Change logs for libvirt source package in Artful

  • libvirt (3.6.0-1ubuntu6.8) artful-security; urgency=medium
    
      * SECURITY UPDATE: QEMU monitor DoS
        - debian/patches/CVE-2018-1064.patch: add size limit to
          src/qemu/qemu_agent.c.
        - CVE-2018-1064
      * SECURITY UPDATE: Speculative Store Bypass
        - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature
          bit in src/cpu/cpu_map.xml.
        - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID
          feature bit in src/cpu/cpu_map.xml.
        - CVE-2018-3639
    
     -- Marc Deslauriers <email address hidden>  Wed, 23 May 2018 13:23:59 -0400
  • libvirt (3.6.0-1ubuntu6.7) artful; urgency=medium
    
      * Fix nwfilters that set CTRL_IP_LEARNING to dhcp failing with "An error
        occurred, but the cause is unknown" due to a buffer being too small
        for pcap with TPACKET_V3 enabled (LP: #1758037)
        - debian/patches/ubuntu/lp-1758037-nwfilter-increase-pcap-buffer-size.patch
    
     -- Christian Ehrhardt <email address hidden>  Fri, 11 May 2018 07:35:09 +0200
  • libvirt (3.6.0-1ubuntu6.6) artful; urgency=medium
    
      * Fix clean shut down of guests on system shutdown (LP: #1764668)
        - d/p/ubuntu/lp-1764668-do-not-report-unknown-guests.patch
        - d/p/ubuntu/lp-1764668-fix-check_guests_shutdown-loop.patch
    
     -- Christian Ehrhardt <email address hidden>  Wed, 25 Apr 2018 09:24:08 +0200
  • libvirt (3.6.0-1ubuntu6.5) artful; urgency=medium
    
      * d/p/ubuntu/lp1688508-fix-variable-scope-in-in-check_guests_shutdown.patch:
        backport further upstream fixes that were identified on verification.
        Together with the former change this fixes (LP: #1688508)
    
    libvirt (3.6.0-1ubuntu6.4) artful; urgency=medium
    
      * d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch:
        avoid hanging on shutdown (LP: #1688508)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 03 Apr 2018 16:23:04 +0200
  • libvirt (3.6.0-1ubuntu6.4) artful; urgency=medium
    
      * d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch:
        avoid hanging on shutdown (LP: #1688508)
    
     -- Dariusz Gadomski <email address hidden>  Mon, 26 Feb 2018 14:30:44 +0100
  • libvirt (3.6.0-1ubuntu6.3) artful-security; urgency=medium
    
      [ Leonidas S. Barbosa ]
      * SECURITY UPDATE: resource exhaustion resulting in DoS
        - debian/patches/CVE-2018-5748.patch: avoid DoS reading from
          QEMU monitor in src/qemu/qemu_monitor.c.
        - CVE-2018-5748
      * SECURITY UPDATE: Failure to validate SSL/TLS certificates
        - debian/patches/CVE-2017-1000256.patch: ensure TLS clients always verify
          the server certificate in src/qemu/qemu_command.c.
        - CVE-2017-1000256
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: code injection via libnss_dns.so
        - debian/patches/CVE-2018-6764-1.patch: determine the hostname on
          startup in src/util/virlog.c.
        - debian/patches/CVE-2018-6764-2.patch: fix syntax-check in
          src/util/virlog.c.
        - debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname
          in cfg.mk, src/util/virlog.c.
        - CVE-2018-6764
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Feb 2018 07:51:15 -0500
  • libvirt (3.6.0-1ubuntu6.2) artful-security; urgency=medium
    
      * SECURITY UPDATE: Add support for Spectre mitigations
        - debian/patches/CVE-2017-5715-microcode*.patch: include x86 microcode
          version in virsh capabilities and force update if the microcode
          does not match.
        - debian/patches/CVE-2017-5715-ibrs*.patch: add CPU features for
          indirect branch prediction protection and add new *-IBRS CPU models.
        - debian/control: add Breaks to get updated qemu with new CPU models.
        - CVE-2017-5715
    
     -- Marc Deslauriers <email address hidden>  Thu, 01 Feb 2018 15:00:14 -0500
  • libvirt (3.6.0-1ubuntu6) artful; urgency=medium
    
      * d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append
        files (LP: #1726804)
      * d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch:
        fix path generation for USB host devices (LP: #1552241)
      * d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch:
        generate valid rules on usb passthrough (LP: #1686324)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 24 Oct 2017 14:30:34 +0200
  • libvirt (3.6.0-1ubuntu5) artful; urgency=medium
    
      * d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch:
        fix FTBFS with glibc 2.26 (LP: #1718668)
    
     -- Christian Ehrhardt <email address hidden>  Thu, 28 Sep 2017 08:18:10 -0400
  • libvirt (3.6.0-1ubuntu4) artful; urgency=medium
    
      * d/p/avoid-double-locking.patch: fix a deadlock that could occur when
        libvirtd interactions raced with dbus causing a deadlock (LP: #1714254).
    
     -- Christian Ehrhardt <email address hidden>  Fri, 01 Sep 2017 10:29:35 +0200
  • libvirt (3.6.0-1ubuntu3) artful; urgency=medium
    
      * No change rebuild for Qemu 2.10 and Xen 4.9
    
     -- Christian Ehrhardt <email address hidden>  Mon, 21 Aug 2017 10:34:13 +0200
  • libvirt (3.6.0-1ubuntu2) artful; urgency=medium
    
      * d/p/ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch:
        for compatibility with the behavior of qemu 2.10 this adds locking
        permission to rules generated for loader/nvram (LP: #1710960)
    
     -- Christian Ehrhardt <email address hidden>  Thu, 17 Aug 2017 10:00:19 +0200
  • libvirt (3.6.0-1ubuntu1) artful; urgency=medium
    
      * Merged with Debian unstable (3.6)
        This closes several bugs:
        - aarch64: improved chardev handling (LP: #1697610)
        - Forbid locking memory without memtune (LP: #1708305)
      * Remaining changes:
        - Disable sheepdog (universe dependency)
        - Disable libssh2 support (universe dependency)
        - Disable firewalld support (universe dependency)
        - Disable selinux
        - Set qemu-group to kvm (for compat with older ubuntu)
        - Regularly clear AppArmor profiles for vms that no longer exist
        - Additional apport package-hook
        - Modifications to adapt for our delayed switch away from libvirt-bin (can
          be dropped >18.04).
          + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
            to old service name so that old references work
          + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
            to old service name so that old references work
          + d/control: transitional package with the old name and maintainer
            scripts to handle the transition
        - Backwards compatible handling of group rename (can be dropped >18.04).
        - config details and autostart of default bridged network. Creating that is
          now the default in general, yet our solution provides the following on
          top as of today:
          + nat only on some ports <port start='1024' end='65535'/>
          + autostart the default network by default
          + do not autostart if 192.168.122.0 is already taken (e.g. in containers)
        - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
          the group based access to libvirt functions as it was used in Ubuntu
          for quite long.
          + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
            due to the group access change.
        - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
        - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
          which provided a separate kvm-spice.
        - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test
        - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
          section that adapts the path of the emulator to the Debian/Ubuntu
          packaging is kept.
        - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
          set VRAM to minimum requirements
        - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
        - Add libxl log directory
        - libvirt-uri.sh: Automatically switch default libvirt URI for users on
          Xen dom0 via user profile (was missing on changelogs before)
        - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
          included_files to avoid build failures due to duplicate definitions.
        - Update README.Debian with Ubuntu changes
        - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
        - Enable some additional features on ppc64el and s390x (for arch parity)
          + systemtap, zfs, numa and numad on s390x.
          + systemtap on ppc64el.
        - fix conffile upgrade handling to avoid obsolete files
          and inactive duplicates (LP 1694159)
        - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
          vmlinuz available and accessible (Debian bug 848314)
        - d/test/smoke-lxc workaround for debbug 848317/867379
        - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317)
        - Extended handling of apparmor profiles - clear lost profiles via cron
        - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04,
          no more UCA onto Xenial then which has global dnsmasq by default).
        - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
        - conffile handling of files dropped in 3.5 (can be dropped >18.04)
          + /etc/init.d/virtlockd was sysv init only
          + /etc/apparmor.d/local/usr.sbin.libvirtd and
            /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated
            by dh_apparmor as needed
        - Reworked apparmor Delta, especially the more complex delta is dropped
          now, also our former delta is now split into logical pieces, has
          improved comments and is part of a continuous upstreaming effort.
          Listing related remaining changes:
          + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
            Allow pygrub to run on Debian/Ubuntu
          + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor,
            libvirt-qemu: Allow macvtap access
          + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
            apparmor, libvirt-qemu: Allow read access to overcommit_memory
          + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit
            deny for setpcap
          + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor,
            libvirt-qemu: Allow use of sgabios
          + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch:
            apparmor, libvirt-qemu: Silence lttng related deny messages
          + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
            apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
          + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch:
            apparmor, libvirt-qemu: Allow read access to sysfs system info
          + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch:
            apparmor, libvirt-qemu: Allow read access to max_mem_regions
          + d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch:
            apparmor, libvirt-qemu: Allow qemu-block-extra libraries
          + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch:
            apparmor, libvirt-qemu: Allow access to hugepage mounts
          + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch:
            apparmor, libvirtd: Allow access to netlink sockets
          + d/p/0013-apparmor-Add-rules-for-mediation-support.patch:
            apparmor: Add rules for mediation support
          + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch:
            apparmor, virt-aa-helper: Improve comment about backing store
          + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch:
            apparmor, virt-aa-helper: Allow access to ecryptfs files
          + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch:
            apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*
          + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
            apparmor, virt-aa-helper: Allow access to tmp directories
          + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch:
            apparmor, virt-aa-helper: Add ipv6 network policy
          + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch:
            apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices
          + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch:
            apparmor, virt-aa-helper: Allow various storage pools and image
            locations
          + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
            apparmor, virt-aa-helper: Add openvswitch support
          + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop
            references to qemu-kvm
          + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu
            won't call qemu-nbd
          + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch:
            apparmor, virt-aa-helper: Allow access to name services
          + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor
            permissions so virt-manager 1.4.0 viewing works (LP 1668681).
          + d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add
            /dev/vfio for vf (hot) attach (LP 1680384).
          + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch:
            apparmor: allow to parse cmdline of the pid that sent the shutdown
            signal (LP 1680384).
          + d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch:
            apparmor: add default pki path of libvirt-spice (LP 1690140)
          + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: apparmor,
            libvirt-qemu: Add 9p support
          + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper:
            add l to 9p file options.
          + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
            virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
            reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
          + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
            apparmor, libvirt-qemu: Allow reading charm-specific ceph config
          + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
            commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621).
          + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
            apparmor, virt-aa-helper: access for snapped nova
      * Dropped Changes (Upstream):
        - d/p/ubuntu/fix-libxl-default-driver-name.patch: avoid an issue with
          default driver entries missing name='qemu'.
        - d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP 1704782)
          Fix to be able to follow BackinStorage chains when creating per
          guest apparmor rules.
      * Dropped Changes (In Debian):
        - Enable esx support
          + Add build-dep to libcurl4-gnutls-dev (required for esx)
      * Added Changes:
        - d/p/ubuntu-aa/0035-virt-aa-helper-locking-disk-files-for-qemu-2.10.patch:
          for compatibility with the behavior of qemu 2.10 this adds locking
          permission to rules generated for disk files (LP: #1709818)
    
     -- Christian Ehrhardt <email address hidden>  Thu, 10 Aug 2017 12:44:47 +0200
  • libvirt (3.5.0-1ubuntu3) artful; urgency=medium
    
      * Refresh changes to match the way they were accepted upstream
        - d/p/u/aa-helper-Properly-link-with-storage-driver.patch add commit
          reference now that it is in git.
        - d/p/u/fix-libxl-default-driver-name.patch: instead of adding the
          name this is now fixed by relaxing the schema.
    
     -- Christian Ehrhardt <email address hidden>  Wed, 19 Jul 2017 12:48:39 +0200
  • libvirt (3.5.0-1ubuntu2) artful; urgency=medium
    
      * d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP: #1704782)
        Fix to be able to follow BackinStorage chains when creating per
        guest apparmor rules.
    
     -- Christian Ehrhardt <email address hidden>  Tue, 18 Jul 2017 16:34:57 +0200
  • libvirt (3.5.0-1ubuntu1) artful; urgency=medium
    
      * Merged with Debian unstable (3.5)
        This closes several bugs:
        - improved handling of host-model since libvirt 3.2 (LP: #1673467)
        - Adding POWER9 cpu model to cpu_map.xml (LP: #1690209)
      * Remaining changes:
        - Disable sheepdog (universe dependency)
        - Disable libssh2 support (universe dependency)
        - Disable firewalld support (universe dependency)
        - Disable selinux
        - Enable esx support
          + Add build-dep to libcurl4-gnutls-dev (required for esx)
        - Set qemu-group to kvm (for compat with older ubuntu)
        - Regularly clear AppArmor profiles for vms that no longer exist
        - Additional apport package-hook
        - Modifications to adapt for our delayed switch away from libvirt-bin (can
          be dropped >18.04).
          + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
            to old service name so that old references work
          + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
            to old service name so that old references work
          + d/control: transitional package with the old name and maintainer
            scripts to handle the transition
        - Backwards compatible handling of group rename (can be dropped >18.04).
        - config details and autostart of default bridged network. Creating that is
          now the default in general, yet our solution provides the following on
          top as of today:
          + nat only on some ports <port start='1024' end='65535'/>
          + autostart the default network by default
          + do not autostart if 192.168.122.0 is already taken (e.g. in containers)
        - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
          the group based access to libvirt functions as it was used in Ubuntu
          for quite long.
          + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
            due to the group access change.
        - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
        - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
          which provided a separate kvm-spice.
        - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test
        - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
          section that adapts the path of the emulator to the Debian/Ubuntu
          packaging is kept.
        - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
          set VRAM to minimum requirements
        - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
        - Add libxl log directory
        - libvirt-uri.sh: Automatically switch default libvirt URI for users on
          Xen dom0 via user profile (was missing on changelogs before)
        - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
          included_files to avoid build failures due to duplicate definitions.
        - Update README.Debian with Ubuntu changes
        - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
        - Enable some additional features on ppc64el and s390x (for arch parity)
          + systemtap, zfs, numa and numad on s390x.
          + systemtap on ppc64el.
        - fix conffile upgrade handling to avoid obsolete files
          and inactive duplicates (LP 1694159)
        - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
          vmlinuz available and accessible (Debian bug 848314)
        - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317)
        - Extended handling of apparmor profiles - clear lost profiles via cron
        - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04,
          no more UCA onto Xenial then which has global dnsmasq by default).
        - Reworked apparmor Delta, especially the more complex delta is dropped
          now, also our former delta is now split into logical pieces, has
          improved comments and is part of a continuous upstreaming effort.
          Listing related remaining changes:
          + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
            Allow pygrub to run on Debian/Ubuntu
          + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor,
            libvirt-qemu: Allow macvtap access
          + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
            apparmor, libvirt-qemu: Allow read access to overcommit_memory
          + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit
            deny for setpcap
          + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor,
            libvirt-qemu: Allow use of sgabios
          + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch:
            apparmor, libvirt-qemu: Silence lttng related deny messages
          + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
            apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
          + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch:
            apparmor, libvirt-qemu: Allow read access to sysfs system info
          + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch:
            apparmor, libvirt-qemu: Allow read access to max_mem_regions
          + d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch:
            apparmor, libvirt-qemu: Allow qemu-block-extra libraries
          + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch:
            apparmor, libvirt-qemu: Allow access to hugepage mounts
          + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch:
            apparmor, libvirtd: Allow access to netlink sockets
          + d/p/0013-apparmor-Add-rules-for-mediation-support.patch:
            apparmor: Add rules for mediation support
          + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch:
            apparmor, virt-aa-helper: Improve comment about backing store
          + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch:
            apparmor, virt-aa-helper: Allow access to ecryptfs files
          + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch:
            apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*
          + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
            apparmor, virt-aa-helper: Allow access to tmp directories
          + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch:
            apparmor, virt-aa-helper: Add ipv6 network policy
          + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch:
            apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices
          + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch:
            apparmor, virt-aa-helper: Allow various storage pools and image
            locations
          + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
            apparmor, virt-aa-helper: Add openvswitch support
          + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop
            references to qemu-kvm
          + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu
            won't call qemu-nbd
          + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch:
            apparmor, virt-aa-helper: Allow access to name services
          + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor
            permissions so virt-manager 1.4.0 viewing works (LP 1668681).
          + d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add
            /dev/vfio for vf (hot) attach (LP 1680384).
          + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch:
            apparmor: allow to parse cmdline of the pid that sent the shutdown
            signal (LP 1680384).
          + (28 is a new patch, listed in added changes)
          + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: apparmor,
            libvirt-qemu: Add 9p support
          + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper:
            add l to 9p file options.
          + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
            virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
            reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
          + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
            apparmor, libvirt-qemu: Allow reading charm-specific ceph config
          + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
            commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621).
          + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
            apparmor, virt-aa-helper: access for snapped nova
        - remaining but updated to match the latest release
          + d/p/Disable-use-of-namespaces-by-default.patch (Debian change)
          + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch (Debian change)
          + d/p/debian/apparmor_profiles_local_include.patch Include local
            apparmor profile (Debian change)
          + d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
          + d/test/smoke-lxc workaround for debbug 848317/867379
      * Dropped Changes (Upstream):
        - Add missing apparmor rule for debug-threads feature (LP 1615550).
        - Add new block device types to virt-aa-helpers profile (LP 1641618)
        - d/p/ubuntu/storage-default-permission-mode-to-0711: safer default perms
          for storage dirs like /var/lib/libvirt/images.
        - d/p/ubuntu/libvirtd-service-nolimit.patch: remove proc/file/task limits
          to support huge systems.
        - d/p/ubuntu/libvirtd-service-set-notifyaccess.patch: set NotifyAccess=all
          in libvirtd.service (-d not allowed to be specified, everything else
          upstream so drop delta; LP 1574566).
        - d/p/ubuntu/qemu_process-spice-don-t-release-used-port.patch: qemu_process
          spice: don't release used port (LP 1697729).
        - d/p/ubuntu/virsh-maxvcpu-fall-back-to-old-command.patch: virsh: maxvcpus:
          Always fall back to the old command if domain caps fail (LP 1674298)
        - d/p/ubuntu/qemu-Allow-empty-script-path-to-interface.patch: in the past
          it was possible to have <script path=''/> which now fails - fix to match
          the old behavior (LP 1665698)
        - Reworked apparmor Delta and started upstreaming, listing related
          changes dropped:
          + Apparmor feature parsing to depend on new apparmor features which
            appear in different versions across distributions (no more needed
            >=Xenial, allows to now separate changes and upstream more easily).
          + d/p/ubuntu/Ensure-disk-names-follow-the-disk-name-regex.patch:
            guarantee disk spec is following the defined regex (LP 1665410).
          + d/p/ubuntu/virt-aa-helper-add-guest-agent-rule.patch: add
            virt-aa-helper rule allowing all private channel access.
          + d/p/ubuntu/virt-aa-helper-apparmor-allow-usr-share-AAVMF-too.patch:
            virt-aa-helper to allow access to aarch64 UEFI images.
          + d/rules, apparmor: include and install local apparmor profiles (This
            is now done by dh_apparmor automatically)
          + add local apparmor override templates (provided by dh_apparmor now)
          + Fix name resolution calls from virt-aa-helper profile (LP 1546674).
          + virt-aa-helper, apparmor: allow /usr/share/OVMF/ too
          + virt-aa-helper: Generalize test for firmware paths
          + apparmor, virt-aa-helper: Allow aarch64 UEFI.
          + apparmor, libvirt-qemu: Add ppc64el related changes
          + apparmor, libvirtd: Allow libxl-save-helper to run on Debian/Ubuntu
          + apparmor, libvirt-qemu: Allow access to ceph config
          + apparmor, libvirt-qemu: Allow access to certificates used by libvirt-vnc
          + apparmor, virt-aa-helper: Explicit denies for host devices
          + apparmor, virt-aa-helper: Allow access to libnl-3 config files
          + apparmor, libvirt-qemu: allow access to pt_chown for pty consoles
      * Dropped Changes (In Debian):
        - d/rules: debhelper start virtlogd.socket
        - d/p/ubuntu/Debianize-virtlogd-service.patch: Adapt config file location
          for Debian based systems.
        - Additional debian/bug-presubj
        - Extended handling of apparmor profiles - reload and remove in maintainer
          scripts (dh_apparmor* now generate these snippets)
      * Dropped Changes (no SysV anymore):
        - Add sysvinit script for virtlockd
        - Wait on socket in sysvinit script
        - d/rules: dh_installinit virtlockd (was part of "Cleanup systemd
          debhelper")
        - d/p/ubuntu/Debianize-virtlockd-init.patch: Fix default config path in
          virtlockd.init for Debian based systems.
      * Dropped Changes (other reasons):
        - d/p/ubuntu/dnsmasq-as-priv-user: configuration to run as extra user
          This used group libvirt instead of nobody which makes it worse; Needs
          to be fixed upstream (LP: #1690729).
          + d/p/ubuntu/disable-network-test.patch: disable test failing due to
            dnsmasq changes.
        - Add .gitignore for .pc
        - we keep lxc support as Debian does, but stop adding delta. It feels
          somewhat less maintained than e.g. libvirt for qemu. Also for secure
          and comfortable container management lxd is clearly preferred. The
          delta caused more issues than it solved so deliver libvirt-lxc as-is
          and drop the related delta.
          + d/p/ubuntu/9031-enable-lxc-apparmor: enable apparmor confinement of
            containers by default.
          + d/p/ubuntu/9032-lxc-allow-no-security-driver: allow empty sec driver
            for libvirt-lxc.
        - The following xen changes are no more required with current versions
          + d/p/ubuntu/ubuntu-libxl-hvmloader-path.patch: Fallback for libxl
            xen paths (LP 1459603)
          + d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
            section about compat to the very old qemu-dm name is no more needed.
          + d/p/ubuntu/libxl-fix-test-data.patch and
            d/p/ubuntu/fix-xen-xml-in-tests.patch: updated and unified into the
            former one + also updated the maintainer notes to ease updating.
          + d/p/ubuntu/libxl-no-dm-check.patch: Stop calling emulator to identify
            device-model
      * Added Changes:
        - d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch:
          apparmor: add default pki path of libvirt-spice (LP: #1690140)
        - conffile handling of files dropped in 3.5 (can be dropped >18.04)
          + /etc/init.d/virtlockd was sysv init only
          + /etc/apparmor.d/local/usr.sbin.libvirtd and
            /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated
            by dh_apparmor as needed
        - d/p/ubuntu/fix-libxl-default-driver-name.patch: avoid an issue with
          default driver entries missing name='qemu'.
    
     -- Christian Ehrhardt <email address hidden>  Thu, 06 Jul 2017 15:43:17 +0200
  • libvirt (2.5.0-3ubuntu11) artful; urgency=medium
    
      * d/p/ubuntu/0004-apparmor-apply-ubuntu-delta.patch: Adjust to also allow
        access to snapshots in nova-hypervisor snap's $SNAP_COMMON directory
        (LP: #1644507).
    
     -- Corey Bryant <email address hidden>  Wed, 05 Jul 2017 13:55:19 -0400
  • libvirt (2.5.0-3ubuntu10) artful; urgency=medium
    
      * d/p/ubuntu/0004-apparmor-apply-ubuntu-delta.patch: Allow access to base
        images stored in nova-hypervisor snap's $SNAP_COMMON directory, enabling
        use of the libvirt deb from the nova-hypervisor snap (LP: #1644507).
    
     -- Corey Bryant <email address hidden>  Thu, 22 Jun 2017 14:29:39 -0400
  • libvirt (2.5.0-3ubuntu9) artful; urgency=medium
    
      * d/p/ubuntu/qemu_process-spice-don-t-release-used-port.patch: qemu_process
        spice: don't release used port (LP: #1697729) - upstream in libvirt 3.1.
    
     -- Christian Ehrhardt <email address hidden>  Wed, 14 Jun 2017 14:49:16 +0200
  • libvirt (2.5.0-3ubuntu8) artful; urgency=medium
    
      * fix conffile upgrade handling to avoid obsolete files
        and inactive duplicates (LP: #1694159)
        - d/libvirt-daemon-system.maintscript: revert to Debian content
        - d/libvirt-bin.maintscript: add missing rm_conffile related to
          dropping upstart.
        - d/libvirt-bin.maintscript: add missing rm of conffiles due
          to re-aligning with debian package names since yakkety.
        - d/libvirt-bin.maintscript: for LTS->LTS upgraders try to move and retain
          custom changes.
        - d/libvirt-bin.maintscript: for upgraders from yakkety or later remove
          the (now duplicate) conffiles, but retain custom changes in backups if
          they exist
        - d/libvirt-bin.preinst: drop manual mv of conffiles which lacked
          retaining changes and upgrade-abort handling.
        - d/libvirt-bin.preinst: handle upgrades up to the latest predecessor
          possible before yakkety.
        - d/libvirt-bin.preinst: fixup the combination of rm+mv conffile in case
          the package is upgrading from pre yakkety.
        - d/libvirt-daemon-system.postinst: clean up old dnsmasq enablement symlink
          if unmodified.
    
     -- Christian Ehrhardt <email address hidden>  Wed, 31 May 2017 14:29:51 +0200
  • libvirt (2.5.0-3ubuntu7) artful; urgency=medium
    
      * debian/patches/ubuntu/apparmor-ppcwrapper.patch: update to add missing
        colon (LP: #1686621).
    
     -- Christian Ehrhardt <email address hidden>  Thu, 27 Apr 2017 13:16:05 +0200
  • libvirt (2.5.0-3ubuntu6) artful; urgency=medium
    
      * Add missing apparmor profile entries (LP: #1680384)
        - debian/patches/ubuntu/apparmor-vfio.patch: apparmor: add /dev/vfio
          for vf (hot) attach
        - debian/patches/ubuntu/apparmor-ppcwrapper.patch: apparmor: allow
          extra tools executed by kvm.powerpc
        - debian/patches/ubuntu/apparmor-shutdown.patch: apparmor: allow to
          parse cmdline of the pid that sent the shutdown signal
    
     -- Christian Ehrhardt <email address hidden>  Tue, 25 Apr 2017 14:10:06 +0200
  • libvirt (2.5.0-3ubuntu5) zesty; urgency=medium
    
      * d/p/ubuntu/virsh-maxvcpu-fall-back-to-old-command.patch: virsh: maxvcpus:
        Always fall back to the old command if domain caps fail (LP: #1674298)
    
     -- Christian Ehrhardt <email address hidden>  Tue, 21 Mar 2017 08:02:37 +0100