Merge ~paelzer/ubuntu/+source/libvirt:merge-6.6.0-groovy into ~paelzer/ubuntu/+source/libvirt:merge-6.6.0-mergebase

Tags to help review the merge:
- merge-6.6.0-groovy/split/6.0.0-0ubuntu10
- merge-6.6.0-groovy/logical/6.0.0-0ubuntu10
Branch:
- merge-6.6.0-mergebase
  use this as the base for the review (ignore LP please)
  We work in Debian to get more things in there, so it will slightly
  change. But for the review use this as the base to review.
- merge-6.6.0-groovy
  The proposed branch

range-diff will be very noisy as there was a lot of wrap-and-sort going on.
That makes everything appear changed, but mostly are no-ops.

I've had regression tests running and found further issues.
All fixed or soon-to-be-fixed by now.

Overall 7 apparmor changes upstreamed and 4 new upstream fixes IIRC.

The Debian unstable upload for 6.6 is planned soon which will give further
test exposure.

One Debian uploaded I'll do a final re-base and edit this MP to match things.
But given how many changes this has it might be worth to start review now.

I'll try to finish the review tomorrow morning (my morning).

Updated a few patches to the latest state as of upstream/debian acceptance

Also rebased on the latest Debian experimental that this will eventually be.
That allowed me to drop a few more of the changes already.
The old merge state is in tag "merge-6.6.0-groovy/merge-v1"
The new merge is the branch "merge-6.6.0-groovy" itself which I force pushed.
I moved "merge-6.6.0-mergebase" to match that new "salsa/debian/experimental" that I used.

Further experiments with ZFS/RBD on Risc also showed that we can now build them allowing to drop one more change.

Also I started another round of tests (except ppc which has no machine free atm) on the latest build.

Overall changelog looks good and no major changes should be made. I have taken
note of some typos and/or missing entries that could, or could not, make sense
for you to change.

Note: - search for TODO keyword to find actionable items

--------

TODO: missing changelog entries:

ad8c54a76d - d/control: make libvirt-daemon-driver-storage-rbd a recommend inste
03604151e5 * SECURITY UPDATE: privilege escalation via incorrect socket permissi
875cb82db4 d/p/ubuntu/lp-1861125-*: Add extension for Ubuntu specific machine ty
0e20e39ae3 d/control: drop mdevctl to a suggest until (LP 1889248) is ready

libvirt (6.6.0-2ubuntu1) groovy; urgency=medium

  * Merge with Debian 6.6.0-1 from experimental

    Among many other new features and fixes this includes fixes for:
    (LP: #1874647) - Stale libvirt cache leads to VM startup failures
    (LP: #1869796) - bad ordering and dependent restarts of services/sockets

    Remaining changes:

    - d/control, d/rules: Disable rbd and zfs on riscv64 where they are unavailable (LP 1872952)
67901169b6 d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules aft>
    - d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules after qemu package upgrades (LP 1847361)
0ceb2041a2 libvirt-uri.sh: default libvirt URI on Xen dom0
    - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise)

04b0e75a32 disable libssh2 support (universe dependency)

    - Disable libssh2 support (universe dependency)

7298283fce disable firewalld support (universe dependency)

    - Disable firewalld support (universe dependency)

2f287795eb set qemu-group to kvm (for compat with older ubuntu)

    - Set qemu-group to kvm (for compat with older ubuntu)

a1fdd55e08 Add apport package-hook

    - Additional apport package-hook

acd80701a8 Create autostart default network.

    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up

01482fc398 Allow-libvirt-group-to-access-the-socket
c8bff4a40c - d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group

    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.

3bc9fc096d - d/p/ubuntu/parallel-shutdown.patch: shut guests down in parallel

    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.

302eb29c1f Update README.Debian with Ubuntu changes

    - Update README.Debian with Ubuntu changes

    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.

0d6a03a7b0 - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx

    - d/p/ubuntu...

Related to some patches highlighted as actionable items in previous comment.. here are some comments:

# OBS 01:

The commit:

commit fd2c9ec380
Author: Christian Ehrhardt <email address hidden>
Date: Thu Aug 10 06:56:04 2017

    apparmor, libvirt-qemu: Allow read access to

    Note: accepted upstream will be in 6.7

    Signed-off-by: Christian Ehrhardt <email address hidden>

has an incomplete git log and a note saying that it is accepted upstream.

it includes:

+ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch

saying:

+Forwarded: no (part of continuous upstreaming effort)

Could be replaced by upstream patch:

commit e16967fd6e
Author: Jamie Strandboge <email address hidden>
Date: Mon Aug 3 08:41:33 2020

    apparmor: read only access to overcommit_memory

    Allow qemu to read @{PROC}/sys/vm/overcommit_memory.
    This is read on guest start-up and (as read-only) not a
    critical secret that has to stay hidden.

    Signed-off-by: Christian Ehrhardt <email address hidden>
    Signed-off-by: Stefan Bader <email address hidden>
    Signed-off-by: Jamie Strandboge <email address hidden>
    Reviewed-by: Andrea Bolognani <email address hidden>

With no DEP3/changes needed.

# OBS 02:

The same thing applies to commit:

commit 91c39e7fba
Author: Christian Ehrhardt <email address hidden>
Date: Thu Aug 10 06:57:59 2017

    apparmor, libvirt-qemu: Allow owner read access to

    Note: accepted upstream will be in 6.7

    Signed-off-by: Christian Ehrhardt <email address hidden>

also with an incomplete git log and a note.

it includes:

+ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch

saying:

+Forwarded: no (part of continuous upstreaming effort)

Could be replace by upstream patch:

commit 7c5ef98c00
Author: Stefan Bader <email address hidden>
Date: Mon Aug 3 08:44:27 2020

    apparmor: qemu access to @{PROC}/*/auxv for hw_cap

    On some architectures (ppc, s390x, sparc, arm) qemu will read auxv
    to detect hardware capabilities via qemu_getauxval.

    Allow that access read-only for the entry owned by the current
    qemu process.

    Signed-off-by: Christian Ehrhardt <email address hidden>
    Signed-off-by: Stefan Bader <email address hidden>
    Reviewed-by: Andrea Bolognani <email address hidden>
    Acked-by: Jamie Strandboge <email address hidden>

With no DEP3/changes needed.

# OBS 03:

In the same line... the commit:

commit 67901169b6
Author: Christian Ehrhardt <email address hidden>
Date: Tue Mar 10 04:58:01 2020

    d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules after qemu

    Note: accepted upstream will be in 6.7

    Signed-off-by: Christian Ehrhardt <email address hidden>

including:

+ubuntu-aa/lp-1847361-load-versioned-module.patch

Could be replaced by:

commit 3ef2af8ed3
Author: Christian Ehrhardt <email address hidden>
Date: Mon Aug 3 09:03:19 2020

    apparmor: let qemu load old shared objects after upgrades

    Since [1] qemu can after upgrade fall back to pre-upgrade modules
    to still be able to dynamically load qemu-module based features.

    The paths for these modules are pre-defined by the code and should
    be allowed to be mapped and loaded from which will allow packagers
    avoiding the inability of late feature load [2] after package upgrades.

    [1]: https://github.com/qemu/qemu/commit/bd83c861
    [2]: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1847361

    Signed-off-by: Christian Ehrhardt <email address hidden>
    Acked-by: Jamie Strandboge <email address hidden>
    Reviewed-by: Andrea Bolognani <email address hidden>
    Reviewed-by: Daniel P. Berrangé <berrange redhat com>

# OBS 04:

In changelog, we have:

libvirt (6.6.0-1) UNRELEASED; urgency=medium

Is this okay ? I used:

open-iscsi (2.1.1-1) experimental; urgency=medium

for unreleased (but merged) version, in my case.

Lintian is good for source and binaries. I'll let you handle the functional tests. All looks good and feel free to merge after deciding to address, or not, the items I have brought to your attention (definitely not blockers for anything).

Regression tests completed with the latest build, this time all works without errors.
Thanks for the review, I need to go through this review feedback to complete - thanks!

In 03604151e5 I mentioned why this doesn't get an extra CL entry.
It is essentially just a fixup an a logical change that is in the changelog (commit will also be squashed on next merge).

For 875cb82db4:
This was formerly part of
  137 - d/p/ubuntu/lp-1861125-*: fix non host-model migrations from old machine
  138 types (LP 1861125)
We only retained the minor bit that is for Ubuntu downstream only.
I added a line for it.

0e20e39ae3 has a CL entry in the "Added section already"

ad8c54a76d is a great catch, I've forgotten about it. This actually will be dropped now.
Added to CL and reverted the change.

Patches fd2c9ec380 and 91c39e7fba will be gone on the next merge anyway and the commit message holds the details. You are right I could add the "origin" statement here, but that would actually be wrong - the "origin" is this patch in ubuntu, just now it got applied and that I forward it is in "Forwarded: no (part of continuous upstreaming effort)".
Well I guess an Applied-Upstream tag would match best.
There were actually three more of that kind which I marked as well - and two more of Debian which I didn't touch.
The 9p typo OTOH isn't important IMHO.

The typo in d8e3efc690 isn't important either as it will be gone next merge (I upstreamed this).

And finally - I'm waiting for Debian to upload 6.6 - then I'll rebase to that and due to that I'll get the UNRELEASED out of the changelog.

Ok- thanks a lot - now tests and review are good.
Just waiting on the Debian upload to happen.

In Debian we now have put everything together, I'll do a last rebase, rebuild retest.
If nothing interesting comes up I'll upload otherwise I'll speak up here for a re-review of the changes I needed.

FYI - rebase and build without any unexpected u-turns.
Tests are running atm

Ok, all tests look good, uploading.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt
 * [new tag] upload/6.6.0-1ubuntu1 -> upload/6.6.0-1ubuntu1

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading libvirt_6.6.0-1ubuntu1.dsc: done.
  Uploading libvirt_6.6.0.orig.tar.xz: done.
  Uploading libvirt_6.6.0.orig.tar.xz.asc: done.
  Uploading libvirt_6.6.0-1ubuntu1.debian.tar.xz: done.
  Uploading libvirt_6.6.0-1ubuntu1_source.buildinfo: done.
  Uploading libvirt_6.6.0-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Lovely - I built this 13 times in Launchpad the last two weeks.
Now on the actual upload I see FTBFS :-/

But it seems to be build-infra and not libvirt that breaks.

Never the less - merged from the MP POV