Merge ~paelzer/ubuntu/+source/qemu:groovy-merge-pick-5.0-14 into ubuntu/+source/qemu:ubuntu/groovy-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: dab4e218ab8bff5e5b81393c08a9c7a1e3279edc
Merge reported by: Christian Ehrhardt 
Merged at revision: 1dea878593449839e9244d33abfd190673f46806
Proposed branch: ~paelzer/ubuntu/+source/qemu:groovy-merge-pick-5.0-14
Merge into: ubuntu/+source/qemu:ubuntu/groovy-devel
Diff against target: 150 lines (+105/-0)
5 files modified
debian/changelog (+10/-0)
debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/rules (+4/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Pending
Canonical Server packageset reviewers Pending
Review via email: mp+388545@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4175/+packages

Minor, but worthwhile fixes for groovy (one CVE, one follow up to the further modularization).

Christian Ehrhardt  (paelzer) wrote :

Adding one more fix for our minimal xen delta in a minute ...

38edad2... by Christian Ehrhardt 

d/rules: xen: compat links (LP: #1890005)

libxen-dev reports where to find the qemu binaries as if they
would have been built with xen. Obviously this isn't the case
but tools like libvirt will rely on the output of libxen-dev.

To avoid users having to modify the guest defaults provide a
symlink from the expected place to where qemu packaging
places it.

Note: we can't just place the binary there as that would kill
plenty of apparmor assumptions in libvirt.

Signed-off-by: Christian Ehrhardt <email address hidden>

6cf35f5... by Christian Ehrhardt 

d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on SQXBR (LP: #1883984)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

And a breakage on s390x - this doesn't seem to stop ...

Christian Ehrhardt  (paelzer) wrote :

Forgot to mention here.
The module fix isn't needed for us since it is only needed after "1f9685e build all modules since there are modules anyway, no need to hack them in d/rules" which I have postponed to 21.04 for reasons just like that.

Taken the commit out of the presented MR

Rafael David Tinoco (rafaeldtinoco) wrote :

# CHECKLIST
----------------------------
 [.] changelog entry correct
 [.] targeted to correct codename
 [.] version number is correct
 [.] update-maintainer has been run before
 ----
 [.] changes forwarded upstream/debian (if appropriate)
 [.] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [!] patches have correct DEP3 metadata
 - small typo in commit 15b2a2e318:
   - "...xen sepcific qemu binary in the qemu-default"
 ----
 [.] relying on PPA only for build check ?
 [.] if relying on PPA, did it install correctly ?
 ----
 [-] was autopkgtest tested ?
 ----
 [-] is this a SRU ?
 [-] if a SRU, does the public bug have a template ?
 [-] is this a bundle of fixes ?
 [-] is this a single fix ?
 ----
 [-] if single fix, was testcase provided ?
 [-] if single fix, and testcase provided, could I reproduce it ?
 [-] if single fix, and testcase provided, did it work ?
 ----
 [.] is this a MERGE ?
 [.] if MERGE, is there a public bug referred ?
 [.] if MERGE, does it add/remove existing packages ?
 [.] if MERGE, does it bump library SONAME ?
----------------------------
 [.] = ok | [x] = not ok | [?] = question | [!] = note | [-] = n/a
----------------------------

# comments:

dab4e218ab changelog: xen and s390x-emu fixes for groovy (LP: #1890005) (LP: #1883984)
5a51f1f398 d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on SQXBR (LP: #1883984)
15b2a2e318 xen: place binary in the path xen-devel & libvirt expect it

# changelog:

qemu (1:5.0-5ubuntu4) groovy; urgency=medium

  * xen: place binary in the path xen-devel and libvirt expect it
    (LP: #1890005)
  * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
    SQXBR (LP: #1883984)

# files touched:

$ git log -3 -p | diffstat
 changelog | 9 +++++++++
 control | 1 -
 control-in | 1 -
 patches/series | 1 +
 patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch | 37 +++++++++++++++++++++++++++++++++++++
 rules | 13 ++++++-------
 6 files changed, 53 insertions(+), 9 deletions(-)

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

+1 after minimum typo fix in patch git log desc.

Christian Ehrhardt  (paelzer) wrote :

I also did a full upgrade on my xen host and tried xen with virt-manager without the former symlink workaround in place.

The new qemu-system-x86-xen slots into place nicely:

ubuntu@ubuntu:~$ virsh capabilities | grep emu
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
      <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>
ubuntu@ubuntu:~$ ll /usr/lib/xen-4.11/bin/qemu-system-i386
-rwxr-xr-x 1 root root 15355976 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-i386*

But - then all of the apparmor isolation will fall apart.
As it will not allow this path to be executed.

Aug 04 06:31:13 ubuntu audit[115176]: AVC apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 04 06:31:13 ubuntu kernel: audit: type=1400 audit(1596522673.656:146): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Aug 04 06:31:13 ubuntu libvirtd[85510]: internal error: Child process (/usr/lib/xen-4.11/bin/qemu-system-i386 -help) unexpected exit status 126: libvirt: error : cannot execute binary /usr/lib/xen-4.11/bin/qemu-system-i386: Permission denied

So we want to keep things much more than they already are - but with a symlink in place (as my manual workaround was).
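The denial quoted in the comment above appears twice, once as the journald `audit[...]` record and once as the kernel `type=1400` record. As an added example (not part of the original thread or of the qemu/libvirt packaging), this sketch extracts the fields of such AppArmor records and collapses the duplicate reports into one exec denial per profile, path and pid; the function names are assumptions made for this illustration.

```python
import re

# Log lines copied from the comment above: two views of the same denial.
SAMPLE = [
    'Aug 04 06:31:13 ubuntu audit[115176]: AVC apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'Aug 04 06:31:13 ubuntu kernel: audit: type=1400 audit(1596522673.656:146): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/xen-4.11/bin/qemu-system-i386" pid=115176 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def exec_denials(lines):
    """Return unique exec denials as (profile, path, pid) tuples.

    The journald and kernel records of one event share profile, path and
    pid, so that triple is used to collapse the duplicate report.
    """
    seen, result = set(), []
    for line in lines:
        fields = parse_denial(line)
        if not fields or fields.get("operation") != "exec":
            continue
        if "x" not in fields.get("denied_mask", ""):
            continue
        key = (fields.get("profile"), fields.get("name"), fields.get("pid"))
        if key not in seen:
            seen.add(key)
            result.append(key)
    return result


if __name__ == "__main__":
    for profile, path, pid in exec_denials(SAMPLE):
        print(f"profile={profile} denied exec of {path} (pid {pid})")
```
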

4d0ba8d... by Christian Ehrhardt 

d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)

Signed-off-by: Christian Ehrhardt <email address hidden>

1dea878... by Christian Ehrhardt 

changelog: fix -no-reboot on s390x secure boot (LP: #1890154)

Signed-off-by: Christian Ehrhardt <email address hidden>

Christian Ehrhardt  (paelzer) wrote :

And another fix for s390x - clean fix directly from IBM.
This week keeps on giving ...

Christian Ehrhardt  (paelzer) wrote :

ubuntu@ubuntu:~$ ll /usr/lib/xen-4.11/bin/qemu-system-*
lrwxrwxrwx 1 root root 29 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-i386 -> ../../../bin/qemu-system-i386*
lrwxrwxrwx 1 root root 31 Aug 3 05:15 /usr/lib/xen-4.11/bin/qemu-system-x86_64 -> ../../../bin/qemu-system-x86_64*

Working well now:
ubuntu@ubuntu:~$ virsh dumpxml ubuntu20.04 | grep emul
    <emulator>/usr/lib/xen-4.11/bin/qemu-system-i386</emulator>

ubuntu@ubuntu:~$ virsh start ubuntu20.04
Domain ubuntu20.04 started

So the xen cleanup to match the expected defaults is good.
Builds are also good and the other patches are small and work fine.

Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%5.0-5ubuntu4 -> upload/1%5.0-5ubuntu4

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_5.0-5ubuntu4.dsc: done.
  Uploading qemu_5.0-5ubuntu4.debian.tar.xz: done.
  Uploading qemu_5.0-5ubuntu4_source.buildinfo: done.
  Uploading qemu_5.0-5ubuntu4_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

this migrated

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index d2f09cf..ea3bc89 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
1qemu (1:5.0-5ubuntu4) groovy; urgency=medium
2
3 * xen: provide compat links to what libxen-dev reports where to find
4 the binaries (LP: #1890005)
5 * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
6 SQXBR (LP: #1883984)
7 * d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)
8
9 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 03 Aug 2020 07:15:28 +0200
10
1qemu (1:5.0-5ubuntu3) groovy; urgency=medium11qemu (1:5.0-5ubuntu3) groovy; urgency=medium
212
3 * d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI13 * d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
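Review bot: The trailer date on the new 1:5.0-5ubuntu4 entry is still Mon, 03 Aug 2020 07:15:28 +0200, although the entry now lists the lp-1890154 patch, whose DEP3 header carries Last-Update: 2020-08-05. Refresh the timestamp when finalising the upload (for example with dch -r) so the changelog reflects when the last change was added.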
diff --git a/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch b/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
4new file mode 10064414new file mode 100644
index 0000000..0f25ca9
--- /dev/null
+++ b/debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
@@ -0,0 +1,52 @@
1From d1bb69db4ceb6897ef6a17bf263146b53a123632 Mon Sep 17 00:00:00 2001
2From: Christian Borntraeger <borntraeger@de.ibm.com>
3Date: Tue, 21 Jul 2020 06:32:02 -0400
4Subject: [PATCH] s390x/protvirt: allow to IPL secure guests with -no-reboot
5
6Right now, -no-reboot prevents secure guests from running. This is
7correct from an implementation point of view, as we have modeled the
8transition from non-secure to secure as a program directed IPL. From
9a user perspective, this is not the behavior of least surprise.
10
11We should implement the IPL into protected mode similar to the
12functions that we use for kdump/kexec. In other words, we do not stop
13here when -no-reboot is specified on the command line. Like function 0
14or function 1, function 10 is not a classic reboot. For example, it
15can only be called once. Before calling it a second time, a real
16reboot/reset must happen in-between. So function code 10 is more or
17less a state transition reset, but not a "standard" reset or reboot.
18
19Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility")
20Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
21Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
22Reviewed-by: David Hildenbrand <david@redhat.com>
23Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
24Message-Id: <20200721103202.30610-1-borntraeger@de.ibm.com>
25[CH: tweaked description]
26Signed-off-by: Cornelia Huck <cohuck@redhat.com>
27
28Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d1bb69db4ceb6897ef6a17bf263146b53a123632
29Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890154
30Last-Update: 2020-08-05
31
32---
33 hw/s390x/ipl.c | 3 ++-
34 1 file changed, 2 insertions(+), 1 deletion(-)
35
36diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
37index d46b1f094f..3d2652d75a 100644
38--- a/hw/s390x/ipl.c
39+++ b/hw/s390x/ipl.c
40@@ -630,7 +630,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type)
41 }
42 }
43 if (reset_type == S390_RESET_MODIFIED_CLEAR ||
44- reset_type == S390_RESET_LOAD_NORMAL) {
45+ reset_type == S390_RESET_LOAD_NORMAL ||
46+ reset_type == S390_RESET_PV) {
47 /* ignore -no-reboot, send no event */
48 qemu_system_reset_request(SHUTDOWN_CAUSE_SUBSYSTEM_RESET);
49 } else {
50--
512.27.0
52
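Review bot: In the s390_ipl_reset_request() condition, S390_RESET_PV now takes the branch that ignores -no-reboot, but the only in-code explanation is the existing comment "/* ignore -no-reboot, send no event */". The reason this is acceptable (function code 10 is a one-time state transition that needs a real reboot/reset before it can be called again) is recorded only in the commit message. As this is an unmodified upstream cherry-pick, keep the hunk as it is, but consider proposing a short comment upstream so the exception to -no-reboot is documented at the check itself.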
diff --git a/debian/patches/series b/debian/patches/series
index 58c5039..c1c26c4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,3 +71,5 @@ ubuntu/lp-1835546-s390x-pv-Fix-KVM_PV_PREP_RESET-command-wrapper-name.patch
71ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch71ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch
72ubuntu/lp-1887763-util-add-qemu_get_host_physmem-utility-function.patch72ubuntu/lp-1887763-util-add-qemu_get_host_physmem-utility-function.patch
73ubuntu/lp-1887763-accel-tcg-better-handle-memory-constrained-systems.patch73ubuntu/lp-1887763-accel-tcg-better-handle-memory-constrained-systems.patch
74ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
75lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
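Review bot: The new lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch entry sits at the top level of debian/patches, while the entry added directly above it and the neighbouring context entries are all under ubuntu/. If the different location is intentional, state the reason in the changelog or the DEP3 header; otherwise move the patch under ubuntu/ so the Ubuntu-applied patches are kept together.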
diff --git a/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch b/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
74new file mode 10064476new file mode 100644
index 0000000..34fb95c
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
@@ -0,0 +1,37 @@
1From 9bf728a09bf7509b27543664f9cca6f4f337f608 Mon Sep 17 00:00:00 2001
2From: Richard Henderson <richard.henderson@linaro.org>
3Date: Fri, 19 Jun 2020 21:21:40 -0700
4Subject: [PATCH] target/s390x: Fix SQXBR
5
6The output is 128-bit, and thus requires a pair of 64-bit temps.
7
8Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
9Reviewed-by: David Hildenbrand <david@redhat.com>
10Buglink: https://bugs.launchpad.net/bugs/1883984
11Message-Id: <20200620042140.42070-1-richard.henderson@linaro.org>
12Signed-off-by: Cornelia Huck <cohuck@redhat.com>
13
14Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9bf728a09bf7509b27543664f9cca6f4f337f608
15Bug-Ubuntu: https://bugs.launchpad.net/bugs/1883984
16Last-Update: 2020-08-03
17
18---
19 target/s390x/insn-data.def | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
23index 91ddaedd84..d79ae9e3f1 100644
24--- a/target/s390x/insn-data.def
25+++ b/target/s390x/insn-data.def
26@@ -798,7 +798,7 @@
27 /* SQUARE ROOT */
28 F(0xb314, SQEBR, RRE, Z, 0, e2, new, e1, sqeb, 0, IF_BFP)
29 F(0xb315, SQDBR, RRE, Z, 0, f2, new, f1, sqdb, 0, IF_BFP)
30- F(0xb316, SQXBR, RRE, Z, x2h, x2l, new, x1, sqxb, 0, IF_BFP)
31+ F(0xb316, SQXBR, RRE, Z, x2h, x2l, new_P, x1, sqxb, 0, IF_BFP)
32 F(0xed14, SQEB, RXE, Z, 0, m2_32u, new, e1, sqeb, 0, IF_BFP)
33 F(0xed15, SQDB, RXE, Z, 0, m2_64, new, f1, sqdb, 0, IF_BFP)
34
35--
362.27.0
37
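Review bot: The patch header gives the cause ("The output is 128-bit, and thus requires a pair of 64-bit temps") but not the symptom; only the changelog says this avoids a crash on SQXBR. Add a DEP3 Description line stating that, so the one-token change from new to new_P in the SQXBR row of insn-data.def can be understood without opening the bug.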
diff --git a/debian/rules b/debian/rules
index 0fa1f5b..87afc09 100755
--- a/debian/rules
+++ b/debian/rules
@@ -17,6 +17,7 @@ libdir = /usr/lib/${DEB_HOST_MULTIARCH}
17ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)17ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes)
18VENDOR := UBUNTU18VENDOR := UBUNTU
19DEB_BUILD_PARALLEL = yes19DEB_BUILD_PARALLEL = yes
20XENBINPATH := $(shell pkg-config --variable libexec_bin xenlight)
20else21else
21VENDOR := DEBIAN22VENDOR := DEBIAN
22endif23endif
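Review bot: XENBINPATH is assigned without any check that pkg-config returned a value. If xenlight.pc is not available at build time, $(shell pkg-config --variable libexec_bin xenlight) expands to an empty string and a later ${XENBINPATH}/qemu-system-i386 becomes a path at the filesystem root. Fail the build when the variable is empty on architectures that build qemu-system-x86-xen, and note that the assignment exists only in the Ubuntu branch of the vendor conditional.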
@@ -299,6 +300,9 @@ ifneq ($(filter $(DEB_HOST_ARCH),amd64 i386),)
299 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-x86_64.1300 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-x86_64.1
300 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-i386.1301 echo ".so man1/qemu-system.1" > debian/qemu-system-x86-xen/usr/share/man/man1/qemu-system-i386.1
301 dh_link -pqemu-system-x86-xen usr/share/doc/qemu-system-common usr/share/doc/qemu-system-x86-xen/common302 dh_link -pqemu-system-x86-xen usr/share/doc/qemu-system-common usr/share/doc/qemu-system-x86-xen/common
303 # compat links to what libxen-dev reports where to find the binaries
304 dh_link -pqemu-system-x86-xen /usr/bin/qemu-system-i386 ${XENBINPATH}/qemu-system-i386
305 dh_link -pqemu-system-x86-xen /usr/bin/qemu-system-x86_64 ${XENBINPATH}/qemu-system-x86_64
302endif306endif
303endif307endif
304308
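Review bot: The comment above the two dh_link calls says what the links are for but not why links are used instead of installing the binary under ${XENBINPATH}. The commit message gives the reason (placing the binary there would break AppArmor assumptions in libvirt); put one line of that into the comment so a later cleanup does not replace the symlinks with real files.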
