Merge ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-LUNAR into ubuntu/+source/libvirt:ubuntu/lunar-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: ca8b8e40fc53198ed4a8a708d771066e898f20cf
Proposed branch: ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-LUNAR
Merge into: ubuntu/+source/libvirt:ubuntu/lunar-devel
Diff against target: 218 lines (+177/-0)
5 files modified
debian/changelog (+15/-0)
debian/patches/series (+3/-0)
debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch (+52/-0)
Reviewers (review type / status):
Christian Ehrhardt (community): Approve
Canonical Server Reporter: Pending
git-ubuntu import: Pending
Review via email: mp+433429@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

[14:57] <lvoytek> [32f->31c] paelzer: The combo upload for libvirt looks good to me. Feel free to use it (re @cpaelzer: lvoytek: if ...)

review: Approve

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 22a9983..30e4904 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
1libvirt (8.6.0-0ubuntu4) lunar; urgency=medium
2
3 [ Lena Voytek ]
4 * d/p/u/fix-swtpm-pid-duplication.patch: Clean up swtpm pids after a vm
5 shuts down (LP: #1997269)
6
7 [Christian Ehrhardt ]
8 * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
9 apparmor denials on USB forwarding (LP: #1993304)
10 * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
11 tolerate the impact of too large udev data avoiding a busy loop
12 (LP: #1996176)
13
14 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Nov 2022 11:21:30 +0100
15
1libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium16libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium
217
3 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:18 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
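Review bot: the changelog names the swtpm patch `d/p/u/fix-swtpm-pid-duplication.patch`, but the file this proposal adds is `debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch`; rename the reference so it matches the file and the other two entries, which use their full `lp-<bug>-...` names. Minor style: `[Christian Ehrhardt ]` has the space inside the closing bracket rather than on both sides (`[ Christian Ehrhardt ]`) as in the `[ Lena Voytek ]` block above.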
diff --git a/debian/patches/series b/debian/patches/series
index c2f6adb..6b0c1f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,7 @@ ubuntu/lp-1861125-ubuntu-models.patch
14ubuntu/dnsmasq-as-priv-user14ubuntu/dnsmasq-as-priv-user
15ubuntu/ovmf_paths.patch15ubuntu/ovmf_paths.patch
16ubuntu/wait-for-qemu-kvm.patch16ubuntu/wait-for-qemu-kvm.patch
17ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
1718
18# Ubuntu Apparmor Changes19# Ubuntu Apparmor Changes
19ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch20ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
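Review bot: the new `ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch` is inserted mid-series after `wait-for-qemu-kvm.patch` rather than appended at the end like the other two patches in this proposal. `ubuntu/swtpm-by-swtpm-user.patch` sits later in the series (second hunk); if that patch also touches `src/qemu/qemu_tpm.c`, confirm that `quilt push -a` still applies cleanly with the pid patch ahead of it, or append the new patch after it to keep the swtpm changes adjacent.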
@@ -26,3 +27,5 @@ ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
26ubuntu/swtpm-by-swtpm-user.patch27ubuntu/swtpm-by-swtpm-user.patch
27ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch28ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
28ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch29ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch
30ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
31ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
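Review bot: style only: the two appended entries list lp-1996176 before lp-1993304, the reverse of the changelog order. Both are independent upstream cherry-picks, so the order does not matter for application, but keeping it identical in `debian/changelog` and `debian/patches/series` makes cross-checking easier.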
diff --git a/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
29new file mode 10064432new file mode 100644
index 0000000..ad62376
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
@@ -0,0 +1,49 @@
1From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
2From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
3Date: Thu, 17 Nov 2022 09:35:05 +0100
4Subject: [PATCH] apparmor: allow getattr on usb devices
5
6For the handling of usb we already allow plenty of read access,
7but so far /sys/bus/usb/devices only needed read access to the directory
8to enumerate the symlinks in there that point to the actual entries via
9relative links to ../../../devices/.
10
11But in more recent systemd with updated libraries a program might do
12getattr calls on those symlinks. And while symlinks in apparmor usually
13do not matter, as it is the effective target of an access that has to be
14allowed, here the getattr calls are on the links themselves.
15
16On USB hostdev usage that causes a set of denials like:
17 apparmor="DENIED" operation="getattr" class="file"
18 name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
19 requested_mask="r" denied_mask="r" ...
20
21It is safe to read the links, therefore add a rule to allow it to
22the block of rules that covers the usb related access.
23
24Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
25Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
26
27Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
28Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
29Last-Update: 2022-11-22
30
31---
32 src/security/apparmor/libvirt-qemu | 1 +
33 1 file changed, 1 insertion(+)
34
35diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
36index 02ee273e7e..d0289b8943 100644
37--- a/src/security/apparmor/libvirt-qemu
38+++ b/src/security/apparmor/libvirt-qemu
39@@ -42,6 +42,7 @@
40
41 # For hostdev access. The actual devices will be added dynamically
42 /sys/bus/usb/devices/ r,
43+ /sys/bus/usb/devices/* r,
44 /sys/devices/**/usb[0-9]*/** r,
45 # libusb needs udev data about usb devices (~equal to content of lsusb -v)
46 /run/udev/data/+usb* r,
47--
482.38.1
49
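Review bot: the added rule `/sys/bus/usb/devices/* r,` grants `r` rather than getattr alone, which is the narrowest AppArmor offers since it has no getattr-only permission; because `*` does not cross directory boundaries and the link targets are already covered by `/sys/devices/**/usb[0-9]*/** r,`, the widening is confined to the link inodes themselves. Suggest a one-line comment above the rule saying it exists because the denials are on the symlinks, not their targets, so a later cleanup does not drop it as apparently redundant with the `/sys/bus/usb/devices/ r,` line above it.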
diff --git a/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
0new file mode 10064450new file mode 100644
index 0000000..16a3e9c
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
@@ -0,0 +1,58 @@
1From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
2From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
3Date: Thu, 10 Nov 2022 10:36:28 +0100
4Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Certain udev entries might be of a size that makes libudev emit EINVAL
10which right now leads to udevEventHandleThread exiting. Due to no more
11handling events other elements of libvirt will start pushing for events
12to be consumed which never happens causing a busy loop burning a cpu
13without any gain.
14
15After evaluation of the example case discussed in in #245 and a test
16run ignoring EINVAL it was considered safe to add EINVAL to the ignored
17errnos to not exit udevEventHandleThread giving it more resilience.
18
19The root cause is in systemd and by now was discussed and fixed via
20https://github.com/systemd/systemd/issues/24987, but hardening libvirt
21to be able to better deal with EINVAL returned still is the right thing
22to avoid the reported busy loops on systemd with older systemd versions.
23
24Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
25
26Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
27Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
28
29Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
30Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
31Last-Update: 2022-11-22
32
33---
34 src/node_device/node_device_udev.c | 6 ++++--
35 1 file changed, 4 insertions(+), 2 deletions(-)
36
37diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
38index 24ef1c25a9..2454cab8f8 100644
39--- a/src/node_device/node_device_udev.c
40+++ b/src/node_device/node_device_udev.c
41@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
42 }
43
44 /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
45- * interchangeably when the read would block or timeout was fired
46+ * interchangeably when the read would block or timeout was fired.
47+ * EINVAL might happen on too large udev entries, ignore those for
48+ * the robustness of udevEventHandleThread.
49 */
50 VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
51- if (errno != EAGAIN && errno != EWOULDBLOCK) {
52+ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
53 VIR_WARNINGS_RESET
54 virReportSystemError(errno, "%s",
55 _("failed to receive device from udev "
56--
572.38.1
58
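Review bot: with `EINVAL` added to the ignored errnos at line 52, an oversized udev entry now drops the event without any trace: the `virReportSystemError` call that follows was the only reporting on this path, so the device event is lost silently and the resulting gap in the nodedev view is hard to diagnose later. Suggest a `VIR_DEBUG` (or rate-limited `VIR_WARN`) in the `EINVAL` case so operators can correlate a missing device with the journal; continuing the loop instead of exiting the thread is otherwise the right call, and the pointer to systemd issue 24987 in the header is a useful breadcrumb.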
diff --git a/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
0new file mode 10064459new file mode 100644
index 0000000..ac4dfc9
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
@@ -0,0 +1,52 @@
1Description: Do not keep swtpm pidfile around after stopping qemu vm
2Author: Martin Kletzander <mkletzan@redhat.com>
3Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/3c2d06d78e1bd2d9298276b44a6ab09cc3b36e5a
4Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2111301
5Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1997269
6Last-Update: 2022-11-21
7---
8This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
9--- a/src/qemu/qemu_tpm.c
10+++ b/src/qemu/qemu_tpm.c
11@@ -793,28 +793,25 @@
12 g_autofree char *pathname = NULL;
13 g_autofree char *errbuf = NULL;
14 g_autofree char *swtpm_ioctl = virTPMGetSwtpmIoctl();
15+ g_autofree char *pidfile = qemuTPMEmulatorPidFileBuildPath(swtpmStateDir,
16+ shortName);
17
18- if (!swtpm_ioctl)
19- return;
20+ if (swtpm_ioctl &&
21+ (pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)) &&
22+ virFileExists(pathname)) {
23
24- if (!(pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)))
25- return;
26+ cmd = virCommandNewArgList(swtpm_ioctl, "--unix", pathname, "-s", NULL);
27
28- if (!virFileExists(pathname))
29- return;
30+ virCommandSetErrorBuffer(cmd, &errbuf);
31
32- cmd = virCommandNew(swtpm_ioctl);
33- if (!cmd)
34- return;
35+ ignore_value(virCommandRun(cmd, NULL));
36
37- virCommandAddArgList(cmd, "--unix", pathname, "-s", NULL);
38+ /* clean up the socket */
39+ unlink(pathname);
40+ }
41
42- virCommandSetErrorBuffer(cmd, &errbuf);
43-
44- ignore_value(virCommandRun(cmd, NULL));
45-
46- /* clean up the socket */
47- unlink(pathname);
48+ if (pidfile)
49+ virPidFileForceCleanupPath(pidfile);
50 }
51
52
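Review bot: the restructuring changes behaviour beyond the pidfile cleanup: previously a missing `swtpm_ioctl` binary or socket returned early, whereas now those cases fall through to `virPidFileForceCleanupPath(pidfile)` (lines 48-49), which acts on whatever pid the stale file records even though the graceful `swtpm_ioctl --unix ... -s` shutdown could not be attempted. That is the intended fix for the duplication, but the DEP-3 `Description:` only says the pidfile is not kept around; add a sentence documenting the forced cleanup in the no-socket case so the new ordering is explicit. Minor: the header carries `Origin: upstream` but no upstream subject or rationale, so readers must follow the link for the reasoning.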
