libvirt (8.0.0-1ubuntu7.10) jammy-security; urgency=medium

  * SECURITY UPDATE: off-by-one in udevListInterfacesByStatus()
    - debian/patches/CVE-2024-1441.patch: properly check count in src/interface/interface_backend_udev.c.
    - CVE-2024-1441
  * SECURITY UPDATE: crash in RPC library
    - debian/patches/CVE-2024-2494.patch: check values in src/remote/remote_daemon_dispatch.c, src/rpc/gendispatch.pl.
    - CVE-2024-2494
  * SECURITY UPDATE: null pointer deref in udevConnectListAllInterfaces()
    - debian/patches/CVE-2024-2496.patch: fix udev_device_get_sysattr_value return value check in src/interface/interface_backend_udev.c.
    - CVE-2024-2496

 -- Marc Deslauriers Fri, 12 Apr 2024 13:48:21 -0400

libvirt (8.0.0-1ubuntu7.9) jammy; urgency=medium

  * d/p/u/lp2059272-qemu-Fix-potential-crash-during-driver-cleanup.patch: On QEMU driver cleanup, release (stop) the worker thread pool _first_, before other data used by possibly running worker threads (LP: #2059272)

 -- Mauricio Faria de Oliveira Wed, 27 Mar 2024 12:47:46 -0300

libvirt (8.0.0-1ubuntu7.8) jammy; urgency=medium

  * d/p/u/lp-2028057-*, d/libvirt0.install: Add named types and definitions, along with QEMU alias syncing for Intel SapphireRapids (LP: #2028057)

 -- Lena Voytek Wed, 29 Nov 2023 14:52:52 -0700

libvirt (8.0.0-1ubuntu7.7) jammy; urgency=medium

  * When attempting to launch a VM with SGX enabled, there is an error reported that prevents VMs from being launched. Backport fix that fixes the main cause of that issue, which is the QOM_CPU_PATH macro and qom-get behavior (LP: #1982896).
    - d/p/b/qemu-monitor-json-get-cpux86-data-unexport.patch
    - d/p/b/qemu-process-update-and-verify-cpu-refactor-cleanup.patch
    - d/p/b/qemu-monitor-do-not-hardcode-qom-path-of-first-cpu.patch
    - d/p/b/qemu-domain-store-qompath-in-qemudomainvcpuprivate.patch
    - d/p/b/qemu-process-move-cpu-flag-querying-after-code-probing-cpus.patch
    - d/p/b/qemu-process-move-call-to-qemuprocessrefreshcpu-after-cpu-probe.patch
    - d/p/b/qemu-process-do-not-use-hardcoded-qom-path-for-cpu-for-probing-flags.patch

 -- Michal Maloszewski Fri, 04 Aug 2023 10:42:25 +0200

libvirt (8.0.0-1ubuntu7.6) jammy; urgency=medium

  * d/p/u/lp-2024114-Avoid-memleak-in-virNodeDeviceGetPCIVPDDynamicCap.patch: fix memory leak PCI devices with VPD data (LP: #2024114)

 -- Rafael Lopez Tue, 20 Jun 2023 11:54:15 +1000

libvirt (8.0.0-1ubuntu7.5) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via nwfilter driver
    - debian/patches/CVE-2022-0897.patch: fix crash when counting number of network filters in src/nwfilter/nwfilter_driver.c.
    - CVE-2022-0897
  * SECURITY UPDATE: DoS via memleak in SR-IOV PCI device capabilities
    - debian/patches/CVE-2023-2700.patch: resolve leak in virPCIVirtualFunctionList cleanup in src/util/virpci.c.
    - CVE-2023-2700

 -- Marc Deslauriers Fri, 26 May 2023 10:08:33 -0400

libvirt (8.0.0-1ubuntu7.4) jammy; urgency=medium

  * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent apparmor denials on USB forwarding (LP: #1993304)
  * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch: tolerate the impact of too large udev data avoiding a busy loop (LP: #1996176)

 -- Christian Ehrhardt Tue, 22 Nov 2022 15:59:28 +0100

libvirt (8.0.0-1ubuntu7.3) jammy; urgency=medium

  * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch: ease the use of riscv64 through libvirt (LP: #1990499)

 -- Christian Ehrhardt Tue, 04 Oct 2022 08:33:14 +0200

libvirt (8.0.0-1ubuntu7.2) jammy; urgency=medium

  * d/p/u/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch: allow arm64 to lock its OVMF resources (LP: #1989078)

 -- Christian Ehrhardt Thu, 08 Sep 2022 12:00:39 +0200

libvirt (8.0.0-1ubuntu7.1) jammy; urgency=medium

  * d/p/u/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch: apparmor allow new paths used for GL accelerated video (LP: #1972075)

 -- Christian Ehrhardt Thu, 19 May 2022 08:14:48 +0200

libvirt (8.0.0-1ubuntu7) jammy; urgency=medium

  * d/p/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch: Patch the libvirtd and libvirt-qemu apparmor profiles to allow swtpm to use its own profile (LP: #1968187)

 -- Lena Voytek Tue, 12 Apr 2022 10:04:05 -0700

libvirt (8.0.0-1ubuntu6) jammy; urgency=medium

  * d/control: recommend swtpm-tools (LP: #1948748)

 -- Christian Ehrhardt Mon, 04 Apr 2022 07:30:15 +0200

libvirt (8.0.0-1ubuntu5) jammy; urgency=medium

  * apparmor: Fix QEMU access for UEFI variable files. Backported from upstream master commit 7aec69b7fb9d0c. (Closes: #1006324, LP: #1962035) Refresh apparmor_profiles_local_include.patch to resolve the conflict.

 -- Martin Pitt Wed, 09 Mar 2022 13:43:40 +0100

libvirt (8.0.0-1ubuntu4) jammy; urgency=medium

  * No-change rebuild against libwireshark15.

 -- Steve Langasek Mon, 07 Mar 2022 18:34:34 +0000

libvirt (8.0.0-1ubuntu3) jammy; urgency=medium

  * Revert "d/rules, d/libvirt-daemon-system.{postinst,prerm}: never stop system services and sockets." Due to the fix being in debhelper we no more need this mitigation now. (LP: #1959054)

 -- Christian Ehrhardt Thu, 17 Feb 2022 10:08:01 +0100

libvirt (8.0.0-1ubuntu2) jammy; urgency=medium

  * No-change rebuild to update maintainer scripts, see LP: 1959054

 -- Dave Jones Wed, 16 Feb 2022 17:04:47 +0000

libvirt (8.0.0-1ubuntu1) jammy; urgency=medium

  * Merge 8.0.0 from Debian unstable (LP: #1946869)
    Among many other fixes and improvements this fixes ceph usage in regard to apparmor (LP: #1588576)
    Remaining changes:
    - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise) [contains lintian fixups of 6.6.0-1ubuntu1]
    - Disable libssh2 support (universe dependency)
    - d/control: add libzfslinux-dev to build-deps
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - d/control: breaks replaces for augeas lenses move in 6.0.0-1 (follows Debian, droppable >22.04)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite a long time.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.
    - d/p/u/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests (LP 1899180)
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
      + d/t/control, d/t/smoke-lxc: retry service restart and skip test if failing; This was flaky on some release/architectures
      + d/t/smoke-lxc: retry check_domain being flaky on arm64
    - dnsmasq related enhancements [now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1]
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt
    - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for (LP 1861125) fixups
    - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces.
      File names in debian/patches/ubuntu-aa/:
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
    - libvirt should not use user/group tss for swtpm (LP 1948880)
      + d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm
      + d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes to user swtpm
      + d/p/u/swtpm-by-swtpm-user.patch: adapt expected self test results
      + d/control: suggest swtpm-tools
      + d/libvirt-daemon-system.postinst: create user/group swtpm if not present due to swtpm-tools (LP 1951975)
  * Dropped changes [in Debian now]:
    - d/control: add libtirpc for rpc.h with glibc >=2.32
    - various patch refreshes and .symbols updated from 7.0.0 - 7.6.0
    - debian/rules: disable the netcf backend.
      (LP: 1764314)
    - d/libvirt-clients.install: completions no more are symlinked to vsh
    - d/rules: disable the now auto-built vstorage backend
    - not-installed: split daemon man pages are not yet installed
    - d/rules: disable the new Cloud Hypervisor driver
    - d/rules: enable more features explicitly
    - d/rules: use apparmor_profiles=enabled instead of the now rejected value true
    - rules: Explicitly set remote_default_mode
    - rules: Rework installation of AppArmor-related files
    - d/control, d/rules: enable libssh (LP 1939416)
  * Dropped changes [upstream now]:
    - d/p/u/lp-1913266-*: add vsock options to be usable with s390x secure execution (LP 1913266)
    - d/p/u/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch: avoid issues due to corrupted apparmor profiles (LP 1927519)
    - Toleration for qemu >=6.0 handling of props (LP 1932264)
    - Persistent vfio-ccw device assignments (LP 1887929)
  * Dropped changes [no more needed]:
    - remove Debian debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch as with recent ubuntu glibc 2.32 it is breaking the build
    - update d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch: to detect XDR functions from glibc
    - d/t/smoke-lxc: skip before systemd 248 due to a known bug (LP 1934966)
    - d/t/smoke-lxc: skip if cgroup v1&v2 are present (systemd 248 was not enough)
  * Added changes:
    - d/p/u/dnsmasq-as-priv-user: update for 8.0.0
    - Add recent upstream fixes to 8.0
      + d/p/backport/qemuDomainSetupDisk-Initialize-targetPaths.patch to work in containers like LXD (without guest start would hang).
      + d/p/backport/util-fix-syslog-facility-value.patch to ensure logs get passed to syslog/journal correctly.
    - d/rules, d/libvirt-daemon-system.{postinst,postrm}: never stop libvirt system services and sockets (LP: #1959054). This allows to unblock some transitions that wait on libvirt now; The intention is that it is fixed in debhelper and libvirt reverts this change before jammy release.

 -- Christian Ehrhardt Mon, 24 Jan 2022 08:49:08 +0100

libvirt (8.0.0-1) unstable; urgency=medium

  * [a26cc81] New upstream version 8.0.0
  * [9f18b0d] patches: Drop backports
  * [7ea1214] patches: Add backport/qemu-fix-inactive-snapshot-revert.patch
  * [9454a95] patches: Add backport/Revert-report-error-when-[...].patch
  * [ec3b590] control: Drop dependency on radvd
    - libvirt no longer uses it
  * [19eb356] control: Drop build dependency on parted
    - The parted binary is only needed at runtime

 -- Andrea Bolognani Sat, 22 Jan 2022 19:22:57 +0100

libvirt (7.10.0-3) unstable; urgency=medium

  * [16b245a] control: Improve multiarch support
    - Mark libvirt-{daemon-system-systemd,doc} as Multi-Arch: foreign
    - Mark libvirt-wireshark as Multi-Arch: same
    - Mark libvirt-daemon-driver-* as Multi-Arch: no
  * [ef19843] control: Move Recommends on LVM to -daemon package
    - It's used by the storage driver, not the client library
  * [a10f605] control: Update Uploaders field
    - Add Andrea Bolognani, remove Laurent Léonard
  * [c74efcb] control: Drop obsolete version constraints
    - They're satisfied on our expected backport targets (Debian 11 and Ubuntu 20.04)
  * [1ad0b3a] control: Drop all Pre-Depends
    - They're not necessary on our expected backport targets

 -- Andrea Bolognani Sun, 09 Jan 2022 11:28:35 +0100

libvirt (7.10.0-2) unstable; urgency=medium

  * Team upload

  [ Andrea Bolognani ]
  * [26f63eb] control: Build-Depend on python3:any to fix cross-building
  * [b14268f] patches: Backport fix for CVE-2021-4147

  [ Joachim Falk ]
  * [9ae5f14] Fix reboot command for LXC containers (Closes: #991773)

 -- Andrea Bolognani Wed, 29 Dec 2021 10:37:15 +0100

libvirt (7.10.0-1) unstable; urgency=medium

  * Team upload
  * [0817e92] New upstream version 7.10.0
  * [2d2fb25] patches: Drop backported patches

 -- Andrea Bolognani Wed, 08 Dec 2021 00:24:01 +0100

libvirt (7.9.0-1) unstable; urgency=medium

  * Team upload
  * [2c54c68] New upstream version 7.9.0
    - Closes: #994061
    - Fixes FTBFS (Closes: #997108)
  * [6ca05a9] patches:
    Update ZFS enablement patches
    - Replace the Debian-specific patch debian/Set-defaults-for-zfs-tools.patch with backported upstream patches backport/meson-Enable-ZFS-storage-backend-even-more-often.patch backport/meson-Stop-looking-up-ZFS-programs-at-build-time.patch
  * [32a1e7b] patches: Add backport/wireshark-Switch-to-tvb_bytes_to_str.patch
    - Needed to build against Wireshark 3.6.0
  * [30fdaae] libvirt-daemon-system: Make QEMU cache directory root-owned
    - Recent changes in libvirt make it possible to be more strict
  * [8c2f99b] tests: No longer skip smoke-lxc with both cgroups v1&v2 present
    - The bug that made this workaround necessary has been resolved
  * [803bd5a] control: Bump Standards-Version to 4.6.0
    - No changes needed

 -- Andrea Bolognani Mon, 06 Dec 2021 21:56:00 +0100

libvirt (7.6.0-0ubuntu3) jammy; urgency=medium

  * d/libvirt-daemon-system.postinst: create user/group swtpm if not present due to swtpm-tools (LP: #1951975)

 -- Christian Ehrhardt Wed, 24 Nov 2021 07:50:53 +0100

libvirt (7.6.0-0ubuntu2) jammy; urgency=medium

  * d/p/u/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch: avoid issues due to corrupted apparmor profiles (LP: #1927519)
  * libvirt should not use user/group tss for swtpm (LP: #1948880)
    - d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm
    - d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes to user swtpm
    - d/p/u/swtpm-by-swtpm-user.patch: adapt expected self test results
    - d/control: suggest swtpm-tools

 -- Christian Ehrhardt Thu, 11 Nov 2021 12:11:38 +0100

libvirt (7.6.0-0ubuntu1) impish; urgency=medium

  * Merge v7.6.0 from upstream and unreleased changes from Debian git.
    Among other bugs this fixes copy-storage-inc based migrations (LP: #1936778)
    - New upstream version 7.5.0
    - New upstream version 7.6.0
    - symbols: Bump symbol versions
    - refresh d/p/debian/Set-defaults-for-zfs-tools.patch for v7.5.0
    - patches: Refresh patches
    - d/rules: disable the new Cloud Hypervisor driver
    - d/rules: enable more features explicitly
    - d/rules: use apparmor_profiles=enabled instead of the now rejected value true
    - update d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch: to detect XDR functions from glibc
  * d/control, d/rules: enable libssh (LP: #1939416)
  * refresh ubuntu patches for v7.6.0
  * Further fixups for v7.6.0 (thanks to Andrea Bolognani)
    - rules: Explicitly set remote_default_mode
    - rules: Rework installation of AppArmor-related files

 -- Christian Ehrhardt Wed, 11 Aug 2021 08:11:16 +0200

libvirt (7.6.0-1) unstable; urgency=medium

  * Team upload

  [ Andrea Bolognani ]
  * [a256a80] New upstream version 7.6.0
    - Fixes CVE-2021-3667 (Closes: #991594)
  * [4a96793] rules: Disable netcf support
    - netcf support is considered deprecated upstream

  [ Christian Ehrhardt ]
  * [ac145fd] d/rules: disable the new Cloud Hypervisor driver
    - Cloud Hypervisor is not available in Debian
  * [4bafac5] d/control, d/rules: enable libssh
    - Closes: #985969
    - LP: #1939416
  * [fbc728f] d/t/smoke-lxc: skip if cgroup v1&v2 are present
    - This works around an upstream bug which causes the LXC driver to break when both v1 and v2 cgroups are in use
  * [8d2e0fe] d/control: add libtirpc for rpc.h with glibc >=2.31-14
    - Switch from glibc's legacy RPC implementation, which is now disabled in the Debian package, to libtirpc's one

 -- Andrea Bolognani Thu, 19 Aug 2021 21:16:21 +0200

libvirt (7.4.0-0ubuntu3) impish; urgency=medium

  * d/t/smoke-lxc: skip if cgroup v1&v2 are present (systemd 248 was not enough)

 -- Christian Ehrhardt Thu, 08 Jul 2021 14:20:53 +0200

libvirt (7.4.0-0ubuntu2) impish; urgency=medium

  * d/t/smoke-lxc: skip before systemd 248 due to a known bug (LP: #1934966)

 -- Christian Ehrhardt Thu, 08 Jul 2021 09:33:49 +0200

libvirt (7.4.0-0ubuntu1) impish; urgency=medium

  * Merge v7.4.0 from upstream, among a lot of new features and fixes this closes a few of issues reported against Ubuntu
    - Toleration for qemu >=6.0 handling of props (LP: #1932264)
    - Persistent vfio-ccw device assignments (LP: #1887929)
    - Drop patches that are upstream in v7.4.0
    - d/p/b/meson-Fix-cross-building-of-dtrace-probes.patch
    - d/p/b/apparmor-let-image-label-setting-loop-over-backing-files.patch
    - d/p/r/systemd-Revert-remote-Add-libvirtd-dependency-to-virt-gue.patch
    - d/p/u/lp-1913266-*: add vsock options to be usable with s390x
    - d/p/u/lp-1921754-*: EPYC-Rome-v2
    - d/p/u/lp-1921880-*: EPYC-Milan
    - d/libvirt-clients.install: completions no more are symlinked to vsh
    - Revert "disable firewalld support (universe dependency)" This does not add a runtime dependency and while firewalld isn't in main that way users can install and use it from universe. (LP: #1928113)
    - d/libvirt0.symbols: bump symbol versions for 7.4.0
    - d/rules: disable the now auto-built vstorage backend
    - not-installed: split daemon man pages are not yet installed

 -- Christian Ehrhardt Thu, 17 Jun 2021 10:33:27 +0200

libvirt (7.0.0-3) unstable; urgency=medium

  * Team upload
  * [5ae74e0] libvirtd: Improve default file
  * [b11d3c3] virtlogd: Fix some bugs in the sysv init script

 -- Andrea Bolognani Fri, 26 Feb 2021 16:46:34 +0100

libvirt (7.0.0-2ubuntu2) hirsute; urgency=medium

  * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails on some HW/Guest combinations e.g.
    Windows 10 on Threadripper (LP: #1921754)
  * d/p/u/lp-1921880*: add EPYC-Milan features and named cpu type support (LP: #1921880)

 -- Christian Ehrhardt Wed, 07 Apr 2021 13:33:46 +0200

libvirt (7.0.0-2ubuntu1) hirsute; urgency=medium

  * Merge with Debian 7.0.0-1 from Debian unstable
    Remaining changes:
    - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise) [contains lintian fixups of 6.6.0-1ubuntu1]
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - d/control: add libzfslinux-dev to build-deps
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - d/control: breaks replaces for augeas lenses move in 6.0.0-1 (follows Debian, droppable >22.04)
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite a long time.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests (LP 1899180)
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
      + d/t/control, d/t/smoke-lxc: retry service restart and skip test if failing; This was flaky on some release/architectures
      + d/t/smoke-lxc: retry check_domain being flaky on arm64
    - dnsmasq related enhancements [now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1]
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt
    - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for (LP 1861125) fixups
    - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
    - remove Debian debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch as with recent ubuntu glibc 2.32 it is breaking the build
    - d/control: add libtirpc for rpc.h with glibc >=2.32
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces.
      File names in debian/patches/ubuntu-aa/:
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
    - d/p/u/lp-1913266-*: add vsock options to be usable with s390x secure execution (LP 1913266)
  * Dropped Changes [in Debian now]
    - Avoid various issues around service/socket status after install/reinstall and on upgrades (LP 1914054).
    - d/rules: let sockets use --no-stop-on-upgrade to avoid false positives
    - d/rules: --no-restart-after-upgrade does not prevent restarts
    - d/rules: avoid --no-start which breaks .sockets on re-install
    - d/rules: start, but do not restart libvirt-guests.service
    - Dependency improvements yet unreleased from salsa/debian/master thanks to Andrea Bolognani (Debian #981435).
    - control: Always explicitly depend on libvirt0
    - control: Always use versioned deps for libvirt components
    - d/control: extend demotion of libvirt-lxc related dependencies to libvirt-login-shell

 -- Christian Ehrhardt Tue, 23 Feb 2021 12:16:08 +0100

libvirt (7.0.0-2) unstable; urgency=medium

  * Team upload

  [ Matthew Gabeler-Lee ]
  * [7391555] control: recommend qemu support for iscsi-direct
    - Closes: #981284

  [ Andrea Bolognani ]
  * [8048eef] control: Always use versioned deps for libvirt components
    - Closes: #981435
  * [effe0cd] control: Always explicitly depend on libvirt0
  * [d3c8ec2] control: Bump Standards-Version to 4.5.1

  [ Christian Ehrhardt ]
  * [3cbe8f9] d/control: avoid libvirt-clients to pull in libvirt-daemon
  * [295944d] systemd: start, but do not restart libvirt-guests.service
  * [ddbad4b] systemd: do not restart sockets

 -- Andrea Bolognani Wed, 10 Feb 2021 23:23:32 +0100

libvirt (7.0.0-1ubuntu2) hirsute; urgency=medium

  * d/control: extend demotion of libvirt-lxc related dependencies to libvirt-login-shell

 -- Christian Ehrhardt Thu, 04 Feb 2021 13:44:49 +0100

libvirt (7.0.0-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian 7.0.0-1 from Debian unstable
    This fixes unwanted conffile prompts (LP: #1906248)
    Remaining changes:
    - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise) [contains lintian fixups of 6.6.0-1ubuntu1]
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - d/control: add libzfslinux-dev to build-deps
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - d/control: breaks replaces for augeas lenses move in 6.0.0-1 (follows Debian, droppable >22.04)
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite a long time.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests (LP 1899180)
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
      + d/t/control, d/t/smoke-lxc: retry service restart and skip test if failing; This was flaky on some release/architectures
      + d/t/smoke-lxc: retry check_domain being flaky on arm64
    - dnsmasq related enhancements [now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1]
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work
        with system wide dnsmasq-base
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt
    - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for (LP 1861125) fixups
    - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592)
    - remove Debian debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch as with recent ubuntu glibc 2.32 it is breaking the build
    - d/control: add libtirpc for rpc.h with glibc >=2.32
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces.
      File names in debian/patches/ubuntu-aa/:
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
  * Dropped Changes [in Debian now]
    - 0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019)
  * Dropped Changes [in upstream now]
    - d/p/ubuntu-aa/apparmor-allow-kvm-spice-compat-wrapper.patch: fix migrating pre-Focal guests by allowing kvm-spice
    - virt-ssh-helper: fix slow migrations and volume transfers (LP 1904584)
    - d/p/ubuntu/lp-1904584-remote-make-ssh-helper-massively-faster.patch
    - d/p/ubuntu/lp-1904584-util-avoid-glib-event-loop-workaround.patch
  * Dropped Changes [ready for main]
    - d/control: drop mdevctl to a suggest until (LP: #1889248) is ready
  * Added Changes:
    - Avoid various issues around service/socket status after install/reinstall and on upgrades (LP: #1914054).
    - d/rules: let sockets use --no-stop-on-upgrade to avoid false positives
    - d/rules: --no-restart-after-upgrade does not prevent restarts
    - d/rules: avoid --no-start which breaks .sockets on re-install
    - d/rules: start, but do not restart libvirt-guests.service
    - d/p/u/lp-1913266-*: add vsock options to be usable with s390x secure execution (LP: #1913266)
    - Dependency improvements yet unreleased from salsa/debian/master thanks to Andrea Bolognani (Debian #981435).
    - control: Always explicitly depend on libvirt0
    - control: Always use versioned deps for libvirt components

 -- Christian Ehrhardt Mon, 25 Jan 2021 14:32:05 +0100

libvirt (7.0.0-1) unstable; urgency=medium

  * Team upload

  [ Andrea Bolognani ]
  * [561e347] libvirt-daemon-config-nwfilter: Install new nwfilters
  * [56231e3] patches: Add backport/meson-Fix-cross-building-[...].patch
    - Closes: #980334

  [ Christian Ehrhardt ]
  * [6568c68] apparmor: allow hot-plug for qcow backing chains
    - Closes: #981001
  * [8173ce4] libvirt-daemon-config-*: reload libvirtd before restart
  * [dc21d88] systemd: Drop libvirtd dep from virt-guest-shutdown.target
    - Avoids reintroducing: #955216

 -- Andrea Bolognani Thu, 28 Jan 2021 22:06:43 +0100

libvirt (6.9.0-4) unstable; urgency=medium

  * Team upload
  * [f5c0ebf] control: Strengthen dependencies between packages

 -- Andrea Bolognani Fri, 22 Jan 2021 22:31:04 +0100

libvirt (6.9.0-3) unstable; urgency=medium

  * Team upload
  * [81999fb] rules: Move virt-aa-helper to libvirt-daemon
  * [b9b6a95] control: Make libvirt-daemon-system-{systemd,sysv} Arch: all

 -- Andrea Bolognani Tue, 19 Jan 2021 23:10:20 +0100

libvirt (6.9.0-2) experimental; urgency=medium

  * Team upload

  [ Andrea Bolognani ]
  * [55504dd] libvirt-daemon-config-network: New binary package
    - Closes: #973489
  * [0168a25] libvirt-daemon-config-nwfilter: New binary package
  * [7ad0fe3] libvirt-daemon-driver-storage-iscsi-direct: New binary package
    - Closes: #918728
  * [aadb56a] libvirt-login-shell: New binary package
  * [807a8de] libvirt-clients: Move out virt-qemu-run
  * [3af477f] libvirt-daemon: Move out libvirt_lxc
  * [03f8bbb] libvirt-daemon: Move out sanlock-related files
  * [b94f649] libvirt-daemon: Move out bash-completion support
    - Closes: #904036

  [ Guido Günther ]
  * [acb5c16] d/control: Use qemu-system instead of qemu
    - Closes: #966239

  [ Christian Ehrhardt ]
  * [8c1bf5d] d/control: fix circular dependency on libvirt-daemon-driver-qemu
    - Closes: #963898
  * [3d8fdd2] apparmor: add local include for libvirt-qemu & libvirt-lxc

 -- Andrea Bolognani Thu, 14 Jan 2021 23:51:32 +0100

libvirt (6.9.0-1ubuntu4) hirsute; urgency=medium

  * Improve flaky smoke-lxc test (LP: #1899180)
    - d/t/control, d/t/smoke-lxc: retry service restart and skip test if failing; This was flaky on some release/architectures
    - d/t/smoke-lxc: retry check_domain being flaky on arm64

 -- Christian Ehrhardt Fri, 04 Dec 2020 08:12:02 +0100

libvirt (6.9.0-1ubuntu3) hirsute; urgency=high

  * No change rebuild against wireshark 3.4.0

 -- Balint Reczey Mon, 07 Dec 2020 08:06:59 +0100

libvirt (6.9.0-1ubuntu2) hirsute; urgency=medium

  * virt-ssh-helper: fix slow migrations and volume transfers (LP: #1904584)
    - d/p/ubuntu/lp-1904584-remote-make-ssh-helper-massively-faster.patch
    - d/p/ubuntu/lp-1904584-util-avoid-glib-event-loop-workaround.patch

 -- Christian Ehrhardt Thu, 26 Nov 2020 16:52:23 +0100

libvirt (6.9.0-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian 6.8.0-1 from unstable
    Remaining changes:
    - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise) [contains lintian fixups of 6.6.0-1ubuntu1]
    - Disable libssh2
support (universe dependency) - Disable firewalld support (universe dependency) - d/control: add libzfslinux-dev to build-deps - d/control: drop libvirt-lxc, vbox and xen drivers to suggest - d/control: breaks replaces for augeas lenses move in 6.0.0-1 (follows Debian, droppable >22.04) - d/control: drop mdevctl to a suggest until (LP 1889248) is ready - debian/rules: disable the netcf backend. (LP: 1764314) - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides: + do not autostart if subnet is already taken (e.g. in guests). + iterate some alternative subnets before giving up - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite a long time. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. 
- Update README.Debian with Ubuntu changes - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - fix autopkgtests + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds + d/t/smoke-lxc: use systemd instead of sysV to restart the service - dnsmasq related enhancements [now contains dnsmasq-as-priv-user of 6.6.0-1ubuntu1] + run dnsmasq as libvirt-dnsmasq (LP: 1743718) + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + Add dnsmasq configuration to work with system wide dnsmasq-base - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for (LP 1861125) fixups - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592) - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces. 
File names in debian/patches/ubuntu-aa/: + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023) + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova + 0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019) + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910) * Dropped Changes [in Debian now] - d/p/u/lp-1892826-Revert-m4-virt-xdr-rewrite-XDR-check.patch: avoid clashes between libtirpc and glibc that break libvirt-lxc (LP 1892826) * Dropped Changes [in upstream now] - d/p/ubuntu/lp-1901242-util-Fix-logic-in-virFileSetCOW.patch: fix dir pool handling on non BTRFS affecting virt-manager, api and commandline pool handling (LP 1901242) - d/p/ubuntu-aa/lp-1892736-apparmor-allow-libvirtd-to-call-virtiofsd.patch: allow libvirt to control virtiofsd (LP 1892736) - d/p/ubuntu-aa/apparmor-allow-unmounting-.dev-entries.patch: avoid triggering denials in devmapper error path - d/p/ubuntu-aa/apparmor-profiles-are-meant-to-allow-adding-permanen.patch: (again) allow permanent per guest overrides (LP 1745114) - d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules after qemu package upgrades (LP
1847361) - d/p/ubuntu-aa/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory - d/p/ubuntu-aa/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv - d/p/ubuntu/lp-1887490-*: add named types and definitions for EPYC-Rome chips (LP 1887490) - 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. * Added Changes - d/p/ubuntu/daemon-augeas-fix-expected.patch: update for 6.9 - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: update for 6.9 - remove Debian debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch as with recent ubuntu glibc 2.32 it is breaking the build - d/control: add libtirpc for rpc.h with glibc >=2.32 - d/p/ubuntu-aa/apparmor-allow-kvm-spice-compat-wrapper.patch: fix migrating pre-Focal guests by allowing kvm-spice -- Christian Ehrhardt Mon, 02 Nov 2020 12:02:26 +0100 libvirt (6.9.0-1) unstable; urgency=medium * Team upload * [9328bc8] New upstream version 6.9.0 * [88c8a9e] patches: Drop backport/rpc-Fix-virt-ssh-helper-detection.patch -- Andrea Bolognani Sun, 08 Nov 2020 15:33:59 +0100 libvirt (6.8.0-1) unstable; urgency=medium * Team upload * [a09e8f2] New upstream version 6.8.0 * [11671ad] patches: Drop backport/[...]gluster-module-dep.patch * [d4522ee] patches: Add backport/rpc-Fix-virt-ssh-helper-detection.patch * [1012105] libvirt-daemon: Install virt-ssh-helper * [1070367] control: Drop Build-Depends on netcat-openbsd * [509eb72] control: Drop Build-Depends on libdbus-1-dev -- Andrea Bolognani Wed, 28 Oct 2020 01:08:23 +0100 libvirt (6.7.0-3) experimental; urgency=medium * Team upload * [2a7b4f4] rules: Decrease timeout for tests to 5m * [6337ea2] rules: Make dh_missing errors non-fatal for -indep builds -- Andrea Bolognani Sun, 11 Oct 2020 16:29:18 +0200 libvirt (6.7.0-2) experimental; urgency=medium * [7b7ff73] patches: Add
backport/[...]gluster-module-dep.patch * [a9cc391] debhelper: Use compat level 13 * [b327f9a] rules: Increase timeout for tests to 15m -- Andrea Bolognani Thu, 10 Sep 2020 18:29:25 +0200 libvirt (6.7.0-1) experimental; urgency=medium * Team upload * [0d7a347] New upstream version 6.7.0 * [c6306e9] patches: Drop obsolete patches The following patches are no longer necessary: - backport/apparmor-allow-default-pki-path.patch - backport/apparmor-allow-libvirtd-to-call-pygrub.patch - backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch - backport/tools-fix-libvirt-guests.sh-text-assignments.patch - backport/virdevmapper-Don-t-cache-device-mapper-major.patch - backport/virdevmapper-Handle-kernel-without-device-mapper-support.patch - backport/virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch - debian/Prefer-sbin-over-usr-sbin.patch * [72f7997] patches: Rewrite build system patches The following patches have been rewritten: - debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch - debian/Set-defaults-for-zfs-tools.patch * [37e7b80] patches: Add debian/Use-sensible-editor-by-default.patch Replaces use of the removed --with-default-editor configure option * [c326ac4] control: Add Build-Depends on meson -- Andrea Bolognani Tue, 01 Sep 2020 23:26:23 +0200 libvirt (6.6.0-2) unstable; urgency=medium * Team upload [ Christian Ehrhardt ] * fix libvirt-lxc that was broken by libtirpc linking issues (LP: #1892826) - [92acaf6] add d/p/debian/Revert-m4-virt-xdr-rewrite-XDR-check.patch - [90093c0] Revert "control: Add Build-Depends on libtirpc-dev" * [c12faf1] replace patches for pki and pygrub with clean upstream backports * [6377d90] apparmor: allow libvirtd to call virtiofsd (LP: #1892736) -- Andrea Bolognani Fri, 28 Aug 2020 17:18:51 +0200 libvirt (6.6.0-1ubuntu4) hirsute; urgency=medium * d/p/ubuntu/lp-1901242-util-Fix-logic-in-virFileSetCOW.patch: fix dir pool handling on non BTRFS affecting virt-manager, api and commandline pool handling (LP: #1901242) -- Christian 
Ehrhardt Wed, 28 Oct 2020 07:47:53 +0100 libvirt (6.6.0-1ubuntu3) groovy; urgency=medium * d/p/ubuntu/lp-1887490-*: add named types and definitions for EPYC-Rome chips (LP: #1887490) -- Christian Ehrhardt Thu, 08 Oct 2020 07:36:06 +0200 libvirt (6.6.0-1ubuntu2) groovy; urgency=medium * d/p/u/lp-1892826-Revert-m4-virt-xdr-rewrite-XDR-check.patch: avoid clashes between libtirpc and glibc that break libvirt-lxc (LP: #1892826) * d/p/ubuntu-aa/lp-1892736-apparmor-allow-libvirtd-to-call-virtiofsd.patch: allow libvirt to control virtiofsd (LP: #1892736) -- Christian Ehrhardt Tue, 25 Aug 2020 14:53:26 +0200 libvirt (6.6.0-1ubuntu1) groovy; urgency=medium * Merge with Debian 6.6.0-1 from experimental Among many other new features and fixes this includes fixes for: (LP: #1874647) - Stale libvirt cache leads to VM startup failures (LP: #1869796) - bad ordering and dependent restarts of services/sockets Remaining changes: - d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules after qemu package upgrades (LP 1847361) - libvirt-uri.sh: Automatically switch default libvirt URI for users via user profile (xen URI on dom0, qemu:///system otherwise) - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides: + do not autostart if subnet is already taken (e.g. in guests). + iterate some alternative subnets before giving up - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.
- ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - Update README.Debian with Ubuntu changes - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - fix autopkgtests + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds + d/t/smoke-lxc: use systemd instead of sysV to restart the service - dnsmasq related enhancements + run dnsmasq as libvirt-dnsmasq (LP: 1743718) + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + Add dnsmasq configuration to work with system wide dnsmasq-base - debian/rules: disable the netcf backend. (LP: 1764314) - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt - d/control: add libzfslinux-dev to build-deps - d/control: drop libvirt-lxc, vbox and xen drivers to suggest - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for (LP 1861125) fixups - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces. 
File names in debian/patches/ubuntu-aa/: + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023) + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova + 0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019) + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910) * Dropped changes (in Debian now): - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - enable attr support to store XATTR labels. 
Among other things this allows to properly restore file ownership (LP 691590) - d/control: build depend to libattr1-dev - d/rules: configure --with-attr - Install virt-login-shell-helper - Install augeas lenses for all drivers - Remove all mentions of Devhelp - not-installed: Remove obsolete entries - not-installed: List all split daemons files - d/control: bump build dep to python3 - d/control: add python3-docutils as build dependency - d/rules: set enable-dependency-tracking to avoid FTBFS - d/rules: drop the no more existing phyp option - d/rules: drop the no more existing xen configure option - minimize patches generated by autoreconf - fix build on Debian/Ubuntu in qemuhotplugtest - d/libvirt-doc.doc: install rendered docs - d/libvirt-daemon-system.examples: drop old examples that are now active - d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file placement - d/libvirt-daemon-system-sysv.lintian-overrides: not shipping systemd files - d/libnss-libvirt.lintian-overrides: accept having two nss so files - d/rules: don't ship split daemons just yet - d/rules: install /etc/default/* files that are shared between sysv and systemd packages - d/rules: add libvirt-guests.default to libvirt-daemon-system instead of libvirt-daemon-system-sysv - d/rules: install virtlockd correctly with defaults file (LP: 1729516) - d/rules: also check build time self test results on all architectures - d/rules: add --no-restart-after-upgrade to services that are supposed to stay up through upgrades - this also applies to related sockets.
* Dropped changes (part of upstream now): - d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling (LP 1879325) - d/p/ubuntu-aa/lp-1871354*: fix apparmor denials on libpmem init (LP 1871354) - d/p/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch: avoid DOS through read only connections CVE-2020-10701 - d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities and binary autodetection in general (LP 1867460) - d/p/stable/lp-1868539-*: stabilize libvirt by backporting upstream fixes (LP 1868539) - d/p/ubuntu/lp-1853200*: add cpu models without hle/rtm features to have modern types on kernels with recent security fixes (LP 1853200) - d/p/ubuntu/lp-1868528-*: Fail when fetching CPU Status for invalid CPU (LP 1868528) - d/p/ubuntu/lp-1865425-*: avoid killing the monitor job in qemuDomainSetTimeAgent (LP 1865425) - d/p/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch: allow emulation of smartcard via host certificates - d/p/ubuntu/lp-1861125-*: fix non host-model migrations from old machine types (LP 1861125) - d/p/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch: do not apparmor block vhost-user-gpu usage - d/p/ubuntu/lp-1655111*: fix qemu_bridge_helper to work with named profiles (LP 1655111) * Dropped changes (no more needed): - d/control: make libvirt-daemon-driver-storage-rbd a recommend instead of just a suggest. This was deprecated since bionic and now will be dropped. - Update Vcs-Git and Vcs-Browser fields to point to launchpad - d/control: VCS links to use generic Ubuntu launchpad git URLs - refreshed patches for libvirt v6.0.0 - d/libvirt-daemon-system.postrm: change order of libvirt-qemu removal to avoid error messages on purge [deluser/delgroup no more report warnings] - "Additional apport package-hook": due to context auto updates d/libvirt-daemon.install had bad entries which are no more required.
- d/control, d/rules: Disable rbd and zfs on riscv64 where they are unavailable (LP 1872952) * Added Changes: - d/control: breaks replaces for augeas lenses move in 6.0.0-1 (follows Debian, droppable >22.04) - refresh ubuntu patches for 6.6 - d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch - d/p/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch - d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch - d/p/ubuntu/dnsmasq-as-priv-user - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch - d/p/ubuntu/daemon-augeas-fix-expected.patch - d/libvirt-daemon-system.postinst: fix bashism in dnsmasq related enhancements - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP: #1887592) - d/libvirt-clients.lintian-overrides: profile scripts are non executable - d/p/ubuntu-aa/apparmor-allow-unmounting-.dev-entries.patch: avoid triggering denials in devmapper error path - d/p/ubuntu-aa/pparmor-profiles-are-meant-to-allow-adding-permanen.patch: (again) allow permanent per guest overrides (LP: #1745114) - d/control: drop mdevctl to a suggest until (LP 1889248) is ready -- Christian Ehrhardt Thu, 06 Aug 2020 08:04:09 +0200 libvirt (6.6.0-1) unstable; urgency=medium * Team upload [ Andrea Bolognani ] * [ecdcc72] New upstream version 6.6.0 Includes fix for CVE-2020-14339 (Closes: #966563) * [751e146] upstream: Add key for Jiří Denemark * [ab2a1b4] control: Add Build-Depends on libtirpc-dev * [8714f7d] control: Drop Build-Depends on libncurses5-dev. * [1137e33] patches: Assign topic to all patches. * [51e52ab] patches: Reorder patches. [ Christian Ehrhardt ] * [ceab403] d/control, d/rules: feature architecture parity. Enable systemtap, numa and numad on more architectures. * [dd2d1a9] Drop d/p/apparmor-Allow-[....]-name-service-.patch. Doesn't seem to be necessary anymore. * [d31eba5] fix device mapper issues. 
Add the following backports: - virdevmapper-Don-t-cache-device-mapper-major.patch - virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch - virdevmapper-Handle-kernel-without-device-mapper-support.patch * [3145e31] tools: fix libvirt-guests.sh text assignments Add the following backports: - tools-fix-libvirt-guests.sh-text-assignments.patch -- Andrea Bolognani Sat, 22 Aug 2020 17:05:23 +0200 libvirt (6.5.0-1) unstable; urgency=medium * Team upload * [38c0fa7] New upstream version 6.5.0 * [b8a07b4] control: Add Recommends for mdevctl -- Andrea Bolognani Mon, 27 Jul 2020 22:50:08 +0200 libvirt (6.4.0-2) unstable; urgency=medium [ Christian Ehrhardt ] * [d0f7eb5] enable attr support to be able to store XATTR labels. Among other things this allows to properly restore file ownership - d/control: build depend on libattr1-dev - d/rules: configure --with-attr Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/691590 [ Andrea Bolognani ] * Use consistent layout in packaging files -- Guido Günther Fri, 10 Jul 2020 16:44:12 +0200 libvirt (6.4.0-1) experimental; urgency=medium * Team upload * [1662a90] New upstream version 6.4.0 Includes a fix for CVE-2020-14301 (Closes: #963474) * [ad19936] patches: Drop tests-Mock-[...]-for-qemuhotplug.patch * [bfc4f8b] rules: Install upstream release notes * [995991b] control: Set Rules-Requires-Root: no * [dd75022] control: Bump Standards-Version to 4.5.0 * [fa6aefb] rules: Enable 'bindnow' hardening option -- Andrea Bolognani Sun, 21 Jun 2020 23:59:13 +0200 libvirt (6.2.0-1) experimental; urgency=medium * Team upload [ Guido Günther ] * Upload to experimental * [1b6982f] New upstream version 6.2.0 Contains fix for CVE-2020-10701. (Closes: #955841) Thanks to Carnil for the triage Contains fix for CVE-2020-12430. 
(Closes: #959447) [ Andrea Bolognani ] * [ba77756] patches: Drop all gnulib-related patches Specifically: openpty-Skip-test-if-no-pty-is-available.patch Disable-gnulib-s-test-nonplocking-pipe.sh.patch test-posix_openpt-don-t-fail-on-EACCESS.patch * [2e0b5f1] patches: Add tests-Mock-[...]-for-qemuhotplug.patch Replaces: skip-qemuhotplugtest.patch * [7c1e182] debhelper: Use debhelper-compat package -- Andrea Bolognani Sun, 03 May 2020 01:32:30 +0200 libvirt (6.0.0-7) unstable; urgency=medium [ Laurent Bigonville ] * [4e6f909] Disable polkit support on !linux, see: #927896 * [3ee1c87] Do not build-depends against libglusterfs-dev on non-linux architectures [ Guido Günther ] * [41c33eb] Rediff patches * [da804f9] Backport fix for CVE-2020-10701. Thanks to Carnil for the triage (Closes: #955841) * [a5dd08c] d/rules: systemd: Also pass --no-restart-on-upgrade when using --no-start. [ Andrea Bolognani ] * [0c6a3a0] salsa-ci: Create local pristine-tar branch. -- Guido Günther Wed, 13 May 2020 12:12:36 +0200 libvirt (6.0.0-6) unstable; urgency=medium [ Laurent Bigonville ] * [ea7b8b7] autopkgtest exits with 2 when there are skipped tests do not consider that as fatal [ Guido Günther ] * [100e8aa] Don't start or restart socket units on package upgrades. Changes get picked up when the corresponding system unit is being restarted. This avoids problems when socket and service units of the same service get restarted together. See #955483 for details. * [ff981d5] Pass --no-auto to dh_installsystemd. This avoids generation of restart snippets for services listed in `Also=` sections of the service units. Otherwise these get restarted but we want to avoid that and let systemd figure it out all by itself.
See: #955483, #841095 -- Guido Günther Wed, 08 Apr 2020 17:04:11 +0200 libvirt (6.0.0-5) unstable; urgency=medium [ Guido Günther ] * [421e865] systemd: Don't restart libvirt-guests on upgrade (Closes: #955216) [ Laurent Bigonville ] * [5f72035] Only run qemu test on amd64 (Closes: #955278) -- Guido Günther Tue, 31 Mar 2020 09:39:40 +0200 libvirt (6.0.0-4) unstable; urgency=medium * [d7df842] sysv: Don't restart libvirt-guests on upgrade (Closes: #954921) -- Guido Günther Tue, 24 Mar 2020 15:10:20 +0100 libvirt (6.0.0-3) unstable; urgency=medium * [de68a4b] Bump Breaks/conflicts. While there were conflicts/breaks for the driver split we moved the augeas lenses in 6.0.0-1. (Closes: #954032, #953894) -- Guido Günther Mon, 16 Mar 2020 09:55:01 +0100 libvirt (6.0.0-2) unstable; urgency=medium * Upload to unstable -- Guido Günther Sat, 14 Mar 2020 12:37:22 +0100 libvirt (6.0.0-1) experimental; urgency=medium [ Guido Günther ] * [33890b9] New upstream version 6.0.0 (Closes: #939552) * [c9f82be] gitlab-ci: Run autopkgtests [ Christian Ehrhardt ] * [fa167bc] d/libnss-libvirt.lintian-overrides: accept having two nss so files * [bf48357] d/libvirt-daemon-system-sysv.lintian-overrides: not shipping systemd files. Packages are split intentionally, ignore this lintian warning. * [2278598] d/rules: also check build time self test results on all architectures * [c1be36a] d/rules: drop doc binary cleanup. * [6d60c3c] d/rules: don't ship split daemons just yet * [33f8dc4] d/p/skip-qemuhotplugtest.patch: fix qemuhotplugtest. Skip some elements of qemuhotplugtest that for now break in Debian/Ubuntu build environments. * [a1734f7] d/rules: add libvirt-guests.default to libvirt-daemon-system instead of libvirt-daemon-system-sysv * [69f6cfe] d/rules: install /etc/default/* files that are shared between sysv and systemd packages * [31be682] d/rules: install virtlockd for sysv (Closes: #880970) [ Andrea Bolognani ] * [070d158] Install virt-login-shell-helper. 
This new binary was introduced in libvirt 5.7.0 and is necessary for virt-login-shell to work. * [143dafb] Install augeas lenses for all drivers. These slipped through the cracks when we moved from picking up the corresponding directories as a whole to listing the specific files we're interested in. * [efa4cfe] Remove all mentions of Devhelp. As of libvirt 5.8.0, the corresponding files are no longer generated. * [8ebd427] not-installed: Remove obsolete entries. Now that upstream's build system has been fixed and we're picking up the documentation from the install location rather than the source directory, the corresponding files will no longer be flagged by dh_missing. * [ce54aef] not-installed: List all split daemons files. Since we're not shipping split daemons yet, the corresponding binaries as well as systemd units and augeas lenses will be flagged by dh_missing if we don't list them here. * [391e39d] symbols: Drop LIBVIRT_5.9.0 libvirt 5.9.0 didn't introduce any new public symbols. -- Guido Günther Wed, 12 Feb 2020 13:06:33 +0100 libvirt (6.0.0~rc1-1) experimental; urgency=medium [ Guido Günther ] * [443fae0] New upstream version 6.0.0~rc1 * [70c5676] Bump symbol versions * [eb6c6c1] gitlab-ci: Build package. We unfortunately can't use salsa-ci's prebuilt pipeline since that hangs on large jobs: https://salsa.debian.org/salsa/support/issues/180 We redirect output to a file to work around: https://salsa.debian.org/salsa/support/issues/191 [ Christian Ehrhardt ] * [cc6b955] refresh d/p/* for v6.0.0 * [5639ffb] d/control: bump build dep to python3 * [dc99d35] d/rules: set enable-dependency-tracking to avoid FTBFS.
* [af131c7] d/rules: drop the no more existing xen configure option * [84367d9] d/control: add python3-docutils as build dependency * [37f0a5c] d/libvirt-doc.doc: install rendered docs * [880f00e] d/libvirt-daemon-system.examples: Drop examples that are now conf files * [671aeca] d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file placement -- Guido Günther Sat, 18 Jan 2020 18:16:20 +0100 libvirt (6.0.0-0ubuntu11) groovy; urgency=medium * SECURITY UPDATE: privilege escalation via incorrect socket permissions - debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: updated patch to also set appropriate permissions on socket created by systemd. - CVE-2020-15708 -- Marc Deslauriers Wed, 05 Aug 2020 09:08:34 -0400 libvirt (6.0.0-0ubuntu10) groovy; urgency=medium * enable attr support to store XATTR labels. Among other things this allows to properly restore file ownership (LP: #691590) - d/control: build depend to libattr1-dev - d/rules: configure --with-attr -- Christian Ehrhardt Mon, 22 Jun 2020 21:30:50 +0200 libvirt (6.0.0-0ubuntu9) groovy; urgency=medium * d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling (LP: #1879325) -- Christian Ehrhardt Wed, 20 May 2020 06:59:57 +0200 libvirt (6.0.0-0ubuntu8) focal; urgency=medium * d/control, d/rules: Disable rbd and zfs on riscv64 where they are unavailable (LP: #1872952) -- William Grant Sat, 18 Apr 2020 13:59:21 +1000 libvirt (6.0.0-0ubuntu7) focal; urgency=medium * d/p/ubuntu-aa/lp-1871354*: fix apparmor denials on libpmem init (LP: #1871354) * d/p/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch: avoid DOS through read only connections CVE-2020-10701 -- Christian Ehrhardt Wed, 15 Apr 2020 12:29:12 +0200 libvirt (6.0.0-0ubuntu6) focal; urgency=medium * d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities and binary autodetection in general (LP: #1867460) * d/p/stable/lp-1868539-*: stabilize libvirt by backporting upstream fixes
(LP: #1868539) * d/p/ubuntu/lp-1853200*: add cpu models without hle/rtm features to have modern types on kernels with recent security fixes (LP: #1853200) * d/p/ubuntu/lp-1868528-*: Fail when fetching CPU Status for invalid CPU (LP: #1868528) -- Christian Ehrhardt Fri, 20 Mar 2020 10:34:19 +0100 libvirt (6.0.0-0ubuntu5) focal; urgency=medium * d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading versioned modules after qemu package upgrades (LP: #1847361) -- Christian Ehrhardt Tue, 10 Mar 2020 08:58:04 +0100 libvirt (6.0.0-0ubuntu4) focal; urgency=medium * d/p/ubuntu/lp-1865425-*: avoid killing the monitor job in qemuDomainSetTimeAgent (LP: #1865425) -- Christian Ehrhardt Mon, 02 Mar 2020 10:44:22 +0100 libvirt (6.0.0-0ubuntu3) focal; urgency=medium * rebuild against libxen-dev 4.11.3 (no change needed) * d/p/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch: allow emulation of smartcard via host certificates * d/p/ubuntu/lp-1861125-*: fix non host-model migrations from old machine types (LP: #1861125) * d/p/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch: do not apparmor block vhost-user-gpu usage -- Christian Ehrhardt Wed, 12 Feb 2020 14:20:08 +0100 libvirt (6.0.0-0ubuntu2) focal; urgency=medium [ Christian Ehrhardt ] * Bring back the ubuntu default URI handling. 
While no more needed for xen its removal made libvirt fallback further to the upstream default qemu:///session while Ubuntu forever had and for now wants to keep qemu:///system (LP: #1861693) - revert 'd/libvirt-clients.maintscript: rm_conffile libvirt-uri.sh that was optional for use on xen hosts' - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile [added back former delta] [ Andrea Bolognani ] * Merge further fixes from debian/experimental - Install virt-login-shell-helper - Install augeas lenses for all drivers - Remove all mentions of Devhelp - not-installed: Remove obsolete entries - not-installed: List all split daemons files -- Christian Ehrhardt Tue, 04 Feb 2020 13:08:49 +0100 libvirt (6.0.0-0ubuntu1) focal; urgency=medium * Merged with Debian 5.6.0-4 from experimental and v6.0.0 from upstream Among many other new features and fixes this includes fixes for: - LP: #1859253 - rbd driver fails to create a new volume - LP: #1858341 - rbd driver does not list all volumes in pool - LP: #1845506 - Libvirt snapshot doesn't update apparmor profile - LP: #1854653 - slow libvirt-guests.sh during shutdown if service is off - LP: #1848229 - enable ppc64el to use ccf-assist feature - LP: #1853315 - Enable CPU Model Comparison and Baselining on s390x - LP: #1853317 - CCW IPL support to boot from ECKD DASDs - LP: #1859506 - security: AppArmor profile fixes for swtpm Remaining changes: - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides: + do not autostart if subnet is already taken (e.g. in guests). 
+ iterate some alternative subnets before giving up - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - Update Vcs-Git and Vcs-Browser fields to point to launchpad - Update README.Debian with Ubuntu changes - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - Further upstreamed apparmor Delta, especially any new one Our former delta is split into logical pieces and is either Ubuntu only or is part of a continuous upstreaming effort. Listing related remaining changes in debian/patches/ubuntu-aa/: - fix autopkgtests + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) + d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds + d/t/smoke-lxc: use systemd instead of sysV to restart the service - dnsmasq related enhancements + run dnsmasq as libvirt-dnsmasq (LP: 1743718) + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + Add dnsmasq configuration to work with system wide dnsmasq-base - debian/rules: disable the netcf backend. 
(LP: 1764314) - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. - d/rules: install virtlockd correctly with defaults file (LP: 1729516) - d/rules: also check build time self test results on all architectures - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt - d/rules: add --no-restart-after-upgrade to services that are supposed to stay up through upgrades - this also applies to related sockets. - Apparmor Delta that is Ubuntu specific or yet to be upstreamed split into logical pieces. File names in debian/patches/ubuntu-aa/: + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + 0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. 
+ 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023) + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova + 0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019) + lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910) * Dropped changes (in Debian) - d/libvirt0.symbols: bump symbol versions for 5.4.0 - avoid service dependency issues on upgrade (LP: 1786179) This will in the long term be resolved in dh_* tools, but to let an upgrade work for now we need to drop the sysV scripts (which we don't use anyway) and slightly modify the systemd service to work with todays dh_systemd_start properly. Can be dropped once Debian bug 905772 is resolved in dh_* tools and libvirt uses those new code. + d/libvirt-daemon-system.virtlogd.init: removed sysV init file + d/libvirt-daemon-system.libvirtd.init: removed sysV init file + debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and libvirtd sysV init file + d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references to virtlogd/virtlockd sockets as they would imply a restart of virtlogd breaking it. 
[ we now have split packages for sysv and systemd support ] - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation - Refreshed to match new upstream + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch * Dropped changes (now upstream) - d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities cpu features for the Host. (LP: 1828495 - not closing yet as guest caps are still need fixups to work well LP: 1841066) - SECURITY UPDATEs: CVE-2019-10161, CVE-2019-10166, CVE-2019-10167 and CVE-2019-10168 - d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch: avoid issues with remote screen connections like virt-manager due to apparmor changes in libvirt 5.1 (LP 1833040) - 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu - update to v5.4.0 * Dropped changes (Xen demoted to universe) - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) * Dropped changes (no more needed) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. 
[ finally works in v6.0.0 ] - d/control: Revert iptables/ebtables dependency as Eoan still is on 1.6.x [ focal has iptables 1.8.3 ] - d/rules: adapt iptables binary paths present in Eoan (LP 1832297) [ focal has iptables 1.8.3 ] * Added Changes: - refreshed patches for libvirt v6.0.0 - d/control: bump build dep to python3 - d/control: VCS links to use generic Ubuntu launchpad git URLs - d/control: add python3-docutils as build dependency - d/control: add libzfslinux-dev to build-deps - d/rules: set enable-dependency-tracking to avoid FTBFS - d/rules: drop the no more existing phyp option - d/rules: drop the no more existing xen configure option - d/libvirt-clients.maintscript: rm_conffile libvirt-uri.sh that was optional for use on xen hosts - d/control: drop libvirt-lxc, vbox and xen drivers to suggest - minimize patches generated by autoreconf - fix build on Debian/Ubuntu in qemuhotplugtest - d/libvirt-doc.doc: install rendered docs - d/libvirt-daemon-system.examples: drop old examples that are now active - d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file placement - d/libvirt-daemon-system-sysv.lintian-overrides: not shipping systemd files - d/libnss-libvirt.lintian-overrides: accept having two nss so files - d/rules: don't ship split daemons just yet - d/rules: install /etc/default/* files that are shared between sysv and systemd packages - d/rules: add libvirt-guests.default to libvirt-daemon-system instead of libvirt-daemon-system-sysv - d/p/ubuntu/lp-1655111*: fix qemu_bridge_helper to work with named profiles (LP: #1655111) -- Christian Ehrhardt Mon, 13 Jan 2020 13:14:14 +0100 libvirt (5.6.0-4) experimental; urgency=medium * [d88536d] Introduce libvirt-daemon-system-{systemd,sysv} Move init scripts to separate package that allows people to experiment with alternative init systems while avoiding the problems that mixed init scripts and systemd units have in the current packaging. 
Thanks to Christian Ehrhardt for all the input regarding upgrade problems seen in Ubuntu and possible solutions. (Closes: #887911, #905772) * [c19d230] autopkg tests: Use isolation-machine. This avoids running under debian ci since libvirt-lxc in lxc doesn't work there. (Closes: #947006) -- Guido Günther Sun, 12 Jan 2020 13:51:05 +0100 libvirt (5.6.0-3) unstable; urgency=medium * Team upload. [ Christian Ehrhardt ] * Move qemu, lxc, uml, vbox and xen connection drivers into separate packages. This reduces the dependencies pulled into default installations. (Closes: #901940) * d/copyright: Update [ Guido Günther ] * [362bec6] autopkgtest: Adjust to new path -- Guido Günther Wed, 27 Nov 2019 11:13:51 +0100 libvirt (5.6.0-2) unstable; urgency=medium * Team upload. * [4dcbe93] Revert "Disable libvirtd socket activation" (Closes: #935883) * [b464de1] Add libvirtd sockets handling -- Andrea Bolognani Wed, 28 Aug 2019 19:39:00 +0200 libvirt (5.6.0-1) unstable; urgency=medium * Team upload. [ Guido Günther ] * [fb43676] d/control: Drop dh-autoreconf build-dep * [81d21d5] d/not-installed: Use multi-arch dirs * [07d5669] New upstream version 5.6.0 Fixes CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-10132 (Closes: #915107, #931243, #929334) * [9f38a9e] apparmor: Allow run pygrub (Closes: #931768) * Acknowledge NMU. 
Thanks Jonathan Wiltshire [ Christian Ehrhardt ] * [c28c3b3] d/libvirt0.install: install translations * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as example * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf (Closes: #919484) * [483e44a] d/libvirt-doc.docs: fix whitespace issue * [4f4751f] d/libvirt-doc.docs: install new doc elements * [781e22e] d/not-installed: ignore documentation already being installed * [eda89b2] d/no-installed, d/libvirt-doc.docs: do not install fonts * [ab67a28] d/copyright: add license for docs/fonts/ * [2e222a2] d/rules: strip symbolic-functions linker option * [39b658c] Revert "d/libvirt-daemon-system.install: ship libxl-sanlock.conf" * [ce46360] d/rules: install libxl-sanlock.conf dependent on xen being enabled [ Andrea Bolognani ] * [6a2eae3] Simplify and improve watch file * [82a1edc] Bump symbol versions * [73fccd9] Specify --doc-main-package for dh_installdocs * [d48fdf6] Rediff patches * [3b16c86] Bump symbol versions * [48c9b75] Drop Avahi support * [a49de91] Fix AppArmor profile for virt-aa-helper * [b8e92da] Disable libvirtd socket activation * [73d1e8c] Install kbase articles -- Andrea Bolognani Sun, 25 Aug 2019 16:32:31 +0200 libvirt (5.4.0-0ubuntu5) eoan; urgency=medium * No-change upload with strops.h and sys/strops.h removed in glibc. -- Matthias Klose Thu, 05 Sep 2019 11:00:53 +0000 libvirt (5.4.0-0ubuntu4) eoan; urgency=medium * d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities cpu features for the Host. 
(LP: 1828495 - not closing yet as guest caps are still need fixups to work well LP: 1841066) -- Christian Ehrhardt Tue, 20 Aug 2019 10:50:08 +0200 libvirt (5.4.0-0ubuntu3) eoan; urgency=medium * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for read-only connection - debian/patches/CVE-2019-10161.patch: add check to src/libvirt-domain.c, src/qemu/qemu_driver.c, src/remote/remote_protocol.x. - CVE-2019-10161 * SECURITY UPDATE: virDomainManagedSaveDefineXML does not check for read-only connection - debian/patches/CVE-2019-10166.patch: add check to src/libvirt-domain.c. - CVE-2019-10166 * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for read-only connection - debian/patches/CVE-2019-10167.patch: add check to src/libvirt-domain.c. - CVE-2019-10167 * SECURITY UPDATE: virConnect*HypervisorCPU do not check for read-only connection - debian/patches/CVE-2019-10168.patch: add checks to src/libvirt-host.c. - CVE-2019-10168 -- Marc Deslauriers Tue, 02 Jul 2019 08:08:33 -0400 libvirt (5.4.0-0ubuntu2) eoan; urgency=medium * d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch: avoid issues with remote screen connections like virt-manager due to apparmor changes in libvirt 5.1 (LP: #1833040) -- Christian Ehrhardt Wed, 19 Jun 2019 14:34:54 +0200 libvirt (5.4.0-0ubuntu1) eoan; urgency=medium * Merged with Debian git 5.3.0-1~1.gbp7b1637 and upstreams 5.4 release Among many other new features and fixes this includes fixes for: LP: #1759509 - virsh dompmwakeup fails to wake VM from dompmsuspend state Remaining changes: - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides: + do not autostart if subnet is already taken (e.g. in guests). 
+ iterate some alternative subnets before giving up - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - Update Vcs-Git and Vcs-Browser fields to point to launchpad - Xen related - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - Further upstreamed apparmor Delta, especially any new one Our former delta is split into logical pieces and is either Ubuntu only or is part of a continuous upstreaming effort. 
Listing related remaining changes in debian/patches/ubuntu-aa/: + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023) + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019) + d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910) - d/rules: enable build time self tests on all architectures - dnsmasq related enhancements + run dnsmasq as 
libvirt-dnsmasq (LP: 1743718) + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + Add dnsmasq configuration to work with system wide dnsmasq-base - debian/rules: disable the netcf backend. (LP: 1764314) - debian/control: drop libnetcf from Build-Depends. - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. - d/rules: install virtlockd correctly with defaults file (LP: 1729516) - d/rules: also check build time self test results on all architectures - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt - d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds - avoid service dependency issues on upgrade (LP: 1786179) This will in the long term be resolved in dh_* tools, but to let an upgrade work for now we need to drop the sysV scripts (which we don't use anyway) and slightly modify the systemd service to work with todays dh_systemd_start properly. Can be dropped once Debian bug 905772 is resolved in dh_* tools and libvirt uses those new code. 
- d/libvirt-daemon-system.virtlogd.init: removed sysV init file - d/libvirt-daemon-system.libvirtd.init: removed sysV init file - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and libvirtd sysV init file - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references to virtlogd/virtlockd sockets as they would imply a restart of virtlogd breaking it. - d/t/smoke-lxc: use systemd instead of sysV to restart the service * Added Changes: - Refreshed patches to match new upstream - d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch - d/p/ubuntu/ubuntu_machine_type.patch - d/control: Revert iptables/ebtables dependency as Eoan still is on 1.6.x This can be dropped once >=1.8.1 - d/rules: adapt iptables binary paths present in Eoan (LP: #1832297) This can be dropped once >=1.8.1 - d/p/ubuntu/dnsmasq-as-priv-user: update to include the new test nat-network-mtu - revert [c3c4cd4] drop in helper for firewalld as it is disabled on Ubuntu [can be squashed with the disabling of firewalld on next merge] - d/libvirt0.symbols: bump symbol versions for 5.4.0 - d/rules: add --no-restart-after-upgrade to services that are supposed to stay up through upgrades - this also applies to related sockets. * Dropped Changes (upstream) - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed for the ease use of mdev and gl devices (LP: 1804766) - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF (LP: 1771662) - d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined the never functional osxsave and ospke features (LP: 1825195). - d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix vhost-scsi hotplug in virt-aa-helper (LP: 1829223) - SECURITY UPDATE: Add support for md-clear functionality + debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in src/cpu_map/x86_features.xml. 
+ CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 - Implement further apparmor rules for usage of gl enabled graphics (LP: 1815452) + d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch + d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch - Implement further apparmor rules for usage of gl enabled graphics with nvidia cards (LP: 1817943) + d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch + d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch * Dropped Changes (in Debian) - d/rules: strip -Bsymbolic-functions from linker flags as it breaks libvirt tests -- Christian Ehrhardt Fri, 07 Jun 2019 11:55:52 +0200 libvirt (5.3.0-1~1.gbp7b1637) UNRELEASED; urgency=medium ** SNAPSHOT build @7b1637605da9224c46ebf3a243fa725d643e7556 ** [ Guido Günther ] * [fb43676] d/control: Drop dh-autoreconf build-dep. Not needed for dh compat > 10. * [81d21d5] d/not-installed: Use multi-arch dirs. Files moved during the dh12 switch. * [428ad14] New upstream version 5.3.0~rc2 * [641e532] New upstream version 5.3.0 [ Christian Ehrhardt ] * [c28c3b3] d/libvirt0.install: install translations * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as example * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf (Closes: #919484) [ Andrea Bolognani ] * [6a2eae3] Simplify and improve watch file. -- Guido Günther Mon, 06 May 2019 13:06:27 +0200 libvirt (5.2.0-2) experimental; urgency=medium [ Guido Günther ] * [1ec90c0] d/compat: Switch to debhelper level 12 * [fb6dd18] d/rules: s/no-restart-on-upgrade/no-stop-on-upgrade/ * [3764b71] d/rules: --parallel not needed anymore * [1d92095] d/control: Add ${misc:Pre-Depends} for libvirt-daemon-system. This makes sure we pull in recent enough init-system-helpers * [02a155b] d/rules: Switch to dh_installsystemd dh_systemd_start is no longer used. 
* [bcad111] d/control: Fix typo * [8609192] d/control: Drop Debian revision on iptables build-dep. Any version greater than 1.8.1 will do. * [447dd58] libnss-libvirt: Install libnss_libvirt-guest as well (Closes: #910288) * [4fb7d11] d/control: Build-depend on libglusterfs-dev. Since this is a recent addition we can drop the versioned dependency. (Closes: #919663) * [7b4ffeb] d/rules: Newer debhelper puts the libs into multi arch dirs. There's no need to move them manually anymore. [ Andrea Bolognani ] * [dd9cdaa] Use HTTPS for all URLs. This gets rid of the debian-watch-uses-insecure-uri informational Lintian tag, and then some. * [faaec12] Minimize upstream's signing key. This gets rid of the public-upstream-key-not-minimal informational Lintian tag. * [8a0e6f1] Remove Priority field from binary packages. This gets rid of the binary-control-field-duplicates-source informational Lintian tag. [ Christian Ehrhardt ] * [08f3a23] d/libvirt-clients.manpages: add virkeycode and virkeyname man pages. * [0f359de] d/rules: mv logrotate files to silence dh_missing * [f36ca33] dh_missing: ignore warning on libtool .la file -- Guido Günther Mon, 22 Apr 2019 12:20:36 +0200 libvirt (5.2.0-1) experimental; urgency=medium * Team upload. [ Christian Ehrhardt ] * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in libvirt 5.0 (Closes: #920574) * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify libvirtd_opts example (Closes: #921713) [ Guido Günther ] * [dd9d74f] New upstream version 5.2.0 * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the guest agent. Apply upstream patches remote-enforce-ACL-write-permission-for-getting-guest-tim.patch api-disallow-virDomainGetHostname-for-read-only-connectio.patch (Closes: #926418) [ Andrea Bolognani ] * [453f85d] Rediff patches. 
The patches security-aa-helper-allow-virt-aa-helper-to-read-dev-dri.patch security-aa-helper-generate-more-rules-for-gl-devices.patch security-aa-helper-gl-devices-in-sysfs-at-arbitrary-depth.patch security-aa-helper-nvidia-rules-for-gl-devices.patch virt-aa-helper-generate-rules-for-gl-enabled-graphics-dev.patch are included in libvirt 5.2.0 and have thus been dropped. * [a4294ef] Bump symbol versions. * [68394f6] Add tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch -- Andrea Bolognani Sun, 07 Apr 2019 18:39:49 +0200 libvirt (5.1.0-1) experimental; urgency=medium [ Laurent Bigonville ] * [76e2cb7] Don't recommend ebtables. It's part of the iptables package now. (Closes: #918472) [ Guido Günther ] * [5814c89] New upstream version 5.1.0 * [55d063d] Rediff patches * [1102dae] d/gbp.conf: Switch to experimental * [cdf3787] d/rules: Adjust to now versioned wireshark module path -- Guido Günther Thu, 28 Mar 2019 13:03:29 +0100 libvirt (5.0.0-4) unstable; urgency=medium * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O connections. - CVE-2019-10161: CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch - CVE-2019-10166: api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch - CVE-2019-10167: api-disallow-virConnectGetDomainCapabilities-on-read-only.patch - CVE-2019-10168: api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch * Include /etc/pki/qemu in apparmor (Closes: #930100) -- Guido Günther Mon, 17 Jun 2019 19:05:40 +0200 libvirt (5.0.0-3) unstable; urgency=medium [ Guido Günther ] * [6bc6e60] CVE-2019-10132: Fix vir{lock,log}d socket access. All patches were cherry-picked from upstream's v5.0-maint branch. (Closes: #929334) * [09016dd] d/patches: Move security fixes into security/ [ Joachim Falk ] * [5d96699] lxc: Fix killing of lxc containers if cgroup backend v2 is unavailable. 
(Closes: #926999) * [ea7a491] lxc: Fix container shutdown and host reboot (Closes: #927310, #897394) -- Guido Günther Wed, 22 May 2019 12:31:08 +0200 libvirt (5.0.0-2.1) unstable; urgency=medium * Non-maintainer upload. [ Guido Günther ] * [3a9c65c] d/control: Fix typo * [b9935e5] d/control: Drop Debian revision on iptables build-dep. Any version greater than 1.8.1 will do. [ Salvatore Bonaccorso ] * [b811e38] cpu_map: Define md-clear CPUID bit (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) (Closes: #929154) -- Salvatore Bonaccorso Sun, 19 May 2019 13:50:25 +0200 libvirt (5.0.0-2) unstable; urgency=medium [ Laurent Bigonville ] * [76e2cb7] Don't recommend ebtables. It's part of the iptables package now. (Closes: #918472) [ intrigeri ] * [d7a7218] Fix virtio-gpu + virgl support by cherry-picking upstream commits virt-manager in current sid still creates new VMs with QXL graphics by default, so this bug only affects users who opt in for virtio-gpu 3D acceleration. Still, the option for virtio-gpu + 3D acceleration is offered in the virt-manager GUI, so having it broken by default is an important problem. (Closes: #916587) [ Christian Ehrhardt ] * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in libvirt 5.0 (Closes: #920574) * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify libvirtd_opts example (Closes: #921713) [ Guido Günther ] * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the guest agent. Apply upstream patches remote-enforce-ACL-write-permission-for-getting-guest-tim.patch api-disallow-virDomainGetHostname-for-read-only-connectio.patch (Closes: #926418) -- Guido Günther Sun, 07 Apr 2019 12:36:21 +0200 libvirt (5.0.0-1ubuntu4) eoan; urgency=medium * d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined the never functional osxsave and ospke features (LP: #1825195). 
* d/p/series: reorder ubuntu Delta * d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: #1815910) * d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix vhost-scsi hotplug in virt-aa-helper (LP: #1829223) -- Christian Ehrhardt Thu, 16 May 2019 10:42:09 +0200 libvirt (5.0.0-1ubuntu3) eoan; urgency=medium * SECURITY UPDATE: Add support for md-clear functionality - debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in src/cpu_map/x86_features.xml. - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 -- Marc Deslauriers Tue, 14 May 2019 14:48:05 -0400 libvirt (5.0.0-1ubuntu2) disco; urgency=medium * Implement further apparmor rules for usage of gl enabled graphics (LP: #1815452) - d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch - d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch * Implement further apparmor rules for usage of gl enabled graphics with nvidia cards (LP: #1817943) - d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch - d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch * d/p/ubuntu-aa/lp-1804766-*: updated to the upstream accepted version (no functional change, LP: 1804766) -- Christian Ehrhardt Tue, 12 Feb 2019 11:27:14 +0100 libvirt (5.0.0-1ubuntu1) disco; urgency=medium * Merged with Debian unstable Among many other new features and fixes this includes fixes for: LP: #1754871 - 1799446 zPCI passthrough support for KVM LP: #1811198 - remove arbitrary limit on socket_id/core_id Remaining changes: - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides: + do not autostart if subnet is already taken (e.g. in guests). 
+ iterate some alternative subnets before giving up - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - Update Vcs-Git and Vcs-Browser fields to point to launchpad - Xen related - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - Further upstreamed apparmor Delta, especially any new one Our former delta is split into logical pieces and is either Ubuntu only or is part of a continuous upstreaming effort. 
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
      + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: 1786019)
    - d/rules: enable build time self tests on all architectures
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/control: drop libnetcf from Build-Depends.
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - avoid service dependency issues on upgrade (LP: 1786179) This will in the long term be resolved in dh_* tools, but to let an upgrade work for now we need to drop the sysV scripts (which we don't use anyway) and slightly modify the systemd service to work with today's dh_systemd_start properly. Can be dropped once Debian bug 905772 is resolved in dh_* tools and libvirt uses those new code.
    - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
    - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
    - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and libvirtd sysV init file
    - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references to virtlogd/virtlockd sockets as they would imply a restart of virtlogd breaking it.
    - d/t/smoke-lxc: use systemd instead of sysV to restart the service
  * Added Changes:
    - Refresh d/p/ubuntu/ubuntu-libxl-qemu-path.patch for new context
    - d/rules: also check build time self test results on all architectures
    - d/rules: strip -Bsymbolic-functions from linker flags as it breaks libvirt tests
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default machine type correctly with newer qemu/libvirt
    - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed for the ease use of mdev and gl devices (LP: #1804766)
    - refreshed d/p/ubuntu-aa for updated paths in libvirt 5.0
    - d/t/control: fix smoke-qemu-session by ensuring the service will run installing libvirt-daemon-system
    - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as long as the following undefine succeeds
    - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF (LP: #1771662)
  * Dropped Changes (upstream)
    - debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto Adapters on s390x (LP: 1787405)
    - d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch: fix libvirt bridge handling in unprivileged containers (LP: 1802906)
    - d/p/ubuntu-aa/lp-1788603-fix-ptrace-rules-with-kernel-4.18.patch: avoid issues with newer kernels >=4.18 (LP: 1788603)
    - Fix an issue where guests with plenty of hostdevs attached were detected as not shut down due to the kernel needing more time to free up resources (LP: 1788226)
    - d/p/ubuntu/lp-1788226-wait-longer-5-30s-on-hard-shutdown.patch
    - d/p/ubuntu/lp-1788226-wait-longer-on-kill-per-assigned-Hostdev.patch
    - 0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681 1747442).
    - 0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add mediation rules for unconfined guests
    - d/p/ubuntu-aa/0051-allow-user-tmp.patch: some features need tmp, but we don't want blanket access.
      We only allow enumerating the base dir and reading owned files. Further features needing /tmp have to add local overrides, examples are qemu-smb and some modes of local snapshots. (LP: 1365261) Can be dropped >=libvirt 4.7
    - d/p/ubuntu-aa/0052-allow-to-preserve-dev-mountpoints.patch: Allow to preserve /dev mountpoints in qemu namespaces (LP: 1786168) Can be dropped >=libvirt 4.7
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. Upstream completely dropped alternative types and kvm-spice is a symlink for quite some time. Builtin expected binaries work, so drop this delta.
  * Dropped Changes (in Debian)
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.

 -- Christian Ehrhardt Tue, 08 Jan 2019 13:09:31 +0100

libvirt (5.0.0-1) unstable; urgency=medium

  * [7346f30] New upstream version 5.0.0
  * [1c46a4c] Drop sheepdog support (Closes: #908071)
  * [b88175f] Bump symbol versions
  * [c13a8da] Rediff patches

 -- Guido Günther Wed, 16 Jan 2019 10:31:33 +0100

libvirt (4.10.0-2) unstable; urgency=medium

  [ Marcin Juszkiewicz ]
  * [d143d3c] update Vcs-git tags to point to salsa.debian.org
  * [96995c1] Fix versions in *.NEWS files
  * [8e8286d] Don't mark bash completion as executable
  * [72f8ed3] Use multiarch layout. Based on what Ubuntu does (Closes: #813062)
  * [9b52c21] Use dpkg-buildflags on configure to e.g. get the proper hardening flags.

  [ Andrea Bolognani ]
  * [684bb89] Move data files from libvirt-daemon to libvirt0. These files are used internally by the library, so they should be shipped along with it rather than with the daemon. This is consistent with the upstream libvirt.spec file. The pattern is partially expanded in the libvirt0.install file to avoid having to remove a specific subset of data files later on as part of debian/rules.

  [ Guido Günther ]
  * [a6cbf92] cpu_map is now a directory.
    It used to be a single XML file

 -- Guido Günther Tue, 18 Dec 2018 12:55:10 +0100

libvirt (4.10.0-1) unstable; urgency=medium

  * [0cde44d] Remove bridge-utils from recommends. We don't use brctl since ages. Thanks to Andreas Henriksson
  * [3c22e06] Drop debian/remove-RHism.diff.patch. Debian has /usr/bin/service since quite some time now. Thanks to Andrea Bolognani
  * [54a5cdb] New upstream version 4.10.0
  * [87f075c] Rediff patches
  * [f798585] Bump symbol versions
  * [3bfd881] Depend on sensible-utils

 -- Guido Günther Thu, 13 Dec 2018 11:58:14 +0100

libvirt (4.7.0-1) unstable; urgency=medium

  * [8ff38ac] New upstream version 4.7.0 (Closes: #908341)
  * [afdd147] Bump symbol versions
  * [41fa8f5] Rediff patches. Drop all jansson related patches. Fixed upstream.

 -- Guido Günther Sun, 09 Sep 2018 21:42:33 +0200

libvirt (4.6.0-2ubuntu6) disco; urgency=medium

  * No-change rebuild for readline soname change.

 -- Matthias Klose Tue, 15 Jan 2019 10:26:04 +0000

libvirt (4.6.0-2ubuntu5) disco; urgency=medium

  * d/p/ubuntu/lp1787405-0008-qemu-mdev-Use-vfio-pci-display-property-only-with-vf.patch: fix handling of non PCI vfio display property (part of LP: #1787405)

 -- Christian Ehrhardt Thu, 06 Dec 2018 09:20:39 +0100

libvirt (4.6.0-2ubuntu4) disco; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto Adapters on s390x (LP: #1787405)
  * d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch: fix libvirt bridge handling in unprivileged containers (LP: #1802906)

 -- Christian Ehrhardt Fri, 09 Nov 2018 07:42:01 +0100

libvirt (4.6.0-2ubuntu3) cosmic; urgency=medium

  * d/p/ubuntu-aa/lp-1788603-fix-ptrace-rules-with-kernel-4.18.patch: avoid issues with newer kernels >=4.18 (LP: #1788603)

 -- Christian Ehrhardt Mon, 27 Aug 2018 10:57:57 +0200

libvirt (4.6.0-2ubuntu2) cosmic; urgency=medium

  * Fix an issue where guests with plenty of hostdevs attached were detected as not shut down due to the kernel needing more time to free up resources (LP: #1788226)
    - d/p/ubuntu/lp-1788226-wait-longer-5-30s-on-hard-shutdown.patch
    - d/p/ubuntu/lp-1788226-wait-longer-on-kill-per-assigned-Hostdev.patch

 -- Christian Ehrhardt Tue, 21 Aug 2018 17:51:43 +0200

libvirt (4.6.0-2ubuntu1) cosmic; urgency=medium

  * Merged with Debian unstable (LP: #1786957).
    Among many other new features and fixes this includes fixes for (LP: #1754871),
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian). In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice.
    - Xen related
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default).
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one Our former delta is split into logical pieces and is either Ubuntu only or is part of a continuous upstreaming effort. Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support
      + 0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681 1747442). Can be dropped >=libvirt 4.7
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621 & LP 1680384).
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
      + 0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add mediation rules for unconfined guests Can be dropped >=libvirt 4.7
    - d/rules: enable build time self tests on all architectures
    - run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/control: drop libnetcf from Build-Depends.
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
  * Added Changes
    - 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: updated to take care of no more silencing and thereby hiding denials (LP 1719579 is an example)
    - 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: updated to also allow the optionally placed ceph asok file (LP: #1779674)
    - 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: prepare profile for usrmerge (LP: #1784023)
    - Finalize the libvirt-bin -> libvirt-* transition in the apport package-hook.
    - d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: #1786019)
    - d/p/ubuntu-aa/0051-allow-user-tmp.patch: some features need tmp, but we don't want blanket access. We only allow enumerating the base dir and reading owned files. Further features needing /tmp have to add local overrides, examples are qemu-smb and some modes of local snapshots. (LP: #1365261) Can be dropped >=libvirt 4.7
    - d/p/ubuntu-aa/0052-allow-to-preserve-dev-mountpoints.patch: Allow to preserve /dev mountpoints in qemu namespaces (LP: #1786168) Can be dropped >=libvirt 4.7
    - avoid service dependency issues on upgrade (LP: #1786179) This will in the long term be resolved in dh_* tools, but to let an upgrade work for now we need to drop the sysV scripts (which we don't use anyway) and slightly modify the systemd service to work with today's dh_systemd_start properly. Can be dropped once Debian bug 905772 is resolved in dh_* tools and libvirt uses those new code.
    - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
    - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
    - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and libvirtd sysV init file
    - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references to virtlogd/virtlockd sockets as they would imply a restart of virtlogd breaking it.
    - d/t/smoke-lxc: use systemd instead of sysV to restart the service
  * Dropped Changes (upstream)
    - d/p/ubuntu/virt-aa-helper-Set-the-supported-features.patch: allow parsing of memory slots and other extended features without breaking virt-aa-helper (LP: 1746431).
    - d/p/stable/0001-Revert-qemu-monitor-do-not-report-error-on-shutdown.patch
    - d/p/stable/0002-nodedev-Fix-failing-to-parse-PCI-address-for-non-PCI.patch
    - d/p/stable/0003-qemu-assign-correct-type-of-PCI-address-for-vhost-sc.patch
    - d/p/stable/0004-qemu-Refresh-caps-cache-after-booting-a-different-ke.patch
    - d/p/stable/0005-qemu-auto-add-generic-xhci-rather-than-NEC-xhci-to-Q.patch
    - d/p/stable/0006-libvirtd-Explicit-dependency-on-systemd-machined.patch
    - d/p/stable/0007-rpc-fix-race-sending-and-encoding-sasl-data.patch
    - d/p/stable/0008-vhost-user-add-support-reconnect-for-vhost-user-port.patch
    - d/p/stable/0009-qemu-Fix-memory-leak-in-processGuestPanicEvent.patch
    - d/p/stable/0010-storage-util-Properly-ignore-errors-when-backing-vol.patch
    - d/p/stable/0011-conf-Use-correct-attribute-name-in-error-message.patch
    - d/p/stable/0012-util-json-Add-helper-to-return-string-or-number-prop.patch
    - d/p/stable/0013-util-storage-Parse-lun-for-iSCSI-protocol-from-JSON-.patch
    - d/p/stable/0014-virsh-Offer-only-persistent-domains-for-autostart.patch
    - d/p/stable/0015-blockjob-Fix-a-error-checking-of-blockjob-status-in-.patch
    - d/p/stable/0016-qemu-Expose-rx-tx_queue_size-in-qemu.conf-too.patch
    - d/p/stable/0017-qemu-migration-Refresh-device-information-after-tran.patch
    - d/p/stable/0018-qemuDomainRemoveMemoryDevice-unlink-memory-backing-f.patch
    - d/p/stable/0019-vbox-fix-SEGV-during-dumpxml-of-a-serial-port.patch
    - d/p/stable/0020-qemu-Initialize-priv-in-qemuDomainCoreDumpWithFormat.patch
    - d/p/stable/0021-fix-regex-to-check-CN-from-server-certificate.patch
    - d/p/stable/0022-storage-Fix-formatting-and-parsing-of-qemu-type-Unix.patch
    - d/p/stable/0023-util-storage-Remove-detected-authentication-data-for.patch
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
    - d/p/stable/0033-qemu-Fix-comparison-assignment-in-qemuDomainUpdateDe.patch
    - d/p/stable/0034-qemu-Fix-memory-leak-in-qemuConnectGetAllDomainStats.patch
    - d/p/stable/0035-libvirtd-fix-potential-deadlock-when-reloading.patch
    - d/p/stable/0036-qemu-Use-correct-bus-type-for-input-devices.patch
    - d/p/stable/0037-qemu-hostdev-Fix-the-error-on-VM-start-with-an-mdev-.patch
    - d/p/stable/0038-conf-Fix-crash-in-virDomainDefCompatibleDevice.patch
    - d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch: avoid hanging on shutdown (LP: 1688508)
    - d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch fix issues if sasl is configured (LP: 1696471)
    - d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch ensure symlinks are resolved to get valid rules if interim parts of a path are a symlink (LP: 1752361)
    - d/p/ubuntu/lp1688508-tools-fix-variable-scope-in-in-check_guests_shutdown: avoid issues shutting down more
      guests than configured for parallel shutdown (LP: 1688508)
    - d/p/ubuntu-aa/lp1756394-virt-aa-helper-resolve-file-symlinks.patch: fix using devices that are symlinks (LP: 1756394)
    - Fix nvdimm memory and passthrough input devices for hotplug via domain security callbacks backporting upstream commits (LP: 1755153).
      + d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch
      + d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch
    - Fix nvdimm memory and passthrough input devices in initial guest description via virt-aa-helper (LP: 1757085).
      + d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch
      + d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch
    - Fix clean shut down of guests on system shutdown (LP: 1764668)
      + d/p/ubuntu/lp-1764668-do-not-report-unknown-guests.patch
      + d/p/ubuntu/lp-1764668-fix-check_guests_shutdown-loop.patch
    - SECURITY UPDATE: QEMU monitor DoS
      + debian/patches/CVE-2018-1064.patch: add size limit to src/qemu/qemu_agent.c.
      + CVE-2018-1064
    - SECURITY UPDATE: Speculative Store Bypass
      + debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature bit in src/cpu/cpu_map.xml.
      + debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID feature bit in src/cpu/cpu_map.xml.
      + CVE-2018-3639
    - d/p/ubuntu-aa/lp1775777-vfio-usage-without-initial-hostdev.patch: fix hotplug use cases where the initial guest had no hostdev at all and therefore virt-aa-helper did not allow /dev/vfio/vfio (LP: 1775777)
    - debian/patches/ubuntu/lp-1758037-nwfilter-increase-pcap-buffer-size.patch: Fix nwfilters that set CTRL_IP_LEARNING set to dhcp failing with "An error occurred, but the cause is unknown" due to a buffer being too small for pcap with TPACKET_V3 enabled (LP: 1758037)
    - SECURITY UPDATE: code injection via libnss_dns.so
      + debian/patches/CVE-2018-6764-1.patch: determine the hostname on startup in src/util/virlog.c.
      + debian/patches/CVE-2018-6764-2.patch: fix syntax-check in src/util/virlog.c.
      + debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname in cfg.mk, src/util/virlog.c.
      + CVE-2018-6764
  * Dropped Changes (no upgrade path left that needs those)
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work
      + d/control: transitional package with the old name and maintainer scripts to handle the transition
    - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159)
    - conffile handling of files dropped in 3.5 (can be dropped >18.04)
      + /etc/init.d/virtlockd was sysv init only
      + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed
    - d/libvirt-daemon-system.maintscript: remove the now dropped conffile /etc/cron.daily/libvirt-daemon-system
  * Dropped Changes (cleanups)
    - d/test/smoke-lxc workaround for debbug 848317/867379 (systemd has fixed one issue and the other is solved in libvirt by ensuring to move to the right cgroups.)
    - remove no more used libvirt-dnsmasq user (this was redundant since 4.0.0-1ubuntu5 reintroduced a libvirt-dnsmasq user)
    - Disable selinux (now in main)

 -- Christian Ehrhardt Sat, 18 Aug 2018 14:40:58 +0200

libvirt (4.6.0-2) unstable; urgency=medium

  * [c33faee] Drop dwarves dependency. Unmaintained and only used in the test suite. (Closes: #905700)
  * [43da5ad] Don't use jansson for JSON encoding. It has borken integer parsing.
    This adds new patches:
    Revert-m4-Introduce-STABLE_ORDERING_JANSSON.patch
    Revert-Remove-virJSONValueNewStringLen.patch
    Revert-build-undef-WITH_JANSSON-for-SETUID_RPC_CLIENT.patch
    Revert-tests-qemucapsprobe-Fix-output-after-switching-to-.patch
    Revert-build-require-Jansson-if-QEMU-driver-is-enabled.patch
    Revert-util-jsoncompat-Stub-out-virJSONInitialize-when-co.patch
    Revert-Switch-from-yajl-to-Jansson.patch
    Revert-remote-daemon-Make-sure-that-JSON-symbols-are-prop.patch
    Revert-build-remove-references-to-WITH_YAJL-for-SETUID_RP.patch
    Revert-build-add-with-jansson.patch
    Revert-Remove-functions-using-yajl.patch
    Revert-build-switch-with-qemu-default-from-yes-to-check.patch
    Revert-tests-also-skip-qemuagenttest-with-old-jansson.patch
    Revert-util-avoid-symbol-clash-between-json-libraries.patch
    (Closes: #906116)

 -- Guido Günther Tue, 14 Aug 2018 15:09:14 +0200

libvirt (4.6.0-1) unstable; urgency=medium

  * [afd5e39] d/control: Fix typo in libnss-libvirt's short description. Thanks to Salvatore Bonaccorso (Closes: #904738)
  * [f2f7871] New upstream version 4.6.0
  * [a81e098] Drop apparmor-Fix-forgotten-comma-at-EOL.patch applied upstream
  * [d53b4b1] Use jansson instead of yajl. The latter is no longer supported upstream
  * [bf99d36] Bump symbol versions

 -- Guido Günther Mon, 06 Aug 2018 21:54:45 +0200

libvirt (4.5.0-1) unstable; urgency=medium

  * [c2b3afc] New upstream version 4.5.0
  * [50aa257] Drop patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch not needed with QEMU since at least stretch.
  * [7698a4e] Build-dep on libwiretap-dev for the wireshark dissector
  * [2390909] examples: adjust to libvirtd code move
  * [64e5530] Bump symbol versions
  * [a89e652] l-d-s: suggest open-iscsi (Closes: #903262)
  * [882c646] Install bash completion (Closes: #902450)
  * [8d79673] apparmor: Fix forgotten comma at EOL
  * [0a9cb25] Install storage-file drivers
  * [84269a2] Warn about uninstalled files

 -- Guido Günther Tue, 17 Jul 2018 09:36:26 +0200

libvirt (4.3.0-1) unstable; urgency=medium

  * [8730a15] New upstream version 4.3.0
  * [1272efc] Drop patches due to upstream code removal. Allow-xen-toolstack-to-find-it-s-binaries.patch debian/fix-Debian-specific-path-to-hvm-loader.patch
  * [20eb594] Bump symbol versions

 -- Guido Günther Wed, 16 May 2018 12:09:53 +0200

libvirt (4.2.0-3) unstable; urgency=medium

  * [78872cc] Ship logrotate snippets again (Closes: #895709)

 -- Guido Günther Wed, 16 May 2018 07:54:29 +0200

libvirt (4.2.0-2) unstable; urgency=medium

  * [c859ce5] Prefer /sbin over /usr/sbin. If libvirt is built in a chroot with merged /usr it will otherwise break on non /usr merged systems. (Closes: #895145)

 -- Guido Günther Sun, 08 Apr 2018 11:05:14 +0200

libvirt (4.2.0-1) unstable; urgency=medium

  [ Laurent Bigonville ]
  * [8d62a8c] Start admin sockets on installation (Closes: #893484)

  [ Guido Günther ]
  * [417534b] New upstream version 4.2.0 (Closes: #894985)
  * [9d7fa44] Bump symbol versions
  * [c23ed3d] Rediff patches.
    Applied upstream:
    lockd-fix-typo-in-virtlockd-admin.socket.patch
    CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch

 -- Guido Günther Fri, 06 Apr 2018 12:33:30 +0200

libvirt (4.1.0-2) unstable; urgency=medium

  * [0b6cf2f] lockd: fix typo in virtlockd-admin.socket (Closes: #893330)

 -- Guido Günther Sun, 18 Mar 2018 10:51:37 +0100

libvirt (4.1.0-1) unstable; urgency=medium

  * [3cbbfa5] New upstream version 4.1.0
  * [0e596b3] Bump symbol versions
  * [e886044] Drop patches applied upstream
    - apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
    - virlog-determine-the-hostname-on-startup-CVE-2018-6764.patch
  * [097d74c] CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent

 -- Guido Günther Thu, 15 Mar 2018 08:25:29 +0100

libvirt (4.0.0-2) unstable; urgency=medium

  * [4339f02] CVE-2018-6764: virlog: determine the hostname on startup Closes: #889839

 -- Guido Günther Thu, 08 Feb 2018 19:29:59 +0100

libvirt (4.0.0-1ubuntu13) cosmic; urgency=medium

  * debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu.

 -- Mathieu Trudel-Lapierre Wed, 27 Jun 2018 11:16:23 -0400

libvirt (4.0.0-1ubuntu12) cosmic; urgency=medium

  * d/p/ubuntu-aa/lp1775777-vfio-usage-without-initial-hostdev.patch: fix hotplug use cases where the initial guest had no hostdev at all and therefore virt-aa-helper did not allow /dev/vfio/vfio (LP: #1775777)

 -- Christian Ehrhardt Tue, 12 Jun 2018 16:24:01 +0200

libvirt (4.0.0-1ubuntu11) cosmic; urgency=medium

  * SECURITY UPDATE: QEMU monitor DoS
    - debian/patches/CVE-2018-1064.patch: add size limit to src/qemu/qemu_agent.c.
    - CVE-2018-1064
  * SECURITY UPDATE: Speculative Store Bypass
    - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature bit in src/cpu/cpu_map.xml.
    - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID feature bit in src/cpu/cpu_map.xml.
    - CVE-2018-3639

 -- Marc Deslauriers Tue, 22 May 2018 10:55:56 -0400

libvirt (4.0.0-1ubuntu10) cosmic; urgency=medium

  * Fix nwfilters that set CTRL_IP_LEARNING set to dhcp failing with "An error occurred, but the cause is unknown" due to a buffer being too small for pcap with TPACKET_V3 enabled (LP: #1758037)
    - debian/patches/ubuntu/lp-1758037-nwfilter-increase-pcap-buffer-size.patch

 -- Christian Ehrhardt Wed, 09 May 2018 17:07:59 +0200

libvirt (4.0.0-1ubuntu9) cosmic; urgency=medium

  * debian/rules: disable the netcf backend. (LP: #1764314)
  * debian/control: drop libnetcf from Build-Depends.

 -- Mathieu Trudel-Lapierre Wed, 09 May 2018 10:06:15 -0400

libvirt (4.0.0-1ubuntu8) bionic; urgency=medium

  * Fix clean shut down of guests on system shutdown (LP: #1764668)
    - d/p/ubuntu/lp-1764668-do-not-report-unknown-guests.patch
    - d/p/ubuntu/lp-1764668-fix-check_guests_shutdown-loop.patch

 -- Christian Ehrhardt Tue, 24 Apr 2018 11:09:48 +0200

libvirt (4.0.0-1ubuntu7) bionic; urgency=medium

  * Fix nvdimm memory and passthrough input devices for hotplug via domain security callbacks backporting upstream commits (LP: #1755153).
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch
  * Fix nvdimm memory and passthrough input devices in initial guest description via virt-aa-helper (LP: #1757085).
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch

 -- Christian Ehrhardt Wed, 21 Mar 2018 08:30:47 +0100

libvirt (4.0.0-1ubuntu6) bionic; urgency=medium

  * Backport from recent upstream to stabilize libvirt (LP: #1756915)
    - d/p/stable/0033-qemu-Fix-comparison-assignment-in-qemuDomainUpdateDe.patch
    - d/p/stable/0034-qemu-Fix-memory-leak-in-qemuConnectGetAllDomainStats.patch
    - d/p/stable/0035-libvirtd-fix-potential-deadlock-when-reloading.patch
    - d/p/stable/0036-qemu-Use-correct-bus-type-for-input-devices.patch
    - d/p/stable/0037-qemu-hostdev-Fix-the-error-on-VM-start-with-an-mdev-.patch
    - d/p/stable/0038-conf-Fix-crash-in-virDomainDefCompatibleDevice.patch
  * d/p/ubuntu/lp1688508-tools-fix-variable-scope-in-in-check_guests_shutdown: avoid issues shutting down more guests than configured for parallel shutdown (LP: #1688508)
  * d/p/ubuntu-aa/lp1756394-virt-aa-helper-resolve-file-symlinks.patch: fix using devices that are symlinks (LP: #1756394)

 -- Christian Ehrhardt Mon, 19 Mar 2018 14:57:08 +0100

libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
    - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
    - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
    - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
    - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch ensure symlinks are resolved to get valid rules if interim parts of a path are a symlink (LP: #1752361)

 -- Christian Ehrhardt Tue, 27 Feb 2018 12:04:02 +0100

libvirt (4.0.0-1ubuntu4) bionic; urgency=medium

  * d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch: avoid hanging on shutdown (LP: #1688508)

 -- Christian Ehrhardt Fri, 23 Feb 2018 16:43:19 +0100

libvirt (4.0.0-1ubuntu3) bionic; urgency=medium

  [ Christian Ehrhardt ]
  * Backport of 23 bug fixes from recent upstream to stabilize libvirt on 18.04
    - d/p/stable/0001-Revert-qemu-monitor-do-not-report-error-on-shutdown.patch
    - d/p/stable/0002-nodedev-Fix-failing-to-parse-PCI-address-for-non-PCI.patch
    - d/p/stable/0003-qemu-assign-correct-type-of-PCI-address-for-vhost-sc.patch
    - d/p/stable/0004-qemu-Refresh-caps-cache-after-booting-a-different-ke.patch
    - d/p/stable/0005-qemu-auto-add-generic-xhci-rather-than-NEC-xhci-to-Q.patch
    - d/p/stable/0006-libvirtd-Explicit-dependency-on-systemd-machined.patch
    - d/p/stable/0007-rpc-fix-race-sending-and-encoding-sasl-data.patch
    - d/p/stable/0008-vhost-user-add-support-reconnect-for-vhost-user-port.patch
    - d/p/stable/0009-qemu-Fix-memory-leak-in-processGuestPanicEvent.patch
    - d/p/stable/0010-storage-util-Properly-ignore-errors-when-backing-vol.patch
    - d/p/stable/0011-conf-Use-correct-attribute-name-in-error-message.patch
    - d/p/stable/0012-util-json-Add-helper-to-return-string-or-number-prop.patch
    - d/p/stable/0013-util-storage-Parse-lun-for-iSCSI-protocol-from-JSON-.patch
    - d/p/stable/0014-virsh-Offer-only-persistent-domains-for-autostart.patch
    - d/p/stable/0015-blockjob-Fix-a-error-checking-of-blockjob-status-in-.patch
    - d/p/stable/0016-qemu-Expose-rx-tx_queue_size-in-qemu.conf-too.patch
    - d/p/stable/0017-qemu-migration-Refresh-device-information-after-tran.patch
    - d/p/stable/0018-qemuDomainRemoveMemoryDevice-unlink-memory-backing-f.patch
    - d/p/stable/0019-vbox-fix-SEGV-during-dumpxml-of-a-serial-port.patch
    - d/p/stable/0020-qemu-Initialize-priv-in-qemuDomainCoreDumpWithFormat.patch
    - d/p/stable/0021-fix-regex-to-check-CN-from-server-certificate.patch
    - d/p/stable/0022-storage-Fix-formatting-and-parsing-of-qemu-type-Unix.patch
    - d/p/stable/0023-util-storage-Remove-detected-authentication-data-for.patch
  * d/rules: enable build time self tests on all architectures

  [ Marc Deslauriers ]
  * SECURITY UPDATE: code injection via libnss_dns.so
    - debian/patches/CVE-2018-6764-1.patch: determine the hostname on startup in src/util/virlog.c.
    - debian/patches/CVE-2018-6764-2.patch: fix syntax-check in src/util/virlog.c.
    - debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname in cfg.mk, src/util/virlog.c.
    - CVE-2018-6764

 -- Christian Ehrhardt Mon, 19 Feb 2018 14:18:44 +0100

libvirt (4.0.0-1ubuntu2) bionic; urgency=medium

  * d/p/ubuntu-aa/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: refreshed as libvirt 4.0 needs a reversed rule for openGraphicsFD (LP: #1747442)
    - refreshed 0032 and 0040 to match the new context.
  * d/p/ubuntu/virt-aa-helper-Set-the-supported-features.patch: allow parsing of memory slots and other extended features without breaking virt-aa-helper (LP: #1746431).
-- Christian Ehrhardt Fri, 02 Feb 2018 07:31:17 +0100 libvirt (4.0.0-1ubuntu1) bionic; urgency=medium * Merged with Debian unstable (4.0) This closes several bugs: - Error generating apparmor profile when hostname contains spaces (LP: #799997) - qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028) - libvirt usb passthrough throws apparmor denials related to /run/udev/data/+usb (LP: #1727311) - AppArmor denies access to /sys/block/*/queue/max_segments (LP: #1729626) - iohelper improvements to let bypass-cache work without opening up the apparmor isolation (LP: #1719579) - nodeinfo on s390x to contain more CPU info (LP: #1733688) - Upgrade libvirt >= 4.0 (LP: #1745934) * Remaining changes: - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04). + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - Backwards compatible handling of group rename (can be dropped >18.04). - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today: + autostart the default network by default + do not autostart if subnet is already taken (e.g. in guests). - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. 
- ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch. - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/test/smoke-lxc workaround for debbug 848317/867379 - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317) - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default). 
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - conffile handling of files dropped in 3.5 (can be dropped >18.04) + /etc/init.d/virtlockd was sysv init only + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes: + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681). + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. 
+ d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621). + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova * Dropped Changes (Upstream): - d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios - d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages - d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info - d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions - d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries - d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access to netlink sockets - d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support - d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files - d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd* - d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy - d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices - 
d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd - d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384). - d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch: apparmor: add default pki path of lbvirt-spice (LP 1690140) - d/p/ubuntu-aa/0035-virt-aa-helper-locking-disk-files-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for disk files (LP 1709818) - d/p/ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for loader/nvram (LP 1710960) - d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append files (LP 1726804) - d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch: fix path generation for USB host devices (LP 1552241) - d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch: generate valid rules on usb passthrough (LP 1686324) - d/p/avoid-double-locking.patch: fix a deadlock that could occur when libvirtd interactions raced with dbus causing a deadlock (LP 1714254). - d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch: fix FTBFS with glibc 2.26 (LP 1718668) - Extended handling of apparmor profiles - clear lost profiles via cron (now cleared by virt-aa-helper on domain stop) - nat only on some ports (upstream default now if nothing is specified, actually dropped last cycle) * Dropped Changes (In Debian or no more important): - d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access - d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap (LP 522845). 
- d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store - d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm - d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services - d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384) (added by virt-aa-helper per guest if needed). - d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts - Disable sheepdog (was for universe dependency, but is now only a suggest) - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test * Dropped Changes (In Debian/Upstream now based on interim 3.10 work) some of these were never released, but important to mention for the bug references: - libnss-libvirt once enabled causes apt to call getdents avoid this being an issue by dropping a apt conf that allows this in seccomp (LP: #1732030). 
- d/libvirt-daemon-system.postrm: clean up more libvirt directories on purge - d/p/ubuntu-aa/0041-apparmor-allow-unix-stream-for-p2p-migrations.patch: apparmor: allow unix stream for p2p migrations - d/p/ubuntu-aa/0043-security-apparmor-implement-domainSetPathLabel.patch: this replaces the hugepage rules and fixes many more formerly missing - d/p/ubuntu-aa/0044-security-full-path-option-for-DomainSetPathLabel.patch: allowing to have path wildcards on labels set by domain callbacks - d/p/ubuntu-aa/0045-security-apparmor-add-Set-Restore-ChardevLabel.patch: apparmor implementation of security callback - d/p/ubuntu-aa/0046-apparmor-virt-aa-helper-drop-static-channel-rule.patch: this is now covered by chardev label callbacks * Added Changes: - Revert Debian change "Drop libvirt-bin upgrade handling" This is needed in Ubuntu one last time (drop >18.04) - Revert Debian change "Drop maintscript helpers for versions predating jessie and wheezy-backports". This is needed in Ubuntu one last time (drop >18.04) - Refreshed d/p/* to match new version (only fuzz, no semantic change) - d/libvirt-daemon-system.postrm: change order of libvirt-qemu removal to avoid error messages on purge - remove no more used libvirt-dnsmasq user (drop >18.04) - d/p/ubuntu-aa/0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add mediation rules for unconfined guests - d/p/ubuntu-aa/0042-security-introduce-virSecurityManager-Set-Restore-Ch .patch: backport upstream change to expose already used chardev calls. - d/libvirt-daemon-system.postrm: Remove the default.xml network link set up by postinst. - d/libvirt-daemon-system.maintscript: remove the now dropped conffile /etc/cron.daily/libvirt-daemon-system - d/libvirt-daemon-system.postinst: fixups for autostart default network - use modern shell syntax - try more default networks before giving up to enable by default - d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: add multipass image path and mark as ubuntu only change.
- d/rules: install virtlockd correctly with defaults file (LP: #1729516) - extended d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch to cover the slightly changed behavior of libvirt 4.0 (LP: #1741617) - d/control: make libvirt-daemon-driver-storage-rbd a recommend instead of just a suggest to have 3rd party relying on rbd out of the box working. This is deprecated and users of rbd backend should start depending on this package for it will be dropped to a suggest in future releases. -- Christian Ehrhardt Thu, 14 Dec 2017 14:15:55 +0100 libvirt (4.0.0-1) unstable; urgency=medium * [5936904] New upstream version 4.0.0 * [bcb7ca3] Drop patches applied upstream. Allow-libvirt-to-kill-unconfined-domains.patch Drop qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch -- Guido Günther Sat, 20 Jan 2018 16:31:11 +0100 libvirt (4.0.0~rc2-1) experimental; urgency=medium * [8dd2f5b] Don't manage /etc/apparmor.d/local as conf files (Closes: #887612) * [0819e5a] apparmor: allow libvirt to send term signal to unconfined * [b1ecc1a] New upstream version 4.0.0~rc2 * [7406ae5] CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700) * [564e232] Bump symbol versions * [0a274c0] d/control: use priority optional instead of extra -- Guido Günther Fri, 19 Jan 2018 12:54:54 +0100 libvirt (4.0.0~rc1-1) experimental; urgency=medium [ Guido Günther ] * [a225d2b] New upstream version 4.0.0~rc1 (Closes: #881293, #846534) * [2270343] Rediff patches [ intrigeri ] * [89b8ab4] Allow libvirt to kill unconfined domains [ Christian Ehrhardt ] * [b2ce106] Clear more directories on purge (Closes: #884828) * [0cd10ab] Avoid apt seccomp issues due to libnss-libvirt (LP: #1732030) -- Guido Günther Mon, 15 Jan 2018 09:44:37 +0100 libvirt (3.10.0-1) unstable; urgency=medium * [0d103b6] Bump standards version * [3eca017] Add russian debconf translation. 
Thanks to Lev Lamberov (Closes: #883109) * [04da2ca] New upstream version 3.10.0 * [f311e52] Drop AppArmor-add-rules-needed-with-additional-mediation-featu.patch - fixed upstream * [0c7f363] Bump symbol versions * [cbe1699] Use recent debhelper instead of dh-systemd * [c757791] apparmor: Allow virt-aa-helper to access the name service switch. Thanks to Martin Pitt (Closes: #882979) -- Guido Günther Tue, 05 Dec 2017 14:55:51 +0100 libvirt (3.9.0-1) unstable; urgency=medium * [eef697c] New upstream version 3.9.0 -- Guido Günther Sun, 05 Nov 2017 14:49:43 +0100 libvirt (3.9.0~rc1-1) experimental; urgency=medium * Upload to experimental * [23e28a0] New upstream version 3.9.0~rc1 * [b19f9f8] Bump symbol versions * [83a3ff3] Drop patches applied upstream apparmor-add-dnsmasq-ptrace-rule-to-libvirtd-profile.patch virt-host-validate-require-fuse-for-LXC-if-compiled-in.patch qemu-ensure-TLS-clients-always-verify-the-server-certific.patch * [e834771] AppArmor: add rules needed with additional mediation features brought by Linux 4.14. Thanks: intrigeri (Closes: #879772) -- Guido Günther Tue, 31 Oct 2017 12:13:29 +0100 libvirt (3.8.0-3) unstable; urgency=medium * [e0e0a42] virt-host-validate: require fuse for LXC if compiled in. This should make us skip the lxc test properly on debci. 
* [d16ae50] Drop libvirt-bin upgrade handling libvirt-bin was dropped before Jessie * [3f18a26] CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate (Closes: #878799) -- Guido Günther Mon, 16 Oct 2017 19:36:25 +0200 libvirt (3.8.0-2) unstable; urgency=medium * Upload to unstable Closes: #878153 * [646a20f] apparmor: add dnsmasq ptrace rule to libvirtd profile -- Guido Günther Thu, 12 Oct 2017 10:27:25 +0200 libvirt (3.8.0-1) experimental; urgency=medium * [842dee5] Add id-length to gbp.conf * [6cf2527] New upstream version 3.8.0 -- Guido Günther Thu, 05 Oct 2017 18:30:55 +0200 libvirt (3.8.0~rc1-1) experimental; urgency=medium * apparmor: add attach_disconnected * apparmor: cater for new AAVMF image location * Don't ship apparmor profiles in the doc package too. This is just confusing since things are installed in libvirt-daemon-system. * Drop maintscript helpers for versions predating jessie and wheezy-backports * New upstream version 3.8.0~rc1 * New upstream version 3.8.0~rc1 * Rediff patches apparmor-cater-for-new-AAVMF-image-location.patch apparmor-delete-profile-on-VM-shutdown.patch apparmor-add-attach_disconnected.patch * Bump symbol versions -- Guido Günther Fri, 29 Sep 2017 12:53:25 +0200 libvirt (3.7.0-4) unstable; urgency=medium * Pass-GPG_TTY-env-var-to-the-ssh-binary.patch: sanitize commit message * apparmor: add attach_disconnected (Closes: #876071) * apparmor: cater for new AAVMF image location * apparmor: delete profile on VM shutdown -- Guido Günther Mon, 18 Sep 2017 20:24:07 +0200 libvirt (3.7.0-3) unstable; urgency=medium * Move glusterfs, rbd, sheepdog and zfs storage drivers into separate packages. This reduces the dependencies pulled into default installations.
(Closes: #875834) -- Guido Günther Fri, 15 Sep 2017 14:09:31 +0200 libvirt (3.7.0-2) unstable; urgency=medium * Update copyright file -- Guido Günther Thu, 14 Sep 2017 12:16:47 +0200 libvirt (3.7.0-1) unstable; urgency=medium * New upstream version 3.7.0 (Closes: #874323) * Rediff patches * Bump symbol versions * Also pass $TERM to ssh so pinentry works Thanks to Guilhem Moulin (Closes: #843863) * Enable Gluster support (Closes: #755545) * Enable wireshark dissector (Closes: #862989) -- Guido Günther Fri, 08 Sep 2017 14:52:38 +0200 libvirt (3.6.0-1ubuntu6) artful; urgency=medium * d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append files (LP: #1726804) * d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch: fix path generation for USB host devices (LP: #1552241) * d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch: generate valid rules on usb passthrough (LP: #1686324) -- Christian Ehrhardt Tue, 24 Oct 2017 14:30:34 +0200 libvirt (3.6.0-1ubuntu5) artful; urgency=medium * d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch: fix FTBFS with glibc 2.26 (LP: #1718668) -- Christian Ehrhardt Thu, 28 Sep 2017 08:18:10 -0400 libvirt (3.6.0-1ubuntu4) artful; urgency=medium * d/p/avoid-double-locking.patch: fix a deadlock that could occur when libvirtd interactions raced with dbus causing a deadlock (LP: #1714254). 
-- Christian Ehrhardt Fri, 01 Sep 2017 10:29:35 +0200 libvirt (3.6.0-1ubuntu3) artful; urgency=medium * No change rebuild for Qemu 2.10 and Xen 4.9 -- Christian Ehrhardt Mon, 21 Aug 2017 10:34:13 +0200 libvirt (3.6.0-1ubuntu2) artful; urgency=medium * d/p/ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for loader/nvram (LP: #1710960) -- Christian Ehrhardt Thu, 17 Aug 2017 10:00:19 +0200 libvirt (3.6.0-1ubuntu1) artful; urgency=medium * Merged with Debian unstable (3.6) This closes several bugs: - aarch64: improved chardev handling (LP: #1697610) - Forbid locking memory without memtune (LP: #1708305) * Remaining changes: - Disable sheepdog (universe dependency) - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Set qemu-group to kvm (for compat with older ubuntu) - Regularly clear AppArmor profiles for vms that no longer exist - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04). + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - Backwards compatible handling of group rename (can be dropped >18.04). - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today: + nat only on some ports + autostart the default network by default + do not autostart if 192.168.122.0 is already taken (e.g. 
in containers) - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch. - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/test/smoke-lxc workaround for debbug 848317/867379 - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317) - Extended handling of apparmor profiles - clear lost profiles via cron - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default). 
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - conffile handling of files dropped in 3.5 (can be dropped >18.04) + /etc/init.d/virtlockd was sysv init only + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes: + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions + d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access 
to netlink sockets + d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd* + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681). + d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384). + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384). 
+ d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch: apparmor: add default pki path of lbvirt-spice (LP 1690140) + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621). + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova * Dropped Changes (Upstream): - d/p/ubuntu/fix-libxl-default-driver-name.patch: avoid an issue with default driver entries missing name='qemu'. - d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP 1704782) Fix to be able to follow BackinStorage chains when creating per guest apparmor rules. * Dropped Changes (In Debian): - Enable esx support + Add build-dep to libcurl4-gnutls-dev (required for esx) * Added Changes: - d/p/ubuntu-aa/0035-virt-aa-helper-locking-disk-files-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for disk files (LP: #1709818) -- Christian Ehrhardt Thu, 10 Aug 2017 12:44:47 +0200 libvirt (3.6.0-1) unstable; urgency=medium * [ece8d56] New upstream version 3.6.0 (Closes: #870626) * [f807f7e] Move debianization patches to front of pq since these are unlikely to go away * [a06e5a6] Don't build nss on non-linux since it depends on network support which is not available on non-linux. 
Thanks to Pino Toscano (Closes: #867393) * [6982266] Enable esx support (Closes: #602807) * [2c29499] Bump symbol versions * [f974bd9] d/control: fix typo. Thanks to lintian * [d4f1521] Bump standards version to 4.0.0 -- Guido Günther Fri, 04 Aug 2017 00:05:47 -0300 libvirt (3.5.0-1ubuntu3) artful; urgency=medium * Refresh changes to match the way they were accepted upstream - d/p/u/aa-helper-Properly-link-with-storage-driver.patch add commit reference now that it is in git. - d/p/u/fix-libxl-default-driver-name.patch: instead of adding the name this is now fixed by relaxing the schema. -- Christian Ehrhardt Wed, 19 Jul 2017 12:48:39 +0200 libvirt (3.5.0-1ubuntu2) artful; urgency=medium * d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP: #1704782) Fix to be able to follow BackinStorage chains when creating per guest apparmor rules. -- Christian Ehrhardt Tue, 18 Jul 2017 16:34:57 +0200 libvirt (3.5.0-1ubuntu1) artful; urgency=medium * Merged with Debian unstable (3.5) This closes several bugs: - improved handling of host-model since libvirt 3.2 (LP: #1673467) - Adding POWER9 cpu model to cpu_map.xml (LP: #1690209) * Remaining changes: - Disable sheepdog (universe dependency) - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Enable esx support + Add build-dep to libcurl4-gnutls-dev (required for esx) - Set qemu-group to kvm (for compat with older ubuntu) - Regularly clear AppArmor profiles for vms that no longer exist - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work
      + d/control: transitional package with the old name and maintainer scripts to handle the transition
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today:
      + nat only on some ports
      + autostart the default network by default
      + do not autostart if 192.168.122.0 is already taken (e.g. in containers)
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice.
    - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159)
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317)
    - Extended handling of apparmor profiles - clear lost profiles via cron
    - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default).
    - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes:
      + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu
      + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access
      + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap
      + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios
      + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages
      + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info
      + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions
      + d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries
      + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts
      + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access to netlink sockets
      + d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support
      + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store
      + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files
      + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*
      + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories
      + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy
      + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices
      + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations
      + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support
      + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm
      + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd
      + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services
      + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681).
      + d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384).
      + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384).
      + (28 is a new patch, listed in added changes)
      + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support
      + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options.
      + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621).
      + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova
    - remaining but updated to match the latest release
      + d/p/Disable-use-of-namespaces-by-default.patch (Debian change)
      + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch (Debian change)
      + d/p/debian/apparmor_profiles_local_include.patch Include local apparmor profile (Debian change)
      + d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
      + d/test/smoke-lxc workaround for debbug 848317/867379
  * Dropped Changes (Upstream):
    - Add missing apparmor rule for debug-threads feature (LP 1615550).
    - Add new block device types to virt-aa-helpers profile (LP 1641618)
    - d/p/ubuntu/storage-default-permission-mode-to-0711: safer default perms for storage dirs like /var/lib/libvirt/images.
    - d/p/ubuntu/libvirtd-service-nolimit.patch: remove proc/file/task limits to support huge systems.
    - d/p/ubuntu/libvirtd-service-set-notifyaccess.patch: set NotifyAccess=all in libvirtd.service (-d not allowed to be specified, everything else upstream so drop delta; LP 1574566).
    - d/p/ubuntu/qemu_process-spice-don-t-release-used-port.patch: qemu_process spice: don't release used port (LP 1697729).
    - d/p/ubuntu/virsh-maxvcpu-fall-back-to-old-command.patch: virsh: maxvcpus: Always fall back to the old command if domain caps fail (LP 1674298)
    - d/p/ubuntu/qemu-Allow-empty-script-path-to-interface.patch: in the past it was possible to have