Fix TPM2 passthrough (bz #1486240)

Fix spice GL qemu:///system rendernode permissions (bz #1460804)
Fix on_reboot=destroy setting (bz #1476866)
Fix disk images in /dev/shm (bz #1482146)
This commit is contained in:
Cole Robinson 2017-09-15 19:04:20 -04:00
parent e5075407b1
commit faf5df2081
20 changed files with 448 additions and 52 deletions

View File

@ -1,35 +0,0 @@
From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 30 May 2017 18:35:04 -0400
Subject: [PATCH] daemon: Don't run if in a Fedora live VM
Only start libvirtd if not in a VM OR if not in a Fedora live env,
via systemd unit conditions. It checks Fedora live env by looking
for the rd.live.image option on the kernel command line.
Roundabout way to prevent the 'default' network killing connectivity
of the livecd running in a VM
https://bugzilla.redhat.com/show_bug.cgi?id=1146232
Not upstream, will likely need some kind of different permanent solution
---
daemon/libvirtd.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
index fbaf02f3b..86ee988fa 100644
--- a/daemon/libvirtd.service.in
+++ b/daemon/libvirtd.service.in
@@ -16,6 +16,12 @@ After=local-fs.target
After=remote-fs.target
Documentation=man:libvirtd(8)
Documentation=http://libvirt.org
+# This says, start libvirtd if not in a VM OR if not in a Fedora live env
+# Roundabout way to prevent the 'default' network killing connectivity
+# of the livecd running in a VM
+# https://bugzilla.redhat.com/show_bug.cgi?id=1146232
+ConditionVirtualization=|0
+ConditionKernelCommandLine=|!rd.live.image
[Service]
Type=notify

View File

@ -0,0 +1,34 @@
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Thu, 29 Jun 2017 14:01:11 -0400
Subject: [PATCH] tpm: Use /dev/null for cancel path if none was found
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
TPM 2 does not implement sysfs files for cancellation of commands.
We therefore use /dev/null for the cancel path passed to QEMU.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
(cherry picked from commit dfbb15b75433e520fb1b905c1c3e28753e53e4a5)
---
src/util/virtpm.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 6d9b0657a..d5c10da38 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -61,9 +61,7 @@ virTPMCreateCancelPath(const char *devpath)
VIR_FREE(path);
}
if (!path)
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("No usable sysfs TPM cancel file could be "
- "found"));
+ ignore_value(VIR_STRDUP(path, "/dev/null"));
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("TPM device path %s is invalid"), devpath);

View File

@ -0,0 +1,108 @@
From: Cole Robinson <crobinso@redhat.com>
Date: Sun, 27 Aug 2017 11:23:47 -0400
Subject: [PATCH] security: add MANAGER_MOUNT_NAMESPACE flag
The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
if mount namespaces are in use for the VM. Will be used for future
changes.
Wire it up in the qemu driver
(cherry picked from commit 321031e482425dfeae0f125cdac6df870f079efd)
---
src/qemu/qemu_driver.c | 2 ++
src/security/security_dac.c | 10 ++++++++++
src/security/security_dac.h | 3 +++
src/security/security_manager.c | 4 +++-
src/security/security_manager.h | 1 +
5 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index ce844bb04..555a1009b 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -417,6 +417,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
if (virQEMUDriverIsPrivileged(driver)) {
if (cfg->dynamicOwnership)
flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
+ if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
+ flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
cfg->user,
cfg->group,
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 922e48494..1f8d279bf 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -57,6 +57,7 @@ struct _virSecurityDACData {
gid_t *groups;
int ngroups;
bool dynamicOwnership;
+ bool mountNamespace;
char *baselabel;
virSecurityManagerDACChownCallback chownCallback;
};
@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
}
void
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+ bool mountNamespace)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ priv->mountNamespace = mountNamespace;
+}
+
+
+void
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
virSecurityManagerDACChownCallback chownCallback)
{
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
index 846cefbb5..97681c961 100644
--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
bool dynamic);
+void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+ bool mountNamespace);
+
void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
virSecurityManagerDACChownCallback chownCallback);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 6c777db1e..b2d04d4b9 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
virSecurityManagerPtr mgr;
virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
- VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
+ VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
+ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
virtDriver,
@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
}
virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
+ virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
virSecurityDACSetChownCallback(mgr, chownCallback);
return mgr;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 238e66cd0..96937a892 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -36,6 +36,7 @@ typedef enum {
VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2,
VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3,
VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4,
+ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5,
} virSecurityManagerNewFlags;
# define VIR_SECURITY_MANAGER_NEW_MASK \

View File

@ -0,0 +1,101 @@
From: Cole Robinson <crobinso@redhat.com>
Date: Mon, 17 Jul 2017 08:57:57 -0400
Subject: [PATCH] security: dac: relabel spice rendernode
For a logged in user this a path like /dev/dri/renderD128 will have
default ownership root:video which won't work for the qemu:qemu user,
so we need to chown it.
We only do this when mount namespaces are enabled in the qemu driver,
so the chown'ing doesn't interfere with other users of the shared
render node path
https://bugzilla.redhat.com/show_bug.cgi?id=1460804
(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634)
---
src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 1f8d279bf..5f13bcee8 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
static int
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainGraphicsDefPtr gfx)
+
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ uid_t user;
+ gid_t group;
+
+ /* Skip chowning the shared render file if namespaces are disabled */
+ if (!priv->mountNamespace)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+ gfx->data.spice.rendernode) {
+ if (virSecurityDACSetOwnership(priv, NULL,
+ gfx->data.spice.rendernode,
+ user, group) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
+
+{
+ /* The only graphics labelling we do is dependent on mountNamespaces,
+ in which case 'restoring' the label doesn't actually accomplish
+ anything, so there's nothing to do here */
+ return 0;
+}
+
+
+static int
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input)
@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1;
}
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
rc = -1;
@@ -1602,6 +1655,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
return -1;
}
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
for (i = 0; i < def->ninputs; i++) {
if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
return -1;

View File

@ -0,0 +1,63 @@
From: Michal Privoznik <mprivozn@redhat.com>
Date: Mon, 31 Jul 2017 16:55:58 +0200
Subject: [PATCH] qemu: Honour <on_reboot/>
https://bugzilla.redhat.com/show_bug.cgi?id=1476866
For some reason, we completely ignore <on_reboot/> setting for
domains. The implementation is simply not there. It never was.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 3ee9bdbe351c0b80d4c469571ef31df3f1b148ea)
---
src/qemu/qemu_process.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 992a7174b..7588212ba 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -487,6 +487,7 @@ qemuProcessHandleReset(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
virObjectEventPtr event;
qemuDomainObjPrivatePtr priv;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ int ret = -1;
virObjectLock(vm);
@@ -498,12 +499,32 @@ qemuProcessHandleReset(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
if (virDomainSaveStatus(driver->xmlopt, cfg->stateDir, vm, driver->caps) < 0)
VIR_WARN("Failed to save status on vm %s", vm->def->name);
- virObjectUnlock(vm);
+ if (vm->def->onReboot == VIR_DOMAIN_LIFECYCLE_DESTROY ||
+ vm->def->onReboot == VIR_DOMAIN_LIFECYCLE_PRESERVE) {
- qemuDomainEventQueue(driver, event);
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0)
+ goto cleanup;
+
+ if (!virDomainObjIsActive(vm)) {
+ VIR_DEBUG("Ignoring RESET event from inactive domain %s",
+ vm->def->name);
+ goto endjob;
+ }
+
+ qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_DESTROYED,
+ QEMU_ASYNC_JOB_NONE, 0);
+ virDomainAuditStop(vm, "destroyed");
+ qemuDomainRemoveInactive(driver, vm);
+ endjob:
+ qemuDomainObjEndJob(driver, vm);
+ }
+ ret = 0;
+ cleanup:
+ virObjectUnlock(vm);
+ qemuDomainEventQueue(driver, event);
virObjectUnref(cfg);
- return 0;
+ return ret;
}

View File

@ -0,0 +1,113 @@
From: Michal Privoznik <mprivozn@redhat.com>
Date: Thu, 27 Apr 2017 16:29:21 +0200
Subject: [PATCH] qemuDomainBuildNamespace: Move /dev/* mountpoints later
When setting up mount namespace for a qemu domain the following
steps are executed:
1) get list of mountpoints under /dev/
2) move them to /var/run/libvirt/qemu/$domName.ext
3) start constructing new device tree under /var/run/libvirt/qemu/$domName.dev
4) move the mountpoint of the new device tree to /dev
5) restore original mountpoints from step 2)
Note the problem with this approach is that if some device in step
3) requires access to a mountpoint from step 2) it will fail as
the mountpoint is not there anymore. For instance consider the
following domain disk configuration:
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/dev/shm/vhostmd0'/>
<target dev='vdb' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
</disk>
In this case operation fails as we are unable to create vhostmd0
in the new device tree because after step 2) there is no /dev/shm
anymore. Leave aside fact that we shouldn't try to create devices
living in other mountpoints. That's a separate bug that will be
addressed later.
Currently, the order described above is rearranged to:
1) get list of mountpoints under /dev/
2) start constructing new device tree under /var/run/libvirt/qemu/$domName.dev
3) move them to /var/run/libvirt/qemu/$domName.ext
4) move the mountpoint of the new device tree to /dev
5) restore original mountpoints from step 3)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cedric Bosdonnat <cbosdonnat@suse.com>
(cherry picked from commit a7cc039dc796f541793955598377807af48341fb)
(cherry picked from commit 469bf7cb7a44a0798c63e4b5e4682d8e38bce66e)
---
src/qemu/qemu_domain.c | 48 ++++++++++++++++++++++++------------------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 4a127cedf..64f18f493 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7854,6 +7854,30 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
if (qemuDomainSetupDev(cfg, mgr, vm, devPath) < 0)
goto cleanup;
+ if (qemuDomainSetupAllDisks(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllHostdevs(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllMemories(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllChardevs(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupTPM(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllGraphics(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllInputs(cfg, vm, devPath) < 0)
+ goto cleanup;
+
+ if (qemuDomainSetupAllRNGs(cfg, vm, devPath) < 0)
+ goto cleanup;
+
/* Save some mount points because we want to share them with the host */
for (i = 0; i < ndevMountsPath; i++) {
struct stat sb;
@@ -7881,30 +7905,6 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
goto cleanup;
}
- if (qemuDomainSetupAllDisks(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllHostdevs(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllMemories(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllChardevs(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupTPM(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllGraphics(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllInputs(cfg, vm, devPath) < 0)
- goto cleanup;
-
- if (qemuDomainSetupAllRNGs(cfg, vm, devPath) < 0)
- goto cleanup;
-
if (virFileMoveMount(devPath, "/dev") < 0)
goto cleanup;

View File

@ -240,7 +240,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 3.2.1
Release: 5%{?dist}%{?extra_release}
Release: 6%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -255,24 +255,21 @@ Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
Patch0001: 0001-tests-Check-default-GIC-version-for-aarch64-virt-TCG.patch
Patch0002: 0002-qemu-Use-GICv2-for-aarch64-virt-TCG-guests.patch
Patch0003: 0003-gic-Remove-VIR_GIC_VERSION_DEFAULT.patch
# Don't run libvirtd in live environment, to avoid network collision (bz
# #1146232)
Patch0004: 0004-daemon-Don-t-run-if-in-a-Fedora-live-VM.patch
# Fix resuming qemu VMs suspended before libvirt 3.2.0
Patch0005: 0005-Revert-qemu-propagate-bridge-MTU-into-qemu-host_mtu-.patch
Patch0004: 0004-Revert-qemu-propagate-bridge-MTU-into-qemu-host_mtu-.patch
# Fix issues with AMD CPU models, and some others
Patch0006: 0006-cpu-Introduce-virCPUCopyMigratable.patch
Patch0007: 0007-qemu-Move-common-code-in-virQEMUCapsInitCPUModel-one.patch
Patch0008: 0008-qemu-Add-migratable-parameter-to-virQEMUCapsInitCPUM.patch
Patch0009: 0009-qemu-Introduce-virQEMUCapsSetHostModel.patch
Patch0010: 0010-qemu-Move-qemuCaps-CPU-data-copying-into-a-separate-.patch
Patch0011: 0011-qemu-Introduce-virQEMUCapsHostCPUDataClear.patch
Patch0012: 0012-qemu-Move-qemuCaps-host-CPU-data-in-a-struct.patch
Patch0013: 0013-qemu-Prepare-qemuCaps-for-multiple-host-CPU-defs.patch
Patch0014: 0014-qemu-Pass-migratable-host-CPU-model-to-virCPUUpdate.patch
Patch0015: 0015-cpu-Drop-feature-filtering-from-virCPUUpdate.patch
Patch0016: 0016-cpu-Introduce-virCPUGetHostIsSupported.patch
Patch0017: 0017-qemu-Use-more-data-for-comparing-CPUs.patch
Patch0005: 0005-cpu-Introduce-virCPUCopyMigratable.patch
Patch0006: 0006-qemu-Move-common-code-in-virQEMUCapsInitCPUModel-one.patch
Patch0007: 0007-qemu-Add-migratable-parameter-to-virQEMUCapsInitCPUM.patch
Patch0008: 0008-qemu-Introduce-virQEMUCapsSetHostModel.patch
Patch0009: 0009-qemu-Move-qemuCaps-CPU-data-copying-into-a-separate-.patch
Patch0010: 0010-qemu-Introduce-virQEMUCapsHostCPUDataClear.patch
Patch0011: 0011-qemu-Move-qemuCaps-host-CPU-data-in-a-struct.patch
Patch0012: 0012-qemu-Prepare-qemuCaps-for-multiple-host-CPU-defs.patch
Patch0013: 0013-qemu-Pass-migratable-host-CPU-model-to-virCPUUpdate.patch
Patch0014: 0014-cpu-Drop-feature-filtering-from-virCPUUpdate.patch
Patch0015: 0015-cpu-Introduce-virCPUGetHostIsSupported.patch
Patch0016: 0016-qemu-Use-more-data-for-comparing-CPUs.patch
# Enable ZFS storage driver (bz #1471912)
Patch0101: 0101-spec-Add-support-for-building-the-zfs-storage-driver.patch
@ -281,6 +278,15 @@ Patch0101: 0101-spec-Add-support-for-building-the-zfs-storage-driver.patch
Patch0102: 0102-Avoid-hidden-cgroup-mount-points.patch
# disk driver name=... should be optional (bz #1473091)
Patch0103: 0103-docs-schema-make-disk-driver-name-attribute-optional.patch
# Fix TPM2 passthrough (bz #1486240)
Patch0104: 0104-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
# Fix spice GL qemu:///system rendernode permissions (bz #1460804)
Patch0105: 0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
Patch0106: 0106-security-dac-relabel-spice-rendernode.patch
# Fix on_reboot=destroy setting (bz #1476866)
Patch0107: 0107-qemu-Honour-on_reboot.patch
# Fix disk images in /dev/shm (bz #1482146)
Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -2148,6 +2154,12 @@ exit 0
%changelog
* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-6
- Fix TPM2 passthrough (bz #1486240)
- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
- Fix on_reboot=destroy setting (bz #1476866)
- Fix disk images in /dev/shm (bz #1482146)
* Fri Aug 04 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-5
- Enable ZFS storage driver (bz #1471912)
- Don't use cgroup mount points from /proc/mounts that are hidden (bz