diff -pruN 11.6.0-1/debian/changelog 11.6.0-1ubuntu2/debian/changelog --- 11.6.0-1/debian/changelog 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/changelog 2025-08-27 08:18:49.000000000 +0000 @@ -1,3 +1,132 @@ +libvirt (11.6.0-1ubuntu2) questing; urgency=medium + + [ Lukas Märdian ] + * Default to qemu:///system libvirt URI (LP: #2027838) + On Ubuntu we always want to initialize the URI to qemu:///system, + regardless if running as privileged daemon or not. This keeps backward + compatibility with Ubuntu's default behavior, while still allowing users + more flexibility in changing that default, through config files or + environment variables. + - d/p/u/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch + * d/t/default-uri: add basic test for LIBVIRT_DEFAULT_URI handling + * d/libvirt-clients.conffiles: Remove libvirt-uri.sh profile.d script + * Drop Changes: + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + [ Hector Cao ] + * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule + (LP: #2120278) + + -- Hector Cao Wed, 27 Aug 2025 10:18:49 +0200 + +libvirt (11.6.0-1ubuntu1) questing; urgency=medium + + * Merge with Debian experimental (LP: #2115181). Remaining changes: + * Remaining changes: + - d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node + (LP 2079869) + - d/*(post|pre)(rm|inst), d/*.install: drop generated files + - Disable libssh2 support (universe dependency) + - d/control: add libzfslinux-dev to build-deps + - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI + Secure Boot enabled variants of the OVMF firmware and variable store for + the paths where we ship these files in Ubuntu. + - Set qemu-group to kvm (for compat with older ubuntu) + - Additional apport package-hook + - Autostart default bridged network (As upstream does, but not Debian). + In addition to just enabling it our solution provides: + + do not autostart if subnet is already taken (e.g. in guests). + + iterate some alternative subnets before giving up + + d/l-d-config-network.postinst: clear 'autostarted' state, to activate + network on install (LP 2093864) + + d/control: Add Breaks/Replaces, to account for the move of configuration + of the default bridged network to libvirt-daemon-config-network. + (LP 2107448) + + d/t/network: Test automatic virbr0 setup via autopkgtest. + + d/l-d-config-network.{pre,post}inst.in: diversions for network config. + + d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network + config. + - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is + the group based access to libvirt functions as it was used in Ubuntu + for quite a long time. + + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests + due to the group access change. + + d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt + group. + - Update README.Debian with Ubuntu changes + - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx + - fix autopkgtests (LP 1899180) + + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making + vmlinuz available and accessible (Debian bug 848314) + + d/t/control: fix smoke-qemu-session by ensuring the service will run + installing libvirt-daemon-system + + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as + long as the following undefine succeeds + + d/t/smoke-lxc: use systemd instead of sysV to restart the service + + d/t/control, d/t/smoke-lxc: retry service restart and skip test if + failing; This was flaky on some release/architectures + + d/t/smoke-lxc: retry check_domain being flaky on arm64 + - dnsmasq related enhancements + + run dnsmasq as libvirt-dnsmasq (LP 1743718) + + d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq user + and group + + d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq user + and group + on purge + + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user + libvirt-dnsmasq and adapt the self tests to expect that config + + Add dnsmasq configuration to work with system wide dnsmasq-base + - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default + machine type correctly with newer qemu/libvirt + - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for + (LP 1861125) fixups + - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592) + - d/libvirt-daemon-common.libvirt-guests.default: shut guests down + in parallel + - Apparmor Delta that is Ubuntu specific or yet to be upstreamed + split into logical pieces. File names in debian/patches/ubuntu-aa/: + + 0020-virt-aa-helper-ubuntu-storage-paths.patch: + apparmor, virt-aa-helper: Allow various storage pools and image + locations + + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, + libvirt-qemu: Add 9p support + + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: + virt-aa-helper: Ask for no deny rule for readonly disk + + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: + apparmor, libvirt-qemu: Allow reading charm-specific ceph config + + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow + commands executed by ubuntu only kvm wrapper on ppc64el + (LP 1686621 LP 1680384 LP 1784023) + + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: + apparmor, virt-aa-helper: access for snapped nova + + lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues + with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910) + - libvirt should not use user/group tss for swtpm (LP 1948880) + + d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm + + d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes + to user swtpm and adapt expected self test result changes triggered by + this + + d/libvirt-daemon-system.postinst: create user/group swtpm if not present + due to swtpm-tools (LP 1951975) + - d/libvirt-clients.lintian-overrides: Add script-not-executable lintian + override + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + Update: Set LIBVIRT_DEFAULT_URI to "qemu:///system" in all + cases. (LP #2027838) + - d/control: Demote passt to Suggests (from Recommends) for + libvirt-daemon-driver-qemu, because passt is in universe. + - d/control: Make libvirt-daemon Suggest (instead of Recommend) + libvirt-daemon-plugin-sanlock, which is in universe. + - d/control: re-generate from d/control-in: we stop changing both files + and eventually re-generate from d/control-in at built as intended. + * Updated changes + - d/p/u/ovmf_paths.patch: update to match new upstreams qemu.conf + - d/p/u/swtpm-by-swtpm-user.patch: update to match new upstreams qemu.conf + + -- Christian Ehrhardt Mon, 04 Aug 2025 13:24:59 +0200 + libvirt (11.6.0-1) experimental; urgency=medium * [047260f] New upstream version 11.6.0 @@ -10,6 +139,156 @@ libvirt (11.5.0-1) experimental; urgency -- Andrea Bolognani Wed, 02 Jul 2025 21:22:39 +0200 +libvirt (11.4.0-1ubuntu2) questing; urgency=medium + + * d/l-d-config-network.postinst: clear 'autostarted' state, to activate + network on install (LP: #2093864) + * Drop Changes: [Replaced by the above] + - Start default network on install (LP 2093864) + + d/l-d-config-network.postinst: add explicit virsh net-start workaround + + d/control: add libvirt-clients Recommends to l-d-config-network + + d/l-d-config-network.dirs: add var/libvirt/dnsmasq to store lease files + to avoid a warning on install + + -- Lukas Märdian Wed, 25 Jun 2025 11:02:02 +0200 + +libvirt (11.4.0-1ubuntu1) questing; urgency=medium + + [ Christian Ehrhardt ] + * Merge with Debian experimental (LP: #2110424) + * Among many other imrpovements this fixes + - ppc64: P11 Support in Libvirt (LP: #2109469) + - s390x: KVM: Implement virsh hypervisor-cpu-models (LP: #2027925) + * Remaining changes: + - d/p/u-aa/lp2079869-*: allow access for bridge helper to sys node + (LP 2079869) + - d/*(post|pre)(rm|inst), d/*.install: drop generated files + - Disable libssh2 support (universe dependency) + - d/control: add libzfslinux-dev to build-deps + - debian/patches/ubuntu/ovmf_paths.patch: adjust paths to secboot.fd UEFI + Secure Boot enabled variants of the OVMF firmware and variable store for + the paths where we ship these files in Ubuntu. + - Set qemu-group to kvm (for compat with older ubuntu) + - Additional apport package-hook + - Autostart default bridged network (As upstream does, but not Debian). + In addition to just enabling it our solution provides: + + do not autostart if subnet is already taken (e.g. in guests). + + iterate some alternative subnets before giving up + - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is + the group based access to libvirt functions as it was used in Ubuntu + for quite a long time. + + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests + due to the group access change. + + d/libvirt-daemon-driver-qemu.postinst*: add users in sudo to the libvirt + group. + - Update README.Debian with Ubuntu changes + - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx + - fix autopkgtests (LP 1899180) + + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making + vmlinuz available and accessible (Debian bug 848314) + + d/t/control: fix smoke-qemu-session by ensuring the service will run + installing libvirt-daemon-system + + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as + long as the following undefine succeeds + + d/t/smoke-lxc: use systemd instead of sysV to restart the service + + d/t/control, d/t/smoke-lxc: retry service restart and skip test if + failing; This was flaky on some release/architectures + + d/t/smoke-lxc: retry check_domain being flaky on arm64 + - dnsmasq related enhancements + + run dnsmasq as libvirt-dnsmasq (LP 1743718) + + d/libvirt-daemon-driver-qemu.postinst*: add libvirt-dnsmasq user + and group + + d/libvirt-daemon-driver-qemu.postrm*: remove libvirt-dnsmasq user + and group + on purge + + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user + libvirt-dnsmasq and adapt the self tests to expect that config + + d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + + Add dnsmasq configuration to work with system wide dnsmasq-base + - d/p/ubuntu/set-default-machine-to-ubuntu.patch: to select default + machine type correctly with newer qemu/libvirt + - d/p/ubuntu/lp-1861125-ubuntu-models: recognize Ubuntu models for + (LP 1861125) fixups + - d/p/ubuntu/wait-for-qemu-kvm.patch - avoid hangs on startup (LP 1887592) + - d/libvirt-daemon-common.libvirt-guests.default: shut guests down + in parallel + - Apparmor Delta that is Ubuntu specific or yet to be upstreamed + split into logical pieces. File names in debian/patches/ubuntu-aa/: + + 0020-virt-aa-helper-ubuntu-storage-paths.patch: + apparmor, virt-aa-helper: Allow various storage pools and image + locations + + 0029-appmor-libvirt-qemu-Add-9p-support.patch: appmor, + libvirt-qemu: Add 9p support + + 0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch: + virt-aa-helper: Ask for no deny rule for readonly disk + + 0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch: + apparmor, libvirt-qemu: Allow reading charm-specific ceph config + + 0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch: allow + commands executed by ubuntu only kvm wrapper on ppc64el + (LP 1686621 LP 1680384 LP 1784023) + + 0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch: + apparmor, virt-aa-helper: access for snapped nova + + lp-1815910-allow-vhost-hotplug.patch: avoid apparmor issues + with vhost-net/vhost-vsock/vhost-scsi hotplug (LP 1815910) + - libvirt should not use user/group tss for swtpm (LP 1948880) + + d/libvirt-daemon-system.postinst: own swtpm logdir by user swtpm + + d/p/u/swtpm-by-swtpm-user.patch: change default spawned swtpm processes + to user swtpm and adapt expected self test result changes triggered by + this + + d/libvirt-daemon-system.postinst: create user/group swtpm if not present + due to swtpm-tools (LP 1951975) + - d/libvirt-clients.lintian-overrides: Add script-not-executable lintian + override + - libvirt-uri.sh, d/rules: Automatically switch default libvirt URI + for users via user profile (qemu:///system) + + Update: Set LIBVIRT_DEFAULT_URI to "qemu:///system" in all + cases. (LP #2027838) + - d/control: Demote passt to Suggests (from Recommends) for + libvirt-daemon-driver-qemu, because passt is in universe. + - d/control: Make libvirt-daemon Suggest (instead of Recommend) + libvirt-daemon-plugin-sanlock, which is in universe. + * Added changes + - d/control: re-generate from d/control-in: we stop changing both files + and eventually re-generate from d/control-in as it is meant to be. + Having more than just d/control-in is only a git-import artifact anyway. + * Drop changes [in Debian 11.1.0-2] + - Fix potential issue in regard to conffile transfer on upgrades + (LP 2105496) + * Drop changes [in Upstream 11.1.0] + - d/control: drop libvirt-lxc, vbox and xen drivers to suggest + - apparmor: Allow SGX if configured (LP 2100024) + - d/p/u/lp2097886: Enable virtio-mem support not in 11.0 (LP 2097886) + + [ Lukas Märdian ] + * Move autostart of default bridged network from libvirt-daemon-driver-qemu + to libvirt-daemon-config-network.postinst, as it depends on the default.xml + template shipped by the latter. (LP: #2107448) + - Move dnsmasq related enhancements to libvirt-daemon-config-network + + run dnsmasq as libvirt-dnsmasq (LP: 1743718) + + d/libvirt-daemon-config-network.postinst*: add libvirt-dnsmasq + user/group, as moved from d/libvirt-daemon-driver-qemu.postinst. + + d/libvirt-daemon-config-network.postrm*: remove libvirt-dnsmasq + user/group on purge, as moved from d/libvirt-daemon-driver-qemu.postinst + + Move dnsmasq configuration to work with system wide dnsmasq-base from + libvirt-daemon-driver-qemu.post* to libvirt-daemon-config-network.post* + - d/control: Add Breaks/Replaces, to account for the move of configuration + of the default bridged network to libvirt-daemon-config-network. + As per https://wiki.debian.org/PackageTransition case #9. + - d/t/network: Test automatic virbr0 setup via autopkgtest. + - d/l-d-config-network.{pre,post}inst.in: Add diversions for network config. + - d/l-d-config-network.{pre,post}inst.in: retain non pkg owned network + config. + * Start default network on install (LP: #2093864) + - d/l-d-config-network.postinst: add explicit virsh net-start workaround + - d/control: add libvirt-clients Recommends to l-d-config-network + - d/l-d-config-network.dirs: add var/libvirt/dnsmasq to store lease files + to avoid a warning on install + * Drop Changes: + - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users group + [Upgrade path for 4.0.0-1ubuntu5~ not relevant anymore] + + -- Christian Ehrhardt Wed, 11 Jun 2025 13:11:23 +0200 + libvirt (11.4.0-1) experimental; urgency=medium * [f8bc946] New upstream version 11.4.0 @@ -18,6 +297,13 @@ libvirt (11.4.0-1) experimental; urgency -- Andrea Bolognani Thu, 05 Jun 2025 00:07:28 +0200 +libvirt (11.3.0-3) unstable; urgency=medium + + * [d10b70f] patches: Add backports + - backport/qemu-Be-more-forgiving-when-acquiring-QUERY-job-[...] + + -- Andrea Bolognani Wed, 02 Jul 2025 22:15:28 +0200 + libvirt (11.3.0-2) unstable; urgency=medium * [eb4a97a] patches: Add backports diff -pruN 11.6.0-1/debian/control 11.6.0-1ubuntu2/debian/control --- 11.6.0-1/debian/control 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/control 2025-08-27 08:03:12.000000000 +0000 @@ -1,7 +1,8 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Libvirt Maintainers Uploaders: Guido Günther , Andrea Bolognani , @@ -39,7 +40,6 @@ Build-Depends: libsasl2-dev, libselinux1-dev [linux-any], libssh-dev, - libssh2-1-dev, libtasn1-6-dev, libtirpc-dev, libudev-dev [linux-any], @@ -47,6 +47,7 @@ Build-Depends: libxen-dev [amd64 arm64], libxml2-dev, libxml2-utils, + libzfslinux-dev [linux-amd64 linux-arm64 linux-armhf linux-i386 linux-ppc64el linux-s390x], meson, po-debconf, python3-docutils, @@ -150,6 +151,7 @@ Suggests: libvirt-daemon-driver-storage-zfs (= ${binary:Version}), libvirt-daemon-driver-vbox (= ${binary:Version}) [amd64 i386], libvirt-daemon-driver-xen (= ${binary:Version}) [amd64 arm64], + libvirt-daemon-plugin-sanlock (= ${binary:Version}), libvirt-daemon-system (= ${binary:Version}), Conflicts: libvirt-daemon-system (<< 10.6.0-2~), @@ -282,17 +284,18 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, Recommends: - passt, swtpm, swtpm-tools, Suggests: numad, + passt, Enhances: qemu-kvm, qemu-system, Breaks: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), + libvirt-daemon-config-network (<< 11.0.0-2ubuntu9~), Replaces: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), @@ -842,6 +845,7 @@ Package: libvirt-daemon-config-network Section: admin Architecture: all Depends: + adduser, libvirt-common (<< ${source:Version}.1~), libvirt-common (>= ${source:Version}), libvirt-daemon-driver-network (<< ${source:Version}.1~), @@ -851,8 +855,10 @@ Depends: ${misc:Depends}, Breaks: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Replaces: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Description: virtualization daemon - configuration files (default network) libvirt exposes a long-term stable API that can be used to interact with various hypervisors. Its architecture is highly modular, with most features diff -pruN 11.6.0-1/debian/control.in 11.6.0-1ubuntu2/debian/control.in --- 11.6.0-1/debian/control.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/control.in 2025-08-27 08:03:12.000000000 +0000 @@ -1,7 +1,8 @@ Source: libvirt Section: libs Priority: optional -Maintainer: Debian Libvirt Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Libvirt Maintainers Uploaders: Guido Günther , Andrea Bolognani , @@ -39,7 +40,6 @@ Build-Depends: libsasl2-dev, libselinux1-dev [linux-any], libssh-dev, - libssh2-1-dev, libtasn1-6-dev, libtirpc-dev, libudev-dev [linux-any], @@ -47,6 +47,7 @@ Build-Depends: libxen-dev [${ARCHES_XEN}], libxml2-dev, libxml2-utils, + libzfslinux-dev [linux-amd64 linux-arm64 linux-armhf linux-i386 linux-ppc64el linux-s390x], meson, po-debconf, python3-docutils, @@ -142,6 +143,7 @@ Suggests: libvirt-daemon-driver-storage-zfs (= ${binary:Version}), libvirt-daemon-driver-vbox (= ${binary:Version}) [${ARCHES_VBOX}], libvirt-daemon-driver-xen (= ${binary:Version}) [${ARCHES_XEN}], + libvirt-daemon-plugin-sanlock (= ${binary:Version}), libvirt-daemon-system (= ${binary:Version}), Conflicts: libvirt-daemon-system (<< 10.6.0-2~), @@ -258,17 +260,18 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, Recommends: - passt, swtpm, swtpm-tools, Suggests: numad, + passt, Enhances: qemu-kvm, qemu-system, Breaks: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), + libvirt-daemon-config-network (<< 11.0.0-2ubuntu9~), Replaces: libvirt-clients (<< 6.9.0-2~), libvirt-daemon-system (<< 10.6.0-2~), @@ -730,6 +733,7 @@ Package: libvirt-daemon-config-network Section: admin Architecture: all Depends: + adduser, libvirt-common (<< ${source:Version}.1~), libvirt-common (>= ${source:Version}), libvirt-daemon-driver-network (<< ${source:Version}.1~), @@ -739,8 +743,10 @@ Depends: ${misc:Depends}, Breaks: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Replaces: libvirt-daemon-system (<< 6.9.0-2~), + libvirt-daemon-driver-qemu (<< 11.0.0-2ubuntu9~), Description: virtualization daemon - configuration files (default network) @COMMON_DESCRIPTION@ . diff -pruN 11.6.0-1/debian/libnss-libvirt.install 11.6.0-1ubuntu2/debian/libnss-libvirt.install --- 11.6.0-1/debian/libnss-libvirt.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libnss-libvirt.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -etc/apt/apt.conf.d/90libnss-libvirt -usr/lib/${DEB_HOST_MULTIARCH}/libnss_libvirt.so.2 -usr/lib/${DEB_HOST_MULTIARCH}/libnss_libvirt_guest.so.2 diff -pruN 11.6.0-1/debian/libvirt-clients-qemu.install 11.6.0-1ubuntu2/debian/libvirt-clients-qemu.install --- 11.6.0-1/debian/libvirt-clients-qemu.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-clients-qemu.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -usr/bin/virt-qemu-qmp-proxy -usr/bin/virt-qemu-sev-validate -usr/share/man/man1/virt-qemu-qmp-proxy.1 -usr/share/man/man1/virt-qemu-sev-validate.1 diff -pruN 11.6.0-1/debian/libvirt-clients.conffiles 11.6.0-1ubuntu2/debian/libvirt-clients.conffiles --- 11.6.0-1/debian/libvirt-clients.conffiles 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-clients.conffiles 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1 @@ +remove-on-upgrade /etc/profile.d/libvirt-uri.sh diff -pruN 11.6.0-1/debian/libvirt-clients.install 11.6.0-1ubuntu2/debian/libvirt-clients.install --- 11.6.0-1/debian/libvirt-clients.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-clients.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,21 +0,0 @@ -usr/bin/virsh -usr/bin/virt-pki-query-dn -usr/bin/virt-pki-validate -usr/bin/virt-xml-validate -usr/share/bash-completion/completions/virsh -usr/share/man/man1/virsh.1 -usr/share/man/man1/virt-pki-query-dn.1 -usr/share/man/man1/virt-pki-validate.1 -usr/share/man/man1/virt-xml-validate.1 -usr/share/man/man7/virkeycode-atset1.7 -usr/share/man/man7/virkeycode-atset2.7 -usr/share/man/man7/virkeycode-atset3.7 -usr/share/man/man7/virkeycode-linux.7 -usr/share/man/man7/virkeycode-osx.7 -usr/share/man/man7/virkeycode-qnum.7 -usr/share/man/man7/virkeycode-usb.7 -usr/share/man/man7/virkeycode-win32.7 -usr/share/man/man7/virkeycode-xtkbd.7 -usr/share/man/man7/virkeyname-linux.7 -usr/share/man/man7/virkeyname-osx.7 -usr/share/man/man7/virkeyname-win32.7 diff -pruN 11.6.0-1/debian/libvirt-common.README.Debian 11.6.0-1ubuntu2/debian/libvirt-common.README.Debian --- 11.6.0-1/debian/libvirt-common.README.Debian 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-common.README.Debian 2025-08-27 08:03:12.000000000 +0000 @@ -42,30 +42,11 @@ EOF This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges. -Bridged network -=============== -libvirt can use the qemu-bridge-helper to create bridged network interfaces for -session domains. For this to work the helper must have the capability to create -TUN/TAP devices or must have the SUID permission set. -This can be done by running the following command as the user root: - - setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper - -The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For -each bridge add a line like 'allow br0'. - Access Control ============== -Access to the libvirt managing tasks is controlled by PolicyKit. To ease -configuration membership in the "libvirt" group is sufficient. If you want to -manage VMs as non-root you need to add a user to that group. - -Note that this will allow users in this group to use all of libvirt's -API including modifying files on the host. For finer grained access -control have a look at libvirt's ACLs. - -System QEMU/KVM processes are run as user and group libvirt-qemu. This can be -adjusted via /etc/libvirt/qemu.conf. +Access to the libvirt socket is controlled by membership in the "libvirtd" +group. +If you want to manage VMs as non root you need to add a user to that group. QEMU/KVM: Dropping Capabilties ============================== @@ -116,3 +97,82 @@ model. See for further details. -- Guido Günther Wen, 24 Dec 2014 09:55:41 +0200 + +AppArmor Profile +================ +Libvirt now contains AppArmor integration when using KVM or QEMU using +libvirt's sVirt infrastructure. Libvirtd can be configured to launch virtual +machines that are confined by uniquely restrictive AppArmor profiles. This +feature significantly improves virtualization in Ubuntu by providing user-space +host protection as well as guest isolation. + +In the sVirt model, if a profile is loaded for the libvirtd daemon, then each +qemu:///system QEMU virtual machine will have a profile created for it when +the virtual machine is started if one does not already exist. This generated +profile is based on a template file and uses a profile name based on the UUID +of the QEMU virtual machine and contains rules allowing access to only the +files it needs to run, such as its disks, pid file and log files. Just before +the QEMU virtual machine is started, the libvirtd daemon will change into this +unique profile, preventing the QEMU process from accessing any file resources +that are present in another QEMU process or the host machine. + +The AppArmor sVirt implementation is flexible in that it allows a user to +customize the template file in /etc/apparmor.d/libvirt/TEMPLATE for +site-specific access for all newly created QEMU virtual machines. When a +new profile is generated, two files are created: + + /etc/apparmor.d/libvirt/libvirt- + /etc/apparmor.d/libvirt/libvirt-.files + +The former can be fine-tuned by the administrator to allow custom access for +this particular QEMU virtual machine, and the latter will be updated +appropriately when required file access changes, such as when a disk is added. +This flexibility allows for situations such as having one virtual machine in +complain mode with all others in enforce mode. + +Profiles for /usr/sbin/libvirtd, /usr/lib/libvirt/virt-aa-helper (a helper +program which the libvirtd daemon uses instead of manipulating AppArmor +directly), and /etc/apparmor.d/abstractions/libvirt-qemu are used to configure +AppArmor confinement with sVirt. Administrators of libvirt in production +environments are encouraged to review these files (especially 'libvirt-qemu') +to ensure that only the access required is given to the virtual machines. + +If the sVirt security model is active, then the node capabilities XML will +include its details. If a virtual machine is currently protected by the +security model, then the guest XML will include its assigned profile name. If +enabled at compile time, the sVirt security model will be activated if AppArmor +is available on the host OS and a profile for the libvirtd daemon is loaded +when libvirtd is started. To disable sVirt, and revert to the basic level of +AppArmor protection (host protection only), the /etc/libvirt/qemu.conf file can +be used to change the setting to security_driver="none". Users may also +disable AppArmor integration through AppArmor itself by performing: + +$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd +$ sudo ln -s /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable/usr.sbin.libvirtd + +If your system uses AppArmor, please note that the shipped profile works with +the default installation, and changes in your configuration may require changes +to the installed apparmor profile. Before filing a bug against this software, +please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug +against this software. + +qemu:///system +-------------- +Adding users to the libvirtd group effectively grants them root access. In +Ubuntu, users in the sudo group (who already have 'sudo' access) are added to +this group automatically. + +Virtual machines started from qemu:///system may run with or without root +privileges. As discussed above, in Ubuntu Qemu/KVM virtual machines are fully +isolated and confined by the AppArmor security driver. Users can adjust this +/etc/libvirt/qemu.conf so that virtual machines started under qemu:///system +run as a non-privileged user (new in libvirt 0.7). The 'libvirt-qemu' user and +'kvm' group are configured for this purpose. In Ubuntu, libvirt runs virtual +machines with non-root privileges as well as fully confined by AppArmor. + +While the current non-root implementation does reduce the privileges of virtual +machines running under qemu:///system, continuing to use a MAC system such as +AppArmor is important because without the MAC system all VMs will still run +under the same user and there is no guest isolation. Additionally, if each VM +ran under its own user, an attacker could potentially break out of the VM and +have unconfined user access to the host machine. diff -pruN 11.6.0-1/debian/libvirt-common.install 11.6.0-1ubuntu2/debian/libvirt-common.install --- 11.6.0-1/debian/libvirt-common.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-common.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,212 +0,0 @@ -etc/libvirt/libvirt-admin.conf -etc/libvirt/libvirt.conf -usr/share/libvirt/cpu_map/arm_Ampere-1.xml -usr/share/libvirt/cpu_map/arm_Ampere-1a.xml -usr/share/libvirt/cpu_map/arm_FT-2000plus.xml -usr/share/libvirt/cpu_map/arm_Falkor.xml -usr/share/libvirt/cpu_map/arm_Kunpeng-920.xml -usr/share/libvirt/cpu_map/arm_Neoverse-N1.xml -usr/share/libvirt/cpu_map/arm_Neoverse-N2.xml -usr/share/libvirt/cpu_map/arm_Neoverse-V1.xml -usr/share/libvirt/cpu_map/arm_Tengyun-S2500.xml -usr/share/libvirt/cpu_map/arm_ThunderX299xx.xml -usr/share/libvirt/cpu_map/arm_a64fx.xml -usr/share/libvirt/cpu_map/arm_cortex-a53.xml -usr/share/libvirt/cpu_map/arm_cortex-a57.xml -usr/share/libvirt/cpu_map/arm_cortex-a72.xml -usr/share/libvirt/cpu_map/arm_features.xml -usr/share/libvirt/cpu_map/arm_vendors.xml -usr/share/libvirt/cpu_map/index.xml -usr/share/libvirt/cpu_map/ppc64_POWER10.xml -usr/share/libvirt/cpu_map/ppc64_POWER11.xml -usr/share/libvirt/cpu_map/ppc64_POWER6.xml -usr/share/libvirt/cpu_map/ppc64_POWER7.xml -usr/share/libvirt/cpu_map/ppc64_POWER8.xml -usr/share/libvirt/cpu_map/ppc64_POWER9.xml -usr/share/libvirt/cpu_map/ppc64_POWERPC_e5500.xml -usr/share/libvirt/cpu_map/ppc64_POWERPC_e6500.xml -usr/share/libvirt/cpu_map/ppc64_vendors.xml -usr/share/libvirt/cpu_map/x86_486-v1.xml -usr/share/libvirt/cpu_map/x86_486.xml -usr/share/libvirt/cpu_map/x86_Broadwell-IBRS.xml -usr/share/libvirt/cpu_map/x86_Broadwell-noTSX-IBRS.xml -usr/share/libvirt/cpu_map/x86_Broadwell-noTSX.xml -usr/share/libvirt/cpu_map/x86_Broadwell-v1.xml -usr/share/libvirt/cpu_map/x86_Broadwell-v2.xml -usr/share/libvirt/cpu_map/x86_Broadwell-v3.xml -usr/share/libvirt/cpu_map/x86_Broadwell-v4.xml -usr/share/libvirt/cpu_map/x86_Broadwell.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-noTSX.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v1.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v2.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v3.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v4.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server-v5.xml -usr/share/libvirt/cpu_map/x86_Cascadelake-Server.xml -usr/share/libvirt/cpu_map/x86_Conroe-v1.xml -usr/share/libvirt/cpu_map/x86_Conroe.xml -usr/share/libvirt/cpu_map/x86_Cooperlake-v1.xml -usr/share/libvirt/cpu_map/x86_Cooperlake-v2.xml -usr/share/libvirt/cpu_map/x86_Cooperlake.xml -usr/share/libvirt/cpu_map/x86_Denverton-v1.xml -usr/share/libvirt/cpu_map/x86_Denverton-v2.xml -usr/share/libvirt/cpu_map/x86_Denverton-v3.xml -usr/share/libvirt/cpu_map/x86_Denverton.xml -usr/share/libvirt/cpu_map/x86_Dhyana-v1.xml -usr/share/libvirt/cpu_map/x86_Dhyana-v2.xml -usr/share/libvirt/cpu_map/x86_Dhyana.xml -usr/share/libvirt/cpu_map/x86_EPYC-Genoa-v1.xml -usr/share/libvirt/cpu_map/x86_EPYC-Genoa.xml -usr/share/libvirt/cpu_map/x86_EPYC-IBPB.xml -usr/share/libvirt/cpu_map/x86_EPYC-Milan-v1.xml -usr/share/libvirt/cpu_map/x86_EPYC-Milan-v2.xml -usr/share/libvirt/cpu_map/x86_EPYC-Milan.xml -usr/share/libvirt/cpu_map/x86_EPYC-Rome-v1.xml -usr/share/libvirt/cpu_map/x86_EPYC-Rome-v2.xml -usr/share/libvirt/cpu_map/x86_EPYC-Rome-v3.xml -usr/share/libvirt/cpu_map/x86_EPYC-Rome-v4.xml -usr/share/libvirt/cpu_map/x86_EPYC-Rome.xml -usr/share/libvirt/cpu_map/x86_EPYC-v1.xml -usr/share/libvirt/cpu_map/x86_EPYC-v2.xml -usr/share/libvirt/cpu_map/x86_EPYC-v3.xml -usr/share/libvirt/cpu_map/x86_EPYC-v4.xml -usr/share/libvirt/cpu_map/x86_EPYC.xml -usr/share/libvirt/cpu_map/x86_GraniteRapids-v1.xml -usr/share/libvirt/cpu_map/x86_GraniteRapids-v2.xml -usr/share/libvirt/cpu_map/x86_GraniteRapids.xml -usr/share/libvirt/cpu_map/x86_Haswell-IBRS.xml -usr/share/libvirt/cpu_map/x86_Haswell-noTSX-IBRS.xml -usr/share/libvirt/cpu_map/x86_Haswell-noTSX.xml -usr/share/libvirt/cpu_map/x86_Haswell-v1.xml -usr/share/libvirt/cpu_map/x86_Haswell-v2.xml -usr/share/libvirt/cpu_map/x86_Haswell-v3.xml -usr/share/libvirt/cpu_map/x86_Haswell-v4.xml -usr/share/libvirt/cpu_map/x86_Haswell.xml -usr/share/libvirt/cpu_map/x86_Icelake-Client-noTSX.xml -usr/share/libvirt/cpu_map/x86_Icelake-Client.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-noTSX.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v1.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v2.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v3.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v4.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v5.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v6.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server-v7.xml -usr/share/libvirt/cpu_map/x86_Icelake-Server.xml -usr/share/libvirt/cpu_map/x86_IvyBridge-IBRS.xml -usr/share/libvirt/cpu_map/x86_IvyBridge-v1.xml -usr/share/libvirt/cpu_map/x86_IvyBridge-v2.xml -usr/share/libvirt/cpu_map/x86_IvyBridge.xml -usr/share/libvirt/cpu_map/x86_KnightsMill-v1.xml -usr/share/libvirt/cpu_map/x86_KnightsMill.xml -usr/share/libvirt/cpu_map/x86_Nehalem-IBRS.xml -usr/share/libvirt/cpu_map/x86_Nehalem-v1.xml -usr/share/libvirt/cpu_map/x86_Nehalem-v2.xml -usr/share/libvirt/cpu_map/x86_Nehalem.xml -usr/share/libvirt/cpu_map/x86_Opteron_G1-v1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G2-v1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G2.xml -usr/share/libvirt/cpu_map/x86_Opteron_G3-v1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G3.xml -usr/share/libvirt/cpu_map/x86_Opteron_G4-v1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G4.xml -usr/share/libvirt/cpu_map/x86_Opteron_G5-v1.xml -usr/share/libvirt/cpu_map/x86_Opteron_G5.xml -usr/share/libvirt/cpu_map/x86_Penryn-v1.xml -usr/share/libvirt/cpu_map/x86_Penryn.xml -usr/share/libvirt/cpu_map/x86_SandyBridge-IBRS.xml -usr/share/libvirt/cpu_map/x86_SandyBridge-v1.xml -usr/share/libvirt/cpu_map/x86_SandyBridge-v2.xml -usr/share/libvirt/cpu_map/x86_SandyBridge.xml -usr/share/libvirt/cpu_map/x86_SapphireRapids-v1.xml -usr/share/libvirt/cpu_map/x86_SapphireRapids-v2.xml -usr/share/libvirt/cpu_map/x86_SapphireRapids-v3.xml -usr/share/libvirt/cpu_map/x86_SapphireRapids.xml -usr/share/libvirt/cpu_map/x86_SierraForest-v1.xml -usr/share/libvirt/cpu_map/x86_SierraForest.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-IBRS.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-v1.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-v2.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-v3.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client-v4.xml -usr/share/libvirt/cpu_map/x86_Skylake-Client.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-IBRS.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-v1.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-v2.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-v3.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-v4.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server-v5.xml -usr/share/libvirt/cpu_map/x86_Skylake-Server.xml -usr/share/libvirt/cpu_map/x86_Snowridge-v1.xml -usr/share/libvirt/cpu_map/x86_Snowridge-v2.xml -usr/share/libvirt/cpu_map/x86_Snowridge-v3.xml -usr/share/libvirt/cpu_map/x86_Snowridge-v4.xml -usr/share/libvirt/cpu_map/x86_Snowridge.xml -usr/share/libvirt/cpu_map/x86_Westmere-IBRS.xml -usr/share/libvirt/cpu_map/x86_Westmere-v1.xml -usr/share/libvirt/cpu_map/x86_Westmere-v2.xml -usr/share/libvirt/cpu_map/x86_Westmere.xml -usr/share/libvirt/cpu_map/x86_athlon-v1.xml -usr/share/libvirt/cpu_map/x86_athlon.xml -usr/share/libvirt/cpu_map/x86_core2duo-v1.xml -usr/share/libvirt/cpu_map/x86_core2duo.xml -usr/share/libvirt/cpu_map/x86_coreduo-v1.xml -usr/share/libvirt/cpu_map/x86_coreduo.xml -usr/share/libvirt/cpu_map/x86_cpu64-rhel5.xml -usr/share/libvirt/cpu_map/x86_cpu64-rhel6.xml -usr/share/libvirt/cpu_map/x86_features.xml -usr/share/libvirt/cpu_map/x86_kvm32-v1.xml -usr/share/libvirt/cpu_map/x86_kvm32.xml -usr/share/libvirt/cpu_map/x86_kvm64-v1.xml -usr/share/libvirt/cpu_map/x86_kvm64.xml -usr/share/libvirt/cpu_map/x86_n270-v1.xml -usr/share/libvirt/cpu_map/x86_n270.xml -usr/share/libvirt/cpu_map/x86_pentium-v1.xml -usr/share/libvirt/cpu_map/x86_pentium.xml -usr/share/libvirt/cpu_map/x86_pentium2-v1.xml -usr/share/libvirt/cpu_map/x86_pentium2.xml -usr/share/libvirt/cpu_map/x86_pentium3-v1.xml -usr/share/libvirt/cpu_map/x86_pentium3.xml -usr/share/libvirt/cpu_map/x86_pentiumpro.xml -usr/share/libvirt/cpu_map/x86_phenom-v1.xml -usr/share/libvirt/cpu_map/x86_phenom.xml -usr/share/libvirt/cpu_map/x86_qemu32-v1.xml -usr/share/libvirt/cpu_map/x86_qemu32.xml -usr/share/libvirt/cpu_map/x86_qemu64-v1.xml -usr/share/libvirt/cpu_map/x86_qemu64.xml -usr/share/libvirt/cpu_map/x86_vendors.xml -usr/share/libvirt/schemas/basictypes.rng -usr/share/libvirt/schemas/capability.rng -usr/share/libvirt/schemas/cpu.rng -usr/share/libvirt/schemas/cputypes.rng -usr/share/libvirt/schemas/domain.rng -usr/share/libvirt/schemas/domainbackup.rng -usr/share/libvirt/schemas/domaincaps.rng -usr/share/libvirt/schemas/domaincheckpoint.rng -usr/share/libvirt/schemas/domaincommon.rng -usr/share/libvirt/schemas/domainoverrides.rng -usr/share/libvirt/schemas/domainsnapshot.rng -usr/share/libvirt/schemas/inactiveDomain.rng -usr/share/libvirt/schemas/interface.rng -usr/share/libvirt/schemas/network.rng -usr/share/libvirt/schemas/networkcommon.rng -usr/share/libvirt/schemas/networkport.rng -usr/share/libvirt/schemas/nodedev.rng -usr/share/libvirt/schemas/nwfilter.rng -usr/share/libvirt/schemas/nwfilter_params.rng -usr/share/libvirt/schemas/nwfilterbinding.rng -usr/share/libvirt/schemas/privatedata.rng -usr/share/libvirt/schemas/secret.rng -usr/share/libvirt/schemas/storagecommon.rng -usr/share/libvirt/schemas/storagepool.rng -usr/share/libvirt/schemas/storagepoolcaps.rng -usr/share/libvirt/schemas/storagevol.rng -usr/share/libvirt/schemas/sysinfo.rng -usr/share/libvirt/schemas/sysinfocommon.rng -usr/share/libvirt/test-screenshot.png -usr/share/systemtap/tapset/libvirt_functions.stp -usr/share/systemtap/tapset/libvirt_probes.stp -usr/share/systemtap/tapset/libvirt_qemu_probes.stp diff -pruN 11.6.0-1/debian/libvirt-daemon-common.apport 11.6.0-1ubuntu2/debian/libvirt-daemon-common.apport --- 11.6.0-1/debian/libvirt-daemon-common.apport 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.apport 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,22 @@ +'''apport package hook for libvirt source package + +(c) 2009-2011 Canonical Ltd. +Author: +Jamie Strandboge + +''' + +from apport.hookutils import * +from os import path +import re + +def add_info(report): + attach_conffiles(report, 'libvirt-daemon') + attach_related_packages(report, ['apparmor', 'libapparmor1', + 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0']) + + # get apparmor stuff. + attach_mac_events(report, ['/usr/lib/libvirt/virt-aa-helper', + '/usr/sbin/libvirtd', + 'libvirt-.*']) + diff -pruN 11.6.0-1/debian/libvirt-daemon-common.dirs 11.6.0-1ubuntu2/debian/libvirt-daemon-common.dirs --- 11.6.0-1/debian/libvirt-daemon-common.dirs 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.dirs 2025-08-27 08:03:12.000000000 +0000 @@ -3,3 +3,5 @@ var/cache/libvirt var/lib/libvirt/boot var/lib/libvirt/images var/log/libvirt +usr/share/apport/package-hooks +etc/dnsmasq.d-available diff -pruN 11.6.0-1/debian/libvirt-daemon-common.install 11.6.0-1ubuntu2/debian/libvirt-daemon-common.install --- 11.6.0-1/debian/libvirt-daemon-common.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,17 +0,0 @@ -etc/apparmor.d/usr.lib.libvirt.virt-aa-helper -etc/sasl2/libvirt.conf -usr/bin/virt-admin -usr/bin/virt-host-validate -usr/bin/virt-ssh-helper -usr/lib/libvirt/libvirt-guests.sh -usr/lib/libvirt/libvirt_iohelper -usr/lib/systemd/system/libvirt-guests.service -usr/lib/systemd/system/virt-guest-shutdown.target -usr/share/bash-completion/completions/virt-admin -usr/share/man/man1/virt-admin.1 -usr/share/man/man1/virt-host-validate.1 -usr/share/man/man8/libvirt-guests.8 -usr/share/man/man8/virt-ssh-helper.8 -usr/share/polkit-1/actions/org.libvirt.api.policy -usr/share/polkit-1/actions/org.libvirt.unix.policy -usr/share/polkit-1/rules.d/60-libvirt.rules diff -pruN 11.6.0-1/debian/libvirt-daemon-common.install.in 11.6.0-1ubuntu2/debian/libvirt-daemon-common.install.in --- 11.6.0-1/debian/libvirt-daemon-common.install.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.install.in 2025-08-27 08:03:12.000000000 +0000 @@ -1,4 +1,5 @@ etc/apparmor.d/usr.lib.libvirt.virt-aa-helper +usr/share/apport/package-hooks/source_libvirt.py etc/sasl2/libvirt.conf usr/bin/virt-admin usr/bin/virt-host-validate diff -pruN 11.6.0-1/debian/libvirt-daemon-common.libvirt-guests.default 11.6.0-1ubuntu2/debian/libvirt-daemon-common.libvirt-guests.default --- 11.6.0-1/debian/libvirt-daemon-common.libvirt-guests.default 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.libvirt-guests.default 2025-08-27 08:03:12.000000000 +0000 @@ -30,14 +30,14 @@ # "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one # after another. Number of guests on shutdown at any time will not exceed number # set in this variable. -#PARALLEL_SHUTDOWN=0 +PARALLEL_SHUTDOWN=10 # Number of seconds we're willing to wait for a guest to shut down. If parallel # shutdown is enabled, this timeout applies as a timeout for shutting down all # guests on a single URI defined in the variable URIS. If this is 0, then there # is no time out (use with caution, as guests might not respond to a shutdown # request). The default value is 300 seconds (5 minutes). -#SHUTDOWN_TIMEOUT=300 +SHUTDOWN_TIMEOUT=120 # If non-zero, try to bypass the file system cache when saving and # restoring guests, even though this may give slower operation for diff -pruN 11.6.0-1/debian/libvirt-daemon-common.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-common.postinst --- 11.6.0-1/debian/libvirt-daemon-common.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,99 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -add_users_groups() -{ - if ! getent group libvirt >/dev/null; then - addgroup --quiet --system libvirt - fi -} - -add_statoverrides() -{ - ROOT_DIRS=" - /var/lib/libvirt/images/ - /var/lib/libvirt/boot/ - /var/cache/libvirt/ - " - - for dir in ${ROOT_DIRS}; do - if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then - [ ! -e "${dir}" ] || chown root:root "${dir}" - [ ! -e "${dir}" ] || chmod 0711 "${dir}" - fi - done -} - -DAEMON_COMMON_UNITS=" - libvirt-guests.service - virt-guest-shutdown.target -" - -case "$1" in - configure) - add_users_groups - add_statoverrides - - # Obsolete UML stuff included until 9.0.0-1 - rm -f /var/log/libvirt/uml/.placeholder - if [ -d /var/log/libvirt/uml ]; then - rmdir --ignore-fail-on-non-empty /var/log/libvirt/uml - fi - - for unit in $DAEMON_COMMON_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-common.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-common.postrm --- 11.6.0-1/debian/libvirt-daemon-common.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,78 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_COMMON_UNITS=" - libvirt-guests.service - virt-guest-shutdown.target -" - -case "$1" in - purge) - if getent group libvirt >/dev/null; then - delgroup libvirt >/dev/null || true - fi - - # Clean up logs - rm -rf /var/log/libvirt - ;; - - failed-upgrade|abort-install|abort-upgrade) - for unit in $DAEMON_COMMON_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - remove|upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-common.preinst 11.6.0-1ubuntu2/debian/libvirt-daemon-common.preinst --- 11.6.0-1/debian/libvirt-daemon-common.preinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-common.preinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,67 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `install' -# * `install' -# * `upgrade' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "create_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If we're upgrading from a new enough version of the package, it means - # that usr-merge has already happened and we don't need to mess with - # diversions at all - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --add "$usrfile" -} - -DAEMON_COMMON_UNITS=" - libvirt-guests.service - virt-guest-shutdown.target -" - -case "$1" in - install|upgrade) - for unit in $DAEMON_COMMON_UNITS; do - create_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.dirs 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.dirs --- 11.6.0-1/debian/libvirt-daemon-config-network.dirs 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.dirs 2025-08-27 08:03:12.000000000 +0000 @@ -1 +1,2 @@ etc/libvirt/qemu/networks +etc/dnsmasq.d-available diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.dnsmasq 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.dnsmasq --- 11.6.0-1/debian/libvirt-daemon-config-network.dnsmasq 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.dnsmasq 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,2 @@ +bind-interfaces +except-interface=virbr0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.install 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.install --- 11.6.0-1/debian/libvirt-daemon-config-network.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/share/libvirt/networks/default.xml diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.install.in 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.install.in --- 11.6.0-1/debian/libvirt-daemon-config-network.install.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.install.in 2025-08-27 08:03:12.000000000 +0000 @@ -1 +1,2 @@ usr/share/libvirt/networks/default.xml +etc/dnsmasq.d-available/libvirt-daemon diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postinst --- 11.6.0-1/debian/libvirt-daemon-config-network.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,76 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_config_from_template() { - local config="$1" - local template="$2" - local firstver="$3" - - if [ "$4" != "--" ]; then - echo "create_config_from_template called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 4); do - shift - done - - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - # The package is already configured, and the version that's been - # configured is new enough to contain the config file - if [ -e "$config.dpkg-backup" ]; then - # The package had been configured in the past and has - # subsequently been removed without purging, so a backup of - # the config file is still present on the disk. Restore it - mv -f "$config.dpkg-backup" "$config" - return 0 - else - # We're doing a regular upgrade. Don't change anything - return 0 - fi - else - # We're either installing from scratch, or upgrading from a version - # that didn't have the config file yet. Make a copy of the template - # in the appropriate location and with the expected permissions - install -o root -g root -m 0600 "$template" "$config" - return 0 - fi -} - -case "$1" in - configure) - create_config_from_template \ - "/etc/libvirt/qemu/networks/default.xml" \ - "/usr/share/libvirt/networks/default.xml" \ - "6.9.0-2~" \ - -- \ - "$@" - - # Trigger daemon restart after installing configuration files - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postinst.in 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postinst.in --- 11.6.0-1/debian/libvirt-daemon-config-network.postinst.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postinst.in 2025-08-27 08:03:12.000000000 +0000 @@ -16,8 +16,105 @@ set -e #CREATE_CONFIG_FROM_TEMPLATE# +add_users_groups() { + if ! getent group libvirt-dnsmasq >/dev/null; then + addgroup --quiet --system libvirt-dnsmasq + fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt-dnsmasq \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi +} + +includes_addr() { + addr=${1} + mask=${2} + viraddr=${3} + for n in $(seq 1 4); do + curaddrcomponent=$(echo "${addr}" | awk -F. '{ print $'"${n}"' }') + tgtaddrcomponent=$(echo "${viraddr}" | awk -F. '{ print $'"${n}"' }') + cmp=$((mask/8)) + if [ "${cmp}" -ge "${n}" ]; then + if [ "${curaddrcomponent}" -ne "${tgtaddrcomponent}" ]; then + echo "false" + return + fi + elif [ "$((cmp+1))" -ge "${n}" ]; then + # do we bother comparing partial (i.e. /25)? + : + else + break + fi + done + echo "true" + return +} + +set_autostart() +{ + echo "Enabling libvirt default network" + if [ ! -e /etc/libvirt/qemu/networks/autostart/default.xml ]; then + ln -s /etc/libvirt/qemu/networks/default.xml \ + /etc/libvirt/qemu/networks/autostart/ + fi + # Since the src:libvirt package was split to not install this autostart + # configuration together with (ahead of) libvirt-daemon itself, we need + # to explicitly remove the stamp file, so that the trigger + # "libvirt-restart-libvirtd" will launch the autostart configuration on + # libvirtd.service restart. + rm -f /run/libvirt/network/autostarted +} + +# on first install, don't set default network to autostart if we already +# have a conflicting network. Good for instance for nested libvirt. +maybe_set_autostart() +{ + # 122 is the common default, but iterate a few more options + for thirdoctet in $(seq 122 128); do + tryip="192.168.${thirdoctet}.1" + found=0 + for pair in $(ip addr show | grep "inet\>" |awk '{ print $2 }'); do + a=$(echo "$pair" | awk -F/ '{ print $1}') + m=$(echo "$pair" | awk -F/ '{ print $2}') + res=$(includes_addr "${a}" "${m}" "${tryip}") + if [ "${res}" = "true" ]; then + found=1 + fi + done + if [ $found -ne 1 ]; then + # found a free subnet + if [ "${thirdoctet}" -ne "122" ]; then + echo "Default libvirt network on 192.168.122.1/24 already taken" + echo "Changing to free 192.168.${thirdoctet}.1/24" + sed -i 's/192.168.122/192.168.'"${thirdoctet}"'/g' /etc/libvirt/qemu/networks/default.xml + fi + set_autostart + return + fi + done + echo "Not enabling default network as no free network was found" +} + +# begin-remove-after: released:26.04 +# Restore existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = configure ] || [ "$1" = abort-upgrade ]; then + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --remove /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + case "$1" in configure) + add_users_groups create_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -25,6 +122,13 @@ case "$1" in -- \ "$@" + # On an initial package install, create the default network autostart + # symlink if on a system that it will work on. + # Note: needs to complete before services are started the first time + if [ -z $2 ]; then + maybe_set_autostart + fi + # Trigger daemon restart after installing configuration files dpkg-trigger libvirt-restart-libvirtd ;; @@ -40,4 +144,21 @@ esac #DEBHELPER# +# We need this after the debhelper generated code so that dpkg-maintscript +# can do its renamming first. +if [ "$1" = "configure" ]; then + # Configure dnsmasq + if [ -f /etc/dnsmasq.d-available/libvirt-daemon ]; then + echo "Setting up libvirt-daemon dnsmasq configuration." + mkdir -p /etc/dnsmasq.d + if [ ! -e /etc/dnsmasq.d/libvirt-daemon ]; then + ln -s /etc/dnsmasq.d-available/libvirt-daemon \ + /etc/dnsmasq.d/libvirt-daemon + fi + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart 2>/dev/null || true + fi +fi + exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postrm --- 11.6.0-1/debian/libvirt-daemon-config-network.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,71 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -remove_config_from_template() { - local config="$1" - local template="$2" - local firstver="$3" - - if [ "$4" != "--" ]; then - echo "remove_config_from_template called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 4); do - shift - done - - if [ "$1" = "remove" ] && [ -e "$config" ]; then - # When removing the package, move the configuration file to the side - # so that the daemon no longer sees it, but we can still restore it - # at a later time if the package is reinstalled - mv -f "$config" "$config.dpkg-backup" - return 0 - fi - - if [ "$1" = "purge" ]; then - # When purging the package, remove all traces of the configuration - rm -f "$config" "$config.dpkg-backup" - return 0 - fi -} - -case "$1" in - remove|purge) - remove_config_from_template \ - "/etc/libvirt/qemu/networks/default.xml" \ - "/usr/share/libvirt/networks/default.xml" \ - "6.9.0-2~" \ - -- \ - "$@" - - # Trigger daemon restart after removing configuration files - dpkg-trigger libvirt-restart-libvirtd - ;; - - upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.postrm.in 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postrm.in --- 11.6.0-1/debian/libvirt-daemon-config-network.postrm.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.postrm.in 2025-08-27 08:03:12.000000000 +0000 @@ -19,7 +19,7 @@ set -e #REMOVE_CONFIG_FROM_TEMPLATE# case "$1" in - remove|purge) + remove) remove_config_from_template \ "/etc/libvirt/qemu/networks/default.xml" \ "/usr/share/libvirt/networks/default.xml" \ @@ -27,8 +27,32 @@ case "$1" in -- \ "$@" + if [ -L /etc/dnsmasq.d/libvirt-daemon ]; then + echo "Removing libvirt-daemon dnsmasq configuration" + rm -f /etc/dnsmasq.d/libvirt-daemon || true + + # Try to restart a potential system wide dnsmasq + invoke-rc.d dnsmasq restart || true + fi + + # Trigger daemon restart after removing configuration files dpkg-trigger libvirt-restart-libvirtd + + # Remove the link set up by postinst + rm -f /etc/libvirt/qemu/networks/autostart/default.xml + ;; + + purge) + # a running libvirt-dnsmasq will break these removals + # yet the lifecycle of the network is non-related to the pkg purge + # Therefore ignore errors on these removals, better leave a user than break + if getent group libvirt-dnsmasq >/dev/null; then + delgroup libvirt-dnsmasq --system >/dev/null || true + fi + if getent passwd libvirt-dnsmasq >/dev/null; then + deluser libvirt-dnsmasq --system >/dev/null || true + fi ;; upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) diff -pruN 11.6.0-1/debian/libvirt-daemon-config-network.preinst.in 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.preinst.in --- 11.6.0-1/debian/libvirt-daemon-config-network.preinst.in 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-network.preinst.in 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +# begin-remove-after: released:26.04 +# Keep existing configuration files (some created by maintainer scripts from +# templates) in (old < 11.0.0-2ubuntu8) libvirt-daemon-driver-qemu.postinst. +# This logic moved into libvirt-daemon-config-network, but we want to keep the +# original files. (LP: #2107448) +if [ "$1" = install ] || [ "$1" = upgrade ]; then + # Not owned by the pkg, postrm might call remove_config_from_template which would leave a .dpkg-backup + # Priority #1 - if there still is a /etc/libvirt/qemu/networks/default.xml - keep it untouched + # Priority #2 - if not #1, but there is a /etc/libvirt/qemu/networks/default.xml.dpkg-backup restore it as active config + # Priority #3 - if neither of the above apply, it means next install will do a fresh create_config_from_template in postinst + netconf="/etc/libvirt/qemu/networks/default.xml" + if [ ! -e "${netconf}" ]; then + if [ -e "${netconf}.dpkg-backup" ]; then + cp "${netconf}.dpkg-backup" "${netconf}" + fi + fi + # Owned by the pkg, if it was modified dpkg would retain it as .dpkg-upgrade + dpkg-divert --rename --divert /etc/dnsmasq.d-available/libvirt-daemon.dpkg-upgrade --add /etc/dnsmasq.d-available/libvirt-daemon +fi +# end-remove-after + +#DEBHELPER# diff -pruN 11.6.0-1/debian/libvirt-daemon-config-nwfilter.install 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.install --- 11.6.0-1/debian/libvirt-daemon-config-nwfilter.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,24 +0,0 @@ -usr/share/libvirt/nwfilter/allow-arp.xml -usr/share/libvirt/nwfilter/allow-dhcp-server.xml -usr/share/libvirt/nwfilter/allow-dhcp.xml -usr/share/libvirt/nwfilter/allow-dhcpv6-server.xml -usr/share/libvirt/nwfilter/allow-dhcpv6.xml -usr/share/libvirt/nwfilter/allow-incoming-ipv4.xml -usr/share/libvirt/nwfilter/allow-incoming-ipv6.xml -usr/share/libvirt/nwfilter/allow-ipv4.xml -usr/share/libvirt/nwfilter/allow-ipv6.xml -usr/share/libvirt/nwfilter/clean-traffic-gateway.xml -usr/share/libvirt/nwfilter/clean-traffic.xml -usr/share/libvirt/nwfilter/no-arp-ip-spoofing.xml -usr/share/libvirt/nwfilter/no-arp-mac-spoofing.xml -usr/share/libvirt/nwfilter/no-arp-spoofing.xml -usr/share/libvirt/nwfilter/no-ip-multicast.xml -usr/share/libvirt/nwfilter/no-ip-spoofing.xml -usr/share/libvirt/nwfilter/no-ipv6-multicast.xml -usr/share/libvirt/nwfilter/no-ipv6-spoofing.xml -usr/share/libvirt/nwfilter/no-mac-broadcast.xml -usr/share/libvirt/nwfilter/no-mac-spoofing.xml -usr/share/libvirt/nwfilter/no-other-l2-traffic.xml -usr/share/libvirt/nwfilter/no-other-rarp-traffic.xml -usr/share/libvirt/nwfilter/qemu-announce-self-rarp.xml -usr/share/libvirt/nwfilter/qemu-announce-self.xml diff -pruN 11.6.0-1/debian/libvirt-daemon-config-nwfilter.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.postinst --- 11.6.0-1/debian/libvirt-daemon-config-nwfilter.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,115 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_config_from_template() { - local config="$1" - local template="$2" - local firstver="$3" - - if [ "$4" != "--" ]; then - echo "create_config_from_template called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 4); do - shift - done - - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - # The package is already configured, and the version that's been - # configured is new enough to contain the config file - if [ -e "$config.dpkg-backup" ]; then - # The package had been configured in the past and has - # subsequently been removed without purging, so a backup of - # the config file is still present on the disk. Restore it - mv -f "$config.dpkg-backup" "$config" - return 0 - else - # We're doing a regular upgrade. Don't change anything - return 0 - fi - else - # We're either installing from scratch, or upgrading from a version - # that didn't have the config file yet. Make a copy of the template - # in the appropriate location and with the expected permissions - install -o root -g root -m 0600 "$template" "$config" - return 0 - fi -} - -NWFILTERS=" - allow-arp - allow-dhcp - allow-dhcp-server - allow-incoming-ipv4 - allow-ipv4 - clean-traffic - clean-traffic-gateway - no-arp-ip-spoofing - no-arp-mac-spoofing - no-arp-spoofing - no-ip-multicast - no-ip-spoofing - no-mac-broadcast - no-mac-spoofing - no-other-l2-traffic - no-other-rarp-traffic - qemu-announce-self - qemu-announce-self-rarp -" -NWFILTERS_7_0_0=" - allow-dhcpv6 - allow-dhcpv6-server - allow-incoming-ipv6 - allow-ipv6 - no-ipv6-multicast - no-ipv6-spoofing -" - -case "$1" in - configure) - for nwfilter in $NWFILTERS; do - create_config_from_template \ - "/etc/libvirt/nwfilter/$nwfilter.xml" \ - "/usr/share/libvirt/nwfilter/$nwfilter.xml" \ - "6.9.0-2~" \ - -- \ - "$@" - done - for nwfilter in $NWFILTERS_7_0_0; do - create_config_from_template \ - "/etc/libvirt/nwfilter/$nwfilter.xml" \ - "/usr/share/libvirt/nwfilter/$nwfilter.xml" \ - "7.0.0-1~" \ - -- \ - "$@" - done - - # Trigger daemon restart after installing configuration files - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-config-nwfilter.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.postrm --- 11.6.0-1/debian/libvirt-daemon-config-nwfilter.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-config-nwfilter.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,110 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -remove_config_from_template() { - local config="$1" - local template="$2" - local firstver="$3" - - if [ "$4" != "--" ]; then - echo "remove_config_from_template called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 4); do - shift - done - - if [ "$1" = "remove" ] && [ -e "$config" ]; then - # When removing the package, move the configuration file to the side - # so that the daemon no longer sees it, but we can still restore it - # at a later time if the package is reinstalled - mv -f "$config" "$config.dpkg-backup" - return 0 - fi - - if [ "$1" = "purge" ]; then - # When purging the package, remove all traces of the configuration - rm -f "$config" "$config.dpkg-backup" - return 0 - fi -} - -NWFILTERS=" - allow-arp - allow-dhcp - allow-dhcp-server - allow-incoming-ipv4 - allow-ipv4 - clean-traffic - clean-traffic-gateway - no-arp-ip-spoofing - no-arp-mac-spoofing - no-arp-spoofing - no-ip-multicast - no-ip-spoofing - no-mac-broadcast - no-mac-spoofing - no-other-l2-traffic - no-other-rarp-traffic - qemu-announce-self - qemu-announce-self-rarp -" -NWFILTERS_7_0_0=" - allow-dhcpv6 - allow-dhcpv6-server - allow-incoming-ipv6 - allow-ipv6 - no-ipv6-multicast - no-ipv6-spoofing -" - -case "$1" in - remove|purge) - for nwfilter in $NWFILTERS; do - remove_config_from_template \ - "/etc/libvirt/nwfilter/$nwfilter.xml" \ - "/usr/share/libvirt/nwfilter/$nwfilter.xml" \ - "6.9.0-2~" \ - -- \ - "$@" - done - for nwfilter in $NWFILTERS_7_0_0; do - remove_config_from_template \ - "/etc/libvirt/nwfilter/$nwfilter.xml" \ - "/usr/share/libvirt/nwfilter/$nwfilter.xml" \ - "7.0.0-1~" \ - -- \ - "$@" - done - - # Trigger daemon restart after removing configuration files - dpkg-trigger libvirt-restart-libvirtd - ;; - - upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-interface.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.install --- 11.6.0-1/debian/libvirt-daemon-driver-interface.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_interface.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-interface.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-interface.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-interface.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-interface.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-interface.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-lxc.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.install --- 11.6.0-1/debian/libvirt-daemon-driver-lxc.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -etc/apparmor.d/abstractions/libvirt-lxc -etc/apparmor.d/libvirt/TEMPLATE.lxc -etc/libvirt/lxc.conf -etc/logrotate.d/libvirtd.lxc -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_lxc.so -usr/lib/libvirt/libvirt_lxc -usr/share/augeas/lenses/libvirtd_lxc.aug -usr/share/augeas/lenses/tests/test_libvirtd_lxc.aug diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-lxc.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-lxc.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,59 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Obsolete AppArmor stuff included until 9.6.0-1 - ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions" - LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions" - pkg="libvirt-daemon-driver-lxc" - name="libvirt-lxc" - - abstraction="$ABSTRACTIONS_DIR/$name" - local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name" - - expected=$(dpkg-query --showformat='${Conffiles}\n' --show "$pkg" | grep -E "^ $abstraction " | sed -E 's/^.* ([0-9a-f]+)$/\1/g') - actual=$(md5sum "$abstraction" 2>/dev/null | sed -E 's/^([0-9a-f]+) .*$/\1/g') - - # Delete the local abstraction if it's empty and the abstraction - # itself contains no customizations - if [ ! -s "$local_abstraction" ] && [ -n "$actual" ] && [ "$actual" = "$expected" ]; then - rm -f "$local_abstraction" - fi - if [ -d "$LOCAL_ABSTRACTIONS_DIR" ]; then - rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR" - fi - - # Make sure the log directory doesn't get removed on package removal - # since logrotate chokes otherwise - touch /var/log/libvirt/lxc/.placeholder - - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-lxc.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-lxc.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-lxc.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,53 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge) - # Obsolete AppArmor stuff included until 9.6.0-1 - ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions" - LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions" - name="libvirt-lxc" - - abstraction="$ABSTRACTIONS_DIR/$name" - local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name" - - if [ ! -e "$abstraction" ]; then - rm -f "$local_abstraction" - if [ -d "$LOCAL_ABSTRACTIONS_DIR" ]; then - rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR" - fi - fi - ;; - - upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-network.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.install --- 11.6.0-1/debian/libvirt-daemon-driver-network.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,10 +0,0 @@ -etc/libvirt/network.conf -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_network.so -usr/lib/firewalld/policies/libvirt-routed-in.xml -usr/lib/firewalld/policies/libvirt-routed-out.xml -usr/lib/firewalld/policies/libvirt-to-host.xml -usr/lib/firewalld/zones/libvirt-routed.xml -usr/lib/firewalld/zones/libvirt.xml -usr/lib/libvirt/libvirt_leaseshelper -usr/share/augeas/lenses/libvirtd_network.aug -usr/share/augeas/lenses/tests/test_libvirtd_network.aug diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-network.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-network.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-network.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-network.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-network.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nodedev.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.install --- 11.6.0-1/debian/libvirt-daemon-driver-nodedev.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_nodedev.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nodedev.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-nodedev.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nodedev.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-nodedev.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nodedev.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.install --- 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_nwfilter.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-nwfilter.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-nwfilter.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.install --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ -etc/apparmor.d/abstractions/libvirt-qemu -etc/apparmor.d/libvirt/TEMPLATE.qemu -etc/libvirt/qemu-lockd.conf -etc/libvirt/qemu-sanlock.conf -etc/libvirt/qemu.conf -etc/logrotate.d/libvirtd.qemu -usr/bin/virt-qemu-run -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_qemu.so -usr/share/augeas/lenses/libvirtd_qemu.aug -usr/share/augeas/lenses/tests/test_libvirtd_qemu.aug -usr/share/man/man1/virt-qemu-run.1 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,152 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -. /usr/share/debconf/confmodule - -# Allocated UID and GID for libvirt-qemu -LIBVIRT_QEMU_UID=64055 -LIBVIRT_QEMU_GID=64055 - -add_users_groups() -{ - if ! getent group kvm >/dev/null; then - addgroup --quiet --system kvm - fi - # user and group libvirt runs qemu/kvm instances with - if ! getent passwd libvirt-qemu >/dev/null; then - - # set uid if available (expected); don't fail otherwise. - PARAMETER_UID='' - if ! getent passwd $LIBVIRT_QEMU_UID >/dev/null; then - PARAMETER_UID="--uid $LIBVIRT_QEMU_UID" - fi - - adduser --quiet \ - --system \ - --ingroup kvm \ - --quiet \ - --disabled-login \ - --disabled-password \ - --home /var/lib/libvirt \ - --no-create-home \ - --gecos "Libvirt Qemu" \ - $PARAMETER_UID \ - libvirt-qemu - fi - if ! getent group libvirt-qemu >/dev/null; then - - # set gid if available (expected); don't fail otherwise. - PARAMETER_GID='' - if ! getent group $LIBVIRT_QEMU_GID >/dev/null; then - PARAMETER_GID="--gid $LIBVIRT_QEMU_GID" - fi - - addgroup --quiet --system $PARAMETER_GID libvirt-qemu - adduser --quiet libvirt-qemu libvirt-qemu - fi -} - -add_statoverrides() -{ - ROOT_DIRS=" - /var/cache/libvirt/qemu/ - " - - QEMU_DIRS=" - /var/lib/libvirt/qemu/ - " - - QEMU_CONF="/etc/libvirt/qemu.conf" - - for dir in ${ROOT_DIRS}; do - if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then - [ ! -e "${dir}" ] || chown root:root "${dir}" - [ ! -e "${dir}" ] || chmod 0711 "${dir}" - fi - done - - for dir in ${QEMU_DIRS}; do - if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then - [ ! -e "${dir}" ] || chown libvirt-qemu:libvirt-qemu "${dir}" - [ ! -e "${dir}" ] || chmod 0750 "${dir}" - fi - done - - if ! dpkg-statoverride --list "${QEMU_CONF}" >/dev/null 2>&1; then - [ ! -e "${QEMU_CONF}" ] || chown root:root "${QEMU_CONF}" - [ ! -e "${QEMU_CONF}" ] || chmod 0600 "${QEMU_CONF}" - fi -} - -case "$1" in - configure) - add_users_groups - add_statoverrides - - # Make sure the log directory doesn't get removed on package removal - # since logrotate chokes otherwise - touch /var/log/libvirt/qemu/.placeholder - - # Directories used for channels until 9.7.0-1 - if [ -d /var/lib/libvirt/qemu/channel/target ]; then - rmdir --ignore-fail-on-non-empty /var/lib/libvirt/qemu/channel/target - fi - if [ -d /var/lib/libvirt/qemu/channel ]; then - rmdir --ignore-fail-on-non-empty /var/lib/libvirt/qemu/channel - fi - - # Force refresh of capabilities (#731815) - rm -f /var/cache/libvirt/qemu/capabilities/*.xml - - # Obsolete AppArmor stuff included until 9.6.0-1 - ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions" - LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions" - pkg="libvirt-daemon-driver-qemu" - name="libvirt-qemu" - - abstraction="$ABSTRACTIONS_DIR/$name" - local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name" - - expected=$(dpkg-query --showformat='${Conffiles}\n' --show "$pkg" | grep -E "^ $abstraction " | sed -E 's/^.* ([0-9a-f]+)$/\1/g') - actual=$(md5sum "$abstraction" 2>/dev/null | sed -E 's/^([0-9a-f]+) .*$/\1/g') - - # Delete the local abstraction if it's empty and the abstraction - # itself contains no customizations - if [ ! -s "$local_abstraction" ] && [ -n "$actual" ] && [ "$actual" = "$expected" ]; then - rm -f "$local_abstraction" - fi - if [ -d "$LOCAL_ABSTRACTIONS_DIR" ]; then - rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR" - fi - - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -db_stop - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst.in 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postinst.in --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.postinst.in 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postinst.in 2025-08-27 08:03:12.000000000 +0000 @@ -57,6 +57,25 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + + # Add each sudo user to the libvirt group + for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do + adduser "$u" libvirt >/dev/null || true + done + + # These users are usually created and owned by swtpm-tools, but that shall + # not become a hard dependency, therefore if swtpm-tools isn't present we + # need to create that user/group here to avoid issues starting the service + # with the new defaults since LP: 1948880 (LP: #1951975) + if ! getent group swtpm >/dev/null; then + addgroup --system swtpm + fi + if ! getent passwd swtpm >/dev/null; then + adduser --system --ingroup swtpm --shell /bin/false \ + --home /var/lib/swtpm --no-create-home \ + --gecos "virtual TPM software stack" \ + swtpm + fi } add_statoverrides() @@ -71,6 +90,8 @@ add_statoverrides() QEMU_CONF="/etc/libvirt/qemu.conf" + SWTPM_DIR="/var/log/swtpm/libvirt/qemu" + for dir in ${ROOT_DIRS}; do if ! dpkg-statoverride --list "${dir}" >/dev/null 2>&1; then [ ! -e "${dir}" ] || chown root:root "${dir}" @@ -89,6 +110,12 @@ add_statoverrides() [ ! -e "${QEMU_CONF}" ] || chown root:root "${QEMU_CONF}" [ ! -e "${QEMU_CONF}" ] || chmod 0600 "${QEMU_CONF}" fi + + # swtpm shall use user swtpm (LP: #1948880) + if ! dpkg-statoverride --list "${SWTPM_DIR}" >/dev/null 2>&1; then + [ ! -e "${SWTPM_DIR}" ] || chown swtpm:swtpm "${SWTPM_DIR}" + [ ! -e "${SWTPM_DIR}" ] || chmod 0700 "${SWTPM_DIR}" + fi } case "$1" in diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-qemu.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-qemu.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-qemu.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,87 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge) - if getent passwd libvirt-qemu >/dev/null; then - deluser libvirt-qemu >/dev/null || true - fi - - if getent group libvirt-qemu >/dev/null; then - delgroup libvirt-qemu >/dev/null || true - fi - - # Clean up cached capabilities - rm -rf /var/cache/libvirt/qemu/capabilities - - # Clean up obsolete runtime data - rm -rf /var/lib/libvirt/qemu/channel/target/domain-* - if [ -d /var/lib/libvirt/qemu/channel/target ]; then - rmdir --ignore-fail-on-non-empty /var/lib/libvirt/qemu/channel/target - fi - if [ -d /var/lib/libvirt/qemu/channel ]; then - rmdir --ignore-fail-on-non-empty /var/lib/libvirt/qemu/channel - fi - - # Clean up created dirs if existent and empty, they contain precious - # data otherwise - for dir in /var/lib/libvirt/qemu/save \ - /var/lib/libvirt/qemu/snapshot \ - /var/lib/libvirt/qemu/dump \ - /var/lib/libvirt/qemu/nvram \ - /var/lib/libvirt/qemu/ram/libvirt/qemu \ - /var/lib/libvirt/qemu/ram/libvirt \ - /var/lib/libvirt/qemu/ram \ - /var/lib/libvirt/qemu \ - /var/cache/libvirt/qemu; do - [ ! -d $dir ] || rmdir --ignore-fail-on-non-empty $dir - done - - # Obsolete AppArmor stuff included until 9.6.0-1 - ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions" - LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions" - name="libvirt-qemu" - - abstraction="$ABSTRACTIONS_DIR/$name" - local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name" - - if [ ! -e "$abstraction" ]; then - rm -f "$local_abstraction" - if [ -d "$LOCAL_ABSTRACTIONS_DIR" ]; then - rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR" - fi - fi - ;; - - upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-secret.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.install --- 11.6.0-1/debian/libvirt-daemon-driver-secret.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_secret.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-secret.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-secret.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-secret.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-secret.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-secret.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-disk.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-disk.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-disk.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-disk.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_disk.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-gluster.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-gluster.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-gluster.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-gluster.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_gluster.so -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-file/libvirt_storage_file_gluster.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-iscsi-direct.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-iscsi-direct.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-iscsi-direct.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-iscsi-direct.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_iscsi-direct.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-iscsi.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-iscsi.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-iscsi.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-iscsi.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_iscsi.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-logical.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-logical.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-logical.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-logical.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_logical.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-mpath.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-mpath.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-mpath.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-mpath.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_mpath.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-rbd.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-rbd.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-rbd.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-rbd.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_rbd.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-scsi.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-scsi.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-scsi.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-scsi.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_scsi.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage-zfs.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-zfs.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage-zfs.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage-zfs.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_zfs.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.install --- 11.6.0-1/debian/libvirt-daemon-driver-storage.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_storage.so -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/storage-backend/libvirt_storage_backend_fs.so -usr/lib/libvirt/libvirt_parthelper diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-storage.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-storage.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-storage.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-storage.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-vbox.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.install --- 11.6.0-1/debian/libvirt-daemon-driver-vbox.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_vbox.so diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-vbox.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-vbox.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-vbox.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-vbox.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-vbox.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-xen.install 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.install --- 11.6.0-1/debian/libvirt-daemon-driver-xen.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -etc/libvirt/libxl-lockd.conf -etc/libvirt/libxl-sanlock.conf -etc/libvirt/libxl.conf -etc/logrotate.d/libvirtd.libxl -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/connection-driver/libvirt_driver_libxl.so -usr/share/augeas/lenses/libvirtd_libxl.aug -usr/share/augeas/lenses/tests/test_libvirtd_libxl.aug diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-xen.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.postinst --- 11.6.0-1/debian/libvirt-daemon-driver-xen.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - # Trigger daemon restart after installing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-driver-xen.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.postrm --- 11.6.0-1/debian/libvirt-daemon-driver-xen.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-driver-xen.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,36 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - remove) - # Trigger daemon restart after removing a driver - dpkg-trigger libvirt-restart-libvirtd - ;; - - purge|upgrade|disappear|failed-upgrade|abort-install|abort-upgrade) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-lock.install 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.install --- 11.6.0-1/debian/libvirt-daemon-lock.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,10 +0,0 @@ -etc/libvirt/virtlockd.conf -usr/lib/systemd/system/virtlockd-admin.socket -usr/lib/systemd/system/virtlockd.service -usr/lib/systemd/system/virtlockd.socket -usr/sbin/virtlockd -usr/share/augeas/lenses/libvirt_lockd.aug -usr/share/augeas/lenses/tests/test_libvirt_lockd.aug -usr/share/augeas/lenses/tests/test_virtlockd.aug -usr/share/augeas/lenses/virtlockd.aug -usr/share/man/man8/virtlockd.8 diff -pruN 11.6.0-1/debian/libvirt-daemon-lock.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.postinst --- 11.6.0-1/debian/libvirt-daemon-lock.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_LOCK_UNITS=" - virtlockd-admin.socket - virtlockd.service - virtlockd.socket -" - -case "$1" in - configure) - for unit in $DAEMON_LOCK_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-lock.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.postrm --- 11.6.0-1/debian/libvirt-daemon-lock.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,70 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_LOCK_UNITS=" - virtlockd-admin.socket - virtlockd.service - virtlockd.socket -" - -case "$1" in - failed-upgrade|abort-install|abort-upgrade) - for unit in $DAEMON_LOCK_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - remove|purge|upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-lock.preinst 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.preinst --- 11.6.0-1/debian/libvirt-daemon-lock.preinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-lock.preinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `install' -# * `install' -# * `upgrade' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "create_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If we're upgrading from a new enough version of the package, it means - # that usr-merge has already happened and we don't need to mess with - # diversions at all - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --add "$usrfile" -} - -DAEMON_LOCK_UNITS=" - virtlockd-admin.socket - virtlockd.service - virtlockd.socket -" - -case "$1" in - install|upgrade) - for unit in $DAEMON_LOCK_UNITS; do - create_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-log.install 11.6.0-1ubuntu2/debian/libvirt-daemon-log.install --- 11.6.0-1/debian/libvirt-daemon-log.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-log.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -etc/libvirt/virtlogd.conf -usr/lib/systemd/system/virtlogd-admin.socket -usr/lib/systemd/system/virtlogd.service -usr/lib/systemd/system/virtlogd.socket -usr/sbin/virtlogd -usr/share/augeas/lenses/tests/test_virtlogd.aug -usr/share/augeas/lenses/virtlogd.aug -usr/share/man/man8/virtlogd.8 diff -pruN 11.6.0-1/debian/libvirt-daemon-log.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-log.postinst --- 11.6.0-1/debian/libvirt-daemon-log.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-log.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_LOG_UNITS=" - virtlogd-admin.socket - virtlogd.service - virtlogd.socket -" - -case "$1" in - configure) - for unit in $DAEMON_LOG_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-log.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon-log.postrm --- 11.6.0-1/debian/libvirt-daemon-log.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-log.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,70 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_LOG_UNITS=" - virtlogd-admin.socket - virtlogd.service - virtlogd.socket -" - -case "$1" in - failed-upgrade|abort-install|abort-upgrade) - for unit in $DAEMON_LOG_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - remove|purge|upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-log.preinst 11.6.0-1ubuntu2/debian/libvirt-daemon-log.preinst --- 11.6.0-1/debian/libvirt-daemon-log.preinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-log.preinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `install' -# * `install' -# * `upgrade' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "create_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If we're upgrading from a new enough version of the package, it means - # that usr-merge has already happened and we don't need to mess with - # diversions at all - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --add "$usrfile" -} - -DAEMON_LOG_UNITS=" - virtlogd-admin.socket - virtlogd.service - virtlogd.socket -" - -case "$1" in - install|upgrade) - for unit in $DAEMON_LOG_UNITS; do - create_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon-plugin-lockd.install 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-lockd.install --- 11.6.0-1/debian/libvirt-daemon-plugin-lockd.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-lockd.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/lock-driver/lockd.so diff -pruN 11.6.0-1/debian/libvirt-daemon-plugin-sanlock.install 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-sanlock.install --- 11.6.0-1/debian/libvirt-daemon-plugin-sanlock.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-sanlock.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,6 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt/lock-driver/sanlock.so -usr/lib/libvirt/libvirt_sanlock_helper -usr/sbin/virt-sanlock-cleanup -usr/share/augeas/lenses/libvirt_sanlock.aug -usr/share/augeas/lenses/tests/test_libvirt_sanlock.aug -usr/share/man/man8/virt-sanlock-cleanup.8 diff -pruN 11.6.0-1/debian/libvirt-daemon-plugin-sanlock.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-sanlock.postinst --- 11.6.0-1/debian/libvirt-daemon-plugin-sanlock.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon-plugin-sanlock.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,43 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -add_statoverrides() -{ - SANLOCK_DIR="/var/lib/libvirt/sanlock" - - if ! dpkg-statoverride --list "${SANLOCK_DIR}" >/dev/null 2>&1; then - [ ! -e "${SANLOCK_DIR}" ] || chown root:root "${SANLOCK_DIR}" - [ ! -e "${SANLOCK_DIR}" ] || chmod 0700 "${SANLOCK_DIR}" - fi -} - -case "$1" in - configure) - add_statoverrides - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon.install 11.6.0-1ubuntu2/debian/libvirt-daemon.install --- 11.6.0-1/debian/libvirt-daemon.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -etc/apparmor.d/usr.sbin.libvirtd -etc/libvirt/libvirtd.conf -etc/logrotate.d/libvirtd -usr/lib/libvirt/virt-aa-helper -usr/lib/systemd/system/libvirtd-admin.socket -usr/lib/systemd/system/libvirtd-ro.socket -usr/lib/systemd/system/libvirtd-tcp.socket -usr/lib/systemd/system/libvirtd-tls.socket -usr/lib/systemd/system/libvirtd.service -usr/lib/systemd/system/libvirtd.socket -usr/sbin/libvirtd -usr/share/augeas/lenses/libvirtd.aug -usr/share/augeas/lenses/tests/test_libvirtd.aug -usr/share/man/man8/libvirtd.8 diff -pruN 11.6.0-1/debian/libvirt-daemon.postinst 11.6.0-1ubuntu2/debian/libvirt-daemon.postinst --- 11.6.0-1/debian/libvirt-daemon.postinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,90 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# * `abort-remove' -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} -systemd_daemon_reload() { - if [ -z "$DPKG_ROOT" ] && [ -d /run/systemd/system ]; then - systemctl --system daemon-reload >/dev/null || true - fi -} -systemd_unit_restart_if_active() { - if [ -z "$DPKG_ROOT" ] && [ -d /run/systemd/system ]; then - for unit in "$@"; do - if systemctl is-active -q "$unit"; then - deb-systemd-invoke restart "$unit" >/dev/null || true - fi - done - fi -} - -DAEMON_UNITS=" - libvirtd-admin.socket - libvirtd-ro.socket - libvirtd-tcp.socket - libvirtd-tls.socket - libvirtd.service - libvirtd.socket -" - -case "$1" in - configure) - for unit in $DAEMON_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - triggered) - systemd_daemon_reload - systemd_unit_restart_if_active libvirtd.service - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon.postrm 11.6.0-1ubuntu2/debian/libvirt-daemon.postrm --- 11.6.0-1/debian/libvirt-daemon.postrm 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon.postrm 1970-01-01 00:00:00.000000000 +0000 @@ -1,73 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `remove' -# * `purge' -# * `upgrade' -# * `disappear' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -delete_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "delete_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If the diversion doesn't exist there's nothing to clean up - if [ -z "$(dpkg-divert --list "$usrfile")" ]; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --remove "$usrfile" -} - -DAEMON_UNITS=" - libvirtd-admin.socket - libvirtd-ro.socket - libvirtd-tcp.socket - libvirtd-tls.socket - libvirtd.service - libvirtd.socket -" - -case "$1" in - failed-upgrade|abort-install|abort-upgrade) - for unit in $DAEMON_UNITS; do - delete_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - remove|purge|upgrade|disappear) - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-daemon.preinst 11.6.0-1ubuntu2/debian/libvirt-daemon.preinst --- 11.6.0-1/debian/libvirt-daemon.preinst 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-daemon.preinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,71 +0,0 @@ -#!/bin/sh - -set -e - -# summary of how this script can be called: -# -# * `install' -# * `install' -# * `upgrade' -# * `abort-upgrade' -# -# for details, see https://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -create_protective_diversion() { - local usrfile="$1" - local firstver="$2" - - if [ "$3" != "--" ]; then - echo "create_protective_diversion called with the wrong number of arguments" >&2 - return 1 - fi - for _ in $(seq 1 3); do - shift - done - - # If we're upgrading from a new enough version of the package, it means - # that usr-merge has already happened and we don't need to mess with - # diversions at all - if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$firstver"; then - return 0 - fi - - dpkg-divert \ - --no-rename \ - --divert "$usrfile.usr-is-merged" \ - --add "$usrfile" -} - -DAEMON_UNITS=" - libvirtd-admin.socket - libvirtd-ro.socket - libvirtd-tcp.socket - libvirtd-tls.socket - libvirtd.service - libvirtd.socket -" - -case "$1" in - install|upgrade) - for unit in $DAEMON_UNITS; do - create_protective_diversion \ - "/lib/systemd/system/$unit" \ - "10.6.0-3~" \ - -- \ - "$@" - done - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -pruN 11.6.0-1/debian/libvirt-dev.install 11.6.0-1ubuntu2/debian/libvirt-dev.install --- 11.6.0-1/debian/libvirt-dev.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-dev.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -usr/include/libvirt/libvirt-admin.h -usr/include/libvirt/libvirt-common.h -usr/include/libvirt/libvirt-domain-checkpoint.h -usr/include/libvirt/libvirt-domain-snapshot.h -usr/include/libvirt/libvirt-domain.h -usr/include/libvirt/libvirt-event.h -usr/include/libvirt/libvirt-host.h -usr/include/libvirt/libvirt-interface.h -usr/include/libvirt/libvirt-lxc.h -usr/include/libvirt/libvirt-network.h -usr/include/libvirt/libvirt-nodedev.h -usr/include/libvirt/libvirt-nwfilter.h -usr/include/libvirt/libvirt-qemu.h -usr/include/libvirt/libvirt-secret.h -usr/include/libvirt/libvirt-storage.h -usr/include/libvirt/libvirt-stream.h -usr/include/libvirt/libvirt.h -usr/include/libvirt/virterror.h -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-admin.so -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-lxc.so -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-qemu.so -usr/lib/${DEB_HOST_MULTIARCH}/libvirt.so -usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/libvirt-admin.pc -usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/libvirt-lxc.pc -usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/libvirt-qemu.pc -usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/libvirt.pc -usr/share/libvirt/api/libvirt-admin-api.xml -usr/share/libvirt/api/libvirt-api.xml -usr/share/libvirt/api/libvirt-lxc-api.xml -usr/share/libvirt/api/libvirt-qemu-api.xml diff -pruN 11.6.0-1/debian/libvirt-l10n.install 11.6.0-1ubuntu2/debian/libvirt-l10n.install --- 11.6.0-1/debian/libvirt-l10n.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-l10n.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,47 +0,0 @@ -usr/share/locale/as/LC_MESSAGES/libvirt.mo -usr/share/locale/bg/LC_MESSAGES/libvirt.mo -usr/share/locale/bn_IN/LC_MESSAGES/libvirt.mo -usr/share/locale/bs/LC_MESSAGES/libvirt.mo -usr/share/locale/ca/LC_MESSAGES/libvirt.mo -usr/share/locale/cs/LC_MESSAGES/libvirt.mo -usr/share/locale/da/LC_MESSAGES/libvirt.mo -usr/share/locale/de/LC_MESSAGES/libvirt.mo -usr/share/locale/el/LC_MESSAGES/libvirt.mo -usr/share/locale/en_GB/LC_MESSAGES/libvirt.mo -usr/share/locale/es/LC_MESSAGES/libvirt.mo -usr/share/locale/fi/LC_MESSAGES/libvirt.mo -usr/share/locale/fr/LC_MESSAGES/libvirt.mo -usr/share/locale/gu/LC_MESSAGES/libvirt.mo -usr/share/locale/hi/LC_MESSAGES/libvirt.mo -usr/share/locale/hr/LC_MESSAGES/libvirt.mo -usr/share/locale/hu/LC_MESSAGES/libvirt.mo -usr/share/locale/id/LC_MESSAGES/libvirt.mo -usr/share/locale/it/LC_MESSAGES/libvirt.mo -usr/share/locale/ja/LC_MESSAGES/libvirt.mo -usr/share/locale/ka/LC_MESSAGES/libvirt.mo -usr/share/locale/kn/LC_MESSAGES/libvirt.mo -usr/share/locale/ko/LC_MESSAGES/libvirt.mo -usr/share/locale/mk/LC_MESSAGES/libvirt.mo -usr/share/locale/ml/LC_MESSAGES/libvirt.mo -usr/share/locale/mr/LC_MESSAGES/libvirt.mo -usr/share/locale/ms/LC_MESSAGES/libvirt.mo -usr/share/locale/nb/LC_MESSAGES/libvirt.mo -usr/share/locale/nl/LC_MESSAGES/libvirt.mo -usr/share/locale/or/LC_MESSAGES/libvirt.mo -usr/share/locale/pa/LC_MESSAGES/libvirt.mo -usr/share/locale/pl/LC_MESSAGES/libvirt.mo -usr/share/locale/pt/LC_MESSAGES/libvirt.mo -usr/share/locale/pt_BR/LC_MESSAGES/libvirt.mo -usr/share/locale/ro/LC_MESSAGES/libvirt.mo -usr/share/locale/ru/LC_MESSAGES/libvirt.mo -usr/share/locale/si/LC_MESSAGES/libvirt.mo -usr/share/locale/sr/LC_MESSAGES/libvirt.mo -usr/share/locale/sr@latin/LC_MESSAGES/libvirt.mo -usr/share/locale/sv/LC_MESSAGES/libvirt.mo -usr/share/locale/ta/LC_MESSAGES/libvirt.mo -usr/share/locale/te/LC_MESSAGES/libvirt.mo -usr/share/locale/tr/LC_MESSAGES/libvirt.mo -usr/share/locale/uk/LC_MESSAGES/libvirt.mo -usr/share/locale/vi/LC_MESSAGES/libvirt.mo -usr/share/locale/zh_CN/LC_MESSAGES/libvirt.mo -usr/share/locale/zh_TW/LC_MESSAGES/libvirt.mo diff -pruN 11.6.0-1/debian/libvirt-login-shell.install 11.6.0-1ubuntu2/debian/libvirt-login-shell.install --- 11.6.0-1/debian/libvirt-login-shell.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-login-shell.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -etc/libvirt/virt-login-shell.conf -usr/bin/virt-login-shell -usr/lib/libvirt/virt-login-shell-helper -usr/share/man/man1/virt-login-shell.1 diff -pruN 11.6.0-1/debian/libvirt-ssh-proxy.install 11.6.0-1ubuntu2/debian/libvirt-ssh-proxy.install --- 11.6.0-1/debian/libvirt-ssh-proxy.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-ssh-proxy.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -/etc/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf -/usr/lib/libvirt/libvirt-ssh-proxy diff -pruN 11.6.0-1/debian/libvirt-wireshark.install 11.6.0-1ubuntu2/debian/libvirt-wireshark.install --- 11.6.0-1/debian/libvirt-wireshark.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt-wireshark.install 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/wireshark/plugins/*/epan/libvirt.so diff -pruN 11.6.0-1/debian/libvirt0.install 11.6.0-1ubuntu2/debian/libvirt0.install --- 11.6.0-1/debian/libvirt0.install 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/libvirt0.install 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-admin.so.0 -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-admin.so.0.* -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-lxc.so.0 -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-lxc.so.0.* -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-qemu.so.0 -usr/lib/${DEB_HOST_MULTIARCH}/libvirt-qemu.so.0.* -usr/lib/${DEB_HOST_MULTIARCH}/libvirt.so.0 -usr/lib/${DEB_HOST_MULTIARCH}/libvirt.so.0.* diff -pruN 11.6.0-1/debian/patches/series 11.6.0-1ubuntu2/debian/patches/series --- 11.6.0-1/debian/patches/series 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/series 2025-08-27 08:18:49.000000000 +0000 @@ -2,3 +2,25 @@ debian/Debianize-libvirt-guests.patch debian/apparmor_profiles_local_include.patch debian/Use-sensible-editor-by-default.patch debian/Drop-inter-package-Also-lines-from-libvirtd.service.patch + +ubuntu/Allow-libvirt-group-to-access-the-socket.patch +ubuntu/daemon-augeas-fix-expected.patch +ubuntu/ubuntu_machine_type.patch +ubuntu/set-default-machine-to-ubuntu.patch +ubuntu/lp-1861125-ubuntu-models.patch +ubuntu/dnsmasq-as-priv-user +ubuntu/ovmf_paths.patch +ubuntu/wait-for-qemu-kvm.patch +ubuntu/swtpm-by-swtpm-user.patch +ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch + +# Ubuntu Apparmor Changes +ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch +ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch +ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch +ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch +ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch +ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch +ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch +ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch +ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch \ No newline at end of file diff -pruN 11.6.0-1/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch --- 11.6.0-1/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/Allow-libvirt-group-to-access-the-socket.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,50 @@ +From: Guido Guenther +Date: Thu, 26 Jun 2008 20:01:38 +0200 +Subject: Allow libvirt group to access the socket +Forwarded: no +Updated: 2020-08-05 + +This is the group based access to libvirt functions as it was used +in Ubuntu for quite long. + +Debian uses root + policykit for the same. But since Ubuntu did it +the group based way for so long people are used to that, so we keep it. + +There are some related tests (if augeas is enabled as build depend) that need +to be adapted in their expected output, that is done in: + d/p/ubuntu/daemon-augeas-fix-expected.patch + + +--- libvirt.orig/src/remote/libvirtd.conf.in 2024-01-12 15:03:56.073753030 -0500 ++++ libvirt/src/remote/libvirtd.conf.in 2024-01-12 15:03:56.073753030 -0500 +@@ -166,7 +166,7 @@ + # + # To restrict monitoring of domains you may wish to either + # enable 'sasl' here, or change the polkit policy definition. +-#auth_unix_ro = "@default_auth@" ++auth_unix_ro = "none" + + # Set an authentication scheme for UNIX read-write sockets. + # +@@ -182,7 +182,7 @@ + # is essential to change the systemd SocketMode parameter + # back to 0600, to avoid an insecure configuration. + # +-#auth_unix_rw = "@default_auth@" ++auth_unix_rw = "none" + @CUT_ENABLE_IP@ + + # Change the authentication scheme for TCP sockets. +--- libvirt.orig/src/remote/libvirtd.socket.in 2024-01-12 15:03:56.073753030 -0500 ++++ libvirt/src/remote/libvirtd.socket.in 2024-01-12 15:04:52.681162551 -0500 +@@ -4,7 +4,9 @@ Description=libvirt legacy monolithic da + [Socket] + ListenStream=@runstatedir@/libvirt/libvirt-sock + Service=libvirtd.service +-SocketMode=@sockmode@ ++SocketMode=0660 ++SocketUser=root ++SocketGroup=libvirt + RemoveOnStop=yes + + [Install] diff -pruN 11.6.0-1/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/daemon-augeas-fix-expected.patch --- 11.6.0-1/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/daemon-augeas-fix-expected.patch 2025-08-27 08:02:11.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Fix the expected augeas output for 'make check' + This never used to run for us because we never build-depended on + augeas-tools. +Author: Serge Hallyn +Forwarded: no + +This is only needed in combination with + d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch and makes the tests +match the slightly different default configuration. + +--- a/src/remote/test_libvirtd.aug.in ++++ b/src/remote/test_libvirtd.aug.in +@@ -14,8 +14,6 @@ module Test_@DAEMON_NAME@ = + { "unix_sock_rw_perms" = "0770" } + { "unix_sock_admin_perms" = "0700" } + { "unix_sock_dir" = "@runstatedir@/libvirt" } +- { "auth_unix_ro" = "@default_auth@" } +- { "auth_unix_rw" = "@default_auth@" } + @CUT_ENABLE_IP@ + { "auth_tcp" = "sasl" } + { "auth_tls" = "none" } diff -pruN 11.6.0-1/debian/patches/ubuntu/dnsmasq-as-priv-user 11.6.0-1ubuntu2/debian/patches/ubuntu/dnsmasq-as-priv-user --- 11.6.0-1/debian/patches/ubuntu/dnsmasq-as-priv-user 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/dnsmasq-as-priv-user 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,300 @@ +Title: Run DNSMASQ as libvirt-dnsmasq user +DEP: 3 +Date: 2012-03-02 +Drivers: Serge Hallyn +URL: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/938255 + +Dropped in Artful for security reasons: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1690729 +Readded in improved Bionic: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1743718 +Debian nack: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340 + +Abstract: + Generally it's bad form from a security perspective to run daemons as user + nobody because a vulnerability in one daemon will possibly allow it, when + compromised, to interfere with another daemon that is also running as nobody. + The preferred solution is to run it as a service-specific system user. In this + case, because there may be multiple dnsmasq daemons running, a separate + libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under + a system user called unsurprisingly 'dnsmasq'). +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -1129,7 +1129,8 @@ networkDnsmasqConfContents(virNetworkObj + "## virsh net-edit %s\n" + "## or other application using the libvirt API.\n" + "##\n## dnsmasq conf file created by libvirt\n" +- "strict-order\n", ++ "strict-order\n" ++ "user=libvirt-dnsmasq\n", + def->name); + + /* if dns is disabled, set its listening port to 0, which +--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf ++++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/dhcp6-nat-network.conf ++++ b/tests/networkxml2confdata/dhcp6-nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/dhcp6-network.conf ++++ b/tests/networkxml2confdata/dhcp6-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=mynet + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/isolated-network.conf ++++ b/tests/networkxml2confdata/isolated-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr2 +--- a/tests/networkxml2confdata/nat-network.conf ++++ b/tests/networkxml2confdata/nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-forwarders.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forwarders.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + server=8.8.8.8 + server=8.8.4.4 + server=/example.com/192.168.1.1 +--- a/tests/networkxml2confdata/nat-network-dns-forward-plain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forward-plain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf ++++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + domain-needed +--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf ++++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/netboot-network.conf ++++ b/tests/networkxml2confdata/netboot-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/netboot-proxy-network.conf ++++ b/tests/networkxml2confdata/netboot-proxy-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/routed-network.conf ++++ b/tests/networkxml2confdata/routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/nat-network-dns-local-domain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/example.com/ + domain=example.com + expand-hosts +--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf ++++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/open-network.conf ++++ b/tests/networkxml2confdata/open-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/ptr-domains-auto.conf ++++ b/tests/networkxml2confdata/ptr-domains-auto.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/122.168.192.in-addr.arpa/ + local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ + except-interface=lo +--- a/tests/networkxml2confdata/routed-network-no-dns.conf ++++ b/tests/networkxml2confdata/routed-network-no-dns.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + port=0 + except-interface=lo + bind-dynamic +--- a/tests/networkxml2confdata/nat-network-dns-forwarder-no-resolv.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forwarder-no-resolv.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + server=/example.com/192.168.1.1 + except-interface=lo + bind-dynamic +--- a/tests/networkxml2confdata/nat-network-mtu.conf ++++ b/tests/networkxml2confdata/nat-network-mtu.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/dnsmasq-options.conf ++++ b/tests/networkxml2confdata/dnsmasq-options.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-hours.conf ++++ b/tests/networkxml2confdata/leasetime-hours.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-infinite.conf ++++ b/tests/networkxml2confdata/leasetime-infinite.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-minutes.conf ++++ b/tests/networkxml2confdata/leasetime-minutes.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/leasetime-seconds.conf ++++ b/tests/networkxml2confdata/leasetime-seconds.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/netboot-tftp.conf ++++ b/tests/networkxml2confdata/netboot-tftp.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 diff -pruN 11.6.0-1/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch --- 11.6.0-1/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/lp-1861125-ubuntu-models.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,21 @@ +Description: Ubuntu Models for LP: 1861125 + We got the issue fixed through + https://bugzilla.redhat.com/show_bug.cgi?id=1795651 but it is type based + so at least for the support time of Xenial we need to carry a delty adding + the named Ubuntu types to the workaround. +Forwarded: no (Ubuntu specific) +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1861125 +Bug-Upstream: https://bugzilla.redhat.com/show_bug.cgi?id=1795651 +Last-Update: 2020-02-12 +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -2323,6 +2323,8 @@ const char *s390HostPassthroughOnlyMachi + "s390-ccw-virtio-2.5", + "s390-ccw-virtio-2.6", + "s390-ccw-virtio-2.7", ++ "s390-ccw-virtio-xenial", ++ "s390-ccw-virtio-yakkety", + NULL + }; + diff -pruN 11.6.0-1/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch --- 11.6.0-1/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/lp-2027838-conf-Default-to-qemu-system-libvirt-URI.patch 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1,59 @@ +From: =?utf-8?q?Lukas_M=C3=A4rdian?= +Date: Wed, 20 Aug 2025 11:26:12 +0200 +Subject: conf: Default to qemu:///system libvirt URI (LP: #2027838) + +On Ubuntu we always want to initialize the URI to qemu:///system, regardless if +running as privileged daemon or not. This keeps backward compatibility with +Ubuntu's default behavior, while still allowing users more flexibility in +changing that default, through config files or environment variables. + +This can still be overridden via the "uri_default" setting in +/etc/libvirt.conf, ~/.config/libvirt/libvirt.conf or the +LIBVIRT_DEFAULT_URI environment variable. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2027838 +Origin: vendor, Ubuntu +Forwarded: not-needed +Last-Update: 2025-08-20 +--- + docs/uri.rst | 2 +- + src/libvirt.c | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/docs/uri.rst b/docs/uri.rst +index cc97000..38efcce 100644 +--- a/docs/uri.rst ++++ b/docs/uri.rst +@@ -56,7 +56,7 @@ will use the following logic to determine what URI to use. + + #. The environment variable ``LIBVIRT_DEFAULT_URI`` + #. The client configuration file ``uri_default`` parameter +-#. Probe each hypervisor in turn until one that works is found ++#. Fallback to ``qemu:///system`` + + Historically an empty URI was equivalent to ``xen:///system``. + +diff --git a/src/libvirt.c b/src/libvirt.c +index 375d3fa..004de32 100644 +--- a/src/libvirt.c ++++ b/src/libvirt.c +@@ -886,8 +886,18 @@ virConnectGetDefaultURI(virConf *conf, + VIR_DEBUG("Using LIBVIRT_DEFAULT_URI '%s'", defname); + *name = g_strdup(defname); + } else { +- if (virConfGetValueString(conf, "uri_default", name) < 0) ++ int ret = virConfGetValueString(conf, "uri_default", name); ++ if (ret < 0) + return -1; ++ else if (ret == 0) { ++ /* Pretend uri_default was set to qemu:///system, if not found. ++ On Ubuntu we always want to initialize the URI to qemu:///system, ++ regardless if running as privileged daemon or not (LP: #2027838). ++ This can still be overridden via the "uri_default" setting in ++ /etc/libvirt.conf, ~/.config/libvirt/libvirt.conf or the ++ LIBVIRT_DEFAULT_URI environment variable. */ ++ *name = g_strdup("qemu:///system"); ++ } + + if (*name) + VIR_DEBUG("Using config file uri '%s'", *name); diff -pruN 11.6.0-1/debian/patches/ubuntu/ovmf_paths.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/ovmf_paths.patch --- 11.6.0-1/debian/patches/ubuntu/ovmf_paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/ovmf_paths.patch 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1,54 @@ +From: Mathieu Trudel-Lapierre +Subject: Add paths to "ms" variants of OVMF code/vars + +The "ms" Secure Boot -enabled variants of OVMF_CODE and OVMF_VARS +both should include the added label rather than just the OVMF_CODE file: +in Ubuntu, we always build OVMF_CODE with Secure Boot enabled, as we only +build it once, but the variable store in the ms.fd file additionally +includes preloaded Microsoft KEK/DB keys, as well as an ephemeral PK/KEK +key that was generated just for that purpose (for which only the public +part is available, the secret key has been deleted). The fact that a PK, +KEK, and DB keys are loaded means Secure Boot is effectively enabled and +can validate UEFI binaries. When users use the non-secboot variant, then +Secure Boot is effectively not in use due to the absence of the keys. + +--- + src/qemu/qemu.conf | 3 ++- + src/qemu/qemu_conf.c | 3 ++- + src/qemu/test_libvirtd_qemu.aug.in | 1 + + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -1006,7 +1006,8 @@ + # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", + # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +-# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd", ++# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #] + + +--- a/src/qemu/qemu_conf.c ++++ b/src/qemu/qemu_conf.c +@@ -106,7 +106,8 @@ VIR_ONCE_GLOBAL_INIT(virQEMUConfig); + "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd:" \ + "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd:" \ +- "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" ++ "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd:" \ ++ "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" + #endif + + +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -117,6 +117,7 @@ module Test_libvirtd_qemu = + { "2" = "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd" } + { "3" = "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd" } + { "4" = "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" } ++ { "5" = "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" } + } + { "stdio_handler" = "logd" } + { "gluster_debug_level" = "9" } diff -pruN 11.6.0-1/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch --- 11.6.0-1/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/set-default-machine-to-ubuntu.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,45 @@ +Description: set default machine type to ubuntu + Upstream qemu is about to change the default machine type to q35. + But libvirt has sort of an API-contract that guarantees to have the + default be at a "pc" type. + Note: it can not be overemphasized that users/tools should choose a type + themselves in any cases possible + . + Due to those changes in qemu libvirt now ignores the qemu default type. + But we want the latest distro machine type the default. + Qemu only provides max one alias per type, so we can not set "ubuntu" + which is the default we provided for users asking for the latest type + matching the current series AND at the same time an alias to "pc" which + is what libvirt now explicitly selects. + . + The lowest amount of confusion is to let libvirt select "ubuntu" instead of + "pc" as the default. That matches all former Ubuntu releases where "ubuntu" + was the default qemu provided and libvirt picked up and at the same time it + stays a pc-based type as required by libvirt. + . + Distro-only: as the machine types only are that way to maintain + differences between pure upstream and derived qemu implementation. +Forwarded: not-needed +Author: Christian Ehrhardt +Last-Update: 2019-01-10 + +--- libvirt.orig/src/qemu/qemu_capabilities.c 2024-07-23 18:33:02.852372495 -0400 ++++ libvirt/src/qemu/qemu_capabilities.c 2024-07-23 18:33:36.116126928 -0400 +@@ -2696,7 +2696,7 @@ static const char *preferredMachines[] = + + "virt", /* VIR_ARCH_AARCH64 */ + "axis-dev88", /* VIR_ARCH_CRIS */ +- "pc", /* VIR_ARCH_I686 */ ++ "ubuntu", /* VIR_ARCH_I686 */ + NULL, /* VIR_ARCH_ITANIUM (doesn't exist in QEMU any more) */ + "lm32-evr", /* VIR_ARCH_LM32 */ + +@@ -2730,7 +2730,7 @@ static const char *preferredMachines[] = + "sun4u", /* VIR_ARCH_SPARC64 */ + "puv3", /* VIR_ARCH_UNICORE32 */ + +- "pc", /* VIR_ARCH_X86_64 */ ++ "ubuntu", /* VIR_ARCH_X86_64 */ + "sim", /* VIR_ARCH_XTENSA */ + "sim", /* VIR_ARCH_XTENSAEB */ + }; diff -pruN 11.6.0-1/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/swtpm-by-swtpm-user.patch --- 11.6.0-1/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/swtpm-by-swtpm-user.patch 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1,40 @@ +Description: Have swtpm use the swtpm user by default + User 'tss' has more permissions than required and since tpm in some sense + is guest/host interface it shall be run under a more restrictive user. +Forwarded: no-needed +X-Not-Forwarded-Reason: swtpm user is ubuntu specific +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1948880 +Last-Update: 2021-11-11 +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -1095,11 +1095,14 @@ + + # User for the swtpm TPM Emulator + # +-# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs +-# and uses; alternative is 'root' ++# Default is 'swtpm' as established by the swtpm-tools package. + # +-#swtpm_user = "tss" +-#swtpm_group = "tss" ++# In the past this was 'tss' and that still would be the built-in default ++# if nothing was configured here, but the 'tss' user also has TPM device ++# access in the host which isn't needed for swtpm. ++# ++swtpm_user = "swtpm" ++swtpm_group = "swtpm" + + + # For debugging and testing purposes it's sometimes useful to be able to disable +--- a/src/qemu/test_libvirtd_qemu.aug.in ++++ b/src/qemu/test_libvirtd_qemu.aug.in +@@ -130,8 +130,6 @@ module Test_libvirtd_qemu = + { "slirp_helper" = "/usr/bin/slirp-helper" } + { "qemu_rdp" = "qemu-rdp" } + { "dbus_daemon" = "dbus-daemon" } +-{ "swtpm_user" = "tss" } +-{ "swtpm_group" = "tss" } + { "capability_filters" + { "1" = "capname" } + } diff -pruN 11.6.0-1/debian/patches/ubuntu/ubuntu_machine_type.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/ubuntu_machine_type.patch --- 11.6.0-1/debian/patches/ubuntu/ubuntu_machine_type.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/ubuntu_machine_type.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,14 @@ +Description: Extend libvirt checks for ubuntu machine types +Author: Felix Geyer +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1379346 +Last-Update: 2015-11-24 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -8900,6 +8900,7 @@ qemuDomainMachineIsI440FX(const char *ma + STRPREFIX(machine, "pc-0.") || + STRPREFIX(machine, "pc-1.") || + STRPREFIX(machine, "pc-i440fx-") || ++ STREQ(machine, "ubuntu") || + STRPREFIX(machine, "rhel")) { + return true; + } diff -pruN 11.6.0-1/debian/patches/ubuntu/wait-for-qemu-kvm.patch 11.6.0-1ubuntu2/debian/patches/ubuntu/wait-for-qemu-kvm.patch --- 11.6.0-1/debian/patches/ubuntu/wait-for-qemu-kvm.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu/wait-for-qemu-kvm.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,23 @@ +Description: Wait for qemu-kvm to have the module initialized + It was reported that in rare occasions libvirt might start up while + the kvm module is (re)loading. That can cause the capability probing + qemu processes to abort and let libvirtd hang on initialization. + Waiting on qemu-kvm is rather safe and reasonable, but is an ubuntu-only + service and therefore not generally applicable. + If qemu-kvm isn't installed or not enabled this is a no-op as it is only + an "After" rule for ordering. +Forwarded: no +X-Not-Forwarded-Reason: Ubuntu specific qemu-kvm service +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1887592 +Last-Update: 2020-08-06 +--- libvirt.orig/src/remote/libvirtd.service.in 2024-01-12 15:45:46.460367440 -0500 ++++ libvirt/src/remote/libvirtd.service.in 2024-01-12 15:46:05.904201450 -0500 +@@ -23,6 +23,7 @@ After=apparmor.service + After=remote-fs.target + After=systemd-machined.service + After=xencommons.service ++After=qemu-kvm.service + Conflicts=xendomains.service + + [Service] diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,37 @@ +From 4a8125774ff0745c0273a199fa8b9fb8316c2992 Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Thu, 11 May 2017 16:36:19 +0200 +Subject: [PATCH 20/33] UBUNTU-only: apparmor, virt-aa-helper: Allow various storage pools + and image locations + +Got various updates over time to include further Ubuntu specific paths. + +Forwarded: no (Ubuntu specific paths) +Signed-off-by: Stefan Bader +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +@@ -57,7 +57,19 @@ profile virt-aa-helper @libexecdir@/virt + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, +- /var/lib/nova/instances/_base/* r, ++ # nova base images (LP: #907269) ++ /var/lib/nova/images/** r, ++ /var/lib/nova/instances/_base/** r, ++ # nova snapshots (LP: #1244694) ++ /var/lib/nova/instances/snapshots/** r, ++ # eucalyptus (LP: #564914) ++ /var/lib/eucalyptus/instances/**/disk* r, ++ # eucalyptus loader (LP: #637544) ++ /var/lib/eucalyptus/instances/**/loader* r, ++ # for uvtool ++ /var/lib/uvtool/libvirt/images/** r, ++ # for multipass ++ /var/snap/multipass/common/data/multipassd/vault/instances/** r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0029-appmor-libvirt-qemu-Add-9p-support.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,34 @@ +From 0e7ed68253072d77b2997b316d37403a275c3d2f Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Fri, 19 May 2017 09:48:52 +0200 +Subject: [PATCH 29/33] appmor, libvirt-qemu.in: Add 9p support + +Add fowner and fsetid to libvirt-qemu profile. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1378434 + +Note: While upstreaming Serge and Guido were not very happy +with granting those permissions unconditionally. Instead they +thought it would be better to do this in virt-aa-helper only +if 9p filesystem is in use. + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/apparmor/libvirt-qemu.in | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -11,6 +11,10 @@ + capability setgid, + capability setuid, + ++ # for 9p ++ capability fsetid, ++ capability fowner, ++ + network inet stream, + network inet6 stream, + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0031-virt-aa-helper-Ask-for-no-deny-rule-for-readonly-dis.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,43 @@ +From df20057fd2774cd61d86a6f0a7f05a545e1bd862 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Wed, 10 May 2017 15:16:30 +0200 +Subject: [PATCH 31/33] virt-aa-helper: Ask for no deny rule for readonly disk + elements + +Just because a disk element only requests read access doesn't mean +there may not be another readwrite request. + +Using 'R' when creating the apparmor rule will prevent an implicit +write-deny rule to be created alongside. This does not mean write +is allowed but it would cause a denial message and probably more +relevant, allows to add write access later. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1554031 + +Review note: Investigate whether instead of dropping explicit deny +write it would be possible to create explicit blockcommit rules +(LP: #1692441). + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/virt-aa-helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -851,11 +851,11 @@ add_file_path(virStorageSource *src, + + if (depth == 0) { + if (src->readonly) +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + else + ret = vah_add_file(buf, src->path, "rwk"); + } else { +- ret = vah_add_file(buf, src->path, "rk"); ++ ret = vah_add_file(buf, src->path, "Rk"); + } + + if (ret != 0) diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0032-apparmor-libvirt-qemu-Allow-reading-charm-specific-c.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,34 @@ +From b1d54d7e56da3961f9db8705f7a5eaecd6f9222c Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Tue, 23 May 2017 17:21:08 +0200 +Subject: [PATCH 32/33] apparmor, libvirt-qemu.in: Allow reading charm-specific + ceph config + +Allows reading ceph configuration files from (juju) charm +specific location and silence denial messages which were +occuring related to that. + +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1403648 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +Signed-off-by: Stefan Bader +--- + src/security/apparmor/libvirt-qemu.in | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -250,6 +250,12 @@ + unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm), + ++ # allow access to charm-specific ceph config (LP: #1403648). ++ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579) ++ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674) ++ /var/lib/charm/*/ceph.conf r, ++ /run/ceph/rbd-client-*.asok rw, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,41 @@ +From a7cf113469ba32951a0cfa44a35992153ae876c8 Mon Sep 17 00:00:00 2001 +From: Christian Ehrhardt +Date: Tue, 4 Jul 2017 07:57:19 +0200 +Subject: [PATCH 33/33] UBUNTU-only: apparmor: for kvm.powerpc (LP: #1680384) + +The (so far) Ubuntu only kvm wrappers call a lot more on ppc. +Since this is already considered as the qemu binary it must be opened up +in apparmor to work. +So allow these extra tools executed by kvm.powerpc + +Note: this got added in 1680384 and extended by 1686621 + +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt + +Author: Christian Ehrhardt +Forwarded: no +Forward-info: Distro specific +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1680384 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686621 +Last-Update: 2018-06-17 +--- + src/security/apparmor/libvirt-qemu.in | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -256,6 +256,13 @@ + /var/lib/charm/*/ceph.conf r, + /run/ceph/rbd-client-*.asok rw, + ++ # kvm.powerpc executes/accesses this ++ /{usr/,}bin/uname rmix, ++ /{usr/,}sbin/ppc64_cpu rmix, ++ /{usr/,}bin/grep rmix, ++ /sys/devices/system/cpu/subcores_per_core r, ++ /sys/devices/system/cpu/cpu*/online r, ++ + # for gathering information about available host resources + /sys/devices/system/cpu/ r, + /sys/devices/system/node/ r, diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch --- 11.6.0-1/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,28 @@ +From 4c5da648e1f1bb3fd721de59ff8b2c3614ef07a9 Mon Sep 17 00:00:00 2001 +From: Corey Bryant +Date: Wed, 5 Jul 2017 17:07:48 +0200 +Subject: [PATCH 34/34] apparmor:, virt-aa-helper: access for snapped nova + +Allow access to base images stored in nova-hypervisor snap's +$SNAP_COMMON directory, enabling use of the libvirt deb from the +nova-hypervisor snap (LP: #1644507). + +Author: Corey Bryant +Forwarded: no (part of continuous upstreaming effort) +Signed-off-by: Christian Ehrhardt +--- + src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in ++++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +@@ -62,6 +62,9 @@ profile virt-aa-helper @libexecdir@/virt + /var/lib/nova/instances/_base/** r, + # nova snapshots (LP: #1244694) + /var/lib/nova/instances/snapshots/** r, ++ # nova base/snapshot files in snapped nova (LP: #1644507) ++ /var/snap/nova-hypervisor/common/instances/_base/** r, ++ /var/snap/nova-hypervisor/common/instances/snapshots/** r, + # eucalyptus (LP: #564914) + /var/lib/eucalyptus/instances/**/disk* r, + # eucalyptus loader (LP: #637544) diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,57 @@ +Description: UBUNTU-only: apparmor: allow vhost-net/vsock + There are use case scenarios where a guest is started without vhost-net + or vhost-vsock, but later on such devices are hot added. + In the static start with such devices virt-aa-helper could generate rules + but actually doesn't have to as libvirt mediates access and passes FDs that + qemu will use. + This works fine, but on a hotplug of such devices without a static device + being present (that would have added the rule on start) we only have the + labeling calls of the security modules which do not vocer vhost-net/vsock. + The paths are considered security sensitive in general but even without + apparmor are protected by DAC due to Ubuntu by default not running guests + as root user or group. + To make people changing user/group aware this also adds a comment about it + to the qemu.conf file. + Under this constraint (warn in the .conf) we got the ack from security to + do this change for the comfort of our users until a more complex change like + new labellig calls is implemented. +Forwarded: yes (nacked, but complex solution has unknown ETA) +Author: Christian Ehrhardt +Origin: https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1815910 +Last-Update: 2019-05-15 + +--- a/src/security/apparmor/libvirt-qemu ++++ b/src/security/apparmor/libvirt-qemu +@@ -276,6 +276,11 @@ + # for vfio hotplug on systems without static vfio (LP: #1775777) + /dev/vfio/vfio rw, + ++ # for vhost-net/vsock/scsi hotplug (LP: #1815910) ++ /dev/vhost-net rw, ++ /dev/vhost-vsock rw, ++ /dev/vhost-scsi rw, ++ + # required for sasl GSSAPI plugin + /etc/gss/mech.d/ r, + /etc/gss/mech.d/* r, +--- a/src/qemu/qemu.conf.in ++++ b/src/qemu/qemu.conf.in +@@ -510,6 +510,17 @@ + # can be used to ensure that a user id will not be interpreted as a user + # name. + # ++# By default libvirt runs VMs as non-root and uses AppArmor profiles ++# to provide host protection and VM isolation. While AppArmor ++# continues to provide this protection when the VMs are running as ++# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is ++# allowed by default in the AppArmor security policy, so malicious VMs ++# running as root would have direct access to this file. If changing this ++# to run as root, you may want to remove this access from ++# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see: ++# https://launchpad.net/bugs/1815910 ++# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html ++# + # Some examples of valid values are: + # + # user = "qemu" # A user named "qemu" diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,31 @@ +From: Hector Cao +Date: Thu, 13 Feb 2025 11:09:34 +0100 +Subject: Allow acess for bridge-helper to sys devices node + +qemu-bridge-helper needs to read /sys/devices/system/node +that is not allowed in the apparmor profile +it does not make libvirtd fail but add an apparmor +audit message. This patch allows to remove this apparmor +warning + +Author: Hector Cao +Bug-Ubuntu: https://launchpad.net/bugs/2079869 +Forwarded: https://lists.ubuntu.com/archives/apparmor/2025-February/013499.html +--- + src/security/apparmor/usr.sbin.libvirtd.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in +index 3659ddc..2afc4cb 100644 +--- a/src/security/apparmor/usr.sbin.libvirtd.in ++++ b/src/security/apparmor/usr.sbin.libvirtd.in +@@ -141,6 +141,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { + /etc/qemu/** r, + owner @{PROC}/*/status r, + ++ # for gathering information about available host resources ++ /sys/devices/system/node/ r, ++ + /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix, + } + diff -pruN 11.6.0-1/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch --- 11.6.0-1/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1,59 @@ +From: Hector Cao +Subject: virt-aa-helper: Avoid duplicate when append rule + +when a device is dynamically attached to a VM, and it needs a special +system access for apparmor, libvirt calls virt-aa-helper (with argument -F) +to append a new rule to the apparmor profile of the VM. virt-aa-helper does +not check for duplicate and blindly appends the rule to the profile. since +there is no rule removal when a device is detached, this can make the profile +grow in size if a big number of attach/detach operations are done and the +profile might hit the size limit and futur attach operations might dysfunction +because no rule can be added into the apparmor profile. + +this patch tries to mitigate this issue by doing a duplicate check +when rules are appended into the profile. this fix does not guarantee +the absence of duplicates but should be enough to prevent the profile +to grow significantly in size and reach its size limit. + +Signed-off-by: Hector CAO +Signed-off-by: Michal Privoznik +Reviewed-by: Michal Privoznik + +Origin: upstream, https://github.com/libvirt/libvirt/commit/291dbefd074378df6b541fc1c19d3504279e069b +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/2120278 + +--- + src/security/virt-aa-helper.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c +index b662d971cb..8a297d4b54 100644 +--- a/src/security/virt-aa-helper.c ++++ b/src/security/virt-aa-helper.c +@@ -208,10 +208,21 @@ update_include_file(const char *include_file, const char *included_files, + return -1; + } + +- if (append && virFileExists(include_file)) ++ if (append && existing) { ++ /* Duplicate check: include_files might contain multiple rules ++ * the best is to check for each rule (separated by \n) but ++ * it might be overkilled, just do the check for the whole ++ * include_files. ++ * Most of the time, include_files contains only one rule ++ * so this check is OK to avoid the overflow of the profile ++ * duplicates might still exist though. ++ */ ++ if (strstr(existing, included_files) != NULL) ++ return 0; + pcontent = g_strdup_printf("%s%s", existing, included_files); +- else ++ } else { + pcontent = g_strdup_printf("%s%s", warning, included_files); ++ } + + plen = strlen(pcontent); + if (plen > MAX_FILE_LEN) { +-- +2.45.2 + diff -pruN 11.6.0-1/debian/rules 11.6.0-1ubuntu2/debian/rules --- 11.6.0-1/debian/rules 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/rules 2025-08-27 08:18:49.000000000 +0000 @@ -153,7 +153,7 @@ DEB_CONFIGURE_EXTRA_ARGS := \ -Dopenwsman=disabled \ -Ddriver_vz=disabled \ -Dqemu_user=libvirt-qemu \ - -Dqemu_group=libvirt-qemu \ + -Dqemu_group=kvm \ -Dqemu_moddir=/usr/lib/$(DEB_HOST_MULTIARCH)/qemu \ -Dqemu_datadir=/usr/share/qemu \ -Ddocs=enabled \ @@ -164,7 +164,7 @@ DEB_CONFIGURE_EXTRA_ARGS := \ -Dtls_priority=NORMAL \ $(WITH_OPENVZ) \ -Dsasl=enabled \ - -Dlibssh2=enabled \ + -Dlibssh2=disabled \ -Dlibssh=enabled \ -Dreadline=enabled \ -Dbash_completion=enabled \ @@ -275,6 +275,16 @@ ifeq ($(DEB_HOST_ARCH_OS), linux) mkdir -p $(DEB_DESTDIR)/etc/apt/apt.conf.d/ cp debian/apt/* \ $(DEB_DESTDIR)/etc/apt/apt.conf.d/ + + # Install apport package hook + mkdir -p $(DEB_DESTDIR)/usr/share/apport/package-hooks/ + cp -f debian/libvirt-daemon-common.apport \ + $(DEB_DESTDIR)/usr/share/apport/package-hooks/source_libvirt.py + + # Copy dnsmasq configuration + mkdir -p $(DEB_DESTDIR)/etc/dnsmasq.d-available/ + cp debian/libvirt-daemon-config-network.dnsmasq \ + $(DEB_DESTDIR)/etc/dnsmasq.d-available/libvirt-daemon endif # Copy the release notes where dh_installdocs can find them diff -pruN 11.6.0-1/debian/tests/control 11.6.0-1ubuntu2/debian/tests/control --- 11.6.0-1/debian/tests/control 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/control 2025-08-27 08:18:49.000000000 +0000 @@ -9,8 +9,9 @@ Tests: smoke-qemu-session, Depends: libvirt-clients, - libvirt-daemon, + libvirt-daemon-system, libxml2-utils, + linux-image-amd64 [amd64] | linux-generic [amd64], qemu-kvm, qemu-system, Restrictions: @@ -30,6 +31,7 @@ Restrictions: allow-stderr, isolation-machine, needs-root, + skippable, Tests: build-test, @@ -39,3 +41,24 @@ Depends: pkg-config, Restrictions: allow-stderr, + +Tests: + network, +Depends: + dnsmasq-base, + libvirt-clients, + libvirt-daemon, + libvirt-daemon-driver-qemu, +Restrictions: + allow-stderr, + needs-root, + +Tests: + default-uri, +Depends: + libvirt-clients, + libvirt-daemon, + libvirt-daemon-driver-qemu, +Restrictions: + allow-stderr, + needs-root, diff -pruN 11.6.0-1/debian/tests/default-uri 11.6.0-1ubuntu2/debian/tests/default-uri --- 11.6.0-1/debian/tests/default-uri 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/default-uri 2025-08-27 08:18:49.000000000 +0000 @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e +set -x + +# Setup +USER="testvirt" +adduser --disabled-password --gecos "" $USER +adduser $USER libvirt +cp /etc/libvirt/libvirt.conf /etc/libvirt/libvirt.conf.BAK + +# As root: +virsh uri | grep -q "qemu:///system" # Default + +# Config can override default +echo "uri_default = \"qemu:///conf_test\"" >> /etc/libvirt/libvirt.conf +virsh uri 2>&1 | grep -q "/conf_test" + +# ENV can override config +LIBVIRT_DEFAULT_URI="qemu:///test_env" virsh uri 2>&1 | grep -q "/test_env" + + +# As user: + +sudo -u $USER bash -ex <> ~/.config/libvirt/libvirt.conf +virsh uri 2>&1 | grep -q "/conf_test_user" + +# ENV can override config +LIBVIRT_DEFAULT_URI="qemu:///test_env_user" virsh uri 2>&1 | grep -q "/test_env_user" +EOF + +mv /etc/libvirt/libvirt.conf.BAK /etc/libvirt/libvirt.conf +exit 0 diff -pruN 11.6.0-1/debian/tests/network 11.6.0-1ubuntu2/debian/tests/network --- 11.6.0-1/debian/tests/network 1970-01-01 00:00:00.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/network 2025-08-27 08:03:12.000000000 +0000 @@ -0,0 +1,32 @@ +#!/bin/sh + +set -e +set -x + +# Find primary interface (default route with lowest metric) +IFACE="$(ip -o -4 route show to default | sort -k11 -n | head -n 1 | awk '{print $5}')" + +# Verify libvirt IPs are not currently assigned +if $(ip addr | grep -q "192.168.122.1"); then + echo "ERROR: IP 192.168.122.1 shouldn't be there." + exit 1; +fi +if $(ip addr | grep -q "192.168.123.1"); then + echo "ERROR: IP 192.168.123.1 shouldn't be there." + exit 1; +fi + +# Consume primary libvirt IP, to trigger fallback condition +ip addr add 192.168.122.1 dev $IFACE + +# Set up virbr0 through maintainer scripts +apt -y install libvirt-daemon-config-network | grep -B2 -A2 "Changing to free 192.168.123.1/24" +cat /etc/libvirt/qemu/networks/default.xml +virsh net-list + +# Confirm IP addresses are correctly assigned +ip addr show $IFACE | grep -q "192.168.122.1" +ip addr show virbr0 | grep -q "192.168.123.1" + +echo 'Network test successful' +exit 0 diff -pruN 11.6.0-1/debian/tests/smoke-lxc 11.6.0-1ubuntu2/debian/tests/smoke-lxc --- 11.6.0-1/debian/tests/smoke-lxc 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/smoke-lxc 2025-08-27 08:02:11.000000000 +0000 @@ -16,10 +16,36 @@ cleanup() fi } +try_check_domain() +{ + for _ in $(seq 10); do + check_domain && return + sleep 2s + done + echo "Known to be unreliable on test infrastructure - skipping" + exit 77 +} + check_domain() { + rc=0 virsh list | grep -qs "${DOMAIN}[[:space:]]\+running" + rc=$((rc+$?)) virsh lxc-enter-namespace --noseclabel ${DOMAIN} /bin/ls /bin/ls + rc=$((rc+$?)) + return $rc +} + +try_restart_libvirtd() +{ + for _ in $(seq 10); do + systemctl restart libvirtd && return + sleep 2s + done + # This turned out to be flaky, non reproducible outside of LP-infra and + # is not what we want to test, Skip the test in this case + echo "Restart failed while checking for container-survival-through restart - skipping". + exit 77 } trap cleanup EXIT @@ -35,11 +61,11 @@ rm -f /var/log/libvirt/lxc/sl.log virsh start ${DOMAIN} # Check virtlogd is running grep -qs "starting up" /var/log/libvirt/lxc/sl.log -check_domain +try_check_domain # Make sure a restart doesn't termiante the domain -/etc/init.d/libvirtd restart -check_domain -virsh destroy ${DOMAIN} +try_restart_libvirtd +try_check_domain +virsh destroy ${DOMAIN} || true virsh undefine ${DOMAIN} CLEANED_UP=1 set +x diff -pruN 11.6.0-1/debian/tests/smoke-qemu-session 11.6.0-1ubuntu2/debian/tests/smoke-qemu-session --- 11.6.0-1/debian/tests/smoke-qemu-session 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/smoke-qemu-session 2025-08-27 08:02:11.000000000 +0000 @@ -27,8 +27,13 @@ if [ $(uname -m) != "x86_64" ]; then exit 77 fi +# to be able to load our simple guest from /vmlinuz later +sudo chown $USER /initrd.img +sudo chown $USER /vmlinuz + echo echo "Running as $USER" set -x + virt-host-validate qemu || true virsh capabilities virsh capabilities | grep -qs "arch name='x86_64'" diff -pruN 11.6.0-1/debian/tests/smoke-qemu-session.xml 11.6.0-1ubuntu2/debian/tests/smoke-qemu-session.xml --- 11.6.0-1/debian/tests/smoke-qemu-session.xml 2025-08-01 21:22:24.000000000 +0000 +++ 11.6.0-1ubuntu2/debian/tests/smoke-qemu-session.xml 2025-08-27 08:02:11.000000000 +0000 @@ -1,4 +1,4 @@ - + sqs 256000 256000 @@ -18,7 +18,7 @@ destroy destroy - /usr/bin/kvm + /usr/bin/qemu-system-x86_64