CVE-2017-1000256: libvirt: TLS certificate verification disabled for clients (bz #1503687)
Fix qemu image locking with shared disks (bz #1513447)
This commit is contained in:
parent
7042f56045
commit
c23de3143a
|
@ -42,10 +42,11 @@ index ca7a6af6d..507be44a2 100644
|
|||
char *baselabel;
|
||||
virSecurityManagerDACChownCallback chownCallback;
|
||||
};
|
||||
@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
||||
@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
||||
priv->dynamicOwnership = dynamicOwnership;
|
||||
}
|
||||
|
||||
void
|
||||
+void
|
||||
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
|
||||
+ bool mountNamespace)
|
||||
+{
|
||||
|
@ -54,10 +55,9 @@ index ca7a6af6d..507be44a2 100644
|
|||
+}
|
||||
+
|
||||
+
|
||||
+void
|
||||
void
|
||||
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
||||
virSecurityManagerDACChownCallback chownCallback)
|
||||
{
|
||||
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
|
||||
index 846cefbb5..97681c961 100644
|
||||
--- a/src/security/security_dac.h
|
||||
|
|
|
@ -20,10 +20,11 @@ diff --git a/src/security/security_dac.c b/src/security/security_dac.c
|
|||
index 507be44a2..349dbe81d 100644
|
||||
--- a/src/security/security_dac.c
|
||||
+++ b/src/security/security_dac.c
|
||||
@@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
|
||||
@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
+static int
|
||||
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
|
||||
+ virDomainDefPtr def,
|
||||
+ virDomainGraphicsDefPtr gfx)
|
||||
|
@ -71,10 +72,9 @@ index 507be44a2..349dbe81d 100644
|
|||
+}
|
||||
+
|
||||
+
|
||||
+static int
|
||||
static int
|
||||
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def,
|
||||
virDomainInputDefPtr input)
|
||||
@@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||
rc = -1;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||
Date: Thu, 5 Oct 2017 17:54:28 +0100
|
||||
Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
|
||||
|
||||
The default_tls_x509_verify (and related) parameters in qemu.conf
|
||||
control whether the QEMU TLS servers request & verify certificates
|
||||
from clients. This works as a simple access control system for
|
||||
servers by requiring the CA to issue certs to permitted clients.
|
||||
This use of client certificates is disabled by default, since it
|
||||
requires extra work to issue client certificates.
|
||||
|
||||
Unfortunately the code was using this configuration parameter when
|
||||
setting up both TLS clients and servers in QEMU. The result was that
|
||||
TLS clients for character devices and disk devices had verification
|
||||
turned off, meaning they would ignore errors while validating the
|
||||
server certificate.
|
||||
|
||||
This allows for trivial MITM attacks between client and server,
|
||||
as any certificate returned by the attacker will be accepted by
|
||||
the client.
|
||||
|
||||
This is assigned CVE-2017-1000256 / LSN-2017-0002
|
||||
|
||||
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||
(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
|
||||
(cherry picked from commit dc6c41798d1eb5c52c75365ffa22f7672709dfa7)
|
||||
---
|
||||
src/qemu/qemu_command.c | 2 +-
|
||||
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
|
||||
.../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
|
||||
index 9a27987d4..ae78cd17e 100644
|
||||
--- a/src/qemu/qemu_command.c
|
||||
+++ b/src/qemu/qemu_command.c
|
||||
@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
|
||||
if (virJSONValueObjectCreate(propsret,
|
||||
"s:dir", path,
|
||||
"s:endpoint", (isListen ? "server": "client"),
|
||||
- "b:verify-peer", verifypeer,
|
||||
+ "b:verify-peer", (isListen ? verifypeer : true),
|
||||
NULL) < 0)
|
||||
goto cleanup;
|
||||
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||
index 5aff7734e..ab5f7e27f 100644
|
||||
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||
@@ -26,7 +26,7 @@ server,nowait \
|
||||
localport=1111 \
|
||||
-device isa-serial,chardev=charserial0,id=serial0 \
|
||||
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||
-endpoint=client,verify-peer=no \
|
||||
+endpoint=client,verify-peer=yes \
|
||||
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||
tls-creds=objcharserial1_tls0 \
|
||||
-device isa-serial,chardev=charserial1,id=serial1 \
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||
index 91f1fe0cd..2567abbfa 100644
|
||||
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||
@@ -31,7 +31,7 @@ localport=1111 \
|
||||
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
|
||||
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
|
||||
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||
-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
|
||||
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
|
||||
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||
tls-creds=objcharserial1_tls0 \
|
||||
-device isa-serial,chardev=charserial1,id=serial1 \
|
|
@ -0,0 +1,177 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Wed, 15 Nov 2017 13:15:57 +0100
|
||||
Subject: [PATCH] qemu: Move snapshot disk validation functions into one
|
||||
|
||||
Move the code so that both the new image and old image can be verified
|
||||
in the same function.
|
||||
|
||||
(cherry picked from commit 8ffdeed455650557df531aafc66c20b31bd4e0c4)
|
||||
---
|
||||
src/qemu/qemu_driver.c | 91 ++++++++++++++++++++------------------------------
|
||||
1 file changed, 36 insertions(+), 55 deletions(-)
|
||||
|
||||
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
|
||||
index 1f9264639..57f0c2bf4 100644
|
||||
--- a/src/qemu/qemu_driver.c
|
||||
+++ b/src/qemu/qemu_driver.c
|
||||
@@ -13793,17 +13793,19 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn,
|
||||
|
||||
|
||||
static int
|
||||
-qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
|
||||
+qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk,
|
||||
+ virDomainDiskDefPtr domdisk)
|
||||
{
|
||||
- int actualType = virStorageSourceGetActualType(disk->src);
|
||||
+ int domDiskType = virStorageSourceGetActualType(domdisk->src);
|
||||
+ int snapDiskType = virStorageSourceGetActualType(snapdisk->src);
|
||||
|
||||
- switch ((virStorageType) actualType) {
|
||||
+ switch ((virStorageType) domDiskType) {
|
||||
case VIR_STORAGE_TYPE_BLOCK:
|
||||
case VIR_STORAGE_TYPE_FILE:
|
||||
- return 0;
|
||||
+ break;
|
||||
|
||||
case VIR_STORAGE_TYPE_NETWORK:
|
||||
- switch ((virStorageNetProtocol) disk->src->protocol) {
|
||||
+ switch ((virStorageNetProtocol) domdisk->src->protocol) {
|
||||
case VIR_STORAGE_NET_PROTOCOL_NONE:
|
||||
case VIR_STORAGE_NET_PROTOCOL_NBD:
|
||||
case VIR_STORAGE_NET_PROTOCOL_RBD:
|
||||
@@ -13820,7 +13822,7 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
_("external inactive snapshots are not supported on "
|
||||
"'network' disks using '%s' protocol"),
|
||||
- virStorageNetProtocolTypeToString(disk->src->protocol));
|
||||
+ virStorageNetProtocolTypeToString(domdisk->src->protocol));
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
@@ -13831,7 +13833,23 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
|
||||
case VIR_STORAGE_TYPE_LAST:
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
_("external inactive snapshots are not supported on "
|
||||
- "'%s' disks"), virStorageTypeToString(actualType));
|
||||
+ "'%s' disks"), virStorageTypeToString(domDiskType));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ switch ((virStorageType) snapDiskType) {
|
||||
+ case VIR_STORAGE_TYPE_BLOCK:
|
||||
+ case VIR_STORAGE_TYPE_FILE:
|
||||
+ break;
|
||||
+
|
||||
+ case VIR_STORAGE_TYPE_NETWORK:
|
||||
+ case VIR_STORAGE_TYPE_DIR:
|
||||
+ case VIR_STORAGE_TYPE_VOLUME:
|
||||
+ case VIR_STORAGE_TYPE_NONE:
|
||||
+ case VIR_STORAGE_TYPE_LAST:
|
||||
+ virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
+ _("external inactive snapshots are not supported on "
|
||||
+ "'%s' disks"), virStorageTypeToString(snapDiskType));
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -13840,33 +13858,27 @@ qemuDomainSnapshotPrepareDiskExternalBackingInactive(virDomainDiskDefPtr disk)
|
||||
|
||||
|
||||
static int
|
||||
-qemuDomainSnapshotPrepareDiskExternalBackingActive(virDomainDiskDefPtr disk)
|
||||
+qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk,
|
||||
+ virDomainDiskDefPtr domdisk)
|
||||
{
|
||||
- if (disk->device == VIR_DOMAIN_DISK_DEVICE_LUN) {
|
||||
+ int actualType = virStorageSourceGetActualType(snapdisk->src);
|
||||
+
|
||||
+ if (domdisk->device == VIR_DOMAIN_DISK_DEVICE_LUN) {
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("external active snapshots are not supported on scsi "
|
||||
"passthrough devices"));
|
||||
return -1;
|
||||
}
|
||||
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-
|
||||
-static int
|
||||
-qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr disk)
|
||||
-{
|
||||
- int actualType = virStorageSourceGetActualType(disk->src);
|
||||
-
|
||||
switch ((virStorageType) actualType) {
|
||||
case VIR_STORAGE_TYPE_BLOCK:
|
||||
case VIR_STORAGE_TYPE_FILE:
|
||||
- return 0;
|
||||
+ break;
|
||||
|
||||
case VIR_STORAGE_TYPE_NETWORK:
|
||||
- switch ((virStorageNetProtocol) disk->src->protocol) {
|
||||
+ switch ((virStorageNetProtocol) snapdisk->src->protocol) {
|
||||
case VIR_STORAGE_NET_PROTOCOL_GLUSTER:
|
||||
- return 0;
|
||||
+ break;
|
||||
|
||||
case VIR_STORAGE_NET_PROTOCOL_NONE:
|
||||
case VIR_STORAGE_NET_PROTOCOL_NBD:
|
||||
@@ -13883,7 +13895,7 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d
|
||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
_("external active snapshots are not supported on "
|
||||
"'network' disks using '%s' protocol"),
|
||||
- virStorageNetProtocolTypeToString(disk->src->protocol));
|
||||
+ virStorageNetProtocolTypeToString(snapdisk->src->protocol));
|
||||
return -1;
|
||||
|
||||
}
|
||||
@@ -13903,31 +13915,6 @@ qemuDomainSnapshotPrepareDiskExternalOverlayActive(virDomainSnapshotDiskDefPtr d
|
||||
}
|
||||
|
||||
|
||||
-static int
|
||||
-qemuDomainSnapshotPrepareDiskExternalOverlayInactive(virDomainSnapshotDiskDefPtr disk)
|
||||
-{
|
||||
- int actualType = virStorageSourceGetActualType(disk->src);
|
||||
-
|
||||
- switch ((virStorageType) actualType) {
|
||||
- case VIR_STORAGE_TYPE_BLOCK:
|
||||
- case VIR_STORAGE_TYPE_FILE:
|
||||
- return 0;
|
||||
-
|
||||
- case VIR_STORAGE_TYPE_NETWORK:
|
||||
- case VIR_STORAGE_TYPE_DIR:
|
||||
- case VIR_STORAGE_TYPE_VOLUME:
|
||||
- case VIR_STORAGE_TYPE_NONE:
|
||||
- case VIR_STORAGE_TYPE_LAST:
|
||||
- virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
- _("external inactive snapshots are not supported on "
|
||||
- "'%s' disks"), virStorageTypeToString(actualType));
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-
|
||||
static int
|
||||
qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn,
|
||||
virDomainDiskDefPtr disk,
|
||||
@@ -13945,16 +13932,10 @@ qemuDomainSnapshotPrepareDiskExternal(virConnectPtr conn,
|
||||
if (virStorageTranslateDiskSourcePool(conn, disk) < 0)
|
||||
return -1;
|
||||
|
||||
- if (qemuDomainSnapshotPrepareDiskExternalBackingInactive(disk) < 0)
|
||||
- return -1;
|
||||
-
|
||||
- if (qemuDomainSnapshotPrepareDiskExternalOverlayInactive(snapdisk) < 0)
|
||||
+ if (qemuDomainSnapshotPrepareDiskExternalInactive(snapdisk, disk) < 0)
|
||||
return -1;
|
||||
} else {
|
||||
- if (qemuDomainSnapshotPrepareDiskExternalBackingActive(disk) < 0)
|
||||
- return -1;
|
||||
-
|
||||
- if (qemuDomainSnapshotPrepareDiskExternalOverlayActive(snapdisk) < 0)
|
||||
+ if (qemuDomainSnapshotPrepareDiskExternalActive(snapdisk, disk) < 0)
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -0,0 +1,55 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Tue, 14 Nov 2017 15:34:46 +0100
|
||||
Subject: [PATCH] qemu: block: Add function to check if storage source allows
|
||||
concurrent access
|
||||
|
||||
Storage source format backing a shared device (e.g. running a cluster
|
||||
filesystem) needs to support the sharing so that metadata are not
|
||||
corrupted. Add a central function for checking this.
|
||||
|
||||
(cherry picked from commit 1fc3cd8731640aefc48bbd9fc489f21cb99c6f67)
|
||||
---
|
||||
src/qemu/qemu_block.c | 15 +++++++++++++++
|
||||
src/qemu/qemu_block.h | 3 +++
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
|
||||
index 7fb12ea5a..4c0a5eb78 100644
|
||||
--- a/src/qemu/qemu_block.c
|
||||
+++ b/src/qemu/qemu_block.c
|
||||
@@ -379,6 +379,21 @@ qemuBlockGetNodeData(virJSONValuePtr data)
|
||||
}
|
||||
|
||||
|
||||
+/**
|
||||
+ * qemuBlockStorageSourceSupportsConcurrentAccess:
|
||||
+ * @src: disk storage source
|
||||
+ *
|
||||
+ * Returns true if the given storage format supports concurrent access from two
|
||||
+ * separate processes.
|
||||
+ */
|
||||
+bool
|
||||
+qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src)
|
||||
+{
|
||||
+ /* no need to check in backing chain since only RAW storage supports this */
|
||||
+ return src->format == VIR_STORAGE_FILE_RAW;
|
||||
+}
|
||||
+
|
||||
+
|
||||
/**
|
||||
* qemuBlockStorageSourceBuildHostsJSONSocketAddress:
|
||||
* @src: disk storage source
|
||||
diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
|
||||
index f0a2c9aa7..ebf3149ce 100644
|
||||
--- a/src/qemu/qemu_block.h
|
||||
+++ b/src/qemu/qemu_block.h
|
||||
@@ -53,6 +53,9 @@ qemuBlockNodeNamesDetect(virQEMUDriverPtr driver,
|
||||
virHashTablePtr
|
||||
qemuBlockGetNodeData(virJSONValuePtr data);
|
||||
|
||||
+bool
|
||||
+qemuBlockStorageSourceSupportsConcurrentAccess(virStorageSourcePtr src);
|
||||
+
|
||||
virJSONValuePtr
|
||||
qemuBlockStorageSourceGetBackendProps(virStorageSourcePtr src);
|
||||
|
|
@ -0,0 +1,146 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Tue, 14 Nov 2017 15:37:09 +0100
|
||||
Subject: [PATCH] qemu: domain: Reject shared disk access if backing format
|
||||
does not support it
|
||||
|
||||
Disk sharing between two VMs may corrupt the images if the format driver
|
||||
does not support it. Check that the user declared use of a supported
|
||||
storage format when they want to share the disk.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
|
||||
(cherry picked from commit 3b03a27cd00c2f032661d2bf8905795425752fc7)
|
||||
---
|
||||
src/qemu/qemu_domain.c | 29 +++++++++++++++++++++-
|
||||
.../qemuxml2argv-disk-drive-shared-qcow.xml | 28 +++++++++++++++++++++
|
||||
.../qemuxml2argv-disk-drive-shared.args | 2 +-
|
||||
.../qemuxml2argv-disk-drive-shared.xml | 2 +-
|
||||
tests/qemuxml2argvtest.c | 1 +
|
||||
5 files changed, 59 insertions(+), 3 deletions(-)
|
||||
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
|
||||
|
||||
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
|
||||
index b98ffffae..42d17c1b0 100644
|
||||
--- a/src/qemu/qemu_domain.c
|
||||
+++ b/src/qemu/qemu_domain.c
|
||||
@@ -25,6 +25,7 @@
|
||||
|
||||
#include "qemu_domain.h"
|
||||
#include "qemu_alias.h"
|
||||
+#include "qemu_block.h"
|
||||
#include "qemu_cgroup.h"
|
||||
#include "qemu_command.h"
|
||||
#include "qemu_process.h"
|
||||
@@ -3299,6 +3300,29 @@ qemuDomainRedirdevDefValidate(const virDomainRedirdevDef *def)
|
||||
}
|
||||
|
||||
|
||||
+static int
|
||||
+qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk)
|
||||
+{
|
||||
+ if (disk->src->shared && !disk->src->readonly) {
|
||||
+ if (disk->src->format <= VIR_STORAGE_FILE_AUTO) {
|
||||
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||
+ _("shared access for disk '%s' requires use of "
|
||||
+ "explicitly specified disk format"), disk->dst);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (!qemuBlockStorageSourceSupportsConcurrentAccess(disk->src)) {
|
||||
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||
+ _("shared access for disk '%s' requires use of "
|
||||
+ "supported storage format"), disk->dst);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static int
|
||||
qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev,
|
||||
const virDomainDef *def ATTRIBUTE_UNUSED,
|
||||
@@ -3308,7 +3332,10 @@ qemuDomainDeviceDefValidate(const virDomainDeviceDef *dev,
|
||||
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
|
||||
int ret = -1;
|
||||
|
||||
- if (dev->type == VIR_DOMAIN_DEVICE_NET) {
|
||||
+ if (dev->type == VIR_DOMAIN_DEVICE_DISK) {
|
||||
+ if (qemuDomainDeviceDefValidateDisk(dev->data.disk) < 0)
|
||||
+ goto cleanup;
|
||||
+ } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
|
||||
const virDomainNetDef *net = dev->data.net;
|
||||
|
||||
if (net->guestIP.nroutes || net->guestIP.nips) {
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
|
||||
new file mode 100644
|
||||
index 000000000..ca88a944b
|
||||
--- /dev/null
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-qcow.xml
|
||||
@@ -0,0 +1,28 @@
|
||||
+<domain type='qemu'>
|
||||
+ <name>QEMUGuest1</name>
|
||||
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
|
||||
+ <memory unit='KiB'>219136</memory>
|
||||
+ <currentMemory unit='KiB'>219136</currentMemory>
|
||||
+ <vcpu placement='static'>1</vcpu>
|
||||
+ <os>
|
||||
+ <type arch='i686' machine='pc'>hvm</type>
|
||||
+ <boot dev='hd'/>
|
||||
+ </os>
|
||||
+ <clock offset='utc'/>
|
||||
+ <on_poweroff>destroy</on_poweroff>
|
||||
+ <on_reboot>restart</on_reboot>
|
||||
+ <on_crash>destroy</on_crash>
|
||||
+ <devices>
|
||||
+ <emulator>/usr/bin/qemu-system-i686</emulator>
|
||||
+ <disk type='block' device='disk'>
|
||||
+ <driver name='qemu' type='qcow2'/>
|
||||
+ <source dev='/dev/HostVG/QEMUGuest1'/>
|
||||
+ <target dev='hda' bus='ide'/>
|
||||
+ <shareable/>
|
||||
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
|
||||
+ </disk>
|
||||
+ <controller type='usb' index='0'/>
|
||||
+ <controller type='ide' index='0'/>
|
||||
+ <memballoon model='virtio'/>
|
||||
+ </devices>
|
||||
+</domain>
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
|
||||
index 502157bf8..326fde1b3 100644
|
||||
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.args
|
||||
@@ -19,7 +19,7 @@ server,nowait \
|
||||
-no-acpi \
|
||||
-boot c \
|
||||
-usb \
|
||||
--drive file=/dev/HostVG/QEMUGuest1,format=qcow2,if=none,id=drive-ide0-0-0,\
|
||||
+-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0,\
|
||||
serial=XYZXYZXYZYXXYZYZYXYZY,cache=none \
|
||||
-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
|
||||
-drive file=/dev/HostVG/QEMUGuest2,format=raw,if=none,media=cdrom,\
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
|
||||
index 9f7472378..677c2b0b7 100644
|
||||
--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared.xml
|
||||
@@ -15,7 +15,7 @@
|
||||
<devices>
|
||||
<emulator>/usr/bin/qemu-system-i686</emulator>
|
||||
<disk type='block' device='disk'>
|
||||
- <driver name='qemu' type='qcow2'/>
|
||||
+ <driver name='qemu' type='raw'/>
|
||||
<source dev='/dev/HostVG/QEMUGuest1'/>
|
||||
<target dev='hda' bus='ide'/>
|
||||
<shareable/>
|
||||
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
|
||||
index 18f06e5aa..93f892229 100644
|
||||
--- a/tests/qemuxml2argvtest.c
|
||||
+++ b/tests/qemuxml2argvtest.c
|
||||
@@ -895,6 +895,7 @@ mymain(void)
|
||||
QEMU_CAPS_DRIVE_BOOT);
|
||||
DO_TEST("disk-drive-shared",
|
||||
QEMU_CAPS_DRIVE_SERIAL);
|
||||
+ DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE);
|
||||
DO_TEST("disk-drive-error-policy-stop",
|
||||
QEMU_CAPS_MONITOR_JSON);
|
||||
DO_TEST("disk-drive-error-policy-enospace",
|
|
@ -0,0 +1,63 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Wed, 15 Nov 2017 13:41:01 +0100
|
||||
Subject: [PATCH] qemu: snapshot: Disallow snapshot of unsupported shared disks
|
||||
|
||||
Creating a snapshot would introduce a possibly unsupported member for
|
||||
sharing into the backing chain. Add a check to prevent that from
|
||||
happening.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
|
||||
(cherry picked from commit 9b2fbfa6f6b535b9f41a7503531d43d86d7a8868)
|
||||
---
|
||||
src/qemu/qemu_driver.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
|
||||
index 57f0c2bf4..91119a494 100644
|
||||
--- a/src/qemu/qemu_driver.c
|
||||
+++ b/src/qemu/qemu_driver.c
|
||||
@@ -13792,6 +13792,24 @@ qemuDomainSnapshotCreateActiveInternal(virConnectPtr conn,
|
||||
}
|
||||
|
||||
|
||||
+static int
|
||||
+qemuDomainSnapshotPrepareDiskShared(virDomainSnapshotDiskDefPtr snapdisk,
|
||||
+ virDomainDiskDefPtr domdisk)
|
||||
+{
|
||||
+ if (!domdisk->src->shared || domdisk->src->readonly)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!qemuBlockStorageSourceSupportsConcurrentAccess(snapdisk->src)) {
|
||||
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||
+ _("shared access for disk '%s' requires use of "
|
||||
+ "supported storage format"), domdisk->dst);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static int
|
||||
qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdisk,
|
||||
virDomainDiskDefPtr domdisk)
|
||||
@@ -13853,6 +13871,9 @@ qemuDomainSnapshotPrepareDiskExternalInactive(virDomainSnapshotDiskDefPtr snapdi
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -13911,6 +13932,9 @@ qemuDomainSnapshotPrepareDiskExternalActive(virDomainSnapshotDiskDefPtr snapdisk
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (qemuDomainSnapshotPrepareDiskShared(snapdisk, domdisk) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Wed, 15 Nov 2017 14:33:11 +0100
|
||||
Subject: [PATCH] qemu: Disallow pivot of shared disks to unsupported storage
|
||||
|
||||
Pivoting to a unsupported storage type might break the assumption that
|
||||
shared disks will not corrupt metadata.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1511480
|
||||
(cherry picked from commit 2b41c86294786c07f53afa633fe3dce703debc3c)
|
||||
---
|
||||
src/qemu/qemu_driver.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
|
||||
index 91119a494..208ccc9bc 100644
|
||||
--- a/src/qemu/qemu_driver.c
|
||||
+++ b/src/qemu/qemu_driver.c
|
||||
@@ -16325,6 +16325,16 @@ qemuDomainBlockPivot(virQEMUDriverPtr driver,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ /* When pivoting to a shareable disk we need to make sure that the disk can
|
||||
+ * be safely shared, since block copy might have changed the format. */
|
||||
+ if (disk->src->shared && !disk->src->readonly &&
|
||||
+ !qemuBlockStorageSourceSupportsConcurrentAccess(disk->mirror)) {
|
||||
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
|
||||
+ _("can't pivot a shared disk to a storage volume not "
|
||||
+ "supporting sharing"));
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
/* For active commit, the mirror is part of the already labeled
|
||||
* chain. For blockcopy, we previously labeled only the top-level
|
||||
* image; but if the user is reusing an external image that
|
|
@ -0,0 +1,126 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Wed, 15 Nov 2017 15:02:58 +0100
|
||||
Subject: [PATCH] qemu: caps: Add capability for 'share-rw' disk option
|
||||
|
||||
'share-rw' for the disk device configures qemu to allow concurrent
|
||||
access to the backing storage.
|
||||
|
||||
The capability is checked in various supported disk frontend buses since
|
||||
it does not make sense to partially backport it.
|
||||
|
||||
(cherry picked from commit 860a3c4bea1d24773d8a495f213d5de3ac48a462)
|
||||
---
|
||||
src/qemu/qemu_capabilities.c | 14 ++++++++++++++
|
||||
src/qemu/qemu_capabilities.h | 10 ++++++++++
|
||||
tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml | 1 +
|
||||
tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
|
||||
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
|
||||
5 files changed, 27 insertions(+)
|
||||
|
||||
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
|
||||
index e7ea6f47c..2de84715e 100644
|
||||
--- a/src/qemu/qemu_capabilities.c
|
||||
+++ b/src/qemu/qemu_capabilities.c
|
||||
@@ -439,6 +439,16 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
|
||||
"virtio-net.tx_queue_size",
|
||||
"chardev-reconnect",
|
||||
"virtio-gpu.max_outputs",
|
||||
+
|
||||
+ /* 270 */
|
||||
+ "vxhs",
|
||||
+ "virtio-blk.num-queues",
|
||||
+ "machine.pseries.resize-hpt",
|
||||
+ "vmcoreinfo",
|
||||
+ "spapr-vty",
|
||||
+
|
||||
+ /* 275 */
|
||||
+ "disk-share-rw",
|
||||
);
|
||||
|
||||
|
||||
@@ -1702,6 +1712,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioBlk[] = {
|
||||
{ "event_idx", QEMU_CAPS_VIRTIO_BLK_EVENT_IDX },
|
||||
{ "scsi", QEMU_CAPS_VIRTIO_BLK_SCSI },
|
||||
{ "logical_block_size", QEMU_CAPS_BLOCKIO },
|
||||
+ { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
|
||||
};
|
||||
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVirtioNet[] = {
|
||||
@@ -1732,10 +1743,12 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsVfioPCI[] = {
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsSCSIDisk[] = {
|
||||
{ "channel", QEMU_CAPS_SCSI_DISK_CHANNEL },
|
||||
{ "wwn", QEMU_CAPS_SCSI_DISK_WWN },
|
||||
+ { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
|
||||
};
|
||||
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsIDEDrive[] = {
|
||||
{ "wwn", QEMU_CAPS_IDE_DRIVE_WWN },
|
||||
+ { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
|
||||
};
|
||||
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsPiix4PM[] = {
|
||||
@@ -1766,6 +1779,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsQ35PCIHost[] = {
|
||||
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsUSBStorage[] = {
|
||||
{ "removable", QEMU_CAPS_USB_STORAGE_REMOVABLE },
|
||||
+ { "share-rw", QEMU_CAPS_DISK_SHARE_RW },
|
||||
};
|
||||
|
||||
static struct virQEMUCapsStringFlags virQEMUCapsObjectPropsKVMPit[] = {
|
||||
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
|
||||
index f32687d4a..9c92d6b46 100644
|
||||
--- a/src/qemu/qemu_capabilities.h
|
||||
+++ b/src/qemu/qemu_capabilities.h
|
||||
@@ -426,6 +426,16 @@ typedef enum {
|
||||
QEMU_CAPS_CHARDEV_RECONNECT, /* -chardev reconnect */
|
||||
QEMU_CAPS_VIRTIO_GPU_MAX_OUTPUTS, /* -device virtio-(vga|gpu-*),max-outputs= */
|
||||
|
||||
+ /* 270 */
|
||||
+ QEMU_CAPS_VXHS, /* -drive file.driver=vxhs via query-qmp-schema */
|
||||
+ QEMU_CAPS_VIRTIO_BLK_NUM_QUEUES, /* virtio-blk-*.num-queues */
|
||||
+ QEMU_CAPS_MACHINE_PSERIES_RESIZE_HPT, /* -machine pseries,resize-hpt */
|
||||
+ QEMU_CAPS_DEVICE_VMCOREINFO, /* -device vmcoreinfo */
|
||||
+ QEMU_CAPS_DEVICE_SPAPR_VTY, /* -device spapr-vty */
|
||||
+
|
||||
+ /* 275 */
|
||||
+ QEMU_CAPS_DISK_SHARE_RW, /* share-rw=on for concurrent disk access */
|
||||
+
|
||||
QEMU_CAPS_LAST /* this must always be the last item */
|
||||
} virQEMUCapsFlags;
|
||||
|
||||
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
|
||||
index a373a6db6..9551907c6 100644
|
||||
--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
|
||||
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64le.xml
|
||||
@@ -172,6 +172,7 @@
|
||||
<flag name='vnc-multi-servers'/>
|
||||
<flag name='chardev-reconnect'/>
|
||||
<flag name='virtio-gpu.max_outputs'/>
|
||||
+ <flag name='disk-share-rw'/>
|
||||
<version>2009000</version>
|
||||
<kvmVersion>0</kvmVersion>
|
||||
<package> (v2.9.0)</package>
|
||||
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
|
||||
index e80782cfb..0a6fbd077 100644
|
||||
--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
|
||||
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
|
||||
@@ -137,6 +137,7 @@
|
||||
<flag name='vnc-multi-servers'/>
|
||||
<flag name='chardev-reconnect'/>
|
||||
<flag name='virtio-gpu.max_outputs'/>
|
||||
+ <flag name='disk-share-rw'/>
|
||||
<version>2009000</version>
|
||||
<kvmVersion>0</kvmVersion>
|
||||
<package></package>
|
||||
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
|
||||
index 3641d0332..1294ebdb3 100644
|
||||
--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
|
||||
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
|
||||
@@ -220,6 +220,7 @@
|
||||
<flag name='vnc-multi-servers'/>
|
||||
<flag name='chardev-reconnect'/>
|
||||
<flag name='virtio-gpu.max_outputs'/>
|
||||
+ <flag name='disk-share-rw'/>
|
||||
<version>2009000</version>
|
||||
<kvmVersion>0</kvmVersion>
|
||||
<package> (v2.9.0)</package>
|
|
@ -0,0 +1,133 @@
|
|||
From: Peter Krempa <pkrempa@redhat.com>
|
||||
Date: Wed, 15 Nov 2017 15:21:14 +0100
|
||||
Subject: [PATCH] qemu: command: Mark <shared/> disks as such in qemu
|
||||
|
||||
Qemu has now an internal mechanism for locking images to fix specific
|
||||
cases of disk corruption. This requires libvirt to mark the image as
|
||||
shared so that qemu lifts certain restrictions.
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1378242
|
||||
(cherry picked from commit 28907b0043fbf71085a798372ab9c816ba043b93)
|
||||
---
|
||||
src/qemu/qemu_command.c | 4 +++
|
||||
.../qemuxml2argv-disk-drive-shared-locking.args | 32 +++++++++++++++++
|
||||
.../qemuxml2argv-disk-drive-shared-locking.xml | 42 ++++++++++++++++++++++
|
||||
tests/qemuxml2argvtest.c | 2 ++
|
||||
4 files changed, 80 insertions(+)
|
||||
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
|
||||
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
|
||||
|
||||
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
|
||||
index ae78cd17e..883525752 100644
|
||||
--- a/src/qemu/qemu_command.c
|
||||
+++ b/src/qemu/qemu_command.c
|
||||
@@ -2075,6 +2075,10 @@ qemuBuildDriveDevStr(const virDomainDef *def,
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ if (disk->src->shared &&
|
||||
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_DISK_SHARE_RW))
|
||||
+ virBufferAddLit(&opt, ",share-rw=on");
|
||||
+
|
||||
if (!(drivealias = qemuAliasFromDisk(disk)))
|
||||
goto error;
|
||||
virBufferAsprintf(&opt, ",drive=%s,id=%s", drivealias, disk->info.alias);
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
|
||||
new file mode 100644
|
||||
index 000000000..cdf17f26d
|
||||
--- /dev/null
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.args
|
||||
@@ -0,0 +1,32 @@
|
||||
+LC_ALL=C \
|
||||
+PATH=/bin \
|
||||
+HOME=/home/test \
|
||||
+USER=test \
|
||||
+LOGNAME=test \
|
||||
+QEMU_AUDIO_DRV=none \
|
||||
+/usr/bin/qemu-system-i686 \
|
||||
+-name QEMUGuest1 \
|
||||
+-S \
|
||||
+-M pc \
|
||||
+-m 214 \
|
||||
+-smp 1,sockets=1,cores=1,threads=1 \
|
||||
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
|
||||
+-nographic \
|
||||
+-nodefaults \
|
||||
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
|
||||
+server,nowait \
|
||||
+-mon chardev=charmonitor,id=monitor,mode=readline \
|
||||
+-no-acpi \
|
||||
+-boot c \
|
||||
+-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
|
||||
+-usb \
|
||||
+-drive file=/dev/ide,format=raw,if=none,id=drive-ide0-0-0,cache=none \
|
||||
+-device ide-drive,bus=ide.0,unit=0,share-rw=on,drive=drive-ide0-0-0,\
|
||||
+id=ide0-0-0 \
|
||||
+-drive file=/dev/scsi,format=raw,if=none,id=drive-scsi0-0-0-0,cache=none \
|
||||
+-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,share-rw=on,\
|
||||
+drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \
|
||||
+-drive file=/dev/virtio,format=raw,if=none,id=drive-virtio-disk0,cache=none \
|
||||
+-device virtio-blk-pci,bus=pci.0,addr=0x4,share-rw=on,drive=drive-virtio-disk0,\
|
||||
+id=virtio-disk0 \
|
||||
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
|
||||
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
|
||||
new file mode 100644
|
||||
index 000000000..dd48857a3
|
||||
--- /dev/null
|
||||
+++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-shared-locking.xml
|
||||
@@ -0,0 +1,42 @@
|
||||
+<domain type='qemu'>
|
||||
+ <name>QEMUGuest1</name>
|
||||
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
|
||||
+ <memory unit='KiB'>219136</memory>
|
||||
+ <currentMemory unit='KiB'>219136</currentMemory>
|
||||
+ <vcpu placement='static'>1</vcpu>
|
||||
+ <os>
|
||||
+ <type arch='i686' machine='pc'>hvm</type>
|
||||
+ <boot dev='hd'/>
|
||||
+ </os>
|
||||
+ <clock offset='utc'/>
|
||||
+ <on_poweroff>destroy</on_poweroff>
|
||||
+ <on_reboot>restart</on_reboot>
|
||||
+ <on_crash>destroy</on_crash>
|
||||
+ <devices>
|
||||
+ <emulator>/usr/bin/qemu-system-i686</emulator>
|
||||
+ <disk type='block' device='disk'>
|
||||
+ <driver name='qemu' type='raw'/>
|
||||
+ <source dev='/dev/ide'/>
|
||||
+ <target dev='hda' bus='ide'/>
|
||||
+ <shareable/>
|
||||
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
|
||||
+ </disk>
|
||||
+ <disk type='block' device='disk'>
|
||||
+ <driver name='qemu' type='raw'/>
|
||||
+ <source dev='/dev/scsi'/>
|
||||
+ <target dev='sda' bus='scsi'/>
|
||||
+ <shareable/>
|
||||
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
|
||||
+ </disk>
|
||||
+ <disk type='block' device='disk'>
|
||||
+ <driver name='qemu' type='raw'/>
|
||||
+ <source dev='/dev/virtio'/>
|
||||
+ <target dev='vda' bus='virtio'/>
|
||||
+ <shareable/>
|
||||
+ </disk>
|
||||
+ <controller type='usb' index='0'/>
|
||||
+ <controller type='ide' index='0'/>
|
||||
+ <controller type='scsi' index='0' model='virtio-scsi'/>
|
||||
+ <memballoon model='virtio'/>
|
||||
+ </devices>
|
||||
+</domain>
|
||||
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
|
||||
index 93f892229..9585fdb70 100644
|
||||
--- a/tests/qemuxml2argvtest.c
|
||||
+++ b/tests/qemuxml2argvtest.c
|
||||
@@ -896,6 +896,8 @@ mymain(void)
|
||||
DO_TEST("disk-drive-shared",
|
||||
QEMU_CAPS_DRIVE_SERIAL);
|
||||
DO_TEST_PARSE_ERROR("disk-drive-shared-qcow", NONE);
|
||||
+ DO_TEST("disk-drive-shared-locking",
|
||||
+ QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DISK_SHARE_RW);
|
||||
DO_TEST("disk-drive-error-policy-stop",
|
||||
QEMU_CAPS_MONITOR_JSON);
|
||||
DO_TEST("disk-drive-error-policy-enospace",
|
18
libvirt.spec
18
libvirt.spec
|
@ -240,7 +240,7 @@
|
|||
Summary: Library providing a simple virtualization API
|
||||
Name: libvirt
|
||||
Version: 3.7.0
|
||||
Release: 2%{?dist}%{?extra_release}
|
||||
Release: 3%{?dist}%{?extra_release}
|
||||
License: LGPLv2+
|
||||
Group: Development/Libraries
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
|
@ -256,6 +256,17 @@ Patch0001: 0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
|
|||
# Fix spice GL qemu:///system rendernode permissions (bz #1460804)
|
||||
Patch0002: 0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
|
||||
Patch0003: 0003-security-dac-relabel-spice-rendernode.patch
|
||||
# CVE-2017-1000256: libvirt: TLS certificate verification disabled for
|
||||
# clients (bz #1503687)
|
||||
Patch0004: 0004-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch
|
||||
# Fix qemu image locking with shared disks (bz #1513447)
|
||||
Patch0005: 0005-qemu-Move-snapshot-disk-validation-functions-into-on.patch
|
||||
Patch0006: 0006-qemu-block-Add-function-to-check-if-storage-source-a.patch
|
||||
Patch0007: 0007-qemu-domain-Reject-shared-disk-access-if-backing-for.patch
|
||||
Patch0008: 0008-qemu-snapshot-Disallow-snapshot-of-unsupported-share.patch
|
||||
Patch0009: 0009-qemu-Disallow-pivot-of-shared-disks-to-unsupported-s.patch
|
||||
Patch0010: 0010-qemu-caps-Add-capability-for-share-rw-disk-option.patch
|
||||
Patch0011: 0011-qemu-command-Mark-shared-disks-as-such-in-qemu.patch
|
||||
|
||||
Requires: libvirt-daemon = %{version}-%{release}
|
||||
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
||||
|
@ -2127,6 +2138,11 @@ exit 0
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Dec 04 2017 Cole Robinson <crobinso@redhat.com> - 3.7.0-3
|
||||
- CVE-2017-1000256: libvirt: TLS certificate verification disabled for
|
||||
clients (bz #1503687)
|
||||
- Fix qemu image locking with shared disks (bz #1513447)
|
||||
|
||||
* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.7.0-2
|
||||
- Fix TPM2 passthrough (bz #1486240)
|
||||
- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
|
||||
|
|
Loading…
Reference in New Issue