github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-18 07:18:27 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2382 from dgibson/prep-qemu-6.1

Browse Source 
Update Kata to allow it to use Qemu 6.1
This commit is contained in:
Julio Montes
2021-08-04 09:16:06 -05:00
committed by GitHub
parent 48bb104660 831c2feead
commit 03325f0612
15 changed files with 88 additions and 700 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/runtime/go.mod
View File

@@ -24,7 +24,7 @@ require (
github.com/gogo/protobuf v1.3.2
github.com/hashicorp/go-multierror v1.0.0
github.com/intel-go/cpuid v0.0.0-20210602155658-5747e5cec0d9
github.com/kata-containers/govmm v0.0.0-20210722115311-0173713ea912
github.com/kata-containers/govmm v0.0.0-20210804035756-3c64244cbb48
github.com/mdlayher/vsock v0.0.0-20191108225356-d9c65923cb8f
github.com/opencontainers/runc v1.0.1
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417

4
src/runtime/go.sum
View File

@@ -364,8 +364,8 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/kata-containers/govmm v0.0.0-20210722115311-0173713ea912 h1:Ejn4L5OXYbdgnh1ghmlKvTPEC1b415PQDsNhzA2kWLQ=
github.com/kata-containers/govmm v0.0.0-20210722115311-0173713ea912/go.mod h1:A6QaNB6N6PRQ9mTRpFtUxiF5T5CJpzLALjxBrUQPlFI=
github.com/kata-containers/govmm v0.0.0-20210804035756-3c64244cbb48 h1:+tb5btBYMjZ1C5zBqK7ygCb03yqZtC5Mz0W6riq6T5k=
github.com/kata-containers/govmm v0.0.0-20210804035756-3c64244cbb48/go.mod h1:A6QaNB6N6PRQ9mTRpFtUxiF5T5CJpzLALjxBrUQPlFI=
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=

11
src/runtime/vendor/github.com/kata-containers/govmm/qemu/qemu.go generated vendored
View File

@@ -2448,6 +2448,9 @@ type Config struct {
// CPUModel is the CPU model to be used by qemu.
CPUModel string
// SeccompSandbox is the qemu function which enables the seccomp feature
SeccompSandbox string
// Machine
Machine Machine
@@ -2524,6 +2527,13 @@ func (config *Config) appendFDs(fds []*os.File) []int {
return fdInts
}
func (config *Config) appendSeccompSandbox() {
if config.SeccompSandbox != "" {
config.qemuParams = append(config.qemuParams, "-sandbox")
config.qemuParams = append(config.qemuParams, config.SeccompSandbox)
}
}
func (config *Config) appendName() {
if config.Name != "" {
config.qemuParams = append(config.qemuParams, "-name")
@@ -2877,6 +2887,7 @@ func LaunchQemu(config Config, logger QMPLog) (string, error) {
config.appendPidFile()
config.appendLogFile()
config.appendFwCfg(logger)
config.appendSeccompSandbox()
if err := config.appendCPUs(); err != nil {
return "", err

77
src/runtime/vendor/github.com/kata-containers/govmm/qemu/qmp.go generated vendored
View File

@@ -719,6 +719,10 @@ func QMPStart(ctx context.Context, socket string, cfg QMPConfig, disconnectedCh
}
}
if q.version.Major < 5 {
return nil, nil, fmt.Errorf("govmm requires qemu version 5.0 or later, this is qemu (%d.%d)", q.version.Major, q.version.Minor)
}
return q, q.version, nil
}
@@ -775,20 +779,13 @@ func (q *QMP) blockdevAddBaseArgs(device, blockdevID string, ro bool) (map[strin
"driver": "raw",
"read-only": ro,
"file": map[string]interface{}{
"driver": "file",
"driver": "host_device",
"filename": device,
},
}
if q.version.Major > 2 || (q.version.Major == 2 && q.version.Minor >= 8) {
blockdevArgs["node-name"] = blockdevID
args = blockdevArgs
} else {
blockdevArgs["id"] = blockdevID
args = map[string]interface{}{
"options": blockdevArgs,
}
}
blockdevArgs["node-name"] = blockdevID
args = blockdevArgs
return args, blockdevArgs
}
@@ -813,11 +810,6 @@ func (q *QMP) ExecuteBlockdevAdd(ctx context.Context, device, blockdevID string,
func (q *QMP) ExecuteBlockdevAddWithCache(ctx context.Context, device, blockdevID string, direct, noFlush, ro bool) error {
args, blockdevArgs := q.blockdevAddBaseArgs(device, blockdevID, ro)
if q.version.Major < 2 || (q.version.Major == 2 && q.version.Minor < 9) {
return fmt.Errorf("versions of qemu (%d.%d) older than 2.9 do not support set cache-related options for block devices",
q.version.Major, q.version.Minor)
}
blockdevArgs["cache"] = map[string]interface{}{
"direct": direct,
"no-flush": noFlush,
@@ -850,7 +842,7 @@ func (q *QMP) ExecuteDeviceAdd(ctx context.Context, blockdevID, devID, driver, b
args["bus"] = bus
}
if shared && (q.version.Major > 2 || (q.version.Major == 2 && q.version.Minor >= 10)) {
if shared {
args["share-rw"] = "on"
}
if transport.isVirtioPCI(nil) {
@@ -904,32 +896,22 @@ func (q *QMP) ExecuteSCSIDeviceAdd(ctx context.Context, blockdevID, devID, drive
if lun >= 0 {
args["lun"] = lun
}
if shared && (q.version.Major > 2 || (q.version.Major == 2 && q.version.Minor >= 10)) {
if shared {
args["share-rw"] = "on"
}
return q.executeCommand(ctx, "device_add", args, nil)
}
// ExecuteBlockdevDel deletes a block device by sending a x-blockdev-del command
// for qemu versions < 2.9. It sends the updated blockdev-del command for qemu>=2.9.
// blockdevID is the id of the block device to be deleted. Typically, this will
// match the id passed to ExecuteBlockdevAdd. It must be a valid QMP id.
// ExecuteBlockdevDel deletes a block device by sending blockdev-del
// command. blockdevID is the id of the block device to be deleted.
// Typically, this will match the id passed to ExecuteBlockdevAdd. It
// must be a valid QMP id.
func (q *QMP) ExecuteBlockdevDel(ctx context.Context, blockdevID string) error {
args := map[string]interface{}{}
if q.version.Major > 2 || (q.version.Major == 2 && q.version.Minor >= 9) {
args["node-name"] = blockdevID
return q.executeCommand(ctx, "blockdev-del", args, nil)
}
if q.version.Major == 2 && q.version.Minor == 8 {
args["node-name"] = blockdevID
} else {
args["id"] = blockdevID
}
return q.executeCommand(ctx, "x-blockdev-del", args, nil)
args["node-name"] = blockdevID
return q.executeCommand(ctx, "blockdev-del", args, nil)
}
// ExecuteChardevDel deletes a char device by sending a chardev-remove command.
@@ -1104,7 +1086,7 @@ func (q *QMP) ExecutePCIDeviceAdd(ctx context.Context, blockdevID, devID, driver
if bus != "" {
args["bus"] = bus
}
if shared && (q.version.Major > 2 || (q.version.Major == 2 && q.version.Minor >= 10)) {
if shared {
args["share-rw"] = "on"
}
if queues > 0 {
@@ -1240,10 +1222,7 @@ func isThreadIDSupported(driver string) bool {
// isDieIDSupported returns if the cpu driver and the qemu version support the die id option
func (q *QMP) isDieIDSupported(driver string) bool {
if (q.version.Major > 4 || (q.version.Major == 4 && q.version.Minor >= 1)) && driver == "host-x86_64-cpu" {
return true
}
return false
return driver == "host-x86_64-cpu"
}
// ExecuteCPUDeviceAdd adds a CPU to a QEMU instance using the device_add command.
@@ -1387,17 +1366,16 @@ func (q *QMP) ExecQueryCpusFast(ctx context.Context) ([]CPUInfoFast, error) {
// ExecMemdevAdd adds size of MiB memory device to the guest
func (q *QMP) ExecMemdevAdd(ctx context.Context, qomtype, id, mempath string, size int, share bool, driver, driverID, addr, bus string) error {
props := map[string]interface{}{"size": uint64(size) << 20}
args := map[string]interface{}{
"qom-type": qomtype,
"id": id,
"props": props,
"size": uint64(size) << 20,
}
if mempath != "" {
props["mem-path"] = mempath
args["mem-path"] = mempath
}
if share {
props["share"] = true
args["share"] = true
}
err := q.executeCommand(ctx, "object-add", args, nil)
if err != nil {
@@ -1447,18 +1425,13 @@ func (q *QMP) ExecuteNVDIMMDeviceAdd(ctx context.Context, id, mempath string, si
args := map[string]interface{}{
"qom-type": "memory-backend-file",
"id": "nvdimmbackmem" + id,
"props": map[string]interface{}{
"mem-path": mempath,
"size": size,
"share": true,
},
"mem-path": mempath,
"size": size,
"share": true,
}
if q.version.Major > 4 || (q.version.Major == 4 && q.version.Minor >= 1) {
if pmem != nil {
props := args["props"].(map[string]interface{})
props["pmem"] = *pmem
}
if pmem != nil {
args["pmem"] = *pmem
}
err := q.executeCommand(ctx, "object-add", args, nil)

2
src/runtime/vendor/modules.txt vendored
View File

@@ -249,7 +249,7 @@ github.com/imdario/mergo
# github.com/intel-go/cpuid v0.0.0-20210602155658-5747e5cec0d9
## explicit
github.com/intel-go/cpuid
# github.com/kata-containers/govmm v0.0.0-20210722115311-0173713ea912
# github.com/kata-containers/govmm v0.0.0-20210804035756-3c64244cbb48
## explicit
github.com/kata-containers/govmm/qemu
# github.com/klauspost/compress v1.11.13

2
src/runtime/virtcontainers/qemu_amd64.go
View File

@@ -31,7 +31,7 @@ const (
defaultQemuMachineType = QemuQ35
defaultQemuMachineOptions = "accel=kvm,kernel_irqchip"
defaultQemuMachineOptions = "accel=kvm,kernel_irqchip=on"
qmpMigrationWaitTimeout = 5 * time.Second

98
tools/packaging/qemu/patches/4.0.x/0001-9p-removing-coroutines-of-9p-to-increase-the-I-O-per.patch
View File

@@ -1,98 +0,0 @@
From 894a8ae5524fff4ad9d3551c515788c5650e1fc7 Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Wed, 28 Mar 2018 20:14:53 +0800
Subject: [PATCH 1/2] 9p: removing coroutines of 9p to increase the I/O
performance
This is a quick workaround, need to be fixed.
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
---
hw/9pfs/9p.c | 12 +++++-------
hw/9pfs/9p.h | 6 +++---
hw/9pfs/coth.h | 3 +++
3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 55821343e5..c5f089860d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -690,10 +690,7 @@ static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
out_notify:
pdu->s->transport->push_and_notify(pdu);
- /* Now wakeup anybody waiting in flush for this request */
- if (!qemu_co_queue_next(&pdu->complete)) {
- pdu_free(pdu);
- }
+ pdu_free(pdu);
}
static mode_t v9mode_to_mode(uint32_t mode, V9fsString *extension)
@@ -3525,7 +3522,7 @@ static inline bool is_read_only_op(V9fsPDU *pdu)
void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
{
- Coroutine *co;
+// Coroutine *co;
CoroutineEntry *handler;
V9fsState *s = pdu->s;
@@ -3543,8 +3540,9 @@ void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
}
qemu_co_queue_init(&pdu->complete);
- co = qemu_coroutine_create(handler, pdu);
- qemu_coroutine_enter(co);
+ handler(pdu);
+ //co = qemu_coroutine_create(handler, pdu);
+ //qemu_coroutine_enter(co);
}
/* Returns 0 on success, 1 on failure. */
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index 8883761b2c..24aeba03f7 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -320,21 +320,21 @@ extern int total_open_fd;
static inline void v9fs_path_write_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_wrlock(&s->rename_lock);
+ // qemu_co_rwlock_wrlock(&s->rename_lock);
}
}
static inline void v9fs_path_read_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_rdlock(&s->rename_lock);
+ // qemu_co_rwlock_rdlock(&s->rename_lock);
}
}
static inline void v9fs_path_unlock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_unlock(&s->rename_lock);
+ // qemu_co_rwlock_unlock(&s->rename_lock);
}
}
diff --git a/hw/9pfs/coth.h b/hw/9pfs/coth.h
index 19e4d9287e..728a25865d 100644
--- a/hw/9pfs/coth.h
+++ b/hw/9pfs/coth.h
@@ -47,6 +47,9 @@
qemu_coroutine_yield(); \
} while (0)
+#undef v9fs_co_run_in_worker
+#define v9fs_co_run_in_worker(code_block) do {code_block} while(0);
+
void co_run_in_worker_bh(void *);
int coroutine_fn v9fs_co_readlink(V9fsPDU *, V9fsPath *, V9fsString *);
int coroutine_fn v9fs_co_readdir(V9fsPDU *, V9fsFidState *, struct dirent **);
--
2.17.2

73
tools/packaging/qemu/patches/4.0.x/0002-migration-allow-private-destination-ram-with-x-ignor.patch
View File

@@ -1,73 +0,0 @@
From b17fbbe55cba95ad323b27c2f9f3e22eb6364d4b Mon Sep 17 00:00:00 2001
From: Peng Tao <tao.peng@linux.alibaba.com>
Date: Fri, 14 Jun 2019 14:35:13 +0800
Subject: [PATCH] migration: allow private destination ram with x-ignore-shared
By removing the share ram check, qemu is able to migrate
to private destination ram when x-ignore-shared capability
is on. Then we can create multiple destination VMs based
on the same source VM.
This changes the x-ignore-shared migration capability to
work similar to Lai's original bypass-shared-memory
work(https://lists.gnu.org/archive/html/qemu-devel/2018-04/msg00003.html)
which enables kata containers (https://katacontainers.io)
to implement the VM templating feature.
An example usage in kata containers(https://katacontainers.io):
1. Start the source VM:
qemu-system-x86 -m 2G \
-object memory-backend-file,id=mem0,size=2G,share=on,mem-path=/tmpfs/template-memory \
-numa node,memdev=mem0
2. Stop the template VM, set migration x-ignore-shared capability,
migrate "exec:cat>/tmpfs/state", quit it
3. Start target VM:
qemu-system-x86 -m 2G \
-object memory-backend-file,id=mem0,size=2G,share=off,mem-path=/tmpfs/template-memory \
-numa node,memdev=mem0 \
-incoming defer
4. connect to target VM qmp, set migration x-ignore-shared capability,
migrate_incoming "exec:cat /tmpfs/state"
5. create more target VMs repeating 3 and 4
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: Yury Kotov <yury-kotov@yandex-team.ru>
Cc: Jiangshan Lai <laijs@hyper.sh>
Cc: Xu Wang <xu@hyper.sh>
Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1560494113-1141-1-git-send-email-tao.peng@linux.alibaba.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
---
migration/ram.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/migration/ram.c b/migration/ram.c
index 8a6ad61d3d..8622b4dc49 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -3426,7 +3426,6 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
}
if (migrate_ignore_shared()) {
qemu_put_be64(f, block->mr->addr);
- qemu_put_byte(f, ramblock_is_ignored(block) ? 1 : 0);
}
}
@@ -4393,12 +4392,6 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
}
if (migrate_ignore_shared()) {
hwaddr addr = qemu_get_be64(f);
- bool ignored = qemu_get_byte(f);
- if (ignored != ramblock_is_ignored(block)) {
- error_report("RAM block %s should %s be migrated",
- id, ignored ? "" : "not");
- ret = -EINVAL;
- }
if (ramblock_is_ignored(block) &&
block->mr->addr != addr) {
error_report("Mismatched GPAs for block %s "
--
2.17.1

43
tools/packaging/qemu/patches/4.0.x/0003-memory-backend-file-nvdimm-support-read-only-files-a.patch
View File

@@ -1,43 +0,0 @@
From bf71d7d8e04e85517578c021804c77739f9fed72 Mon Sep 17 00:00:00 2001
From: Julio Montes <julio.montes@intel.com>
Date: Mon, 8 Jul 2019 21:19:36 +0000
Subject: [PATCH] memory-backend-file/nvdimm: support read-only files as
memory-backends
Currently is not possible to use a file that is part of a read-only
filesystem as memory backend for nvdimm devices, even if this is not modified
in the guest. In order to improve the security of Virtual Machines that share
and do not modify the memory-backend-file, QEMU should support
read-only memory-backeds.
Use case:
* Kata Containers use a memory-backed-file as read-only rootfs, and this
file is used to start all the virtual machines in the node.
It would be really bad if somehow a malicious container modified it.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Message-Id: <20190708211936.8037-1-julio.montes@intel.com>
---
exec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/exec.c b/exec.c
index 3e78de3b8f..a1b6f939fb 100644
--- a/exec.c
+++ b/exec.c
@@ -1865,6 +1865,12 @@ static int file_ram_open(const char *path,
break;
}
g_free(filename);
+ } else if (errno == EROFS) {
+ fd = open(path, O_RDONLY);
+ if (fd >= 0) {
+ /* @path names an existing read-only file, use it */
+ break;
+ }
}
if (errno != EEXIST && errno != EINTR) {
error_setg_errno(errp, errno,
--
2.17.2

98
tools/packaging/qemu/patches/4.1.x/0001-9p-removing-coroutines-of-9p-to-increase-the-I-O-per.patch
View File

@@ -1,98 +0,0 @@
From 493163ca322c87860492328c7898064051321c67 Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Wed, 28 Mar 2018 20:14:53 +0800
Subject: [PATCH 1/3] 9p: removing coroutines of 9p to increase the I/O
performance
This is a quick workaround, need to be fixed.
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
---
hw/9pfs/9p.c | 12 +++++-------
hw/9pfs/9p.h | 6 +++---
hw/9pfs/coth.h | 3 +++
3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 55821343e5..c5f089860d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -690,10 +690,7 @@ static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
out_notify:
pdu->s->transport->push_and_notify(pdu);
- /* Now wakeup anybody waiting in flush for this request */
- if (!qemu_co_queue_next(&pdu->complete)) {
- pdu_free(pdu);
- }
+ pdu_free(pdu);
}
static mode_t v9mode_to_mode(uint32_t mode, V9fsString *extension)
@@ -3525,7 +3522,7 @@ static inline bool is_read_only_op(V9fsPDU *pdu)
void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
{
- Coroutine *co;
+// Coroutine *co;
CoroutineEntry *handler;
V9fsState *s = pdu->s;
@@ -3543,8 +3540,9 @@ void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
}
qemu_co_queue_init(&pdu->complete);
- co = qemu_coroutine_create(handler, pdu);
- qemu_coroutine_enter(co);
+ handler(pdu);
+ //co = qemu_coroutine_create(handler, pdu);
+ //qemu_coroutine_enter(co);
}
/* Returns 0 on success, 1 on failure. */
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index 8883761b2c..24aeba03f7 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -320,21 +320,21 @@ extern int total_open_fd;
static inline void v9fs_path_write_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_wrlock(&s->rename_lock);
+ // qemu_co_rwlock_wrlock(&s->rename_lock);
}
}
static inline void v9fs_path_read_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_rdlock(&s->rename_lock);
+ // qemu_co_rwlock_rdlock(&s->rename_lock);
}
}
static inline void v9fs_path_unlock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_unlock(&s->rename_lock);
+ // qemu_co_rwlock_unlock(&s->rename_lock);
}
}
diff --git a/hw/9pfs/coth.h b/hw/9pfs/coth.h
index 19e4d9287e..728a25865d 100644
--- a/hw/9pfs/coth.h
+++ b/hw/9pfs/coth.h
@@ -47,6 +47,9 @@
qemu_coroutine_yield(); \
} while (0)
+#undef v9fs_co_run_in_worker
+#define v9fs_co_run_in_worker(code_block) do {code_block} while(0);
+
void co_run_in_worker_bh(void *);
int coroutine_fn v9fs_co_readlink(V9fsPDU *, V9fsPath *, V9fsString *);
int coroutine_fn v9fs_co_readdir(V9fsPDU *, V9fsFidState *, struct dirent **);
--
2.17.2

45
tools/packaging/qemu/patches/4.1.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
View File

@@ -1,45 +0,0 @@
From f116c58ab18762b1fdf5b5908af8612bf933d159 Mon Sep 17 00:00:00 2001
From: Julio Montes <julio.montes@intel.com>
Date: Mon, 8 Jul 2019 21:19:36 +0000
Subject: [PATCH 2/3] memory-backend-file/nvdimm: support read-only files as
memory-backends
Currently it is not possible to use a file that is part of a read-only
filesystem as memory backend for nvdimm devices, even if the file itself
is not modified in the guest. Same goes for files that do not have write access.
In order to improve the security of Virtual Machines that share
and do not modify the memory-backend-file, QEMU should support
read-only memory-backends.
Use case:
* Kata Containers use a memory-backed-file as read-only rootfs, and this
file is used to start all the virtual machines in the node.
It would be really bad if somehow a malicious container modified it.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Message-Id: <20190708211936.8037-1-julio.montes@intel.com>
---
exec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/exec.c b/exec.c
index 3e78de3b8f..a1b6f939fb 100644
--- a/exec.c
+++ b/exec.c
@@ -1865,6 +1865,12 @@ static int file_ram_open(const char *path,
break;
}
g_free(filename);
+ } else if (errno == EROFS || errno == EACCES) {
+ fd = open(path, O_RDONLY);
+ if (fd >= 0) {
+ /* @path names an existing read-only file, use it */
+ break;
+ }
}
if (errno != EEXIST && errno != EINTR) {
error_setg_errno(errp, errno,
--
2.17.2

71
tools/packaging/qemu/patches/4.1.x/0003-configure-more-resilient-Python-version-capture.patch
View File

@@ -1,71 +0,0 @@
From 19ec1516315083bb609a6683271dc19adb464522 Mon Sep 17 00:00:00 2001
From: Cleber Rosa <crosa@redhat.com>
Date: Mon, 26 Aug 2019 11:58:32 -0400
Subject: [PATCH 3/3] configure: more resilient Python version capture
The current approach to capture the Python version is fragile, as it
was demonstrated by a very specific build of Python 3 on Fedora 29
that, under non-interactive shells would print multiline version
information.
The (badly) stripped version output would be sent to config-host.mak,
producing bad syntax and rendering the makefiles unusable. Now, the
Python versions is printed by configure, but only a simple (and better
controlled variable) indicating whether the build system is using
Python 2 is kept on config-host.mak.
Signed-off-by: Cleber Rosa <crosa@redhat.com>
Message-Id: <20190826155832.17427-1-crosa@redhat.com>
Reviewed-by: Tony Nguyen <tony.nguyen@bt.com>
---
configure | 5 +++--
tests/Makefile.include | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/configure b/configure
index 714e7fb6a1..0a6a617fa3 100755
--- a/configure
+++ b/configure
@@ -1864,7 +1864,7 @@ if ! $python -c 'import sys; sys.exit(sys.version_info < (2,7))'; then
fi
# Preserve python version since some functionality is dependent on it
-python_version=$($python -V 2>&1 | sed -e 's/Python\ //')
+python_version=$($python -c 'import sys; print("%d.%d.%d" % (sys.version_info[0], sys.version_info[1], sys.version_info[2]))' 2>/dev/null)
# Suppress writing compiled files
python="$python -B"
@@ -6514,6 +6514,7 @@ if ! $python -c 'import sys; sys.exit(sys.version_info < (3,0))'; then
echo
echo "warning: Python 2 support is deprecated" >&2
echo "warning: Python 3 will be required for building future versions of QEMU" >&2
+ python2="y"
fi
config_host_mak="config-host.mak"
@@ -7333,7 +7334,7 @@ echo "INSTALL_DATA=$install -c -m 0644" >> $config_host_mak
echo "INSTALL_PROG=$install -c -m 0755" >> $config_host_mak
echo "INSTALL_LIB=$install -c -m 0644" >> $config_host_mak
echo "PYTHON=$python" >> $config_host_mak
-echo "PYTHON_VERSION=$python_version" >> $config_host_mak
+echo "PYTHON2=$python2" >> $config_host_mak
echo "CC=$cc" >> $config_host_mak
if $iasl -h > /dev/null 2>&1; then
echo "IASL=$iasl" >> $config_host_mak
diff --git a/tests/Makefile.include b/tests/Makefile.include
index fd7fdb8658..fc67846431 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -1132,7 +1132,7 @@ TESTS_RESULTS_DIR=$(BUILD_DIR)/tests/results
AVOCADO_SHOW=app
AVOCADO_TAGS=$(patsubst %-softmmu,-t arch:%, $(filter %-softmmu,$(TARGET_DIRS)))
-ifneq ($(findstring v2,"v$(PYTHON_VERSION)"),v2)
+ifneq ($(PYTHON2),y)
$(TESTS_VENV_DIR): $(TESTS_VENV_REQ)
$(call quiet-command, \
$(PYTHON) -m venv --system-site-packages $@, \
--
2.17.2

98
tools/packaging/qemu/patches/4.2.x/0001-9p-removing-coroutines-of-9p-to-increase-the-I-O-per.patch
View File

@@ -1,98 +0,0 @@
From 4400ea745b2a073186061a04dc07d90a8fb8a51f Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Wed, 28 Mar 2018 20:14:53 +0800
Subject: [PATCH 1/2] 9p: removing coroutines of 9p to increase the I/O
performance
This is a quick workaround, need to be fixed.
Signed-off-by: Chao Peng <chao.p.peng@linux.intel.com>
---
hw/9pfs/9p.c | 12 +++++-------
hw/9pfs/9p.h | 6 +++---
hw/9pfs/coth.h | 3 +++
3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 520177f40c..191c43e42d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1082,10 +1082,7 @@ static void coroutine_fn pdu_complete(V9fsPDU *pdu, ssize_t len)
out_notify:
pdu->s->transport->push_and_notify(pdu);
- /* Now wakeup anybody waiting in flush for this request */
- if (!qemu_co_queue_next(&pdu->complete)) {
- pdu_free(pdu);
- }
+ pdu_free(pdu);
}
static mode_t v9mode_to_mode(uint32_t mode, V9fsString *extension)
@@ -3968,7 +3965,7 @@ static inline bool is_read_only_op(V9fsPDU *pdu)
void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
{
- Coroutine *co;
+// Coroutine *co;
CoroutineEntry *handler;
V9fsState *s = pdu->s;
@@ -3986,8 +3983,9 @@ void pdu_submit(V9fsPDU *pdu, P9MsgHeader *hdr)
}
qemu_co_queue_init(&pdu->complete);
- co = qemu_coroutine_create(handler, pdu);
- qemu_coroutine_enter(co);
+ handler(pdu);
+ //co = qemu_coroutine_create(handler, pdu);
+ //qemu_coroutine_enter(co);
}
/* Returns 0 on success, 1 on failure. */
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index 3904f82901..30ecab2b2e 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -380,21 +380,21 @@ extern int total_open_fd;
static inline void v9fs_path_write_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_wrlock(&s->rename_lock);
+ // qemu_co_rwlock_wrlock(&s->rename_lock);
}
}
static inline void v9fs_path_read_lock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_rdlock(&s->rename_lock);
+ // qemu_co_rwlock_rdlock(&s->rename_lock);
}
}
static inline void v9fs_path_unlock(V9fsState *s)
{
if (s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT) {
- qemu_co_rwlock_unlock(&s->rename_lock);
+ // qemu_co_rwlock_unlock(&s->rename_lock);
}
}
diff --git a/hw/9pfs/coth.h b/hw/9pfs/coth.h
index c2cdc7a9ea..0fe971d1f5 100644
--- a/hw/9pfs/coth.h
+++ b/hw/9pfs/coth.h
@@ -46,6 +46,9 @@
qemu_coroutine_yield(); \
} while (0)
+#undef v9fs_co_run_in_worker
+#define v9fs_co_run_in_worker(code_block) do {code_block} while(0);
+
void co_run_in_worker_bh(void *);
int coroutine_fn v9fs_co_readlink(V9fsPDU *, V9fsPath *, V9fsString *);
int coroutine_fn v9fs_co_readdir(V9fsPDU *, V9fsFidState *, struct dirent **);
--
2.21.0

45
tools/packaging/qemu/patches/4.2.x/0002-memory-backend-file-nvdimm-support-read-only-files-a.patch
View File

@@ -1,45 +0,0 @@
From f06edce09ed88568a743c6aa36343081e35cca54 Mon Sep 17 00:00:00 2001
From: Julio Montes <julio.montes@intel.com>
Date: Mon, 8 Jul 2019 21:19:36 +0000
Subject: [PATCH 2/2] memory-backend-file/nvdimm: support read-only files as
memory-backends
Currently it is not possible to use a file that is part of a read-only
filesystem as memory backend for nvdimm devices, even if the file itself
is not modified in the guest. Same goes for files that do not have write access.
In order to improve the security of Virtual Machines that share
and do not modify the memory-backend-file, QEMU should support
read-only memory-backends.
Use case:
* Kata Containers use a memory-backed-file as read-only rootfs, and this
file is used to start all the virtual machines in the node.
It would be really bad if somehow a malicious container modified it.
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Message-Id: <20190708211936.8037-1-julio.montes@intel.com>
---
exec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/exec.c b/exec.c
index ffdb518535..506a5af8c1 100644
--- a/exec.c
+++ b/exec.c
@@ -1819,6 +1819,12 @@ static int file_ram_open(const char *path,
break;
}
g_free(filename);
+ } else if (errno == EROFS || errno == EACCES) {
+ fd = open(path, O_RDONLY);
+ if (fd >= 0) {
+ /* @path names an existing read-only file, use it */
+ break;
+ }
}
if (errno != EEXIST && errno != EINTR) {
error_setg_errno(errp, errno,
--
2.21.0

119
tools/packaging/scripts/configure-hypervisor.sh
View File

@@ -222,18 +222,14 @@ generate_qemu_options() {
# Disabled options
if gt_eq "${qemu_version}" "5.0.0" ; then
# Disable sheepdog block driver support
# Disable sheepdog block driver support (deprecated in 5.2.0)
if ! gt_eq ${qemu_version} 5.2.0 ; then
qemu_options+=(size:--disable-sheepdog)
# Disable block migration in the main migration stream
qemu_options+=(size:--disable-live-block-migration)
else
# Starting from QEMU 5.0, the bluetooth code has been removed without replacement.
# bluetooth support not required
qemu_options+=(size:--disable-bluez)
fi
# Disable block migration in the main migration stream
qemu_options+=(size:--disable-live-block-migration)
# braille support not required
qemu_options+=(size:--disable-brlapi)
@@ -256,7 +252,7 @@ generate_qemu_options() {
# Disable PAM authentication: it's a feature used together with VNC access
# that's not used. See QEMU commit 8953caf for more details
gt_eq "${qemu_version}" "4.0.0" && qemu_options+=(size:--disable-auth-pam)
qemu_options+=(size:--disable-auth-pam)
# Disable unused filesystem support
[ "$arch" == x86_64 ] && qemu_options+=(size:--disable-fdt)
@@ -265,11 +261,7 @@ generate_qemu_options() {
qemu_options+=(size:--disable-libnfs)
# Starting from QEMU 4.1, libssh replaces to libssh2
if gt_eq "${qemu_version}" "4.1.0" ; then
qemu_options+=(size:--disable-libssh)
else
qemu_options+=(size:--disable-libssh2)
fi
qemu_options+=(size:--disable-libssh)
# Disable unused compression support
qemu_options+=(size:--disable-bzip2)
@@ -294,12 +286,6 @@ generate_qemu_options() {
s390x) qemu_options+=(size:--disable-tcg) ;;
esac
# SECURITY: Don't build a static binary (lowers security)
# needed if qemu version is less than 2.7
if ! gt_eq "${qemu_version}" "2.7.0" ; then
qemu_options+=(security:--disable-static)
fi
if [ "${static}" == "true" ]; then
qemu_options+=(misc:--static)
fi
@@ -370,38 +356,33 @@ generate_qemu_options() {
# Disable Capstone
qemu_options+=(size:--disable-capstone)
if gt_eq "${qemu_version}" "3.0.0" ; then
# Disable graphics
qemu_options+=(size:--disable-virglrenderer)
# Disable graphics
qemu_options+=(size:--disable-virglrenderer)
# Due to qemu commit 3ebb9c4f52, we can't disable replication in v3.0
if gt_eq "${qemu_version}" "3.1.0" ; then
# Disable block replication
qemu_options+=(size:--disable-replication)
fi
# Disable block replication
qemu_options+=(size:--disable-replication)
# Disable USB smart card reader
qemu_options+=(size:--disable-smartcard)
# Disable USB smart card reader
qemu_options+=(size:--disable-smartcard)
# Disable guest agent
qemu_options+=(size:--disable-guest-agent)
qemu_options+=(size:--disable-guest-agent-msi)
# Disable guest agent
qemu_options+=(size:--disable-guest-agent)
qemu_options+=(size:--disable-guest-agent-msi)
# unused image formats
qemu_options+=(size:--disable-vvfat)
qemu_options+=(size:--disable-vdi)
qemu_options+=(size:--disable-qed)
qemu_options+=(size:--disable-qcow1)
qemu_options+=(size:--disable-bochs)
qemu_options+=(size:--disable-cloop)
qemu_options+=(size:--disable-dmg)
qemu_options+=(size:--disable-parallels)
# unused image formats
qemu_options+=(size:--disable-vvfat)
qemu_options+=(size:--disable-vdi)
qemu_options+=(size:--disable-qed)
qemu_options+=(size:--disable-qcow1)
qemu_options+=(size:--disable-bochs)
qemu_options+=(size:--disable-cloop)
qemu_options+=(size:--disable-dmg)
qemu_options+=(size:--disable-parallels)
# vxhs was deprecated on QEMU 5.1 so it doesn't need to be
# explicitly disabled.
if ! gt_eq "${qemu_version}" "5.1.0" ; then
qemu_options+=(size:--disable-vxhs)
fi
# vxhs was deprecated on QEMU 5.1 so it doesn't need to be
# explicitly disabled.
if ! gt_eq "${qemu_version}" "5.1.0" ; then
qemu_options+=(size:--disable-vxhs)
fi
#---------------------------------------------------------------------
@@ -414,12 +395,6 @@ generate_qemu_options() {
# Required for fast network access
qemu_options+=(speed:--enable-vhost-net)
# Always strip binaries
# needed if qemu version is less than 2.7
if ! gt_eq "${qemu_version}" "2.7.0" ; then
qemu_options+=(size:--enable-strip)
fi
# Support Ceph RADOS Block Device (RBD)
[ -z "${static}" ] && qemu_options+=(functionality:--enable-rbd)
@@ -433,25 +408,21 @@ generate_qemu_options() {
qemu_options+=(functionality:--enable-cap-ng)
qemu_options+=(functionality:--enable-seccomp)
if gt_eq "${qemu_version}" "3.1.0" ; then
# AVX2 is enabled by default by x86_64, make sure it's enabled only
# for that architecture
if [ "$arch" == x86_64 ]; then
qemu_options+=(speed:--enable-avx2)
if gt_eq "${qemu_version}" "5.0.0" ; then
qemu_options+=(speed:--enable-avx512f)
fi
# According to QEMU's nvdimm documentation: When 'pmem' is 'on' and QEMU is
# built with libpmem support, QEMU will take necessary operations to guarantee
# the persistence of its own writes to the vNVDIMM backend.
qemu_options+=(functionality:--enable-libpmem)
else
qemu_options+=(speed:--disable-avx2)
qemu_options+=(functionality:--disable-libpmem)
fi
# Enable libc malloc_trim() for memory optimization.
qemu_options+=(speed:--enable-malloc-trim)
# AVX2 is enabled by default by x86_64, make sure it's enabled only
# for that architecture
if [ "$arch" == x86_64 ]; then
qemu_options+=(speed:--enable-avx2)
qemu_options+=(speed:--enable-avx512f)
# According to QEMU's nvdimm documentation: When 'pmem' is 'on' and QEMU is
# built with libpmem support, QEMU will take necessary operations to guarantee
# the persistence of its own writes to the vNVDIMM backend.
qemu_options+=(functionality:--enable-libpmem)
else
qemu_options+=(speed:--disable-avx2)
qemu_options+=(functionality:--disable-libpmem)
fi
# Enable libc malloc_trim() for memory optimization.
qemu_options+=(speed:--enable-malloc-trim)
#---------------------------------------------------------------------
# Other options
@@ -587,6 +558,10 @@ main() {
[ -n "${qemu_version}" ] ||
die "cannot determine qemu version from file $qemu_version_file"
if ! gt_eq "${qemu_version}" "5.0.0" ; then
die "Kata requires QEMU >= 5.0.0"
fi
local gcc_version_major=$(gcc -dumpversion | cut -f1 -d.)
[ -n "${gcc_version_major}" ] ||
die "cannot determine gcc major version, please ensure it is installed"