aboutsummaryrefslogtreecommitdiff
path: root/qemu-options.hx
AgeCommit message (Collapse)Author
2019-02-26authz: add QAuthZPAM object type for authorizing using PAMDaniel P. Berrange
Add an authorization backend that talks to PAM to check whether the user identity is allowed. This only uses the PAM account validation facility, which is essentially just a check to see if the provided username is permitted access. It doesn't use the authentication or session parts of PAM, since that's dealt with by the relevant part of QEMU (eg VNC server). Consider starting QEMU with a VNC server and telling it to use TLS with x509 client certificates and configuring it to use an PAM to validate the x509 distinguished name. In this example we're telling it to use PAM for the QAuthZ impl with a service name of "qemu-vnc" $ qemu-system-x86_64 \ -object tls-creds-x509,id=tls0,dir=/home/berrange/security/qemutls,\ endpoint=server,verify-peer=yes \ -object authz-pam,id=authz0,service=qemu-vnc \ -vnc :1,tls-creds=tls0,tls-authz=authz0 This requires an /etc/pam/qemu-vnc file to be created with the auth rules. A very simple file based whitelist can be setup using $ cat > /etc/pam/qemu-vnc <<EOF account requisite pam_listfile.so item=user sense=allow file=/etc/qemu/vnc.allow EOF The /etc/qemu/vnc.allow file simply contains one username per line. Any username not in the file is denied. The usernames in this example are the x509 distinguished name from the client's x509 cert. $ cat > /etc/qemu/vnc.allow <<EOF CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB EOF More interesting would be to configure PAM to use an LDAP backend, so that the QEMU authorization check data can be centralized instead of requiring each compute host to have file maintained. The main limitation with this PAM module is that the rules apply to all QEMU instances on the host. Setting up different rules per VM, would require creating a separate PAM service name & config file for every guest. An alternative approach for the future might be to not pass in the plain username to PAM, but instead combine the VM name or UUID with the username. This requires further consideration though. Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2019-02-26authz: add QAuthZListFile object type for a file access control listDaniel P. Berrangé
Add a QAuthZListFile object type that implements the QAuthZ interface. This built-in implementation is a proxy around the QAuthZList object type, initializing it from an external file, and optionally, automatically reloading it whenever it changes. To create an instance of this object via the QMP monitor, the syntax used would be: { "execute": "object-add", "arguments": { "qom-type": "authz-list-file", "id": "authz0", "props": { "filename": "/etc/qemu/vnc.acl", "refresh": true } } } If "refresh" is "yes", inotify is used to monitor the file, automatically reloading changes. If an error occurs during reloading, all authorizations will fail until the file is next successfully loaded. The /etc/qemu/vnc.acl file would contain a JSON representation of a QAuthZList object { "rules": [ { "match": "fred", "policy": "allow", "format": "exact" }, { "match": "bob", "policy": "allow", "format": "exact" }, { "match": "danb", "policy": "deny", "format": "glob" }, { "match": "dan*", "policy": "allow", "format": "exact" }, ], "policy": "deny" } This sets up an authorization rule that allows 'fred', 'bob' and anyone whose name starts with 'dan', except for 'danb'. Everyone unmatched is denied. The object can be loaded on the comand line using -object authz-list-file,id=authz0,filename=/etc/qemu/vnc.acl,refresh=yes Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-26authz: add QAuthZSimple object type for easy whitelist auth checksDaniel P. Berrangé
In many cases a single VM will just need to whitelist a single identity as the allowed user of network services. This is especially the case for TLS live migration (optionally with NBD storage) where we just need to whitelist the x509 certificate distinguished name of the source QEMU host. Via QMP this can be configured with: { "execute": "object-add", "arguments": { "qom-type": "authz-simple", "id": "authz0", "props": { "identity": "fred" } } } Or via the command line -object authz-simple,id=authz0,identity=fred Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2019-02-22display: add -display spice-app launching a Spice clientMarc-André Lureau
Add a new display backend that will configure Spice to allow a remote client to control QEMU in a similar fashion as other QEMU display backend/UI like GTK. For this to work, it will set up Spice server with a unix socket, and register a VC chardev that will be exposed as Spice ports. A QMP monitor is also exposed as a Spice port, this allows the remote client fuller qemu control and state handling. - doesn't handle VC set_echo() - this doesn't seem a strong requirement, very few front-end use it - spice options can be tweaked with other -spice arguments - Windows support shouldn't be hard to do, but will probably use a TCP port instead - we may want to watch the child process to quit automatically if it crashed Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Victor Toso <victortoso@redhat.com> Message-id: 20190221110703.5775-12-marcandre.lureau@redhat.com [ kraxel: squash incremental fix ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-14qemu-options: Remove deprecated option -clockThomas Huth
The option is only a dummy since a long time. We've finally deprecated it in QEMU v3.0, so it's time to remove it now. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <1549545296-18903-3-git-send-email-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2019-02-05Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* cpu-exec fixes (Emilio, Laurent) * TCG bugfix in queue.h (Paolo) * high address load for linuxboot (Zhijian) * PVH support (Liam, Stefano) * misc i386 changes (Paolo, Robert, Doug) * configure tweak for openpty (Thomas) * elf2dmp port to Windows (Viktor) * initial improvements to Makefile infrastructure (Yang + GSoC 2013) # gpg: Signature made Tue 05 Feb 2019 17:34:42 GMT # gpg: using RSA key BFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: (76 commits) queue: fix QTAILQ_FOREACH_REVERSE_SAFE scsi-generic: Convert from DPRINTF() macro to trace events scsi-disk: Convert from DPRINTF() macro to trace events pc: Use hotplug_handler_(plug|unplug|unplug_request) i386: hvf: Fix smp boot hangs hw/vfio/Makefile.objs: Create new CONFIG_* variables for VFIO core and PCI hw/i2c/Makefile.objs: Create new CONFIG_* variables for EEPROM and ACPI controller hw/tricore/Makefile.objs: Create CONFIG_* for tricore hw/openrisc/Makefile.objs: Create CONFIG_* for openrisc hw/moxie/Makefile.objs: Conditionally build moxie hw/hppa/Makefile.objs: Create CONFIG_* for hppa hw/cris/Makefile.objs: Create CONFIG_* for cris hw/alpha/Makefile.objs: Create CONFIG_* for alpha hw/sparc64/Makefile.objs: Create CONFIG_* for sparc64 hw/riscv/Makefile.objs: Create CONFIG_* for riscv boards hw/nios2/Makefile.objs: Conditionally build nios2 hw/xtensa/Makefile.objs: Build xtensa_sim and xtensa_fpga conditionally hw/lm32/Makefile.objs: Conditionally build lm32 and milkmyst hw/sparc/Makefile.objs: CONFIG_* for sun4m and leon3 created hw/s390/Makefile.objs: Create new CONFIG_* variables for s390x boards and devices ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org> # Conflicts: # qemu-deprecated.texi
2019-02-05qemu-options: Remove deprecated "-virtioconsole" optionPaolo Bonzini
It's been deprecated since QEMU 3.0, and nobody complained so far, so it is time to remove this option now. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <1544684731-18828-1-git-send-email-thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05Remove deprecated -enable-hax optionThomas Huth
Our command line interface is really quite overcrowded, we should avoid duplicated options that do the same thing in just a slightly different way. "-accel hax" is shorter and more generic that "-enable-hax", so there is really no real usage for the latter option. "-enable-hax" has been deprecated since two releases, and nobody complained so far, so it's time to remove this now. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <1544790073-23049-1-git-send-email-thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05Remove deprecated -no-frame optionThomas Huth
The -no-frame option has been deprecated with QEMU v2.12. It was only useful with SDL1.2 - now that we've removed support for SDL1.2, we can certainly remove the -no-frame option, too. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-id: 1549351769-19620-1-git-send-email-thuth@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-14xen: Replace few mentions of xend by libxlAnthony PERARD
xend have been replaced by libxenlight (libxl) for many Xen releases now. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
2019-01-14Remove broken Xen PV domain builderAnthony PERARD
It is broken since Xen 4.9 [1] and it will not build in Xen 4.12. Also, it is not built by default since QEMU 2.6. [1] https://lists.xenproject.org/archives/html/xen-devel/2018-09/msg00313.html Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Acked-by: Stefano Stabellini <sstabellini@kernel.org>
2019-01-08util: Implement debug-threads for macOSRoman Bolshakov
macOS provides pthread_setname_np that doesn't have thread id argument. Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-129p: remove support for the "handle" backendGreg Kurz
The "handle" fsdev backend was deprecated in QEMU 2.12.0 with: commit db3b3c7281ca82e2647e072a1f97db111313dd73 Author: Greg Kurz <groug@kaod.org> Date: Mon Jan 8 11:18:23 2018 +0100 9pfs: deprecate handle backend This backend raise some concerns: - doesn't support symlinks - fails +100 tests in the PJD POSIX file system test suite [1] - requires the QEMU process to run with the CAP_DAC_READ_SEARCH capability, which isn't recommended for security reasons This backend should not be used and wil be removed. The 'local' backend is the recommended alternative. [1] https://www.tuxera.com/community/posix-test-suite/ Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> It has passed the two release cooling period without any complaint. Remove it now. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
2018-11-27hostmem-memfd: honour share=on/off propertyMarc-André Lureau
The share=on/off property is used to modified mmap() MAP_SHARED setting. Make it on by default for convenience and compatibility reasons. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-16help: Provide help for egl-headlessErik Skultety
EGL headless has been missing from QEMU's help or man page, we should mention that such a thing exists, especially since projects like libvirt might rely on that. This patch also adds the newly introduced option for egl-headless 'rendernode'. Signed-off-by: Erik Skultety <eskultet@redhat.com> Message-id: 87ef678b0934d3abba66c46c9e65b57119d29295.1542362949.git.eskultet@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-12bt: Mark the bluetooth subsystem as deprecatedThomas Huth
It has been unmaintained since years, and there were only trivial or tree-wide changes to the related files since many years, so the code is likely very bitrotten and broken. For example the following segfaults as soon as as you press a key: qemu-system-x86_64 -usb -device usb-bt-dongle -bt hci -bt device:keyboard Since we are not aware of anybody using bluetooth with the current version of QEMU, let's mark the subsystem as deprecated, with a special request for the users to write to the qemu-devel mailing list in case they still use it (so we could revert the deprecation status in that case). Signed-off-by: Thomas Huth <thuth@redhat.com> Message-id: 1542016830-19189-1-git-send-email-thuth@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-01chardev: Add websocket supportJulia Suvorova
New option "websocket" added to allow using WebSocket protocol for chardev socket backend. Example: -chardev socket,websocket,server,id=... Signed-off-by: Julia Suvorova <jusual@mail.ru> Message-Id: <20181018223501.21683-3-jusual@mail.ru> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2018-10-21slirp: Implement RFC2132 TFTP server nameFam Zheng
This new usernet option can be used to add data for option 66 (tftp server name) in the BOOTP reply, which is useful in PXE based automatic OS install such as OpenBSD. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Tested-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2018-10-19Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
* RTC fixes (Artem) * icount fixes (Artem) * rr fixes (Pavel, myself) * hotplug cleanup (Igor) * SCSI fixes (myself) * 4.20-rc1 KVM header update (myself) * coalesced PIO support (Peng Hao) * HVF fixes (Roman B.) * Hyper-V refactoring (Roman K.) * Support for Hyper-V IPI (Vitaly) # gpg: Signature made Fri 19 Oct 2018 12:47:58 BST # gpg: using RSA key BFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: (47 commits) replay: pass raw icount value to replay_save_clock target/i386: kvm: just return after migrate_add_blocker failed hyperv_testdev: add SynIC message and event testmodes hyperv: process POST_MESSAGE hypercall hyperv: add support for KVM_HYPERV_EVENTFD hyperv: process SIGNAL_EVENT hypercall hyperv: add synic event flag signaling hyperv: add synic message delivery hyperv: make overlay pages for SynIC hyperv: only add SynIC in compatible configurations hyperv: qom-ify SynIC hyperv:synic: split capability testing and setting i386: add hyperv-stub for CONFIG_HYPERV=n default-configs: collect CONFIG_HYPERV* in hyperv.mak hyperv: factor out arch-independent API into hw/hyperv hyperv: make hyperv_vp_index inline hyperv: split hyperv-proto.h into x86 and arch-independent parts hyperv: rename kvm_hv_sint_route_set_sint hyperv: make HvSintRoute reference-counted hyperv: address HvSintRoute by X86CPU pointer ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-10-19vl: improve/fix documentation related to RTC functionArtem Pisarenko
Documentation describing -rtc option updated to better match current implementation and highlight some important specifics. Signed-off-by: Artem Pisarenko <artem.k.pisarenko@gmail.com> Message-Id: <1b245c6c0803d4bf11dcbf9eb32f34af8c2bd0b4.1539846575.git.artem.k.pisarenko@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-10-19qemu-options: Fix bad "macaddr" property in the documentationThomas Huth
When using the "-device" option, the property is called "mac". "macaddr" is only used for the legacy "-net nic" option. Reported-by: Harald Hoyer <harald@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
2018-10-01qcow2: Fix cache-clean-interval documentationLeonid Bloch
Fixing cache-clean-interval documentation following the recent change to a default of 600 seconds on supported plarforms (only Linux currently). Signed-off-by: Leonid Bloch <lbloch@janustech.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-10-01qcow2: Set the default cache-clean-interval to 10 minutesLeonid Bloch
The default cache-clean-interval is set to 10 minutes, in order to lower the overhead of the qcow2 caches (before the default was 0, i.e. disabled). * For non-Linux platforms the default is kept at 0, because cache-clean-interval is not supported there yet. Signed-off-by: Leonid Bloch <lbloch@janustech.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-10-01qcow2: Increase the default upper limit on the L2 cache sizeLeonid Bloch
The upper limit on the L2 cache size is increased from 1 MB to 32 MB on Linux platforms, and to 8 MB on other platforms (this difference is caused by the ability to set intervals for cache cleaning on Linux platforms only). This is done in order to allow default full coverage with the L2 cache for images of up to 256 GB in size (was 8 GB). Note, that only the needed amount to cover the full image is allocated. The value which is changed here is just the upper limit on the L2 cache size, beyond which it will not grow, even if the size of the image will require it to. Signed-off-by: Leonid Bloch <lbloch@janustech.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-10-01qcow2: Assign the L2 cache relatively to the image sizeLeonid Bloch
Sufficient L2 cache can noticeably improve the performance when using large images with frequent I/O. Previously, unless 'cache-size' was specified and was large enough, the L2 cache was set to a certain size without taking the virtual image size into account. Now, the L2 cache assignment is aware of the virtual size of the image, and will cover the entire image, unless the cache size needed for that is larger than a certain maximum. This maximum is set to 1 MB by default (enough to cover an 8 GB image with the default cluster size) but can be increased or decreased using the 'l2-cache-size' option. This option was previously documented as the *maximum* L2 cache size, and this patch makes it behave as such, instead of as a constant size. Also, the existing option 'cache-size' can limit the sum of both L2 and refcount caches, as previously. Signed-off-by: Leonid Bloch <lbloch@janustech.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-10-01qcow2: Options' documentation fixesLeonid Bloch
Signed-off-by: Leonid Bloch <lbloch@janustech.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-08-31net: Remove the deprecated -tftp, -bootp, -redir and -smb optionsThomas Huth
These options likely do not work as expected as soon as the user tries to use more than one network interface at once. The parameters have been marked as deprecated since QEMU v2.6, so users had plenty of time to move their scripts to the new syntax. Time to remove the old parameters now. Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Acked-by: Peter Krempa <pkrempa@redhat.com> Acked-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2018-08-31Remove the deprecated options -startdate, -localtime and -rtc-td-hackThomas Huth
Deprecated since two releases, nobody complained, thus it's time to remove them now. Acked-by: Peter Krempa <pkrempa@redhat.com> Acked-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2018-08-31Remove the deprecated -nodefconfig optionThomas Huth
It's the same as -no-user-config and marked as deprecated since three releases already. Time to remove it now. Acked-by: Peter Krempa <pkrempa@redhat.com> Acked-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2018-08-31Remove the deprecated -balloon optionThomas Huth
The "-balloon" option has been replaced by "-device virtio-balloon". It's been marked as deprecated since two releases, and nobody complained, so let's remove it now. Acked-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Acked-by: Peter Krempa <pkrempa@redhat.com> Acked-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2018-08-27Merge remote-tracking branch ↵Peter Maydell
'remotes/kraxel/tags/ui-20180827-v4-pull-request' into staging ui: misc fixes which piled up during 3.0 release freeze # gpg: Signature made Mon 27 Aug 2018 09:53:07 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/ui-20180827-v4-pull-request: util: promote qemu_egl_rendernode_open() to libqemuutil dmabuf: add y0_top, pass it to spice ui/vnc: Remove useless parenthesis around DIV_ROUND_UP macro ui/sdl2: Fix broken -full-screen CLI option spice-display: fix qemu_spice_cursor_refresh_bh locking spice-display: access ptr_x/ptr_y under Mutex vnc: remove support for deprecated tls, x509, x509verify options doc: switch to modern syntax for VNC TLS setup sdl2: redraw correctly when scanout_mode enabled. ui: use enum to string helpers vnc: fix memleak of the "vnc-worker-output" name ui/sdl2: Remove the obsolete SDL_INIT_NOPARACHUTE flag Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-08-24vnc: remove support for deprecated tls, x509, x509verify optionsDaniel P. Berrangé
The 'tls-creds' option accepts the name of a TLS credentials object. This replaced the usage of 'tls', 'x509' and 'x509verify' options in 2.5.0. These deprecated options were grandfathered in when the deprecation policy was introduded in 2.10.0, so can now finally be removed. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-id: 20180725092751.21767-3-berrange@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-23vl: add -enable-sync-profileEmilio G. Cota
Signed-off-by: Emilio G. Cota <cota@braap.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-21Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into stagingPeter Maydell
pc: fixes This includes nvdimm persistence fixes queued before the release. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Mon 20 Aug 2018 11:38:11 BST # gpg: using RSA key 281F0DB8D28D5469 # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * remotes/mst/tags/for_upstream: migration/ram: ensure write persistence on loading all data to PMEM. migration/ram: Add check and info message to nvdimm post copy. mem/nvdimm: ensure write persistence to PMEM in label emulation hostmem-file: add the 'pmem' option configure: add libpmem support memory, exec: switch file ram allocation functions to 'flags' parameters memory, exec: Expose all memory block related flags. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-08-20s390x: remove 's390-squash-mcss' optionCornelia Huck
This option has been deprecated for two releases; remove it. Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Acked-by: Halil Pasic <pasic@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2018-08-15block: Remove deprecated -drive option serialKevin Wolf
This reinstates commit b0083267444a5e0f28391f6c2831a539f878d424, which was temporarily reverted for the 3.0 release so that libvirt gets some extra time to update their command lines. The -drive option serial was deprecated in QEMU 2.10. It's time to remove it. Tests need to be updated to set the serial number with -global instead of using the -drive option. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>
2018-08-15block: Remove deprecated -drive option addrKevin Wolf
This reinstates commit eae3bd1eb7c6b105d30ec06008b3bc3dfc5f45bb, which was temporarily reverted for the 3.0 release so that libvirt gets some extra time to update their command lines. The -drive option addr was deprecated in QEMU 2.10. It's time to remove it. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>
2018-08-15block: Remove deprecated -drive geometry optionsKevin Wolf
This reinstates commit a7aff6dd10b16b67e8b142d0c94c5d92c3fe88f6, which was temporarily reverted for the 3.0 release so that libvirt gets some extra time to update their command lines. The -drive options cyls, heads, secs and trans were deprecated in QEMU 2.10. It's time to remove them. hd-geo-test tested both the old version with geometry options in -drive and the new one with -device. Therefore the code using -drive doesn't have to be replaced there, we just need to remove the -drive test cases. This in turn allows some simplification of the code. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com>
2018-08-10hostmem-file: add the 'pmem' optionJunyan He
When QEMU emulates vNVDIMM labels and migrates vNVDIMM devices, it needs to know whether the backend storage is a real persistent memory, in order to decide whether special operations should be performed to ensure the data persistence. This boolean option 'pmem' allows users to specify whether the backend storage of memory-backend-file is a real persistent memory. If 'pmem=on', QEMU will set the flag RAM_PMEM in the RAM block of the corresponding memory region. If 'pmem' is set while lack of libpmem support, a error is generated. Signed-off-by: Junyan He <junyan.he@intel.com> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2018-07-17Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell
Bug fixes. # gpg: Signature made Tue 17 Jul 2018 16:06:07 BST # gpg: using RSA key BFFBD25F78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini/tags/for-upstream: Document command line options with single dash opts: remove redundant check for NULL parameter i386: only parse the initrd_filename once for multiboot modules i386: fix regression parsing multiboot initrd modules virtio-scsi: fix hotplug ->reset() vs event race qdev: add HotplugHandler->post_plug() callback hw/char/serial: retry write if EAGAIN PC Chipset: Improve serial divisor calculation vhost-user-test: added proper TestServer *dest initialization in test_migrate() hyperv: ensure VP index equal to QEMU cpu_index hyperv: rename vcpu_id to vp_index accel: Fix typo and grammar in comment dump: add kernel_gs_base to QEMU CPU state Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-07-17Document command line options with single dashBALATON Zoltan
QEMU options have a single dash (but also work as double dash for convenience and compatibility). Most options are listed with single dash in command line help but some were listed with two dashes. Normalize these to have the same format as the others. Left --preconfig as that is mentioned as double dash everywhere so I assume that is the preferred form for that. Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Thomas Huth <thuth@redhat.com> Message-Id: <20180716193312.A5BA17456B9@zero.eik.bme.hu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-07-16cli qmp: Mark --preconfig, exit-preconfig experimentalMarkus Armbruster
Committing to the current --preconfig / exit-preconfig interface before it has seen any use is premature. Mark both as experimental, the former in documentation, the latter by renaming it to x-exit-preconfig. See the previous commit for more detailed rationale. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20180705091402.26244-3-armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Acked-by: Eduardo Habkost <ehabkost@redhat.com> Acked-by: Igor Mammedov <imammedo@redhat.com> [Straightforward conflict with commit 514337c142f resolved]
2018-07-10Revert "block: Remove deprecated -drive geometry options"Cornelia Huck
This reverts commit a7aff6dd10b16b67e8b142d0c94c5d92c3fe88f6. Hold off removing this for one more QEMU release (current libvirt release still uses it.) Signed-off-by: Cornelia Huck <cohuck@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-07-10Revert "block: Remove deprecated -drive option addr"Cornelia Huck
This reverts commit eae3bd1eb7c6b105d30ec06008b3bc3dfc5f45bb. Reverted to avoid conflicts for geometry options revert. Signed-off-by: Cornelia Huck <cohuck@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-07-10Revert "block: Remove deprecated -drive option serial"Cornelia Huck
This reverts commit b0083267444a5e0f28391f6c2831a539f878d424. Hold off removing this for one more QEMU release (current libvirt release still uses it.) Signed-off-by: Cornelia Huck <cohuck@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-07-03crypto: Implement TLS Pre-Shared Keys (PSK).Richard W.M. Jones
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS connections than using certificates. It requires only a simple secret key: $ mkdir -m 0700 /tmp/keys $ psktool -u rjones -p /tmp/keys/keys.psk $ cat /tmp/keys/keys.psk rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc The key can be secretly shared between clients and servers. Clients must specify the directory containing the "keys.psk" file and a username (defaults to "qemu"). Servers must specify only the directory. Example NBD client: $ qemu-img info \ --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \ --image-opts \ file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/ Example NBD server using qemu-nbd: $ qemu-nbd -t -x / \ --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \ --tls-creds tls0 \ image.qcow2 Example NBD server using nbdkit: $ nbdkit -n -e / -fv \ --tls=on --tls-psk=/tmp/keys/keys.psk \ file file=disk.img Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-28kvm: support -overcommit cpu-pm=on|offMichael S. Tsirkin
With this flag, kvm allows guest to control host CPU power state. This increases latency for other processes using same host CPU in an unpredictable way, but if decreases idle entry/exit times for the running VCPU, so to use it QEMU needs a hint about whether host CPU is overcommitted, hence the flag name. Follow-up patches will expose this capability to guest (using mwait leaf). Based on a patch by Wanpeng Li <kernellwp@gmail.com> . Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20180622192148.178309-2-mst@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-06-28Deprecate the -enable-hax optionThomas Huth
We currently have got three ways of turning on the HAX accelerator: "-machine accel=hax", "-accel hax" and "-enable-hax". That's really confusing and overloaded. Since "-accel" is our preferred way to enable an accelerator nowadays, and "-accel hax" is even less to type than "-enable-hax", let's deprecate the "-enable-hax" option now. Note: While "-enable-kvm" is available since a long time and can hardly be removed since it is used in a lot of upper layer tools and scripts, the "-enable-hax" option is still rather new and not very widespread yet, so I think that it should be OK if we remove this in a couple of releases again (we'll see whether someone complains after seeing the deprecation message - then we could still reconsider to keep it if there a well-founded reasons). Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <1529950933-28347-1-git-send-email-thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-06-28qemu-options: Add missing newline to -accel help textEduardo Habkost
The newline was removed by commit c97d6d2c, and broke -help output: Before this patch: $ qemu-system-x86_64 -help | grep smp thread=single|multi (enable multi-threaded TCG)-smp [...] After this patch: $ qemu-system-x86_64 -help | grep smp -smp [cpus=]n[,maxcpus=cpus][,cores=cores][,threads=threads][,sockets=sockets] Fixes: c97d6d2cdf97edb4aebe832fdba65d701ad7bcb6 Cc: Sergio Andres Gomez Del Real <sergio.g.delreal@gmail.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> Message-Id: <20180611195607.3015-1-ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-06-15block: Remove deprecated -drive option serialKevin Wolf
The -drive option serial was deprecated in QEMU 2.10. It's time to remove it. Tests need to be updated to set the serial number with -global instead of using the -drive option. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com>