 + +libvirt (1.2.2-0ubuntu13.1.21) trusty; urgency=medium + + * d/libvirt-bin.postinst: call apparmor_parser with options to + ignore the apparmor cache and rebuild it, otherwise old apparmor + rules are used and this might break upgrades (LP: #1707400) + + -- Andreas Hasenack Tue, 01 Aug 2017 11:58:38 -0300 + +libvirt (1.2.2-0ubuntu13.1.20) trusty; urgency=medium + + [ Rafael David Tinoco ] + * d/p/reject-blockcommit-of-active-layer.patch: + Block commit code isn't ready for QEMU 2.0 and has to be blocked. + This avoids virsh to hang forever on blackcommit jobs. + (LP: #1317491) + + -- Christian Ehrhardt Wed, 22 Feb 2017 09:44:02 +0100 + +libvirt (1.2.2-0ubuntu13.1.17) trusty; urgency=medium + + * d/p/fix-util-don-t-fail-if-no-portdata-is-found.patch: + make ovs-vsctl not raise error if there's no portData available. + (LP: #1540537). + + -- Jorge Niedbalski Thu, 04 Feb 2016 16:58:31 +0100 + +libvirt (1.2.2-0ubuntu13.1.16) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via incorrect ACL check handling + - debian/patches/CVE-2014-8136.patch: properly unlock vm on failed ACL + check in src/qemu/qemu_driver.c. + - CVE-2014-8136 + * SECURITY UPDATE: VNC password leak via snapshots and save images + - debian/patches/CVE-2015-0236.patch: check ACLs when dumping security + info in src/qemu/qemu_driver.c, src/remote/remote_protocol.x. + - CVE-2015-0236 + * SECURITY UPDATE: ACL bypass using storage pool directory traversal + - debian/patches/CVE-2015-5313.patch: filter filesystem volume names in + src/storage/storage_backend_fs.c. + - CVE-2015-5313 + * This package does _not_ contain the changes from 1.2.2-0ubuntu13.1.15 + in trusty-proposed. + + -- Marc Deslauriers Fri, 08 Jan 2016 10:03:14 -0500 + +libvirt (1.2.2-0ubuntu13.1.14) trusty; urgency=medium + + [ Seyeong Kim ] + * d/p/fix_libvirtd_killed_by_sigsegv.patch: fix incorrect backport + (LP: #1464175) + + -- Chris J Arges Wed, 08 Jul 2015 10:52:41 -0500 + +libvirt (1.2.2-0ubuntu13.1.13) trusty; urgency=medium + + [ Seyeong Kim ] + * virObjectUnref() libvirtd killed by SIGSEGV (LP: #1464175) + - upstream, util: identity: Harden virIdentitySetCurrent() + - upstream, daemon: Clear fake domain def object that is used to check + ACL prior to use + - upstream, rpc: Don't unref identity object while callbacks still can + be executed + + [ Edward Hope-Morley ] + * Add post-start to upstart (/etc/init/libvirt-bin.conf) and + sysv (/etc/init.d/libvirt-bin) to ensure libvirt-sock + created before up (LP: #1455608) + + * Re-enable Support-incoming-migration-from-13.10-hosts.patch. (LP: #1425619) + + -- Chris J Arges Wed, 01 Jul 2015 09:07:08 -0500 + +libvirt (1.2.2-0ubuntu13.1.12) trusty-proposed; urgency=medium + + * Drop Support-incoming-migration-from-13.10-hosts.patch as it failed + verification. + + -- Serge Hallyn Thu, 18 Jun 2015 14:21:06 -0500 + +libvirt (1.2.2-0ubuntu13.1.11) trusty-proposed; urgency=medium + + * Support-incoming-migration-from-13.10-hosts.patch (LP: #1425619) + * qemu-filterref-crash.patch: fix crash when removing filterref from + interfaces (LP: #1448205) + * storage_backend_rbd-correct-arg-order-to-rbd_create3: fix reversed + arguments to rbd_create3. (LP: #1447030) + + -- Serge Hallyn Wed, 13 May 2015 11:06:11 -0500 + +libvirt (1.2.2-0ubuntu13.1.10) trusty-proposed; urgency=medium + + * 9035-qemu-snapshot-save-persistent-domain-config: upstream fix for a + regression where persistent domain config was not saved after an external + snapshot. (LP: #1403841) + * 9036-dont-fail-without-cpu-model.patch: fix virsh safe with cpu mode = + host-passthrough (LP: #1262641) + + -- Serge Hallyn Tue, 10 Feb 2015 14:34:16 -0600 + +libvirt (1.2.2-0ubuntu13.1.9) trusty-proposed; urgency=medium + + * apparmor libvirt-qemu template: allow reading charm-specific ceph config + and allow reading under /tmp and /var/tmp (for SRU only) (LP: #1403648) + * numa-cgroups-fix-cpuset-mems-init.patch - cherrypicked, refreshed patch + (by Richard Laager) to fix failure to start on numa node 1 (LP: #1404388) + * libvirt-qemu: add r to sgabios.bin (LP: #1393548) + + -- Serge Hallyn Tue, 06 Jan 2015 10:39:15 -0600 + +libvirt (1.2.2-0ubuntu13.1.8) trusty-proposed; urgency=medium + + * complete the 9p support: (LP: #1378434) + - libvirt-qemu: add fowner and fsetid + - virt-aa-helper: add 'l' to 9p file options + * libvirt-qemu apparmor template: add /sys/firmware/devicetree/** r + (LP: #1374554) + * add mising apparmor permissions for slof (LP: #1374554) + + -- Serge Hallyn Tue, 11 Nov 2014 16:39:22 -0600 + +libvirt (1.2.2-0ubuntu13.1.7) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via virConnectListAllDomains + - debian/patches/CVE-2014-3633.patch: fix domain deadlock in + src/conf/domain_conf.c. + - CVE-2014-3633 + * SECURITY UPDATE: xml information leak with read-only connections + - debian/patches/CVE-2014-7823.patch: check for migratable flag in + src/libvirt.c, src/remote/remote_protocol.x. + - CVE-2014-3657 + + -- Marc Deslauriers Mon, 10 Nov 2014 19:48:54 -0500 + +libvirt (1.2.2-0ubuntu13.1.6) trusty-proposed; urgency=medium + + * 9029-ovs-delete-port-if-it-exists-when-adding-new-one: cherrypick commit + 33445ce from upstream (LP: #1343262) + * fix migration failure with ssh password authentication (LP: #1365947) + - 9030-virsh-add-keepalive-in-new-vshconnect-fn + - 9031-cmdmigrate-move-vshconnect-before-vshwatchjob + - 9032-virsh-initialize-vsh-data-in-cmdmigrate + * libvirt-bin.postinst: check for confiles whichhave been removed rather + than fail package install (LP: #1375910) + * Support incoming migration from 12.04 hosts (LP: #1374622) + - debian/patches/support-incoming-qemu-kvm: add a flag to + /etc/libvirt/qemu.conf to specify whether pc-1.0 came from a 12.04 host + - Add a note in README.Debian. + + -- Serge Hallyn Tue, 30 Sep 2014 13:54:31 -0500 + +libvirt (1.2.2-0ubuntu13.1.5) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service and possible information disclosure + via crafted XML document + - debian/patches/CVE-2014-0179.patch: don't expand entities when + parsing XML in src/util/virxml.c. + - CVE-2014-0179 + - CVE-2014-5177 + * SECURITY UPDATE: denial of service or information disclosure via + virDomainGetBlockIoTune + - debian/patches/CVE-2014-3633.patch: use correct definition when + looking up disk in src/qemu/qemu_driver.c. + - CVE-2014-3633 + + -- Marc Deslauriers Mon, 29 Sep 2014 15:27:53 -0400 + +libvirt (1.2.2-0ubuntu13.1.4) trusty-proposed; urgency=medium + + * debian/apparmor/usr.sbin.libvirtd - add cap-sys-resource to fully + fix (LP: #1276719) + + -- Serge Hallyn Thu, 07 Aug 2014 12:46:22 -0500 + +libvirt (1.2.2-0ubuntu13.1.3) trusty-proposed; urgency=medium + + * 9026-fix-apparmor-profile-for-vfio-pci-passthrough - allow VFIO passthrough + (LP: #1276719) + * 9027-virt-aa-helper-allow-access-to-vhost-net - allow access to + /dev/vhost-net if domain needs it (LP: #1322568) + + -- Serge Hallyn Thu, 31 Jul 2014 20:14:22 +0000 + +libvirt (1.2.2-0ubuntu13.1.2) trusty; urgency=low + + * debian/apparmor/usr.sbin.libvirtd: allow libvirtd to run + libxl-save-helper (required for save restore through libxl). + (LP: #1334195) + * debian/apparmor/usr.sbin.libvirtd: allow pygrub to be run + (LP: #1326003) + * debian/patches/libxl-Support-PV-consoles.patch + Enable console support for PV guests (LP: #1334738) + + -- Stefan Bader Thu, 26 Jun 2014 16:03:42 +0200 + +libvirt (1.2.2-0ubuntu13.1.1) trusty-proposed; urgency=medium + + * debian/apparmor/libvirt-qemu: add device-tree access for ppc + (LP: #1321365) + + -- Serge Hallyn Thu, 05 Jun 2014 11:26:22 -0500 + +libvirt (1.2.2-0ubuntu13.1) trusty-proposed; urgency=medium + + * debian/control: change apparmor dependency into an inverse conflicts, + so that libvirt can continue to be used without apparmor. (LP: #1304167) + + -- Serge Hallyn Thu, 17 Apr 2014 10:42:08 -0500 + libvirt (1.2.2-0ubuntu13) trusty; urgency=medium * Add a dependency on the new apparmor to make sure we have the new diff -Nru libvirt-1.2.2/debian/control libvirt-1.2.2/debian/control --- libvirt-1.2.2/debian/control 2014-04-14 16:03:25.000000000 +0000 +++ libvirt-1.2.2/debian/control 2018-01-31 14:43:29.000000000 +0000 @@ -56,7 +56,6 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, - apparmor (>= 2.8.95~2430-0ubuntu4), bridge-utils, cgroup-lite | cgroup-bin, dnsmasq-base (>= 2.46-1), @@ -77,7 +76,12 @@ parted, pm-utils Suggests: policykit-1 (>= 0.105-3ubuntu3), apparmor, qemu-kvm | qemu (>= 0.9.1), radvd -Breaks: xen-utils-4.1, xen-utils-4.3 +Breaks: + xen-utils-4.1, + xen-utils-4.3, + qemu-kvm (<< 2.0.0+dfsg-2ubuntu1.38~), + qemu (<< 2.0.0+dfsg-2ubuntu1.38~) +Conflicts: apparmor (<< 2.8.95~2430-0ubuntu4) Description: programs for the libvirt library Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The library aims at providing diff -Nru libvirt-1.2.2/debian/libvirt-bin.init libvirt-1.2.2/debian/libvirt-bin.init --- libvirt-1.2.2/debian/libvirt-bin.init 2012-12-05 22:37:34.000000000 +0000 +++ libvirt-1.2.2/debian/libvirt-bin.init 2017-09-07 12:22:45.000000000 +0000 @@ -87,6 +87,28 @@ return 0 } +wait_on_sockfile() { + unix_sock_dir="/var/run/libvirt" + eval "$(grep '^unix_sock_dir' /etc/libvirt/libvirtd.conf | tr -d ' ')" + sockfile=${unix_sock_dir}/libvirt-sock + count=0 + while [ ! -S $sockfile ] ; do + # report to wait after 4 seconds (uncommon) and then every 60 seconds + if [ "$((count % 60))" = "3" ]; then + echo "waiting for ${sockfile}." + fi + if ! running ; then + # stop/restart/force-stop event triggered before sockfile is created + echo "service requested to stop, exit wait_on_sockfile" + exit 1 + fi + count=$((count+1)) + sleep 1 + done + echo "$sockfile ready." + return 0 +} + case "$1" in start) if check_start_libvirtd_option; then @@ -99,6 +121,7 @@ rm -f /var/run/libvirtd.pid start-stop-daemon --start --quiet --pidfile $PIDFILE \ --exec $DAEMON -- $libvirtd_opts + wait_on_sockfile if running; then log_end_msg 0 else diff -Nru libvirt-1.2.2/debian/libvirt-bin.postinst libvirt-1.2.2/debian/libvirt-bin.postinst --- libvirt-1.2.2/debian/libvirt-bin.postinst 2014-04-08 17:54:32.000000000 +0000 +++ libvirt-1.2.2/debian/libvirt-bin.postinst 2017-09-07 06:21:11.000000000 +0000 @@ -130,31 +130,39 @@ " SANLOCK_DIR="/var/lib/libvirt/sanlock" - QEMU_CONF="/etc/libvirt/qemu.conf" + QEMU_CONF="/etc/libvirt/qemu.conf" for dir in ${ROOT_DIRS}; do if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then - chown root:root "${dir}" - chmod 0711 "${dir}" + if [ -d "${dir}" ]; then + chown root:root "${dir}" + chmod 0711 "${dir}" + fi fi done for dir in ${QEMU_DIRS}; do if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then - chown libvirt-qemu:kvm "${dir}" - chmod 0750 "${dir}" + if [ -d "${dir}" ]; then + chown libvirt-qemu:kvm "${dir}" + chmod 0750 "${dir}" + fi fi done if ! dpkg-statoverride --list "${SANLOCK_DIR}" >/dev/null 2>&1; then - chown root:root "${SANLOCK_DIR}" - chmod 0700 "${SANLOCK_DIR}" + if [ -d "${SANLOCK_DIR}" ]; then + chown root:root "${SANLOCK_DIR}" + chmod 0700 "${SANLOCK_DIR}" + fi fi - if ! dpkg-statoverride --list "${QEMU_CONF}" >/dev/null 2>&1; then - chown root:root "${QEMU_CONF}" - chmod 0600 "${QEMU_CONF}" - fi + if ! dpkg-statoverride --list "${QEMU_CONF}" >/dev/null 2>&1; then + if [ -f "${QEMU_CONF}" ]; then + chown root:root "${QEMU_CONF}" + chmod 0600 "${QEMU_CONF}" + fi + fi } @@ -188,7 +196,7 @@ for p in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do profile="/etc/apparmor.d/$p" if [ -f "$profile" ] && aa-status --enabled 2>/dev/null; then - apparmor_parser -r "$profile" || true + apparmor_parser -r -T -W "$profile" || true fi done @@ -215,6 +223,13 @@ set_autostart fi + # bug 1393842: libvirt doesn't create the directories for channels as needed + # But if a user already had created the dirs keep them as is + if [ ! -d /var/lib/libvirt/qemu/channel ]; then + mkdir -p /var/lib/libvirt/qemu/channel/target + chown -R libvirt-qemu:kvm /var/lib/libvirt/qemu/channel + fi + ;; abort-upgrade|abort-remove|abort-deconfigure) diff -Nru libvirt-1.2.2/debian/libvirt-bin.upstart libvirt-1.2.2/debian/libvirt-bin.upstart --- libvirt-1.2.2/debian/libvirt-bin.upstart 2012-12-05 22:37:34.000000000 +0000 +++ libvirt-1.2.2/debian/libvirt-bin.upstart 2017-09-07 12:22:45.000000000 +0000 @@ -24,6 +24,26 @@ rm -f /var/run/libvirtd.pid end script +post-start script + unix_sock_dir="/var/run/libvirt" + eval "$(grep '^unix_sock_dir' /etc/libvirt/libvirtd.conf | tr -d ' ')" + sockfile=${unix_sock_dir}/libvirt-sock + count=0 + while [ ! -S ${sockfile} ] ; do + # report to wait after 4 seconds (uncommon) and then every 60 seconds + if [ "$((count % 60))" = "3" ]; then + echo "waiting for ${sockfile}" + fi + if initctl status libvirt-bin | grep -qE "(stop|respawn)/"; then + echo "service requested to stop, exit post start socket check" + exit 1 + fi + count=$((count+1)) + sleep 1 + done + echo "$sockfile ready." +end script + pre-stop script [ -r /etc/default/libvirt-bin ] && . /etc/default/libvirt-bin diff -Nru libvirt-1.2.2/debian/patches/9026-fix-apparmor-profile-for-vfio-pci-passthrough libvirt-1.2.2/debian/patches/9026-fix-apparmor-profile-for-vfio-pci-passthrough --- libvirt-1.2.2/debian/patches/9026-fix-apparmor-profile-for-vfio-pci-passthrough 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9026-fix-apparmor-profile-for-vfio-pci-passthrough 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,85 @@ +commit 74e86b6b2521881808bb93290bcebcb469ab7820 +Author: Cédric Bosdonnat +Date: Tue Mar 25 12:48:26 2014 +0100 + + Fix apparmor profile to make vfio pci passthrough work + + See lp#1276719 for the bug description. As virt-aa-helper doesn't know + the VFIO groups to use for the guest, allow access to all + /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need + for vfio + + Signed-off-by: Eric Blake + +Index: libvirt-1.2.2/examples/apparmor/libvirt-qemu +=================================================================== +--- libvirt-1.2.2.orig/examples/apparmor/libvirt-qemu ++++ libvirt-1.2.2/examples/apparmor/libvirt-qemu +@@ -110,6 +110,7 @@ + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-x86_64 rmix, ++ /usr/lib/qemu/block-curl.so mr, + + # for save and resume + /bin/dash rmix, +Index: libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd +=================================================================== +--- libvirt-1.2.2.orig/examples/apparmor/usr.sbin.libvirtd ++++ libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd +@@ -25,6 +25,9 @@ + capability fsetid, + capability audit_write, + ++ # Needed for vfio ++ capability sys_resource, ++ + network inet stream, + network inet dgram, + network inet6 stream, +Index: libvirt-1.2.2/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.2.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.2/src/security/virt-aa-helper.c +@@ -2,7 +2,7 @@ + /* + * virt-aa-helper: wrapper program used by AppArmor security driver. + * +- * Copyright (C) 2010-2013 Red Hat, Inc. ++ * Copyright (C) 2010-2014 Red Hat, Inc. + * Copyright (C) 2009-2011 Canonical Ltd. + * + * This library is free software; you can redistribute it and/or +@@ -900,6 +900,7 @@ get_files(vahControl * ctl) + size_t i; + char *uuid; + char uuidstr[VIR_UUID_STRING_BUFLEN]; ++ bool needsVfio = false; + + /* verify uuid is same as what we were given on the command line */ + virUUIDFormat(ctl->def->uuid, uuidstr); +@@ -1041,6 +1042,12 @@ get_files(vahControl * ctl) + dev->source.subsys.u.pci.addr.slot, + dev->source.subsys.u.pci.addr.function); + ++ virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend; ++ if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO || ++ backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) { ++ needsVfio = true; ++ } ++ + if (pci == NULL) + continue; + +@@ -1069,6 +1076,11 @@ get_files(vahControl * ctl) + } + } + ++ if (needsVfio) { ++ virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n"); ++ virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n"); ++ } ++ + if (ctl->newfile) + if (vah_add_file(&buf, ctl->newfile, "rw") != 0) + goto cleanup; diff -Nru libvirt-1.2.2/debian/patches/9027-virt-aa-helper-allow-access-to-vhost-net libvirt-1.2.2/debian/patches/9027-virt-aa-helper-allow-access-to-vhost-net --- libvirt-1.2.2/debian/patches/9027-virt-aa-helper-allow-access-to-vhost-net 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9027-virt-aa-helper-allow-access-to-vhost-net 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,48 @@ +commit c7abe7448c746cf0e3a6b7fab80e083afba5d5ae +Author: Serge Hallyn +Date: Wed Jun 18 03:20:59 2014 +0000 + + virt-aa-helper: allow access to /dev/vhost-net if needed + + Only allow the access if it is a KVM domain which has a NIC which wants + non-userspace networking. + + This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568 + + Signed-off-by: Serge Hallyn + +Index: libvirt-1.2.2/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.2.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.2/src/security/virt-aa-helper.c +@@ -900,7 +900,7 @@ get_files(vahControl * ctl) + size_t i; + char *uuid; + char uuidstr[VIR_UUID_STRING_BUFLEN]; +- bool needsVfio = false; ++ bool needsVfio = false, needsvhost = false; + + /* verify uuid is same as what we were given on the command line */ + virUUIDFormat(ctl->def->uuid, uuidstr); +@@ -1076,6 +1076,21 @@ get_files(vahControl * ctl) + } + } + ++ if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { ++ for (i = 0; i < ctl->def->nnets; i++) { ++ virDomainNetDefPtr net = ctl->def->nets[i]; ++ if (net && net->model) { ++ if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU) ++ continue; ++ if (STRNEQ(net->model, "virtio")) ++ continue; ++ } ++ needsvhost = true; ++ } ++ } ++ if (needsvhost) ++ virBufferAddLit(&buf, " /dev/vhost-net rw,\n"); ++ + if (needsVfio) { + virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n"); + virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n"); diff -Nru libvirt-1.2.2/debian/patches/9029-ovs-delete-port-if-it-exists-when-adding-new-one libvirt-1.2.2/debian/patches/9029-ovs-delete-port-if-it-exists-when-adding-new-one --- libvirt-1.2.2/debian/patches/9029-ovs-delete-port-if-it-exists-when-adding-new-one 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9029-ovs-delete-port-if-it-exists-when-adding-new-one 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,38 @@ +commit 33445ce8446d9d061a1620cd8ec5e81fcca127d9 +Author: Chunhe Li +Date: Mon Jul 14 12:37:50 2014 +0200 + + openvswitch: Delete port if it exists while adding a new one + + If the openvswitch service is stopped, and is followed by destroying a + VM, the openvswitch bridge translates into a state where it doesn't + recover the port configuration. While it successfully fetches data + from the internal DB, since the corresponding virtual interface does + not exists anymore the whole recovery process fails leaving restarted + VM with inability to connect to the bridge. The following set of + commands will trigger the problem: + + virsh start vm + service openvswitch-switch stop + virsh destroy vm + service openvswitch-switch start + virsh start vm + + Signed-off-by: Chunhe Li + Signed-off-by: Michal Privoznik + +diff --git a/src/util/virnetdevopenvswitch.c b/src/util/virnetdevopenvswitch.c +index 9bcbfb1..8ea1def 100644 +--- a/src/util/virnetdevopenvswitch.c ++++ b/src/util/virnetdevopenvswitch.c +@@ -84,8 +84,8 @@ int virNetDevOpenvswitchAddPort(const char *brname, const char *ifname, + + cmd = virCommandNew(OVSVSCTL); + +- virCommandAddArgList(cmd, "--timeout=5", "--", "--may-exist", "add-port", +- brname, ifname, NULL); ++ virCommandAddArgList(cmd, "--timeout=5", "--", "--if-exists", "del-port", ++ ifname, "--", "add-port", brname, ifname, NULL); + + if (virtVlan && virtVlan->nTags > 0) { + diff -Nru libvirt-1.2.2/debian/patches/9030-virsh-add-keepalive-in-new-vshconnect-fn libvirt-1.2.2/debian/patches/9030-virsh-add-keepalive-in-new-vshconnect-fn --- libvirt-1.2.2/debian/patches/9030-virsh-add-keepalive-in-new-vshconnect-fn 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9030-virsh-add-keepalive-in-new-vshconnect-fn 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,253 @@ +commit 676cb4f4e762b8682a06c6dab1f690fbcd939550 +Author: Martin Kletzander +Date: Thu Mar 6 17:20:11 2014 +0100 + + virsh: Add keepalive in new vshConnect function + + Introducing keepalive similarly to Guannan around 2 years ago. Since + we want to introduce keepalive for every connection, it makes sense to + wrap the connecting function into new virsh one that can deal + keepalive as well. + + Function vshConnect() is now used for connecting and keepalive added + in that function (if possible) helps preventing long waits e.g. while + nework goes down during migration. + + This patch also adds the options for keepalive tuning into virsh and + fails connecting only when keepalives are explicitly requested and + cannot be set (whether it is due to missing support in connected + driver or remote server). If not explicitely requested, a debug + message is printed (hence the addition to virsh-optparse test). + + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1073506 + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=822839 + + Signed-off-by: Martin Kletzander + +Index: libvirt-1.2.2/tests/virsh-optparse +=================================================================== +--- libvirt-1.2.2.orig/tests/virsh-optparse ++++ libvirt-1.2.2/tests/virsh-optparse +@@ -1,7 +1,7 @@ + #!/bin/sh + # Ensure that virsh option parsing doesn't regress + +-# Copyright (C) 2011-2012 Red Hat, Inc. ++# Copyright (C) 2011-2012, 2014 Red Hat, Inc. + + # This program is free software: you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by +@@ -65,7 +65,7 @@ for args in \ + '--count 2 test' \ + '--count=2 test' \ + ; do +- virsh -d0 -c $test_url setvcpus $args >out 2>>err || fail=1 ++ virsh -k0 -d0 -c $test_url setvcpus $args >out 2>>err || fail=1 + LC_ALL=C sort out | compare exp-out - || fail=1 + done + +Index: libvirt-1.2.2/tools/virsh-domain.c +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh-domain.c ++++ libvirt-1.2.2/tools/virsh-domain.c +@@ -8777,7 +8777,7 @@ doMigrate(void *opaque) + virConnectPtr dconn = NULL; + virDomainPtr ddom = NULL; + +- dconn = virConnectOpenAuth(desturi, virConnectAuthPtrDefault, 0); ++ dconn = vshConnect(ctl, desturi, false); + if (!dconn) + goto out; + +Index: libvirt-1.2.2/tools/virsh.c +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh.c ++++ libvirt-1.2.2/tools/virsh.c +@@ -315,6 +315,46 @@ vshCatchDisconnect(virConnectPtr conn AT + disconnected++; + } + ++/* Main Function which should be used for connecting. ++ * This function properly handles keepalive settings. */ ++virConnectPtr ++vshConnect(vshControl *ctl, const char *uri, bool readonly) ++{ ++ virConnectPtr c = NULL; ++ int interval = 5; /* Default */ ++ int count = 6; /* Default */ ++ bool keepalive_forced = false; ++ ++ if (ctl->keepalive_interval >= 0) { ++ interval = ctl->keepalive_interval; ++ keepalive_forced = true; ++ } ++ if (ctl->keepalive_count >= 0) { ++ count = ctl->keepalive_count; ++ keepalive_forced = true; ++ } ++ ++ c = virConnectOpenAuth(uri, virConnectAuthPtrDefault, ++ readonly ? VIR_CONNECT_RO : 0); ++ if (!c) ++ return NULL; ++ ++ if (interval > 0 && ++ virConnectSetKeepAlive(c, interval, count) != 0) { ++ if (keepalive_forced) { ++ vshError(ctl, "%s", ++ _("Cannot setup keepalive on connection " ++ "as requested, disconnecting")); ++ virConnectClose(c); ++ return NULL; ++ } ++ vshDebug(ctl, VSH_ERR_INFO, "%s", ++ _("Failed to setup keepalive on connection\n")); ++ } ++ ++ return c; ++} ++ + /* + * vshReconnect: + * +@@ -340,9 +380,8 @@ vshReconnect(vshControl *ctl) + "disconnect from the hypervisor")); + } + +- ctl->conn = virConnectOpenAuth(ctl->name, +- virConnectAuthPtrDefault, +- ctl->readonly ? VIR_CONNECT_RO : 0); ++ ctl->conn = vshConnect(ctl, ctl->name, ctl->readonly); ++ + if (!ctl->conn) { + if (disconnected) + vshError(ctl, "%s", _("Failed to reconnect to the hypervisor")); +@@ -417,8 +456,7 @@ cmdConnect(vshControl *ctl, const vshCmd + ctl->useSnapshotOld = false; + ctl->readonly = ro; + +- ctl->conn = virConnectOpenAuth(ctl->name, virConnectAuthPtrDefault, +- ctl->readonly ? VIR_CONNECT_RO : 0); ++ ctl->conn = vshConnect(ctl, ctl->name, ctl->readonly); + + if (!ctl->conn) { + vshError(ctl, "%s", _("Failed to connect to the hypervisor")); +@@ -3113,6 +3151,10 @@ vshUsage(void) + " -r | --readonly connect readonly\n" + " -d | --debug=NUM debug level [0-4]\n" + " -h | --help this help\n" ++ " -k | --keepalive-interval=NUM\n" ++ " keepalive interval in seconds, 0 for disable\n" ++ " -K | --keepalive-count=NUM\n" ++ " number of possible missed keepalive messages\n" + " -q | --quiet quiet mode\n" + " -t | --timing print timing information\n" + " -l | --log=FILE output logging to file\n" +@@ -3302,12 +3344,14 @@ vshAllowedEscapeChar(char c) + static bool + vshParseArgv(vshControl *ctl, int argc, char **argv) + { +- int arg, len, debug; ++ int arg, len, debug, keepalive; + size_t i; + int longindex = -1; + struct option opt[] = { + {"debug", required_argument, NULL, 'd'}, + {"help", no_argument, NULL, 'h'}, ++ {"keepalive-interval", required_argument, NULL, 'k'}, ++ {"keepalive-count", required_argument, NULL, 'K'}, + {"quiet", no_argument, NULL, 'q'}, + {"timing", no_argument, NULL, 't'}, + {"version", optional_argument, NULL, 'v'}, +@@ -3321,7 +3365,7 @@ vshParseArgv(vshControl *ctl, int argc, + /* Standard (non-command) options. The leading + ensures that no + * argument reordering takes place, so that command options are + * not confused with top-level virsh options. */ +- while ((arg = getopt_long(argc, argv, "+:d:hqtc:vVrl:e:", opt, &longindex)) != -1) { ++ while ((arg = getopt_long(argc, argv, "+:d:hk:K:qtc:vVrl:e:", opt, &longindex)) != -1) { + switch (arg) { + case 'd': + if (virStrToLong_i(optarg, NULL, 10, &debug) < 0) { +@@ -3361,6 +3405,24 @@ vshParseArgv(vshControl *ctl, int argc, + case 'r': + ctl->readonly = true; + break; ++ case 'k': ++ if (virStrToLong_i(optarg, NULL, 0, &keepalive) < 0 || ++ keepalive < 0) { ++ vshError(ctl, _("option -%s requires a positive numeric argument"), ++ longindex == -1 ? "-k" : "--keepalive-interval"); ++ exit(EXIT_FAILURE); ++ } ++ ctl->keepalive_interval = keepalive; ++ break; ++ case 'K': ++ if (virStrToLong_i(optarg, NULL, 0, &keepalive) < 0 || ++ keepalive < 0) { ++ vshError(ctl, _("option -%s requires a positive numeric argument"), ++ longindex == -1 ? "-K" : "--keepalive-count"); ++ exit(EXIT_FAILURE); ++ } ++ ctl->keepalive_count = keepalive; ++ break; + case 'l': + vshCloseLogFile(ctl); + ctl->logfile = vshStrdup(ctl, optarg); +@@ -3490,6 +3552,11 @@ main(int argc, char **argv) + ctl->log_fd = -1; /* Initialize log file descriptor */ + ctl->debug = VSH_DEBUG_DEFAULT; + ctl->escapeChar = "^]"; /* Same default as telnet */ ++ ++ /* In order to distinguish default from setting to 0 */ ++ ctl->keepalive_interval = -1; ++ ctl->keepalive_count = -1; ++ + ctl->eventPipe[0] = -1; + ctl->eventPipe[1] = -1; + ctl->eventTimerId = -1; +Index: libvirt-1.2.2/tools/virsh.h +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh.h ++++ libvirt-1.2.2/tools/virsh.h +@@ -249,6 +249,9 @@ struct _vshControl { + const char *escapeChar; /* String representation of + console escape character */ + ++ int keepalive_interval; /* Client keepalive interval */ ++ int keepalive_count; /* Client keepalive count */ ++ + # ifndef WIN32 + struct termios termattr; /* settings of the tty terminal */ + # endif +@@ -269,6 +272,8 @@ void vshOutputLogFile(vshControl *ctl, i + ATTRIBUTE_FMT_PRINTF(3, 0); + void vshCloseLogFile(vshControl *ctl); + ++virConnectPtr vshConnect(vshControl *ctl, const char *uri, bool readonly); ++ + const char *vshCmddefGetInfo(const vshCmdDef *cmd, const char *info); + const vshCmdDef *vshCmddefSearch(const char *cmdname); + bool vshCmddefHelp(vshControl *ctl, const char *name); +Index: libvirt-1.2.2/tools/virsh.pod +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh.pod ++++ libvirt-1.2.2/tools/virsh.pod +@@ -78,6 +78,18 @@ Enable debug messages at integer I + environment variable below for the description of each I. + ++=item B<-k>, B<--keepalive-interval> I ++ ++Set an I (in seconds) for sending keepalive messages to ++check whether connection to the server is still alive. Setting the ++interval to 0 disables client keepalive mechanism. ++ ++=item B<-K>, B<--keepalive-count> I ++ ++Set a number of times keepalive message can be sent without getting an ++answer from the server without marking the connection dead. There is ++no effect to this setting in case the I is set to 0. ++ + =item B<-l>, B<--log> I + + Output logging details to I. diff -Nru libvirt-1.2.2/debian/patches/9031-cmdmigrate-move-vshconnect-before-vshwatchjob libvirt-1.2.2/debian/patches/9031-cmdmigrate-move-vshconnect-before-vshwatchjob --- libvirt-1.2.2/debian/patches/9031-cmdmigrate-move-vshconnect-before-vshwatchjob 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9031-cmdmigrate-move-vshconnect-before-vshwatchjob 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,107 @@ +commit 7eabd5503e3de147b703c1a1e6dff81cdc46d1e7 +Author: Chunyan Liu +Date: Fri Aug 8 16:44:36 2014 +0800 + + cmdMigrate: move vshConnect before vshWatchJob + + A possible fix to issue: + http://www.redhat.com/archives/libvir-list/2014-August/thread.html#00227 + + While doing migration on KVM host, found problem sometimes: + VM is already running on the target host and disappears from source + host, but 'virsh migrate' command line hangs, cannot exit normally. + If pressing "ENTER" key, it will exit. + + The code hangs at tools/virsh-domain.c: cmdMigrate + ->vshWatchJob->poll(): + poll() is trying to select pipe_fd, which is used to receive message + from doMigrate thread. In debugging, found that doMigrate finishes + and at the end it does call safewrite() to write the retval ('0' or + '1') to pipe_fd, and the write is completed. But cmdMigrate poll() + cannot get the event. If pressing "ENTER" key, poll() can get the + event and select pipe_fd, then command line can exit. + + In current code, authentication thread which is called by vshConnect + will use stdin, and at the same time, in cmdMigrate main process, + poll() is listening to stdin, that probably affect poll() to get + pipe_fd event. Better to move authentication before vshWatchJob. With + this change, above problem does not exist. + + Signed-off-by: Chunyan Liu + +Index: libvirt-1.2.2/tools/virsh-domain.c +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh-domain.c ++++ libvirt-1.2.2/tools/virsh-domain.c +@@ -8663,6 +8663,7 @@ doMigrate(void *opaque) + virTypedParameterPtr params = NULL; + int nparams = 0; + int maxparams = 0; ++ virConnectPtr dconn = data->dconn; + + sigemptyset(&sigmask); + sigaddset(&sigmask, SIGINT); +@@ -8774,18 +8775,12 @@ doMigrate(void *opaque) + ret = '0'; + } else { + /* For traditional live migration, connect to the destination host directly. */ +- virConnectPtr dconn = NULL; + virDomainPtr ddom = NULL; + +- dconn = vshConnect(ctl, desturi, false); +- if (!dconn) +- goto out; +- + if ((ddom = virDomainMigrate3(dom, dconn, params, nparams, flags))) { + virDomainFree(ddom); + ret = '0'; + } +- virConnectClose(dconn); + } + + out: +@@ -8847,6 +8842,23 @@ cmdMigrate(vshControl *ctl, const vshCmd + data.cmd = cmd; + data.writefd = p[1]; + ++ if (vshCommandOptBool(cmd, "p2p") || vshCommandOptBool(cmd, "direct")) { ++ data.dconn = NULL; ++ } else { ++ /* For traditional live migration, connect to the destination host. */ ++ virConnectPtr dconn = NULL; ++ const char *desturi = NULL; ++ ++ if (vshCommandOptStringReq(ctl, cmd, "desturi", &desturi) < 0) ++ goto cleanup; ++ ++ dconn = vshConnect(ctl, desturi, false); ++ if (!dconn) ++ goto cleanup; ++ ++ data.dconn = dconn; ++ } ++ + if (virThreadCreate(&workerThread, + true, + doMigrate, +@@ -8858,6 +8870,8 @@ cmdMigrate(vshControl *ctl, const vshCmd + virThreadJoin(&workerThread); + + cleanup: ++ if (data.dconn) ++ virConnectClose(data.dconn); + virDomainFree(dom); + VIR_FORCE_CLOSE(p[0]); + VIR_FORCE_CLOSE(p[1]); +Index: libvirt-1.2.2/tools/virsh.h +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh.h ++++ libvirt-1.2.2/tools/virsh.h +@@ -362,6 +362,7 @@ struct _vshCtrlData { + vshControl *ctl; + const vshCmd *cmd; + int writefd; ++ virConnectPtr dconn; + }; + + /* error handling */ diff -Nru libvirt-1.2.2/debian/patches/9032-virsh-initialize-vsh-data-in-cmdmigrate libvirt-1.2.2/debian/patches/9032-virsh-initialize-vsh-data-in-cmdmigrate --- libvirt-1.2.2/debian/patches/9032-virsh-initialize-vsh-data-in-cmdmigrate 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9032-virsh-initialize-vsh-data-in-cmdmigrate 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,24 @@ +commit c285ffc4c2f042941acc44406bdd442252d1b0aa +Author: Ján Tomko +Date: Tue Aug 26 13:18:43 2014 +0200 + + virsh: Initialize vshData in cmdMigrate + + If the virConnect did not succeeed, we called + virConnectClose on uninitialized data. + + Introduced by commit 7eabd55. + +Index: libvirt-1.2.2/tools/virsh-domain.c +=================================================================== +--- libvirt-1.2.2.orig/tools/virsh-domain.c ++++ libvirt-1.2.2/tools/virsh-domain.c +@@ -8817,7 +8817,7 @@ cmdMigrate(vshControl *ctl, const vshCmd + bool functionReturn = false; + int timeout = 0; + bool live_flag = false; +- vshCtrlData data; ++ vshCtrlData data = { .dconn = NULL }; + + if (!(dom = vshCommandOptDomain(ctl, cmd, NULL))) + return false; diff -Nru libvirt-1.2.2/debian/patches/9034-complete-9p-support libvirt-1.2.2/debian/patches/9034-complete-9p-support --- libvirt-1.2.2/debian/patches/9034-complete-9p-support 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9034-complete-9p-support 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,18 @@ +Description: virt-aa-helper: add l to 9p file options +Author: Serge Hallyn +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1378434 +Forwarded: no + +Index: libvirt-1.2.2/src/security/virt-aa-helper.c +=================================================================== +--- libvirt-1.2.2.orig/src/security/virt-aa-helper.c ++++ libvirt-1.2.2/src/security/virt-aa-helper.c +@@ -1071,7 +1071,7 @@ get_files(vahControl * ctl) + ctl->def->fss[i]->src){ + virDomainFSDefPtr fs = ctl->def->fss[i]; + +- if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0) ++ if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rwl", true) != 0) + goto cleanup; + } + } diff -Nru libvirt-1.2.2/debian/patches/9035-qemu-snapshot-save-persistent-domain-config libvirt-1.2.2/debian/patches/9035-qemu-snapshot-save-persistent-domain-config --- libvirt-1.2.2/debian/patches/9035-qemu-snapshot-save-persistent-domain-config 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9035-qemu-snapshot-save-persistent-domain-config 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,42 @@ +commit 9036b31aeddb63db198576b8eaba331df105c0c6 +Author: Peter Krempa +Date: Mon Jun 30 13:44:26 2014 +0200 + + qemu: snapshot: Save persistent domain config when taking external snapshot + + Commit 55bbb011b965c7962933604c70f61cef45e8ec04 introduced a regression + where we forgot to save the persistent domain configuration after an + external snapshot. This would make libvirt forget the snapshots and + effectively revert to the previous state in the following scenario: + + 1) Start VM + 2) Take snapshot + 3) Destroy VM + 4) Restart libvirtd + + Also fix spurious blank line added by patch mentioned above. + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index d34da6f..775f6ab 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -13126,8 +13126,10 @@ qemuDomainSnapshotCreateDiskActive(virQEMUDriverPtr driver, + int indx = virDomainDiskIndexByName(vm->newDef, + vm->def->disks[i]->dst, + false); +- if (indx >= 0) ++ if (indx >= 0) { + persistDisk = vm->newDef->disks[indx]; ++ persist = true; ++ } + } + + ret = qemuDomainSnapshotCreateSingleDiskActive(driver, vm, +@@ -13173,7 +13175,6 @@ qemuDomainSnapshotCreateDiskActive(virQEMUDriverPtr driver, + persistDisk = vm->newDef->disks[indx]; + persist = true; + } +- + } + + qemuDomainSnapshotUndoSingleDiskActive(driver, vm, diff -Nru libvirt-1.2.2/debian/patches/9036-dont-fail-without-cpu-model.patch libvirt-1.2.2/debian/patches/9036-dont-fail-without-cpu-model.patch --- libvirt-1.2.2/debian/patches/9036-dont-fail-without-cpu-model.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9036-dont-fail-without-cpu-model.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,22 @@ +Index: libvirt-1.2.1/src/conf/cpu_conf.c +=================================================================== +--- libvirt-1.2.1.orig/src/conf/cpu_conf.c 2013-12-03 20:44:44.000000000 +0400 ++++ libvirt-1.2.1/src/conf/cpu_conf.c 2014-01-17 15:33:37.493590025 +0400 +@@ -361,7 +361,8 @@ + goto error; + + if (n > 0) { +- if (!def->model && def->mode != VIR_CPU_MODE_HOST_MODEL) { ++ if (!def->model && def->mode != VIR_CPU_MODE_HOST_MODEL ++ && def->mode != VIR_CPU_MODE_HOST_PASSTHROUGH) { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("Non-empty feature list specified without " + "CPU model")); +@@ -576,6 +577,7 @@ + + if (!def->model && + def->mode != VIR_CPU_MODE_HOST_MODEL && ++ def->mode != VIR_CPU_MODE_HOST_PASSTHROUGH && + def->nfeatures) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Non-empty feature list specified without CPU model")); diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-0179.patch libvirt-1.2.2/debian/patches/CVE-2014-0179.patch --- libvirt-1.2.2/debian/patches/CVE-2014-0179.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-0179.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,39 @@ +From d6b27d3e4c40946efa79e91d134616b41b1666c4 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrange +Date: Tue, 15 Apr 2014 11:20:29 +0100 +Subject: [PATCH] LSN-2014-0003: Don't expand entities when parsing XML + +If the XML_PARSE_NOENT flag is passed to libxml2, then any +entities in the input document will be fully expanded. This +allows the user to read arbitrary files on the host machine +by creating an entity pointing to a local file. Removing +the XML_PARSE_NOENT flag means that any entities are left +unchanged by the parser, or expanded to "" by the XPath +APIs. + +Signed-off-by: Daniel P. Berrange +--- + src/util/virxml.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/util/virxml.c b/src/util/virxml.c +index 9f00f62..34af64a 100644 +--- a/src/util/virxml.c ++++ b/src/util/virxml.c +@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode, + + if (filename) { + xml = xmlCtxtReadFile(pctxt, filename, NULL, +- XML_PARSE_NOENT | XML_PARSE_NONET | ++ XML_PARSE_NONET | + XML_PARSE_NOWARNING); + } else { + xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, +- XML_PARSE_NOENT | XML_PARSE_NONET | ++ XML_PARSE_NONET | + XML_PARSE_NOWARNING); + } + if (!xml) +-- +1.7.1 + diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-3633.patch libvirt-1.2.2/debian/patches/CVE-2014-3633.patch --- libvirt-1.2.2/debian/patches/CVE-2014-3633.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-3633.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,43 @@ +From 3e745e8f775dfe6f64f18b5c2fe4791b35d3546b Mon Sep 17 00:00:00 2001 +From: Peter Krempa +Date: Thu, 11 Sep 2014 16:35:53 +0200 +Subject: [PATCH] CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk + +Live definition was used to look up the disk index while persistent one +was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the +correct def and report a nice error. + +Unfortunately it's accessible via read-only connection, though it can +only crash libvirtd in the cases where the guest is hot-plugging disks +without reflecting those changes to the persistent definition. So +avoiding hotplug, or doing hotplug where persistent is always modified +alongside live definition, will avoid the out-of-bounds access. + +Introduced in: eca96694a7f992be633d48d5ca03cedc9bbc3c9aa (v0.9.8) +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724 +Reported-by: Luyao Huang +Signed-off-by: Peter Krempa +--- + src/qemu/qemu_driver.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +Index: libvirt-1.2.2/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_driver.c 2014-09-29 15:27:04.000947230 -0400 ++++ libvirt-1.2.2/src/qemu/qemu_driver.c 2014-09-29 15:27:04.000947230 -0400 +@@ -15713,9 +15713,13 @@ + } + + if (flags & VIR_DOMAIN_AFFECT_CONFIG) { +- int idx = virDomainDiskIndexByName(vm->def, disk, true); +- if (idx < 0) ++ int idx = virDomainDiskIndexByName(persistentDef, disk, true); ++ if (idx < 0) { ++ virReportError(VIR_ERR_INVALID_ARG, ++ _("disk '%s' was not found in the domain config"), ++ disk); + goto endjob; ++ } + reply = persistentDef->disks[idx]->blkdeviotune; + } + diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-3657.patch libvirt-1.2.2/debian/patches/CVE-2014-3657.patch --- libvirt-1.2.2/debian/patches/CVE-2014-3657.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-3657.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,29 @@ +From fc22b2e74890873848b43fffae43025d22053669 Mon Sep 17 00:00:00 2001 +From: Pavel Hrdina +Date: Mon, 22 Sep 2014 18:19:07 +0200 +Subject: [PATCH] domain_conf: fix domain deadlock + +If you use public api virConnectListAllDomains() with second parameter +set to NULL to get only the number of domains you will lock out all +other operations with domains. + +Introduced by commit 2c680804. + +Signed-off-by: Pavel Hrdina +--- + src/conf/domain_conf.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: libvirt-1.2.2/src/conf/domain_conf.c +=================================================================== +--- libvirt-1.2.2.orig/src/conf/domain_conf.c 2014-11-10 19:48:32.001702781 -0500 ++++ libvirt-1.2.2/src/conf/domain_conf.c 2014-11-10 19:48:31.993702727 -0500 +@@ -19112,7 +19112,7 @@ + /* just count the machines */ + if (!data->domains) { + data->ndomains++; +- return; ++ goto cleanup; + } + + if (!(dom = virGetDomain(data->conn, vm->def->name, vm->def->uuid))) { diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-7823.patch libvirt-1.2.2/debian/patches/CVE-2014-7823.patch --- libvirt-1.2.2/debian/patches/CVE-2014-7823.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-7823.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,62 @@ +Backport of: + +From b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Fri, 31 Oct 2014 22:14:07 -0600 +Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag + +Commit 28f8dfd (v1.0.0) introduced a security hole: in at least +the qemu implementation of virDomainGetXMLDesc, the use of the +flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only +connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE +prior to calling qemuDomainFormatXML. However, the use of +VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write +clients only. This patch treats the migratable flag as requiring +the same permissions, rather than analyzing what might break if +migratable xml no longer includes secret information. + +Fortunately, the information leak is low-risk: all that is gated +by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password; +but VNC passwords are already weak (FIPS forbids their use, and +on a non-FIPS machine, anyone stupid enough to trust a max-8-byte +password sent in plaintext over the network deserves what they +get). SPICE offers better security than VNC, and all other +secrets are properly protected by use of virSecret associations +rather than direct output in domain XML. + +* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC): +Tighten rules on use of migratable flag. +* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise. + +Signed-off-by: Eric Blake +--- + src/libvirt-domain.c | 3 ++- + src/remote/remote_protocol.x | 1 + + 2 files changed, 3 insertions(+), 1 deletions(-) + +Index: libvirt-1.2.2/src/libvirt.c +=================================================================== +--- libvirt-1.2.2.orig/src/libvirt.c 2014-11-10 19:48:44.549787076 -0500 ++++ libvirt-1.2.2/src/libvirt.c 2014-11-10 19:48:44.537786995 -0500 +@@ -4251,7 +4251,8 @@ + virCheckDomainReturn(domain, NULL); + conn = domain->conn; + +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { ++ if ((conn->flags & VIR_CONNECT_RO) && ++ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) { + virReportError(VIR_ERR_OPERATION_DENIED, "%s", + _("virDomainGetXMLDesc with secure flag")); + goto error; +Index: libvirt-1.2.2/src/remote/remote_protocol.x +=================================================================== +--- libvirt-1.2.2.orig/src/remote/remote_protocol.x 2014-11-10 19:48:44.549787076 -0500 ++++ libvirt-1.2.2/src/remote/remote_protocol.x 2014-11-10 19:48:44.545787049 -0500 +@@ -3098,6 +3098,7 @@ + * @generate: both + * @acl: domain:read + * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE + */ + REMOTE_PROC_DOMAIN_GET_XML_DESC = 14, + diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-8136.patch libvirt-1.2.2/debian/patches/CVE-2014-8136.patch --- libvirt-1.2.2/debian/patches/CVE-2014-8136.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-8136.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,46 @@ +From f5a151754f2080598049baf5d68282f183a30f5c Mon Sep 17 00:00:00 2001 +From: Peter Krempa +Date: Mon, 8 Dec 2014 19:25:21 +0100 +Subject: [PATCH] qemu: migration: Unlock vm on failed ACL check in protocol v2 APIs + +Avoid leaving the domain locked on a failed ACL check in +qemuDomainMigratePerform() and qemuDomainMigrateFinish2(). + +Introduced in commit abf75aea247e (Add ACL checks into the QEMU driver). + +(cherry picked from commit 2bdcd29c713dfedd813c89f56ae98f6f3898313d) +--- + src/qemu/qemu_driver.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index eb82643..9afec73 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -10622,8 +10622,10 @@ qemuDomainMigratePerform(virDomainPtr dom, + if (!(vm = qemuDomObjFromDomain(dom))) + goto cleanup; + +- if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) ++ if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) { ++ virObjectUnlock(vm); + goto cleanup; ++ } + + if (flags & VIR_MIGRATE_PEER2PEER) { + dconnuri = uri; +@@ -10670,8 +10672,10 @@ qemuDomainMigrateFinish2(virConnectPtr dconn, + goto cleanup; + } + +- if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) ++ if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) { ++ virObjectUnlock(vm); + goto cleanup; ++ } + + /* Do not use cookies in v2 protocol, since the cookie + * length was not sufficiently large, causing failures +-- +1.7.1 + diff -Nru libvirt-1.2.2/debian/patches/CVE-2015-0236.patch libvirt-1.2.2/debian/patches/CVE-2015-0236.patch --- libvirt-1.2.2/debian/patches/CVE-2015-0236.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2015-0236.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,47 @@ +Description: fix VNC password leak via snapshots and save images +Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=e99c25ca63c695a63b4c9b91ee956be4fb660772 +Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=8107c1e3694ba4685960ec09868076379718f037 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776065 + +Index: libvirt-1.2.2/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_driver.c 2016-01-08 10:01:49.859605491 -0500 ++++ libvirt-1.2.2/src/qemu/qemu_driver.c 2016-01-08 10:02:34.080092542 -0500 +@@ -5552,7 +5552,7 @@ + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +@@ -13776,7 +13776,7 @@ + if (!(vm = qemuDomObjFromSnapshot(snapshot))) + goto cleanup; + +- if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def) < 0) ++ if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def, flags) < 0) + goto cleanup; + + if (!(snap = qemuSnapObjFromSnapshot(vm, snapshot))) +Index: libvirt-1.2.2/src/remote/remote_protocol.x +=================================================================== +--- libvirt-1.2.2.orig/src/remote/remote_protocol.x 2016-01-08 09:40:22.000000000 -0500 ++++ libvirt-1.2.2/src/remote/remote_protocol.x 2016-01-08 10:02:34.080092542 -0500 +@@ -4291,6 +4291,7 @@ + * @generate: both + * @priority: high + * @acl: domain:read ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE + */ + REMOTE_PROC_DOMAIN_SNAPSHOT_GET_XML_DESC = 186, + +@@ -4621,6 +4622,7 @@ + * @generate: both + * @priority: high + * @acl: domain:read ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + diff -Nru libvirt-1.2.2/debian/patches/CVE-2015-5313.patch libvirt-1.2.2/debian/patches/CVE-2015-5313.patch --- libvirt-1.2.2/debian/patches/CVE-2015-5313.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2015-5313.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,74 @@ +From 6542e643024ca4272f14e9052b3786378f6eec62 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Tue, 8 Dec 2015 17:46:31 -0700 +Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names + +The libvirt file system storage driver determines what file to +act on by concatenating the pool location with the volume name. +If a user is able to pick names like "../../../etc/passwd", then +they can escape the bounds of the pool. For that matter, +virStoragePoolListVolumes() doesn't descend into subdirectories, +so a user really shouldn't use a name with a slash. + +Normally, only privileged users can coerce libvirt into creating +or opening existing files using the virStorageVol APIs; and such +users already have full privilege to create any domain XML (so it +is not an escalation of privilege). But in the case of +fine-grained ACLs, it is feasible that a user can be granted +storage_vol:create but not domain:write, and it violates +assumptions if such a user can abuse libvirt to access files +outside of the storage pool. + +Therefore, prevent all use of volume names that contain "/", +whether or not such a name is actually attempting to escape the +pool. + +This changes things from: + +$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 +Vol ../../../../../../etc/haha created +$ rm /etc/haha + +to: + +$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 +error: Failed to create vol ../../../../../../etc/haha +error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/' + +Signed-off-by: Eric Blake +(cherry picked from commit 034e47c338b13a95cf02106a3af912c1c5f818d7) +--- + src/storage/storage_backend_fs.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c +index 4d69f74..8b5e70b 100644 +--- a/src/storage/storage_backend_fs.c ++++ b/src/storage/storage_backend_fs.c +@@ -1,7 +1,7 @@ + /* + * storage_backend_fs.c: storage backend for FS and directory handling + * +- * Copyright (C) 2007-2014 Red Hat, Inc. ++ * Copyright (C) 2007-2015 Red Hat, Inc. + * Copyright (C) 2007-2008 Daniel P. Berrange + * + * This library is free software; you can redistribute it and/or +@@ -1001,6 +1001,14 @@ virStorageBackendFileSystemVolCreate(virConnectPtr conn ATTRIBUTE_UNUSED, + + vol->type = VIR_STORAGE_VOL_FILE; + ++ /* Volumes within a directory pools are not recursive; do not ++ * allow escape to ../ or a subdir */ ++ if (strchr(vol->name, '/')) { ++ virReportError(VIR_ERR_OPERATION_INVALID, ++ _("volume name '%s' cannot contain '/'"), vol->name); ++ return -1; ++ } ++ + VIR_FREE(vol->target.path); + if (virAsprintf(&vol->target.path, "%s/%s", + pool->def->target.path, +-- +1.7.1 + diff -Nru libvirt-1.2.2/debian/patches/CVE-2016-5008.patch libvirt-1.2.2/debian/patches/CVE-2016-5008.patch --- libvirt-1.2.2/debian/patches/CVE-2016-5008.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2016-5008.patch 2018-01-19 18:32:23.000000000 +0000 @@ -0,0 +1,66 @@ +Backported of: + +From bb848feec0f3f10e92dd8e5231ae7aa89b5598f3 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Tue, 28 Jun 2016 14:39:58 +0200 +Subject: [PATCH] qemu: Let empty default VNC password work as documented + +CVE-2016-5008 + +Setting an empty graphics password is documented as a way to disable +VNC/SPICE access, but QEMU does not always behaves like that. VNC would +happily accept the empty password. Let's enforce the behavior by setting +password expiration to "now". + +https://bugzilla.redhat.com/show_bug.cgi?id=1180092 + +Signed-off-by: Jiri Denemark +diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c +index 69a1976..afec597 100644 +--- a/src/qemu/qemu_hotplug.c ++++ b/src/qemu/qemu_hotplug.c +@@ -3501,6 +3501,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver, + time_t now = time(NULL); + char expire_time [64]; + const char *connected = NULL; ++ const char *password; + int ret = -1; + virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); + +@@ -3508,15 +3509,13 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver, + ret = 0; + goto cleanup; + } ++ password = auth->passwd ? auth->passwd : defaultPasswd; + + if (auth->connected) + connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected); + + qemuDomainObjEnterMonitor(driver, vm); +- ret = qemuMonitorSetPassword(priv->mon, +- type, +- auth->passwd ? auth->passwd : defaultPasswd, +- connected); ++ ret = qemuMonitorSetPassword(priv->mon, type, password, connected); + + if (ret == -2) { + if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) { +@@ -3524,14 +3523,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver, + _("Graphics password only supported for VNC")); + ret = -1; + } else { +- ret = qemuMonitorSetVNCPassword(priv->mon, +- auth->passwd ? auth->passwd : defaultPasswd); ++ ret = qemuMonitorSetVNCPassword(priv->mon, password); + } + } + if (ret != 0) + goto end_job; + +- if (auth->expires) { ++ if (password[0] == '\0') { ++ snprintf(expire_time, sizeof(expire_time), "now"); ++ } else if (auth->expires) { + time_t lifetime = auth->validTo - now; + if (lifetime <= 0) + snprintf(expire_time, sizeof(expire_time), "now"); diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch 2018-01-25 19:09:43.000000000 +0000 @@ -0,0 +1,43 @@ +Backport of: + +From 8b605530e80a13b44d8a05f5718a3edab18d3ff5 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 12 Dec 2017 16:23:42 +0100 +Subject: [PATCH] cpu: add CPU features for indirect branch prediction + protection + +Added in QEMU commits TBD and TBD. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:09:41.062210162 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:09:41.058210156 -0500 +@@ -287,6 +287,9 @@ + + + ++ ++ ++ + + + +@@ -327,6 +330,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch 2018-01-25 19:12:25.000000000 +0000 @@ -0,0 +1,43 @@ +Backport of: + +From 6b7e7d1cc24a28a9f5ece8626f807189647d14b4 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Nehalem-IBRS CPU model + +This is a variant of Nehalem with indirect branch prediction protection. +The only difference between Nehalem and Nehalem-IBRS is the added +"spec-ctrl" feature. + +Thus the diff matches QEMU, but the new CPU model itself is different. +The QEMU's versions of both models contain "vme" feature, while this +feature is missing in libvirt's models. While we can't change the +existing Nehalem CPU model, we could add "vme" to Nehalem-IBRS to make +it similar to QEMU, but doing so would fool our CPU detecting code so +that any Nehalem CPU with "vme" feature would be detected as +Nehalem-IBRS CPU without spec-ctrl. Not adding "vme" to Nehalem-IBRS is +safe as QEMU will just provide the feature anyway, which matches what +happens with Nehalem (and new enough machine types). + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:11:48.602367288 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:14.966399008 -0500 +@@ -488,6 +488,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch 2018-01-25 19:12:51.000000000 +0000 @@ -0,0 +1,40 @@ +Backport of: + +From 2e3b220a874e558e54678afd7cf49466fe605e09 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Westmere-IBRS CPU model + +This is a variant of Westmere with indirect branch prediction +protection. The only difference between Westmere and Westmere-IBRS is +the added "spec-ctrl" feature. + +The Westmere-IBRS model in QEMU is a bit different since Westmere got +several additional features since we added it in cpu_map.xml: + arat, pclmuldq, vme + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:12:26.630412968 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:46.738436930 -0500 +@@ -498,6 +498,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch 2018-01-25 19:13:07.000000000 +0000 @@ -0,0 +1,40 @@ +Backport of: + +From 30b381cfdd5e92e5afa6de09f0fe533353e71d07 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add SandyBridge-IBRS CPU model + +This is a variant of SandyBridge with indirect branch prediction +protection. The only difference between SandyBridge and SandyBridge-IBRS +is the added "spec-ctrl" feature. + +The SandyBridge-IBRS model in QEMU is a bit different since SandyBridge +got several additional features since we added it in cpu_map.xml: + arat, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:12:52.758444079 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:52.754444074 -0500 +@@ -513,6 +513,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch 2018-01-25 19:15:52.000000000 +0000 @@ -0,0 +1,40 @@ +Backport of: + +From 7f83eefa9e6940c83579d31941efd07fab1b90c8 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Haswell-IBRS CPU model + +This is a variant of Haswell with indirect branch prediction protection. +The only difference between Haswell and Haswell-IBRS is the added +"spec-ctrl" feature. + +The Haswell-IBRS model in QEMU is a bit different since Haswell got +several additional features since we added it in cpu_map.xml: + arat, abm, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:15:10.610604971 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:15:43.086642177 -0500 +@@ -534,6 +534,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2018-1064.patch libvirt-1.2.2/debian/patches/CVE-2018-1064.patch --- libvirt-1.2.2/debian/patches/CVE-2018-1064.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2018-1064.patch 2018-05-23 17:29:59.000000000 +0000 @@ -0,0 +1,56 @@ +From fbf31e1a4cd19d6f6e33e0937a009775cd7d9513 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Daniel=20P.=20Berrang=C3=A9?= +Date: Thu, 1 Mar 2018 14:55:26 +0000 +Subject: [PATCH] qemu: avoid denial of service reading from QEMU guest agent (CVE-2018-1064) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +We read from the agent until seeing a \r\n pair to indicate a completed +reply or event. To avoid memory denial-of-service though, we must have a +size limit on amount of data we buffer. 10 MB is large enough that it +ought to cope with normal agent replies, and small enough that we're not +consuming unreasonable mem. + +This is identical to the flaw we had reading from the QEMU monitor +as CVE-2018-5748, so rather embarrassing that we forgot to fix +the agent code at the same time. + +Signed-off-by: Daniel P. Berrangé +--- + src/qemu/qemu_agent.c | 15 +++++++++++++++ + 1 files changed, 15 insertions(+), 0 deletions(-) + +Index: libvirt-1.2.2/src/qemu/qemu_agent.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_agent.c 2018-05-23 13:29:57.581695228 -0400 ++++ libvirt-1.2.2/src/qemu/qemu_agent.c 2018-05-23 13:29:57.577695222 -0400 +@@ -50,6 +50,15 @@ + #define DEBUG_IO 0 + #define DEBUG_RAW_IO 0 + ++/* We read from QEMU until seeing a \r\n pair to indicate a ++ * completed reply or event. To avoid memory denial-of-service ++ * though, we must have a size limit on amount of data we ++ * buffer. 10 MB is large enough that it ought to cope with ++ * normal QEMU replies, and small enough that we're not ++ * consuming unreasonable mem. ++ */ ++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024) ++ + /* When you are the first to uncomment this, + * don't forget to uncomment the corresponding + * part in qemuAgentIOProcessEvent as well. +@@ -515,6 +524,12 @@ qemuAgentIORead(qemuAgentPtr mon) + int ret = 0; + + if (avail < 1024) { ++ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) { ++ virReportSystemError(ERANGE, ++ _("No complete agent response found in %d bytes"), ++ QEMU_AGENT_MAX_RESPONSE); ++ return -1; ++ } + if (VIR_REALLOC_N(mon->buffer, + mon->bufferLength + 1024) < 0) + return -1; diff -Nru libvirt-1.2.2/debian/patches/CVE-2018-3639-1.patch libvirt-1.2.2/debian/patches/CVE-2018-3639-1.patch --- libvirt-1.2.2/debian/patches/CVE-2018-3639-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2018-3639-1.patch 2018-05-23 17:30:02.000000000 +0000 @@ -0,0 +1,34 @@ +Backport of: + +From 1dbca2eccad58d91a5fd33962854f1a653638182 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Daniel=20P.=20Berrang=C3=A9?= +Date: Mon, 21 May 2018 23:05:07 +0100 +Subject: [PATCH] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +New microcode introduces the "Speculative Store Bypass Disable" +CPUID feature bit. This needs to be exposed to guest OS to allow +them to protect against CVE-2018-3639. + +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Jiri Denemark +--- + src/cpu/cpu_map.xml | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +Index: libvirt-1.3.1/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.3.1.orig/src/cpu/cpu_map.xml 2018-05-23 13:26:38.793441472 -0400 ++++ libvirt-1.3.1/src/cpu/cpu_map.xml 2018-05-23 13:27:04.497473996 -0400 +@@ -290,6 +290,9 @@ + + + ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2018-3639-2.patch libvirt-1.2.2/debian/patches/CVE-2018-3639-2.patch --- libvirt-1.2.2/debian/patches/CVE-2018-3639-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2018-3639-2.patch 2018-05-23 17:30:10.000000000 +0000 @@ -0,0 +1,44 @@ +Backport of: + +From 9267342206ce17f6933d57a3128cdc504d5945c9 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Daniel=20P.=20Berrang=C3=A9?= +Date: Mon, 21 May 2018 23:05:08 +0100 +Subject: [PATCH] cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Some AMD processors only support a non-architectural means of +enabling Speculative Store Bypass Disable. To allow simplified +handling in virtual environments, hypervisors will expose an +architectural definition through CPUID bit 0x80000008_EBX[25]. +This needs to be exposed to guest OS running on AMD x86 hosts to +allow them to protect against CVE-2018-3639. + +Note that since this CPUID bit won't be present in the host CPUID +results on physical hosts, it will not be enabled automatically +in guests configured with "host-model" CPU unless using QEMU +version >= 2.9.0. Thus for older versions of QEMU, this feature +must be manually enabled using policy=force. Guests using the +"host-passthrough" CPU mode do not need special handling. + +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Jiri Denemark +--- + src/cpu/cpu_map.xml | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-05-23 13:30:08.085708761 -0400 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-05-23 13:30:08.081708756 -0400 +@@ -337,6 +337,9 @@ + + + ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2018-5748.patch libvirt-1.2.2/debian/patches/CVE-2018-5748.patch --- libvirt-1.2.2/debian/patches/CVE-2018-5748.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2018-5748.patch 2018-01-19 17:37:02.000000000 +0000 @@ -0,0 +1,49 @@ +From bc251ea91bcfddd2622fce6bce701a438b2e7276 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrange +Date: Tue, 16 Jan 2018 17:00:11 +0000 +Subject: [PATCH] qemu: avoid denial of service reading from QEMU monitor (CVE-2018-5748) + +We read from QEMU until seeing a \r\n pair to indicate a completed reply +or event. To avoid memory denial-of-service though, we must have a size +limit on amount of data we buffer. 10 MB is large enough that it ought +to cope with normal QEMU replies, and small enough that we're not +consuming unreasonable mem. + +Signed-off-by: Daniel P. Berrange +--- + src/qemu/qemu_monitor.c | 15 +++++++++++++++ + 1 files changed, 15 insertions(+), 0 deletions(-) + +Index: libvirt-1.2.2/src/qemu/qemu_monitor.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_monitor.c ++++ libvirt-1.2.2/src/qemu/qemu_monitor.c +@@ -51,6 +51,15 @@ + #define DEBUG_IO 0 + #define DEBUG_RAW_IO 0 + ++/* We read from QEMU until seeing a \r\n pair to indicate a ++ * completed reply or event. To avoid memory denial-of-service ++ * though, we must have a size limit on amount of data we ++ * buffer. 10 MB is large enough that it ought to cope with ++ * normal QEMU replies, and small enough that we're not ++ * consuming unreasonable mem. ++ */ ++#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024) ++ + struct _qemuMonitor { + virObjectLockable parent; + +@@ -533,6 +542,12 @@ qemuMonitorIORead(qemuMonitorPtr mon) + int ret = 0; + + if (avail < 1024) { ++ if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) { ++ virReportSystemError(ERANGE, ++ _("No complete monitor response found in %d bytes"), ++ QEMU_MONITOR_MAX_RESPONSE); ++ return -1; ++ } + if (VIR_REALLOC_N(mon->buffer, + mon->bufferLength + 1024) < 0) + return -1; diff -Nru libvirt-1.2.2/debian/patches/fix_libvirtd_killed_by_sigsegv.patch libvirt-1.2.2/debian/patches/fix_libvirtd_killed_by_sigsegv.patch --- libvirt-1.2.2/debian/patches/fix_libvirtd_killed_by_sigsegv.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/fix_libvirtd_killed_by_sigsegv.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,63 @@ +Description: virObjectUnref() libvirtd killed by SIGSEGV + While memory load is high, libvirtd could be crashed(segfault) if you + command something ( destroy, migrate, etc ) + +Author: Peter Krempa + +Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=ad886fa6c8ebc321a0386a75c187d315111cf1f3 + upstream, http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=6ca857c7c8a1f7b571132d6c7fff5a06301a5e9a + upstream, http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=a98129c0ee52b6a8fdd39988a6d090057f149ae9 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1464175 +Last-Update: 2015-07-08 +Index: libvirt-1.2.2/daemon/remote.c +=================================================================== +--- libvirt-1.2.2.orig/daemon/remote.c ++++ libvirt-1.2.2/daemon/remote.c +@@ -143,6 +143,7 @@ remoteRelayDomainEventCheckACL(virNetSer + /* For now, we just create a virDomainDef with enough contents to + * satisfy what viraccessdriverpolkit.c references. This is a bit + * fragile, but I don't know of anything better. */ ++ memset(&def, 0, sizeof(def)); + def.name = dom->name; + memcpy(def.uuid, dom->uuid, VIR_UUID_BUFLEN); + +Index: libvirt-1.2.2/src/rpc/virnetserverclient.c +=================================================================== +--- libvirt-1.2.2.orig/src/rpc/virnetserverclient.c ++++ libvirt-1.2.2/src/rpc/virnetserverclient.c +@@ -910,12 +910,12 @@ void virNetServerClientDispose(void *obj + PROBE(RPC_SERVER_CLIENT_DISPOSE, + "client=%p", client); + +- virObjectUnref(client->identity); +- + if (client->privateData && + client->privateDataFreeFunc) + client->privateDataFreeFunc(client->privateData); + ++ virObjectUnref(client->identity); ++ + #if WITH_SASL + virObjectUnref(client->sasl); + #endif +Index: libvirt-1.2.2/src/util/viridentity.c +=================================================================== +--- libvirt-1.2.2.orig/src/util/viridentity.c ++++ libvirt-1.2.2/src/util/viridentity.c +@@ -110,14 +110,15 @@ int virIdentitySetCurrent(virIdentityPtr + return -1; + + old = virThreadLocalGet(&virIdentityCurrent); +- virObjectUnref(old); + + if (virThreadLocalSet(&virIdentityCurrent, + virObjectRef(ident)) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Unable to set thread local identity")); ++ virObjectUnref(ident); + return -1; + } ++ virObjectUnref(old); + + return 0; + } diff -Nru libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch --- libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,88 @@ +|From 25df57db73adc3e610193ee1fcdd202c47ba471d Mon Sep 17 00:00:00 2001 +|From: zhang bo +|Date: Thu, 5 Mar 2015 10:01:50 +0800 +|Subject: [PATCH] util: don't fail if no PortData is found while getting +| migrateData +| +|Introduced by f6a2f97e +| +|Problem Description: +|After multiple times of migrating a domain, which has an ovs interface with no portData set, +|with non-shared disk, nbd ports got overflowed. +| +|The steps to reproduce the problem: +|1 define and start a domain with its network configured as: +| +| +| +| +| +| +| +|2 do not set the network's portData. +|3 migrate(ToURI2) it with flag 91(1011011), which means: +| VIR_MIGRATE_LIVE +| VIR_MIGRATE_PEER2PEER +| VIR_MIGRATE_PERSIST_DEST +| VIR_MIGRATE_UNDEFINE_SOURCE +| VIR_MIGRATE_NON_SHARED_DISK +|4 migrate success, but we got an error log in libvirtd.log: +| error : virCommandWait:2423 : internal error: Child process (ovs-vsctl --timeout=5 get Interface +| vnet1 external_ids:PortData) unexpected exit status 1: ovs-vsctl: no key "PortData" in Interface +| record "vnet1" column external_ids +|5 migrate it back, migrate it , migrate it back, ....... +|6 nbd port got overflowed. +| +|The reasons for the problem is : +|1 virNetDevOpenvswitchGetMigrateData() takes it as wrong if no portData is available for the ovs +| interface of a domain. (We think it's not appropriate, as portData is just OPTIONAL) +|2 in func qemuMigrationBakeCookie(), it fails in qemuMigrationCookieAddNetwork(), and returns with -1. +| qemuMigrationCookieAddNBD() is not called thereafter, and mig->nbd is still NULL. +|3 However, qemuMigrationRun() just *WARN* if qemuMigrationBakeCookie() fails, migration still successes. +| cookie is NULL, it's not baked on the src side. +|4 On the destination side, it would alloc a port first and then free the nbd port in COOKIE. +| But the cookie is NULL due to qemuMigrationCookieAddNetwork() failure at src side. thus the nbd port +| is not freed. +| +|In this patch, we add "--if-exists" option to make ovs-vsctl not raise error if there's no portData available. +|Further more, because portData may be NULL in the cookie at the dest side, check it before setting portData. +| +|Signed-off-by: Zhou Yimin +|Signed-off-by: Zhang Bo + +--- + +Origin: upstream, https://github.com/libvirt/libvirt/commit/25df57db73adc3e610193ee1fcdd202c47ba471d +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1540537 + +--- libvirt-1.2.2.orig/src/util/virnetdevopenvswitch.c ++++ libvirt-1.2.2/src/util/virnetdevopenvswitch.c +@@ -30,6 +30,7 @@ + #include "virerror.h" + #include "virmacaddr.h" + #include "virstring.h" ++#include "virlog.h" + + #define VIR_FROM_THIS VIR_FROM_NONE + +@@ -208,7 +209,7 @@ int virNetDevOpenvswitchGetMigrateData(c + virCommandPtr cmd = NULL; + int ret = -1; + +- cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "get", "Interface", ++ cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", + ifname, "external_ids:PortData", NULL); + + virCommandSetOutputBuffer(cmd, migrate); +@@ -243,6 +244,11 @@ int virNetDevOpenvswitchSetMigrateData(c + virCommandPtr cmd = NULL; + int ret = -1; + ++ if (!migrate) { ++ VIR_DEBUG("No OVS port data for interface %s", ifname); ++ return 0; ++ } ++ + cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "set", + "Interface", ifname, NULL); + virCommandAddArgFormat(cmd, "external_ids:PortData=%s", migrate); diff -Nru libvirt-1.2.2/debian/patches/libxl-Support-PV-consoles.patch libvirt-1.2.2/debian/patches/libxl-Support-PV-consoles.patch --- libvirt-1.2.2/debian/patches/libxl-Support-PV-consoles.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/libxl-Support-PV-consoles.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,77 @@ +From 657cb1e44d90bab451256616f9d98fb4439a080c Mon Sep 17 00:00:00 2001 +From: Ian Campbell +Date: Fri, 25 Apr 2014 16:54:20 +0100 +Subject: [PATCH] libxl: Support PV consoles + +Currently the driver only exposes the ability to connect to the serial console +of a Xen guest, which doesn't work for a PV guest. Since for an HVM guest the +serial devices are duplicated as consoles it is sufficient to just use the +console devices unconditionally. + +Tested with the following bit of config XML: + + + ... + + + + + + + +I have observed and tested this on ARM but I believe it also applies to x86 PV +guests. + +Signed-off-by: Ian Campbell +Cc: Jim Fehlig +Cc: Dario Faggioli +Cc: Clark Laughlin + +BugLink: http://bugs.launchpad.net/bugs/1334738 + +(cherry-picked from commit 657cb1e44d90bab451256616f9d98fb4439a080c upstream) +Signed-off-by: Stefan Bader +--- + src/libxl/libxl_driver.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c +index a6ae8a1..e5ed0f2 100644 +--- a/src/libxl/libxl_driver.c ++++ b/src/libxl/libxl_driver.c +@@ -3780,6 +3780,7 @@ libxlDomainOpenConsole(virDomainPtr dom, + { + virDomainObjPtr vm = NULL; + int ret = -1; ++ libxl_console_type console_type; + virDomainChrDefPtr chr = NULL; + libxlDomainObjPrivatePtr priv; + char *console = NULL; +@@ -3807,8 +3808,8 @@ libxlDomainOpenConsole(virDomainPtr dom, + + priv = vm->privateData; + +- if (vm->def->nserials) +- chr = vm->def->serials[0]; ++ if (vm->def->nconsoles) ++ chr = vm->def->consoles[0]; + + if (!chr) { + virReportError(VIR_ERR_INTERNAL_ERROR, +@@ -3824,7 +3825,12 @@ libxlDomainOpenConsole(virDomainPtr dom, + goto cleanup; + } + +- ret = libxl_primary_console_get_tty(priv->ctx, vm->def->id, &console); ++ console_type = ++ (chr->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL ? ++ LIBXL_CONSOLE_TYPE_SERIAL : LIBXL_CONSOLE_TYPE_PV); ++ ++ ret = libxl_console_get_tty(priv->ctx, vm->def->id, chr->target.port, ++ console_type, &console); + if (ret) + goto cleanup; + +-- +1.7.9.5 + diff -Nru libvirt-1.2.2/debian/patches/md-clear.patch libvirt-1.2.2/debian/patches/md-clear.patch --- libvirt-1.2.2/debian/patches/md-clear.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/md-clear.patch 2019-05-16 19:56:03.000000000 +0000 @@ -0,0 +1,42 @@ +Backport of: + +From 538d873571d7a682852dc1d70e5f4478f4d64e85 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Fri, 5 Apr 2019 15:11:20 +0200 +Subject: [PATCH] cpu_map: Define md-clear CPUID bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + +The bit is set when microcode provides the mechanism to invoke a flush +of various exploitable CPU buffers by invoking the VERW instruction. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Jiri Denemark +Reviewed-by: Daniel P. Berrangé +--- + src/cpu_map/x86_features.xml | 3 +++ + .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +- + .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 + + .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 1 + + .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 1 + + .../x86_64-cpuid-Xeon-Platinum-8268-guest.xml | 1 + + .../x86_64-cpuid-Xeon-Platinum-8268-host.xml | 1 + + 7 files changed, 9 insertions(+), 1 deletions(-) + +Index: libvirt-1.3.1/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.3.1.orig/src/cpu/cpu_map.xml 2019-05-14 15:12:09.891761528 -0400 ++++ libvirt-1.3.1/src/cpu/cpu_map.xml 2019-05-14 15:13:02.328081630 -0400 +@@ -287,6 +287,9 @@ + + + ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/numa-cgroups-fix-cpuset-mems-init.patch libvirt-1.2.2/debian/patches/numa-cgroups-fix-cpuset-mems-init.patch --- libvirt-1.2.2/debian/patches/numa-cgroups-fix-cpuset-mems-init.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/numa-cgroups-fix-cpuset-mems-init.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,131 @@ +commit aa668fccf078bf9833047776549a5a06435cf470 +Author: Martin Kletzander +Date: Tue Jul 8 09:53:06 2014 +0200 + + qemu: split out cpuset.mems setting + + Signed-off-by: Martin Kletzander + +commit 7e72ac787848b7434c9359a57c1e2789d92350f8 +Author: Martin Kletzander +Date: Tue Jul 8 09:59:49 2014 +0200 + + qemu: leave restricting cpuset.mems after initialization + + When domain is started with numatune memory mode strict and the + nodeset does not include host NUMA node with DMA and DMA32 zones, KVM + initialization fails. This is because cgroup restrict even kernel + allocations. We are already doing numa_set_membind() which does the + same thing, only it does not restrict kernel allocations. + + This patch leaves the userspace numa_set_membind() in place and moves + the cpuset.mems setting after the point where monitor comes up, but + before vcpu and emulator sub-groups are created. + + Signed-off-by: Martin Kletzander + +Index: libvirt-1.2.2/src/qemu/qemu_cgroup.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_cgroup.c 2015-01-06 06:47:37.434342510 -0600 ++++ libvirt-1.2.2/src/qemu/qemu_cgroup.c 2015-01-06 06:49:01.738018370 -0600 +@@ -574,13 +574,11 @@ + + + static int +-qemuSetupCpusetCgroup(virDomainObjPtr vm, +- virBitmapPtr nodemask, +- virCapsPtr caps) ++qemuSetupCpusetMems(virDomainObjPtr vm, ++ virBitmapPtr nodemask) + { + qemuDomainObjPrivatePtr priv = vm->privateData; + char *mem_mask = NULL; +- char *cpu_mask = NULL; + int ret = -1; + + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) +@@ -607,6 +605,25 @@ + goto cleanup; + } + ++ ret = 0; ++ cleanup: ++ VIR_FREE(mem_mask); ++ return ret; ++} ++ ++ ++static int ++qemuSetupCpusetCgroup(virDomainObjPtr vm, ++ virBitmapPtr nodemask, ++ virCapsPtr caps) ++{ ++ qemuDomainObjPrivatePtr priv = vm->privateData; ++ char *cpu_mask = NULL; ++ int ret = -1; ++ ++ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) ++ return 0; ++ + if (vm->def->cpumask || + (vm->def->placement_mode == VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO)) { + +@@ -632,7 +649,6 @@ + + ret = 0; + cleanup: +- VIR_FREE(mem_mask); + VIR_FREE(cpu_mask); + return ret; + } +@@ -801,6 +817,13 @@ + } + + int ++qemuSetupCgroupPostInit(virDomainObjPtr vm, ++ virBitmapPtr nodemask) ++{ ++ return qemuSetupCpusetMems(vm, nodemask); ++} ++ ++int + qemuSetupCgroupVcpuBW(virCgroupPtr cgroup, + unsigned long long period, + long long quota) +Index: libvirt-1.2.2/src/qemu/qemu_cgroup.h +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_cgroup.h 2015-01-06 06:47:37.434342510 -0600 ++++ libvirt-1.2.2/src/qemu/qemu_cgroup.h 2015-01-06 06:47:37.434342510 -0600 +@@ -1,7 +1,7 @@ + /* + * qemu_cgroup.h: QEMU cgroup management + * +- * Copyright (C) 2006-2007, 2009-2013 Red Hat, Inc. ++ * Copyright (C) 2006-2007, 2009-2014 Red Hat, Inc. + * Copyright (C) 2006 Daniel P. Berrange + * + * This library is free software; you can redistribute it and/or +@@ -44,6 +44,8 @@ + int qemuSetupCgroup(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virBitmapPtr nodemask); ++int qemuSetupCgroupPostInit(virDomainObjPtr vm, ++ virBitmapPtr nodemask); + int qemuSetupCgroupVcpuBW(virCgroupPtr cgroup, + unsigned long long period, + long long quota); +Index: libvirt-1.2.2/src/qemu/qemu_process.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_process.c 2015-01-06 06:47:37.434342510 -0600 ++++ libvirt-1.2.2/src/qemu/qemu_process.c 2015-01-06 06:47:37.434342510 -0600 +@@ -4039,6 +4039,10 @@ + if (!qemuProcessVerifyGuestCPU(driver, vm)) + goto cleanup; + ++ VIR_DEBUG("Setting up post-init cgroup restrictions"); ++ if (qemuSetupCgroupPostInit(vm, nodemask) < 0) ++ goto cleanup; ++ + VIR_DEBUG("Detecting VCPU PIDs"); + if (qemuProcessDetectVcpuPIDs(driver, vm) < 0) + goto cleanup; diff -Nru libvirt-1.2.2/debian/patches/qemu-filterref-crash.patch libvirt-1.2.2/debian/patches/qemu-filterref-crash.patch --- libvirt-1.2.2/debian/patches/qemu-filterref-crash.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/qemu-filterref-crash.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,28 @@ +If a domain network interface that contains a is modified +"live" using "virsh update-device --live", libvirtd would crash. This +was because the code supporting live update of an interface's +filterref was assuming that a filterref might be added or modified, +but didn't account for removing the filterref, resulting in a null +dereference of the filter name. + +Introduced with commit 258fb278, which was first in libvirt v1.0.1. + +This addresses https://bugzilla.redhat.com/show_bug.cgi?id=1093301 +--- + src/qemu/qemu_hotplug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libvirt-1.2.2/src/qemu/qemu_hotplug.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_hotplug.c ++++ libvirt-1.2.2/src/qemu/qemu_hotplug.c +@@ -1814,7 +1814,8 @@ qemuDomainChangeNetFilter(virConnectPtr + + virDomainConfNWFilterTeardown(olddev); + +- if (virDomainConfNWFilterInstantiate(conn, vm->def->uuid, newdev) < 0) { ++ if (newdev->filter && ++ virDomainConfNWFilterInstantiate(conn, vm->def->uuid, newdev) < 0) { + virErrorPtr errobj; + + virReportError(VIR_ERR_OPERATION_FAILED, diff -Nru libvirt-1.2.2/debian/patches/reject-blockcommit-of-active-layer.patch libvirt-1.2.2/debian/patches/reject-blockcommit-of-active-layer.patch --- libvirt-1.2.2/debian/patches/reject-blockcommit-of-active-layer.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/reject-blockcommit-of-active-layer.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,47 @@ +Description: qemu: reject rather than hang on blockcommit of active layer + +qemu 2.0 added the ability to commit the active layer, but slightly +differently than what libvirt had been anticipating in its +implementation of the virDomainBlockCommit call. As a result, if +you attempt to do a 'virsh blockcommit $dom vda', qemu gets into a +state where it is waiting on libvirt to end the job, while libvirt +is waiting on qemu to end the job, and the guest is effectively +hung with regards to further commands for that block device. + +I have patches coming down the pipeline that will add full support +for blockcommit of the active layer when coupled with qemu 2.0 or +later; but they depend on Peter's improvements to block job handling +and form enough of a new feature that they are not ready for +inclusion in the 1.2.5 release. So for now, just reject the +attempt, rather than letting the user get stuck. This is no worse +than the behavior of qemu 1.7 rejecting the job. + +* src/qemu/qemu_driver.c (qemuDomainBlockCommit): Reject active +commit. + +Signed-off-by: Eric Blake + +Origin: upstream, commit: e6bcbcd32c70ae394e7b6a530012fe8b07a59b5d +Bug-Ubuntu: https://launchpad.net/bugs/1317491 +Reviewed-By: Rafael David Tinoco +Last-Update: 2017-02-22 + +--- libvirt-1.2.2.orig/src/qemu/qemu_driver.c ++++ libvirt-1.2.2/src/qemu/qemu_driver.c +@@ -15341,6 +15341,16 @@ qemuDomainBlockCommit(virDomainPtr dom, + top, path); + goto endjob; + } ++ ++ /* FIXME: qemu 2.0 supports active commit, but as a two-stage ++ * process; qemu 2.1 is further improving active commit. We need ++ * to start supporting it in libvirt. */ ++ if (top_meta == disk->backingChain) { ++ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", ++ _("committing the active layer not supported yet")); ++ goto endjob; ++ } ++ + if (!top_meta || !top_meta->backingStore) { + virReportError(VIR_ERR_INVALID_ARG, + _("top '%s' in chain for '%s' has no backing file"), diff -Nru libvirt-1.2.2/debian/patches/series libvirt-1.2.2/debian/patches/series --- libvirt-1.2.2/debian/patches/series 2014-04-08 17:55:15.000000000 +0000 +++ libvirt-1.2.2/debian/patches/series 2019-05-16 19:56:03.000000000 +0000 @@ -26,3 +26,40 @@ libxl-set-disk-format-for-cdrom.patch libxl-set-vfb0-data-in-build-config.patch libxl-support-sexpr-in-native-to-XML-conversion.patch +libxl-Support-PV-consoles.patch +9026-fix-apparmor-profile-for-vfio-pci-passthrough +9027-virt-aa-helper-allow-access-to-vhost-net +CVE-2014-0179.patch +CVE-2014-3633.patch +9029-ovs-delete-port-if-it-exists-when-adding-new-one +9030-virsh-add-keepalive-in-new-vshconnect-fn +9031-cmdmigrate-move-vshconnect-before-vshwatchjob +9032-virsh-initialize-vsh-data-in-cmdmigrate +support-incoming-qemu-kvm +CVE-2014-3657.patch +CVE-2014-7823.patch +9034-complete-9p-support +numa-cgroups-fix-cpuset-mems-init.patch +9035-qemu-snapshot-save-persistent-domain-config +9036-dont-fail-without-cpu-model.patch +Support-incoming-migration-from-13.10-hosts.patch +qemu-filterref-crash.patch +storage_backend_rbd-correct-arg-order-to-rbd_create3 +fix_libvirtd_killed_by_sigsegv.patch +CVE-2014-8136.patch +CVE-2015-0236.patch +CVE-2015-5313.patch +fix-util-don-t-fail-if-no-portdata-is-found.patch +reject-blockcommit-of-active-layer.patch +virt-aa-helper-add-trusty-guest-agent-rule.patch +CVE-2017-5715-ibrs-1.patch +CVE-2017-5715-ibrs-2.patch +CVE-2017-5715-ibrs-3.patch +CVE-2017-5715-ibrs-4.patch +CVE-2017-5715-ibrs-7.patch +CVE-2018-5748.patch +CVE-2016-5008.patch +CVE-2018-1064.patch +CVE-2018-3639-1.patch +CVE-2018-3639-2.patch +md-clear.patch diff -Nru libvirt-1.2.2/debian/patches/storage_backend_rbd-correct-arg-order-to-rbd_create3 libvirt-1.2.2/debian/patches/storage_backend_rbd-correct-arg-order-to-rbd_create3 --- libvirt-1.2.2/debian/patches/storage_backend_rbd-correct-arg-order-to-rbd_create3 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/storage_backend_rbd-correct-arg-order-to-rbd_create3 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,26 @@ +commit 4cd508ba4fc3cc33c72629fe8b9012e73d8dd8bf +Author: Steven McDonald +Date: Tue Apr 29 12:19:01 2014 +1000 + + storage_backend_rbd: Correct argument order to rbd_create3 + + The stripe_unit and stripe_count arguments are passed to rbd_create3 in + the wrong order, resulting in a stripe size of 1 byte with 4194304 + stripes on newly created RBD volumes. + + https://bugzilla.redhat.com/show_bug.cgi?id=1092208 + Signed-off-by: Steven McDonald + +Index: libvirt-1.2.2/src/storage/storage_backend_rbd.c +=================================================================== +--- libvirt-1.2.2.orig/src/storage/storage_backend_rbd.c ++++ libvirt-1.2.2/src/storage/storage_backend_rbd.c +@@ -491,7 +491,7 @@ static int virStorageBackendRBDCreateIma + uint64_t stripe_unit = 4194304; + + if (rbd_create3(io, name, capacity, features, &order, +- stripe_count, stripe_unit) < 0) { ++ stripe_unit, stripe_count) < 0) { + #else + if (rbd_create(io, name, capacity, &order) < 0) { + #endif diff -Nru libvirt-1.2.2/debian/patches/Support-incoming-migration-from-13.10-hosts.patch libvirt-1.2.2/debian/patches/Support-incoming-migration-from-13.10-hosts.patch --- libvirt-1.2.2/debian/patches/Support-incoming-migration-from-13.10-hosts.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/Support-incoming-migration-from-13.10-hosts.patch 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,30 @@ +Index: libvirt-1.2.2/src/qemu/qemu_migration.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_migration.c ++++ libvirt-1.2.2/src/qemu/qemu_migration.c +@@ -2109,6 +2109,13 @@ static char + VIR_STRDUP(def->os.machine, "pc-1.0-precise") < 0) + goto cleanup; + } ++ if (STREQ_NULLABLE(vm->def->os.machine, "pc-i440fx-1.5")) { ++ VIR_FREE(vm->def->os.machine); ++ VIR_FREE(def->os.machine); ++ if (VIR_STRDUP(vm->def->os.machine, "pc-i440fx-1.5-saucy") < 0 || ++ VIR_STRDUP(def->os.machine, "pc-i440fx-1.5-saucy") < 0) ++ goto cleanup; ++ } + } + + rv = qemuDomainDefFormatLive(driver, def, false, true); +@@ -2447,6 +2454,11 @@ qemuMigrationPrepareAny(virQEMUDriverPtr + if (VIR_STRDUP(vm->def->os.machine, "pc-1.0-precise") < 0) + goto endjob; + } ++ if (STREQ_NULLABLE(vm->def->os.machine, "pc-i440fx-1.5")) { ++ VIR_FREE(vm->def->os.machine); ++ if (VIR_STRDUP(vm->def->os.machine, "pc-i440fx-1.5-saucy") < 0) ++ goto endjob; ++ } + } + + /* Start the QEMU daemon, with the same command-line arguments plus diff -Nru libvirt-1.2.2/debian/patches/support-incoming-qemu-kvm libvirt-1.2.2/debian/patches/support-incoming-qemu-kvm --- libvirt-1.2.2/debian/patches/support-incoming-qemu-kvm 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/support-incoming-qemu-kvm 2017-09-06 07:56:41.000000000 +0000 @@ -0,0 +1,84 @@ +Description: Support incoming migration from 12.04 + This implements a new flag in /etc/libvirt/qemu.conf, + 'allow_incoming_qemukvm', default false. When true, then any + incoming migration of machine type pc-1.0 is assumed to come from + qemu-kvm in precise. + This depends on the qemu patch by Alex Bligh. +Author: Serge Hallyn +Forwarded: no +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1291321 + +Changelog: + oct 6 2014 [seh]: rename assume_incoming_qemukvm to allow_incoming_qemukvm. + +Index: libvirt-1.2.2/src/qemu/qemu_conf.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_conf.c ++++ libvirt-1.2.2/src/qemu/qemu_conf.c +@@ -229,6 +229,8 @@ virQEMUDriverConfigPtr virQEMUDriverConf + cfg->migrationPortMin = QEMU_MIGRATION_PORT_MIN; + cfg->migrationPortMax = QEMU_MIGRATION_PORT_MAX; + ++ cfg->allow_incoming_qemukvm = false; ++ + #if defined HAVE_MNTENT_H && defined HAVE_GETMNTENT_R + /* For privileged driver, try and find hugepage mount automatically. + * Non-privileged driver requires admin to create a dir for the +@@ -352,6 +354,7 @@ int virQEMUDriverConfigLoadFile(virQEMUD + goto cleanup; \ + } + ++ GET_VALUE_BOOL("allow_incoming_qemukvm", cfg->allow_incoming_qemukvm); + GET_VALUE_BOOL("vnc_auto_unix_socket", cfg->vncAutoUnixSocket); + GET_VALUE_BOOL("vnc_tls", cfg->vncTLS); + GET_VALUE_BOOL("vnc_tls_x509_verify", cfg->vncTLSx509verify); +Index: libvirt-1.2.2/src/qemu/qemu_conf.h +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_conf.h ++++ libvirt-1.2.2/src/qemu/qemu_conf.h +@@ -164,6 +164,9 @@ struct _virQEMUDriverConfig { + char *migrationAddress; + int migrationPortMin; + int migrationPortMax; ++ ++ /* Whether incoming pc-1.0 migration should come from qemu-kvm */ ++ bool allow_incoming_qemukvm; + }; + + /* Main driver state */ +Index: libvirt-1.2.2/src/qemu/qemu_migration.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_migration.c ++++ libvirt-1.2.2/src/qemu/qemu_migration.c +@@ -2101,6 +2101,16 @@ static char + if (!qemuDomainDefCheckABIStability(driver, vm->def, def)) + goto cleanup; + ++ if (driver->config->allow_incoming_qemukvm) { ++ if (STREQ_NULLABLE(vm->def->os.machine, "pc-1.0")) { ++ VIR_FREE(vm->def->os.machine); ++ VIR_FREE(def->os.machine); ++ if (VIR_STRDUP(vm->def->os.machine, "pc-1.0-precise") < 0 || ++ VIR_STRDUP(def->os.machine, "pc-1.0-precise") < 0) ++ goto cleanup; ++ } ++ } ++ + rv = qemuDomainDefFormatLive(driver, def, false, true); + } else { + rv = qemuDomainDefFormatLive(driver, vm->def, false, true); +@@ -2431,6 +2441,14 @@ qemuMigrationPrepareAny(virQEMUDriverPtr + goto endjob; + } + ++ if (driver->config->allow_incoming_qemukvm) { ++ if (STREQ_NULLABLE(vm->def->os.machine, "pc-1.0")) { ++ VIR_FREE(vm->def->os.machine); ++ if (VIR_STRDUP(vm->def->os.machine, "pc-1.0-precise") < 0) ++ goto endjob; ++ } ++ } ++ + /* Start the QEMU daemon, with the same command-line arguments plus + * -incoming $migrateFrom + */ diff -Nru libvirt-1.2.2/debian/patches/virt-aa-helper-add-trusty-guest-agent-rule.patch libvirt-1.2.2/debian/patches/virt-aa-helper-add-trusty-guest-agent-rule.patch --- libvirt-1.2.2/debian/patches/virt-aa-helper-add-trusty-guest-agent-rule.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/virt-aa-helper-add-trusty-guest-agent-rule.patch 2017-09-07 06:21:11.000000000 +0000 @@ -0,0 +1,31 @@ +Description: virt-aa-helper: add a rule allowing all private channel access + +The older libvirt in Trusty creates some channels under a namespace that +is not covered by virt-aa-helper. But since the scheme of these +channel files is known a rule can be added that still name-spaces per guest. +So always allow rw to things under that directory. + +In latter Ubuntu releases the path changes and in even latter ones the delta +is dropped as the paths generated by libvirt now match those created by +virt-aa-helper. + +Forwarded: no (solved by proper namespaceing and new virt-aa-helper rules) +Author: Christian Ehrhardt +Original-Author: Serge Hallyn +Origin: https://git.launchpad.net/~libvirt-maintainers/ubuntu/+source/libvirt/tree/debian/patches/ubuntu/virt-aa-helper-add-guest-agent-rule.patch?h=ubuntu/xenial +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1393842 +Last-Update: 2017-08-28 + +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -973,6 +973,10 @@ get_files(vahControl * ctl) + ctl->def->parallels[i]->source.type) != 0) + goto cleanup; + ++ virBufferAsprintf(&buf, " # for qemu guest agent channel\n"); ++ virBufferAsprintf(&buf, " owner \"/var/lib/libvirt/qemu/channel/target/%s.**\" rw,\n", ++ ctl->def->name); ++ + for (i = 0; i < ctl->def->nchannels; i++) + if (ctl->def->channels[i] && + (ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_PTY || diff -Nru libvirt-1.2.2/debian/README.Debian libvirt-1.2.2/debian/README.Debian --- libvirt-1.2.2/debian/README.Debian 2013-02-13 15:47:55.000000000 +0000 +++ libvirt-1.2.2/debian/README.Debian 2017-09-06 07:56:41.000000000 +0000 @@ -210,3 +210,19 @@ libvirt-migrate-qemu-machinetype program to do it for them. -- Serge Hallyn Tue, 22 May 2012 17:34:00 +0000 + +QEMU/kvm pc-1.0 Machine Type migration +=============================== +In 14.04 Ubuntu switched from the qemu-kvm source tree to the qemu source tree. +The pc-1.0 machine type in the two source trees differed. This made +live migration of a pc-1.0 machine type guest from a 12.04 host to a 14.04 +host fail. Fixing this transparently is impossible at this point as it +would break migration from pc-1.0 machine type VMs started in 14.04. + +To work around this, a flag in /etc/libvirt/qemu.conf, +"allow_incoming_qemu_kvm", can be set to 1 to tell libvirt to use the new +pc-1.0-precise machine type. This matches what was called pc-1.0 on 12.04 +hosts. Leave this option 0 (or undefined) to accept migration of a pc-1.0 +VM coming from a 14.04 host. + + -- Serge Hallyn Mon, 06 Oct 2014 17:11:54 -0500