Merge ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-KINETIC into ubuntu/+source/libvirt:ubuntu/kinetic-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 0f841ef26199e7890afd2d883b394e386eb35539
Proposed branch: ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-KINETIC
Merge into: ubuntu/+source/libvirt:ubuntu/kinetic-devel
Diff against target: 218 lines (+177/-0)
5 files modified
debian/changelog (+15/-0)
debian/patches/series (+3/-0)
debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch (+52/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lena Voytek (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+433443@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Revision history for this message
Lena Voytek (lvoytek) wrote :

My patch matches the original I uploaded. Also finished adding the SRU info to the bug report. The other two patches look good and match what I expect based on their descriptions. LGTM

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, lvoytek
Uploaders: paelzer
MP auto-approved

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks, both PPA builds are fine as well (no FTBFS there as in lunar, as that was due to new libxen which isn't hitting the older releases).

Uploading ...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Uploading libvirt_8.6.0-0ubuntu3.1.dsc
Uploading libvirt_8.6.0-0ubuntu3.1.debian.tar.xz
Uploading libvirt_8.6.0-0ubuntu3.1_source.buildinfo
Uploading libvirt_8.6.0-0ubuntu3.1_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 22a9983..9844888 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,18 @@
6+libvirt (8.6.0-0ubuntu3.1) kinetic; urgency=medium
7+
8+ [ Lena Voytek ]
9+ * d/p/u/fix-swtpm-pid-duplication.patch: Clean up swtpm pids after a vm
10+ shuts down (LP: #1997269)
11+
12+ [Christian Ehrhardt ]
13+ * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
14+ apparmor denials on USB forwarding (LP: #1993304)
15+ * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
16+ tolerate the impact of too large udev data avoiding a busy loop
17+ (LP: #1996176)
18+
19+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Nov 2022 11:21:30 +0100
20+
21 libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium
22
23 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
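Review bot: the first changelog entry refers to the patch as d/p/u/fix-swtpm-pid-duplication.patch, but the file added under debian/patches/ubuntu/ and listed in debian/patches/series is lp-1997269-fix-swtpm-pid-duplication.patch; the changelog should use the real filename, as the other two entries in this block already do, so that the entry can be matched to the patch later. Minor: the attribution line is written `[Christian Ehrhardt ]`, with the space inside the bracket, whereas the `[ Lena Voytek ]` line above uses the usual spacing.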
24diff --git a/debian/patches/series b/debian/patches/series
25index c2f6adb..6b0c1f9 100644
26--- a/debian/patches/series
27+++ b/debian/patches/series
28@@ -14,6 +14,7 @@ ubuntu/lp-1861125-ubuntu-models.patch
29 ubuntu/dnsmasq-as-priv-user
30 ubuntu/ovmf_paths.patch
31 ubuntu/wait-for-qemu-kvm.patch
32+ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
33
34 # Ubuntu Apparmor Changes
35 ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
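Review bot: the swtpm pidfile patch is inserted into the generic ubuntu/ block ahead of the `# Ubuntu Apparmor Changes` section, while the other two patches of this upload are appended at the very end of the series. Because quilt applies patches in series order and the three patches touch disjoint files (src/qemu/qemu_tpm.c, the libvirt-qemu AppArmor profile and src/node_device/node_device_udev.c), this has no functional effect, but keeping the three SRU patches together at the end would make the delta easier to audit and to drop once the fixes land in a later upstream release.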
36@@ -26,3 +27,5 @@ ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
37 ubuntu/swtpm-by-swtpm-user.patch
38 ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
39 ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch
40+ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
41+ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
42diff --git a/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
43new file mode 100644
44index 0000000..ad62376
45--- /dev/null
46+++ b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
47@@ -0,0 +1,49 @@
48+From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
49+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
50+Date: Thu, 17 Nov 2022 09:35:05 +0100
51+Subject: [PATCH] apparmor: allow getattr on usb devices
52+
53+For the handling of usb we already allow plenty of read access,
54+but so far /sys/bus/usb/devices only needed read access to the directory
55+to enumerate the symlinks in there that point to the actual entries via
56+relative links to ../../../devices/.
57+
58+But in more recent systemd with updated libraries a program might do
59+getattr calls on those symlinks. And while symlinks in apparmor usually
60+do not matter, as it is the effective target of an access that has to be
61+allowed, here the getattr calls are on the links themselves.
62+
63+On USB hostdev usage that causes a set of denials like:
64+ apparmor="DENIED" operation="getattr" class="file"
65+ name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
66+ requested_mask="r" denied_mask="r" ...
67+
68+It is safe to read the links, therefore add a rule to allow it to
69+the block of rules that covers the usb related access.
70+
71+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
72+Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
73+
74+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
75+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
76+Last-Update: 2022-11-22
77+
78+---
79+ src/security/apparmor/libvirt-qemu | 1 +
80+ 1 file changed, 1 insertion(+)
81+
82+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
83+index 02ee273e7e..d0289b8943 100644
84+--- a/src/security/apparmor/libvirt-qemu
85++++ b/src/security/apparmor/libvirt-qemu
86+@@ -42,6 +42,7 @@
87+
88+ # For hostdev access. The actual devices will be added dynamically
89+ /sys/bus/usb/devices/ r,
90++ /sys/bus/usb/devices/* r,
91+ /sys/devices/**/usb[0-9]*/** r,
92+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
93+ /run/udev/data/+usb* r,
94+--
95+2.38.1
96+
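Review bot: the added rule `/sys/bus/usb/devices/* r,` is a single-level glob, so it only covers the entries directly inside that directory, which are the symlinks named in the denial quoted in the header (name="/sys/bus/usb/devices/usb1"); it does not widen access below them, and the device trees remain governed by the existing `/sys/devices/**/usb[0-9]*/** r,` line. It would help to state that scope in the DEP-3 header so a later reviewer of the Ubuntu delta does not read it as a recursive grant into sysfs.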
97diff --git a/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
98new file mode 100644
99index 0000000..16a3e9c
100--- /dev/null
101+++ b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
102@@ -0,0 +1,58 @@
103+From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
104+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
105+Date: Thu, 10 Nov 2022 10:36:28 +0100
106+Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
107+MIME-Version: 1.0
108+Content-Type: text/plain; charset=UTF-8
109+Content-Transfer-Encoding: 8bit
110+
111+Certain udev entries might be of a size that makes libudev emit EINVAL
112+which right now leads to udevEventHandleThread exiting. Due to no more
113+handling events other elements of libvirt will start pushing for events
114+to be consumed which never happens causing a busy loop burning a cpu
115+without any gain.
116+
117+After evaluation of the example case discussed in in #245 and a test
118+run ignoring EINVAL it was considered safe to add EINVAL to the ignored
119+errnos to not exit udevEventHandleThread giving it more resilience.
120+
121+The root cause is in systemd and by now was discussed and fixed via
122+https://github.com/systemd/systemd/issues/24987, but hardening libvirt
123+to be able to better deal with EINVAL returned still is the right thing
124+to avoid the reported busy loops on systemd with older systemd versions.
125+
126+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
127+
128+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
129+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
130+
131+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
132+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
133+Last-Update: 2022-11-22
134+
135+---
136+ src/node_device/node_device_udev.c | 6 ++++--
137+ 1 file changed, 4 insertions(+), 2 deletions(-)
138+
139+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
140+index 24ef1c25a9..2454cab8f8 100644
141+--- a/src/node_device/node_device_udev.c
142++++ b/src/node_device/node_device_udev.c
143+@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
144+ }
145+
146+ /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
147+- * interchangeably when the read would block or timeout was fired
148++ * interchangeably when the read would block or timeout was fired.
149++ * EINVAL might happen on too large udev entries, ignore those for
150++ * the robustness of udevEventHandleThread.
151+ */
152+ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
153+- if (errno != EAGAIN && errno != EWOULDBLOCK) {
154++ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
155+ VIR_WARNINGS_RESET
156+ virReportSystemError(errno, "%s",
157+ _("failed to receive device from udev "
158+--
159+2.38.1
160+
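Review bot: with EINVAL added to the tolerated errnos, a receive failure caused by an oversized udev entry now takes the same silent path as EAGAIN/EWOULDBLOCK, so the dropped event leaves no trace in the log. Consider emitting a debug-level message in that branch so an operator can correlate a device that never appears in nodedev with the systemd issue linked in the header; the busy-loop fix itself (not exiting udevEventHandleThread) is unaffected by adding such a log line.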
161diff --git a/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
162new file mode 100644
163index 0000000..ac4dfc9
164--- /dev/null
165+++ b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
166@@ -0,0 +1,52 @@
167+Description: Do not keep swtpm pidfile around after stopping qemu vm
168+Author: Martin Kletzander <mkletzan@redhat.com>
169+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/3c2d06d78e1bd2d9298276b44a6ab09cc3b36e5a
170+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2111301
171+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1997269
172+Last-Update: 2022-11-21
173+---
174+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
175+--- a/src/qemu/qemu_tpm.c
176++++ b/src/qemu/qemu_tpm.c
177+@@ -793,28 +793,25 @@
178+ g_autofree char *pathname = NULL;
179+ g_autofree char *errbuf = NULL;
180+ g_autofree char *swtpm_ioctl = virTPMGetSwtpmIoctl();
181++ g_autofree char *pidfile = qemuTPMEmulatorPidFileBuildPath(swtpmStateDir,
182++ shortName);
183+
184+- if (!swtpm_ioctl)
185+- return;
186++ if (swtpm_ioctl &&
187++ (pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)) &&
188++ virFileExists(pathname)) {
189+
190+- if (!(pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)))
191+- return;
192++ cmd = virCommandNewArgList(swtpm_ioctl, "--unix", pathname, "-s", NULL);
193+
194+- if (!virFileExists(pathname))
195+- return;
196++ virCommandSetErrorBuffer(cmd, &errbuf);
197+
198+- cmd = virCommandNew(swtpm_ioctl);
199+- if (!cmd)
200+- return;
201++ ignore_value(virCommandRun(cmd, NULL));
202+
203+- virCommandAddArgList(cmd, "--unix", pathname, "-s", NULL);
204++ /* clean up the socket */
205++ unlink(pathname);
206++ }
207+
208+- virCommandSetErrorBuffer(cmd, &errbuf);
209+-
210+- ignore_value(virCommandRun(cmd, NULL));
211+-
212+- /* clean up the socket */
213+- unlink(pathname);
214++ if (pidfile)
215++ virPidFileForceCleanupPath(pidfile);
216+ }
217+
218+
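Review bot: the restructuring drops the `if (!cmd) return;` check that followed the old virCommandNew() call; virCommandNewArgList() is now used and its result passed straight to virCommandSetErrorBuffer() and virCommandRun() without a NULL check. If those helpers are known to tolerate a NULL command this is fine, but that should be confirmed or the check restored, since it existed in the code being replaced. The pidfile handling is now deliberately unconditional (virPidFileForceCleanupPath() runs even when swtpm_ioctl is missing or the socket is already gone), which is the point of the fix, and it is ordered after the `-s` shutdown request over the socket, which is the right sequence. Note also that the hunk header `@@ -793,28 +793,25 @@` carries no function name, so the DEP-3 Description is the only place that says this is the swtpm stop path; naming the function in the header would help future rebases.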
