Updated libvirt packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
- The CPU architecture of AMD family 15h processors consists of "modules", which are reported both as separate cores and as separate threads. Management applications had to choose one of these two representations, and libvirt did not provide enough information to make that choice, so they could not represent the modules of an AMD family 15h processor core according to their needs. The capabilities XML output now contains more information about the processor topology, so that management applications can extract the information they need.
- When auto-port and port were not specified but the tlsPort attribute was set to "-1", the tlsPort parameter passed on the QEMU command line was set to "1" instead of a valid port. Consequently, QEMU failed because it was unable to bind a socket on that port. This update replaces the QEMU driver code for managing port reservations with the new virPortAllocator APIs, and QEMU is now able to bind a socket on the port.
- Previously, libvirtd was unable to execute an S3/S4 operation for a Microsoft Windows guest that ran the guest agent service. Consequently, a "domain s4 fail" error message was reported because the domain was destroyed. With this update, the guest is destroyed successfully and the libvirtd service no longer crashes.
- When a VM was saved into a compressed file and decompression of that file failed while libvirt was trying to resume the VM, libvirt removed the VM from the list of running VMs, but did not remove the corresponding QEMU process. With this update, the QEMU process is killed in such cases. Moreover, non-fatal decompression errors are now ignored and a VM can be successfully resumed if such an error occurs.
- The Python bindings for libvirt contained an incorrect implementation of the getDomain() and getConnect() methods in the virDomainSnapshot class. Consequently, the Python client terminated unexpectedly with a segmentation fault. The Python bindings now provide proper domain() and connect() accessors that fetch the Python objects stored internally within the virDomainSnapshot instance, and the crashes no longer occur.
- Previously, libvirt added a cache of storage file backing chains rather than rediscovering the backing chain details on every operation. This cache was then used to decide which files to label for sVirt, but when libvirt switched over to using the cache, the code only populated it when cgroups were in use. On setups that did not use cgroups, the missing backing chain cache information meant that sVirt was unable to properly label backing chain files, a regression observed as guests being prevented from running. Populating the cache has now been moved earlier so that it is independent of cgroups; sVirt operations are more efficient as a result and work whether or not cgroups are in effect.
- Occasionally, when users ran multiple virsh create/destroy loops, a race condition could occur and libvirtd terminated unexpectedly with a segmentation fault. False error messages telling the caller that the domain had already been destroyed also occurred. With this update, such create/destroy loops run to completion without libvirtd crashing.
- Previously, libvirt followed relative backing chains differently than QEMU. This resulted in missing sVirt permissions when libvirt could not follow the chain. With this update, relative backing files are now treated identically in libvirt and QEMU, and VDSM use of relative backing files functions properly.
- Previously, libvirt reported raw QEMU errors when snapshots failed, and the error message provided was confusing. With this update, libvirt now gives a clear error message when QEMU is not capable of snapshots, which enables more informative handling of the situation.
- Previously, libvirt was not tolerant of missing unpriv_sgio support in the running kernel even when that support was not needed. After upgrading the host system to Red Hat Enterprise Linux 6.4, users were unable to start domains using shareable block disk devices unless they rebooted the host into the new kernel. The check for unpriv_sgio support is now performed only when it is really needed, and libvirt is able to start all domains that do not strictly require unpriv_sgio support regardless of whether the host kernel supports it.
- When asked to create a logical volume with zero allocation, libvirt ran lvcreate to create a volume with no extents, which is not permitted. Creation of logical volumes with zero allocation failed and libvirt returned an error message that did not mention the real error. Now, rather than asking for no extents, libvirt tries to create the volume with a minimal number of extents. The code has also been fixed to provide the real error message should the volume creation fail. Logical volumes with zero allocation can now be successfully created using libvirt.
- Previously, when users started a guest with a shareable block CD-ROM, libvirtd failed unexpectedly because it accessed memory that had already been freed. This update addresses the issue, and libvirtd no longer crashes in the described scenario.
- Various memory leaks in libvirtd were discovered when users ran Coverity and Valgrind leak detection tools. This update addresses these issues, and libvirtd no longer leaks memory in the described scenario.
- This update adds support for the ram_size setting of the QXL device. When using multiple heads in one PCI device, the device needs more RAM assigned. The RAM bar size can now be set larger than the default, and libvirt can drive multi-head QXL.
Users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the updated packages, libvirtd will be restarted automatically.
Updated libvirt packages that fix one security issue, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The libvirt packages provide the libvirt library, which is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
The libvirt packages have been upgraded to upstream version 0.10.2, which provides a number of bug fixes and enhancements over the previous version, such as support for Open vSwitch, a new API for detailed CPU statistics, improved support of the LXC method including the sVirt technology, improvements of the virsh edit command, improved APIs for listing various objects, and support for pinning and tuning emulator threads. (BZ#836934)
- It was discovered that libvirt made certain invalid assumptions about dnsmasq's command line options when setting up DNS masquerading for virtual machines, resulting in dnsmasq incorrectly processing network packets from network interfaces that were intended to be prohibited. This update includes the changes necessary to call dnsmasq with a new command line option, which was introduced to dnsmasq via RHSA-2013:0277. In order for libvirt to be able to make use of the new command line option (--bind-dynamic), updated dnsmasq packages need to be installed. Refer to RHSA-2013:0277 for additional information.
- The libvirt library was issuing the PAUSED event before the QEMU processor emulator had really paused. Consequently, a domain could be reported as paused before it was actually paused, which could confuse a management application using the libvirt library. With this update, the PAUSED event is issued after QEMU is stopped on a monitor, and the management application is no longer confused by
- BZ#797279, BZ#808980, BZ#869557
- The fixed limit for the maximum size of an RPC message that could be sent between the libvirtd daemon and a client, such as the virsh utility, was 65536 bytes. However, this limit was not always sufficient, and messages longer than that could be dropped, leaving a client unable to fetch important data. With this update, the buffer for incoming messages has been made dynamic and both sides, the client and libvirtd, now allocate as much memory as is needed for a given message, which allows much bigger messages to be sent.
- Previously, repeatedly migrating a guest between two machines while using tunnelled migration could cause the libvirtd daemon to lock up unexpectedly. The bug in the code for locking remote drivers has been fixed and repeated tunnelled migrations of domains now work as expected.
- Previously, multiple libvirt API calls were needed to determine the full list of guests on a host controlled by the libvirt library. Consequently, a race condition could occur when a guest changed its state between the two calls that were needed to enumerate started and stopped guests. The guest then disappeared from both lists, because the moment of enumeration was not considered part of either list. This update adds a new API function that gathers the guest list in one call while the driver is locked. This guarantees that no guest changes its state before the list is gathered, so guests no longer disappear in the described scenario.
- libvirt did not report many useful error messages that were returned by external programs such as QEMU, and only reported a command failure. Consequently, certain problems whose cause or resolution could be trivial to discover by looking at the error output were difficult to diagnose. With this update, if any external command run by libvirt exits with a failure, its standard error output is added to the system log as a libvirt error. As a result, problems are now easier to diagnose because better information is available.
- Closing a file descriptor multiple times could, under certain circumstances, lead to a failure to execute the qemu-kvm binary. As a consequence, a guest failed to start. A patch has been applied to address this issue, so that the guest now starts successfully.
- Prior to this update, libvirt used an unsuitable detection procedure to detect the NUMA and processor topology of a system. Consequently, the topology of some advanced multi-processor systems was detected incorrectly and management applications could not utilize the full potential of the system. The detection has now been improved and the topology is properly recognized even on modern systems.
- Previously, the libvirt library had hooks for calling a user-written script when a guest was started or stopped, but had no hook to call a script for each guest when the libvirtd daemon itself was restarted. Consequently, certain custom setups that required extra operations not directly provided by libvirt could fail when libvirtd was restarted. For example, packet forwarding rules installed to redirect incoming connections to a particular guest could be overridden by libvirt's “refresh” of its own iptables packet forwarding rules, breaking the connection forwarding that had been set up. This update adds a new “reconnect” hook to libvirt; the QEMU hook script is called with a type of “reconnect” for every active guest each time libvirtd is restarted. Users can now write scripts that recognize the “reconnect” event and, for example, reload the user-supplied iptables forwarding rules when it occurs. As a result, incoming connections continue to be forwarded correctly, even when
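As an added example that is not part of the advisory or of libvirt itself, a hook script of the kind the new “reconnect” type makes possible: it re-installs user-supplied port forwarding rules for a guest when the guest starts and on every libvirtd reconnect, and removes them when the guest stops. The positional arguments (guest name, operation, sub-operation) are libvirt's documented hook calling convention; the guest-to-port mapping and the RUN dry-run variable are constructed for this example.

```shell
#!/bin/sh
# Added example (not libvirt's own code): a /etc/libvirt/hooks/qemu script that
# re-installs user-supplied port forwarding on the new "reconnect" hook.
# libvirt invokes the hook as:  qemu <guest name> <operation> <sub-operation> <extra>
# and feeds the domain XML on stdin (not needed here).
set -eu

# Constructed guest -> "host port:guest IP:guest port" mapping (assumption for the
# example; a deployment would read it from a config file or from the domain XML).
forward_spec() {
    case "$1" in
        webvm) echo "8080:192.168.122.10:80" ;;
        sshvm) echo "2222:192.168.122.11:22" ;;
        *)     return 1 ;;
    esac
}

# Build the iptables command that forwards a host port to the guest.
# $1 is -A (add) or -D (delete); $2 is a spec from forward_spec.
dnat_rule() {
    hport=${2%%:*}
    rest=${2#*:}
    gip=${rest%%:*}
    gport=${rest#*:}
    echo "iptables -t nat $1 PREROUTING -p tcp --dport $hport -j DNAT --to-destination $gip:$gport"
}

# Map (operation, sub-operation) to an action; kept separate so it can be tested.
decide() {
    case "$1/$2" in
        started/begin)   echo reload ;;  # guest starting: install its rule
        reconnect/begin) echo reload ;;  # libvirtd restarted and refreshed iptables: re-install
        stopped/end)     echo remove ;;  # guest stopped: drop its rule
        *)               echo ignore ;;
    esac
}

# Apply the action for a guest. Set RUN=echo to print the rules instead of executing them.
apply() {
    guest=$1
    spec=$(forward_spec "$guest") || return 0   # nothing configured for this guest
    run=${RUN:-sh -c}
    case "$(decide "$2" "$3")" in
        reload)
            # Delete first so a reconnect never leaves a duplicate rule behind.
            $run "$(dnat_rule -D "$spec") 2>/dev/null || true"
            $run "$(dnat_rule -A "$spec")"
            ;;
        remove)
            $run "$(dnat_rule -D "$spec")"
            ;;
    esac
}

# Entry point when libvirtd runs the hook; does nothing when sourced by a test.
if [ "$#" -ge 3 ]; then
    apply "$1" "$2" "$3"
fi
```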
- On certain NUMA architectures, libvirt failed to process and expose the NUMA topology, sometimes leading to performance degradation. With this update, libvirt can parse and expose the NUMA topology on such machines and makes the correct CPU placement, thus avoiding performance degradation.
- The virsh undefine command supports deleting volumes associated with a domain. When using this command, the volumes are passed as additional arguments, and any trailing string after the basic command is interpreted as a volume to be deleted. Previously, the volumes were checked only after the guest had been deleted, which could lead to user errors. With this update, the volume arguments are checked before the deletion process so that errors can be reported sensibly. As a result, the command with an incorrect argument fails before it attempts to delete a guest, and the host system stays in a sane state.
- Due to several bugs in the implementation of keep-alive messages that are used for the detection of broken connections or non-functional peers, these connections and peers could be incorrectly considered broken or non-functional and thus the keep-alive messages were disabled by default in Red Hat Enterprise Linux 6.3. The implementation of the keep-alive messages has been fixed and this feature is now enabled by default.
- Previously, a reversed condition in a check performed during callback registration prevented multiple callbacks from being registered. This update applies a patch to fix this condition, and multiple callbacks can now be registered successfully.
- The SPICE server needs a certain amount of time at the end of the migration process to transfer its internal state to the destination guest. Previously, the libvirt library could kill the source QEMU and the SPICE server before the internal state had been transmitted. This behavior caused the destination client to be unresponsive. With this update, libvirt waits until the end of the SPICE migration. As a result, the SPICE server no longer becomes unresponsive in this situation.
- When using the sanlock daemon for locking resources used by a domain, if such a resource was read-only, the locking attempt failed. Consequently, it was impossible to start a domain with a CD-ROM drive. This bug has been fixed and sanlock can now be properly used with read-only devices.
- Previously, the libvirt library did not support the S4 (Suspend-to-Disk) event on QEMU domains. Consequently, management applications could not register whether a guest was suspended to disk or powered off. With this update, support for the S4 event has been added and management applications can now request to receive S4 events.
- Because an installation of the libvirt library had been reconfigured, libvirt, under certain conditions, searched for a non-existent option when used outside of vdsm. Consequently, using the virsh utility on such a machine caused it to terminate with a segmentation fault. The underlying source code has been modified to fix this bug and users can now use virsh on machines configured by
- Previously, a condition in a check used to verify whether modification of a domain XML in a saved file was successful was inverted. Consequently, the virsh utility reported that this check failed even if it was successful, and vice versa. This update applies a patch to fix this bug, and success and failure of this check are now reported correctly.
- Disk hot plug is a two-part action: the qemuMonitorAddDrive() call is followed by the qemuMonitorAddDevice() call. When the first part succeeded but the second one failed, libvirt failed to roll back the first part and the device remained in use even though the disk hot plug had failed. With this update, the rollback of the drive addition is properly performed in the described scenario and disk hot plug now works as expected.
- Previously, the SIGINT signal was not blocked while the virDomainGetBlockJobInfo() function was running. Consequently, an attempt to abort a process started by a command with the --wait option using the CTRL+C shortcut did not work properly. This update applies a patch to block SIGINT during the virDomainGetBlockJobInfo() call, and aborting processes using the CTRL+C shortcut now works as expected.
- Previously, an unspecified error with a meaningless error code was returned when a guest agent became unresponsive. Consequently, management applications could not recognize why the guest agent hung, that is, whether the guest agent was not configured or was unusable. This update introduces a new VIR_ERR_AGENT_UNRESPONSIVE error code and fixes the error message. As a result, management applications can now recognize why the guest agent hangs.
- Due to a bug in the libvirt code, two mutually exclusive cases could occur. In the first case, a guest operating system could fail to detect that it was being suspended because the suspend routine is handled by the hypervisor. In the second case, the cooperation of the guest operating system was required, for example during synchronization of the time after the resume routine. Consequently, it was possible to successfully call the suspend routine on a domain with the
libvirt returned success on an operation which in fact failed. This update adds an additional check to prevent libvirt from suspending a domain with the
- Due to recent changes in port allocation, SPICE ports and SPICE TLS ports were the same. Consequently, QEMU domains started with both options were configured to use the same port, and the SPICE TLS port could not be allocated because one port cannot be allocated twice. With this update, the port allocation has been fixed and QEMU domains now work as expected in this situation.
- A virtual guest can have a network interface that is connected to an SR-IOV (Single Root I/O Virtualization) device's virtual function (VF) using the macvtap driver in passthrough mode, and from there is connected to an 802.1Qbh-capable switch. Previously, when shutting down the guest, libvirt erroneously set the SR-IOV device's physical function (PF) offline instead of the VF. Here is an example of the type of interface that could be affected:
  <interface type='direct'>
    <source dev='eth7' mode='passthrough'/>
    <virtualport type='802.1Qbh'>
      <parameters profileid='test'/>
    </virtualport>
  </interface>
Consequently, if the PF was being used by the host for its own network connectivity, the host networking was adversely affected, possibly completely disabled, whenever the guest was shut down or the guest's network device was detached. The underlying source code has been modified to fix this bug, and the PF associated with the VF used by the macvtap driver now continues to work in the described scenario.
- Red Hat Enterprise Linux 6.3 implemented the block copy feature before the upstream version of QEMU did. Since then, several improvements have been made to the upstream version of this feature. Consequently, previous versions of the libvirt library were unable to fully manage the block copy feature in the current release of QEMU. With this update, the block copy feature has been updated to the upstream versions of QEMU and libvirt. As a result, libvirt is able to manage all versions of the
- libvirt put the default USB controller into the XML configuration file during live migration to Red Hat Enterprise Linux 6.1 hosts. These hosts did not support USB controllers in the XML file. Consequently, live migration to these hosts failed. This update prevents libvirt from including the default USB controller in the XML configuration file during live migration, and live migration works properly in the described scenario.
- When a QEMU process is being destroyed by libvirt, a clean-up operation frees some internal structures and locks. However, since users can destroy QEMU processes at the same time, libvirt holds the QEMU driver mutex to protect the list of domains and their states, among other things. Previously, a function tried to lock the QEMU driver mutex when it was already locked, creating a deadlock. The code has been modified to always check whether the mutex is free before attempting to lock it, thus fixing this bug.
- When the host_uuid option was present in the libvirtd.conf file, the augeas libvirt lens was unable to parse the file. This bug has been fixed and the augeas libvirt lens now parses libvirtd.conf as expected in the described scenario.
- Previously, handling of duplicate MAC addresses differed between live attach or detach and persistent attach or detach of network devices. Consequently, the persistent attach-interface of a device with a MAC address matching an existing device could fail, even though the live attach-interface of such a device succeeded. This behavior was inconsistent and sometimes led to an incorrect device being detached from the guest. With this update, libvirt has been modified to allow duplicate MAC addresses in all cases and to check the unique PCI address in order to distinguish between multiple devices with the same MAC address.
- The qemu-kvm -help command was run every time libvirt started a guest, to learn what features were available for use in QEMU. On a machine with a number of guests, this behavior caused noticeable delays in starting all of the guests. This update modifies libvirt to cache the information about QEMU until the QEMU binary's time stamp changes. As a result, libvirt is faster when starting a machine with various guests.
- Previously, the ESX 5.1 server was not fully tested. Consequently, connecting to ESX 5.1 caused a warning to be returned. The ESX 5.1 server has been properly tested and connecting to this server now works as expected.
- Under certain circumstances, the iohelper process failed to write data to disk while saving a domain, and the kernel did not report an out-of-space error (ENOSPC). With this update, the fdatasync() function is called in the described scenario to force the data to be written to disk or to catch a write error. As a result, if a write error occurs, it is now properly caught and reported.
- Certain operations in libvirt can be done only when a domain is paused, to prevent data corruption. However, if a resuming operation failed, the management application was not notified since no event was sent. This update introduces the VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR event, and management applications can now keep closer track of domain states and act accordingly.
- When libvirt could not find a suitable CPU model for a host CPU, it failed to provide the CPU topology in the host capabilities even though the topology was detected correctly. Consequently, applications that work with the host CPU topology but not with the CPU model could not see the topology in the host capabilities. With this update, the host capabilities XML description contains the host CPU topology even if the host CPU model is unknown.
- The emulatorpin option sets the CPU affinity for a QEMU domain process. However, this behavior overrode the CPU affinity set by the vcpu placement="auto" setting when creating a cgroup hierarchy for the domain process. That CPU affinity is set with the advisory nodeset from the numad daemon. With this update, libvirt does not allow the emulatorpin option to change the CPU affinity of a domain process if the vcpu placement setting is set to auto. As a result, the numad daemon is supported as expected.
- The libvirt library allows users to cancel an ongoing migration. Previously, if an attempt to cancel the migration was made in the migration preparation phase, QEMU missed the request and the migration was not canceled. With this update, the virDomainAbortJob() function sets a flag when a cancel request is made, and this flag is checked before the main phase of the migration starts. As a result, a migration can now be properly canceled even in the preparation phase.
- Certain AMD processors contain modules which are reported by the kernel as both threads and cores. Previously, the libvirt processor topology detection code was not able to detect these modules. Consequently, libvirt reported the actual number of processors twice. This bug has been fixed by reporting a topology that adds up to the total number of processors reported in the system. However, the actual topology has to be checked in the output of the virCapabilities() function. Additionally, documentation for the fallback output has been provided.
Note: Users should be instructed to use the capabilities output for topology detection purposes, for performance reasons. The NUMA topology is what has the important impact on performance, and the physical topology can differ from it.
- Due to changes in the virStorageBackendLogicalCreateVol() function, the setting of the volume type was removed. Consequently, logical volumes were treated as files without any format and libvirt was unable to clone them. This update provides a patch to set the volume type, and libvirt clones logical volumes as expected.
- When a saved file could not be opened, the virFileWrapperFdCatchError() function was called with a NULL argument. Consequently, the libvirtd daemon terminated unexpectedly due to a NULL pointer dereference. With this update, the virFileWrapperFdCatchError() function is called only when the file is open, and instead of crashing, the daemon now reports an error.
- Whenever the virDomainGetXMLDesc() function was executed on an unresponsive domain, the call also became unresponsive. With this update, QEMU sends the BALLOON_CHANGE event when memory usage on a domain changes, so that virDomainGetXMLDesc() no longer has to query an unresponsive domain. As a result, virDomainGetXMLDesc() calls no longer hang in the described scenario.
- This update adds support for external live snapshots of disks and RAM.
- libvirt could apply packet filters, among others the anti-spoofing filter, to guest network connections using the nwfilter subsystem. However, these filter rules required manually entering the IP address of a guest into the guest configuration. This process was not effective when guests acquired their IP addresses via the DHCP protocol: the network needed a manually added static host entry for each guest, and the guest's network interface definition needed that same IP address added to its filters. This enhancement improves libvirt to automatically learn the IP and MAC addresses used by a guest network connection by monitoring the connection's ARP traffic, in order to set up host-based, guest-specific packet filtering rules that block traffic with incorrect IP or MAC addresses from the guests. With this new feature, nwfilter packet filters can be written to use automatically detected IP and MAC addresses, which simplifies the process of provisioning a guest.
- When the guest CPU definition is not supported due to the user's special configuration, an error message is returned. This enhancement improves this error message to contain flags that indicate precisely which options of the user's configuration are not supported.
- Resident Set Size (RSS) limits control how much RAM a process can use. If a process leaks memory, the limits prevent it from affecting other processes on the system. With this update, the RSS limits of a QEMU process are set by default according to how much RAM and video RAM is configured for the domain.
- Previously, the libvirt library could create block snapshots but could not clean them up. For a long-running guest, creating a large number of snapshots led to performance issues as the QEMU process emulator had to traverse longer chains of backing images. This enhancement improves the libvirt library to control the QEMU process emulator feature responsible for committing the changes in a snapshot image back into the backing file, and the backing chain is now kept at a more manageable length.
- Previously, the automatically allocated ports for the VNC protocol started at port number 5900. With this update, the starting port for VNC is configurable by users.
- The QEMU guest, and the media of a CD-ROM or floppy, could be suspended or resumed inside the guest directly instead of using the libvirt API. This enhancement improves the libvirt library to support three new events of the QEMU Monitor Protocol (QMP): the SUSPEND event, the WAKEUP event, and the DEVICE_TRAY_MOVED event. These events let a management application know that the guest status or the tray status has changed:
  - when the SUSPEND event is emitted, the domain status is changed to
  - when the WAKEUP event is emitted, the domain status is changed to
  - when the DEVICE_TRAY_MOVED event is emitted for a disk device, the current tray status for the disk is reflected in the libvirt XML file, so that management applications do not start the guest with the medium inserted when the medium was previously ejected inside the guest.
- The QEMU process emulator now supports TSC-Deadline timer mode for guests that are running on the Intel 64 architecture. This enhancement improves the libvirt library with this feature's flag to stay synchronized with QEMU.
- Previously, it was impossible to move a guest's network connection to a different network without stopping the guest. In order to change the connection, the network needed to be completely detached from the guest and then re-attached after changing the configuration to specify the new connection. With this update, it is now possible to change a guest's interface definition to specify a different type of interface, and to change the network or bridge name or both, all without stopping or pausing the guest or detaching its network device. From the point of view of the guest, the network remains available during the entire transition; if the move requires a new IP address, that can be handled by changing the configuration on the guest, or by requesting that it renews its
- When connecting to the libvirt library, a certain form of authentication could be required and, if so, interactive prompts were presented to the user. However, in certain cases the interactive prompts cannot be used, for example when automating background processes. This enhancement improves libvirt to use the auth.conf file located in the $HOME/.libvirt/ directory to supply authentication credentials for connections. As a result, these credentials are pre-populated, thus avoiding the interactive prompts.
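As an added example, not from the advisory or from libvirt, a script that writes such an auth.conf with owner-only permissions (the file holds a cleartext password) and reads the service-to-credentials mapping back. The section and key names follow libvirt's documented auth.conf layout; host names, user names and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example (not libvirt's own code): create $HOME/.libvirt/auth.conf so that
# background jobs connect without interactive prompts. Section and key names follow
# libvirt's documented auth.conf layout: a [credentials-<group>] section holding
# authname/password, and an [auth-<service>-<host>] section pointing at the group.
# Host, user and password values passed by callers are constructed sample data.
set -eu

# Write auth.conf into directory $1 for service $2, host $3, credentials group $4,
# user $5 and password $6. Prints the path of the file written.
write_auth_conf() {
    dir=$1 service=$2 host=$3 group=$4 user=$5 pass=$6
    conf="$dir/auth.conf"
    (
        umask 077                  # the file stores a cleartext password: owner-only
        mkdir -p "$dir"
        cat > "$conf" <<EOF
[credentials-$group]
authname=$user
password=$pass

[auth-$service-$host]
credentials=$group
EOF
    )
    echo "$conf"
}

# Succeed only if the file is unreadable by group and others (mode ?00).
perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the credentials group that auth.conf $1 maps service $2 on host $3 to.
lookup_group() {
    awk -v sect="[auth-$2-$3]" '
        $0 == sect                          { insect = 1; next }
        /^\[/                               { insect = 0 }
        insect && sub(/^credentials=/, "")  { print; exit }
    ' "$1"
}
```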
- This enhancement improves libvirt to support connecting virtual guest network devices to Open vSwitch bridges, which provide a more fully-featured replacement for the standard Linux host bridge. Among other features, Open vSwitch bridges allow more connections to a single bridge, transparent VLAN tagging, and better management using the OpenFlow standard. As a result, libvirt is now able to use an already existing Open vSwitch bridge, either directly in the interface definition of a guest or as a bridge in a libvirt network. Management of the bridge must be handled outside the scope of libvirt, but guest network devices can be attached and detached, and VLAN tags and interface IDs can be assigned on a per-port basis.
- Certain users prefer to run minimal configurations for server systems and do not need graphical or USB support. This enhancement provides a new feature that allows users to disable USB and graphic controllers in guest machines.
- BZ#820808, BZ#826325
- With this enhancement, the virsh dump command is now supported for domains with passthrough devices. As a result, these domains can be dumped with an additional
- The libvirt library already supported pinning and limiting QEMU threads associated with virtual CPUs, but other threads, such as the I/O thread, could not be pinned and limited separately. This enhancement improves libvirt to support pinning and limiting of both CPU threads and other emulator threads separately.
- This enhancement improves the libvirt library to be able to configure Discretionary Access Control (DAC) for each domain, so that different domains can access different resources.
- Previously, only the “system instance” of the libvirtd daemon, that is, the one running as the root user, could set up a guest network connection using a tap device and a host bridge. A “session instance”, that is, one running as a non-root user, was only able to use QEMU's limited “user mode” networking. User-mode network connections have several limitations; for example, they do not allow incoming connections or ping in either direction, and they are slower than a tap-device-based network connection. With this enhancement, libvirt has been updated to support QEMU's new SUID “network helper”, so that non-privileged libvirt users are able to create guest network connections using tap devices and host bridges. Users who require this behavior need to set the interface type to bridge in the virtual machine's configuration; libvirtd then automatically notices that it is running as a non-privileged user and instructs QEMU to set up the network connection using its “network helper”.
Note: This feature is only supported when the interface type is bridge, and does not work with the network interface type even if the specified network uses a bridge device.
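Handing tap creation to a setuid helper moves the root boundary to that binary and its ACL file, so an administrator should know what it permits before enabling session-mode bridging. As an added example (not part of the errata), the shell functions below check the helper's mode and owner and evaluate its ACL file for a given bridge. The ACL evaluation follows the helper's behaviour as I read its source: rules are scanned top to bottom, the first matching allow or deny wins, all matches every bridge, a bridge matching no rule is denied, and include lines are not followed here. The paths /usr/libexec/qemu-bridge-helper and /etc/qemu/bridge.conf are the upstream defaults and are assumptions; confirm them on RHEL 6 with rpm -ql qemu-kvm. The sample ACL is constructed for the example.

```shell
#!/bin/sh
# Added example: audit the setuid bridge helper that a session-mode libvirtd
# delegates tap-device creation to. Paths are upstream defaults (assumption).
HELPER=${HELPER:-/usr/libexec/qemu-bridge-helper}
ACL=${ACL:-/etc/qemu/bridge.conf}

# Decide whether ACL file $1 allows attaching to bridge $2. Mirrors the helper's
# logic as I read it: first matching "allow"/"deny" wins, "all" matches every
# bridge, and a bridge that matches no rule is denied. "include" is ignored.
bridge_allowed() {
    conf=$1 br=$2
    [ -r "$conf" ] || return 1
    while read -r verb arg _rest; do
        case $verb in
            ''|'#'*) continue ;;
            allow) if [ "$arg" = all ] || [ "$arg" = "$br" ]; then return 0; fi ;;
            deny)  if [ "$arg" = all ] || [ "$arg" = "$br" ]; then return 1; fi ;;
        esac
    done < "$conf"
    return 1
}

# The helper only works if it is setuid root, but it should not be executable
# by every local account, or anyone can plug a tap into an allowed bridge.
# Returns 0 when the file is root-owned and mode 4750 or 4710 (GNU stat).
helper_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = root ] || return 1
    case $mode in 4750|4710) return 0 ;; *) return 1 ;; esac
}

# Constructed sample ACL written to $1, so the functions can be exercised
# without touching a real host.
write_sample_acl() {
    cat > "$1" <<'EOF'
# constructed example bridge.conf
deny  br-mgmt
allow br0
allow ovsbr0
EOF
}

# Usage on a host, before pointing a session guest at br0 with
# <interface type='bridge'><source bridge='br0'/>...</interface>
# under 'virsh --connect qemu:///session':
#   helper_mode_ok "$HELPER" && bridge_allowed "$ACL" br0 && echo "br0 reachable from session libvirtd"
```

The deny rule for br-mgmt is listed first on purpose: with first-match semantics an allow all placed above it would override it, so order the file with the denials at the top.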
- Previously, core dumps of domains with a large amount of memory were unnecessarily huge. With this update, a new dumpCore option has been added to control whether the guest's memory should be included in a core dump. When this option is set to off, core dumps are reduced by the size of the guest's memory.
- This enhancement allows the libvirt library to set the World Wide Name (WWN), which provides stable device paths, for IDE and SCSI disks.
- This enhancement adds the possibility to control the advertising of S3 (Suspend-to-RAM) and S4 (Suspend-to-Disk) domain states to a guest. As a result, supported versions of QEMU can be configured to not advertise its S3 or S4 capability to a guest.
- With this update, support for the AMD Opteron G5 processor model has been added to the libvirt library. This change allows the user to utilize the full potential of new features, such as
- This enhancement adds support for the next generation of Intel Core and Intel Xeon processors to the libvirt library. The next generation supports the following features: rtm, compared to the previous Intel Xeon Processor E5-XXXX and Intel Xeon Processor E5-XXXX V2 family of processors.
- When changing the configuration of a libvirt virtual network, it was previously necessary to restart the network for the changes to take effect. This enhancement adds a new virsh net-update command that allows certain parts of a network configuration to be modified and the changes applied immediately, without restarting the network and disconnecting guests. As a result, it is now possible to add static host entries to and remove them from a network's dhcp section; change the range of IP addresses dynamically assigned by the DHCP server; modify, add, and remove portgroup elements; and add and remove interfaces from a forward element's pool of interfaces, all without restarting the network. Refer to the virsh(1) man page for more details about the
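As an added example (not part of the errata), here is a small shell wrapper around virsh net-update that adds or removes a static DHCP host entry on a running network. The host element is built by a function that refuses malformed MAC addresses, host names or IPv4 addresses, so that a value taken from a ticket or a CSV cannot terminate the single-quoted XML attribute and inject further markup. The network name default and the addresses are placeholders.

```shell
#!/bin/sh
# Added example: drive 'virsh net-update' for static DHCP host entries.
# Network name and addresses are placeholders.

# Build the <host/> element for the ip-dhcp-host section. All three values
# end up inside single-quoted XML attributes, so only accept characters that
# cannot end the attribute or introduce further elements.
dhcp_host_xml() {
    mac=$1 name=$2 ip=$3
    case $mac in
        ??:??:??:??:??:??) case $mac in *[!0-9a-fA-F:]*) echo "bad MAC: $mac" >&2; return 1 ;; esac ;;
        *) echo "bad MAC: $mac" >&2; return 1 ;;
    esac
    case $name in ''|*[!A-Za-z0-9._-]*) echo "bad host name: $name" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*) echo "bad IPv4 address: $ip" >&2; return 1 ;; esac
    # split on dots and check for exactly four octets in 0..255
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "bad IPv4 address: $ip" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    printf "<host mac='%s' name='%s' ip='%s'/>\n" "$mac" "$name" "$ip"
}

# Add a reservation to the live network and to its persistent definition.
# 'add-last' appends to the <dhcp> section of the <ip> element.
dhcp_host_add() {    # NET MAC NAME IP
    xml=$(dhcp_host_xml "$2" "$3" "$4") || return 1
    virsh net-update "$1" add-last ip-dhcp-host "$xml" --live --config
}

# Remove it again; 'delete' matches the existing element by its attributes.
dhcp_host_delete() { # NET MAC NAME IP
    xml=$(dhcp_host_xml "$2" "$3" "$4") || return 1
    virsh net-update "$1" delete ip-dhcp-host "$xml" --live --config
}

# Usage (needs libvirtd and a running 'default' network):
#   dhcp_host_add default 52:54:00:12:34:56 web1 192.168.122.10
#   virsh net-dumpxml default | grep "name='web1'"
#   dhcp_host_delete default 52:54:00:12:34:56 web1 192.168.122.10
```

Passing --live together with --config is what makes the change take effect on the running dnsmasq instance and survive the next net-start; with neither flag, virsh applies the update to the live network only when it is active.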
- With this enhancement, the virsh program supports the --help option for all its commands and displays the appropriate documentation.
- With this enhancement, the libvirt library can now control the hv_relaxed feature. This feature makes a Windows guest more tolerant of long periods of inactivity.
- The current release of the libvirt library added several capabilities related to snapshots, among them the ability to create an external snapshot whether the domain is running or offline. Consequently, the user interface of the virsh program also had to be improved to support those features. With this update, these snapshot-related improvements were added to virsh to provide full support for these features.
- For security reasons, certain SCSI commands were blocked in a virtual machine. This behavior affected applications in which logical unit numbers (LUNs) of SCSI disks were passed through to trusted guests. This enhancement improves libvirt to support a new sgio attribute. Setting this attribute to unfiltered allows trusted guests to invoke all supported SCSI commands; the default, filtered, keeps the command filtering in place.
All users of libvirt are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing the updated packages, the libvirtd daemon must be restarted using the service libvirtd restart command for this update to take effect.
Updated libvirt packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
- libvirt invokes the PolicyKit pkcheck utility to handle authorization. A race condition was found in the way libvirt used this utility, allowing a local user to bypass intended PolicyKit authorizations or execute arbitrary commands with root privileges. (CVE-2013-4311)
Note: With this update, libvirt has been rebuilt to communicate with PolicyKit via a different API that is not vulnerable to the race condition. The polkit RHSA-2013:1270 advisory must also be installed to fix the CVE-2013-4311 issue.
- An invalid free flaw was found in libvirtd's remoteDispatchDomainMemoryStats function. An attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd. (CVE-2013-4296) Because libvirtd's read-only UNIX socket is reachable by any local user in the default configuration, this is a local denial of service that requires no libvirt privileges.
The CVE-2013-4296 issue was discovered by Daniel P. Berrange of Red Hat.
- Prior to this update, the libvirtd daemon leaked memory in the virCgroupMoveTask() function. A fix has been provided that stops libvirtd from mismanaging these memory allocations.
- Previously, the libvirtd daemon accessed one byte before the start of an array in the virCgroupGetValueStr() function. This bug has been fixed and libvirtd now stays within the array bounds.
- When migrating, libvirtd leaked the migration URI (Uniform Resource Identifier) on the destination host. A patch has been provided to fix this bug, and the migration URI is now freed correctly.
- Updating a network interface using the virDomainUpdateDeviceFlags API failed when a boot order was set for that interface, even if the same boot order was set in the provided device XML. The virDomainUpdateDeviceFlags API has been fixed to correctly parse the boot order specification from the provided device XML, and updating network interfaces with boot orders now works as expected.
Users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.