From c34f4d7e5013bbd2a19aef205b818d2e2045f21ce2c6e43fdc048c7b9d87765a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.com>
Date: Wed, 21 Apr 2021 01:35:46 +0000
Subject: [PATCH] Accepting request 887108 from home:cyphar:lxc
- Don't use SecureBoot OVMF blobs, they don't work with LXD.
- Add backport of <https://github.com/lxc/lxd/pull/8700> to fix LXD VMs on
openSUSE. boo#1181549
+ boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
OBS-URL: https://build.opensuse.org/request/show/887108
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/lxd?expand=0&rev=86
---
...onfigure-spice-using-spice-parameter.patch | 76 +++++++++++++++++++
lxd.changes | 8 ++
lxd.spec | 8 +-
3 files changed, 90 insertions(+), 2 deletions(-)
create mode 100644 boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
diff --git a/boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch b/boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
new file mode 100644
index 0000000..088ffc7
--- /dev/null
+++ b/boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
@@ -0,0 +1,76 @@
+From f86eaf85c38cda988589e64b643670189d22923f Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Wed, 21 Apr 2021 10:11:21 +1000
+Subject: [PATCH] vm/qemu: configure spice using -spice parameter
+
+Since QEMU 5.2, if QEMU has its modules compiled as dynamic objects to
+be dlopen(2)'d rather than statically compiled into the QEMU binary,
+QEMU will not accept [spice] directives through -readconfig. This is a
+known issue with QEMU but has been effectively marked as WONTFIX because
+-readconfig has sort-of been soft-deprecated[1,2,3].
+
+In the meantime, just switch to the -spice commandline since this
+appears to only affect modules rather than core QEMU options.
+
+[1]: https://bugs.launchpad.net/qemu/+bug/1910696
+[2]: https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg02934.html
+[3]: https://bugzilla.suse.com/show_bug.cgi?id=1181549#c11
+
+SUSE-Bugs: bsc#1181549
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ lxd/instance/drivers/driver_qemu.go | 6 +++++-
+ lxd/instance/drivers/driver_qemu_templates.go | 6 ------
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lxd/instance/drivers/driver_qemu.go b/lxd/instance/drivers/driver_qemu.go
+index 13211f1c651f..d14267bdbb87 100644
+--- a/lxd/instance/drivers/driver_qemu.go
++++ b/lxd/instance/drivers/driver_qemu.go
+@@ -1043,6 +1043,7 @@ func (d *qemu) Start(stateful bool) error {
+ "-no-user-config",
+ "-sandbox", "on,obsolete=deny,elevateprivileges=allow,spawn=deny,resourcecontrol=deny",
+ "-readconfig", confFile,
++ "-spice", d.spiceCmdlineConfig(),
+ "-pidfile", d.pidFilePath(),
+ "-D", d.LogFilePath(),
+ }
+@@ -1572,6 +1573,10 @@ func (d *qemu) spicePath() string {
+ return filepath.Join(d.LogPath(), "qemu.spice")
+ }
+
++func (d *qemu) spiceCmdlineConfig() string {
++ return fmt.Sprintf("unix=on,disable-ticketing=on,addr=%s", d.spicePath())
++}
++
+ // generateConfigShare generates the config share directory that will be exported to the VM via
+ // a 9P share. Due to the unknown size of templates inside the images this directory is created
+ // inside the VM's config volume so that it can be restricted by quota.
+@@ -2004,7 +2009,6 @@ func (d *qemu) generateQemuConfigFile(mountInfo *storagePools.MountInfo, busName
+
+ err := qemuBase.Execute(sb, map[string]interface{}{
+ "architecture": d.architectureName,
+- "spicePath": d.spicePath(),
+ })
+ if err != nil {
+ return "", err
+diff --git a/lxd/instance/drivers/driver_qemu_templates.go b/lxd/instance/drivers/driver_qemu_templates.go
+index aa51f45c1426..3999c2bfbb9c 100644
+--- a/lxd/instance/drivers/driver_qemu_templates.go
++++ b/lxd/instance/drivers/driver_qemu_templates.go
+@@ -44,12 +44,6 @@ strict = "on"
+ # Console
+ [chardev "console"]
+ backend = "pty"
+-
+-# Graphical console
+-[spice]
+-unix = "on"
+-addr = "{{.spicePath}}"
+-disable-ticketing = "on"
+ `))
+
+ var qemuMemory = template.Must(template.New("qemuMemory").Parse(`
+--
+2.30.2
+
diff --git a/lxd.changes b/lxd.changes
index c75e229..abacace 100644
--- a/lxd.changes
+++ b/lxd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 21 00:19:11 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Don't use SecureBoot OVMF blobs, they don't work with LXD.
+- Add backport of <https://github.com/lxc/lxd/pull/8700> to fix LXD VMs on
+ openSUSE. boo#1181549
+ + boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
+
-------------------------------------------------------------------
Mon Apr 12 05:19:43 UTC 2021 - Aleksa Sarai <asarai@suse.com>
diff --git a/lxd.spec b/lxd.spec
index 92760d0..621ddc0 100644
--- a/lxd.spec
+++ b/lxd.spec
@@ -43,6 +43,8 @@ Source101: %{name}-config.yml
# Additional runtime configuration.
Source200: %{name}.sysctl
Source201: %{name}.dnsmasq
+# Backport of <https://github.com/lxc/lxd/pull/8700>. boo#1181549
+Patch1: boo1181549-0001-vm-qemu-configure-spice-using-spice-parameter.patch
BuildRequires: fdupes
BuildRequires: golang-packaging
BuildRequires: libacl-devel
@@ -106,6 +108,8 @@ Bash command line completion support for %{name}.
%prep
%setup -q
+# boo#1181549
+%patch1 -p1
# Create fake "go mod"-like import paths. This is going to be really fun to
# maintain but it's unfortunately necessary because openSUSE doesn't have nice
@@ -313,9 +317,9 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
# in the way it expects. In particular, LXD depends on specific filenames for
# the firmware files so we create fake ones with symlinks.
mkdir -p %{buildroot}%{lxd_ovmfdir}
-ln -s %{_datarootdir}/qemu/ovmf-x86_64-ms-code.bin %{buildroot}%{lxd_ovmfdir}/OVMF_CODE.fd
-ln -s %{_datarootdir}/qemu/ovmf-x86_64-ms-vars.bin %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.ms.fd
+ln -s %{_datarootdir}/qemu/ovmf-x86_64-code.bin %{buildroot}%{lxd_ovmfdir}/OVMF_CODE.fd
ln -s %{_datarootdir}/qemu/ovmf-x86_64-vars.bin %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.fd
+ln -s OVMF_VARS.fd %{buildroot}%{lxd_ovmfdir}/OVMF_VARS.ms.fd
%fdupes %{buildroot}