External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 05:35:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
51,023 Commits 67 Branches 629 Tags 865 MiB
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%
da0c363835
Go to file
Andrea Bolognani da0c363835 qemu: Always set labels for TPM state 
Up until this point, we have avoided setting labels for
incoming migration when the TPM state is stored on a shared
filesystem. This seems to make sense, because since the
underlying storage is shared surely the labels will be as
well.

There's one problem, though: when a guest is migrated, the
SELinux context for the destination process is different from
the one of the source process.

We haven't hit any issues with the current approach so far
because NFS doesn't support SELinux, so effectively it doesn't
matter whether relabeling happens or not: even if the SELinux
contexts of the source and target processes are different,
both will be able to access the storage.

Now that it's possible for the local admin to manually mark
exported directories as shared filesystems, however, things
can get problematic.

Consider the case in which one host (mig-one) exports its
local filesystem /srv/nfs/libvirt/swtpm via NFS, and at the
same time bind-mounts it to /var/lib/libvirt/swtpm; another
host (mig-two) mounts the same filesystem to the same
location, this time via NFS. Additionally, in order to
allow migration in both directions, on mig-one the
/var/lib/libvirt/swtpm directory is listed in the
shared_filesystems qemu.conf option.

When migrating from mig-one to mig-two, things work just fine;
going in the opposite direction, however, results in an error:

  # virsh migrate cirros qemu+ssh://mig-one/system
  error: internal error: QEMU unexpectedly closed the monitor (vm='cirros'):
  qemu-system-x86_64: tpm-emulator: Setting the stateblob (type 1) failed with a TPM error 0x1f
  qemu-system-x86_64: error while loading state for instance 0x0 of device 'tpm-emulator'
  qemu-system-x86_64: load of migration failed: Input/output error

This is because the directory on mig-one is considered a
shared filesystem and thus labeling is skipped, resulting in
a SELinux denial.

The solution is quite simple: remove the check and always
relabel. We know that it's okay to do so not just because it
makes the error seen above go away, but also because no such
check currently exists for disks and other types of persistent
storage such as NVRAM files, which always get relabeled.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2024-10-03 13:29:26 +02:00
.ctags.d maint: Add support for .ctags.d 2019-05-31 17:54:28 +02:00
.github/workflows github: Update lockdown message when opening a PR 2024-05-15 12:31:23 +02:00
.gitlab/issue_templates gitlab: issue_template: Remove labelling commands 2022-06-01 12:27:10 +02:00
build-aux virshtest: Prepare for testing against output files 2024-04-02 14:24:30 +02:00
ci ci: adapt to 'dtrace' package split 2024-09-25 16:39:42 +02:00
docs virsh: Add support for VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES migration parameter 2024-10-01 12:57:02 +02:00
examples examples: Define _GNU_SOURCE for more examples 2024-02-07 18:01:03 +01:00
include qemu: Introduce and wire in 'VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES' 2024-10-01 12:57:02 +02:00
po Translated using Weblate (English (United Kingdom)) 2024-10-02 06:48:27 +02:00
scripts scripts/rpcgen: skip tests if tirpc is not present 2024-05-08 15:57:13 +01:00
src qemu: Always set labels for TPM state 2024-10-03 13:29:26 +02:00
subprojects Move src/keycodemapdb -> subprojects/keycodemapdb 2023-04-17 15:02:38 +02:00
tests qemu: Propagate shared_filesystems 2024-10-03 13:29:26 +02:00
tools virsh: Add support for VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES migration parameter 2024-10-01 12:57:02 +02:00
.ctags
.dir-locals.el
.editorconfig Add .editorconfig 2019-09-06 12:47:46 +02:00
.gitattributes Add .gitattributes file 2022-03-17 14:33:12 +01:00
.gitignore Revert ".gitignore: Ignore cscope and other *tags files" 2023-02-08 17:24:31 +01:00
.gitlab_pages_redirects docs: gitlab redirects: Drop '/libvirt' prefix for hosting the web through gitlab pages 2024-02-13 16:56:49 +01:00
.gitlab-ci.yml gitlab: add missing job inheritance for codestyle 2024-06-17 11:36:00 +01:00
.gitmodules Move src/keycodemapdb -> subprojects/keycodemapdb 2023-04-17 15:02:38 +02:00
.gitpublish gitpublish: Tweak prefix 2023-12-05 11:48:28 +01:00
.mailmap mailmap: consolidate my email addresses 2020-10-06 12:05:09 +02:00
AUTHORS.rst.in AUTHORS: change my (Nikolay Shirokovskiy) email 2022-04-06 11:00:53 +03:00
config.h configure: bump min required CLang to 6.0 / XCode 10.0 2022-01-17 10:44:29 +00:00
configmake.h.in meson: generate configmake.h 2020-08-03 09:26:48 +02:00
CONTRIBUTING.rst meson: adjust our documentation to mention meson instead of autoconf 2020-08-03 09:27:09 +02:00
COPYING
COPYING.LESSER
gitdm.config gitdm: add 'ibm' file 2019-10-18 17:32:52 +02:00
libvirt-admin.pc.in
libvirt-lxc.pc.in
libvirt-qemu.pc.in
libvirt.pc.in
libvirt.spec.in meson: options: drop yajl 2024-09-24 08:24:00 +02:00
meson_options.txt meson: options: drop yajl 2024-09-24 08:24:00 +02:00
meson.build Post-release version bump to 10.9.0 2024-10-01 11:06:24 +02:00
NEWS.rst Post-release version bump to 10.9.0 2024-10-01 11:06:24 +02:00
README.rst docs: update docs pointing to old mailing list addrs 2023-10-31 10:04:27 +00:00
run.in run.in: Detect binaries in builddir properly 2024-06-04 14:39:00 +02:00

README.rst

GitLab CI Build Status

CII Best Practices

Translation status

Libvirt API for virtualization

Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.

For some of these hypervisors, it provides a stateful management daemon which runs on the virtualization host allowing access to the API both by non-privileged local users and remote users.

Layered packages provide bindings of the libvirt C API into other languages including Python, Perl, PHP, Go, Java, OCaml, as well as mappings into object systems such as GObject, CIM and SNMP.

Further information about the libvirt project can be found on the website:

https://libvirt.org

License

The libvirt C API is distributed under the terms of GNU Lesser General Public License, version 2.1 (or later). Some parts of the code that are not part of the C library may have the more restrictive GNU General Public License, version 2.0 (or later). See the files COPYING.LESSER and COPYING for full license terms & conditions.

Installation

Instructions on building and installing libvirt can be found on the website:

https://libvirt.org/compiling.html

Contributing

The libvirt project welcomes contributions in many ways. For most components the best way to contribute is to send patches to the primary development mailing list. Further guidance on this can be found on the website:

https://libvirt.org/contribute.html

Contact

The libvirt project has two primary mailing lists:

Further details on contacting the project are available on the website:

https://libvirt.org/contact.html