[PATCH] libvirt: upgrade 7.2.0 -> 8.1.0


sakib.sajal@...
 

Dropped patches which are part of the new version:
0001-docs-Fix-template-matching-in-page.xsl.patch
0001-security-fix-SELinux-label-generation-logic.patch
0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
0002-meson-Fix-compatibility-with-Meson-0.58.patch

Dropped the obsolete md5checksum.

Upstream libvirt commit
8eb4461645 remove sysconfig files
removes all sysconfig files. Add back the former libvirtd
sysconfig file, which starts libvirtd in the right mode.
Since the added file already contains the line that the sed
used to insert, remove the sed line from the install rule.

Signed-off-by: Sakib Sajal <sakib.sajal@...>
---
recipes-extended/libvirt/libvirt-python.inc | 4 +-
...cs-Fix-template-matching-in-page.xsl.patch | 64 -------------------
...y-fix-SELinux-label-generation-logic.patch | 56 ----------------
...nlock-object-on-ACL-fail-in-storageP.patch | 40 ------------
...on-Fix-compatibility-with-Meson-0.58.patch | 48 --------------
recipes-extended/libvirt/libvirt/libvirtd | 22 +++++++
.../{libvirt_7.2.0.bb => libvirt_8.1.0.bb} | 19 +++---
7 files changed, 34 insertions(+), 219 deletions(-)
delete mode 100644 recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
delete mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
delete mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
delete mode 100644 recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
create mode 100644 recipes-extended/libvirt/libvirt/libvirtd
rename recipes-extended/libvirt/{libvirt_7.2.0.bb => libvirt_8.1.0.bb} (94%)

diff --git a/recipes-extended/libvirt/libvirt-python.inc b/recipes-extended/libvirt/libvirt-python.inc
index a48aaea5..6f963fb8 100644
--- a/recipes-extended/libvirt/libvirt-python.inc
+++ b/recipes-extended/libvirt/libvirt-python.inc
@@ -17,8 +17,8 @@ FILES:${PN}-python = "${bindir}/* ${libdir}/* ${libdir}/${PYTHON_DIR}/*"

SRC_URI += "http://libvirt.org/sources/python/libvirt-python-${PV}.tar.gz;name=libvirt_python"

-SRC_URI[libvirt_python.md5sum] = "19bf22414a43d358581b9259b52047a7"
-SRC_URI[libvirt_python.sha256sum] = "c0c3bac54c55622e17927b09cd9843869600d71842fb072c99491fe2608dcee7"
+SRC_URI[libvirt_python.md5sum] = "dbb1ab179303700aefa20f831b645ee2"
+SRC_URI[libvirt_python.sha256sum] = "a21ecfab6d29ac1bdd1bfd4aa3ef58447f9f70919aefecd03774613f65914e43"

export LIBVIRT_API_PATH = "${S}/docs/libvirt-api.xml"
export LIBVIRT_CFLAGS = "-I${S}/include"
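Review bot: `SRC_URI[libvirt_python.md5sum]` is still carried forward in this hunk, while the libvirt_8.1.0.bb hunk of the same patch drops the md5sum as obsolete. For consistency I would delete the md5sum line here too and keep only `SRC_URI[libvirt_python.sha256sum]`. Both tarballs are fetched over plain `http://` (a context line here and in the .bb hunk), so the sha256sum is the only thing authenticating the download. Switching the URLs to https, if the host serves them that way, would add transport protection on top of the pin.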
diff --git a/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch b/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
deleted file mode 100644
index 9dd650ee..00000000
--- a/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang <kai.kang@...>
-
-From 54814c87f3706cc8eb894634ebef0f9cf7dabae6 Mon Sep 17 00:00:00 2001
-From: Martin Kletzander <mkletzan@...>
-Date: Mon, 21 Feb 2022 09:26:13 +0100
-Subject: [PATCH] docs: Fix template matching in page.xsl
-
-Our last default template had a match of "node()" which incidentally matched
-everything, including text nodes. Since this has the same priority according to
-the XSLT spec, section 5.5:
-
- https://www.w3.org/TR/1999/REC-xslt-19991116#conflict
-
-this is an error. Also according to the same spec section, the XSLT processor
-may signal the error or pick the last rule.
-
-This was uncovered with libxslt 1.1.35 which contains the following commit:
-
- https://gitlab.gnome.org/GNOME/libxslt/-/commit/b0074eeca3c6b21b4da14fdf712b853900c51635
-
-which makes the build fail with:
-
- runtime error: file ../docs/page.xsl line 223 element element
- xsl:element: The effective name '' is not a valid QName.
-
-because our last rule also matches text nodes and we are trying to extract the
-node name out of them.
-
-To fix this we change the match to "*" which only matches elements and not all
-the nodes, and to avoid any possible errors with different XSLT processors we
-also bump the priority of the match="text()" rule a little higher, just in case
-someone needs to use an XSLT processor that chooses signalling the error instead
-of the optional recovery.
-
-https://bugs.gentoo.org/833586
-
-Signed-off-by: Martin Kletzander <mkletzan@...>
----
- docs/page.xsl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs/page.xsl b/docs/page.xsl
-index fd67918d3b..72a6fa0842 100644
---- a/docs/page.xsl
-+++ b/docs/page.xsl
-@@ -215,11 +215,11 @@
- </xsl:element>
- </xsl:template>
-
-- <xsl:template match="text()" mode="copy">
-+ <xsl:template match="text()" mode="copy" priority="0">
- <xsl:value-of select="."/>
- </xsl:template>
-
-- <xsl:template match="node()" mode="copy">
-+ <xsl:template match="*" mode="copy">
- <xsl:element name="{name()}">
- <xsl:copy-of select="./@*"/>
- <xsl:apply-templates mode="copy" />
---
-2.33.0
-
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
deleted file mode 100644
index 2753503d..00000000
--- a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@...>
-Date: Mon, 28 Jun 2021 13:09:04 +0100
-Subject: [PATCH] security: fix SELinux label generation logic
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A process can access a file if the set of MCS categories
-for the file is equal-to *or* a subset-of, the set of
-MCS categories for the process.
-
-If there are two VMs:
-
- a) svirt_t:s0:c117
- b) svirt_t:s0:c117,c720
-
-Then VM (b) is able to access files labelled for VM (a).
-
-IOW, we must discard case where the categories are equal
-because that is a subset of many other valid category pairs.
-
-Upstream-status: Backport
-
-Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
-CVE-2021-3631
-Reviewed-by: Peter Krempa <pkrempa@...>
-Signed-off-by: Daniel P. Berrangé <berrange@...>
----
- src/security/security_selinux.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
-index b50f4463cc..0c2cf1d1c7 100644
---- a/src/security/security_selinux.c
-+++ b/src/security/security_selinux.c
-@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
- VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
-
- if (c1 == c2) {
-- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
-+ /*
-+ * A process can access a file if the set of MCS categories
-+ * for the file is equal-to *or* a subset-of, the set of
-+ * MCS categories for the process.
-+ *
-+ * IOW, we must discard case where the categories are equal
-+ * because that is a subset of other category pairs.
-+ */
-+ continue;
- } else {
- if (c1 > c2) {
- int t = c1;
---
-2.17.1
-
diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
deleted file mode 100644
index 608322d9..00000000
--- a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
-From: Peter Krempa <pkrempa@...>
-Date: Wed, 21 Jul 2021 11:22:25 +0200
-Subject: [PATCH] storage_driver: Unlock object on ACL fail in
- storagePoolLookupByTargetPath
-
-'virStoragePoolObjListSearch' returns a locked and refed object, thus we
-must release it on ACL permission failure.
-
-Fixes: 7aa0e8c0cb8
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
-Signed-off-by: Peter Krempa <pkrempa@...>
-Reviewed-by: Michal Privoznik <mprivozn@...>
-
-Upstream-status: Backport
-CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
-Signed-off-by: Yanfei Xu <yanfei.xu@...>
----
- src/storage/storage_driver.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
-index ecb5b86b4f..de66f1f9e5 100644
---- a/src/storage/storage_driver.c
-+++ b/src/storage/storage_driver.c
-@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
- storagePoolLookupByTargetPathCallback,
- cleanpath))) {
- def = virStoragePoolObjGetDef(obj);
-- if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
-+ if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
-+ virStoragePoolObjEndAPI(&obj);
- return NULL;
-+ }
-
- pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
- virStoragePoolObjEndAPI(&obj);
---
-2.27.0
-
diff --git a/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch b/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
deleted file mode 100644
index 3201eede..00000000
--- a/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c607266619c5ab78ad5d4179b3ea93cfb6348391 Mon Sep 17 00:00:00 2001
-From: Andrea Bolognani <abologna@...>
-Date: Mon, 3 May 2021 09:06:34 +0200
-Subject: [PATCH] meson: Fix compatibility with Meson 0.58
-
-Builds failed with
-
- tests/meson.build:690:0: ERROR: List item must be one
- of <class 'str'>, not <class 'list'>
-
-before this change.
-
-https://gitlab.com/libvirt/libvirt/-/issues/158
-
-Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/c607266619c5ab78ad5d4179b3ea93cfb6348391]
-
-Signed-off-by: Martin Jansa <Martin.Jansa@...>
-Signed-off-by: Andrea Bolognani <abologna@...>
-Reviewed-by: Peter Krempa <pkrempa@...>
-Reviewed-by: Pavel Hrdina <phrdina@...>
----
- tests/meson.build | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/meson.build b/tests/meson.build
-index 05c3e90195..9900983d0c 100644
---- a/tests/meson.build
-+++ b/tests/meson.build
-@@ -687,12 +687,12 @@ foreach name : test_scripts
- test(name, script, env: tests_env)
- endforeach
-
-+testenv = runutf8
-+testenv += 'VIR_TEST_FILE_ACCESS=1'
-+
- add_test_setup(
- 'access',
-- env: [
-- 'VIR_TEST_FILE_ACCESS=1',
-- runutf8,
-- ],
-+ env: testenv,
- exe_wrapper: [ python3_prog, check_file_access_prog.path() ],
- )
-
---
-GitLab
-
diff --git a/recipes-extended/libvirt/libvirt/libvirtd b/recipes-extended/libvirt/libvirt/libvirtd
new file mode 100644
index 00000000..455b4395
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/libvirtd
@@ -0,0 +1,22 @@
+# Customizations for the libvirtd.service systemd unit
+
+# Default behaviour is for libvirtd.service to start on boot
+# so that VM autostart can be performed. We then want it to
+# shutdown again if nothing was started and rely on systemd
+# socket activation to start it again when some client app
+# connects.
+LIBVIRTD_ARGS="--timeout 120"
+
+# If systemd socket activation is disabled, then the following
+# can be used to listen on TCP/TLS sockets
+#LIBVIRTD_ARGS="--listen"
+LIBVIRTD_ARGS="--listen --daemon"
+
+# Override the QEMU/SDL default audio driver probing when
+# starting virtual machines using SDL graphics
+#
+# NB these have no effect for VMs using VNC, unless vnc_allow_host_audio
+# is enabled in /etc/libvirt/qemu.conf
+#QEMU_AUDIO_DRV=sdl
+#
+#SDL_AUDIODRIVER=pulse
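Review bot: `LIBVIRTD_ARGS` is assigned twice in this new file, so the `--timeout 120` line is dead and the effective value is `--listen --daemon`. The shipped default therefore turns on libvirtd's network listener, although the comment above it presents `--listen` only as an option for when socket activation is disabled. What is actually exposed depends on the `listen_tls`/`listen_tcp` and authentication settings in libvirtd.conf, which this patch does not show. I would comment out the first assignment (`#LIBVIRTD_ARGS="--timeout 120"`) and add a line such as `# Layer default: daemonize with --listen; remote access is governed by listen_tls/listen_tcp in libvirtd.conf` above the active one. It is also worth confirming that 8.1.0 still accepts `--listen` when the unit is started through systemd socket activation.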
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
similarity index 94%
rename from recipes-extended/libvirt/libvirt_7.2.0.bb
rename to recipes-extended/libvirt/libvirt_8.1.0.bb
index 1fc55b8d..f4c0722a 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -23,19 +23,15 @@ RDEPENDS:libvirt-libvirtd:append:x86 = " dmidecode"
RCONFLICTS:${PN}_libvirtd = "connman"

SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
+ file://libvirtd \
file://libvirtd.sh \
file://libvirtd.conf \
file://dnsmasq.conf \
file://hook_support.py \
file://gnutls-helper.py \
- file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
- file://0001-security-fix-SELinux-label-generation-logic.patch \
- file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
- file://0001-docs-Fix-template-matching-in-page.xsl.patch \
"

-SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
-SRC_URI[libvirt.sha256sum] = "01f459d0c7ba5009622a628dba1a026200e8f4a299fea783b936a71d7e0ed1d0"
+SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"

inherit meson gettext update-rc.d pkgconfig systemd useradd perlnative
USERADD_PACKAGES = "${PN}"
@@ -160,7 +156,7 @@ PACKAGECONFIG[fuse] = "-Dfuse=enabled,-Dfuse=disabled,fuse,"
PACKAGECONFIG[audit] = "-Daudit=enabled,-Daudit=disabled,audit,"
PACKAGECONFIG[libcap-ng] = "-Dcapng=enabled,-Dcapng=disabled,libcap-ng,"
PACKAGECONFIG[wireshark] = "-Dwireshark_dissector=enabled,-Dwireshark_dissector=disabled,wireshark libwsutil,"
-PACKAGECONFIG[apparmor_profiles] = "-Dapparmor_profiles=true, -Dapparmor_profiles=false,"
+PACKAGECONFIG[apparmor_profiles] = "-Dapparmor_profiles=enabled, -Dapparmor_profiles=disabled,"
PACKAGECONFIG[firewalld] = "-Dfirewalld=enabled, -Dfirewalld=disabled,"
PACKAGECONFIG[libpcap] = "-Dlibpcap=enabled, -Dlibpcap=disabled,libpcap,libpcap"
PACKAGECONFIG[numad] = "-Dnumad=enabled, -Dnumad=disabled,"
@@ -211,8 +207,8 @@ do_install:append() {
rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
fi

- # This variable is used by libvirtd.service to start libvirtd in the right mode
- sed -i '/#LIBVIRTD_ARGS="--listen"/a LIBVIRTD_ARGS="--listen --daemon"' ${D}/${sysconfdir}/sysconfig/libvirtd
+ mkdir -p ${D}/${sysconfdir}/sysconfig
+ install -m 0644 ${WORKDIR}/libvirtd ${D}/${sysconfdir}/sysconfig

# We can't use 'notify' when we don't support 'sd_notify' dbus capabilities.
sed -i -e 's/Type=notify/Type=forking/' \
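Review bot: The new install lines drop the comment that explained why this file exists, and they use `mkdir -p` plus an `install` into a directory rather than the usual recipe idiom. I would write `install -d ${D}${sysconfdir}/sysconfig` and `install -m 0644 ${WORKDIR}/libvirtd ${D}${sysconfdir}/sysconfig/libvirtd`, which also avoids the doubled slash in `${D}/${sysconfdir}`. A replacement comment such as `# libvirtd.service reads LIBVIRTD_ARGS from this file; upstream no longer installs it` would keep the reason visible. do_install:append starts and ends outside this hunk, so I cannot tell whether the install is meant to be limited to systemd builds.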
@@ -307,6 +303,11 @@ do_install:append() {

# virt-login-shell needs to run with setuid permission
chmod 4755 ${D}${bindir}/virt-login-shell
+
+ # remove unsupported migration config file
+ # migration process is described here:
+ # https://wiki.qemu.org/Features/PostCopyLiveMigration
+ rm ${D}/usr/lib/sysctl.d/60-qemu-postcopy-migration.conf
}

EXTRA_OEMESON += " \
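Review bot: The added `rm` has no `-f` and hard-codes `/usr/lib`, so the task would presumably abort whenever upstream does not install the file (for example with the QEMU driver disabled) or when `prefix` is not `/usr`. An earlier hunk of this recipe already uses `${D}${prefix}/lib/...`, so I would write `rm -f ${D}${prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf`. The comment calls the file "unsupported" without saying why. Since a sysctl.d drop-in changes kernel settings on the target, the comment should name the setting it carries and the reason it is not wanted, so a later upgrade can re-evaluate the removal. do_install:append begins outside this hunk.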
--
2.33.0


Bruce Ashfield
 

There's already a libvirt upgrade in master-next.

Check it out and send any patches incrementally to that.

Bruce

On Thu, Mar 31, 2022 at 10:18 AM <sakib.sajal@...> wrote:
Dropped patches which are part of the new version:
        0001-docs-Fix-template-matching-in-page.xsl.patch
        0001-security-fix-SELinux-label-generation-logic.patch
        0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
        0002-meson-Fix-compatibility-with-Meson-0.58.patch

Dropped the obsolete md5checksum.

From upstream libvirt, the commit:
        8eb4461645 remove sysconfig files
removes all sysconfig files. Add the former libvirtd
sysconfig file that starts libvirtd in the right mode.
Since the sysconfig file has already been sed'ed,
remove the sed line from the install rule.

Signed-off-by: Sakib Sajal <sakib.sajal@...>
---
 recipes-extended/libvirt/libvirt-python.inc   |  4 +-
 ...cs-Fix-template-matching-in-page.xsl.patch | 64 -------------------
 ...y-fix-SELinux-label-generation-logic.patch | 56 ----------------
 ...nlock-object-on-ACL-fail-in-storageP.patch | 40 ------------
 ...on-Fix-compatibility-with-Meson-0.58.patch | 48 --------------
 recipes-extended/libvirt/libvirt/libvirtd     | 22 +++++++
 .../{libvirt_7.2.0.bb => libvirt_8.1.0.bb}    | 19 +++---
 7 files changed, 34 insertions(+), 219 deletions(-)
 delete mode 100644 recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
 delete mode 100644 recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
 delete mode 100644 recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
 delete mode 100644 recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
 create mode 100644 recipes-extended/libvirt/libvirt/libvirtd
 rename recipes-extended/libvirt/{libvirt_7.2.0.bb => libvirt_8.1.0.bb} (94%)

diff --git a/recipes-extended/libvirt/libvirt-python.inc b/recipes-extended/libvirt/libvirt-python.inc
index a48aaea5..6f963fb8 100644
--- a/recipes-extended/libvirt/libvirt-python.inc
+++ b/recipes-extended/libvirt/libvirt-python.inc
@@ -17,8 +17,8 @@ FILES:${PN}-python = "${bindir}/* ${libdir}/* ${libdir}/${PYTHON_DIR}/*"

 SRC_URI += "http://libvirt.org/sources/python/libvirt-python-${PV}.tar.gz;name=libvirt_python"

-SRC_URI[libvirt_python.md5sum] = "19bf22414a43d358581b9259b52047a7"
-SRC_URI[libvirt_python.sha256sum] = "c0c3bac54c55622e17927b09cd9843869600d71842fb072c99491fe2608dcee7"
+SRC_URI[libvirt_python.md5sum] = "dbb1ab179303700aefa20f831b645ee2"
+SRC_URI[libvirt_python.sha256sum] = "a21ecfab6d29ac1bdd1bfd4aa3ef58447f9f70919aefecd03774613f65914e43"

 export LIBVIRT_API_PATH = "${S}/docs/libvirt-api.xml"
 export LIBVIRT_CFLAGS = "-I${S}/include"
diff --git a/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch b/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
deleted file mode 100644
index 9dd650ee..00000000
--- a/recipes-extended/libvirt/libvirt/0001-docs-Fix-template-matching-in-page.xsl.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang <kai.kang@...>
-
-From 54814c87f3706cc8eb894634ebef0f9cf7dabae6 Mon Sep 17 00:00:00 2001
-From: Martin Kletzander <mkletzan@...>
-Date: Mon, 21 Feb 2022 09:26:13 +0100
-Subject: [PATCH] docs: Fix template matching in page.xsl
-
-Our last default template had a match of "node()" which incidentally matched
-everything, including text nodes.  Since this has the same priority according to
-the XSLT spec, section 5.5:
-
https://www.w3.org/TR/1999/REC-xslt-19991116#conflict
-
-this is an error.  Also according to the same spec section, the XSLT processor
-may signal the error or pick the last rule.
-
-This was uncovered with libxslt 1.1.35 which contains the following commit:
-
https://gitlab.gnome.org/GNOME/libxslt/-/commit/b0074eeca3c6b21b4da14fdf712b853900c51635
-
-which makes the build fail with:
-
-  runtime error: file ../docs/page.xsl line 223 element element
-  xsl:element: The effective name '' is not a valid QName.
-
-because our last rule also matches text nodes and we are trying to extract the
-node name out of them.
-
-To fix this we change the match to "*" which only matches elements and not all
-the nodes, and to avoid any possible errors with different XSLT processors we
-also bump the priority of the match="text()" rule a little higher, just in case
-someone needs to use an XSLT processor that chooses signalling the error instead
-of the optional recovery.
-
-https://bugs.gentoo.org/833586
-
-Signed-off-by: Martin Kletzander <mkletzan@...>
----
- docs/page.xsl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs/page.xsl b/docs/page.xsl
-index fd67918d3b..72a6fa0842 100644
---- a/docs/page.xsl
-+++ b/docs/page.xsl
-@@ -215,11 +215,11 @@
-     </xsl:element>
-   </xsl:template>
-
--  <xsl:template match="text()" mode="copy">
-+  <xsl:template match="text()" mode="copy" priority="0">
-     <xsl:value-of select="."/>
-   </xsl:template>
-
--  <xsl:template match="node()" mode="copy">
-+  <xsl:template match="*" mode="copy">
-     <xsl:element name="{name()}">
-       <xsl:copy-of select="./@*"/>
-       <xsl:apply-templates mode="copy" />
---
-2.33.0
-
diff --git a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch b/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
deleted file mode 100644
index 2753503d..00000000
--- a/recipes-extended/libvirt/libvirt/0001-security-fix-SELinux-label-generation-logic.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@...>
-Date: Mon, 28 Jun 2021 13:09:04 +0100
-Subject: [PATCH] security: fix SELinux label generation logic
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A process can access a file if the set of MCS categories
-for the file is equal-to *or* a subset-of, the set of
-MCS categories for the process.
-
-If there are two VMs:
-
-  a) svirt_t:s0:c117
-  b) svirt_t:s0:c117,c720
-
-Then VM (b) is able to access files labelled for VM (a).
-
-IOW, we must discard case where the categories are equal
-because that is a subset of many other valid category pairs.
-
-Upstream-status: Backport
-
-Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
-CVE-2021-3631
-Reviewed-by: Peter Krempa <pkrempa@...>
-Signed-off-by: Daniel P. Berrangé <berrange@...>
----
- src/security/security_selinux.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
-index b50f4463cc..0c2cf1d1c7 100644
---- a/src/security/security_selinux.c
-+++ b/src/security/security_selinux.c
-@@ -383,7 +383,15 @@ virSecuritySELinuxMCSFind(virSecurityManager *mgr,
-         VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
-
-         if (c1 == c2) {
--            mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
-+            /*
-+             * A process can access a file if the set of MCS categories
-+             * for the file is equal-to *or* a subset-of, the set of
-+             * MCS categories for the process.
-+             *
-+             * IOW, we must discard case where the categories are equal
-+             * because that is a subset of other category pairs.
-+             */
-+            continue;
-         } else {
-             if (c1 > c2) {
-                 int t = c1;
---
-2.17.1
-
diff --git a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch b/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
deleted file mode 100644
index 608322d9..00000000
--- a/recipes-extended/libvirt/libvirt/0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From d3e20e186ed531e196bb1529430f39b0c917e6dc Mon Sep 17 00:00:00 2001
-From: Peter Krempa <pkrempa@...>
-Date: Wed, 21 Jul 2021 11:22:25 +0200
-Subject: [PATCH] storage_driver: Unlock object on ACL fail in
- storagePoolLookupByTargetPath
-
-'virStoragePoolObjListSearch' returns a locked and refed object, thus we
-must release it on ACL permission failure.
-
-Fixes: 7aa0e8c0cb8
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1984318
-Signed-off-by: Peter Krempa <pkrempa@...>
-Reviewed-by: Michal Privoznik <mprivozn@...>
-
-Upstream-status: Backport
-CVE-2021-3667 [https://bugzilla.redhat.com/show_bug.cgi?id=1986094]
-Signed-off-by: Yanfei Xu <yanfei.xu@...>
----
- src/storage/storage_driver.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
-index ecb5b86b4f..de66f1f9e5 100644
---- a/src/storage/storage_driver.c
-+++ b/src/storage/storage_driver.c
-@@ -1739,8 +1739,10 @@ storagePoolLookupByTargetPath(virConnectPtr conn,
-                                            storagePoolLookupByTargetPathCallback,
-                                            cleanpath))) {
-         def = virStoragePoolObjGetDef(obj);
--        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0)
-+        if (virStoragePoolLookupByTargetPathEnsureACL(conn, def) < 0) {
-+            virStoragePoolObjEndAPI(&obj);
-             return NULL;
-+        }
-
-         pool = virGetStoragePool(conn, def->name, def->uuid, NULL, NULL);
-         virStoragePoolObjEndAPI(&obj);
---
-2.27.0
-
diff --git a/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch b/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
deleted file mode 100644
index 3201eede..00000000
--- a/recipes-extended/libvirt/libvirt/0002-meson-Fix-compatibility-with-Meson-0.58.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c607266619c5ab78ad5d4179b3ea93cfb6348391 Mon Sep 17 00:00:00 2001
-From: Andrea Bolognani <abologna@...>
-Date: Mon, 3 May 2021 09:06:34 +0200
-Subject: [PATCH] meson: Fix compatibility with Meson 0.58
-
-Builds failed with
-
-  tests/meson.build:690:0: ERROR: List item must be one
-  of <class 'str'>, not <class 'list'>
-
-before this change.
-
-https://gitlab.com/libvirt/libvirt/-/issues/158
-
-Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/c607266619c5ab78ad5d4179b3ea93cfb6348391]
-
-Signed-off-by: Martin Jansa <Martin.Jansa@...>
-Signed-off-by: Andrea Bolognani <abologna@...>
-Reviewed-by: Peter Krempa <pkrempa@...>
-Reviewed-by: Pavel Hrdina <phrdina@...>
----
- tests/meson.build | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/tests/meson.build b/tests/meson.build
-index 05c3e90195..9900983d0c 100644
---- a/tests/meson.build
-+++ b/tests/meson.build
-@@ -687,12 +687,12 @@ foreach name : test_scripts
-   test(name, script, env: tests_env)
- endforeach
-
-+testenv = runutf8
-+testenv += 'VIR_TEST_FILE_ACCESS=1'
-+
- add_test_setup(
-   'access',
--  env: [
--    'VIR_TEST_FILE_ACCESS=1',
--    runutf8,
--  ],
-+  env: testenv,
-   exe_wrapper: [ python3_prog, check_file_access_prog.path() ],
- )
-
---
-GitLab
-
diff --git a/recipes-extended/libvirt/libvirt/libvirtd b/recipes-extended/libvirt/libvirt/libvirtd
new file mode 100644
index 00000000..455b4395
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/libvirtd
@@ -0,0 +1,22 @@
+# Customizations for the libvirtd.service systemd unit
+
+# Default behaviour is for libvirtd.service to start on boot
+# so that VM autostart can be performed. We then want it to
+# shutdown again if nothing was started and rely on systemd
+# socket activation to start it again when some client app
+# connects.
+LIBVIRTD_ARGS="--timeout 120"
+
+# If systemd socket activation is disabled, then the following
+# can be used to listen on TCP/TLS sockets
+#LIBVIRTD_ARGS="--listen"
+LIBVIRTD_ARGS="--listen --daemon"
+
+# Override the QEMU/SDL default audio driver probing when
+# starting virtual machines using SDL graphics
+#
+# NB these have no effect for VMs using VNC, unless vnc_allow_host_audio
+# is enabled in /etc/libvirt/qemu.conf
+#QEMU_AUDIO_DRV=sdl
+#
+#SDL_AUDIODRIVER=pulse
diff --git a/recipes-extended/libvirt/libvirt_7.2.0.bb b/recipes-extended/libvirt/libvirt_8.1.0.bb
similarity index 94%
rename from recipes-extended/libvirt/libvirt_7.2.0.bb
rename to recipes-extended/libvirt/libvirt_8.1.0.bb
index 1fc55b8d..f4c0722a 100644
--- a/recipes-extended/libvirt/libvirt_7.2.0.bb
+++ b/recipes-extended/libvirt/libvirt_8.1.0.bb
@@ -23,19 +23,15 @@ RDEPENDS:libvirt-libvirtd:append:x86 = " dmidecode"
 RCONFLICTS:${PN}_libvirtd = "connman"

 SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
+           file://libvirtd \
            file://libvirtd.sh \
            file://libvirtd.conf \
            file://dnsmasq.conf \
            file://hook_support.py \
            file://gnutls-helper.py \
-           file://0002-meson-Fix-compatibility-with-Meson-0.58.patch \
-           file://0001-security-fix-SELinux-label-generation-logic.patch \
-           file://0001-storage_driver-Unlock-object-on-ACL-fail-in-storageP.patch \
-           file://0001-docs-Fix-template-matching-in-page.xsl.patch \
           "

-SRC_URI[libvirt.md5sum] = "92044b629216e44adce63224970a54a3"
-SRC_URI[libvirt.sha256sum] = "01f459d0c7ba5009622a628dba1a026200e8f4a299fea783b936a71d7e0ed1d0"
+SRC_URI[libvirt.sha256sum] = "3c6c43becffeb34a3f397c616206aa69a893ff8bf5e8208393c84e8e75352934"

 inherit meson gettext update-rc.d pkgconfig systemd useradd perlnative
 USERADD_PACKAGES = "${PN}"
@@ -160,7 +156,7 @@ PACKAGECONFIG[fuse] = "-Dfuse=enabled,-Dfuse=disabled,fuse,"
 PACKAGECONFIG[audit] = "-Daudit=enabled,-Daudit=disabled,audit,"
 PACKAGECONFIG[libcap-ng] = "-Dcapng=enabled,-Dcapng=disabled,libcap-ng,"
 PACKAGECONFIG[wireshark] = "-Dwireshark_dissector=enabled,-Dwireshark_dissector=disabled,wireshark libwsutil,"
-PACKAGECONFIG[apparmor_profiles] = "-Dapparmor_profiles=true, -Dapparmor_profiles=false,"
+PACKAGECONFIG[apparmor_profiles] = "-Dapparmor_profiles=enabled, -Dapparmor_profiles=disabled,"
 PACKAGECONFIG[firewalld] = "-Dfirewalld=enabled, -Dfirewalld=disabled,"
 PACKAGECONFIG[libpcap] = "-Dlibpcap=enabled, -Dlibpcap=disabled,libpcap,libpcap"
 PACKAGECONFIG[numad] = "-Dnumad=enabled, -Dnumad=disabled,"
@@ -211,8 +207,8 @@ do_install:append() {
                 rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
             fi

-           # This variable is used by libvirtd.service to start libvirtd in the right mode
-           sed -i '/#LIBVIRTD_ARGS="--listen"/a LIBVIRTD_ARGS="--listen --daemon"' ${D}/${sysconfdir}/sysconfig/libvirtd
+            mkdir -p ${D}/${sysconfdir}/sysconfig
+            install -m 0644 ${WORKDIR}/libvirtd ${D}/${sysconfdir}/sysconfig

            # We can't use 'notify' when we don't support 'sd_notify' dbus capabilities.
            sed -i -e 's/Type=notify/Type=forking/' \
@@ -307,6 +303,11 @@ do_install:append() {

        # virt-login-shell needs to run with setuid permission
        chmod 4755 ${D}${bindir}/virt-login-shell
+
+        # remove unsupported migration config file
+        # migration process is described here:
+        # https://wiki.qemu.org/Features/PostCopyLiveMigration
+        rm ${D}/usr/lib/sysctl.d/60-qemu-postcopy-migration.conf
 }

 EXTRA_OEMESON += " \
--
2.33.0






--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II