virt-aa-helper: Avoid duplicate when append rule

when a device is dynamically attached to a VM, and it needs a special
system access for apparmor, libvirt calls virt-aa-helper (with argument -F)
to append a new rule to the apparmor profile of the VM. virt-aa-helper does
not check for duplicate and blindly appends the rule to the profile. since
there is no rule removal when a device is detached, this can make the profile
grow in size if a big number of attach/detach operations are done and the
profile might hit the size limit and futur attach operations might dysfunction
because no rule can be added into the apparmor profile.

this patch tries to mitigate this issue by doing a duplicate check
when rules are appended into the profile. this fix does not guarantee
the absence of duplicates but should be enough to prevent the profile
to grow significantly in size and reach its size limit.

Signed-off-by: Hector CAO <hector.cao@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

NEWS.rst

@@ -8,6 +8,340 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.
 
 
+v11.7.0 (unreleased)
+====================
+
+* **Security**
+
+* **Removed features**
+
+* **New features**
+
+  * Allow setting the log level of Cloud Hypervisor
+
+    Users can now configure the verbosity of Cloud Hypervisor by setting
+    the "log_level" option in ch.conf
+
+* **Improvements**
+
+* **Bug fixes**
+
+
+v11.6.0 (2025-08-01)
+====================
+
+* **New features**
+
+  * Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag
+
+    This new flag for virConnectBaselineHypervisorCPU can be used for computing
+    a baseline CPU on any host. Without the VIR_CONNECT_BASELINE_CPU_IGNORE_HOST
+    flag the baseline API would return reasonable output only when run on one of
+    the hosts that the input CPU definitions were collected from.
+
+  * Allow control over QEMU TLS priority strings
+
+    The qemu.conf file now has multiple settings allowing control over the
+    QEMU TLS priority strings, for the different subsystems in QEMU that
+    can support TLS. This can be used to workaround a current bug in GNUTLS
+    that is liable to cause crashes of the source QEMU when performing long
+    running live migration operations with TLS enabled.
+
+  * Add support for disabling deprecated CPU model features by default for s390 domains
+
+    Starting an s390 domain with host-model will now default to setting the
+    ``deprecated_features`` attribute to ``off``, ensuring the domain starts
+    with a migration-compatible CPU model to newer systems. This behavior can
+    be modified by setting the ``default_cpu_deprecated_features`` option in
+    the qemu.conf file.
+
+  * bhyve: Add TCP console support
+
+    TCP serial devices can now be configured with ``<serial type='tcp'>``::
+
+      <serial type='tcp'>
+        <source mode='bind' host='127.0.0.1' service='12345'/>
+        <target type='serial' port='0'/>
+      </serial>
+
+    Additionally, number of supported consoles increased to 4.
+
+  * qemu: Add support for RBD namespaces
+
+    Allow specifying the 'namespace' within a RBD image pool.
+
+* **Improvements**
+
+  * qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V
+
+    The previous default of ``lsilogic`` is unsupported by modern operating
+    systems. ``virtio-scsi`` is a more suitable default for ARM and RISC-V
+    ``virt`` machine types.
+
+  * Clarify documentation of virConnectBaselineHypervisorCPU
+
+    The documentation makes it clear virConnectBaselineHypervisorCPU is
+    supposed to be called on one of the hosts represented in the input CPU
+    definitions. Otherwise the API will give unexpected results.
+
+  * Allow specifying zero discard granularity for block devices
+
+    This can be used to tell some guest operating systems (notably Windows) to
+    not trim the disk.
+
+  * bhyve: Add timeout handling for bhyveload
+
+    It is now possible to run ``bhyveload`` with the ``timeout`` tool, which
+    can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached.
+    Timeout values are set using the ``bhyveload_timeout`` and
+    ``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``.
+
+  * nss: Improve debugging
+
+    Debugging messages from NSS modules can be now enabled by setting the
+    ``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special
+    meaning to its value.
+
+  * rpc: Removed requirement for TLS certificates to support 'key encipherment'
+
+    With TLS 1.3, key encipherment is not required even for RSA keys. Other key
+    types didn't even support it so they were wrongly refused even in cases when
+    they would work with libvirt. The TLS certificate validation now no longer
+    requires 'key encipherment' to be enabled.
+
+* **Bug fixes**
+
+  * bhyve: Fix resetting of the autostart flag of the domain on destroy.
+
+  * The nwfilter driver no longer recreates the base iptable/ip6tables chains
+
+    The nwfilter driver had a impl mistake causing it to recreate the
+    base chains for iptables/ip6tables every time a VM was started.
+    This allowed a small window where traffic might not be fully
+    filtered. It now handles iptables/ip6tables the same way as
+    ebtables, creating the base chains only if they did not already
+    exist.
+
+  * Fix systemd unit ordering for auto-shutdown of domains via the daemon
+
+    The ordering of systemd units created by libvirt for individual machines
+    needed to be adapted when the shutdown of VMs on host shutdown is done
+    via the virt daemon itself (rather than ``libvirt-guests.service``) to
+    ensure that the VMs are not terminated before the virt daemon can deal with
+    them.
+
+
+v11.5.0 (2025-07-01)
+====================
+
+* **Removed features**
+
+  * qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat()
+
+    Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore,
+    there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead
+    of silently pretending the flag works, an appropriate error is now
+    reported.
+
+* **New features**
+
+  * vmx: Add support for reporting NVMe disks in the domain XML
+
+  * qemu: Add support for NVMe disks
+
+    NVMe disks can now be emulated by using an ``nvme`` bus, but require a
+    serial due to the hypervisor::
+
+      <target dev='nvme0n1' bus='nvme'/>
+      <serial>qwertyuiop</serial>
+
+    Multiple disks can be represented as different namespaces on the same
+    controller, but they cannot have a different serial number due to the fact
+    that it is the controller which ultimately has the serial number attached to
+    it, but for ease of use it is automatically copied from the disk serial.
+
+  * esx: Add support for specifying alternative CA bundle for remote peer verification
+
+    Users can now use ``cacert`` parameter in the URI to specify a file path
+    with CA certificate(s) that will be used for remote peer certificate
+    validation.
+
+  * qemu: add support for AMD IOMMU device
+
+    The ``amd`` model for the ``<iommu>`` device is now supported.
+    New attributes ``passtrhough`` and ``xtsup`` are also supported for this
+    model.
+
+* **Improvements**
+
+  * Include supported console types in domain capabilities
+
+    Domain capabilities now include information about supported console types, such as::
+
+      <console supported='yes'>
+        <enum name='type'>
+          <value>pty</value>
+          <value>tcp</value>
+        </enum>
+      </console>
+
+  * virsh: Add waiting for domain state via ``virsh await``
+
+    The new helper command ``virsh await`` simplifies waiting on domain state
+    which is normally announced via events. Currently two waiting conditions are
+    implemented: ``domain-inactive``, and ``guest-agent-available``.
+
+* **Bug fixes**
+
+  * qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
+
+    Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format
+    domain XML acquires QUERY job. But this caused a regression when the API
+    might timeout for incoming migration. This is now fixed.
+
+  * qemu: Fix shared filesystem detection on nonexistent paths
+
+    Since ``libvirt-11.1.0`` nonexistent paths within directories marked as
+    shared filesystem (via the ``shared_filesystems`` option in ``qemu.conf``
+    would not be properly detected as being on a shared filesystem.
+
+  * qemu: Properly emulate USB cdrom device
+
+    CD-ROM devices on USB bus are now properly emulated as such which was not
+    the case since libvirt switched to the modern qemu commandline syntax for
+    storage backends.
+
+
+v11.4.0 (2025-06-02)
+====================
+
+* **New features**
+
+  * qemu: ppc64 POWER11 processor support
+
+    Support for the recently released IBM POWER11 processor was added.
+
+* **Packaging changes**
+
+  * All helper programs are now detected from ``$PATH`` during runtime
+
+    All of the code was now converted to dynamically look up helper programs
+    in ``$PATH`` rather than doing the lookup at build time and then compiling
+    in the result.
+
+    Programs ``mount``, ``umount``, ``mkfs``, ``modprobe``, ``rmmod``,
+    ``numad``, ``dmidecode``, ``ip``, ``tc``, ``mdevctl``, ``mm-ctl``,
+    ``iscsiadm``, ``ovs-vsctl``, ``pkttyagent``, ``bhyveload``, ``bhyvectl``,
+    ``bhyve``, ``ifconfig``, ``vzlist``, ``vzctl``, ``vzmigrate``, and the
+    tools from the lvm suite (``vgchange``, ``lvcreate``, etc..) are now not
+    needed during build and will still work properly if placed in ``$PATH``.
+
+    This also ensures that libvirt works correctly on distros that are
+    transitioning ``/sbin`` into ``/bin`` and upgraded installations have
+    a different layout from fresh installations.
+
+* **Improvements**
+
+  * virsh: Add option ``--no-pkttyagent``
+
+    That option suppresses registration of pkttyagent with polkitd.
+
+  * bhyve: support NVRAM configuration for UEFI firmwares
+
+    The bhyve driver now supports specifying NVRAM store file, such as::
+
+      <os firmware='efi'>
+        <nvram/>
+      </os>
+
+  * qemu: Improve accuracy of FDC/floppy device support statement in capabilities XML
+
+    The data is now based on the presence of the controller in qemu rather than
+    just a denylist of machine types where floppies not work.
+
+* **Bug fixes**
+
+  * qemu: Fix failure when reverting to internal snapshots
+
+    A regression in ``libvirt-11.2`` and ``libvirt-11.3`` prevents reverting to
+    an internal snapshot. Attempts to revert would produce the following error::
+
+      error: operation failed: load of internal snapshot 'foo1' job failed: Device 'libvirt-1-format' is writable but does not support snapshots
+
+    The only workaround is to avoid the broken versions.
+
+  * qemu: Fix virtqemud crash when resuming failed post-copy migration
+
+    A regression introduced in ``libvirt-11.2.0`` caused virtqemud on the
+    destination host to crash when trying to resume failed post-copy
+    migration.
+
+  * qemu: Treat the ``queues`` configuration of ``virtio-net`` as guest ABI
+
+    The queue count itself isn't a device frontend property but libvirt uses
+    it to calculate ``vectors`` option of the device which is a guest OS visible
+    property, thus ``queues`` must not change during migration. The ABI stability
+    check now handles this properly.
+
+
+v11.3.0 (2025-05-02)
+====================
+
+* **Removed features**
+
+  * Support for AppArmor versions prior to 3.0.0 has been dropped.
+
+* **New features**
+
+  * xen: Support configuration of ``<hyperv/>`` flags for Xen domains.
+
+    The following flags are now configurable for Xen: ``vapic``, ``synic``,
+    ``stimer``, ``frequencies``, ``tlbflush`` and ``ipi``.
+
+  * bhyve: Support virtio random number generator devices
+
+    Domain XMLs can now include virtio random number generator devices.
+    They are configured with::
+
+     <rng model='virtio'>
+       <backend model='random'/>
+     </rng>
+
+  * bhyve: Support ``<interface type='network'>``
+
+    At the moment it doesn't provide any new features compared to
+    ``<interface type='bridge'>``, but allows a more flexible configuration.
+
+* **Bug fixes**
+
+  * cpu_map: Install Ampere-1 ARM CPU models
+
+    The Ampere-1 CPU models added in the previous release were not properly
+    installed and thus every attempt to start an ARM domain with custom
+    CPU definition would fail.
+
+  * storage: Fix new volume creation
+
+    No more errors occur when new storage volume is being created using ``virsh
+    vol-create`` with ``--validate`` option and/or ``virStorageVolCreateXML()``
+    with ``VIR_VOL_XML_PARSE_VALIDATE`` flag.
+
+  * Don't spam logs with error about ``qemu-rdp`` when starting a qemu VM
+
+    On hosts where the ``qemu-rdp`` binary is not installed a start of a VM
+    would cause an error such as ::
+
+      error : qemuRdpNewForHelper:103 : 'qemu-rdp' is not a suitable qemu-rdp helper name: No such file or directory
+
+    to be logged in the system log. It is safe to ignore the error. The code
+    was fixed to avoid the message when probing for support.
+
+  * Fix libvirt daemon crash on failure to hotplug a disk into a ``qemu`` VM
+
+    Some failures of disk hotplug could cause the libvirt daemon to crash due
+    to a bug when rolling back disk throttling filters.
+
+
 v11.2.0 (2025-04-01)
 ====================
 
@@ -181,7 +515,7 @@ v11.1.0 (2025-03-03)
   * ch: Support handling events from cloud-hypervisor
 
     The ch driver now supports handling events from the cloud-hypervisor.
-    Events include VM lifecyle operations such as  shutdown, pause, resume,
+    Events include VM lifecycle operations such as  shutdown, pause, resume,
     etc. Libvirt will now read these events and take actions such as
     updating domain state, etc.
 
@@ -335,7 +669,7 @@ v10.10.0 (2024-12-02)
   * qemu: Support for the 'data-file' QCOW2 image feature
 
     The QEMU hypervisor driver now supports QCOW2 images with 'data-file'
-    feature present (both when probing form the image itself and when specified
+    feature present (both when probing from the image itself and when specified
     explicitly via ``<dataStore>`` element). This can be useful when it's
     required to keep data "raw" on disk, but the use case requires features
     of the QCOW2 format such as incremental backups.
@@ -417,7 +751,7 @@ v10.9.0 (2024-11-01)
 
       warning : qemuSnapshotActiveInternalDeleteGetDevices:3841 : inconsistent internal snapshot state (deletion): VM='snap' snapshot='1727959843' missing='vda ' unexpected='' extra=''
 
-    Users are encouraged to report any occurence of the above message along
+    Users are encouraged to report any occurrence of the above message along
     with steps they took to the upstream tracker.
 
   * qemu: improve documentation of image format settings
@@ -434,6 +768,7 @@ v10.9.0 (2024-11-01)
     ``<blockers model='...'>`` element is added for that CPU model listing
     features required by the CPU model, but not supported on the host.
 
+
 v10.8.0 (2024-10-01)
 ====================
 
@@ -452,7 +787,7 @@ v10.8.0 (2024-10-01)
     the bridge interface (normally it would not be set, as is done
     with other forward modes).
 
-  * storage: Lessen dependancy on the ``showmount`` program
+  * storage: Lessen dependency on the ``showmount`` program
 
     Libvirt now automatically detects presence of ``showmount`` during runtime
     as we do with other helper programs and also the
@@ -499,7 +834,7 @@ v10.8.0 (2024-10-01)
   * qemu: backup: Fix possible crashes when running monitoring commands during backup job
 
     The qemu monitor code was fixed to not crash in specific cases when
-    monitoing APIs are called during a backup job.
+    monitoring APIs are called during a backup job.
 
   * Fix various memleaks and overflows
 
@@ -569,6 +904,7 @@ v10.7.0 (2024-09-02)
     Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
     networking modes.
 
+
 v10.6.0 (2024-08-05)
 ====================
 
@@ -1006,7 +1342,7 @@ v10.1.0 (2024-03-01)
 
     ``virt-admin`` doesn't try to guess the URI of the daemon to manage so a
     failure to connect may be confusing for users if modular daemons are used.
-    Add a hint to use the URI of the dameon to manage.
+    Add a hint to use the URI of the daemon to manage.
 
 * **Bug fixes**
 
@@ -1052,7 +1388,7 @@ v10.1.0 (2024-03-01)
 
   * qemu: Fix reservation of manually specified port for disk migration
 
-    A manually specified port would not be relased after disk migration making
+    A manually specified port would not be released after disk migration making
     it impossible to use it again.
 
 
@@ -1405,7 +1741,8 @@ v9.5.0 (2023-07-03)
 
 * **Bug fixes**
 
-  * lxc: Allow seeking in ``/proc/meminfo`` to resove failure with new ``procps`` package
+  * lxc: Allow seeking in ``/proc/meminfo`` to resolve failure with new
+    ``procps`` package
 
     New version of the ``free`` command from ``procps`` package seeks into the
     ``/proc/meminfo`` file, which was not supported by the instance of the file
@@ -5647,7 +5984,7 @@ v4.5.0 (2018-07-02)
   * qemu: Fix a potential libvirtd crash on VM reconnect
 
     Initialization of the driver worker pool needs to come before libvirtd
-    trying to reconnect to all machines, since one of the QEMU processes migh
+    trying to reconnect to all machines, since one of the QEMU processes might
     have already emitted events which need to be handled prior to us getting to
     the worker pool initialization.
 
@@ -6987,7 +7324,7 @@ v3.0.0 (2017-01-17)
 
   * Event notifications for the secret object
 
-    The secret object now supports event notifications, covering lifcycle
+    The secret object now supports event notifications, covering lifecycle
     changes and secret value changes.
 
   * New localPtr attribute for "ip" element in network XML

build-aux/Makefile.in

@@ -6,6 +6,7 @@ FLAKE8 = @flake8_path@
 BLACK = @black_path@
 RUNUTF8 = @runutf8@
 PYTHON = @PYTHON3@
+PERL = @PERL@
 GREP = @GREP@
 SED = @SED@
 AWK = @AWK@

build-aux/meson.build

@@ -13,23 +13,10 @@ if git and tests_enabled[0]
   if host_machine.system() == 'freebsd' or host_machine.system() == 'darwin'
     make_prog = find_program('gmake')
     sed_prog = find_program('gsed')
+    grep_prog = find_program('ggrep')
   else
     make_prog = find_program('make')
     sed_prog = find_program('sed')
-  endif
-
-  if host_machine.system() == 'freebsd'
-    grep_prog = find_program('grep')
-    grep_cmd = run_command(grep_prog, '--version', check: true)
-    if grep_cmd.stdout().startswith('grep (BSD grep')
-      grep_prog = find_program('/usr/local/bin/grep', required: false)
-      if not grep_prog.found()
-        error('GNU grep not found')
-      endif
-    endif
-  elif host_machine.system() == 'darwin'
-    grep_prog = find_program('ggrep')
-  else
     grep_prog = find_program('grep')
   endif
 
@@ -42,6 +29,7 @@ if git and tests_enabled[0]
     'black_path': black_path,
     'runutf8': ' '.join(runutf8),
     'PYTHON3': python3_prog.full_path(),
+    'PERL': perl_prog.full_path(),
     'GREP': grep_prog.full_path(),
     'SED': sed_prog.full_path(),
     'AWK': awk_prog.full_path(),

build-aux/syntax-check.mk

@@ -247,6 +247,12 @@ sc_prohibit_canonicalize_file_name:
 	halt='use virFileCanonicalizePath() instead of canonicalize_file_name()' \
 	  $(_sc_search_regexp)
 
+sc_prohibit_realpath:
+	@prohibit='\<realpath\(' \
+	exclude='exempt from syntax-check' \
+	halt='use virFileCanonicalizePath() instead of realpath()' \
+	  $(_sc_search_regexp)
+
 # qsort from glibc has unstable sort ordering for "equal" members
 sc_prohibit_qsort:
 	@prohibit='\<(qsort|qsort_r) *\(' \
@@ -1326,9 +1332,9 @@ sc_spacing-check:
 	$(PERL) $(top_srcdir)/build-aux/check-spacing.pl || \
 	  { echo 'incorrect formatting' 1>&2; exit 1; }
 
-sc_mock-noinline:
+sc_mockable-attribute:
 	$(AM_V_GEN)$(VC_LIST_EXCEPT) | $(GREP) '\.[ch]$$' | $(RUNUTF8) \
-	$(PYTHON) $(top_srcdir)/scripts/mock-noinline.py
+	$(PYTHON) $(top_srcdir)/scripts/mockable-attribute.py
 
 sc_header-ifdef:
 	$(AM_V_GEN)$(VC_LIST_EXCEPT) | $(GREP) '\.[h]$$' | $(RUNUTF8) xargs \
@@ -1349,6 +1355,13 @@ sc_rst_since:
 	halt='format :since: correctly' \
 	  $(_sc_search_regexp)
 
+sc_prohibit_inline_functions:
+	@prohibit='\binline\b' \
+	in_vc_files='\.c$$' \
+	exclude='exempt from syntax-check' \
+	halt='avoid inline functions in .c files' \
+	  $(_sc_search_regexp)
+
 
 ## ---------- ##
 ## Exceptions ##
@@ -1413,8 +1426,11 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \
 exclude_file_name_regexp--sc_prohibit_canonicalize_file_name = \
   ^(build-aux/syntax-check\.mk|tests/virfilemock\.c)$$
 
+exclude_file_name_regexp--sc_prohibit_realpath = \
+  ^(build-aux/syntax-check\.mk|src/cpu_map/sync_qemu_features_i386\.py|tests/virfilemock\.c)$$
+
 exclude_file_name_regexp--sc_prohibit_raw_allocation = \
-  ^(docs/advanced-tests\.rst|src/util/viralloc\.[ch]|examples/.*|tests/(securityselinuxhelper|(vircgroup|nss)mock|commandhelper)\.c|tools/wireshark/src/packet-libvirt\.c|tools/nss/libvirt_nss(_leases|_macs)?\.c)$$
+  ^(docs/advanced-tests\.rst|src/util/viralloc\.[ch]|examples/.*|tests/(securityselinuxhelper|(vircgroup|nss)mock|commandhelper)\.c|tools/wireshark/src/packet-libvirt\.c|tools/nss/libvirt_nss(_leases|_log|_macs)?\.[ch])$$
 
 exclude_file_name_regexp--sc_prohibit_readlink = \
   ^src/(util/virutil|lxc/lxc_container)\.c$$
@@ -1506,6 +1522,9 @@ exclude_file_name_regexp--sc_black = \
 exclude_file_name_regexp--sc_spacing-check = \
   ^scripts/rpcgen/tests/test_demo\.[ch]$$
 
+exclude_file_name_regexp--sc_prohibit_inline_functions = \
+  ^src/storage_file/storage_source.*.c$$
+
 ## -------------- ##
 ## Implementation ##
 ## -------------- ##

ci/buildenv/almalinux-9.sh

@@ -33,12 +33,7 @@ function install_buildenv() {
         glibc-langpack-en \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -58,17 +53,13 @@ function install_buildenv() {
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-docutils \
         python3-flake8 \

ci/buildenv/alpine-322.sh

@@ -29,10 +29,8 @@ function install_buildenv() {
         glib-dev \
         gnutls-dev \
         grep \
-        iproute2 \
         iptables \
         json-c-dev \
-        kmod \
         libcap-ng-dev \
         libnl3-dev \
         libpcap-dev \
@@ -44,19 +42,15 @@ function install_buildenv() {
         libxml2-dev \
         libxml2-utils \
         libxslt \
-        lvm2 \
         lvm2-dev \
         make \
         meson \
         musl-dev \
         netcf-dev \
-        nfs-utils \
         numactl-dev \
-        open-iscsi \
         parted-dev \
         perl \
         pkgconf \
-        polkit \
         py3-docutils \
         py3-flake8 \
         py3-pytest \

ci/buildenv/alpine-edge.sh

@@ -29,10 +29,8 @@ function install_buildenv() {
         glib-dev \
         gnutls-dev \
         grep \
-        iproute2 \
         iptables \
         json-c-dev \
-        kmod \
         libcap-ng-dev \
         libnl3-dev \
         libpcap-dev \
@@ -44,19 +42,15 @@ function install_buildenv() {
         libxml2-dev \
         libxml2-utils \
         libxslt \
-        lvm2 \
         lvm2-dev \
         make \
         meson \
         musl-dev \
         netcf-dev \
-        nfs-utils \
         numactl-dev \
-        open-iscsi \
         parted-dev \
         perl \
         pkgconf \
-        polkit \
         py3-docutils \
         py3-flake8 \
         py3-pytest \

ci/buildenv/centos-stream-9.sh

@@ -34,12 +34,7 @@ function install_buildenv() {
         glibc-langpack-en \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -59,17 +54,13 @@ function install_buildenv() {
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-docutils \
         python3-flake8 \

ci/buildenv/debian-12-cross-aarch64.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-armv6l.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-armv7l.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-i686.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-mips64el.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-mipsel.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-ppc64le.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12-cross-s390x.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-12.sh

@@ -26,9 +26,6 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libacl1-dev \
             libapparmor-dev \
             libattr1-dev \
@@ -65,16 +62,11 @@ function install_buildenv() {
             libxml2-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-sid-cross-aarch64.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-sid-cross-armv6l.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \
@@ -77,7 +69,6 @@ function install_buildenv() {
             libparted-dev:armel \
             libpcap0.8-dev:armel \
             libpciaccess-dev:armel \
-            librbd-dev:armel \
             libreadline-dev:armel \
             libsanlock-dev:armel \
             libsasl2-dev:armel \

ci/buildenv/debian-sid-cross-armv7l.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \
@@ -77,7 +69,6 @@ function install_buildenv() {
             libparted-dev:armhf \
             libpcap0.8-dev:armhf \
             libpciaccess-dev:armhf \
-            librbd-dev:armhf \
             libreadline-dev:armhf \
             libsanlock-dev:armhf \
             libsasl2-dev:armhf \
@@ -86,7 +77,6 @@ function install_buildenv() {
             libssh2-1-dev:armhf \
             libtirpc-dev:armhf \
             libudev-dev:armhf \
-            libxen-dev:armhf \
             libxml2-dev:armhf \
             systemtap-sdt-dev:armhf
     mkdir -p /usr/local/share/meson/cross

ci/buildenv/debian-sid-cross-i686.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \
@@ -77,7 +69,6 @@ function install_buildenv() {
             libparted-dev:i386 \
             libpcap0.8-dev:i386 \
             libpciaccess-dev:i386 \
-            librbd-dev:i386 \
             libreadline-dev:i386 \
             libsanlock-dev:i386 \
             libsasl2-dev:i386 \

ci/buildenv/debian-sid-cross-mips64el.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-sid-cross-ppc64le.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-sid-cross-s390x.sh

@@ -24,23 +24,15 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libclang-rt-dev \
             libnbd-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/debian-sid.sh

@@ -26,9 +26,6 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libacl1-dev \
             libapparmor-dev \
             libattr1-dev \
@@ -65,16 +62,11 @@ function install_buildenv() {
             libxml2-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/fedora-41.sh

@@ -33,12 +33,7 @@ function install_buildenv() {
         glusterfs-api-devel \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -58,17 +53,13 @@ function install_buildenv() {
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/fedora-42-cross-mingw32.sh

@@ -23,22 +23,13 @@ function install_buildenv() {
         git \
         glibc-langpack-en \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
         libnbd-devel \
         libxml2 \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
-        numad \
         perl-base \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/fedora-42-cross-mingw64.sh

@@ -23,22 +23,13 @@ function install_buildenv() {
         git \
         glibc-langpack-en \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
         libnbd-devel \
         libxml2 \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
-        numad \
         perl-base \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/fedora-42.sh

@@ -9,7 +9,7 @@ function install_buildenv() {
     dnf install -y \
         audit-libs-devel \
         augeas \
-        bash-completion \
+        bash-completion-devel \
         ca-certificates \
         ccache \
         clang \
@@ -33,12 +33,7 @@ function install_buildenv() {
         glusterfs-api-devel \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -58,17 +53,13 @@ function install_buildenv() {
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \
@@ -82,6 +73,7 @@ function install_buildenv() {
         systemd-devel \
         systemd-rpm-macros \
         systemtap-sdt-devel \
+        systemtap-sdt-dtrace \
         wireshark-devel \
         xen-devel
     rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

ci/buildenv/fedora-rawhide-cross-mingw32.sh

@@ -24,22 +24,13 @@ function install_buildenv() {
         git \
         glibc-langpack-en \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
         libnbd-devel \
         libxml2 \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
-        numad \
         perl-base \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/fedora-rawhide-cross-mingw64.sh

@@ -24,22 +24,13 @@ function install_buildenv() {
         git \
         glibc-langpack-en \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
         libnbd-devel \
         libxml2 \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
-        numad \
         perl-base \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/fedora-rawhide.sh

@@ -34,12 +34,7 @@ function install_buildenv() {
         glusterfs-api-devel \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -59,17 +54,13 @@ function install_buildenv() {
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-black \
         python3-docutils \

ci/buildenv/opensuse-leap-15.sh

@@ -33,9 +33,6 @@ function install_buildenv() {
            glibc-locale \
            glusterfs-devel \
            grep \
-           iproute2 \
-           iptables \
-           kmod \
            libacl-devel \
            libapparmor-devel \
            libattr-devel \
@@ -60,17 +57,12 @@ function install_buildenv() {
            libxml2 \
            libxml2-devel \
            libxslt \
-           lvm2 \
            make \
            meson \
-           nfs-utils \
            ninja \
-           numad \
-           open-iscsi \
            parted-devel \
            perl-base \
            pkgconfig \
-           polkit \
            python3-base \
            python3-docutils \
            python3-flake8 \

ci/buildenv/opensuse-tumbleweed.sh

@@ -32,9 +32,6 @@ function install_buildenv() {
            glibc-locale \
            glusterfs-devel \
            grep \
-           iproute2 \
-           iptables \
-           kmod \
            libacl-devel \
            libapparmor-devel \
            libattr-devel \
@@ -59,17 +56,12 @@ function install_buildenv() {
            libxml2 \
            libxml2-devel \
            libxslt \
-           lvm2 \
            make \
            meson \
-           nfs-utils \
            ninja \
-           numad \
-           open-iscsi \
            parted-devel \
            perl-base \
            pkgconfig \
-           polkit \
            python3-base \
            python3-black \
            python3-docutils \

ci/buildenv/ubuntu-2204.sh

@@ -26,9 +26,6 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libacl1-dev \
             libapparmor-dev \
             libattr1-dev \
@@ -66,16 +63,11 @@ function install_buildenv() {
             libxml2-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/buildenv/ubuntu-2404.sh

@@ -26,9 +26,6 @@ function install_buildenv() {
             gettext \
             git \
             grep \
-            iproute2 \
-            iptables \
-            kmod \
             libacl1-dev \
             libapparmor-dev \
             libattr1-dev \
@@ -66,16 +63,11 @@ function install_buildenv() {
             libxml2-dev \
             libxml2-utils \
             locales \
-            lvm2 \
             make \
             meson \
-            nfs-common \
             ninja-build \
-            numad \
-            open-iscsi \
             perl-base \
             pkgconf \
-            polkitd \
             python3 \
             python3-docutils \
             python3-pytest \

ci/cirrus/freebsd-13.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip-3.8'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/cirrus/freebsd-14.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/containers/almalinux-9.Dockerfile

@@ -34,12 +34,7 @@ RUN dnf update -y && \
         glibc-langpack-en \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -59,17 +54,13 @@ RUN dnf update -y && \
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-docutils \
         python3-flake8 \

ci/containers/alpine-322.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM docker.io/library/alpine:3.21
+FROM docker.io/library/alpine:3.22
 
 RUN apk update && \
     apk upgrade && \
@@ -30,10 +30,8 @@ RUN apk update && \
         glib-dev \
         gnutls-dev \
         grep \
-        iproute2 \
         iptables \
         json-c-dev \
-        kmod \
         libcap-ng-dev \
         libnl3-dev \
         libpcap-dev \
@@ -45,19 +43,15 @@ RUN apk update && \
         libxml2-dev \
         libxml2-utils \
         libxslt \
-        lvm2 \
         lvm2-dev \
         make \
         meson \
         musl-dev \
         netcf-dev \
-        nfs-utils \
         numactl-dev \
-        open-iscsi \
         parted-dev \
         perl \
         pkgconf \
-        polkit \
         py3-docutils \
         py3-flake8 \
         py3-pytest \

ci/containers/alpine-edge.Dockerfile

@@ -30,10 +30,8 @@ RUN apk update && \
         glib-dev \
         gnutls-dev \
         grep \
-        iproute2 \
         iptables \
         json-c-dev \
-        kmod \
         libcap-ng-dev \
         libnl3-dev \
         libpcap-dev \
@@ -45,19 +43,15 @@ RUN apk update && \
         libxml2-dev \
         libxml2-utils \
         libxslt \
-        lvm2 \
         lvm2-dev \
         make \
         meson \
         musl-dev \
         netcf-dev \
-        nfs-utils \
         numactl-dev \
-        open-iscsi \
         parted-dev \
         perl \
         pkgconf \
-        polkit \
         py3-docutils \
         py3-flake8 \
         py3-pytest \

ci/containers/centos-stream-9.Dockerfile

@@ -35,12 +35,7 @@ RUN dnf distro-sync -y && \
         glibc-langpack-en \
         gnutls-devel \
         grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
         json-c-devel \
-        kmod \
         libacl-devel \
         libattr-devel \
         libblkid-devel \
@@ -60,17 +55,13 @@ RUN dnf distro-sync -y && \
         libxml2 \
         libxml2-devel \
         libxslt \
-        lvm2 \
         make \
         meson \
-        nfs-utils \
         ninja-build \
         numactl-devel \
-        numad \
         parted-devel \
         perl-base \
         pkgconfig \
-        polkit \
         python3 \
         python3-docutils \
         python3-flake8 \

ci/containers/debian-12-cross-aarch64.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-armv6l.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-armv7l.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-i686.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-mips64el.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-mipsel.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-ppc64le.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12-cross-s390x.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-12.Dockerfile

@@ -28,9 +28,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libacl1-dev \
                       libapparmor-dev \
                       libattr1-dev \
@@ -67,16 +64,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libxml2-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-sid-cross-aarch64.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-sid-cross-armv6l.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \
@@ -88,7 +80,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libparted-dev:armel \
                       libpcap0.8-dev:armel \
                       libpciaccess-dev:armel \
-                      librbd-dev:armel \
                       libreadline-dev:armel \
                       libsanlock-dev:armel \
                       libsasl2-dev:armel \

ci/containers/debian-sid-cross-armv7l.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \
@@ -88,7 +80,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libparted-dev:armhf \
                       libpcap0.8-dev:armhf \
                       libpciaccess-dev:armhf \
-                      librbd-dev:armhf \
                       libreadline-dev:armhf \
                       libsanlock-dev:armhf \
                       libsasl2-dev:armhf \
@@ -97,7 +88,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libssh2-1-dev:armhf \
                       libtirpc-dev:armhf \
                       libudev-dev:armhf \
-                      libxen-dev:armhf \
                       libxml2-dev:armhf \
                       systemtap-sdt-dev:armhf && \
     eatmydata apt-get autoremove -y && \

ci/containers/debian-sid-cross-i686.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \
@@ -88,7 +80,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libparted-dev:i386 \
                       libpcap0.8-dev:i386 \
                       libpciaccess-dev:i386 \
-                      librbd-dev:i386 \
                       libreadline-dev:i386 \
                       libsanlock-dev:i386 \
                       libsasl2-dev:i386 \

ci/containers/debian-sid-cross-mips64el.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-sid-cross-ppc64le.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-sid-cross-s390x.Dockerfile

@@ -26,23 +26,15 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libclang-rt-dev \
                       libnbd-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/debian-sid.Dockerfile

@@ -28,9 +28,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libacl1-dev \
                       libapparmor-dev \
                       libattr1-dev \
@@ -67,16 +64,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libxml2-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/fedora-41.Dockerfile

@@ -44,12 +44,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                glusterfs-api-devel \
                gnutls-devel \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
                json-c-devel \
-               kmod \
                libacl-devel \
                libattr-devel \
                libblkid-devel \
@@ -69,17 +64,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                libxml2 \
                libxml2-devel \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
                numactl-devel \
-               numad \
                parted-devel \
                perl-base \
                pkgconfig \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/fedora-42-cross-mingw32.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:41
+FROM registry.fedoraproject.org/fedora:42
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\
@@ -34,22 +34,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                git \
                glibc-langpack-en \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
-               kmod \
                libnbd-devel \
                libxml2 \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
-               numad \
                perl-base \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/fedora-42-cross-mingw64.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:41
+FROM registry.fedoraproject.org/fedora:42
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\
@@ -34,22 +34,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                git \
                glibc-langpack-en \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
-               kmod \
                libnbd-devel \
                libxml2 \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
-               numad \
                perl-base \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/fedora-42.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:40
+FROM registry.fedoraproject.org/fedora:42
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\
@@ -20,7 +20,7 @@ exec "$@"\n' > /usr/bin/nosync && \
     nosync dnf install -y \
                audit-libs-devel \
                augeas \
-               bash-completion \
+               bash-completion-devel \
                ca-certificates \
                ccache \
                clang \
@@ -44,12 +44,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                glusterfs-api-devel \
                gnutls-devel \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
                json-c-devel \
-               kmod \
                libacl-devel \
                libattr-devel \
                libblkid-devel \
@@ -69,17 +64,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                libxml2 \
                libxml2-devel \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
                numactl-devel \
-               numad \
                parted-devel \
                perl-base \
                pkgconfig \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \
@@ -93,6 +84,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                systemd-devel \
                systemd-rpm-macros \
                systemtap-sdt-devel \
+               systemtap-sdt-dtrace \
                wireshark-devel \
                xen-devel && \
     nosync dnf autoremove -y && \

ci/containers/fedora-rawhide-cross-mingw32.Dockerfile

@@ -35,22 +35,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                git \
                glibc-langpack-en \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
-               kmod \
                libnbd-devel \
                libxml2 \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
-               numad \
                perl-base \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/fedora-rawhide-cross-mingw64.Dockerfile

@@ -35,22 +35,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                git \
                glibc-langpack-en \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
-               kmod \
                libnbd-devel \
                libxml2 \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
-               numad \
                perl-base \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/fedora-rawhide.Dockerfile

@@ -45,12 +45,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                glusterfs-api-devel \
                gnutls-devel \
                grep \
-               iproute \
-               iproute-tc \
-               iptables \
-               iscsi-initiator-utils \
                json-c-devel \
-               kmod \
                libacl-devel \
                libattr-devel \
                libblkid-devel \
@@ -70,17 +65,13 @@ exec "$@"\n' > /usr/bin/nosync && \
                libxml2 \
                libxml2-devel \
                libxslt \
-               lvm2 \
                make \
                meson \
-               nfs-utils \
                ninja-build \
                numactl-devel \
-               numad \
                parted-devel \
                perl-base \
                pkgconfig \
-               polkit \
                python3 \
                python3-black \
                python3-docutils \

ci/containers/opensuse-leap-15.Dockerfile

@@ -34,9 +34,6 @@ RUN zypper update -y && \
            glibc-locale \
            glusterfs-devel \
            grep \
-           iproute2 \
-           iptables \
-           kmod \
            libacl-devel \
            libapparmor-devel \
            libattr-devel \
@@ -61,17 +58,12 @@ RUN zypper update -y && \
            libxml2 \
            libxml2-devel \
            libxslt \
-           lvm2 \
            make \
            meson \
-           nfs-utils \
            ninja \
-           numad \
-           open-iscsi \
            parted-devel \
            perl-base \
            pkgconfig \
-           polkit \
            python3-base \
            python3-docutils \
            python3-flake8 \

ci/containers/opensuse-tumbleweed.Dockerfile

@@ -33,9 +33,6 @@ RUN zypper dist-upgrade -y && \
            glibc-locale \
            glusterfs-devel \
            grep \
-           iproute2 \
-           iptables \
-           kmod \
            libacl-devel \
            libapparmor-devel \
            libattr-devel \
@@ -60,17 +57,12 @@ RUN zypper dist-upgrade -y && \
            libxml2 \
            libxml2-devel \
            libxslt \
-           lvm2 \
            make \
            meson \
-           nfs-utils \
            ninja \
-           numad \
-           open-iscsi \
            parted-devel \
            perl-base \
            pkgconfig \
-           polkit \
            python3-base \
            python3-black \
            python3-docutils \

ci/containers/ubuntu-2204.Dockerfile

@@ -28,9 +28,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libacl1-dev \
                       libapparmor-dev \
                       libattr1-dev \
@@ -68,16 +65,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libxml2-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/containers/ubuntu-2404.Dockerfile

@@ -28,9 +28,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       gettext \
                       git \
                       grep \
-                      iproute2 \
-                      iptables \
-                      kmod \
                       libacl1-dev \
                       libapparmor-dev \
                       libattr1-dev \
@@ -68,16 +65,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libxml2-dev \
                       libxml2-utils \
                       locales \
-                      lvm2 \
                       make \
                       meson \
-                      nfs-common \
                       ninja-build \
-                      numad \
-                      open-iscsi \
                       perl-base \
                       pkgconf \
-                      polkitd \
                       python3 \
                       python3-docutils \
                       python3-pytest \

ci/gitlab/builds.yml

@@ -33,15 +33,15 @@ x86_64-almalinux-9-clang:
     TARGET_BASE_IMAGE: docker.io/library/almalinux:9
 
 
-x86_64-alpine-321:
+x86_64-alpine-322:
   extends: .native_build_job
   needs:
-    - job: x86_64-alpine-321-container
+    - job: x86_64-alpine-322-container
       optional: true
   allow_failure: false
   variables:
-    NAME: alpine-321
-    TARGET_BASE_IMAGE: docker.io/library/alpine:3.21
+    NAME: alpine-322
+    TARGET_BASE_IMAGE: docker.io/library/alpine:3.22
 
 
 x86_64-alpine-edge:
@@ -103,21 +103,6 @@ x86_64-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-x86_64-fedora-40:
-  extends: .native_build_job
-  needs:
-    - job: x86_64-fedora-40-container
-      optional: true
-  allow_failure: false
-  variables:
-    NAME: fedora-40
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:40
-  artifacts:
-    expire_in: 1 day
-    paths:
-      - libvirt-rpms
-
-
 x86_64-fedora-41:
   extends: .native_build_job
   needs:
@@ -133,6 +118,21 @@ x86_64-fedora-41:
       - libvirt-rpms
 
 
+x86_64-fedora-42:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-fedora-42-container
+      optional: true
+  allow_failure: false
+  variables:
+    NAME: fedora-42
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - libvirt-rpms
+
+
 x86_64-fedora-rawhide:
   extends: .native_build_job
   needs:
@@ -416,29 +416,29 @@ s390x-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-mingw32-fedora-41:
+mingw32-fedora-42:
   extends: .cross_build_job
   needs:
-    - job: mingw32-fedora-41-container
+    - job: mingw32-fedora-42-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw32
     JOB_OPTIONAL: 1
-    NAME: fedora-41
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:41
+    NAME: fedora-42
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
 
 
-mingw64-fedora-41:
+mingw64-fedora-42:
   extends: .cross_build_job
   needs:
-    - job: mingw64-fedora-41-container
+    - job: mingw64-fedora-42-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw64
-    NAME: fedora-41
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:41
+    NAME: fedora-42
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
 
 
 mingw32-fedora-rawhide:

ci/gitlab/containers.yml

@@ -14,11 +14,11 @@ x86_64-almalinux-9-container:
     NAME: almalinux-9
 
 
-x86_64-alpine-321-container:
+x86_64-alpine-322-container:
   extends: .container_job
   allow_failure: false
   variables:
-    NAME: alpine-321
+    NAME: alpine-322
 
 
 x86_64-alpine-edge-container:
@@ -49,13 +49,6 @@ x86_64-debian-sid-container:
     NAME: debian-sid
 
 
-x86_64-fedora-40-container:
-  extends: .container_job
-  allow_failure: false
-  variables:
-    NAME: fedora-40
-
-
 x86_64-fedora-41-container:
   extends: .container_job
   allow_failure: false
@@ -63,6 +56,13 @@ x86_64-fedora-41-container:
     NAME: fedora-41
 
 
+x86_64-fedora-42-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: fedora-42
+
+
 x86_64-fedora-rawhide-container:
   extends: .container_job
   allow_failure: true
@@ -220,19 +220,19 @@ s390x-debian-sid-container:
     NAME: debian-sid-cross-s390x
 
 
-mingw32-fedora-41-container:
+mingw32-fedora-42-container:
   extends: .container_job
   allow_failure: false
   variables:
     JOB_OPTIONAL: 1
-    NAME: fedora-41-cross-mingw32
+    NAME: fedora-42-cross-mingw32
 
 
-mingw64-fedora-41-container:
+mingw64-fedora-42-container:
   extends: .container_job
   allow_failure: false
   variables:
-    NAME: fedora-41-cross-mingw64
+    NAME: fedora-42-cross-mingw64
 
 
 mingw32-fedora-rawhide-container:

ci/lcitool/projects/libvirt.yml

@@ -27,9 +27,6 @@ packages:
   - glusterfs
   - gnutls
   - grep
-  - ip
-  - iptables
-  - iscsiadm
   - json-c
   - libacl
   - libattr
@@ -54,16 +51,12 @@ packages:
   - libtirpc
   - libudev
   - libxml2
-  - lvm2
   - make
   - meson
-  - modprobe
   - netcf
   - ninja
-  - numad
   - openwsman
   - perl
-  - pkcheck
   - pkg-config
   - portablexdr
   - python3
@@ -74,10 +67,8 @@ packages:
   - rpmbuild
   - sanlock
   - sed
-  - showmount
   - systemd-rpm-macros
   - systemtap
-  - tc
   - wireshark
   - xen
   - xmllint

ci/manifest.yml

@@ -19,7 +19,7 @@ targets:
           RPM: skip
           CC: clang
 
-  alpine-321: x86_64
+  alpine-322: x86_64
 
   alpine-edge:
     jobs:
@@ -104,7 +104,7 @@ targets:
         containers: false
         builds: false
 
-  fedora-40:
+  fedora-41:
     jobs:
       - arch: x86_64
         artifacts:
@@ -112,7 +112,7 @@ targets:
           paths:
             - libvirt-rpms
 
-  fedora-41:
+  fedora-42:
     jobs:
       - arch: x86_64
         artifacts:

docs/bugs.rst

@@ -76,6 +76,20 @@ Linux Distribution specific bug reports
    like to have your procedure for filing bugs mentioned here, please mail the
    libvirt development list.
 
+Use of automated tools / AI agents
+----------------------------------
+
+If any automated tool / AI agent is used to identify a bug / security
+flaw, the following additional expectations apply when filing a report:
+
+- The tool / agent used **MUST** be clearly declared in the description
+- All stated facts **MUST** be validated as correct and free from AI
+  hallucinations prior to filing
+- The problem **MUST** be described against an upstream release that is
+  no more than 3 months old.
+- The problem **SHOULD** be analysed and accompanied with a proposed
+  patch that can be directly applied to current git
+
 How to file high quality bug reports
 ------------------------------------
 

docs/coding-style.rst

@@ -633,7 +633,7 @@ analysis tools understand the code better:
 ``G_GNUC_FALLTHROUGH``
    allow code reuse by multiple switch cases
 
-``G_NO_INLINE``
+``ATTRIBUTE_MOCKABLE``
    the function is mocked in the test suite
 
 ``G_GNUC_NORETURN``

docs/compiling.rst

@@ -105,8 +105,8 @@ Notes:
 ~~~~~~
 
 By default when the ``meson`` is run from within a GIT checkout, it will turn
-on -Werror for builds. This can be disabled with --werror=false, but this is
-not recommended.
+on -Werror for builds. This can be disabled with
+``-Dwerror=false -Dgit_werror=disabled``, but this is not recommended.
 
 Please ensure that you have the appropriate minimal ``meson`` version installed
 in your build environment. The minimal version for a specific package can be

docs/css/libvirt.css

@@ -123,6 +123,17 @@ img.diagram {
     margin-bottom: 1em;
 }
 
+#documentation #application-development ul li p {
+    padding-bottom: 0px;
+    padding-top: 0px;
+}
+
+#documentation #application-development ul {
+    margin-left: 2em;
+    padding-top: 0px;
+    padding-bottom: 0px;
+}
+
 .removedhv {
     color: darkred;
 }

docs/docs.rst

@@ -60,24 +60,46 @@ Application development
 -----------------------
 
 `API reference <html/index.html>`__
-   Reference manual for the C public API, split in
-   `common <html/libvirt-libvirt-common.html>`__,
-   `domain <html/libvirt-libvirt-domain.html>`__,
-   `domain checkpoint <html/libvirt-libvirt-domain-checkpoint.html>`__,
-   `domain snapshot <html/libvirt-libvirt-domain-snapshot.html>`__,
-   `error <html/libvirt-virterror.html>`__,
-   `event <html/libvirt-libvirt-event.html>`__,
-   `host <html/libvirt-libvirt-host.html>`__,
-   `interface <html/libvirt-libvirt-interface.html>`__,
-   `network <html/libvirt-libvirt-network.html>`__,
-   `node device <html/libvirt-libvirt-nodedev.html>`__,
-   `network filter <html/libvirt-libvirt-nwfilter.html>`__,
-   `secret <html/libvirt-libvirt-secret.html>`__,
-   `storage <html/libvirt-libvirt-storage.html>`__,
-   `stream <html/libvirt-libvirt-stream.html>`__ and
-   `admin <html/libvirt-libvirt-admin.html>`__,
-   `QEMU <html/libvirt-libvirt-qemu.html>`__,
-   `LXC <html/libvirt-libvirt-lxc.html>`__ libs
+   Reference manual for the C public API, split in:
+
+   * `common <html/libvirt-libvirt-common.html>`__
+   * `domain <html/libvirt-libvirt-domain.html>`__
+   * `domain checkpoint <html/libvirt-libvirt-domain-checkpoint.html>`__
+   * `domain snapshot <html/libvirt-libvirt-domain-snapshot.html>`__
+   * `error <html/libvirt-virterror.html>`__
+   * `event <html/libvirt-libvirt-event.html>`__
+   * `host <html/libvirt-libvirt-host.html>`__
+   * `interface <html/libvirt-libvirt-interface.html>`__
+   * `network <html/libvirt-libvirt-network.html>`__
+   * `node device <html/libvirt-libvirt-nodedev.html>`__
+   * `network filter <html/libvirt-libvirt-nwfilter.html>`__
+   * `secret <html/libvirt-libvirt-secret.html>`__
+   * `storage <html/libvirt-libvirt-storage.html>`__
+   * `stream <html/libvirt-libvirt-stream.html>`__
+
+   and the documentation for the API of the additional libs:
+
+   * `admin <html/libvirt-libvirt-admin.html>`__
+   * `QEMU <html/libvirt-libvirt-qemu.html>`__
+   * `LXC <html/libvirt-libvirt-lxc.html>`__
+
+`XML schemas <format.html>`__
+   Description of the XML schemas for
+
+   * `domains <formatdomain.html>`__
+   * `networks <formatnetwork.html>`__
+   * `network ports <formatnetworkport.html>`__
+   * `network filtering <formatnwfilter.html>`__
+   * `storage <formatstorage.html>`__
+   * `storage encryption <formatstorageencryption.html>`__
+   * `capabilities <formatcaps.html>`__
+   * `domain capabilities <formatdomaincaps.html>`__
+   * `storage pool capabilities <formatstoragecaps.html>`__
+   * `node devices <formatnode.html>`__
+   * `secrets <formatsecret.html>`__
+   * `snapshots <formatsnapshot.html>`__
+   * `checkpoints <formatcheckpoint.html>`__
+   * `backup jobs <formatbackup.html>`__
 
 `Language bindings and API modules <bindings.html>`__
    Bindings of the libvirt API for
@@ -92,23 +114,6 @@ Application development
    and integration API modules for
    `D-Bus <dbus.html>`__
 
-`XML schemas <format.html>`__
-   Description of the XML schemas for
-   `domains <formatdomain.html>`__,
-   `networks <formatnetwork.html>`__,
-   `network ports <formatnetworkport.html>`__,
-   `network filtering <formatnwfilter.html>`__,
-   `storage <formatstorage.html>`__,
-   `storage encryption <formatstorageencryption.html>`__,
-   `capabilities <formatcaps.html>`__,
-   `domain capabilities <formatdomaincaps.html>`__,
-   `storage pool capabilities <formatstoragecaps.html>`__,
-   `node devices <formatnode.html>`__,
-   `secrets <formatsecret.html>`__,
-   `snapshots <formatsnapshot.html>`__,
-   `checkpoints <formatcheckpoint.html>`__,
-   `backup jobs <formatbackup.html>`__
-
 `URI format <uri.html>`__
    The URI formats used for connecting to libvirt
 

docs/downloads.rst

@@ -326,13 +326,7 @@ repositories on GitHub:
 
 ::
 
-   https://github.com/libvirt/
-
-And there are also read-only mirrors on libvirt.org:
-
-::
-
-   git clone https://libvirt.org/git/[module name].git
+   git clone https://github.com/libvirt/[module name].git
 
 Note that for most repositories, development happens via merge requests
 on GitLab. However, for the main `libvirt.git` repository all patch review and

docs/drvbhyve.rst

@@ -7,8 +7,10 @@ Bhyve driver
 .. contents::
 
 Bhyve is a FreeBSD hypervisor. It first appeared in FreeBSD 10.0. However, it's
-recommended to keep tracking FreeBSD 10-STABLE to make sure all new features of
-bhyve are supported. In order to enable bhyve on your FreeBSD host, you'll need
+recommended to use the
+`latest supported release <https://www.freebsd.org/releases/>`__
+to make sure all new features of bhyve are supported.
+In order to enable bhyve on your FreeBSD host, you'll need
 to load the ``vmm`` kernel module. Additionally, ``if_tap`` and ``if_bridge``
 modules should be loaded for networking support. Also, :since:`since 3.2.0` the
 ``virt-host-validate(1)`` supports the bhyve host validation and could be used
@@ -327,6 +329,26 @@ This uses the UEFI firmware provided by the
 `sysutils/bhyve-firmware <https://www.freshports.org/sysutils/bhyve-firmware/>`__
 FreeBSD port.
 
+:since:`Since 11.4.0`, it's possible to configure an NVRAM file:
+
+::
+
+    <os>
+      <type>hvm</type>
+      <loader readonly="yes" type="pflash">/usr/local/share/uefi-firmware/BHYVE_UEFI.fd</loader>
+      <nvram template='/usr/local/share/edk2-bhyve/BHYVE_UEFI_VARS.fd'>/var/lib/libvirt/bhyve/nvram/myvm.fd</nvram>
+    </os>
+
+Alternatively, it's also possible to let the driver automatically configure
+the firmware and NVRAM:
+
+::
+
+    <os firmware='efi'>
+      <type>hvm</type>
+      <nvram/>
+    </os>
+
 VNC and the tablet input device could be configured this way:
 
 ::
@@ -582,3 +604,37 @@ Note that these extensions are for testing and development purposes only. They
 are **unsupported**, using them may result in inconsistent state, and upgrading
 either bhyve or libvirtd maybe break behavior of a domain that was relying on a
 specific commands pass-through.
+
+Random number generator device
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+:since:`Since 11.3.0` it's possible to use the virtio random number generator devices.
+
+Example:
+
+::
+
+   ...
+     <rng model='virtio'>
+       <backend model='random'/>
+     </rng>
+   ...
+
+TCP console
+~~~~~~~~~~~
+:since:`Since 11.6.0` it's possible to configure TCP console.
+
+Example:
+
+::
+
+   ...
+     <serial type='tcp'>
+       <source mode='bind' host='127.0.0.1' service='12345'/>
+       <target type='serial' port='0'/>
+     </serial>
+   ...
+
+Note: there's no direct way to check if the actual ``bhyve`` binary supports
+the TCP console. Thus, libvirt always assumes it's supported. Please
+refer to the ``bhyve(1)`` manual page to make sure.

docs/drvesx.rst

@@ -91,7 +91,7 @@ Multiple parameters are separated by ``&``.
 
 ::
 
-   ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456
+   ?no_verify=1&auto_answer=1&proxy=socks://example-proxy.com:23456&cacert=certs/ca-bundle.pem
 
 The driver understands the extra parameters shown below.
 
@@ -146,6 +146,16 @@ The driver understands the extra parameters shown below.
 |                 |                             | ``port`` allows to override |
 |                 |                             | the default port 1080.      |
 +-----------------+-----------------------------+-----------------------------+
+| ``cacert``      | Path to a file with one     | The specified file will be  |
+|                 | or more certificates        | used for verifying the      |
+|                 |                             | remote host certificate     |
+|                 |                             | instead of the default      |
+|                 |                             | system one.                 |
+|                 |                             | :since:`Since 11.5.0`.      |
+|                 |                             | Does nothing if             |
+|                 |                             | ``no_verify`` is set        |
+|                 |                             | to ``1``.                   |
++-----------------+-----------------------------+-----------------------------+
 
 Authentication
 ~~~~~~~~~~~~~~
@@ -181,8 +191,10 @@ error like this one:
 
    error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60)
 
-Where are two ways to solve this problem:
+Where are three ways to solve this problem:
 
+-  Use the ``cacert`` `Extra parameters`_ to point to a certificate bundle
+   with the CA that signed the SSL certificate used on the ESX server.
 -  Use the ``no_verify=1`` `Extra parameters`_ to disable server
    certificate verification.
 -  Generate new SSL certificates signed by a CA known to your client computer

docs/drvqemu.rst

@@ -5,7 +5,7 @@
 QEMU/KVM/HVF hypervisor driver
 ==============================
 
-The libvirt KVM/QEMU driver can manage any QEMU emulator from version 4.2.0 or
+The libvirt KVM/QEMU driver can manage any QEMU emulator from version 6.2.0 or
 later.
 
 It supports multiple QEMU accelerators: software

docs/firewall.rst

@@ -285,7 +285,6 @@ useful rules:
    fb57c546-76dc-a372-513f-e8179011b48a  no-mac-spoofing
    dba10ea7-446d-76de-346f-335bd99c1d05  no-other-l2-traffic
    f5c78134-9da4-0c60-a9f0-fb37bc21ac1f  no-other-rarp-traffic
-   7637e405-4ccf-42ac-5b41-14f8d03d8cf3  qemu-announce-self
    9aed52e7-f0f3-343e-fe5c-7dcb27b594e5  qemu-announce-self-rarp
 
 Most of these are just building blocks. The interesting one here is

docs/formatbackup.rst

@@ -1,3 +1,5 @@
+ .. role:: since
+
 Backup XML format
 =================
 
@@ -42,6 +44,29 @@ were supplied). The following child elements and attributes are supported:
    necessary to set up an NBD server that exposes the content of each disk at
    the time the backup is started.
 
+   In addition to the above the NBD server used for backups allows using
+   ``transport='fd' fdgroup='NAME'`` where ``NAME`` is the name used with
+   ``virDomainFDAssociate()`` to pass a pre-opened server socket file descriptor
+   to qemu. :since:`Since 11.3.0`
+
+   Example code to pass a socket with libvirt-python bindings::
+
+     import socket
+     import libvirt
+     import selinux
+
+     # Optionally setup selinux context for the socket if the distro uses it
+     # selinux.setsockcreatecon_raw("system_u:object_r:svirt_t:s0")
+
+     s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+     s.bind("/path/to/socket")
+
+     fdlist = [ s.fileno() ]
+
+     conn = libvirt.open()
+     dom = conn.lookupByName("VMNAME")
+     dom.FDAssociate("NAME", fdlist)
+
    Note that for the QEMU hypervisor the TLS environment in controlled using
    ``backup_tls_x509_cert_dir``, ``backup_tls_x509_verify``, and
    ``backup_tls_x509_secret_uuid`` properties in ``/etc/libvirt/qemu.conf``.

docs/formatdomain.rst

@@ -54,6 +54,13 @@ General metadata
 
    :since:`Since 0.8.7`, it is also possible to provide the UUID via a
    `SMBIOS System Information`_ specification.
+``hwuuid``
+   The optional ``hwuuid`` element can be used to supply an alternative UUID for
+   identifying the virtual machine from the domain ``uuid`` above. The difference
+   between using the ``hwuuid`` element and simply providing an alternative UUID
+   via a `SMBIOS System Information`_ specification is that the ``hwuuid`` affects
+   all devices that expose the UUID to the guest.
+   :since:`Since 11.7.0 QEMU/KVM only`
 ``genid``
    :since:`Since 4.4.0`, the ``genid`` element can be used to add a Virtual
    Machine Generation ID which exposes a 128-bit, cryptographically random,
@@ -1139,7 +1146,7 @@ influence how virtual memory pages are backed by host pages.
    element is introduced. It has one compulsory attribute ``size`` which
    specifies which hugepages should be used (especially useful on systems
    supporting hugepages of different sizes). The default unit for the ``size``
-   attribute is kilobytes (multiplier of 1024). If you want to use different
+   attribute is kiB (multiplier of 1024). If you want to use different
    unit, use optional ``unit`` attribute. For systems with NUMA, the optional
    ``nodeset`` attribute may come handy as it ties given guest's NUMA nodes to
    certain hugepage sizes. From the example snippet, one gigabyte hugepages are
@@ -1674,6 +1681,14 @@ In case no restrictions need to be put on CPU model and its features, a simpler
       </cpu>
       ...
 
+``deprecated_features``
+   :since:`Since 11.0.0`, S390 guests may utilize the ``deprecated_features``
+   attribute to specify toggling of CPU model features that are flagged as
+   deprecated by the hypervisor. When this attribute is set to ``off``, the
+   active guest XML will reflect the respective features with the disable
+   policy. When this attribute is set to ``on``, the respective features will
+   be enabled.
+
 ``cache``
    :since:`Since 3.3.0` the ``cache`` element describes the virtual CPU cache.
    If the element is missing, the hypervisor will use a sensible default.
@@ -2132,32 +2147,34 @@ are:
    based virtualization drivers, such as LXC.
 ``hyperv``
    Enable various features improving behavior of guests running Microsoft
-   Windows.
+   Windows. :since:`Since 11.3.0` some of these flags are also available for
+   Xen domains running Microsoft Windows.
 
    =============== ====================================================================== ============================================ ========================================================================
    Feature         Description                                                            Value                                        Since
    =============== ====================================================================== ============================================ ========================================================================
-   relaxed         Relax constraints on timers                                            on, off                                      :since:`1.0.0 (QEMU 2.0)`
-   vapic           Enable virtual APIC                                                    on, off                                      :since:`1.1.0 (QEMU 2.0)`
+   relaxed         Relax constraints on timers                                            on, off                                      :since:`1.0.0 (QEMU 2.0), 11.3.0 (Xen, always on)`
+   vapic           Enable virtual APIC                                                    on, off                                      :since:`1.1.0 (QEMU 2.0), 11.3.0 (Xen)`
    spinlocks       Enable spinlock support                                                on, off; retries - at least 4095             :since:`1.1.0 (QEMU 2.0)`
-   vpindex         Virtual processor index                                                on, off                                      :since:`1.3.3 (QEMU 2.5)`
+   vpindex         Virtual processor index                                                on, off                                      :since:`1.3.3 (QEMU 2.5), 11.3.0 (Xen, always on)`
    runtime         Processor time spent on running guest code and on behalf of guest code on, off                                      :since:`1.3.3 (QEMU 2.5)`
-   synic           Enable Synthetic Interrupt Controller (SynIC)                          on, off                                      :since:`1.3.3 (QEMU 2.6)`
-   stimer          Enable SynIC timers, optionally with Direct Mode support               on, off; direct - on,off                     :since:`1.3.3 (QEMU 2.6), direct mode 5.7.0 (QEMU 4.1)`
+   synic           Enable Synthetic Interrupt Controller (SynIC)                          on, off                                      :since:`1.3.3 (QEMU 2.6), 11.3.0 (Xen)`
+   stimer          Enable SynIC timers, optionally with Direct Mode support               on, off; direct - on,off                     :since:`1.3.3 (QEMU 2.6), direct mode 5.7.0 (QEMU 4.1), 11.3.0 (Xen, on/off only)`
    reset           Enable hypervisor reset                                                on, off                                      :since:`1.3.3 (QEMU 2.5)`
    vendor_id       Set hypervisor vendor id                                               on, off; value - string, up to 12 characters :since:`1.3.3 (QEMU 2.5)`
-   frequencies     Expose frequency MSRs                                                  on, off                                      :since:`4.7.0 (QEMU 2.12)`
+   frequencies     Expose frequency MSRs                                                  on, off                                      :since:`4.7.0 (QEMU 2.12), 11.3.0 (Xen)`
    reenlightenment Enable re-enlightenment notification on migration                      on, off                                      :since:`4.7.0 (QEMU 3.0)`
-   tlbflush        Enable PV TLB flush support                                            on, off; direct - on,off; extended - on,off  :since:`4.7.0 (QEMU 3.0), direct and extended modes 11.0.0 (QEMU 7.1.0)`
-   ipi             Enable PV IPI support                                                  on, off                                      :since:`4.10.0 (QEMU 3.1)`
+   tlbflush        Enable PV TLB flush support                                            on, off; direct - on,off; extended - on,off  :since:`4.7.0 (QEMU 3.0), direct and extended modes 11.0.0 (QEMU 7.1.0), 11.3.0 (Xen, on/off only)`
+   ipi             Enable PV IPI support                                                  on, off                                      :since:`4.10.0 (QEMU 3.1), 11.3.0 (Xen)`
    evmcs           Enable Enlightened VMCS                                                on, off                                      :since:`4.10.0 (QEMU 3.1)`
    avic            Enable use Hyper-V SynIC with hardware APICv/AVIC                      on, off                                      :since:`8.10.0 (QEMU 6.2)`
    emsr_bitmap     Avoid unnecessary updates to L2 MSR Bitmap upon vmexits.               on, off                                      :since:`10.7.0 (QEMU 7.1)`
    xmm_input       Enable XMM Fast Hypercall Input                                        on, off                                      :since:`10.7.0 (QEMU 7.1)`
    =============== ====================================================================== ============================================ ========================================================================
 
-   :since:`Since 8.0.0`, the hypervisor can be configured further by setting
-   the ``mode`` attribute to one of the following values:
+   :since:`Since 8.0.0 (QEMU) Since 11.3.0 (Xen)`, the hypervisor can be
+   configured further by setting the ``mode`` attribute to one of the following
+   values:
 
    ``custom``
       Set exactly the specified features.
@@ -2822,7 +2839,7 @@ paravirtualized driver is specified via the ``disk`` element.
      <disk type='file' device='disk'>
        <driver name='qemu' type='qcow2' />
        <source file='/var/lib/libvirt/images/disk.qcow2'/>
-       <target dev='vdh' bus='virtio'/>
+       <target dev='nvme0n1' bus='nvme'/>
        <throttlefilters>
          <throttlefilter group='limit2'/>
          <throttlefilter group='limit012'/>
@@ -2860,10 +2877,25 @@ paravirtualized driver is specified via the ``disk`` element.
 
    ``model``
       Indicates the emulated device model of the disk. Typically this is
-      indicated solely by the ``bus`` property but for ``bus`` "virtio" the
-      model can be specified further with "virtio", "virtio-transitional" or
-      "virtio-non-transitional". See `virtio device models`_
-      for more details. :since:`Since 5.2.0`
+      indicated solely by the ``bus`` property.
+
+      For ``bus`` "virtio" the model can be specified further with "virtio",
+      "virtio-transitional" or "virtio-non-transitional". See `virtio device
+      models`_ for more details. :since:`Since 5.2.0`
+
+      For ``bus`` "usb" the model can be specified further with ``usb-storage``
+      or ``usb-bot``. There is no difference between the two models for
+      ``<disk type='disk'>``. However  with ``usb-bot`` a device configured as
+      ``<disk type='cdrom'>`` is properly exposed as a cdrom device inside the
+      guest OS. Unfortunately this configuration is not ABI compatible with
+      ``usb-storage`` and thus it can't be interchanged during migration.
+
+      The QEMU hypervisor driver will pick ``usb-bot`` for cold starts or
+      hotplug for cdrom devices to properly configure the devices. This is
+      not compatible for migration to older versions of libvirt and explicit
+      configuration needs to be used.
+      :since:`Since 11.5.0`; relevant only for ``QEMU`` hypervisor.
+
    ``rawio``
       Indicates whether the disk needs rawio capability. Valid settings are
       "yes" or "no" (default is "no"). If any one disk in a domain has
@@ -2941,6 +2973,12 @@ paravirtualized driver is specified via the ``disk`` element.
       the optional attribute ``tlsHostname`` can be used to override the
       expected host name of the NBD server used for TLS certificate verification.
 
+      For "rbd", the ``name`` attribute could be two formats: the format of
+      ``pool_name/image_name`` includes the rbd pool name and image name with
+      default rbd pool namespace; for the customized namespace, the format is
+      ``pool_name/namespace/image_name`` ( :since:`Since 11.6.0 and QEMU 5.0` ).
+      The pool name, namespace and image are separated by slash.
+
       For protocols ``http`` and ``https`` an optional attribute ``query``
       specifies the query string. ( :since:`Since 6.2.0` )
 
@@ -3311,7 +3349,8 @@ paravirtualized driver is specified via the ``disk`` element.
    name in the guest OS. Treat it as a device ordering hint. The optional
    ``bus`` attribute specifies the type of disk device to emulate; possible
    values are driver specific, with typical values being "ide", "scsi",
-   "virtio", "xen", "usb", "sata", or "sd" :since:`"sd" since 1.1.2`. If
+   "virtio", "xen", "usb", "sata", "sd", or "nvme"
+   :since:`"sd" since 1.1.2, "nvme" since 11.5.0`. If
    omitted, the bus type is inferred from the style of the device name (e.g. a
    device named 'sda' will typically be exported using a SCSI bus). The optional
    attribute ``tray`` indicates the tray status of the removable disks (i.e.
@@ -3449,8 +3488,12 @@ paravirtualized driver is specified via the ``disk`` element.
       and sync requests from guest are ignored).
       :since:`Since 0.6.0`
    -  The optional ``error_policy`` attribute controls how the hypervisor will
-      behave on a disk read or write error, possible values are "stop",
-      "report" (:since:`since 0.9.7`), "ignore", and "enospace".
+      behave on a disk read or write error, possible values are ``stop``
+      (suspend/pause the domain on error), ``report`` (report the error to the
+      guest OS; :since:`since 0.9.7`), ``ignore`` (ignore the error and try to
+      continue), and ``enospace`` (suspend/pause the domain only if host storage
+      is full; report the error to the guest OS otherwise).
+
       The default is left to the discretion of the hypervisor.
       :since:`Since 0.8.0`.
    -  The optional ``rerror_policy`` attribute controls behavior for read
@@ -3645,7 +3688,9 @@ paravirtualized driver is specified via the ``disk`` element.
    If present, this specify serial number of virtual hard drive. For example, it
    may look like ``<serial>WD-WMAP9A966149</serial>``. Not supported for
    scsi-block devices, that is those using disk ``type`` 'block' using
-   ``device`` 'lun' on ``bus`` 'scsi'. :since:`Since 0.7.1`
+   ``device`` 'lun' on ``bus`` 'scsi'. Also not supported for multiple NVMe
+   devices on the same controller since those have serial number per controller
+   and not per disk. :since:`Since 0.7.1`
 
    Note that depending on hypervisor and device type the serial number may be
    truncated silently. IDE/SATA devices are commonly limited to 20 characters.
@@ -4134,6 +4179,10 @@ device hotplug is expected.
        <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
      </controller>
      <controller type='xenbus' maxGrantFrames='64' maxEventChannels='2047'/>
+     <controller type='nvme'>
+       <serial>
+       ...
+       </serial>
      ...
    </devices>
    ...
@@ -4180,6 +4229,12 @@ specific features, such as:
    specifies maximum number of event channels (PV interrupts) that can be used
    by the guest.
 
+``nvme``
+   Supported :since:`Since 11.5.0`, the ``nvme`` controller can be used to
+   support NVMe disks.  It has an optional ``serial`` sub-element just like
+   regular disks do.
+
+
 Note: The PowerPC64 "spapr-vio" addresses do not have an associated controller.
 
 For controllers that are themselves devices on a PCI or USB bus, an optional
@@ -4292,7 +4347,7 @@ attribute are
 -  ``pcie-to-pci-bridge`` ( :since:`since 4.3.0` )
 
 The root controllers (``pci-root`` and ``pcie-root``) have an optional
-``pcihole64`` element specifying how big (in kilobytes, or in the unit specified
+``pcihole64`` element specifying how big (in kiB, or in the unit specified
 by ``pcihole64``'s ``unit`` attribute) the 64-bit PCI hole should be. Some
 guests (like Windows XP or Windows Server 2003) might crash when QEMU and
 Seabios are recent enough to support 64-bit PCI holes, unless this is disabled
@@ -5054,8 +5109,8 @@ MAC address is outside of the reserved VMWare ranges.
 
 :since:`Since 11.2.0`, the ``<mac/>`` element can optionally contain
 ``currentAddress`` attribute (output only), which contains new MAC address if the
-guest changed it. This is currently implemented only for QEMU/KVM and requires
-setting ``trustGuestRxFilters`` to ``yes``.
+guest changed it. This is currently implemented only for the model type ``virtio``
+in QEMU/KVM and requires setting ``trustGuestRxFilters`` to ``yes``.
 
 :since:`Since 7.3.0`, one can set the ACPI index against network interfaces.
 With some operating systems (eg Linux with systemd), the ACPI index is used
@@ -5244,15 +5299,7 @@ network address by including an ``ip`` element specifying an IPv4
 address in its one mandatory attribute, ``address``. Optionally, a
 second ``ip`` element with a ``family`` attribute set to "ipv6" can be
 specified to add an IPv6 address to the interface. ``address``.
-Optionally, an address ``prefix`` can be specified. These settings are
-surprisingly **not** used by SLIRP to set the exact IP address;
-instead they are used to determine what network/subnet the guest's IP
-address should be on, and the guest will be given an address in that
-subnet, but the host portion of the address will still be "2.15". In
-the example below, for example, the guest will be given the IP address
-172.17.2.15 (**note that the '1.1' in the host portion of the address
-has been ignored**), default route of 172.17.2.2, and DNS server
-172.17.2.3.
+Optionally, an address ``prefix`` can be specified.
 
 ::
 
@@ -5268,6 +5315,59 @@ has been ignored**), default route of 172.17.2.2, and DNS server
    </devices>
    ...
 
+These settings are surprisingly **not** used by SLIRP to set the exact
+IP address; instead they are used to determine what **network/subnet**
+the guest's IP address should be on, and the guest will be given an
+address in that subnet, but the host portion of the address will still
+be the host portion of "10.0.2.15" (based on the configured prefix (or
+a prefix of 24 if no prefix is specified). The DNS and default gateway
+addresses given to the guest will be similarly based on the network
+portion of the configuration-provided <ip> combined with the host
+portion of SLIRPs default settings for DNS/gateway
+(10.0.2.3/10.0.2.2). To help resolve the confusion of the previous
+sentences, the table below shows examples of the settings that will be
+provided to the guest (via a DHCP response) to use for its interface
+config (ip/prefix, DNS, default gateway) for various settings of <ip>
+element address and prefix in libvirt's <interface type='user'>
+config:
+
+.. list-table::
+   :header-rows: 1
+
+   * - libvirt <ip> element
+     - guest ip/prefix
+     - guest DNS
+     - guest default gateway
+
+   * - (unspecified)
+     - 10.0.2.15/24
+     - 10.0.2.3
+     - 10.0.2.2
+
+   * - address='172.17.1.1'
+       prefix='16'
+     - 172.17.2.15/16
+     - 172.17.2.3
+     - 172.17.2.2
+
+   * - address='172.17.1.1'
+       prefix='24'
+     - 172.17.1.15/24
+     - 172.17.1.3
+     - 172.17.1.2
+
+   * - address='172.17.1.1'
+       prefix='8'
+     - 172.0.2.15/16
+     - 172.0.2.3
+     - 172.0.2.2
+
+   * - address='172.17.1.1'
+       prefix='23'
+     - 172.17.0.15/23
+     - 172.17.0.3
+     - 172.17.0.2
+
 Userspace connection using passt
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -5309,8 +5409,10 @@ any conflict).
 Also different from SLIRP's behavior: if you do specify IP
 address(es), the exact address and netmask/prefix you specify will be
 provided to the guest (i.e. passt doesn't interpret the <ip> settings
-as a network address like SLIRP does, but as a host address). In
-example given above, the guest IP would be set to exactly 172.17.1.1.
+as a network address like SLIRP does, but as a host address). In the
+table of examples given above, the guest IP would be set to exactly
+172.17.1.1 in all cases (the DNS and default gateway will be set
+the same as they are on the host).
 
 Just as with SLIRP, though, once traffic from the guest leaves the
 host towards the rest of the network, it will always appear as if it
@@ -6509,7 +6611,7 @@ setting guest-side IP addresses with ``<ip>`` and port forwarding with
        <backend type='passt'/>
        <mac address='52:54:00:3b:83:1a'/>
        <source dev='enp1s0'/>
-       <ip address='10.30.0.5 prefix='24'/>
+       <ip address='10.30.0.5' prefix='24'/>
      </interface>
    </devices>
    ...
@@ -6644,7 +6746,7 @@ interaction with the admin.
        <listen type='address' address='1.2.3.4'/>
      </graphics>
      <graphics type='rdp' autoport='yes' multiUser='yes'/>
-     <graphics type='desktop' fullscreen='yes'/>
+     <graphics type='desktop'/>
      <graphics type='spice'>
        <listen type='network' network='rednet'/>
      </graphics>
@@ -6825,8 +6927,7 @@ interaction with the admin.
    ``desktop``
       This value is reserved for VirtualBox domains for the moment. It displays
       a window on the host desktop, similarly to "sdl", but using the VirtualBox
-      viewer. Just like "sdl", it accepts the optional attributes ``display``
-      and ``fullscreen``.
+      viewer. Just like "sdl", it accepts the optional attribute ``display``.
 
    ``egl-headless`` :since:`Since 4.6.0`
       This display type provides support for an OpenGL accelerated display
@@ -7009,6 +7110,14 @@ A video device.
    sub-element is valid for model types "vga", "qxl", "bochs", "gop",
    and "virtio".
 
+   :since:`Since 11.7.0` (QEMU driver only), the ``model`` element may have an
+   optional ``edid`` attribute that can be set to ``on`` or ``off``. If the
+   ``edid`` attribute is not specified then the device will use its default value.
+   Otherwise setting ``edid`` to ``on`` will expose the device EDID blob to the
+   guest, whilst setting it to ``off`` will hide the device EDID blob from the
+   guest. The ``edid`` attribute is only valid for model types ``vga``, ``bochs``,
+   and ``virtio``.
+
 ``acceleration``
    Configure if video acceleration should be enabled.
 
@@ -8995,8 +9104,9 @@ Example:
 
 ``model``
    Supported values are ``intel`` (for Q35 guests) ``smmuv3``
-   (:since:`since 5.5.0`, for ARM virt guests), and ``virtio``
-   (:since:`since 8.3.0`, for Q35 and ARM virt guests).
+   (:since:`since 5.5.0`, for ARM virt guests), ``virtio``
+   (:since:`since 8.3.0`, for Q35 and ARM virt guests) and
+   ``amd`` (:since:`since 11.5.0`).
 
 ``driver``
    The ``driver`` subelement can be used to configure additional options, some
@@ -9011,14 +9121,15 @@ Example:
    ``caching_mode``
       The ``caching_mode`` attribute with possible values ``on`` and ``off`` can
       be used to turn on the VT-d caching mode (useful for assigned devices).
-      :since:`Since 3.4.0` (QEMU/KVM only)
+      :since:`Since 3.4.0` (QEMU/KVM and ``intel`` model only)
 
    ``eim``
       The ``eim`` attribute (with possible values ``on`` and ``off``) can be
       used to configure Extended Interrupt Mode. A q35 domain with split I/O
       APIC (as described in `Hypervisor features`_), and
       both interrupt remapping and EIM turned on for the IOMMU, will be able to
-      use more than 255 vCPUs. :since:`Since 3.4.0` (QEMU/KVM only)
+      use more than 255 vCPUs. :since:`Since 3.4.0` (QEMU/KVM and ``intel`` model
+      only)
 
    ``iotlb``
       The ``iotlb`` attribute with possible values ``on`` and ``off`` can be
@@ -9028,14 +9139,22 @@ Example:
    ``aw_bits``
       The ``aw_bits`` attribute can be used to set the address width to allow
       mapping larger iova addresses in the guest. :since:`Since 6.5.0` (QEMU/KVM
-      only)
+      and ``intel`` model only)
 
    ``dma_translation``
       The ``dma_translation`` attribute with possible values ``on`` and ``off`` can
       be used to turn off the dma translation for IOMMU. It is useful when only
       interrupt remapping is required but dma translation overhead is unwanted, for
       example to efficiently enable more than 255 vCPUs.
-      :since:`Since 10.7.0` (QEMU/KVM only)
+      :since:`Since 10.7.0` (QEMU/KVM and ``intel`` model only)
+
+   ``passthrough``
+      Enable passthrough. In this mode, DMA read/writes are not translated.
+      :since:`Since 11.5.0` (QEMU/KVM and ``amd`` model only)
+
+   ``xtsup``
+      Enable x2APIC mode. Useful for higher number of guest CPUs.
+      :since:`Since 11.5.0` (QEMU/KVM and ``amd`` model only)
 
 The ``virtio`` IOMMU devices can further have ``address`` element as described
 in `Device addresses`_ (address has to by type of ``pci``).
@@ -9438,6 +9557,69 @@ The ``<launchSecurity/>`` element then accepts the following child elements:
    the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
 
 
+The contents of the ``<launchSecurity type='tdx'>`` element is used to provide
+the guest owners input used for creating an encrypted VM using the Intel TDX
+(Trusted Domain eXtensions). Intel TDX refers to an Intel technology that
+extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption
+(MKTME) with a new kind of virtual machine guest called a Trust Domain (TD).
+A TD runs in a CPU mode that is designed to protect the confidentiality of its
+memory contents and its CPU state from any other software, including the hosting
+Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself.
+Example configuration:
+
+::
+
+   <domain>
+     ...
+     <launchSecurity type='tdx'>
+       <policy>0x10000001</policy>
+       <mrConfigId>xxx</mrConfigId>
+       <mrOwner>xxx</mrOwner>
+       <mrOwnerConfig>xxx</mrOwnerConfig>
+       <quoteGenerationService path="/var/run/tdx-qgs/qgs.socket"/>
+     </launchSecurity>
+     ...
+   </domain>
+
+``policy``
+   The optional ``policy`` element provides the guest TD attributes which is
+   passed by the host VMM as a guest TD initialization parameter as part of
+   TD_PARAMS, it exactly matches the definition of TD_PARAMS.ATTRIBUTES in
+   (Intel TDX Module Spec Table 22.2: ATTRIBUTES Definition). It is reported
+   to the guest TD by TDG.VP.INFO and as part of TDREPORT_STRUCT returned by
+   TDG.MR.REPORT. The guest policy is 64bit unsigned with the fields shown
+   in Table:
+
+   ====== ====================================================================================
+   Bit(s) Description
+   ====== ====================================================================================
+   0      Guest TD runs in off-TD debug mode when set
+   1:27   reserved
+   28     Disable EPT violation conversion to #VE on guest TD access of PENDING pages when set
+   29:63  reserved
+   ====== ====================================================================================
+
+``mrConfigId``
+   The optional ``mrConfigId`` element provides ID for non-owner-defined
+   configuration of the guest TD, e.g., run-time or OS configuration
+   (base64 encoded SHA384 digest).
+
+``@mrOwner``
+   The optional ``@mrOwner`` element provides ID for the guest TD’s owner
+   (base64 encoded SHA384 digest).
+
+``mrOwnerConfig``
+   The optional ``mrOwnerConfig`` element provides ID for owner-defined
+   configuration of the guest TD, e.g., specific to the workload rather than
+   the run-time or OS (base64 encoded SHA384 digest).
+
+``quoteGenerationService``
+   The optional ``quoteGenerationService`` subelement provides Quote Generation
+   Service(QGS) daemon socket address configuration. It includes an optional
+   ``path`` attribute to determine the UNIX socket address, when omitted,
+   ``/var/run/tdx-qgs/qgs.socket`` is used as default. User in TD guest cannot
+   get TD quoting for attestation if this subelement is not provided.
+
 Example configs
 ===============
 

docs/formatdomaincaps.rst

@@ -720,6 +720,7 @@ capabilities. All features occur as children of the main ``features`` element.
        <backingStoreInput supported='yes'/>
        <backup supported='yes'/>
        <async-teardown supported='yes'/>
+       <tdx supported='yes'/>
        <sev>
          <cbitpos>47</cbitpos>
          <reduced-phys-bits>1</reduced-phys-bits>

docs/formatnetwork.rst

@@ -468,10 +468,10 @@ follows, where accepted values for each attribute is an integer number.
 
 ``average``
    Specifies the desired average bit rate for the interface being shaped (in
-   kilobytes/second).
+   kiB/second).
 ``peak``
    Optional attribute which specifies the maximum rate at which the bridge can
-   send data (in kilobytes/second). Note the limitation of implementation: this
+   send data (in kiB/second). Note the limitation of implementation: this
    attribute in the ``outbound`` element is ignored (as Linux ingress filters
    don't know it yet).
 ``burst``

docs/formatnwfilter.rst

@@ -438,7 +438,7 @@ several other filters.
      <filterref filter='allow-incoming-ipv4'/>
      <filterref filter='no-arp-spoofing'/>
      <filterref filter='no-other-l2-traffic'/>
-     <filterref filter='qemu-announce-self'/>
+     <filterref filter='qemu-announce-self-rarp'/>
    </filter>
 
 To reference another filter, the XML node ``filterref`` needs to be provided

docs/hacking.rst

@@ -90,6 +90,58 @@ formal ID documents, but should not be anonymous, nor misrepresent
 who you are. The presence of this line attests that the contributor
 has read the above linked DCO and agrees with its statements.
 
+Use of AI content generators
+============================
+
+TL;DR:
+
+  **Current libvirt project policy is to DECLINE any contributions which are
+  believed to include or derive from AI generated content. This includes
+  ChatGPT, Claude, Copilot, Llama and similar tools.**
+
+The increasing prevalence of AI-assisted software development results in a
+number of difficult legal questions and risks for software projects, including
+libvirt. Of particular concern is content generated by `Large Language Models
+<https://en.wikipedia.org/wiki/Large_language_model>`__ (LLMs).
+
+The libvirt community requires that contributors certify their patch submissions
+are made in accordance with the rules of the `Developer Certificate of
+Origin`_.
+
+To satisfy the DCO, the patch contributor has to fully understand the
+copyright and license status of content they are contributing to libvirt. With
+AI content generators, the copyright and license status of the output is
+ill-defined with no generally accepted, settled legal foundation.
+
+Where the training material is known, it is common for it to include large
+volumes of material under restrictive licensing/copyright terms. Even where
+the training material is all known to be under open source licenses, it is
+likely to be under a variety of terms, not all of which will be compatible
+with libvirt's licensing requirements.
+
+How contributors could comply with DCO terms (b) or (c) for the output of AI
+content generators commonly available today is unclear. The libvirt project is
+not willing or able to accept the legal risks of non-compliance.
+
+The libvirt project thus requires that contributors refrain from using AI
+content generators on patches intended to be submitted to the project, and
+will decline any contribution if use of AI is either known or suspected.
+
+This policy does not apply to other uses of AI, such as researching APIs or
+algorithms, static analysis, or debugging, provided their output is not to be
+included in contributions.
+
+Examples of tools impacted by this policy includes GitHub's CoPilot, OpenAI's
+ChatGPT, Anthropic's Claude, and Meta's Code Llama, and code/content
+generation agents which are built on top of such tools.
+
+This policy may evolve as AI tools mature and the legal situation is
+clarified. In the meanwhile, requests for exceptions to this policy will be
+evaluated by the libvirt project on a case by case basis. To be granted an
+exception, a contributor will need to demonstrate clarity of the license and
+copyright status for the tool's output in relation to its training model and
+code, to the satisfaction of the project maintainers.
+
 Further reading
 ===============
 

docs/hooks.rst

@@ -211,7 +211,10 @@ operation. There is no specific operation to indicate a "restart" is occurring.
       /etc/libvirt/hooks/qemu guest_name stopped end -
 
    Then, after libvirt has released all resources, the hook is called again,
-   :since:`since 0.9.0`, to allow any additional resource cleanup:
+   :since:`since 0.9.0`, to allow any additional resource cleanup.
+   The ``shutoff-reason`` argument (:since:`since 10.5.0`; before that
+   '-' was passed instead) provides the reason for the shutdown of
+   the domain.
 
    ::
 
@@ -331,7 +334,10 @@ operation. There is no specific operation to indicate a "restart" is occurring.
       /etc/libvirt/hooks/lxc guest_name stopped end -
 
    Then, after libvirt has released all resources, the hook is called again,
-   :since:`since 0.9.0`, to allow any additional resource cleanup:
+   :since:`since 0.9.0`, to allow any additional resource cleanup.
+   The ``shutoff-reason`` argument (:since:`since 10.5.0`; before that
+   '-' was passed instead) provides the reason for the shutdown of
+   the domain.
 
    ::
 

docs/kbase/failed_connection_after_install.rst

@@ -28,6 +28,16 @@ not work when run as root:
    error: Operation not supported: Cannot use direct socket mode if no URI is set.
    For more information see https://libvirt.org/kbase/failed_connection_after_install.html
 
+Or
+
+::
+
+   # virsh list
+   error: failed to connect to the hypervisor
+   error: Operation not supported: No URI is provided and cannot identify any listening
+   daemon socket path to attempt to connect to. For more information see
+   https://libvirt.org/kbase/failed_connection_after_install.html
+
 Root cause
 ==========
 

docs/kbase/qemu-passthrough-security.rst

@@ -139,7 +139,7 @@ As a last resort it is possible to disable security protection host wide which
 will affect all virtual machines. These settings are all made in
 ``/etc/libvirt/qemu.conf``
 
-* SELinux - set ``security_default_confied = 0`` to make QEMU run unconfined by
+* SELinux - set ``security_default_confined = 0`` to make QEMU run unconfined by
   default, while still allowing explicit opt-in to SELinux for VMs.
 
 * DAC - set ``user = root`` and ``group = root`` to make QEMU run as the root

docs/kbase/tlscerts.rst

@@ -104,6 +104,18 @@ connect provided they have a valid certificate issued by the CA for their own IP
 address. You may want to change this to make it less (or more) permissive,
 depending on your needs.
 
+The following sections will describe how to created the data needed for the TLS
+setup. They use templates to create Certificate Authority, server and client
+certificates.
+
+Important: versions of libvirt before 11.6.0 also required the ``encryption_key``
+flag in the server and client template. This is no longer mandated since it is
+not applicable for use with many modern cryptographic algorithms, but it is
+harmless if present as it will be ignored. If compatibility with both old and
+new libvirt versions is required, then this extra flag must be added when
+creating the certificate.
+
+
 Setting up a Certificate Authority (CA)
 ---------------------------------------
 
@@ -204,7 +216,6 @@ define the server as follows:
    ip_address = 2001:cafe::74
    ip_address = fe20::24
    tls_www_server
-   encryption_key
    signing_key
 
 The 'cn' field should refer to the fully qualified public hostname of the
@@ -298,7 +309,6 @@ briefly cover the steps.
       organization = Libvirt Project
       cn = client1
       tls_www_client
-      encryption_key
       signing_key
 
    and sign by doing:
@@ -319,7 +329,29 @@ briefly cover the steps.
 Troubleshooting TLS certificate problems
 ----------------------------------------
 
-failed to verify client's certificate
+* TLS socket
+
+  After setting up your sever certificates you'll have to start libvirt's
+  tls socket and restart the corresponding daemon if it was already running,
+  i.e.
+
+ * for modular daemon setup run
+
+   ::
+
+       systemctl start virtproxyd-tls.socket
+       systemctl try-start virtproxyd.service
+
+ * for monolithic daemon setup run
+
+   ::
+
+       systemctl start libvirtd-tls.socket
+       systemctl try-start libvirtd.service
+
+
+* failed to verify client's certificate
+
   On the server side, run the libvirtd server with the '--listen' and
   '--verbose' options while the client is connecting. The verbose log messages
   should tell you enough to diagnose the problem.

docs/manpages/virsh.rst

@@ -140,6 +140,14 @@ Output elapsed time information for each command.
 
 
 
+- ``--no-pkttyagent``
+
+Do not register ``pkttyagent`` as authentication agent with the
+polkit system daemon, even if ``virsh`` has been started from a
+terminal.
+
+
+
 - ``-v``, ``--version[=short]``
 
 Ignore all other arguments, and prints the version of the libvirt library
@@ -427,10 +435,25 @@ nodeinfo
    nodeinfo
 
 Returns basic information about the node, like number and type of CPU,
-and size of the physical memory. The output corresponds to virNodeInfo
-structure. Specifically, the "CPU socket(s)" field means number of CPU
-sockets per NUMA cell. The information libvirt displays is dependent
-upon what each architecture may provide.
+and size of the physical memory.
+
+Use of this command is strongly discouraged as the information provided
+is not guaranteed to be accurate on all hardware platforms.
+
+The *CPU frequency* value merely reflects the speed that the first CPU in the
+machine is currently running at. This speed may vary across CPUs and changes
+continually as the host OS throttles.
+
+The data structure used to fetch the data is not extensible thus only supports
+global nodes/sockets/cores/threads (sockets/cores/threads is per NUMA node)
+topology information. If the host CPU has any further groupings (e.g.
+dies, clusters, etc) or the NUMA topology is non-symmetrical the data structure
+can't faithfully represent the system. In such cases a fake topology
+(nodes = 1, sockets = 1, cores = number of host cpus, threads = 1) which
+only correctly represents the total host CPU count is reported.
+
+Recommended replacement is to use the *capabilities* command which reports
+the data (except frequency) under ``/capabilities/host/topology`` XPath.
 
 
 nodecpumap
@@ -989,12 +1012,18 @@ hypervisor-cpu-baseline
 ::
 
    hypervisor-cpu-baseline [FILE] [virttype] [emulator] [arch] [machine]
-      [--features] [--migratable] [model]
+      [--features] [--migratable] [--ignore-host] [model]
 
 Compute a baseline CPU which will be compatible with all CPUs defined in an XML
-*file* and with the CPU the hypervisor is able to provide on the host. (This
-is different from ``cpu-baseline`` which does not consider any hypervisor
-abilities when computing the baseline CPU.)
+*FILE*. This command must be called on one of the hosts described in *FILE*.
+Calling it on another host results in an undefined behavior as the computed CPU
+model is influenced by the hypervisor (the result may use an unexpected CPU
+model or some features may disabled even though they are supported on all input
+CPUs). The undefined behavior can be avoided using *--ignore-host* option (see
+below).
+
+This is different from ``cpu-baseline`` which does not consider any hypervisor
+abilities when computing the baseline CPU.
 
 As an alternative for *FILE* in case the XML would only contain a CPU model
 with no additional features the CPU model name itself can be passed as *model*.
@@ -1031,7 +1060,11 @@ specifies the path to the emulator, *arch* specifies the CPU architecture, and
 resulting XML description will explicitly include all features that make up the
 CPU, without this option features that are part of the CPU model will not be
 listed in the XML description. If *--migratable* is specified, features that
-block migration will not be included in the resulting CPU.
+block migration will not be included in the resulting CPU. If *--ignore-host*
+is specified and *FILE* contains more than one CPU, the command will not
+consider hypervisor abilities when computing the baseline. With this option
+baseline can be safely computed on any host (even those not described in
+*FILE*).
 
 
 hypervisor-cpu-models
@@ -1073,12 +1106,17 @@ autostart
 
 ::
 
-   autostart [--disable] domain
+   autostart [--disable] [--once] domain
 
 
-Configure a domain to be automatically started at boot.
+Configure a domain to be automatically started at each boot of the host. The
+*--once* option configures the domain to be started on the next boot of the host.
 
-The option *--disable* disables autostarting.
+The option *--disable* disables the corresponding autostarting.
+
+Note that autostart configured via the *--once* option is independent from the
+autostart configured without it. Enabling either of them will cause the VM to
+be started on the next boot of the host.
 
 
 blkdeviotune
@@ -2246,7 +2284,7 @@ If no *--inbound* or *--outbound* is specified, this command will
 query and show the bandwidth settings. Otherwise, it will set the
 inbound or outbound bandwidth. *average,peak,burst,floor* is the same as
 in command *attach-interface*.  Values for *average*, *peak* and *floor*
-are expressed in kilobytes per second, while *burst* is expressed in kilobytes
+are expressed in kiB per second, while *burst* is expressed in kiB
 in a single burst at *peak* speed as described in the Network XML
 documentation at
 `https://libvirt.org/formatnetwork.html#quality-of-service <https://libvirt.org/formatnetwork.html#quality-of-service>`__.
@@ -3034,6 +3072,36 @@ When *--timestamp* is used, a human-readable timestamp will be printed
 before the event.
 
 
+await
+-----
+
+**Syntax:**
+
+::
+
+  await <domain> --condition <string> [--timeout seconds]
+
+Wait until the *--condition* for <domain> is satisfied. Uses events for
+efficient state updates.
+
+Supported conditions:
+
+ *domain-inactive*
+
+    domain is or becomes inactive
+
+ *guest-agent-available*
+
+    the guest agent inside the guest connects and becomes available for commands
+    (usually means that the guest has booted)
+
+If *--timeout* is specified, the command gives up waiting for the condition to
+satisfy after *seconds* have elapsed. If SIGINT is delivered to virsh
+(usually via ``Ctrl-C``) the wait is given up immediately. In non-interactive
+mode virsh will return '2' if either of those cases instead of '1' which means
+an error happened.
+
+
 get-user-sshkeys
 ----------------
 
@@ -3613,10 +3681,9 @@ host. By default only non-shared non-readonly images are transferred. Use
 transfer via the comma separated ``disk-list`` argument.
 The *--migrate-disks-detect-zeroes* option which takes a comma separated list of
 disk target names enables zeroed block detection for the listed migrated disks.
-These blocks are not transferred or allocated on destination, effectively
-sparsifying the disk at the cost of CPU overhead. Users must ensure that any
-pre-created storage source is cleared and thus reads all-zeroes before using
-this option as otherwise the destination image may become corrupted.
+These blocks are not transferred or allocated (requires that 'discard' option
+on given disk is set to 'unmap') on destination, effectively sparsifying the
+disk at the cost of CPU overhead.
 With *--copy-storage-synchronous-writes* flag used the disk data migration will
 synchronously handle guest disk writes to both the original source and the
 destination to ensure that the disk migration converges at the price of possibly
@@ -5233,8 +5300,8 @@ interface.  At least one from the *average*, *floor* pair must be
 specified.  The other two *peak* and *burst* are optional, so
 "average,peak", "average,,burst", "average,,,floor", "average" and
 ",,,floor" are also legal.  Values for *average*, *floor* and *peak*
-are expressed in kilobytes per second, while *burst* is expressed in
-kilobytes in a single burst at *peak* speed as described in the
+are expressed in kiB per second, while *burst* is expressed in
+kiB in a single burst at *peak* speed as described in the
 Network XML documentation at
 `https://libvirt.org/formatnetwork.html#quality-of-service <https://libvirt.org/formatnetwork.html#quality-of-service>`__.
 

docs/meson.build

@@ -176,7 +176,6 @@ docs_programs_groups = [
 foreach item : docs_programs_groups
   prog = find_program(item.get('prog'), dirs: libvirt_sbin_path)
   varname = item.get('name').underscorify()
-  conf.set_quoted(varname.to_upper(), prog.full_path())
   set_variable('@0@_prog'.format(varname), prog)
 endforeach
 

docs/nss.rst

@@ -111,6 +111,19 @@ their IP addresses in any other way (usermode networking, assigned network
 devices and so on) will not be able to have their hostnames resolved through
 it.
 
+Debugging
+---------
+
+:since:`Since 11.6.0` both NSS modules check for ``LIBVIRT_NSS_DEBUG``
+environment variable¸ which if set to any value turns on printing of debug and
+error messages onto standard error output. This can be useful when debugging
+either of the module.
+
+::
+
+  $ LIBVIRT_NSS_DEBUG=1 getent hosts mydomain
+
+
 Alternatives
 ------------
 

docs/securityprocess.rst

@@ -27,6 +27,10 @@ and moderated for non-members. As such you will receive an auto-reply indicating
 the report is held for moderation. Postings by non-members will be approved by a
 moderator and the reporter copied on any replies.
 
+Refer to the `bug reporting <bugs.html#use-of-automated-tools-ai-agents>`__
+page for the *expectations around the use of automated tools and AI agents*,
+**prior** to filing any security report.
+
 Security notices
 ----------------
 

docs/storage.rst

@@ -719,7 +719,7 @@ FreeBSD, and :since:`since 1.3.2` experimental support for `ZFS on
 Linux <https://zfsonlinux.org/>`__ version 0.6.4 or newer is available.
 
 A pool could either be created manually using the ``zpool create`` command and
-its name specified in the source section or :since:` since 1.2.9` source devices
+its name specified in the source section or :since:`since 1.2.9` source devices
 could be specified to create a pool using libvirt.
 
 Please refer to the ZFS documentation for details on a pool creation.

docs/uri.rst

@@ -296,7 +296,6 @@ Supported extra parameters:
     **Example:** ``no_verify=1``
 
   ``pkipath``
-
     Specifies x509 certificates path for the client. If any of the CA
     certificate, client certificate, or client key is missing, the connection
     will fail with a fatal error.