Bug #1874647 “[Ubuntu 20.04] Stale libvirt cache leads to VM sta...” : Focal (20.04) : Bugs : libvirt package : Ubuntu

bugproxy (bugproxy) on 2020-04-24

tags:	added: architecture-s39064 bugnameltc-185546 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-04-24:

#1

Was this problem already reported upstream and a fix made available?
Btw. the latest (and wit that GA) kernel of 20.04 is: 5.4.0-26

Changed in ubuntu-z-systems:
importance:	Undecided → Medium
status:	New → Incomplete

Revision history for this message

bugproxy (bugproxy) wrote on 2020-04-24: Comment bridged from LTC Bugzilla

#2

------- Comment From <email address hidden> 2020-04-24 04:49 EDT-------
I just realized that AMD SEV faces the equivalent issue, as can be seen in https://github.com/libvirt/libvirt/blob/master/docs/kbase/launch_security_sev.rst. The only difference is that for Secure Execution it's the kernel command line setting, wheras SEV uses a module parameter.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-04-24:

#3

The case with the module parameter in SEV needs a fix similar to
https://libvirt.org/git/?p=libvirt.git;a=commit;h=b183a75319b90d0af5512be513743e1eab950612
as it can be re-loaded at any time.

Essentially the checks in virQEMUCapsLoadCache check qemu/kernel version and many other things.
They also check microcode version ...

I think the decision there can be two ways, either "on any reboot we need to refresh caps" which makes the code small but probably also wastes quite some refreshes that were not needed.
Or it could along all the versions that it checks also keep a full string of /proc/cmdline and compare it. If changed it needs to be refreshed.

I agree to Frank that this should be reported upstream.
No matter if you or I write a fix, it needs to go upstream then - so a bug tracker there can't hurt.
OTOH you can as well start right away with a RFC patch there if you have something prepared already - there is no "strict need" for an upstream bug, only if you hope someone there will fix it for you.

Since workarounds are available the prio is medium IMHO, eager to see what upstream thinks.

P.S. Even if you have no patch, it would be great if you (as the affected) would kick off the discussion upstream. Please provide a link here to the mailing list entry.

affects:	linux (Ubuntu) → libvirt (Ubuntu)
Changed in libvirt (Ubuntu):
status:	New → Triaged
importance:	Undecided → Medium

Revision history for this message

bugproxy (bugproxy) wrote on 2020-04-24:

#4

------- Comment From <email address hidden> 2020-04-24 06:03 EDT-------
(In reply to comment #8)
> The case with the module parameter in SEV needs a fix similar to
> https://libvirt.org/git/?p=libvirt.git;a=commit;
> h=b183a75319b90d0af5512be513743e1eab950612
> as it can be re-loaded at any time.
>
> Essentially the checks in virQEMUCapsLoadCache check qemu/kernel version and
> many other things.
> They also check microcode version ...
>
> I think the decision there can be two ways, either "on any reboot we need to
> refresh caps" which makes the code small but probably also wastes quite some
> refreshes that were not needed.
> Or it could along all the versions that it checks also keep a full string of
> /proc/cmdline and compare it. If changed it needs to be refreshed.
>
> I agree to Frank that this should be reported upstream.
> No matter if you or I write a fix, it needs to go upstream then - so a bug
> tracker there can't hurt.
> OTOH you can as well start right away with a RFC patch there if you have
> something prepared already - there is no "strict need" for an upstream bug,
> only if you hope someone there will fix it for you.
>
> Since workarounds are available the prio is medium IMHO, eager to see what
> upstream thinks.
>
> P.S. Even if you have no patch, it would be great if you (as the affected)
> would kick off the discussion upstream. Please provide a link here to the
> mailing list entry.

I agree with you. Please regard this as a tracking bug to pick up the upstream commits.

We (IBM) will prepare a write up for Secure Execution comparable to what exists for AMD SEV and also provide a fix for the cap caching invalidity problem. If that is going to look similar for what was done for nesting needs to be seen but it is a good starting point. Thanks for providing it.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-04-24:

#5

------- Comment From <email address hidden> 2020-04-24 06:08 EDT-------
(In reply to comment #9)
> (In reply to comment #8)
> > The case with the module parameter in SEV needs a fix similar to
> > https://libvirt.org/git/?p=libvirt.git;a=commit;
> > h=b183a75319b90d0af5512be513743e1eab950612
> > as it can be re-loaded at any time.
> >
> > Essentially the checks in virQEMUCapsLoadCache check qemu/kernel version and
> > many other things.
> > They also check microcode version ...
> >
> > I think the decision there can be two ways, either "on any reboot we need to
> > refresh caps" which makes the code small but probably also wastes quite some
> > refreshes that were not needed.
> > Or it could along all the versions that it checks also keep a full string of
> > /proc/cmdline and compare it. If changed it needs to be refreshed.
> >
> > I agree to Frank that this should be reported upstream.
> > No matter if you or I write a fix, it needs to go upstream then - so a bug
> > tracker there can't hurt.
> > OTOH you can as well start right away with a RFC patch there if you have
> > something prepared already - there is no "strict need" for an upstream bug,
> > only if you hope someone there will fix it for you.
> >
> > Since workarounds are available the prio is medium IMHO, eager to see what
> > upstream thinks.
> >
> > P.S. Even if you have no patch, it would be great if you (as the affected)
> > would kick off the discussion upstream. Please provide a link here to the
> > mailing list entry.
>
> I agree with you. Please regard this as a tracking bug to pick up the
> upstream commits.
>
> We (IBM) will prepare a write up for Secure Execution comparable to what
> exists for AMD SEV and also provide a fix for the cap caching invalidity
> problem. If that is going to look similar for what was done for nesting
> needs to be seen but it is a good starting point. Thanks for providing it.

I think the proper solution is to rebuild the capabilities whenever the date of /dev/kvm changed. There are module parameters (hpage and nested) that will change the capabilities. Caching beyond the lifetime of /dev/kvm is just wrong.
When the startup takes slightly longer after reboot - so be it.

Agreed to discuss this upstream. Please cc me

------- Comment From cborntra@de.ibm.com 2020-04-24 06:08 EDT-------
(In reply to comment #9)
> (In reply to comment #8)
> > The case with the module parameter in SEV needs a fix similar to
> > https://libvirt.org/git/?p=libvirt.git;a=commit;
> > h=b183a75319b90d0af5512be513743e1eab950612
> > as it can be re-loaded at any time.
> >
> > Essentially the checks in virQEMUCapsLoadCache check qemu/kernel version and
> > many other things.
> > They also check microcode version ...
> >
> > I think the decision there can be two ways, either "on any reboot we need to
> > refresh caps" which makes the code small but probably also wastes quite some
> > refreshes that were not needed.
> > Or it could along all the versions that it checks also keep a full string of
> > /proc/cmdline and compare it. If changed it needs to be refreshed.
> >
> > I agree to Frank that this should be reported upstream.
> > No matter if you or I write a fix, it needs to go upstream then - so a bug
> > tracker there can't hurt.
> > OTOH you can as well start right away with a RFC patch there if you have
> > something prepared already - there is no "strict need" for an upstream bug,
> > only if you hope someone there will fix it for you.
> >
> > Since workarounds are available the prio is medium IMHO, eager to see what
> > upstream thinks.
> >
> > P.S. Even if you have no patch, it would be great if you (as the affected)
> > would kick off the discussion upstream. Please provide a link here to the
> > mailing list entry.
>
> I agree with you. Please regard this as a tracking bug to pick up the
> upstream commits.
>
> We (IBM) will prepare a write up for Secure Execution comparable to what
> exists for AMD SEV and also provide a fix for the cap caching invalidity
> problem. If that is going to look similar for what was done for nesting
> needs to be seen but it is a good starting point. Thanks for providing it.

I think the proper solution is to rebuild the capabilities whenever the date of /dev/kvm changed. There are module parameters (hpage and nested) that will change the capabilities. Caching beyond the lifetime of /dev/kvm is just wrong.
When the startup takes slightly longer after reboot - so be it.

Agreed to discuss this upstream. Please cc me

Revision history for this message

bugproxy (bugproxy) wrote on 2020-05-12:

#6

------- Comment From <email address hidden> 2020-05-12 02:37 EDT-------
I sent a patch series to the libvirt mailing list yesterday addressing the issues of this bugzilla.
https://www.redhat.com/archives/libvir-list/2020-May/msg00416.html

Revision history for this message

bugproxy (bugproxy) wrote on 2020-05-26:

#7

------- Comment From <email address hidden> 2020-05-26 07:14 EDT-------
*** Bug 185971 has been marked as a duplicate of this bug. ***

Revision history for this message

Frank Heimes (fheimes) wrote on 2020-05-26:

#8

(just for the records: "Bug 185971" in comment #7 is an IBM Bugzilla number, not a LP bug number, hence pointing with the automatic link generation to a wrong LP bug)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-05-26:

#9

Note: the referred path set didn't land yet.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-06-17:

#10

------- Comment From <email address hidden> 2020-06-17 12:27 EDT-------
(In reply to comment #14)
> Note: the referred path set didn't land yet.

Please not that the patch series has been accepted upstream.
It will be released as part of libvirt v6.5.0.

Here is the list of the commit ids:
c5fffb959d util: Introduce a parser for kernel cmdline arguments
b611b620ce qemu: Check if s390 secure guest support is enabled
657365e74f qemu: Check if AMD secure guest support is enabled
0254ceab82 tools: Secure guest check on s390 in virt-host-validate
4b561d49ad tools: Secure guest check for AMD in virt-host-validate
2c3ffa3728 docs: Update AMD launch secure description
f0d0cd6179 docs: Describe protected virtualization guest setup

The issue described in this bugzilla (stale capability cache) should be resolved already by the first two patches of the series. Patch 4 extends virt-host-validate with checks of the hosts readiness to support IBM Secure Execution and patch 6 provides documentation how to setup and use IBM Secure Execution with libvirt on linux on Z.

Please also not that there is another series that might come in handy for some other stale capability cache scenarios. This might e.g. occur if the KVM host system itself is being moved/migrated/upgraded.
Here is the list of commit ids:
8cb9d2495c util: Define g_autoptr callback for FILE
a551dd5fdf hostcpu: Introduce virHostCPUGetSignature
44f826e4a0 hostcpu: Implement virHostCPUGetSignature for x86
2a68ceaa6e hostcpu: Implement virHostCPUGetSignature for ppc64
d3d87e0cef hostcpu: Implement virHostCPUGetSignature for s390
004804a7d7 qemu: Invalidate capabilities when host CPU changes

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-06-19:

#11

awesome, thanks Boris!

I think I'm looking at making sure to catch these when merging libvirt for 20.10 and then we might take just the two commits for the initial bug into Focal.

tags:

added: libvirt-20.10

Frank Heimes (fheimes) on 2020-06-19

Changed in ubuntu-z-systems:
assignee:	nobody → Christian Ehrhardt  (paelzer)
status:	Incomplete → Triaged
Changed in libvirt (Ubuntu):
assignee:	Skipper Bug Screeners (skipper-screen-team) → Christian Ehrhardt  (paelzer)
Changed in ubuntu-z-systems:
assignee:	Christian Ehrhardt  (paelzer) → Skipper Bug Screeners (skipper-screen-team)

Revision history for this message

bugproxy (bugproxy) wrote on 2020-08-26:

#12

------- Comment From <email address hidden> 2020-08-26 07:24 EDT-------
@Canonical. Any update available?

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-08-26:

#13

Libvirt 6.6 contains the fix, but is stuck in groovy proposed for a while already.
After a fix (that you also want for virtiofsd) and another issue around libtripc being resolved there will be a follow up upload that should resolve those two today and hopefully migrate to groovy-release soon after.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-08-26:

#14

See
https://launchpad.net/ubuntu/+source/libvirt/6.6.0-1ubuntu1
And soon but not yet
https://launchpad.net/ubuntu/+source/libvirt/6.6.0-1ubuntu2

Christian Ehrhardt  (paelzer) on 2020-08-26

Changed in libvirt (Ubuntu Groovy):
status:	Triaged → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2020-08-26:

#15

------- Comment From <email address hidden> 2020-08-26 09:01 EDT-------
Thx for the update.

Frank Heimes (fheimes) on 2020-08-26

Changed in ubuntu-z-systems:
status:	Triaged → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-08-29:

#16

Download full text (18.5 KiB)

This bug was fixed in the package libvirt - 6.6.0-1ubuntu2

---------------
libvirt (6.6.0-1ubuntu2) groovy; urgency=medium

  * d/p/u/lp-1892826-Revert-m4-virt-xdr-rewrite-XDR-check.patch: avoid clashes
    between libtripc and glibc that break libvirt-lxc (LP: #1892826)
  * d/p/ubuntu-aa/lp-1892736-apparmor-allow-libvirtd-to-call-virtiofsd.patch:
    allow libvirt to control virtiofsd (LP: #1892736)

libvirt (6.6.0-1ubuntu1) groovy; urgency=medium

  * Merge with Debian 6.6.0-1 from experimental
    Among many other new features and fixes this includes fixes for:
    (LP: #1874647) - Stale libvirt cache leads to VM startup failures
    (LP: #1869796) - bad ordering and dependent restarts of services/sockets
    Remaining changes:
    - d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading
      versioned modules after qemu package upgrades (LP 1847361)
    - libvirt-uri.sh: Automatically switch default libvirt URI for users
      via user profile (xen URI on dom0, qemu:///system otherwise)
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch...

This bug was fixed in the package libvirt - 6.6.0-1ubuntu2

---------------
libvirt (6.6.0-1ubuntu2) groovy; urgency=medium

* d/p/u/lp-1892826-Revert-m4-virt-xdr-rewrite-XDR-check.patch: avoid clashes
    between libtripc and glibc that break libvirt-lxc (LP: #1892826)
  * d/p/ubuntu-aa/lp-1892736-apparmor-allow-libvirtd-to-call-virtiofsd.patch:
    allow libvirt to control virtiofsd (LP: #1892736)

libvirt (6.6.0-1ubuntu1) groovy; urgency=medium

* Merge with Debian 6.6.0-1 from experimental
    Among many other new features and fixes this includes fixes for:
    (LP: #1874647) - Stale libvirt cache leads to VM startup failures
    (LP: #1869796) - bad ordering and dependent restarts of services/sockets
    Remaining changes:
    - d/p/ubuntu-aa/lp-1847361-load-versioned-module.patch: allow loading
      versioned modules after qemu package upgrades (LP 1847361)
    - libvirt-uri.sh: Automatically switch default libvirt URI for users
      via user profile (xen URI on dom0, qemu:///system otherwise)
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update README.Debian with Ubuntu changes
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI
      Secure Boot enabled variants of the OVMF firmware and variable store for
      the paths where we ship these files in Ubuntu.
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/control: add libzfslinux-dev to build-deps
    - d/control: drop libvirt-lxc, vbox and xen drivers to suggest
    - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for
      (LP 1861125) fixups
    - Apparmor Delta that is Ubuntu specific or yet to be upstreamed
      split into logical pieces. File names in debian/patches/ubuntu-aa/:
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
        libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper:
        add l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
        reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
        commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + 0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include
        for abstraction/libvirt-qemu (LP: 1786019)
      + lp-1815910-allow-vhost-net.patch: avoid apparmor issues
        with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
  * Dropped changes (in Debian now):
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - enable attr support to store XATTR labels. Among other things
      this allows to properly restore file ownership (LP 691590)
        - d/control: build depend to libattr1-dev
        - d/rules: configure --with-attr
    - Install virt-login-shell-helper
    - Install augeas lenses for all drivers
    - Remove all mentions of Devhelp
    - not-installed: Remove obsolete entries
    - not-installed: List all split daemons files
    - d/control: bump build dep to python3
    - d/control: add python3-docutils as build dependency
    - d/rules: set enable-dependency-tracking to avoid FTBFS
    - d/rules: drop the no more existing phyp option
    - d/rules: drop the no more existing xen configure option
    - minimize patches generated by autoreconf
    - fix build on Debian/Ubuntu in qemuhotplugtest
    - d/libvirt-doc.doc: install rendered docs
    - d/libvirt-daemon-system.examples: drop old examples that are now active
    - d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file placement
    - d/libvirt-daemon-system-sysv.lintian-overrides: not shipiing systemd files
    - d/libnss-libvirt.lintian-overrides: accept having two nss so files
    - d/rules: don't ship split daemons just yet
    - d/rules: install /etc/default/* files that are shared between sysv and
      systemd packages
    - d/rules: add libvirt-guests.default to libvirt-daemon-system instead of
      libvirt-daemon-system-sysv
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - d/rules: also check build time self test results on all architectures
    - d/rules: add --no-restart-after-upgrade to services that are supposed to
      stay up through upgrades - this also applies to related sockets.
  * Dropped changes (part of upstream now):
    - d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling
      (LP 1879325)
    - d/p/ubuntu-aa/lp-1871354*: fix apparmor denials on libpmem init
      (LP 1871354)
    - d/p/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout
      -on-rea.patch: avoid DOS through read only connections
      CVE-2020-10701
    - d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities
      and binary autodetection in general (LP 1867460)
    - d/p/stable/lp-1868539-*: stabilize libvirt by backporting upstream
      fixes (LP 1868539)
    - d/p/ubuntu/lp-1853200*: add cpu models without hle/rtm features to have
      modern types on kernels with recent security fixes (LP 1853200)
    - d/p/ubuntu/lp-1868528-*: Fail when fetching CPU Status for invalid CPU
      (LP 1868528)
    - d/p/ubuntu/lp-1865425-*: avoid killing the monitor job in
      qemuDomainSetTimeAgent (LP 1865425)
    - d/p/ubuntu-aa/virt-aa-helper-Add-support-for-smartcard-host-certif.patch:
      allow emulation of smartcard via host certificates
    - d/p/ubuntu/lp-1861125-*: fix non host-model migrations from old machine
      types (LP 1861125)
    - d/p/ubuntu-aa/apparmor-allow-to-call-vhost-user-gpu.patch: do not apparmor
      block vhost-user-gpu usage
    - d/p/ubuntu/lp-1655111*: fix qemu_bridge_helper to work with named
      profiles (LP 1655111)
  * Dropped changes (no more needed):
    - d/control: make libvirt-daemon-driver-storage-rbd a recommend instead of
      just a suggest. This was deprecated since bionic and now will be dropped.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - d/control: VCS links to use generic Ubuntu launchpad git URLs
    - refreshed patches for libvirt v6.0.0
    - d/libvirt-daemon-system.postrm: change order of libvirt-qemu removal to
      avoid error messages on purge [deluser/delgroup no more report warnings]
    - "Additional apport package-hook": due to context auto updates
      d/libvirt-daemon.install had bad entries which are no more required.
    - d/control, d/rules: Disable rbd and zfs on riscv64 where they are
      unavailable (LP 1872952)
  * Added Changes:
    - d/control: breaks replaces for augeas lenses move in 6.0.0-1
      (follows Debian, droppable >22.04)
    - refresh ubuntu patches for 6.6
      - d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch
      - d/p/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch
      - d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
      - d/p/ubuntu/dnsmasq-as-priv-user
      - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch
      - d/p/ubuntu/daemon-augeas-fix-expected.patch
    - d/libvirt-daemon-system.postinst: fix bashism in dnsmasq related
      enhancements
    - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP: #1887592)
    - d/libvirt-clients.lintian-overrides: profile scripts are non executable
    - d/p/ubuntu-aa/apparmor-allow-unmounting-.dev-entries.patch: avoid
      triggering denials in devmapper error path
    - d/p/ubuntu-aa/pparmor-profiles-are-meant-to-allow-adding-permanen.patch:
      (again) allow permanent per guest overrides (LP: #1745114)
    - d/control: drop mdevctl to a suggest until (LP 1889248) is ready

libvirt (6.6.0-1) unstable; urgency=medium

* Team upload

[ Andrea Bolognani ]
  * [ecdcc72] New upstream version 6.6.0
    Includes fix for CVE-2020-14339 (Closes: #966563)
  * [751e146] upstream: Add key for Jiří Denemark
  * [ab2a1b4] control: Add Build-Depends on libtirpc-dev
  * [8714f7d] control: Drop Build-Depends on libncurses5-dev.
  * [1137e33] patches: Assign topic to all patches.
  * [51e52ab] patches: Reorder patches.

[ Christian Ehrhardt ]
  * [ceab403] d/control, d/rules: feature architecture parity.
    Enable systemtap, numa and numad on more architectures.
  * [dd2d1a9] Drop d/p/apparmor-Allow-[....]-name-service-.patch.
    Doesn't seem to be necessary anymore.
  * [d31eba5] fix device mapper issues.
    Add the following backports:
    - virdevmapper-Don-t-cache-device-mapper-major.patch
    - virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch
    - virdevmapper-Handle-kernel-without-device-mapper-support.patch
  * [3145e31] tools: fix libvirt-guests.sh text assignments
    Add the following backports:
    - tools-fix-libvirt-guests.sh-text-assignments.patch

libvirt (6.5.0-1) unstable; urgency=medium

* Team upload

* [38c0fa7] New upstream version 6.5.0
  * [b8a07b4] control: Add Recommends for mdevctl

libvirt (6.4.0-2) unstable; urgency=medium

[ Christian Ehrhardt ]
  * [d0f7eb5] enable attr support to be able to store XATTR labels.
    Among other things this allows to properly restore file ownership
    - d/control: build depend on libattr1-dev
    - d/rules: configure --with-attr
    Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/691590

[ Andrea Bolognani ]
  * Use consistent layout in packaging files

libvirt (6.4.0-1) experimental; urgency=medium

* Team upload

* [1662a90] New upstream version 6.4.0
    Includes a fix for CVE-2020-14301 (Closes: #963474)
  * [ad19936] patches: Drop tests-Mock-[...]-for-qemuhotplug.patch
  * [bfc4f8b] rules: Install upstream release notes
  * [995991b] control: Set Rules-Requires-Root: no
  * [dd75022] control: Bump Standards-Version to 4.5.0
  * [fa6aefb] rules: Enable 'bindnow' hardening option

libvirt (6.2.0-1) experimental; urgency=medium

* Team upload

[ Guido Günther ]
  * Upload to experimental
  * [1b6982f] New upstream version 6.2.0
    Contains fix for CVE-2020-10701. (Closes: #955841)
      Thanks to Carnil for the triage
    Contains fix for CVE-2020-12430. (Closes: #959447)

[ Andrea Bolognani ]
  * [ba77756] patches: Drop all gnulib-related patches
    Specifically:
      openpty-Skip-test-if-no-pty-is-available.patch
      Disable-gnulib-s-test-nonplocking-pipe.sh.patch
      test-posix_openpt-don-t-fail-on-EACCESS.patch
  * [2e0b5f1] patches: Add tests-Mock-[...]-for-qemuhotplug.patch
    Replaces:
      skip-qemuhotplugtest.patch
  * [7c1e182] debhelper: Use debhelper-compat package

libvirt (6.0.0-7) unstable; urgency=medium

[ Laurent Bigonville ]
  * [4e6f909] Disable polkit support on !linux, see: #927896
  * [3ee1c87] Do not build-depends against libglusterfs-dev on non-linux
    architectures

[ Guido Günther ]
  * [41c33eb] Rediff patches
  * [da804f9] Backport fix for CVE-2020-10701.
    Thanks to Carnil for the triage (Closes: #955841)
  * [a5dd08c] d/rules: systemd: Also pass --no-restart-on-upgrade when using
    --no-start.

[ Andrea Bolognani ]
  * [0c6a3a0] salsa-ci: Create local pristine-tar branch.

libvirt (6.0.0-6) unstable; urgency=medium

[ Laurent Bigonville ]
  * [ea7b8b7] autopkgtest exits with 2 when there are skipped tests do not
    consider that as fatal

[ Guido Günther ]
  * [100e8aa] Don't start or restart socket units on package upgrades.
    Changes get picked up when the corresponding system unit is being restarted.
    This avoids problems when socket and service units of the same service get
    restarted together. See #955483 for details.
  * [ff981d5] Pass --no-auto to dh_instalsystemd.
    This avoids generation of restart snippets for services listed in `Also=`
    sections of the service units. Otherwise these get restarted but we want
    to avoid that and let systemd figure it out all by itself.
    See: #955483, #841095

libvirt (6.0.0-5) unstable; urgency=medium

[ Guido Günther ]
  * [421e865] systemd: Don't restart libvirt-guests on upgrade
    (Closes: #955216)

[ Laurent Bigonville ]
  * [5f72035] Only run qemu test on amd64
    (Closes: #955278)

libvirt (6.0.0-4) unstable; urgency=medium

* [d7df842] sysv: Don't restart libvirt-guests on upgrade
    (Closes: #954921)

libvirt (6.0.0-3) unstable; urgency=medium

* [de68a4b] Bump Breaks/conflicts.
    While there were conflicts/breaks for the driver split we moved
    the augeas lenses in 6.0.0-1. (Closes: #954032, #953894)

libvirt (6.0.0-2) unstable; urgency=medium

* Upload to unstable

libvirt (6.0.0-1) experimental; urgency=medium

[ Guido Günther ]
  * [33890b9] New upstream version 6.0.0
    (Closes: #939552)
  * [c9f82be] gitlab-ci: Run autopkgtests

[ Christian Ehrhardt ]
  * [fa167bc] d/libnss-libvirt.lintian-overrides: accept having two nss so
    files
  * [bf48357] d/libvirt-daemon-system-sysv.lintian-overrides: not shipping
    systemd files.  Packages are split intentionally, ignore this lintian
    warning.
  * [2278598] d/rules: also check build time self test results on all
    architectures
  * [c1be36a] d/rules: drop doc binary cleanup.
  * [6d60c3c] d/rules: don't ship split daemons just yet
  * [33f8dc4] d/p/skip-qemuhotplugtest.patch: fix qemuhotplugtest.
    Skip some elements of qemuhotplugtest that for now break in
    Debian/Ubuntu build environments.
  * [a1734f7] d/rules: add libvirt-guests.default to libvirt-daemon-system
    instead of libvirt-daemon-system-sysv
  * [69f6cfe] d/rules: install /etc/default/* files that are shared between
    sysv and systemd packages
  * [31be682] d/rules: install virtlockd for sysv
    (Closes: #880970)

[ Andrea Bolognani ]
  * [070d158] Install virt-login-shell-helper.
    This new binary was introduced in libvirt 5.7.0 and is necessary for
    virt-login-shell to work.
  * [143dafb] Install augeas lenses for all drivers.
    These slipped through the cracks when we moved from picking up the
    corresponding directories as a whole to listing the specific files we're
    interested in.
  * [efa4cfe] Remove all mentions of Devhelp.
    As of libvirt 5.8.0, the corresponding files are no longer
    generated.
  * [8ebd427] not-installed: Remove obsolete entries.
    Now that upstream's build system has been fixed and we're picking up the
    documentation from the install location rather than the source directory,
    the corresponding files will no longer be flagged by dh_missing.
  * [ce54aef] not-installed: List all split daemons files.
    Since we're not shipping split daemons yet, the corresponding
    binaries as well as systemd units and augeas lenses will be
    flagged by dh_missing if we don't list them here.
  * [391e39d] symbols: Drop LIBVIRT_5.9.0
    libvirt 5.9.0 didn't introduce any new public symbols.

libvirt (6.0.0~rc1-1) experimental; urgency=medium

[ Guido Günther ]
  * [443fae0] New upstream version 6.0.0~rc1
  * [70c5676] Bump symbol versions
  * [eb6c6c1] gitlab-ci: Build package.
    We unfortunately can't use salsa-ci's prebuilt pipeline since
    that hangs on large jobs:
    https://salsa.debian.org/salsa/support/issues/180
    We redirct output to a file to work around:
    https://salsa.debian.org/salsa/support/issues/191

[ Christian Ehrhardt ]
  * [cc6b955] refresh d/p/* for v6.0.0
  * [5639ffb] d/control: bump build dep to python3
  * [dc99d35] d/rules: set enable-dependency-tracking to avoid FTBFS.
  * [af131c7] d/rules: drop the no more existing xen configure option
  * [84367d9] d/control: add python3-docutils as build dependency
  * [37f0a5c] d/libvirt-doc.doc: install rendered docs
  * [880f00e] d/libvirt-daemon-system.examples: Drop examples that are now
    conf files
  * [671aeca] d/libvirt-doc.doc-base.libvirt-doc: adapt doc base to new file
    placement

-- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 25 Aug 2020 14:53:26 +0200

Changed in libvirt (Ubuntu Groovy):
status:	In Progress → Fix Released

Christian Ehrhardt  (paelzer) on 2020-09-01

description:

updated

Christian Ehrhardt  (paelzer) on 2020-09-02

Changed in libvirt (Ubuntu Groovy):
assignee:	Christian Ehrhardt  (paelzer) → nobody
Changed in libvirt (Ubuntu Focal):
assignee:	nobody → Christian Ehrhardt  (paelzer)
status:	New → In Progress

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-02:

#17

Test the test to be helpful:

Run guest a defined model like:
23 <cpu mode='custom' match='exact' check='partial'>
24 <model fallback='forbid'>SandyBridge-IBRS</model>
25 <vendor>Intel</vendor>
26 </cpu>

In the guest check the cache file update time:
$ sudo ls -laF /var/cache/libvirt/qemu/capabilities/
-rw------- 1 root root 75171 Sep 2 08:58 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root root 85376 Sep 2 08:58 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml
$ virsh domcapabilities > dpre
$ virsh capabilities > cpre
$ head -n5 /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel Xeon E312xx (Sandy Bridge, IBRS update)

Then shutdown and change that to IvyBridge-IBRS (similar but not the same)
When again started it should refresh the cache, as the CPU changed.
But without the fix it hasn't.

While cpuinfo changed, the cache and results didn't.

$ head -n5 /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)
$ virsh domcapabilities > dpost
$ virsh capabilities > cpost
$ md5sum cp* dp*
f0df917463798992d5842297fa039f86 cpost
4f214575cab864502576a0da1bceb031 cpre
94d6fe53ee5f9f6270e001788a225328 dpost
94d6fe53ee5f9f6270e001788a225328 dpre

With the fix:

-rw------- 1 root root 75171 Sep 2 09:04 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root root 85376 Sep 2 09:04 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml

And after reboot into the other type we see the host section updated.
$ md5sum cp* dp*
4f214575cab864502576a0da1bceb031 cpost
f0df917463798992d5842297fa039f86 cpre
94d6fe53ee5f9f6270e001788a225328 dpost
94d6fe53ee5f9f6270e001788a225328 dpre
-rw------- 1 root root 75171 Sep 2 09:04 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root root 85376 Sep 2 09:04 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml

$ diff -Naur cpre cpost
--- cpre 2020-09-02 09:04:41.058583142 +0000
+++ cpost 2020-09-02 09:05:50.652000000 +0000
@@ -4,10 +4,11 @@
     <uuid>058268cb-6229-46c7-84f8-5cd8edac4c5d</uuid>
     <cpu>
       <arch>x86_64</arch>
- <model>IvyBridge-IBRS</model>
+ <model>SandyBridge-IBRS</model>
       <vendor>Intel</vendor>
       <microcode version='1'/>
       <topology sockets='1' cores='1' threads='1'/>
+ <feature name='vme'/>
       <feature name='osxsave'/>
       <feature name='hypervisor'/>
       <feature name='arat'/>

There are more complex feature checks that might go deeper e.g. when actually starting a guest and deriving host-model. But this should be ok as a test of the area I hope.

P.S. I've yet to see the "Outdated capabilities for '%s': host CPU changed" message in a debug log, maybe the tests needs to be further adapted for the specific case.

Test the test to be helpful:

Run guest a defined model like:
 23   <cpu mode='custom' match='exact' check='partial'>                              
 24     <model fallback='forbid'>SandyBridge-IBRS</model>                            
 25     <vendor>Intel</vendor>                                                       
 26   </cpu>

In the guest check the cache file update time:
$ sudo ls -laF /var/cache/libvirt/qemu/capabilities/
-rw------- 1 root         root 75171 Sep  2 08:58 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root         root 85376 Sep  2 08:58 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml
$ virsh domcapabilities > dpre
$ virsh capabilities > cpre
$ head -n5 /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel Xeon E312xx (Sandy Bridge, IBRS update)

Then shutdown and change that to IvyBridge-IBRS (similar but not the same)
When again started it should refresh the cache, as the CPU changed.
But without the fix it hasn't.

While cpuinfo changed, the cache and results didn't.

$ head -n5 /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 58
model name	: Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)
$ virsh domcapabilities > dpost
$ virsh capabilities > cpost
$ md5sum cp* dp*
f0df917463798992d5842297fa039f86  cpost
4f214575cab864502576a0da1bceb031  cpre
94d6fe53ee5f9f6270e001788a225328  dpost
94d6fe53ee5f9f6270e001788a225328  dpre

With the fix:

-rw------- 1 root         root 75171 Sep  2 09:04 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root         root 85376 Sep  2 09:04 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml

And after reboot into the other type we see the host section updated.
$ md5sum cp* dp*
4f214575cab864502576a0da1bceb031  cpost
f0df917463798992d5842297fa039f86  cpre
94d6fe53ee5f9f6270e001788a225328  dpost
94d6fe53ee5f9f6270e001788a225328  dpre
-rw------- 1 root         root 75171 Sep  2 09:04 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
-rw------- 1 root         root 85376 Sep  2 09:04 f11008721aacc79c97e592178e61264d75be551864cd79cc41fe820e31262f27.xml

$ diff -Naur cpre cpost
--- cpre	2020-09-02 09:04:41.058583142 +0000
+++ cpost	2020-09-02 09:05:50.652000000 +0000
@@ -4,10 +4,11 @@
     <uuid>058268cb-6229-46c7-84f8-5cd8edac4c5d</uuid>
     <cpu>
       <arch>x86_64</arch>
-      <model>IvyBridge-IBRS</model>
+      <model>SandyBridge-IBRS</model>
       <vendor>Intel</vendor>
       <microcode version='1'/>
       <topology sockets='1' cores='1' threads='1'/>
+      <feature name='vme'/>
       <feature name='osxsave'/>
       <feature name='hypervisor'/>
       <feature name='arat'/>

There are more complex feature checks that might go deeper e.g. when actually starting a guest and deriving host-model. But this should be ok as a test of the area I hope.

P.S. I've yet to see the "Outdated capabilities for '%s': host CPU changed" message in a debug log, maybe the tests needs to be further adapted for the specific case.

Frank Heimes (fheimes) on 2020-09-03

Changed in ubuntu-z-systems:
status:	In Progress → Incomplete

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-04:

#18

MP is also reviewed, this is uploaded for an SRU.
Once the SRU Team got to it it would be great to have IBM testing -proposed for this case.

Frank Heimes (fheimes) on 2020-09-04

Changed in ubuntu-z-systems:
status:	Incomplete → In Progress

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-09:

#19

FYI - Re-uploaded since the first shot (while testing fine) had formally an incorrect format for referencing a Launchpad bug.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-09-15:

#20

------- Comment From <email address hidden> 2020-09-15 09:55 EDT-------
Upgraded on an SE capable LPAR an Ubuntu Focal to Groovy.
Successfully checked installed libvirt packages if they are at least match with the above description.

# apt list --installed | grep libvirt

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gir1.2-libvirt-glib-1.0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt-clients/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-daemon-driver-qemu/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system-systemd/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-dev/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-glib-1.0-0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt0/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
python3-libvirt/groovy,now 6.1.0-1 s390x [installed,automatic]

Protected virtualization was enabled on the system before and after upgrade.
Libvirts cached capabilities file was up to date, virt-host-validate returned "pass" for "QEMU: Checking for secure guest support" and SE guest was able to start successfully.

Removed "prot-virt=1" kernel parameter and rebooted host.
Libvirts cached capabilities file had been updated, virt-host-validate returned "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)" for "QEMU: Checking for secure guest support" and as expected SE guest was NOT able to start.

Added "prot_virt=1" kernel parameter and rebooted host.
Libvirts cached capabilities file has been update, virt-host-validate returned "pass" for "QEMU: Checking for secure guest support" and SE guest was able to start successfully.

Played around with kernel parameter values (prot_virt or prot-virt setting it to 0 or 1) a couple of times.
All seems to work as expected.

------- Comment From boris_fiuczynski@de.ibm.com 2020-09-15 09:55 EDT-------
Upgraded on an SE capable LPAR an Ubuntu Focal to Groovy.
Successfully checked installed libvirt packages if they are at least match with the above description.

# apt list --installed | grep libvirt

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gir1.2-libvirt-glib-1.0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt-clients/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-daemon-driver-qemu/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system-systemd/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-dev/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-glib-1.0-0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt0/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
python3-libvirt/groovy,now 6.1.0-1 s390x [installed,automatic]

Protected virtualization was enabled on the system before and after upgrade.
Libvirts cached capabilities file was up to date, virt-host-validate returned "pass" for "QEMU: Checking for secure guest support" and SE guest was able to start successfully.

Removed "prot-virt=1" kernel parameter and rebooted host.
Libvirts cached capabilities file had been updated, virt-host-validate returned "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)" for "QEMU: Checking for secure guest support" and as expected SE guest was NOT able to start.

Added "prot_virt=1" kernel parameter and rebooted host.
Libvirts cached capabilities file has been update, virt-host-validate returned "pass" for "QEMU: Checking for secure guest support" and SE guest was able to start successfully.

Played around with kernel parameter values (prot_virt or prot-virt setting it to 0 or 1) a couple of times.
All seems to work as expected.

Revision history for this message

Brian Murray (brian-murray) wrote on 2020-09-15: Please test proposed package

#21

Hello bugproxy, or anyone else affected,

Accepted libvirt into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/6.0.0-0ubuntu8.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in libvirt (Ubuntu Focal):
status:	In Progress → Fix Committed
tags:	added: verification-needed verification-needed-focal

Revision history for this message

Ubuntu SRU Bot (ubuntu-sru-bot) wrote on 2020-09-15: Autopkgtest regression report (libvirt/6.0.0-0ubuntu8.4)

#22

All autopkgtests for the newly accepted libvirt (6.0.0-0ubuntu8.4) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

ruby-libvirt/unknown (armhf)
nova/unknown (armhf)
vagrant-libvirt/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#libvirt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Frank Heimes (fheimes) on 2020-09-16

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

#23

Thank you Brian, IBM just did the s390x specific eval on the equivalent build from the PPA - no need to redo all of this.
I was running a regression test and the tests I was doing before in comment #17 again.
They behaved the same as with my PPA tests which is (combined with the IBM tests on protvirt) enough confirmation on this.

Setting verified tags on this, yet we need to still sort out the off autopkgtest issues that we hit...

tags:

added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

#24

The three test issues on armhf all seemed to be from the test environment, but not the involved components. For now I just restarted them as-is ...

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

#25

@Boris - while not strictly required if you have the test system still around testing also the version in -proposed as well would be awesome.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

#26

It seems vorlon already retried two of the three cases. One recovered, one did not.
Still an indication that it is at least flaky ... :-/

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-16:

#27

All tests should be resolved by now reaching their former result state

Revision history for this message

bugproxy (bugproxy) wrote on 2020-09-16: Comment bridged from LTC Bugzilla

#28

Download full text (7.4 KiB)

------- Comment From <email address hidden> 2020-09-16 08:38 EDT-------
Edited /etc/apt/sources.list by duplicating all lines containing groovy-update and replacing it with groovy-proposed.
Running "apt update" and "apt upgrade"
Rebooting host

Seems like libvirt remained unchanged and qemu and kernel updated
# apt list --installed | grep -e libvirt -e qemu -e linux-image

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gir1.2-libvirt-glib-1.0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt-clients/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-daemon-driver-qemu/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system-systemd/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-dev/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-glib-1.0-0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt0/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
linux-image-5.4.0-21-generic/now 5.4.0-21.25 s390x [installed,local]
linux-image-5.4.0-47-generic/now 5.4.0-47.51 s390x [installed,local]
linux-image-5.8.0-18-generic/groovy,now 5.8.0-18.19 s390x [installed,automatic]
linux-image-5.8.0-19-generic/groovy-proposed,groovy-proposed,now 5.8.0-19.20 s390x [installed,automatic]
linux-image-generic/groovy-proposed,groovy-proposed,now 5.8.0.19.23 s390x [installed,automatic]
linux-image-unsigned-5.4.0-9019-generic/now 5.4.0-9019.23 s390x [installed,local]
python3-libvirt/groovy,now 6.1.0-1 s390x [installed,automatic]
qemu-block-extra/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu-kvm/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]
qemu-system-common/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu-system-data/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 all [installed,automatic]
qemu-system-s390x/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]
qemu-utils/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]

Protected virtualization was enabled on the system before and after upgrade with kernel parameter "prot_virt=1".
Libvirts cached capabilities file was updated due to new kernel booting and virt-host-validate returned "pass" for "QEMU: Checking for secure guest support".
Unexpectedly starting an SE guest with console (virsh start guest01 --console) resulted in a crash of the guest.

Here is what I caught in the log:
2020-09-16 10:48:14.805+0000: starting up libvirt version: 6.6.0, package: 1ubuntu2 (Christian Ehrhardt <email address hidden> Tue, 25 Aug 2020 14:53:26 +0200), qemu version: 5.0.0Debian 1:5.0-5ubuntu8, kernel: 5.8.0-19-generic, hostname: linux02.
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-1-focal \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-1-focal/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-1-focal/.cache \
XDG_CONFIG_...

------- Comment From boris_fiuczynski@de.ibm.com 2020-09-16 08:38 EDT-------
Edited /etc/apt/sources.list by duplicating all lines containing groovy-update and replacing it with groovy-proposed.
Running "apt update" and "apt upgrade"
Rebooting host

Seems like libvirt remained unchanged and qemu and kernel updated
# apt list --installed | grep -e libvirt -e qemu -e linux-image

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gir1.2-libvirt-glib-1.0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt-clients/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-daemon-driver-qemu/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system-systemd/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon-system/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
libvirt-daemon/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-dev/groovy,now 6.6.0-1ubuntu2 s390x [installed]
libvirt-glib-1.0-0/groovy,now 3.0.0-1 s390x [installed,automatic]
libvirt0/groovy,now 6.6.0-1ubuntu2 s390x [installed,automatic]
linux-image-5.4.0-21-generic/now 5.4.0-21.25 s390x [installed,local]
linux-image-5.4.0-47-generic/now 5.4.0-47.51 s390x [installed,local]
linux-image-5.8.0-18-generic/groovy,now 5.8.0-18.19 s390x [installed,automatic]
linux-image-5.8.0-19-generic/groovy-proposed,groovy-proposed,now 5.8.0-19.20 s390x [installed,automatic]
linux-image-generic/groovy-proposed,groovy-proposed,now 5.8.0.19.23 s390x [installed,automatic]
linux-image-unsigned-5.4.0-9019-generic/now 5.4.0-9019.23 s390x [installed,local]
python3-libvirt/groovy,now 6.1.0-1 s390x [installed,automatic]
qemu-block-extra/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu-kvm/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]
qemu-system-common/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu-system-data/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 all [installed,automatic]
qemu-system-s390x/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]
qemu-utils/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed,automatic]
qemu/groovy-proposed,groovy-proposed,now 1:5.0-5ubuntu8 s390x [installed]

Protected virtualization was enabled on the system before and after upgrade with kernel parameter "prot_virt=1".
Libvirts cached capabilities file was updated due to new kernel booting and virt-host-validate returned "pass" for "QEMU: Checking for secure guest support".
Unexpectedly starting an SE guest with console (virsh start guest01 --console) resulted in a crash of the guest.

Here is what I caught in the log:
2020-09-16 10:48:14.805+0000: starting up libvirt version: 6.6.0, package: 1ubuntu2 (Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 25 Aug 2020 14:53:26 +0200), qemu version: 5.0.0Debian 1:5.0-5ubuntu8, kernel: 5.8.0-19-generic, hostname: linux02.
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-1-focal \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-1-focal/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-1-focal/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-1-focal/.config \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-s390x \
-name guest=focal,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-focal/master-key.aes \
-machine s390-ccw-virtio-5.0,accel=kvm,usb=off,dump-guest-core=off,loadparm=5 \
-cpu gen15b-base,aen=on,cmmnt=on,vxpdeh=on,aefsi=on,csske=on,mepoch=on,msa9=on,msa8=on,msa7=on,msa6=on,msa5=on,msa4=on,msa3=on,msa2=on,msa1=on,sthyi=on,edat=on,ri=on,deflate=on,edat2=on,unpack=on,etoken=on,vx=on,ipter=on,mepochptff=on,ap=on,vxeh=on,vxpd=on,esop=on,vxeh2=on,esort=on,apqi=on,apft=on,iep=on,apqci=on,cte=on,ais=on,bpb=on,gs=on,ppa15=on,zpci=on,sea_esop2=on,te=on,cmm=on \
-m 2000 \
-overcommit mem-lock=off \
-smp 4,sockets=4,cores=1,threads=1 \
-object iothread,id=iothread1 \
-object iothread,id=iothread2 \
-uuid fa435f71-7724-4ff1-8515-77ce1d0f22d1 \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=28,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-blockdev '{"driver":"file","filename":"/var/lib/libvirt/images/focal.qcow2","aio":"native","node-name":"libvirt-1-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"qcow2","file":"libvirt-1-storage","backing":null}' \
-device virtio-blk-ccw,iothread=iothread1,iommu_platform=on,devno=fe.0.0000,drive=libvirt-1-format,id=virtio-disk0,bootindex=1,write-cache=on \
-netdev tap,fd=30,id=hostnet0 \
-device virtio-net-ccw,netdev=hostnet0,id=net0,mac=52:54:00:36:d3:88,devno=fe.0.0001,iommu_platform=on \
-chardev pty,id=charconsole0 \
-device sclpconsole,chardev=charconsole0,id=console0 \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
char device redirected to /dev/pts/1 (label charconsole0)
2020-09-16 10:48:15.496+0000: panic s390: core='1' psw-mask='0x0002000000000000' psw-addr='0x0000000000000000' reason='disabled-wait'
2020-09-16T10:52:42.641203Z qemu-system-s390x: terminating on signal 15 from pid 3382 (/usr/sbin/libvirtd)
2020-09-16 10:52:43.241+0000: shutting down, reason=destroyed

Retrying without console worked without crash.
Again retrying with console worked without crash and trying multiple times to recreate the crash failed.
Note: libvirts capabilities cache file remained unchanged during all this!
Rebooted and tried to cause the crash again failed as well. I am not sure what caused this glitch!

Continued testing by replacing kernel parameter prot_virt=1 with prot-virt=0 and rebooting.
Libvirts cached capabilities file has been updated, virt-host-validate returned "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)" for "QEMU: Checking for secure guest support" and as expected SE guest was NOT able to start. Guest log:
2020-09-16 11:17:06.859+0000: panic s390: core='0' psw-mask='0x0002000080000000' psw-addr='0x0000000000004607' reason='disabled-wait'

Replaced kernel parameter "prot-virt=0" with "prot-virt=1" and rebooted.
Libvirts cached capabilities file has been updated, virt-host-validate returned "PASS" for "QEMU: Checking for secure guest support" and as expected SE guest was able to start.

Removed kernel parameter "prot-virt=1" and rebooted host.
Libvirts cached capabilities file has been updated, virt-host-validate returned "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)" for "QEMU: Checking for secure guest support" and as expected SE guest was NOT able to start. Guest log:
2020-09-16 12:06:12.182+0000: panic s390: core='0' psw-mask='0x0002000080000000' psw-addr='0x0000000000004607' reason='disabled-wait'

Added kernel parameter "prot-virt=1 prot_virt=0" and rebooted host.
Libvirts cached capabilities file has been update, virt-host-validate returned "pass" for "QEMU: Checking for secure guest support" and SE guest was able to start successfully.

Played around with kernel parameter values (prot_virt or prot-virt setting it to 0 or 1) a couple of times.
All seems to work as expected.
I was never able to recreate the guest crash experienced first and since I doubt that libvirt is involved in this behavior I regard this test successful.

Revision history for this message

Chris Halse Rogers (raof) wrote on 2020-09-23:

#29

This looks like it should be ready for release into focal-updates, but it's unclear to me whether anyone has tested the packages currently in focal-proposed?

I see that some PPA packages have been tested and confirmed to work, but for SRUs we generally require that the actual packages that will end up in -updates (ie: the packages in -proposed) be tested.

This is to avoid human error where the packages in a PPA are not exactly the same code as that in -proposed, and also to avoid the rare cases where some quirk of the build environment causes PPA builds to build correctly but the archive packages to fail.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-23: Re: [Bug 1874647] Re: [Ubuntu 20.04] Stale libvirt cache leads to VM startup failures

#30

On Wed, Sep 23, 2020 at 4:05 AM Chris Halse Rogers
<email address hidden> wrote:
>
> This looks like it should be ready for release into focal-updates, but
> it's unclear to me whether anyone has tested the packages currently in
> focal-proposed?

Hi Chris, I did test the x86 part of it.
AFAIK the s390x part was only tested on the PPA, but I'm unsure if we
can expect them to be tested twice without actively pinging/polling
for it.

Revision history for this message

bugproxy (bugproxy) wrote on 2020-09-24: Comment bridged from LTC Bugzilla

#31

------- Comment From <email address hidden> 2020-09-24 09:56 EDT-------
Installed focal.
Added proposed repo
$ cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://ports.ubuntu.com/ubuntu-ports $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

Ran
$ apt-get upgrade

Checked installed packages
$ apt list --installed | grep -e libvirt -e qemu -e linux-image
libvirt-clients/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon-driver-qemu/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon-driver-storage-rbd/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
libvirt-daemon-system-systemd/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
libvirt-daemon-system/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt0/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
linux-image-5.4.0-48-generic/focal-updates,focal-security,focal-proposed,now 5.4.0-48.52 s390x [installed,automatic]
linux-image-generic/focal-updates,focal-security,now 5.4.0.48.51 s390x [installed,upgradable to: 5.4.0.49.52]
qemu-block-extra/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-kvm/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed]
qemu-system-common/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-system-data/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 all [installed,automatic]
qemu-system-s390x/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-utils/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]

Ran virt-host-validate and received the expected warning: "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)"

Enabled protected virtualization by adding kernel parameter "prot_virt=1" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "PASS" for "QEMU: Checking for secure guest support" and as expected an SE guest was able to start.

Disabled protected virtualization by changing kernel parameter "prot_virt=1" to "prot-virt=0" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "WARN..." for "QEMU: Checking for secure guest support" and as expected an SE guest was NOT able to start.

Reenabled protected virtualization by changing kernel parameter "prot-virt=0" to "prot-virt=1" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "PASS" for "QEMU: Checking for secure guest support" and as expected an SE guest was able to start.

------- Comment From boris_fiuczynski@de.ibm.com 2020-09-24 09:56 EDT-------
Installed focal.
Added proposed repo
$ cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://ports.ubuntu.com/ubuntu-ports $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

Ran
$ apt-get upgrade

Checked installed packages
$ apt list --installed | grep -e libvirt -e qemu -e linux-image
libvirt-clients/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon-driver-qemu/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon-driver-storage-rbd/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
libvirt-daemon-system-systemd/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
libvirt-daemon-system/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt-daemon/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed]
libvirt0/focal-proposed,now 6.0.0-0ubuntu8.4 s390x [installed,automatic]
linux-image-5.4.0-48-generic/focal-updates,focal-security,focal-proposed,now 5.4.0-48.52 s390x [installed,automatic]
linux-image-generic/focal-updates,focal-security,now 5.4.0.48.51 s390x [installed,upgradable to: 5.4.0.49.52]
qemu-block-extra/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-kvm/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed]
qemu-system-common/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-system-data/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 all [installed,automatic]
qemu-system-s390x/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]
qemu-utils/focal-updates,focal-security,now 1:4.2-3ubuntu6.6 s390x [installed,automatic]

Ran virt-host-validate and received the expected warning: "WARN (IBM Secure Execution appears to be disabled in kernel. Add prot_virt=1 to kernel cmdline arguments)"

Enabled protected virtualization by adding kernel parameter "prot_virt=1" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "PASS" for "QEMU: Checking for secure guest support" and as expected an SE guest was able to start.

Disabled protected virtualization by changing kernel parameter "prot_virt=1" to "prot-virt=0" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "WARN..." for "QEMU: Checking for secure guest support" and as expected an SE guest was NOT able to start.

Reenabled protected virtualization by changing kernel parameter "prot-virt=0" to "prot-virt=1" and rebooted.
Libvirts cached capabilities file was updated and virt-host-validate returned "PASS" for "QEMU: Checking for secure guest support" and as expected an SE guest was able to start.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-09-24:

#32

This bug was fixed in the package libvirt - 6.0.0-0ubuntu8.4

---------------
libvirt (6.0.0-0ubuntu8.4) focal; urgency=medium

  * avoid stale libvirt capability cache (LP: #1874647)
    - when host cpu changes (e.g. nested with different configuration)
    - when s390x protvirt or AMD SEV changes
    - d/p/ubuntu/lp-1874647-*

-- Christian Ehrhardt <email address hidden> Mon, 31 Aug 2020 08:41:25 +0200

Changed in libvirt (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2020-09-24: Update Released

#33

The verification of the Stable Release Update for libvirt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes) on 2020-09-24

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2020-09-30: Comment bridged from LTC Bugzilla

#34

------- Comment From <email address hidden> 2020-09-30 06:46 EDT-------
IBM Bugzilla status-> closed, Fix Released with all requested distros

Ubuntu
libvirt package

[Ubuntu 20.04] Stale libvirt cache leads to VM startup failures

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	Medium	Skipper Bug Screeners
libvirt (Ubuntu)	Fix Released	Medium	Unassigned
Focal	Fix Released	Undecided	Christian Ehrhardt 
Groovy	Fix Released	Medium	Unassigned

Ubuntulibvirt package

[Ubuntu 20.04] Stale libvirt cache leads to VM startup failures

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
libvirt package