Accepting request 512570 from home:bfrogers:branches:Virtualization
Include latest security fixes. Also fix support statements. Also adjust to recent libvdeplug-devel package name change.

OBS-URL: https://build.opensuse.org/request/show/512570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=350

parent 83070edea7
commit d7cf6350b8
47
0069-qemu-nbd-Ignore-SIGPIPE.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 40c9dcf30be29a4d76aeb85b5510cea071423b81 Mon Sep 17 00:00:00 2001
|
||||
From: Max Reitz <mreitz@redhat.com>
|
||||
Date: Sun, 11 Jun 2017 14:37:14 +0200
|
||||
Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
|
||||
|
||||
qemu proper has done so for 13 years
|
||||
(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
|
||||
done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
|
||||
Ignoring this signal is especially important in qemu-nbd because
|
||||
otherwise a client can easily take down the qemu-nbd server by dropping
|
||||
the connection when the server wants to send something, for example:
|
||||
|
||||
$ qemu-nbd -x foo -f raw -t null-co:// &
|
||||
[1] 12726
|
||||
$ qemu-io -c quit nbd://localhost/bar
|
||||
can't open device nbd://localhost/bar: No export with name 'bar' available
|
||||
[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co://
|
||||
|
||||
In this case, the client sends an NBD_OPT_ABORT and closes the
|
||||
connection (because it is not required to wait for a reply), but the
|
||||
server replies with an NBD_REP_ACK (because it is required to reply).
|
||||
|
||||
Signed-off-by: Max Reitz <mreitz@redhat.com>
|
||||
Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 041e32b8d9d076980b4e35317c0339e57ab888f1)
|
||||
[BR: BSC#1046636 CVE-2017-10664]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
qemu-nbd.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/qemu-nbd.c b/qemu-nbd.c
|
||||
index b44764eb87..83bf9cb46c 100644
|
||||
--- a/qemu-nbd.c
|
||||
+++ b/qemu-nbd.c
|
||||
@@ -581,6 +581,10 @@ int main(int argc, char **argv)
|
||||
sa_sigterm.sa_handler = termsig_handler;
|
||||
sigaction(SIGTERM, &sa_sigterm, NULL);
|
||||
|
||||
+#ifdef CONFIG_POSIX
|
||||
+ signal(SIGPIPE, SIG_IGN);
|
||||
+#endif
|
||||
+
|
||||
module_call_init(MODULE_INIT_TRACE);
|
||||
qcrypto_init(&error_fatal);
|
||||
|
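Review bot: The added `signal(SIGPIPE, SIG_IGN);` sits directly below a `sigaction(SIGTERM, &sa_sigterm, NULL);` call, so the file now mixes two signal APIs; setting the disposition with `sigaction` as well would keep the setup uniform and avoid `signal()`'s platform-dependent semantics. The hunk also carries no comment, although the reason (a client that closes right after NBD_OPT_ABORT must not kill the server) lives only in the commit message; a one-line comment above the `#ifdef CONFIG_POSIX` would keep it from being removed later. With the signal ignored, the NBD_REP_ACK write in the described scenario fails with EPIPE instead of terminating the process, so it is worth confirming that the reply path treats that error as a per-client disconnect.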
50
0070-usb-redir-fix-stack-overflow-in-usb.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 416a6f3bf137b8e6782dd7c1f9563afe8ee97b19 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 9 May 2017 13:01:28 +0200
|
||||
Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Don't reinvent a broken wheel, just use the hexdump function we have.
|
||||
|
||||
Impact: low, broken code doesn't run unless you have debug logging
|
||||
enabled.
|
||||
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 20170509110128.27261-1-kraxel@redhat.com
|
||||
(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
|
||||
[BR: BSC#1047674 CVE-2017-10806]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/redirect.c | 13 +------------
|
||||
1 file changed, 1 insertion(+), 12 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index 0efe62f725..eb70dc7218 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
|
||||
static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
|
||||
const uint8_t *data, int len)
|
||||
{
|
||||
- int i, j, n;
|
||||
-
|
||||
if (dev->debug < usbredirparser_debug_data) {
|
||||
return;
|
||||
}
|
||||
-
|
||||
- for (i = 0; i < len; i += j) {
|
||||
- char buf[128];
|
||||
-
|
||||
- n = sprintf(buf, "%s", desc);
|
||||
- for (j = 0; j < 8 && i + j < len; j++) {
|
||||
- n += sprintf(buf + n, " %02X", data[i + j]);
|
||||
- }
|
||||
- error_report("%s", buf);
|
||||
- }
|
||||
+ qemu_hexdump((char *)data, stderr, desc, len);
|
||||
}
|
||||
|
||||
/*
|
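Review bot: The replacement line `qemu_hexdump((char *)data, stderr, desc, len);` writes straight to stderr, whereas the removed loop emitted each row through `error_report("%s", buf)`, so the debug dump changes destination and loses whatever prefixing error_report applies; the commit message should say this is intended. The cast also drops the `const` from `const uint8_t *data`, and `len` is a signed `int` passed through unchecked; a guard for `len <= 0` before the call would make the function safe independent of the helper. The message would be clearer if it named the root cause visible in the removed lines: `sprintf(buf, "%s", desc)` into `char buf[128]` with no bound on `desc`.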
43
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From f6658a500e003e91225f59bc2c2305c6b7d2f0d1 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Jul 2017 18:08:40 +0530
|
||||
Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
|
||||
|
||||
When accessing guest's ram block during DMA operation, use
|
||||
'qemu_ram_ptr_length' to get ram block pointer. It ensures
|
||||
that DMA operation of given length is possible; And avoids
|
||||
any OOB memory access situations.
|
||||
|
||||
Reported-by: Alex <broscutamaker@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 04bf2526ce87f21b32c9acba1c5518708c243ad0)
|
||||
[BR: BSC#1048902 CVE-2017-11334]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
exec.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/exec.c b/exec.c
|
||||
index b47b3f9096..1de9107b61 100644
|
||||
--- a/exec.c
|
||||
+++ b/exec.c
|
||||
@@ -2767,7 +2767,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
|
||||
}
|
||||
} else {
|
||||
/* RAM case */
|
||||
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
|
||||
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
||||
memcpy(ptr, buf, l);
|
||||
invalidate_and_set_dirty(mr, addr1, l);
|
||||
}
|
||||
@@ -2858,7 +2858,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
|
||||
}
|
||||
} else {
|
||||
/* RAM case */
|
||||
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
|
||||
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
||||
memcpy(buf, ptr, l);
|
||||
}
|
||||
|
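Review bot: In both RAM-case branches `&l` is now passed to `qemu_ram_ptr_length`, so `l` can come back different from the requested length, but neither hunk nor the commit message says what the caller does when it is shortened. The following `memcpy(ptr, buf, l)` / `memcpy(buf, ptr, l)` and `invalidate_and_set_dirty(mr, addr1, l)` use the updated value, which is right for the copy itself; please confirm the enclosing loop advances by the updated `l` and cannot stall if it comes back as zero. The returned `ptr` is also used without a NULL check in the visible lines; if the helper can fail, that needs handling before the memcpy. A short comment at each call noting that `l` may be clamped would help the next reader.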
33
0072-slirp-check-len-against-dhcp-option.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 9ba94af263d7c64137cc748abd9cf3c23e07decc Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 25 Jul 2017 13:34:29 -0600
|
||||
Subject: [PATCH] slirp: check len against dhcp options array end
|
||||
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
|
||||
While parsing dhcp options string in 'dhcp_decode', if an options'
|
||||
length 'len' appeared towards the end of 'bp_vend' array, ensuing
|
||||
read could lead to an OOB memory access issue. Add check to avoid it.
|
||||
|
||||
Reported-by: Reno Robert <renorobert@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
[BR: BSC#1049381 CVE-2017-11434]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
slirp/bootp.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/slirp/bootp.c b/slirp/bootp.c
|
||||
index 5a4646c182..5dd1a415b5 100644
|
||||
--- a/slirp/bootp.c
|
||||
+++ b/slirp/bootp.c
|
||||
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
||||
if (p >= p_end)
|
||||
break;
|
||||
len = *p++;
|
||||
+ if (p + len > p_end) {
|
||||
+ break;
|
||||
+ }
|
||||
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
|
||||
|
||||
switch(tag) {
|
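Review bot: The new check `if (p + len > p_end)` forms `p + len` before comparing, and computing a pointer more than one past the end of the array is undefined behaviour in C; writing it as `if (len > p_end - p)` tests the same condition using only in-bounds values. The check also runs before the `DPRINTF("dhcp: tag=%d len=%d\n", tag, len);` line and breaks silently, so a truncated option leaves no trace in debug output; moving the DPRINTF above the check, or adding one inside the new block, would make malformed packets visible when debugging.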
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 19:36:58 UTC 2017 - brogers@suse.com
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
|
||||
* Patches added:
|
||||
0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
0072-slirp-check-len-against-dhcp-option.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 18 19:51:49 UTC 2017 - brogers@suse.com
|
||||
|
||||
|
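Review bot: The Tue Jul 25 19:36:58 entry lists the four added patches by file name only, without the bsc# and CVE references that each patch header carries (for example `[BR: BSC#1046636 CVE-2017-10664]`). Adding those identifiers here, as the 19:36:55 entry elsewhere in this commit does, lets changelog-based security tracking see that this package received the fixes too.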
@ -94,6 +94,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
|
||||
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
|
||||
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
|
||||
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
|
||||
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
Source400: update_git.sh
|
||||
@ -215,6 +219,10 @@ run cross-architecture builds.
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
%patch0070 -p1
|
||||
%patch0071 -p1
|
||||
%patch0072 -p1
|
||||
|
||||
%build
|
||||
./configure \
|
||||
|
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
|
||||
|
||||
- Address various security/stability issues
|
||||
* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
|
||||
0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
* Fix DOS from stack overflow in debug messages of usb redirection
|
||||
support (bsc#1047674 CVE-2017-10806)
|
||||
0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
|
||||
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
|
||||
0072-slirp-check-len-against-dhcp-option.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
|
||||
|
||||
- Fix support docs to indicate ARM64 is now fully L3 supported in
|
||||
SLES 12 SP3. Apply a few additional clarifications in the support
|
||||
docs. (bsc#1050268)
|
||||
- Adjust to libvdeplug-devel package naming changes.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com
|
||||
|
||||
|
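Review bot: The four security bullets in the 19:36:55 entry order their identifiers inconsistently: the first two use `(bsc#... CVE-...)` and the last two `(CVE-... bsc#...)`. Pick one order so the entries can be matched with a single pattern, and consider spelling the abbreviation "DoS" rather than "DOS".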
@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
|
||||
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
|
||||
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
|
||||
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
|
||||
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
|
||||
%if 0%{?suse_version} > 1310
|
||||
BuildRequires: libusb-1_0-devel
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1320
|
||||
BuildRequires: libvdeplug-devel
|
||||
%else
|
||||
BuildRequires: libvdeplug3-devel
|
||||
%endif
|
||||
BuildRequires: lzo-devel
|
||||
%if 0%{?suse_version} > 1220
|
||||
BuildRequires: makeinfo
|
||||
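Review bot: The new `%if 0%{?suse_version} > 1320` conditional around `BuildRequires: libvdeplug-devel` / `libvdeplug3-devel` has no comment saying why 1320 is the cut-off. A one-line spec comment naming the package rename it tracks would make it clear when the `%else` branch can be dropped.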
@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
%patch0070 -p1
|
||||
%patch0071 -p1
|
||||
%patch0072 -p1
|
||||
|
||||
pushd roms/ipxe
|
||||
%patch1100 -p1
|
||||
|
23
qemu.changes
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
|
||||
|
||||
- Address various security/stability issues
|
||||
* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
|
||||
0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
* Fix DOS from stack overflow in debug messages of usb redirection
|
||||
support (bsc#1047674 CVE-2017-10806)
|
||||
0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
|
||||
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
|
||||
0072-slirp-check-len-against-dhcp-option.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
|
||||
|
||||
- Fix support docs to indicate ARM64 is now fully L3 supported in
|
||||
SLES 12 SP3. Apply a few additional clarifications in the support
|
||||
docs. (bsc#1050268)
|
||||
- Adjust to libvdeplug-devel package naming changes.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com
|
||||
|
||||
|
12
qemu.spec
@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
|
||||
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
|
||||
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
|
||||
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
|
||||
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
|
||||
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
|
||||
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
|
||||
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
|
||||
%if 0%{?suse_version} > 1310
|
||||
BuildRequires: libusb-1_0-devel
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1320
|
||||
BuildRequires: libvdeplug-devel
|
||||
%else
|
||||
BuildRequires: libvdeplug3-devel
|
||||
%endif
|
||||
BuildRequires: lzo-devel
|
||||
%if 0%{?suse_version} > 1220
|
||||
BuildRequires: makeinfo
|
||||
@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
%patch0070 -p1
|
||||
%patch0071 -p1
|
||||
%patch0072 -p1
|
||||
|
||||
pushd roms/ipxe
|
||||
%patch1100 -p1
|
||||
|
@ -267,7 +267,11 @@ BuildRequires: libssh2-devel
|
||||
%if 0%{?suse_version} > 1310
|
||||
BuildRequires: libusb-1_0-devel
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1320
|
||||
BuildRequires: libvdeplug-devel
|
||||
%else
|
||||
BuildRequires: libvdeplug3-devel
|
||||
%endif
|
||||
BuildRequires: lzo-devel
|
||||
%if 0%{?suse_version} > 1220
|
||||
BuildRequires: makeinfo
|
||||
@ -315,14 +319,14 @@ BuildRequires: zlib-devel
|
||||
%if "%{name}" == "qemu-testsuite"
|
||||
BuildRequires: bc
|
||||
BuildRequires: qemu-arm = %version
|
||||
BuildRequires: qemu-block-curl = %version
|
||||
BuildRequires: qemu-block-dmg = %version
|
||||
BuildRequires: qemu-extra = %version
|
||||
BuildRequires: qemu-guest-agent = %version
|
||||
BuildRequires: qemu-ppc = %version
|
||||
BuildRequires: qemu-s390 = %version
|
||||
BuildRequires: qemu-tools = %version
|
||||
BuildRequires: qemu-x86 = %version
|
||||
BuildRequires: qemu-block-curl = %version
|
||||
BuildRequires: qemu-block-dmg = %version
|
||||
%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
|
||||
BuildRequires: qemu-block-gluster = %version
|
||||
%endif
|
||||
|
@ -10,13 +10,12 @@ Overview
|
||||
quality or value. The linux kernel includes components which contribute KVM
|
||||
virtualization features as well. This document was created to assist the user
|
||||
in deciding which features can be relied upon to build enterprise class
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
|
||||
and for IBM System z (s390x) are offered at the L3 (full support) level,
|
||||
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
|
||||
partner-specific use cases. The bulk of this document deals with L3 supported
|
||||
features and is primarily ARM64 centric. This document should be considered a
|
||||
companion to the standard virtualization documentation delivered with the
|
||||
product.
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
|
||||
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
|
||||
at the L3 (full support) level. The bulk of this document deals with L3
|
||||
supported features and is primarily ARM64 centric. This document should be
|
||||
considered a companion to the standard virtualization documentation delivered
|
||||
with the product.
|
||||
|
||||
KVM is implemented in linux kernel modules which enable the linux kernel to
|
||||
function as an integral part of the KVM hypervisor. The hypervisor-guest
|
||||
@ -57,9 +56,6 @@ Major QEMU/KVM Supported Features
|
||||
Since a KVM guest runs in the context of a normal linux process, some types
|
||||
of execution controls are managed with linux tools.
|
||||
|
||||
- Various standard vCPU types are available, along with the ability to specify
|
||||
individual CPU features visible to the guest.
|
||||
|
||||
- QEMU is compatible with EDK based UEFI firmware available with SLES12-SP3,
|
||||
which allow boot options common to physical systems along with other features
|
||||
tailored to virtualization. Various VGABIOS ROMs, from the SEABIOS project,
|
||||
@ -79,8 +75,8 @@ Major QEMU/KVM Supported Features
|
||||
take place either from certain prior SLES versioned hosts to a SLES 12 SP3
|
||||
or between hosts of the same version. Certain other restrictions also apply.
|
||||
|
||||
- Security considerations include seccomp2 based sandboxing, privileged
|
||||
helpers and a security model which allows running guests as a non-root user.
|
||||
- Security considerations include privileged helpers and a security model which
|
||||
allows running guests as a non-root user.
|
||||
|
||||
- QEMU provides best effort reuse of existing disk images, including those with
|
||||
systems installed, through geometry probing. Also disk images produced by
|
||||
|
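Review bot: In the "Security considerations" bullet, the rewritten text drops "seccomp2 based sandboxing" from the supported feature list, but the changelog describes the support-doc changes only as "a few additional clarifications". Removing a sandboxing statement changes what users can rely on for guest isolation, so the changelog (or the document itself) should say whether sandboxing is unavailable or merely unsupported on this architecture.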
@ -10,21 +10,20 @@ Overview
|
||||
quality or value. The linux kernel includes components which contribute KVM
|
||||
virtualization features as well. This document was created to assist the user
|
||||
in deciding which features can be relied upon to build enterprise class
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
|
||||
and for IBM System z (s390x) are offered at the L3 (full support) level,
|
||||
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
|
||||
partner-specific use cases. The bulk of this document deals with L3 supported
|
||||
features and is primarily s390x centric. This document should be considered a
|
||||
companion to the standard virtualization documentation delivered with the
|
||||
product.
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
|
||||
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
|
||||
at the L3 (full support) level. The bulk of this document deals with L3
|
||||
supported features and is primarily s390x centric. This document should be
|
||||
considered a companion to the standard virtualization documentation delivered
|
||||
with the product.
|
||||
|
||||
KVM is implemented in linux kernel modules which enable the linux kernel to
|
||||
function as an integral part of the KVM hypervisor. The hypervisor-guest
|
||||
interaction is managed by QEMU through the /dev/kvm ioctl interface. The linux
|
||||
host assists in the virtualization of storage, networking and display
|
||||
resources as well as allowing direct hardware passthrough of PCI and USB
|
||||
devices. Linux memory and cpu management features are used by QEMU/KVM to
|
||||
enable guests to share those host resources as efficiently as possible.
|
||||
resources as well as allowing direct hardware passthrough of PCI devices.
|
||||
Linux memory and cpu management features are used by QEMU/KVM to enable guests
|
||||
to share those host resources as efficiently as possible.
|
||||
|
||||
QEMU is a primary component of KVM based virtualization. The legacy qemu-kvm
|
||||
program is provided for continuity with pre SLES 12 usage, including in
|
||||
@ -59,9 +58,6 @@ Major QEMU/KVM Supported Features
|
||||
Since a KVM guest runs in the context of a normal linux process, some types
|
||||
of execution controls are managed with linux tools.
|
||||
|
||||
- Various standard vCPU types are available, along with the ability to specify
|
||||
individual CPU features visible to the guest.
|
||||
|
||||
- QEMU incorporates virtualized, 390 specific, ccw bus based firmware for
|
||||
booting s390 guests. This firmware is automatically incorporated and
|
||||
doesn't need to be explicitly referenced.
|
||||
@ -80,8 +76,8 @@ Major QEMU/KVM Supported Features
|
||||
take place either from certain prior SLES versioned hosts to a SLES 12 SP3
|
||||
or between hosts of the same version. Certain other restrictions also apply.
|
||||
|
||||
- Security considerations include seccomp2 based sandboxing, privileged
|
||||
helpers and a security model which allows running guests as a non-root user.
|
||||
- Security considerations include privileged helpers and a security model which
|
||||
allows running guests as a non-root user.
|
||||
|
||||
- QEMU provides best effort reuse of existing disk images, including those with
|
||||
systems installed, through geometry probing. Also disk images produced by
|
||||
@ -97,8 +93,8 @@ Major QEMU/KVM Supported Features
|
||||
- Guest performance is enhanced through the use of virtio devices, various disk
|
||||
caching modes, network acceleration via the vhost-net kernel module, multi-
|
||||
queue network transmit capabilities, host transparent huge pages (THP) and
|
||||
direct hugetlb usage. Physical PCI and USB devices may also be passed through
|
||||
to the guest, including SR-IOV VF's.
|
||||
direct hugetlb usage. Physical PCI devices may also be passed through to the
|
||||
guest, including SR-IOV VF's.
|
||||
|
||||
- The guest UI is accessable via GTK, SDL, VNC, Spice, and serial (including
|
||||
curses TUI) interfaces.
|
||||
|
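Review bot: This document's hunks remove USB from the passthrough statements in two places ("direct hardware passthrough of PCI and USB devices" and "Physical PCI and USB devices may also be passed through") in addition to dropping seccomp2 sandboxing, yet the changelog entry mentions only the ARM64 support level and "additional clarifications". Please list the USB passthrough and sandboxing changes explicitly in the changelog, since they narrow the supported feature set.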
@ -10,13 +10,12 @@ Overview
|
||||
quality or value. The linux kernel includes components which contribute KVM
|
||||
virtualization features as well. This document was created to assist the user
|
||||
in deciding which features can be relied upon to build enterprise class
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
|
||||
and for IBM System z (s390x) are offered at the L3 (full support) level,
|
||||
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
|
||||
partner-specific use cases. The bulk of this document deals with L3 supported
|
||||
features and is primarily x86 centric. This document should be considered a
|
||||
companion to the standard virtualization documentation delivered with the
|
||||
product.
|
||||
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
|
||||
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
|
||||
at the L3 (full support) level. The bulk of this document deals with L3
|
||||
supported features and is primarily x86 centric. This document should be
|
||||
considered a companion to the standard virtualization documentation delivered
|
||||
with the product.
|
||||
|
||||
KVM is implemented in linux kernel modules which enable the linux kernel to
|
||||
function as an integral part of the KVM hypervisor. The hypervisor-guest
|
||||
|