libvirt (5.4.0-0ubuntu5) eoan; urgency=medium

  * No-change upload with strops.h and sys/strops.h removed in glibc.

 -- Matthias Klose Thu, 05 Sep 2019 11:00:53 +0000

libvirt (5.4.0-0ubuntu4) eoan; urgency=medium

  * d/p/ubuntu/lp-1828495-*: make libvirt able to handle arch_capabilities
    cpu features for the Host. (LP: 1828495 - not closing yet as guest caps
    still need fixups to work well LP: 1841066)

 -- Christian Ehrhardt Tue, 20 Aug 2019 10:50:08 +0200

libvirt (5.4.0-0ubuntu3) eoan; urgency=medium

  * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for
    read-only connection
    - debian/patches/CVE-2019-10161.patch: add check to
      src/libvirt-domain.c, src/qemu/qemu_driver.c,
      src/remote/remote_protocol.x.
    - CVE-2019-10161
  * SECURITY UPDATE: virDomainManagedSaveDefineXML does not check for
    read-only connection
    - debian/patches/CVE-2019-10166.patch: add check to
      src/libvirt-domain.c.
    - CVE-2019-10166
  * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for
    read-only connection
    - debian/patches/CVE-2019-10167.patch: add check to
      src/libvirt-domain.c.
    - CVE-2019-10167
  * SECURITY UPDATE: virConnect*HypervisorCPU do not check for read-only
    connection
    - debian/patches/CVE-2019-10168.patch: add checks to
      src/libvirt-host.c.
    - CVE-2019-10168

 -- Marc Deslauriers Tue, 02 Jul 2019 08:08:33 -0400

libvirt (5.4.0-0ubuntu2) eoan; urgency=medium

  * d/p/ubuntu-aa/lp-1833040-Add-openGraphicsFD-rule-for-named-profile.patch:
    avoid issues with remote screen connections like virt-manager due to
    apparmor changes in libvirt 5.1 (LP: #1833040)

 -- Christian Ehrhardt Wed, 19 Jun 2019 14:34:54 +0200

libvirt (5.4.0-0ubuntu1) eoan; urgency=medium

  * Merged with Debian git 5.3.0-1~1.gbp7b1637 and upstreams 5.4 release
    Among many other new features and fixes this includes fixes for:
    LP: #1759509 - virsh dompmwakeup fails to wake VM from dompmsuspend state
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
        auto set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users
        on Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by
      making vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu
      only or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
        Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
        libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add
        l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
        reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
        commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include
        for abstraction/libvirt-qemu (LP: 1786019)
      + d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor
        issues with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: 1815910)
    - d/rules: enable build time self tests on all architectures
    - dnsmasq related enhancements
      + run dnsmasq as
        libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and
        group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
        group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/control: drop libnetcf from Build-Depends.
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd
      UEFI Secure Boot enabled variants of the OVMF firmware and variable
      store for the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - d/rules: also check build time self test results on all architectures
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/t/control: fix smoke-qemu-session by ensuring the service will run
      installing libvirt-daemon-system
    - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy
      as long as the following undefine succeeds
    - avoid service dependency issues on upgrade (LP: 1786179)
      This will in the long term be resolved in dh_* tools, but to let an
      upgrade work for now we need to drop the sysV scripts (which we don't
      use anyway) and slightly modify the systemd service to work with
      today's dh_systemd_start properly.
      Can be dropped once Debian bug 905772 is resolved in dh_* tools and
      libvirt uses those new code.
      - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
      - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
      - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd
        and libvirtd sysV init file
      - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also
        references to virtlogd/virtlockd sockets as they would imply a
        restart of virtlogd breaking it.
      - d/t/smoke-lxc: use systemd instead of sysV to restart the service
  * Added Changes:
    - Refreshed patches to match new upstream
      - d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch
      - d/p/ubuntu/ubuntu_machine_type.patch
    - d/control: Revert iptables/ebtables dependency as Eoan still is on
      1.6.x
      This can be dropped once >=1.8.1
    - d/rules: adapt iptables binary paths present in Eoan (LP: #1832297)
      This can be dropped once >=1.8.1
    - d/p/ubuntu/dnsmasq-as-priv-user: update to include the new test
      nat-network-mtu
    - revert [c3c4cd4] drop in helper for firewalld as it is disabled on
      Ubuntu [can be squashed with the disabling of firewalld on next merge]
    - d/libvirt0.symbols: bump symbol versions for 5.4.0
    - d/rules: add --no-restart-after-upgrade to services that are supposed
      to stay up through upgrades - this also applies to related sockets.
  * Dropped Changes (upstream)
    - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed for
      the ease use of mdev and gl devices (LP: 1804766)
    - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF
      (LP: 1771662)
    - d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined
      the never functional osxsave and ospke features (LP: 1825195).
    - d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
      vhost-scsi hotplug in virt-aa-helper (LP: 1829223)
    - SECURITY UPDATE: Add support for md-clear functionality
      + debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
        src/cpu_map/x86_features.xml.
      + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
    - Implement further apparmor rules for usage of gl enabled graphics
      (LP: 1815452)
      + d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch
      + d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch
    - Implement further apparmor rules for usage of gl enabled graphics
      with nvidia cards (LP: 1817943)
      + d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch
      + d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch
  * Dropped Changes (in Debian)
    - d/rules: strip -Bsymbolic-functions from linker flags as it breaks
      libvirt tests

 -- Christian Ehrhardt Fri, 07 Jun 2019 11:55:52 +0200

libvirt (5.3.0-1~1.gbp7b1637) UNRELEASED; urgency=medium

  ** SNAPSHOT build @7b1637605da9224c46ebf3a243fa725d643e7556 **

  [ Guido Günther ]
  * [fb43676] d/control: Drop dh-autoreconf build-dep.
    Not needed for dh compat > 10.
  * [81d21d5] d/not-installed: Use multi-arch dirs.
    Files moved during the dh12 switch.
  * [428ad14] New upstream version 5.3.0~rc2
  * [641e532] New upstream version 5.3.0

  [ Christian Ehrhardt ]
  * [c28c3b3] d/libvirt0.install: install translations
  * [c3c4cd4] d/libvirt-daemon-system.install: drop in helper for firewalld
  * [3e8b43c] d/not-installed: ignore default files /etc/sysconfig
  * [c223d7f] d/libvirt-daemon-system.examples: ship sysctl config as example
  * [f19acf6] d/libvirt-daemon-system.install: ship libxl-sanlock.conf
    (Closes: #919484)

  [ Andrea Bolognani ]
  * [6a2eae3] Simplify and improve watch file.

 -- Guido Günther Mon, 06 May 2019 13:06:27 +0200

libvirt (5.2.0-2) experimental; urgency=medium

  [ Guido Günther ]
  * [1ec90c0] d/compat: Switch to debhelper level 12
  * [fb6dd18] d/rules: s/no-restart-on-upgrade/no-stop-on-upgrade/
  * [3764b71] d/rules: --prallel not needed anymore
  * [1d92095] d/control: Add ${misc:Pre-Depends} for libvirt-daemon-system.
    This makes sure we pull in recent enough init-system-helpers
  * [02a155b] d/rules: Switch to dh_installsystemd
    dh_systemd_start is no longer used.
  * [bcad111] d/control: Fix typo
  * [8609192] d/control: Drop Debian revision on iptables build-dep.
    Any version greater than 1.8.1 will do.
  * [447dd58] libnss-libvirt: Install libnss_libvirt-guest as well
    (Closes: #910288)
  * [4fb7d11] d/control: Build-depend on libglusterfs-dev.
    Since this is a recent addition we can drop the versioned dependency.
    (Closes: #919663)
  * [7b4ffeb] d/rules: Newer debhelper puts the libs into multi arch dirs.
    There's no need to move them manually anymore.

  [ Andrea Bolognani ]
  * [dd9cdaa] Use HTTPS for all URLs.
    This gets rid of the debian-watch-uses-insecure-uri informational
    Lintian tag, and then some.
  * [faaec12] Minimize upstream's signing key.
    This gets rid of the public-upstream-key-not-minimal informational
    Lintian tag.
  * [8a0e6f1] Remove Priority field from binary packages.
    This gets rid of the binary-control-field-duplicates-source
    informational Lintian tag.

  [ Christian Ehrhardt ]
  * [08f3a23] d/libvirt-clients.manpages: add virkeycode and virkeyname man
    pages.
  * [0f359de] d/rules: mv logrotate files to silence dh_missing
  * [f36ca33] dh_missing: ignore warning on libtool .la file

 -- Guido Günther Mon, 22 Apr 2019 12:20:36 +0200

libvirt (5.2.0-1) experimental; urgency=medium

  * Team upload.

  [ Christian Ehrhardt ]
  * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
    /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
    libvirt 5.0 (Closes: #920574)
  * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify
    libvirtd_opts example (Closes: #921713)

  [ Guido Günther ]
  * [dd9d74f] New upstream version 5.2.0
  * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the
    guest agent.
    Apply upstream patches
    remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
    api-disallow-virDomainGetHostname-for-read-only-connectio.patch
    (Closes: #926418)

  [ Andrea Bolognani ]
  * [453f85d] Rediff patches.
    The patches
    security-aa-helper-allow-virt-aa-helper-to-read-dev-dri.patch
    security-aa-helper-generate-more-rules-for-gl-devices.patch
    security-aa-helper-gl-devices-in-sysfs-at-arbitrary-depth.patch
    security-aa-helper-nvidia-rules-for-gl-devices.patch
    virt-aa-helper-generate-rules-for-gl-enabled-graphics-dev.patch
    are included in libvirt 5.2.0 and have thus been dropped.
  * [a4294ef] Bump symbol versions.
  * [68394f6] Add tests-Avoid-writing-into-HOME-during-virsh-snapshot.patch

 -- Andrea Bolognani Sun, 07 Apr 2019 18:39:49 +0200

libvirt (5.1.0-1) experimental; urgency=medium

  [ Laurent Bigonville ]
  * [76e2cb7] Don't recommend ebtables.
    It's part of the iptables package now. (Closes: #918472)

  [ Guido Günther ]
  * [5814c89] New upstream version 5.1.0
  * [55d063d] Rediff patches
  * [1102dae] d/gbp.conf: Switch to experimental
  * [cdf3787] d/rules: Adjust to now versioned wireshark module path

 -- Guido Günther Thu, 28 Mar 2019 13:03:29 +0100

libvirt (5.0.0-2) unstable; urgency=medium

  [ Laurent Bigonville ]
  * [76e2cb7] Don't recommend ebtables.
    It's part of the iptables package now. (Closes: #918472)

  [ intrigeri ]
  * [d7a7218] Fix virtio-gpu + virgl support by cherry-picking upstream
    commits
    virt-manager in current sid still creates new VMs with QXL graphics by
    default, so this bug only affects users who opt in for virtio-gpu 3D
    acceleration. Still, the option for virtio-gpu + 3D acceleration is
    offered in the virt-manager GUI, so having it broken by default is an
    important problem. (Closes: #916587)

  [ Christian Ehrhardt ]
  * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
    /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
    libvirt 5.0 (Closes: #920574)
  * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify
    libvirtd_opts example (Closes: #921713)

  [ Guido Günther ]
  * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the
    guest agent.
    Apply upstream patches
    remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
    api-disallow-virDomainGetHostname-for-read-only-connectio.patch
    (Closes: #926418)

 -- Guido Günther Sun, 07 Apr 2019 12:36:21 +0200

libvirt (5.0.0-1ubuntu4) eoan; urgency=medium

  * d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined
    the never functional osxsave and ospke features (LP: #1825195).
  * d/p/series: reorder ubuntu Delta
  * d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues
    with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: #1815910)
  * d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
    vhost-scsi hotplug in virt-aa-helper (LP: #1829223)

 -- Christian Ehrhardt Thu, 16 May 2019 10:42:09 +0200

libvirt (5.0.0-1ubuntu3) eoan; urgency=medium

  * SECURITY UPDATE: Add support for md-clear functionality
    - debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
      src/cpu_map/x86_features.xml.
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 -- Marc Deslauriers Tue, 14 May 2019 14:48:05 -0400

libvirt (5.0.0-1ubuntu2) disco; urgency=medium

  * Implement further apparmor rules for usage of gl enabled graphics
    (LP: #1815452)
    - d/p/ubuntu-aa/lp-1815452-more-gl-rules.patch
    - d/p/ubuntu-aa/lp-1815452-virt-aa-helper-rule.patch
  * Implement further apparmor rules for usage of gl enabled graphics with
    nvidia cards (LP: #1817943)
    - d/p/ubuntu-aa/lp-1817943-nvidia-gl-rules.patch
    - d/p/ubuntu-aa/lp-1817943-devices-in-sysfs.patch
  * d/p/ubuntu-aa/lp-1804766-*: updated to the upstream accepted version
    (no functional change, LP: 1804766)

 -- Christian Ehrhardt Tue, 12 Feb 2019 11:27:14 +0100

libvirt (5.0.0-1ubuntu1) disco; urgency=medium

  * Merged with Debian unstable
    Among many other new features and fixes this includes fixes for:
    LP: #1754871 - 1799446 zPCI passthrough support for KVM
    LP: #1811198 - remove arbitrary limit on socket_id/core_id
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld
      support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
        auto set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users
        on Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by
      making vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu
      only or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
        Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
        libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add
        l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
        reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
        commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 LP 1680384 LP 1784023)
      + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch:
        apparmor, virt-aa-helper: access for snapped nova
      + d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch,
        d/libvirt-daemon-system.postinst: provide a local apparmor include
        for abstraction/libvirt-qemu (LP: 1786019)
    - d/rules: enable build time self tests on all architectures
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and
        group on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt the self tests to expect that config
      + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
        group
      + Add dnsmasq configuration to work with system wide dnsmasq-base
    - debian/rules: disable the netcf backend. (LP: 1764314)
    - debian/control: drop libnetcf from Build-Depends.
    - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd
      UEFI Secure Boot enabled variants of the OVMF firmware and variable
      store for the paths where we ship these files in Ubuntu.
    - d/rules: install virtlockd correctly with defaults file (LP: 1729516)
    - avoid service dependency issues on upgrade (LP: 1786179)
      This will in the long term be resolved in dh_* tools, but to let an
      upgrade work for now we need to drop the sysV scripts (which we don't
      use anyway) and slightly modify the systemd service to work with
      today's dh_systemd_start properly.
      Can be dropped once Debian bug 905772 is resolved in dh_* tools and
      libvirt uses those new code.
      - d/libvirt-daemon-system.virtlogd.init: removed sysV init file
      - d/libvirt-daemon-system.libvirtd.init: removed sysV init file
      - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd
        and libvirtd sysV init file
      - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also
        references to virtlogd/virtlockd sockets as they would imply a
        restart of virtlogd breaking it.
      - d/t/smoke-lxc: use systemd instead of sysV to restart the service
  * Added Changes:
    - Refresh d/p/ubuntu/ubuntu-libxl-qemu-path.patch for new context
    - d/rules: also check build time self test results on all architectures
    - d/rules: strip -Bsymbolic-functions from linker flags as it breaks
      libvirt tests
    - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default
      machine type correctly with newer qemu/libvirt
    - d/p/ubuntu-aa/lp-1804766-*: Allow rendering node access as needed for
      the ease use of mdev and gl devices (LP: #1804766)
    - refreshed d/p/ubuntu-aa for updated paths in libvirt 5.0
    - d/t/control: fix smoke-qemu-session by ensuring the service will run
      installing libvirt-daemon-system
    - d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy
      as long as the following undefine succeeds
    - d/p/ubuntu/lp-1771662-*: fix handling of VFs without associated PF
      (LP: #1771662)
  * Dropped Changes (upstream)
    - debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
      Adapters on s390x (LP: 1787405)
    - d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch:
      fix libvirt bridge handling in unprivileged
      containers (LP: 1802906)
    - d/p/ubuntu-aa/lp-1788603-fix-ptrace-rules-with-kernel-4.18.patch:
      avoid issues with newer kernels >=4.18 (LP: 1788603)
    - Fix an issue where guests with plenty of hostdevs attached were
      detected as not shut down due to the kernel needing more time to free
      up resources (LP: 1788226)
      - d/p/ubuntu/lp-1788226-wait-longer-5-30s-on-hard-shutdown.patch
      - d/p/ubuntu/lp-1788226-wait-longer-on-kill-per-assigned-Hostdev.patch
    - 0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor
      permissions so virt-manager 1.4.0 viewing works (LP 1668681 1747442).
    - 0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add
      mediation rules for unconfined guests
    - d/p/ubuntu-aa/0051-allow-user-tmp.patch: some features need tmp, but
      we don't want blanket access. We only allow enumerating the base dir
      and reading owned files. Further features needing /tmp have to add
      local overrides, examples are qemu-smb and some modes of local
      snapshots. (LP: 1365261)
      Can be dropped >=libvirt 4.7
    - d/p/ubuntu-aa/0052-allow-to-preserve-dev-mountpoints.patch: Allow to
      preserve /dev mountpoints in qemu namespaces (LP: 1786168)
      Can be dropped >=libvirt 4.7
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice. Upstream completely dropped
      alternative types and kvm-spice is a symlink for quite some time.
      Builtin expected binaries work, so drop this delta.
  * Dropped Changes (in Debian)
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.

 -- Christian Ehrhardt Tue, 08 Jan 2019 13:09:31 +0100

libvirt (5.0.0-1) unstable; urgency=medium

  * [7346f30] New upstream version 5.0.0
  * [1c46a4c] Drop sheepdog support (Closes: #908071)
  * [b88175f] Bump symbol versions
  * [c13a8da] Rediff patches

 -- Guido Günther Wed, 16 Jan 2019 10:31:33 +0100

libvirt (4.10.0-2) unstable; urgency=medium

  [ Marcin Juszkiewicz ]
  * [d143d3c] update Vcs-git tags to point to salsa.debian.org
  * [96995c1] Fix versions in *.NEWS files
  * [8e8286d] Don't mark bash completion as executable
  * [72f8ed3] Use multiarch layout.
    Based on what Ubuntu does (Closes: #813062)
  * [9b52c21] Use dpkg-buildflags on configure to e.g. get the proper
    hardening flags.

  [ Andrea Bolognani ]
  * [684bb89] Move data files from libvirt-daemon to libvirt0.
    These files are used internally by the library, so they should be
    shipped along with it rather than with the daemon. This is consistent
    with the upstream libvirt.spec file. The pattern is partially expanded
    in the libvirt0.install file to avoid having to remove a specific
    subset of data files later on as part of debian/rules.

  [ Guido Günther ]
  * [a6cbf92] cpu_map is now a directory.
    It used to be a single XML file

 -- Guido Günther Tue, 18 Dec 2018 12:55:10 +0100

libvirt (4.10.0-1) unstable; urgency=medium

  * [0cde44d] Remove bridge-utils from recommends.
    We don't use brctl since ages. Thanks to Andreas Henriksson
  * [3c22e06] Drop debian/remove-RHism.diff.patch.
    Debian has /usr/bin/service since quite some time now.
    Thanks to Andrea Bolognani
  * [54a5cdb] New upstream version 4.10.0
  * [87f075c] Rediff patches
  * [f798585] Bump symbol versions
  * [3bfd881] Depend on sensible-utils

 -- Guido Günther Thu, 13 Dec 2018 11:58:14 +0100

libvirt (4.7.0-1) unstable; urgency=medium

  * [8ff38ac] New upstream version 4.7.0 (Closes: #908341)
  * [afdd147] Bump symbol versions
  * [41fa8f5] Rediff patches.
    Drop all jansson related patches. Fixed upstream.

 -- Guido Günther Sun, 09 Sep 2018 21:42:33 +0200

libvirt (4.6.0-2ubuntu6) disco; urgency=medium

  * No-change rebuild for readline soname change.

 -- Matthias Klose Tue, 15 Jan 2019 10:26:04 +0000

libvirt (4.6.0-2ubuntu5) disco; urgency=medium

  * d/p/ubuntu/lp1787405-0008-qemu-mdev-Use-vfio-pci-display-property-only-with-vf.patch:
    fix handling of non PCI vfio display property (part of LP: #1787405)

 -- Christian Ehrhardt Thu, 06 Dec 2018 09:20:39 +0100

libvirt (4.6.0-2ubuntu4) disco; urgency=medium

  * debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
    Adapters on s390x (LP: #1787405)
  * d/p/ubuntu/lp-1802727-netdevbridge-fall-back-to-ioctl-from-sysfs.patch:
    fix libvirt bridge handling in unprivileged containers (LP: #1802906)

 -- Christian Ehrhardt Fri, 09 Nov 2018 07:42:01 +0100

libvirt (4.6.0-2ubuntu3) cosmic; urgency=medium

  * d/p/ubuntu-aa/lp-1788603-fix-ptrace-rules-with-kernel-4.18.patch: avoid
    issues with newer kernels >=4.18 (LP: #1788603)

 -- Christian Ehrhardt Mon, 27 Aug 2018 10:57:57 +0200

libvirt (4.6.0-2ubuntu2) cosmic; urgency=medium

  * Fix an issue where guests with plenty of hostdevs attached were
    detected as not shut down due to the kernel needing more time to free up
    resources (LP: #1788226)
    - d/p/ubuntu/lp-1788226-wait-longer-5-30s-on-hard-shutdown.patch
    - d/p/ubuntu/lp-1788226-wait-longer-on-kill-per-assigned-Hostdev.patch

 -- Christian Ehrhardt Tue, 21 Aug 2018 17:51:43 +0200

libvirt (4.6.0-2ubuntu1) cosmic; urgency=medium

  * Merged with Debian unstable (LP: #1786957).
    Among many other new features and fixes this includes fixes for
    (LP: #1754871),
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch:
        auto set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users
        on Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by
      making vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Add dnsmasq configuration to work with system wide dnsmasq (drop
      >18.04, no more UCA onto Xenial then which has global dnsmasq by
      default).
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu
      only or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
        Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        apparmor, libvirt-qemu: Allow read access to overcommit_memory
      + 0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch:
        apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv
      + 0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch:
        apparmor, virt-aa-helper: Allow access to tmp directories
      + ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch:
        apparmor, virt-aa-helper: Allow various storage pools and image
        locations
      + 0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch:
        apparmor, virt-aa-helper: Add openvswitch support
      + 0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor
        permissions so virt-manager 1.4.0 viewing works
        (LP 1668681 1747442).
        Can be dropped >=libvirt 4.7
      + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor,
        libvirt-qemu: Add 9p support
      + 0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add
        l to 9p file options.
      + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch:
        virt-aa-helper: Ask for no deny rule for readonly disk (renamed and
        reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch)
      + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch:
        apparmor, libvirt-qemu: Allow reading charm-specific ceph config
      + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow
        commands executed by ubuntu only kvm wrapper on ppc64el
        (LP 1686621 & LP 1680384).
+ 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova + 0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add mediation rules for unconfined guests Can be dropped >=libvirt 4.7 - d/rules: enable build time self tests on all architectures - run dnsmasq as libvirt-dnsmasq (LP: 1743718) + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users - debian/rules: disable the netcf backend. (LP: 1764314) - debian/control: drop libnetcf from Build-Depends. - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. - d/rules: install virtlockd correctly with defaults file (LP: 1729516) * Added Changes - 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: updated to take care of no more silencing and thereby hiding denials (LP 1719579 is an example) - 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: updated to also allow the optionally placed ceph asok file (LP: #1779674) - 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: prepare profile for usrmerge (LP: #1784023) - Finalize the libvirt-bin -> libvirt-* transition in the apport package-hook. - d/p/ubuntu-aa/0050-local-include-for-libvirt-qemu.patch, d/libvirt-daemon-system.postinst: provide a local apparmor include for abstraction/libvirt-qemu (LP: #1786019) - d/p/ubuntu-aa/0051-allow-user-tmp.patch: some features need tmp, but we don't want blanket access. We only allow enumerating the base dir and reading owned files.
Further features needing /tmp have to add local overrides, examples are qemu-smb and some modes of local snapshots. (LP: #1365261) Can be dropped >=libvirt 4.7 - d/p/ubuntu-aa/0052-allow-to-preserve-dev-mountpoints.patch: Allow to preserve /dev mountpoints in qemu namespaces (LP: #1786168) Can be dropped >=libvirt 4.7 - avoid service dependency issues on upgrade (LP: #1786179) This will in the long term be resolved in dh_* tools, but to let an upgrade work for now we need to drop the sysV scripts (which we don't use anyway) and slightly modify the systemd service to work with today's dh_systemd_start properly. Can be dropped once Debian bug 905772 is resolved in dh_* tools and libvirt uses that new code. - d/libvirt-daemon-system.virtlogd.init: removed sysV init file - d/libvirt-daemon-system.libvirtd.init: removed sysV init file - debian/libvirt-daemon-system.maintscript: rm_conffile for virtlogd and libvirtd sysV init file - d/p/ubuntu/avoid-restarting-virtlog-socket.patch: drop Also references to virtlogd/virtlockd sockets as they would imply a restart of virtlogd breaking it. - d/t/smoke-lxc: use systemd instead of sysV to restart the service * Dropped Changes (upstream) - d/p/ubuntu/virt-aa-helper-Set-the-supported-features.patch: allow parsing of memory slots and other extended features without breaking virt-aa-helper (LP: 1746431).
- d/p/stable/0001-Revert-qemu-monitor-do-not-report-error-on-shutdown.patch - d/p/stable/0002-nodedev-Fix-failing-to-parse-PCI-address-for-non-PCI.patch - d/p/stable/0003-qemu-assign-correct-type-of-PCI-address-for-vhost-sc.patch - d/p/stable/0004-qemu-Refresh-caps-cache-after-booting-a-different-ke.patch - d/p/stable/0005-qemu-auto-add-generic-xhci-rather-than-NEC-xhci-to-Q.patch - d/p/stable/0006-libvirtd-Explicit-dependency-on-systemd-machined.patch - d/p/stable/0007-rpc-fix-race-sending-and-encoding-sasl-data.patch - d/p/stable/0008-vhost-user-add-support-reconnect-for-vhost-user-port.patch - d/p/stable/0009-qemu-Fix-memory-leak-in-processGuestPanicEvent.patch - d/p/stable/0010-storage-util-Properly-ignore-errors-when-backing-vol.patch - d/p/stable/0011-conf-Use-correct-attribute-name-in-error-message.patch - d/p/stable/0012-util-json-Add-helper-to-return-string-or-number-prop.patch - d/p/stable/0013-util-storage-Parse-lun-for-iSCSI-protocol-from-JSON-.patch - d/p/stable/0014-virsh-Offer-only-persistent-domains-for-autostart.patch - d/p/stable/0015-blockjob-Fix-a-error-checking-of-blockjob-status-in-.patch - d/p/stable/0016-qemu-Expose-rx-tx_queue_size-in-qemu.conf-too.patch - d/p/stable/0017-qemu-migration-Refresh-device-information-after-tran.patch - d/p/stable/0018-qemuDomainRemoveMemoryDevice-unlink-memory-backing-f.patch - d/p/stable/0019-vbox-fix-SEGV-during-dumpxml-of-a-serial-port.patch - d/p/stable/0020-qemu-Initialize-priv-in-qemuDomainCoreDumpWithFormat.patch - d/p/stable/0021-fix-regex-to-check-CN-from-server-certificate.patch - d/p/stable/0022-storage-Fix-formatting-and-parsing-of-qemu-type-Unix.patch - d/p/stable/0023-util-storage-Remove-detected-authentication-data-for.patch - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch - 
d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch - d/p/stable/0033-qemu-Fix-comparison-assignment-in-qemuDomainUpdateDe.patch - d/p/stable/0034-qemu-Fix-memory-leak-in-qemuConnectGetAllDomainStats.patch - d/p/stable/0035-libvirtd-fix-potential-deadlock-when-reloading.patch - d/p/stable/0036-qemu-Use-correct-bus-type-for-input-devices.patch - d/p/stable/0037-qemu-hostdev-Fix-the-error-on-VM-start-with-an-mdev-.patch - d/p/stable/0038-conf-Fix-crash-in-virDomainDefCompatibleDevice.patch - d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch: avoid hanging on shutdown (LP: 1688508) - d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch fix issues if sasl is configured (LP: 1696471) - d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch ensure symlinks are resolved to get valid rules if interim parts of a path are a symlink (LP: 1752361) - d/p/ubuntu/lp1688508-tools-fix-variable-scope-in-in-check_guests_shutdown: avoid issues shutting down more guests than configured for parallel shutdown (LP: 1688508) - d/p/ubuntu-aa/lp1756394-virt-aa-helper-resolve-file-symlinks.patch: fix using devices that are symlinks (LP: 1756394) - Fix nvdimm memory and passthrough input devices for hotplug via domain security callbacks backporting upstream commits (LP: 1755153). + d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch + d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch - Fix nvdimm memory and passthrough input devices in initial guest description via virt-aa-helper (LP: 1757085).
+ d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch + d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch - Fix clean shut down of guests on system shutdown (LP: 1764668) + d/p/ubuntu/lp-1764668-do-not-report-unknown-guests.patch + d/p/ubuntu/lp-1764668-fix-check_guests_shutdown-loop.patch - SECURITY UPDATE: QEMU monitor DoS + debian/patches/CVE-2018-1064.patch: add size limit to src/qemu/qemu_agent.c. + CVE-2018-1064 - SECURITY UPDATE: Speculative Store Bypass + debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature bit in src/cpu/cpu_map.xml. + debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID feature bit in src/cpu/cpu_map.xml. + CVE-2018-3639 - d/p/ubuntu-aa/lp1775777-vfio-usage-without-initial-hostdev.patch: fix hotplug use cases where the initial guest had no hostdev at all and therefore virt-aa-helper did not allow /dev/vfio/vfio (LP: 1775777) - debian/patches/ubuntu/lp-1758037-nwfilter-increase-pcap-buffer-size.patch: Fix nwfilters that set CTRL_IP_LEARNING set to dhcp failing with "An error occurred, but the cause is unknown" due to a buffer being too small for pcap with TPACKET_V3 enabled (LP: 1758037) - SECURITY UPDATE: code injection via libnss_dns.so + debian/patches/CVE-2018-6764-1.patch: determine the hostname on startup in src/util/virlog.c. + debian/patches/CVE-2018-6764-2.patch: fix syntax-check in src/util/virlog.c. + debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname in cfg.mk, src/util/virlog.c. + CVE-2018-6764 * Dropped Changes (no upgrade path left that needs those) - Backwards compatible handling of group rename (can be dropped >18.04). - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04).
+ d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - conffile handling of files dropped in 3.5 (can be dropped >18.04) + /etc/init.d/virtlockd was sysv init only + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed - d/libvirt-daemon-system.maintscript: remove the now dropped conffile /etc/cron.daily/libvirt-daemon-system * Dropped Changes (cleanups) - d/test/smoke-lxc workaround for debbug 848317/867379 (systemd has fixed one issue and the other is solved in libvirt by ensuring to move to the right cgroups.) - remove no more used libvirt-dnsmasq user (this was redundant since 4.0.0-1ubuntu5 reintroduced a libvirt-dnsmasq user) - Disable selinux (now in main) -- Christian Ehrhardt Sat, 18 Aug 2018 14:40:58 +0200 libvirt (4.6.0-2) unstable; urgency=medium * [c33faee] Drop dwarves dependency. Unmaintained and only used in the test suite. (Closes: #905700) * [43da5ad] Don't use jansson for JSON encoding. It has borken integer parsing. 
This adds new patches: Revert-m4-Introduce-STABLE_ORDERING_JANSSON.patch Revert-Remove-virJSONValueNewStringLen.patch Revert-build-undef-WITH_JANSSON-for-SETUID_RPC_CLIENT.patch Revert-tests-qemucapsprobe-Fix-output-after-switching-to-.patch Revert-build-require-Jansson-if-QEMU-driver-is-enabled.patch Revert-util-jsoncompat-Stub-out-virJSONInitialize-when-co.patch Revert-Switch-from-yajl-to-Jansson.patch Revert-remote-daemon-Make-sure-that-JSON-symbols-are-prop.patch Revert-build-remove-references-to-WITH_YAJL-for-SETUID_RP.patch Revert-build-add-with-jansson.patch Revert-Remove-functions-using-yajl.patch Revert-build-switch-with-qemu-default-from-yes-to-check.patch Revert-tests-also-skip-qemuagenttest-with-old-jansson.patch Revert-util-avoid-symbol-clash-between-json-libraries.patch (Closes: #906116) -- Guido Günther Tue, 14 Aug 2018 15:09:14 +0200 libvirt (4.6.0-1) unstable; urgency=medium * [afd5e39] d/control: Fix typo in libnss-libvirt's short description. Thanks to Salvatore Bonaccorso (Closes: #904738) * [f2f7871] New upstream version 4.6.0 * [a81e098] Drop apparmor-Fix-forgotten-comma-at-EOL.patch applied upstream * [d53b4b1] Use jansson instead of yajl. The latter is no longer supported upstream * [bf99d36] Bump symbol versions -- Guido Günther Mon, 06 Aug 2018 21:54:45 +0200 libvirt (4.5.0-1) unstable; urgency=medium * [c2b3afc] New upstream version 4.5.0 * [50aa257] Drop patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch not needed with QEMU since at least stretch.
* [7698a4e] Build-dep on libwiretap-dev for the wireshark dissector * [2390909] examples: adjust to libvirtd code move * [64e5530] Bump symbol versions * [a89e652] l-d-s: suggest open-iscsi (Closes: #903262) * [882c646] Install bash completion (Closes: #902450) * [8d79673] apparmor: Fix forgotten comma at EOL * [0a9cb25] Install storage-file drivers * [84269a2] Warn about uninstalled files -- Guido Günther Tue, 17 Jul 2018 09:36:26 +0200 libvirt (4.3.0-1) unstable; urgency=medium * [8730a15] New upstream version 4.3.0 * [1272efc] Drop patches due to upstream code removal. Allow-xen-toolstack-to-find-it-s-binaries.patch debian/fix-Debian-specific-path-to-hvm-loader.patch * [20eb594] Bump symbol versions -- Guido Günther Wed, 16 May 2018 12:09:53 +0200 libvirt (4.2.0-3) unstable; urgency=medium * [78872cc] Ship logrotate snippets again (Closes: #895709) -- Guido Günther Wed, 16 May 2018 07:54:29 +0200 libvirt (4.2.0-2) unstable; urgency=medium * [c859ce5] Prefer /sbin over /usr/sbin. If libvirt is built in a chroot with merged /usr it will otherwise break on non /usr merged systems. (Closes: #895145) -- Guido Günther Sun, 08 Apr 2018 11:05:14 +0200 libvirt (4.2.0-1) unstable; urgency=medium [ Laurent Bigonville ] * [8d62a8c] Start admin sockets on installation (Closes: #893484) [ Guido Günther ] * [417534b] New upstream version 4.2.0 (Closes: #894985) * [9d7fa44] Bump symbol versions * [c23ed3d] Rediff patches. 
Applied upstream: lockd-fix-typo-in-virtlockd-admin.socket.patch CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch -- Guido Günther Fri, 06 Apr 2018 12:33:30 +0200 libvirt (4.1.0-2) unstable; urgency=medium * [0b6cf2f] lockd: fix typo in virtlockd-admin.socket (Closes: #893330) -- Guido Günther Sun, 18 Mar 2018 10:51:37 +0100 libvirt (4.1.0-1) unstable; urgency=medium * [3cbbfa5] New upstream version 4.1.0 * [0e596b3] Bump symbol versions * [e886044] Drop patches applied upstream - apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch - virlog-determine-the-hostname-on-startup-CVE-2018-6764.patch * [097d74c] CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent -- Guido Günther Thu, 15 Mar 2018 08:25:29 +0100 libvirt (4.0.0-2) unstable; urgency=medium * [4339f02] CVE-2018-6764: virlog: determine the hostname on startup Closes: #889839 -- Guido Günther Thu, 08 Feb 2018 19:29:59 +0100 libvirt (4.0.0-1ubuntu13) cosmic; urgency=medium * debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI Secure Boot enabled variants of the OVMF firmware and variable store for the paths where we ship these files in Ubuntu. -- Mathieu Trudel-Lapierre Wed, 27 Jun 2018 11:16:23 -0400 libvirt (4.0.0-1ubuntu12) cosmic; urgency=medium * d/p/ubuntu-aa/lp1775777-vfio-usage-without-initial-hostdev.patch: fix hotplug use cases where the initial guest had no hostdev at all and therefore virt-aa-helper did not allow /dev/vfio/vfio (LP: #1775777) -- Christian Ehrhardt Tue, 12 Jun 2018 16:24:01 +0200 libvirt (4.0.0-1ubuntu11) cosmic; urgency=medium * SECURITY UPDATE: QEMU monitor DoS - debian/patches/CVE-2018-1064.patch: add size limit to src/qemu/qemu_agent.c. - CVE-2018-1064 * SECURITY UPDATE: Speculative Store Bypass - debian/patches/CVE-2018-3639-1.patch: define the 'ssbd' CPUID feature bit in src/cpu/cpu_map.xml. - debian/patches/CVE-2018-3639-2.patch: define the 'virt-ssbd' CPUID feature bit in src/cpu/cpu_map.xml.
- CVE-2018-3639 -- Marc Deslauriers Tue, 22 May 2018 10:55:56 -0400 libvirt (4.0.0-1ubuntu10) cosmic; urgency=medium * Fix nwfilters that set CTRL_IP_LEARNING set to dhcp failing with "An error occurred, but the cause is unknown" due to a buffer being too small for pcap with TPACKET_V3 enabled (LP: #1758037) - debian/patches/ubuntu/lp-1758037-nwfilter-increase-pcap-buffer-size.patch -- Christian Ehrhardt Wed, 09 May 2018 17:07:59 +0200 libvirt (4.0.0-1ubuntu9) cosmic; urgency=medium * debian/rules: disable the netcf backend. (LP: #1764314) * debian/control: drop libnetcf from Build-Depends. -- Mathieu Trudel-Lapierre Wed, 09 May 2018 10:06:15 -0400 libvirt (4.0.0-1ubuntu8) bionic; urgency=medium * Fix clean shut down of guests on system shutdown (LP: #1764668) - d/p/ubuntu/lp-1764668-do-not-report-unknown-guests.patch - d/p/ubuntu/lp-1764668-fix-check_guests_shutdown-loop.patch -- Christian Ehrhardt Tue, 24 Apr 2018 11:09:48 +0200 libvirt (4.0.0-1ubuntu7) bionic; urgency=medium * Fix nvdimm memory and passthrough input devices for hotplug via domain security callbacks backporting upstream commits (LP: #1755153). - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch * Fix nvdimm memory and passthrough input devices in initial guest description via virt-aa-helper (LP: #1757085). 
- d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch - d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch -- Christian Ehrhardt Wed, 21 Mar 2018 08:30:47 +0100 libvirt (4.0.0-1ubuntu6) bionic; urgency=medium * Backport from recent upstream to stabilize libvirt (LP: #1756915) - d/p/stable/0033-qemu-Fix-comparison-assignment-in-qemuDomainUpdateDe.patch - d/p/stable/0034-qemu-Fix-memory-leak-in-qemuConnectGetAllDomainStats.patch - d/p/stable/0035-libvirtd-fix-potential-deadlock-when-reloading.patch - d/p/stable/0036-qemu-Use-correct-bus-type-for-input-devices.patch - d/p/stable/0037-qemu-hostdev-Fix-the-error-on-VM-start-with-an-mdev-.patch - d/p/stable/0038-conf-Fix-crash-in-virDomainDefCompatibleDevice.patch * d/p/ubuntu/lp1688508-tools-fix-variable-scope-in-in-check_guests_shutdown: avoid issues shutting down more guests than configured for parallel shutdown (LP: #1688508) * d/p/ubuntu-aa/lp1756394-virt-aa-helper-resolve-file-symlinks.patch: fix using devices that are symlinks (LP: #1756394) -- Christian Ehrhardt Mon, 19 Mar 2018 14:57:08 +0100 libvirt (4.0.0-1ubuntu5) bionic; urgency=medium * run dnsmasq as libvirt-dnsmasq (LP: #1743718) - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users * Backport from recent upstream to stabilize libvirt (LP: #1754352) - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch -
d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch fix issues if sasl is configured (LP: #1696471) * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch ensure symlinks are resolved to get valid rules if interim parts of a path are a symlink (LP: #1752361) -- Christian Ehrhardt Tue, 27 Feb 2018 12:04:02 +0100 libvirt (4.0.0-1ubuntu4) bionic; urgency=medium * d/p/ubuntu/lp1688508-tools-avoid-text-spilling-into-variables.patch: avoid hanging on shutdown (LP: #1688508) -- Christian Ehrhardt Fri, 23 Feb 2018 16:43:19 +0100 libvirt (4.0.0-1ubuntu3) bionic; urgency=medium [ Christian Ehrhardt ] * Backport of 23 bug fixes from recent upstream to stabilize libvirt on 18.04 - d/p/stable/0001-Revert-qemu-monitor-do-not-report-error-on-shutdown.patch - d/p/stable/0002-nodedev-Fix-failing-to-parse-PCI-address-for-non-PCI.patch - d/p/stable/0003-qemu-assign-correct-type-of-PCI-address-for-vhost-sc.patch - d/p/stable/0004-qemu-Refresh-caps-cache-after-booting-a-different-ke.patch - d/p/stable/0005-qemu-auto-add-generic-xhci-rather-than-NEC-xhci-to-Q.patch - d/p/stable/0006-libvirtd-Explicit-dependency-on-systemd-machined.patch - d/p/stable/0007-rpc-fix-race-sending-and-encoding-sasl-data.patch - d/p/stable/0008-vhost-user-add-support-reconnect-for-vhost-user-port.patch - d/p/stable/0009-qemu-Fix-memory-leak-in-processGuestPanicEvent.patch - d/p/stable/0010-storage-util-Properly-ignore-errors-when-backing-vol.patch - d/p/stable/0011-conf-Use-correct-attribute-name-in-error-message.patch - d/p/stable/0012-util-json-Add-helper-to-return-string-or-number-prop.patch -
d/p/stable/0013-util-storage-Parse-lun-for-iSCSI-protocol-from-JSON-.patch - d/p/stable/0014-virsh-Offer-only-persistent-domains-for-autostart.patch - d/p/stable/0015-blockjob-Fix-a-error-checking-of-blockjob-status-in-.patch - d/p/stable/0016-qemu-Expose-rx-tx_queue_size-in-qemu.conf-too.patch - d/p/stable/0017-qemu-migration-Refresh-device-information-after-tran.patch - d/p/stable/0018-qemuDomainRemoveMemoryDevice-unlink-memory-backing-f.patch - d/p/stable/0019-vbox-fix-SEGV-during-dumpxml-of-a-serial-port.patch - d/p/stable/0020-qemu-Initialize-priv-in-qemuDomainCoreDumpWithFormat.patch - d/p/stable/0021-fix-regex-to-check-CN-from-server-certificate.patch - d/p/stable/0022-storage-Fix-formatting-and-parsing-of-qemu-type-Unix.patch - d/p/stable/0023-util-storage-Remove-detected-authentication-data-for.patch * d/rules: enable build time self tests on all architectures [ Marc Deslauriers ] * SECURITY UPDATE: code injection via libnss_dns.so - debian/patches/CVE-2018-6764-1.patch: determine the hostname on startup in src/util/virlog.c. - debian/patches/CVE-2018-6764-2.patch: fix syntax-check in src/util/virlog.c. - debian/patches/CVE-2018-6764-3.patch: fix deadlock obtaining hostname in cfg.mk, src/util/virlog.c. - CVE-2018-6764 -- Christian Ehrhardt Mon, 19 Feb 2018 14:18:44 +0100 libvirt (4.0.0-1ubuntu2) bionic; urgency=medium * d/p/ubuntu-aa/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: refreshed as libvirt 4.0 needs a reversed rule for openGraphicsFD (LP: #1747442) - refreshed 0032 and 0040 to match the new context. * d/p/ubuntu/virt-aa-helper-Set-the-supported-features.patch: allow parsing of memory slots and other extended features without breaking virt-aa-helper (LP: #1746431). 
-- Christian Ehrhardt Fri, 02 Feb 2018 07:31:17 +0100 libvirt (4.0.0-1ubuntu1) bionic; urgency=medium * Merged with Debian unstable (4.0) This closes several bugs: - Error generating apparmor profile when hostname contains spaces (LP: #799997) - qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028) - libvirt usb passthrough throws apparmor denials related to /run/udev/data/+usb (LP: #1727311) - AppArmor denies access to /sys/block/*/queue/max_segments (LP: #1729626) - iohelper improvements to let bypass-cache work without opening up the apparmor isolation (LP: #1719579) - nodeinfo on s390x to contain more CPU info (LP: #1733688) - Upgrade libvirt >= 4.0 (LP: #1745934) * Remaining changes: - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Set qemu-group to kvm (for compat with older ubuntu) - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04). + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - Backwards compatible handling of group rename (can be dropped >18.04). - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today: + autostart the default network by default + do not autostart if subnet is already taken (e.g. in guests). - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. 
- ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch. - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/test/smoke-lxc workaround for debbug 848317/867379 - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317) - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default). 
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - conffile handling of files dropped in 3.5 (can be dropped >18.04) + /etc/init.d/virtlockd was sysv init only + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes: + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681). + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. 
+ d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621). + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova * Dropped Changes (Upstream): - d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios - d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages - d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info - d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions - d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries - d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access to netlink sockets - d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support - d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files - d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd* - d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy - d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices - 
d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd - d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384). - d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch: apparmor: add default pki path of lbvirt-spice (LP 1690140) - d/p/ubuntu-aa/0035-virt-aa-helper-locking-disk-files-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for disk files (LP 1709818) - d/p/ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for loader/nvram (LP 1710960) - d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append files (LP 1726804) - d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch: fix path generation for USB host devices (LP 1552241) - d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch: generate valid rules on usb passthrough (LP 1686324) - d/p/avoid-double-locking.patch: fix a deadlock that could occur when libvirtd interactions raced with dbus causing a deadlock (LP 1714254). - d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch: fix FTBFS with glibc 2.26 (LP 1718668) - Extended handling of apparmor profiles - clear lost profiles via cron (now cleared by virt-aa-helper on domain stop) - nat only on some ports (upstream default now if nothing is specified, actually dropped last cycle) * Dropped Changes (In Debian or no more important): - d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access - d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap (LP 522845). 
- d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store - d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm - d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services - d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384) (added by virt-aa-helper per guest if needed). - d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts - Disable sheepdog (was for universe dependency, but is now only a suggest) - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test * Dropped Changes (In Debian/Upstream now based on interim 3.10 work) some of these were never released, but important to mention for the bug references: - libnss-libvirt once enabled causes apt to call getdents avoid this being an issue by dropping an apt conf that allows this in seccomp (LP: #1732030).
- d/libvirt-daemon-system.postrm: clean up more libvirt directories on purge - d/p/ubuntu-aa/0041-apparmor-allow-unix-stream-for-p2p-migrations.patch: apparmor: allow unix stream for p2p migrations - d/p/ubuntu-aa/0043-security-apparmor-implement-domainSetPathLabel.patch: this replaces the hugepage rules and fixes many more formerly missing - d/p/ubuntu-aa/0044-security-full-path-option-for-DomainSetPathLabel.patch: allowing to have path wildcards on labels set by domain callbacks - d/p/ubuntu-aa/0045-security-apparmor-add-Set-Restore-ChardevLabel.patch: apparmor implementation of security callback - d/p/ubuntu-aa/0046-apparmor-virt-aa-helper-drop-static-channel-rule.patch: this is now covered by chardev label callbacks * Added Changes: - Revert Debian change "Drop libvirt-bin upgrade handling" This is needed in Ubuntu one last time (drop >18.04) - Revert Debian change "Drop maintscript helpers for versions predating jessie and wheezy-backports". This is needed in Ubuntu one last time (drop >18.04) - Refreshed d/p/* to match new version (only fuzz, no semantic change) - d/libvirt-daemon-system.postrm: change order of libvirt-qemu removal to avoid error messages on purge - remove no more used libvirt-dnsmasq user (drop >18.04) - d/p/ubuntu-aa/0040-apparmor-add-mediation-rules-for-unconfined.patch: apparmor: add mediation rules for unconfined guests - d/p/ubuntu-aa/0042-security-introduce-virSecurityManager-Set-Restore-Ch .patch: backport upstream change to expose already used chardev calls. - d/libvirt-daemon-system.postrm: Remove the default.xml network link set up by postinst. - d/libvirt-daemon-system.maintscript: remove the now dropped conffile /etc/cron.daily/libvirt-daemon-system - d/libvirt-daemon-system.postinst: fixups for autostart default network - use modern shell syntax - try more default networks before giving up to enable by default - d/p/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch: add multipass image path and mark as ubuntu only change.
- d/rules: install virtlockd correctly with defaults file (LP: #1729516) - extended d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch to cover the slightly changed behavior of libvirt 4.0 (LP: #1741617) - d/control: make libvirt-daemon-driver-storage-rbd a recommend instead of just a suggest to have 3rd party relying on rbd out of the box working. This is deprecated and users of rbd backend should start depending on this package for it will be dropped to a suggest in future releases. -- Christian Ehrhardt Thu, 14 Dec 2017 14:15:55 +0100 libvirt (4.0.0-1) unstable; urgency=medium * [5936904] New upstream version 4.0.0 * [bcb7ca3] Drop patches applied upstream. Allow-libvirt-to-kill-unconfined-domains.patch Drop qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch -- Guido Günther Sat, 20 Jan 2018 16:31:11 +0100 libvirt (4.0.0~rc2-1) experimental; urgency=medium * [8dd2f5b] Don't manage /etc/apparmor.d/local as conf files (Closes: #887612) * [0819e5a] apparmor: allow libvirt to send term signal to unconfined * [b1ecc1a] New upstream version 4.0.0~rc2 * [7406ae5] CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor (Closes: #887700) * [564e232] Bump symbol versions * [0a274c0] d/control: use priority optional instead of extra -- Guido Günther Fri, 19 Jan 2018 12:54:54 +0100 libvirt (4.0.0~rc1-1) experimental; urgency=medium [ Guido Günther ] * [a225d2b] New upstream version 4.0.0~rc1 (Closes: #881293, #846534) * [2270343] Rediff patches [ intrigeri ] * [89b8ab4] Allow libvirt to kill unconfined domains [ Christian Ehrhardt ] * [b2ce106] Clear more directories on purge (Closes: #884828) * [0cd10ab] Avoid apt seccomp issues due to libnss-libvirt (LP: #1732030) -- Guido Günther Mon, 15 Jan 2018 09:44:37 +0100 libvirt (3.10.0-1) unstable; urgency=medium * [0d103b6] Bump standards version * [3eca017] Add russian debconf translation. 
Thanks to Lev Lamberov (Closes: #883109) * [04da2ca] New upstream version 3.10.0 * [f311e52] Drop AppArmor-add-rules-needed-with-additional-mediation-featu.patch - fixed upstream * [0c7f363] Bump symbol versions * [cbe1699] Use recent debhelper instead of dh-systemd * [c757791] apparmor: Allow virt-aa-helper to access the name service switch. Thanks to Martin Pitt (Closes: #882979) -- Guido Günther Tue, 05 Dec 2017 14:55:51 +0100 libvirt (3.9.0-1) unstable; urgency=medium * [eef697c] New upstream version 3.9.0 -- Guido Günther Sun, 05 Nov 2017 14:49:43 +0100 libvirt (3.9.0~rc1-1) experimental; urgency=medium * Upload to experimental * [23e28a0] New upstream version 3.9.0~rc1 * [b19f9f8] Bump symbol versions * [83a3ff3] Drop patches applied upstream apparmor-add-dnsmasq-ptrace-rule-to-libvirtd-profile.patch virt-host-validate-require-fuse-for-LXC-if-compiled-in.patch qemu-ensure-TLS-clients-always-verify-the-server-certific.patch * [e834771] AppArmor: add rules needed with additional mediation features brought by Linux 4.14. Thanks: intrigeri (Closes: #879772) -- Guido Günther Tue, 31 Oct 2017 12:13:29 +0100 libvirt (3.8.0-3) unstable; urgency=medium * [e0e0a42] virt-host-validate: require fuse for LXC if compiled in. This should make us skip the lxc test properly on debci. 
* [d16ae50] Drop libvirt-bin upgrade handling libvirt-bin was dropped before Jessie * [3f18a26] CVE-2017-1000256: qemu: ensure TLS clients always verify the server certificate (Closes: #878799) -- Guido Günther Mon, 16 Oct 2017 19:36:25 +0200 libvirt (3.8.0-2) unstable; urgency=medium * Upload to unstable Closes: #878153 * [646a20f] apparmor: add dnsmasq ptrace rule to libvirtd profile -- Guido Günther Thu, 12 Oct 2017 10:27:25 +0200 libvirt (3.8.0-1) experimental; urgency=medium * [842dee5] Add id-length to gbp.conf * [6cf2527] New upstream version 3.8.0 -- Guido Günther Thu, 05 Oct 2017 18:30:55 +0200 libvirt (3.8.0~rc1-1) experimental; urgency=medium * apparmor: add attach_disconnected * apparmor: cater for new AAVMF image location * Don't ship apparmor profiles in the doc package too. This is just confusing since things are installed in libvirt-daemon-system. * Drop maintscript helpers for versions predating jessie and wheezy-backports * New upstream version 3.8.0~rc1 * New upstream version 3.8.0~rc1 * Rediff patches apparmor-cater-for-new-AAVMF-image-location.patch apparmor-delete-profile-on-VM-shutdown.patch apparmor-add-attach_disconnected.patch * Bump symbol versions -- Guido Günther Fri, 29 Sep 2017 12:53:25 +0200 libvirt (3.7.0-4) unstable; urgency=medium * Pass-GPG_TTY-env-var-to-the-ssh-binary.patch: sanitize commit message * apparmor: add attach_disconnected (Closes: #876071) * apparmor: cater for new AAVMF image location * apparmor: delete profile on VM shutdown -- Guido Günther Mon, 18 Sep 2017 20:24:07 +0200 libvirt (3.7.0-3) unstable; urgency=medium * Move glusterfs, rbd, sheepdog and zfs storage drivers into separate packages. This reduces the dependencies pulled into default installations.
(Closes: #875834) -- Guido Günther Fri, 15 Sep 2017 14:09:31 +0200 libvirt (3.7.0-2) unstable; urgency=medium * Update copyright file -- Guido Günther Thu, 14 Sep 2017 12:16:47 +0200 libvirt (3.7.0-1) unstable; urgency=medium * New upstream version 3.7.0 (Closes: #874323) * Rediff patches * Bump symbol versions * Also pass $TERM to ssh so pinentry works Thanks to Guilhem Moulin (Closes: #843863) * Enable Gluster support (Closes: #755545) * Enable wireshark dissector (Closes: #862989) -- Guido Günther Fri, 08 Sep 2017 14:52:38 +0200 libvirt (3.6.0-1ubuntu6) artful; urgency=medium * d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append files (LP: #1726804) * d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch: fix path generation for USB host devices (LP: #1552241) * d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch: generate valid rules on usb passthrough (LP: #1686324) -- Christian Ehrhardt Tue, 24 Oct 2017 14:30:34 +0200 libvirt (3.6.0-1ubuntu5) artful; urgency=medium * d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch: fix FTBFS with glibc 2.26 (LP: #1718668) -- Christian Ehrhardt Thu, 28 Sep 2017 08:18:10 -0400 libvirt (3.6.0-1ubuntu4) artful; urgency=medium * d/p/avoid-double-locking.patch: fix a deadlock that could occur when libvirtd interactions raced with dbus causing a deadlock (LP: #1714254). 
-- Christian Ehrhardt Fri, 01 Sep 2017 10:29:35 +0200 libvirt (3.6.0-1ubuntu3) artful; urgency=medium * No change rebuild for Qemu 2.10 and Xen 4.9 -- Christian Ehrhardt Mon, 21 Aug 2017 10:34:13 +0200 libvirt (3.6.0-1ubuntu2) artful; urgency=medium * d/p/ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for loader/nvram (LP: #1710960) -- Christian Ehrhardt Thu, 17 Aug 2017 10:00:19 +0200 libvirt (3.6.0-1ubuntu1) artful; urgency=medium * Merged with Debian unstable (3.6) This closes several bugs: - aarch64: improved chardev handling (LP: #1697610) - Forbid locking memory without memtune (LP: #1708305) * Remaining changes: - Disable sheepdog (universe dependency) - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Set qemu-group to kvm (for compat with older ubuntu) - Regularly clear AppArmor profiles for vms that no longer exist - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04). + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - Backwards compatible handling of group rename (can be dropped >18.04). - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today: + nat only on some ports + autostart the default network by default + do not autostart if 192.168.122.0 is already taken (e.g. 
in containers) - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch. - Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/test/smoke-lxc workaround for debbug 848317/867379 - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317) - Extended handling of apparmor profiles - clear lost profiles via cron - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default). 
- d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx - conffile handling of files dropped in 3.5 (can be dropped >18.04) + /etc/init.d/virtlockd was sysv init only + /etc/apparmor.d/local/usr.sbin.libvirtd and /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper are now generated by dh_apparmor as needed - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes: + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions + d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access 
to netlink sockets + d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd* + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681). + d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384). + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384). 
+ d/p/0028-apparmor-add-default-pki-path-of-lbvirt-spice.patch: apparmor: add default pki path of lbvirt-spice (LP 1690140) + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621). + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova * Dropped Changes (Upstream): - d/p/ubuntu/fix-libxl-default-driver-name.patch: avoid an issue with default driver entries missing name='qemu'. - d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP 1704782) Fix to be able to follow BackinStorage chains when creating per guest apparmor rules. * Dropped Changes (In Debian): - Enable esx support + Add build-dep to libcurl4-gnutls-dev (required for esx) * Added Changes: - d/p/ubuntu-aa/0035-virt-aa-helper-locking-disk-files-for-qemu-2.10.patch: for compatibility with the behavior of qemu 2.10 this adds locking permission to rules generated for disk files (LP: #1709818) -- Christian Ehrhardt Thu, 10 Aug 2017 12:44:47 +0200 libvirt (3.6.0-1) unstable; urgency=medium * [ece8d56] New upstream version 3.6.0 (Closes: #870626) * [f807f7e] Move debianization patches to front of pq since these are unlikely to go away * [a06e5a6] Don't build nss on non-linux since it depends on network support which is not available on non-linux. 
Thanks to Pino Toscano (Closes: #867393) * [6982266] Enable esx support (Closes: #602807) * [2c29499] Bump symbol versions * [f974bd9] d/control: fix typo. Thanks to lintian * [d4f1521] Bump standards version to 4.0.0 -- Guido Günther Fri, 04 Aug 2017 00:05:47 -0300 libvirt (3.5.0-1ubuntu3) artful; urgency=medium * Refresh changes to match the way they were accepted upstream - d/p/u/aa-helper-Properly-link-with-storage-driver.patch add commit reference now that it is in git. - d/p/u/fix-libxl-default-driver-name.patch: instead of adding the name this is now fixed by relaxing the schema. -- Christian Ehrhardt Wed, 19 Jul 2017 12:48:39 +0200 libvirt (3.5.0-1ubuntu2) artful; urgency=medium * d/p/u/aa-helper-Properly-link-with-storage-driver.patch (LP: #1704782) Fix to be able to follow BackinStorage chains when creating per guest apparmor rules. -- Christian Ehrhardt Tue, 18 Jul 2017 16:34:57 +0200 libvirt (3.5.0-1ubuntu1) artful; urgency=medium * Merged with Debian unstable (3.5) This closes several bugs: - improved handling of host-model since libvirt 3.2 (LP: #1673467) - Adding POWER9 cpu model to cpu_map.xml (LP: #1690209) * Remaining changes: - Disable sheepdog (universe dependency) - Disable libssh2 support (universe dependency) - Disable firewalld support (universe dependency) - Disable selinux - Enable esx support + Add build-dep to libcurl4-gnutls-dev (required for esx) - Set qemu-group to kvm (for compat with older ubuntu) - Regularly clear AppArmor profiles for vms that no longer exist - Additional apport package-hook - Modifications to adapt for our delayed switch away from libvirt-bin (can be dropped >18.04).
+ d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias to old service name so that old references work + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias to old service name so that old references work + d/control: transitional package with the old name and maintainer scripts to handle the transition - Backwards compatible handling of group rename (can be dropped >18.04). - config details and autostart of default bridged network. Creating that is now the default in general, yet our solution provides the following on top as of today: + nat only on some ports + autostart the default network by default + do not autostart if 192.168.122.0 is already taken (e.g. in containers) - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is the group based access to libvirt functions as it was used in Ubuntu for quite long. + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests due to the group access change. - ubuntu/parallel-shutdown.patch: set parallel shutdown by default. - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm which provided a separate kvm-spice. - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The section that adapts the path of the emulator to the Debian/Ubuntu packaging is kept. - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto set VRAM to minimum requirements - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts - Add libxl log directory - libvirt-uri.sh: Automatically switch default libvirt URI for users on Xen dom0 via user profile (was missing on changelogs before) - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from included_files to avoid build failures due to duplicate definitions. - Update README.Debian with Ubuntu changes - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch. 
- Enable some additional features on ppc64el and s390x (for arch parity) + systemtap, zfs, numa and numad on s390x. + systemtap on ppc64el. - fix conffile upgrade handling to avoid obsolete files and inactive duplicates (LP 1694159) - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making vmlinuz available and accessible (Debian bug 848314) - d/t/control, d/t/smoke-lxc: fix up lxc smoke test (Debian bug 848317) - Extended handling of apparmor profiles - clear lost profiles via cron - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04, no more UCA onto Xenial then which has global dnsmasq by default). - Reworked apparmor Delta, especially the more complex delta is dropped now, also our former delta is now split into logical pieces, has improved comments and is part of a continuous upstreaming effort. Listing related remaining changes: + d/p/0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor: Allow pygrub to run on Debian/Ubuntu + d/p/0002-apparmor-libvirt-qemu-Allow-macvtap-access.patch: apparmor, libvirt-qemu: Allow macvtap access + d/p/0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch: apparmor, libvirt-qemu: Allow read access to overcommit_memory + d/p/0004-apparmor-Explicit-deny-for-setpcap.patch: apparmor: Explicit deny for setpcap + d/p/0005-apparmor-libvirt-qemu-Allow-use-of-sgabios.patch: apparmor, libvirt-qemu: Allow use of sgabios + d/p/0006-apparmor-libvirt-qemu-Silence-lttng-related-deny-mes.patch: apparmor, libvirt-qemu: Silence lttng related deny messages + d/p/0007-apparmor-libvirt-qemu-Allow-owner-read-access-to-PRO.patch: apparmor, libvirt-qemu: Allow owner read access to @{PROC}/*/auxv + d/p/0008-apparmor-libvirt-qemu-Allow-read-access-to-sysfs-sys.patch: apparmor, libvirt-qemu: Allow read access to sysfs system info + d/p/0009-apparmor-libvirt-qemu-Allow-read-access-to-max_mem_r.patch: apparmor, libvirt-qemu: Allow read access to max_mem_regions + 
d/p/0010-apparmor-libvirt-qemu-Allow-qemu-block-extra-librari.patch: apparmor, libvirt-qemu: Allow qemu-block-extra libraries + d/p/0011-apparmor-libvirt-qemu-Allow-access-to-hugepage-mount.patch: apparmor, libvirt-qemu: Allow access to hugepage mounts + d/p/0012-apparmor-libvirtd-Allow-access-to-netlink-sockets.patch: apparmor, libvirtd: Allow access to netlink sockets + d/p/0013-apparmor-Add-rules-for-mediation-support.patch: apparmor: Add rules for mediation support + d/p/0014-apparmor-virt-aa-helper-Improve-comment-about-backin.patch: apparmor, virt-aa-helper: Improve comment about backing store + d/p/0015-apparmor-virt-aa-helper-Allow-access-to-ecryptfs-fil.patch: apparmor, virt-aa-helper: Allow access to ecryptfs files + d/p/0016-apparmor-libvirtd-Allow-ixr-to-var-lib-libvirt-virtd.patch: apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd* + d/p/0017-apparmor-virt-aa-helper-Allow-access-to-tmp-director.patch: apparmor, virt-aa-helper: Allow access to tmp directories + d/p/0018-apparmor-virt-aa-helper-Add-ipv6-network-policy.patch: apparmor, virt-aa-helper: Add ipv6 network policy + d/p/0019-apparmor-virt-aa-helper-Allow-access-to-sys-bus-usb-.patch: apparmor, virt-aa-helper: Allow access to /sys/bus/usb/devices + d/p/0020-apparmor-virt-aa-helper-Allow-various-storage-pools-.patch: apparmor, virt-aa-helper: Allow various storage pools and image locations + d/p/0021-apparmor-virt-aa-helper-Add-openvswitch-support.patch: apparmor, virt-aa-helper: Add openvswitch support + d/p/0022-apparmor-drop-references-to-qemu-kvm.patch: apparmor: drop references to qemu-kvm + d/p/0023-apparmor-qemu-won-t-call-qemu-nbd.patch: apparmor: qemu won't call qemu-nbd + d/p/0024-apparmor-virt-aa-helper-Allow-access-to-name-service.patch: apparmor, virt-aa-helper: Allow access to name services + d/p/0025-apparmor-fix-newer-virt-manager-1.4.0.patch: Add Apparmor permissions so virt-manager 1.4.0 viewing works (LP 1668681). 
+ d/p/0026-apparmor-add-generic-base-vfio-device.patch: apparmor: add /dev/vfio for vf (hot) attach (LP 1680384). + d/p/0027-apparmor-allow-reading-cmdline-of-shutdown-signal.patch: apparmor: allow to parse cmdline of the pid that send the shutdown signal (LP 1680384). + (28 is a new patch, listed in added changes) + d/p/0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, libvirt-qemu: Add 9p support + d/p/0030-virt-aa-helper-Complete-9p-support.patch: virt-aa-helper: add l to 9p file options. + d/p/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: virt-aa-helper: Ask for no deny rule for readonly disk (renamed and reworded, was virt-aa-helper-no-explicity-deny-for-basefiles.patch) + d/p/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: apparmor, libvirt-qemu: Allow reading charm-specific ceph config + d/p/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow commands executed by ubuntu only kvm wrapper on ppc64el (LP 1686621). + d/p/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: apparmor, virt-aa-helper: access for snapped nova - remaining but updated to match the latest release + d/p/Disable-use-of-namespaces-by-default.patch (Debian change) + d/p/Reduce-udevadm-settle-timeout-to-10-seconds.patch (Debian change) + d/p/debian/apparmor_profiles_local_include.patch Include local apparmor profile (Debian change) + d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx + d/test/smoke-lxc workaround for debbug 848317/867379 * Dropped Changes (Upstream): - Add missing apparmor rule for debug-threads feature (LP 1615550). - Add new block device types to virt-aa-helpers profile (LP 1641618) - d/p/ubuntu/storage-default-permission-mode-to-0711: safer default perms for storage dirs like /var/lib/libvirt/images. - d/p/ubuntu/libvirtd-service-nolimit.patch: remove proc/file/task limits to support huge systems. 
- d/p/ubuntu/libvirtd-service-set-notifyaccess.patch: set NotifyAccess=all in libvirtd.service (-d not allowed to be specified, everything else upstream so drop delta; LP 1574566). - d/p/ubuntu/qemu_process-spice-don-t-release-used-port.patch: qemu_process spice: don't release used port (LP 1697729). - d/p/ubuntu/virsh-maxvcpu-fall-back-to-old-command.patch: virsh: maxvcpus: Always fall back to the old command if domain caps fail (LP 1674298) - d/p/ubuntu/qemu-Allow-empty-script-path-to-interface.patch: in the past it was possible to have