Release of libvirt-11.10.0

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

NEWS.rst

@@ -8,6 +8,181 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.
 
 
+v11.10.0 (2025-12-01)
+=====================
+
+* **Security**
+
+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
+  * CVE-2025-13193: Incorrect permissions on images after external snapshot of an inactive VM
+
+    The overlay ``qcow2`` images which are created as part of creation of an
+    external snapshot of an inactive VM had world-readable (644) permissions
+    which would allow unauthorized users to see contents of blocks written by
+    the VM after snapshot was taken. Libvirt now sets proper umask so that
+    the images are created with 600 mode.
+
+* **New features**
+
+  * Hyper-V virttype support for Qemu domains
+
+    Libvirt now supports Hyper-V virttype while lauching QEMU domains. This
+    feature requires Qemu version 10.2.0 or later and is available on Linux
+    hosts where the /dev/mshv is present.
+
+  * Add more statistics for block devices on QEMU domains
+
+    The block devices now report optimal access request sizes as well as
+    statistics such as the queue depth.
+
+* **Improvements**
+
+  * bhyve: VNC ``wait`` attribute support
+
+    Bhyve guests can now be configured to wait for a VNC connection before
+    booting.
+
+  * remote: multiple certificate support
+
+    The remote daemon and client can be configured to load multiple x509
+    certificate identities. This facilitates a transition to certificates
+    supporting Post-Quantum Crytographic algorithms.
+
+  * tools: improved virt-host-validate output
+
+    The virt-host-validate tool will now report extra details when certain
+    checks pass.
+
+  * qemu: Allow backup jobs to continue if guest OS shuts down
+
+    When starting a backup job users can now use a flag which prevents the VM
+    to be completely cleaned up if the guest OS shuts down while the backup is
+    running so that the backup can be finalized.
+
+* **Bug fixes**
+
+  * ch: Use correct domain definition in chDomainGetXMLDesc()
+
+    Cloud-Hypervisor driver claims to support ``VIR_DOMAIN_XML_INACTIVE`` but
+    in fact it never formatted the inactive XML. This is now fixed.
+
+  * esx: Allow disk images in subdirectories
+
+    If a domain has a disk image that's not in a datastore path but in a
+    subdirectory, the ESX driver would have failed to parse that and an error
+    was reported when obtaining domain XML. This is now fixed.
+
+ * qemu: Fix incoming migration to QEMU 10.0.0 and newer
+
+    Due to a change in the way QEMU 10.0.0 reports the state of "ht" CPU
+    feature, incoming migration of a domain with multiple CPU threads would
+    fail with "guest CPU doesn't match specification: extra features: ht"
+    error.
+
+  * qemu: fix incorrect reporting of the TDX launch security type
+
+    The TDX launch security type was incorrectly reported on all platforms
+    if the QEMU binary had it built-in. It is now limited to only platforms
+    with the TDX kernel feature available for use.
+
+  * qemu: set ``detect_zeroes`` for all backing chain layers
+
+    Some block jobs (snapshots, block commit) could modify the backing chain in
+    a way where ``detect_zeroes`` would no longer be honoured. We now set
+    it for all images in the backing chain, so that it will behave correctly
+    even after those operations.
+
+
+v11.9.0 (2025-11-03)
+====================
+
+* **New features**
+
+  * Introduce Hyper-V ``host-model`` mode
+
+    Similarly to CPUs, ``host-model`` mode expands available Hyper-V
+    enlightenments at domain startup into the live XML so that's obvious which
+    enlightenments are enabled.
+
+  * Add support for Hyper-V ``spinlocks`` "never notify" mechanism
+
+    The ``retries`` attribute - which defines after how many failed
+    acquisition attempts to notify the hypervisor - can now hold the
+    special value of 4294967295 which means to never notify the
+    hypervisor.
+
+    If the ``retries`` attribute is omitted this value is used.
+
+  * ch: Network hotplug Support
+
+    Users can now attach and detach network interfaces of Cloud Hypervisor
+    domains at runtime.
+
+  * bhyve: NVMe device support
+
+    Domain XMLs now can use NVMe devices::
+
+     <disk type='file'>
+       <driver name='file' type='raw'/>
+       <source file='/path/to/disk.img'/>
+       <target dev='nvme0n1' bus='nvme'/>
+     </disk>
+
+* **Improvements**
+
+  * qemu: Improvements to USB controller model selection
+
+    Virtualization-friendly USB3 controllers are now used in more situations,
+    Intel-specific USB controllers are relegated to x86 guests, and model
+    selection overall behaves more consistently across architectures.
+
+  * qemu: Validate Hyper-V enlightenment dependencies
+
+    Some Hyper-V enlightenments may require some other enlightenments to be
+    turned on. Libvirt now validates these for new domains.
+
+  * qemu: Introduce virtio options for virtio memory models
+
+    Both virtio-mem and virtio-pmem memory models are virtio devices and as
+    such now support setting various virtio knobs (iommu, ats, packed,
+    page_per_vq) common to other virtio devices.
+
+  * wireshark: Adapt to wireshark-4.6.0
+
+    Libvirt's wireshark dissector plugin adapted to changes made to wireshark
+    dissector API in its 4.6.0 release.
+
+  * qemu: 'manual' disk snapshot mode improvements
+
+    The 'manual' snapshot mode now ensures that also metadata of the images is
+    written out to disk so that user can take snapshots of e.g. qcow2 image
+    safely.
+
+* **Bug fixes**
+
+  * ch: Load ``ch.conf`` from ``SYSCONFDIR``
+
+    Previously, the ``ch.conf`` file for ``ch:///system`` URI was mistakenly
+    loaded from a path under ``LOCALSTATEDIR`` (``/var/...``). This is now
+    fixed and the configuration file is loaded from the ``SYSCONFDIR``
+    (``/etc/...``) location where it's also installed.
+
+
 v11.8.0 (2025-10-01)
 ====================
 

build-aux/syntax-check.mk

@@ -92,7 +92,7 @@ sc_prohibit_raw_virclassnew:
 
 # Avoid raw malloc and free, except in documentation comments.
 sc_prohibit_raw_allocation:
-	@prohibit='^.[^*].*\<((m|c|re)alloc|free|g_malloc) *\([^)]' \
+	@prohibit='^.[^*].*\<((m|c|re)alloc|free|g_malloc|g_new) *\([^)]' \
 	halt='use g_new0/g_malloc0/g_free instead of malloc/free/g_malloc' \
 	  $(_sc_search_regexp)
 

ci/buildenv/almalinux-10.sh

@@ -0,0 +1,93 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+function install_buildenv() {
+    dnf update -y
+    dnf install 'dnf-command(config-manager)' -y
+    dnf config-manager --set-enabled -y crb
+    dnf install -y epel-release
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        systemtap-sdt-dtrace \
+        wireshark-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    rpm -qa | sort > /packages.txt
+    mkdir -p /usr/libexec/ccache-wrappers
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install \
+                  black \
+                  flake8
+}
+
+export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+export LANG="en_US.UTF-8"
+export MAKE="/usr/bin/make"
+export NINJA="/usr/bin/ninja"
+export PYTHON="/usr/bin/python3"

ci/buildenv/almalinux-9.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/alpine-322.sh

@@ -22,7 +22,7 @@ function install_buildenv() {
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/buildenv/alpine-edge.sh

@@ -22,7 +22,7 @@ function install_buildenv() {
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/buildenv/centos-stream-10.sh

@@ -0,0 +1,92 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+function install_buildenv() {
+    dnf distro-sync -y
+    dnf install 'dnf-command(config-manager)' -y
+    dnf config-manager --set-enabled -y crb
+    dnf install -y epel-release
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        wireshark-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    rpm -qa | sort > /packages.txt
+    mkdir -p /usr/libexec/ccache-wrappers
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install \
+                  black \
+                  flake8
+}
+
+export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+export LANG="en_US.UTF-8"
+export MAKE="/usr/bin/make"
+export NINJA="/usr/bin/ninja"
+export PYTHON="/usr/bin/python3"

ci/buildenv/centos-stream-9.sh

@@ -25,7 +25,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/debian-12-cross-aarch64.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:arm64 \
             libcurl4-gnutls-dev:arm64 \
             libdevmapper-dev:arm64 \
-            libfuse-dev:arm64 \
+            libfuse3-dev:arm64 \
             libglib2.0-dev:arm64 \
             libglusterfs-dev:arm64 \
             libgnutls28-dev:arm64 \

ci/buildenv/debian-12-cross-armv6l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armel \
             libcurl4-gnutls-dev:armel \
             libdevmapper-dev:armel \
-            libfuse-dev:armel \
+            libfuse3-dev:armel \
             libglib2.0-dev:armel \
             libglusterfs-dev:armel \
             libgnutls28-dev:armel \

ci/buildenv/debian-12-cross-armv7l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armhf \
             libcurl4-gnutls-dev:armhf \
             libdevmapper-dev:armhf \
-            libfuse-dev:armhf \
+            libfuse3-dev:armhf \
             libglib2.0-dev:armhf \
             libglusterfs-dev:armhf \
             libgnutls28-dev:armhf \

ci/buildenv/debian-12-cross-i686.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:i386 \
             libcurl4-gnutls-dev:i386 \
             libdevmapper-dev:i386 \
-            libfuse-dev:i386 \
+            libfuse3-dev:i386 \
             libglib2.0-dev:i386 \
             libglusterfs-dev:i386 \
             libgnutls28-dev:i386 \

ci/buildenv/debian-12-cross-mips64el.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mips64el \
             libcurl4-gnutls-dev:mips64el \
             libdevmapper-dev:mips64el \
-            libfuse-dev:mips64el \
+            libfuse3-dev:mips64el \
             libglib2.0-dev:mips64el \
             libglusterfs-dev:mips64el \
             libgnutls28-dev:mips64el \

ci/buildenv/debian-12-cross-mipsel.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mipsel \
             libcurl4-gnutls-dev:mipsel \
             libdevmapper-dev:mipsel \
-            libfuse-dev:mipsel \
+            libfuse3-dev:mipsel \
             libglib2.0-dev:mipsel \
             libglusterfs-dev:mipsel \
             libgnutls28-dev:mipsel \

ci/buildenv/debian-12-cross-ppc64le.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:ppc64el \
             libcurl4-gnutls-dev:ppc64el \
             libdevmapper-dev:ppc64el \
-            libfuse-dev:ppc64el \
+            libfuse3-dev:ppc64el \
             libglib2.0-dev:ppc64el \
             libglusterfs-dev:ppc64el \
             libgnutls28-dev:ppc64el \

ci/buildenv/debian-12-cross-s390x.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:s390x \
             libcurl4-gnutls-dev:s390x \
             libdevmapper-dev:s390x \
-            libfuse-dev:s390x \
+            libfuse3-dev:s390x \
             libglib2.0-dev:s390x \
             libglusterfs-dev:s390x \
             libgnutls28-dev:s390x \

ci/buildenv/debian-12.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/debian-sid-cross-aarch64.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:arm64 \
             libcurl4-gnutls-dev:arm64 \
             libdevmapper-dev:arm64 \
-            libfuse-dev:arm64 \
+            libfuse3-dev:arm64 \
             libglib2.0-dev:arm64 \
             libglusterfs-dev:arm64 \
             libgnutls28-dev:arm64 \

ci/buildenv/debian-sid-cross-armv6l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armel \
             libcurl4-gnutls-dev:armel \
             libdevmapper-dev:armel \
-            libfuse-dev:armel \
+            libfuse3-dev:armel \
             libglib2.0-dev:armel \
             libgnutls28-dev:armel \
             libiscsi-dev:armel \

ci/buildenv/debian-sid-cross-armv7l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armhf \
             libcurl4-gnutls-dev:armhf \
             libdevmapper-dev:armhf \
-            libfuse-dev:armhf \
+            libfuse3-dev:armhf \
             libglib2.0-dev:armhf \
             libgnutls28-dev:armhf \
             libiscsi-dev:armhf \

ci/buildenv/debian-sid-cross-i686.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:i386 \
             libcurl4-gnutls-dev:i386 \
             libdevmapper-dev:i386 \
-            libfuse-dev:i386 \
+            libfuse3-dev:i386 \
             libglib2.0-dev:i386 \
             libgnutls28-dev:i386 \
             libiscsi-dev:i386 \

ci/buildenv/debian-sid-cross-mips64el.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mips64el \
             libcurl4-gnutls-dev:mips64el \
             libdevmapper-dev:mips64el \
-            libfuse-dev:mips64el \
+            libfuse3-dev:mips64el \
             libglib2.0-dev:mips64el \
             libglusterfs-dev:mips64el \
             libgnutls28-dev:mips64el \

ci/buildenv/debian-sid-cross-ppc64le.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:ppc64el \
             libcurl4-gnutls-dev:ppc64el \
             libdevmapper-dev:ppc64el \
-            libfuse-dev:ppc64el \
+            libfuse3-dev:ppc64el \
             libglib2.0-dev:ppc64el \
             libglusterfs-dev:ppc64el \
             libgnutls28-dev:ppc64el \

ci/buildenv/debian-sid-cross-s390x.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:s390x \
             libcurl4-gnutls-dev:s390x \
             libdevmapper-dev:s390x \
-            libfuse-dev:s390x \
+            libfuse3-dev:s390x \
             libglib2.0-dev:s390x \
             libglusterfs-dev:s390x \
             libgnutls28-dev:s390x \

ci/buildenv/debian-sid.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/fedora-42.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/fedora-43.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/fedora-rawhide.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/opensuse-leap-15.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/buildenv/opensuse-tumbleweed.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/buildenv/ubuntu-2204.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/ubuntu-2404.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/cirrus/freebsd-13.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip-3.8'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs3 gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/cirrus/freebsd-14.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs3 gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/containers/almalinux-10.Dockerfile

@@ -0,0 +1,96 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+FROM docker.io/library/almalinux:10
+
+RUN dnf update -y && \
+    dnf install 'dnf-command(config-manager)' -y && \
+    dnf config-manager --set-enabled -y crb && \
+    dnf install -y epel-release && \
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        systemtap-sdt-dtrace \
+        wireshark-devel && \
+    dnf autoremove -y && \
+    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    rpm -qa | sort > /packages.txt && \
+    mkdir -p /usr/libexec/ccache-wrappers && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+
+RUN /usr/bin/pip3 install \
+                  black \
+                  flake8
+
+ENV CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+ENV LANG="en_US.UTF-8"
+ENV MAKE="/usr/bin/make"
+ENV NINJA="/usr/bin/ninja"
+ENV PYTHON="/usr/bin/python3"

ci/containers/almalinux-9.Dockerfile

@@ -25,7 +25,7 @@ RUN dnf update -y && \
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/containers/alpine-322.Dockerfile

@@ -23,7 +23,7 @@ RUN apk update && \
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/containers/alpine-edge.Dockerfile

@@ -23,7 +23,7 @@ RUN apk update && \
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/containers/centos-stream-10.Dockerfile

@@ -0,0 +1,95 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+FROM quay.io/centos/centos:stream10
+
+RUN dnf distro-sync -y && \
+    dnf install 'dnf-command(config-manager)' -y && \
+    dnf config-manager --set-enabled -y crb && \
+    dnf install -y epel-release && \
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        wireshark-devel && \
+    dnf autoremove -y && \
+    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    rpm -qa | sort > /packages.txt && \
+    mkdir -p /usr/libexec/ccache-wrappers && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+
+RUN /usr/bin/pip3 install \
+                  black \
+                  flake8
+
+ENV CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+ENV LANG="en_US.UTF-8"
+ENV MAKE="/usr/bin/make"
+ENV NINJA="/usr/bin/ninja"
+ENV PYTHON="/usr/bin/python3"

ci/containers/centos-stream-9.Dockerfile

@@ -26,7 +26,7 @@ RUN dnf distro-sync -y && \
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/containers/debian-12-cross-aarch64.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:arm64 \
                       libcurl4-gnutls-dev:arm64 \
                       libdevmapper-dev:arm64 \
-                      libfuse-dev:arm64 \
+                      libfuse3-dev:arm64 \
                       libglib2.0-dev:arm64 \
                       libglusterfs-dev:arm64 \
                       libgnutls28-dev:arm64 \

ci/containers/debian-12-cross-armv6l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armel \
                       libcurl4-gnutls-dev:armel \
                       libdevmapper-dev:armel \
-                      libfuse-dev:armel \
+                      libfuse3-dev:armel \
                       libglib2.0-dev:armel \
                       libglusterfs-dev:armel \
                       libgnutls28-dev:armel \

ci/containers/debian-12-cross-armv7l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armhf \
                       libcurl4-gnutls-dev:armhf \
                       libdevmapper-dev:armhf \
-                      libfuse-dev:armhf \
+                      libfuse3-dev:armhf \
                       libglib2.0-dev:armhf \
                       libglusterfs-dev:armhf \
                       libgnutls28-dev:armhf \

ci/containers/debian-12-cross-i686.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:i386 \
                       libcurl4-gnutls-dev:i386 \
                       libdevmapper-dev:i386 \
-                      libfuse-dev:i386 \
+                      libfuse3-dev:i386 \
                       libglib2.0-dev:i386 \
                       libglusterfs-dev:i386 \
                       libgnutls28-dev:i386 \

ci/containers/debian-12-cross-mips64el.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mips64el \
                       libcurl4-gnutls-dev:mips64el \
                       libdevmapper-dev:mips64el \
-                      libfuse-dev:mips64el \
+                      libfuse3-dev:mips64el \
                       libglib2.0-dev:mips64el \
                       libglusterfs-dev:mips64el \
                       libgnutls28-dev:mips64el \

ci/containers/debian-12-cross-mipsel.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mipsel \
                       libcurl4-gnutls-dev:mipsel \
                       libdevmapper-dev:mipsel \
-                      libfuse-dev:mipsel \
+                      libfuse3-dev:mipsel \
                       libglib2.0-dev:mipsel \
                       libglusterfs-dev:mipsel \
                       libgnutls28-dev:mipsel \

ci/containers/debian-12-cross-ppc64le.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:ppc64el \
                       libcurl4-gnutls-dev:ppc64el \
                       libdevmapper-dev:ppc64el \
-                      libfuse-dev:ppc64el \
+                      libfuse3-dev:ppc64el \
                       libglib2.0-dev:ppc64el \
                       libglusterfs-dev:ppc64el \
                       libgnutls28-dev:ppc64el \

ci/containers/debian-12-cross-s390x.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:s390x \
                       libcurl4-gnutls-dev:s390x \
                       libdevmapper-dev:s390x \
-                      libfuse-dev:s390x \
+                      libfuse3-dev:s390x \
                       libglib2.0-dev:s390x \
                       libglusterfs-dev:s390x \
                       libgnutls28-dev:s390x \

ci/containers/debian-12.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/debian-sid-cross-aarch64.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:arm64 \
                       libcurl4-gnutls-dev:arm64 \
                       libdevmapper-dev:arm64 \
-                      libfuse-dev:arm64 \
+                      libfuse3-dev:arm64 \
                       libglib2.0-dev:arm64 \
                       libglusterfs-dev:arm64 \
                       libgnutls28-dev:arm64 \

ci/containers/debian-sid-cross-armv6l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armel \
                       libcurl4-gnutls-dev:armel \
                       libdevmapper-dev:armel \
-                      libfuse-dev:armel \
+                      libfuse3-dev:armel \
                       libglib2.0-dev:armel \
                       libgnutls28-dev:armel \
                       libiscsi-dev:armel \

ci/containers/debian-sid-cross-armv7l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armhf \
                       libcurl4-gnutls-dev:armhf \
                       libdevmapper-dev:armhf \
-                      libfuse-dev:armhf \
+                      libfuse3-dev:armhf \
                       libglib2.0-dev:armhf \
                       libgnutls28-dev:armhf \
                       libiscsi-dev:armhf \

ci/containers/debian-sid-cross-i686.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:i386 \
                       libcurl4-gnutls-dev:i386 \
                       libdevmapper-dev:i386 \
-                      libfuse-dev:i386 \
+                      libfuse3-dev:i386 \
                       libglib2.0-dev:i386 \
                       libgnutls28-dev:i386 \
                       libiscsi-dev:i386 \

ci/containers/debian-sid-cross-mips64el.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mips64el \
                       libcurl4-gnutls-dev:mips64el \
                       libdevmapper-dev:mips64el \
-                      libfuse-dev:mips64el \
+                      libfuse3-dev:mips64el \
                       libglib2.0-dev:mips64el \
                       libglusterfs-dev:mips64el \
                       libgnutls28-dev:mips64el \

ci/containers/debian-sid-cross-ppc64le.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:ppc64el \
                       libcurl4-gnutls-dev:ppc64el \
                       libdevmapper-dev:ppc64el \
-                      libfuse-dev:ppc64el \
+                      libfuse3-dev:ppc64el \
                       libglib2.0-dev:ppc64el \
                       libglusterfs-dev:ppc64el \
                       libgnutls28-dev:ppc64el \

ci/containers/debian-sid-cross-s390x.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:s390x \
                       libcurl4-gnutls-dev:s390x \
                       libdevmapper-dev:s390x \
-                      libfuse-dev:s390x \
+                      libfuse3-dev:s390x \
                       libglib2.0-dev:s390x \
                       libglusterfs-dev:s390x \
                       libgnutls28-dev:s390x \

ci/containers/debian-sid.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/fedora-42.Dockerfile

@@ -34,7 +34,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/fedora-43-cross-mingw32.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:42
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\

ci/containers/fedora-43-cross-mingw64.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:42
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\

ci/containers/fedora-43.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:41
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\
@@ -34,7 +34,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/fedora-rawhide.Dockerfile

@@ -35,7 +35,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/opensuse-leap-15.Dockerfile

@@ -25,7 +25,7 @@ RUN zypper update -y && \
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/containers/opensuse-tumbleweed.Dockerfile

@@ -24,7 +24,7 @@ RUN zypper dist-upgrade -y && \
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/containers/ubuntu-2204.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/ubuntu-2404.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/gitlab/builds.yml

@@ -33,6 +33,32 @@ x86_64-almalinux-9-clang:
     TARGET_BASE_IMAGE: docker.io/library/almalinux:9
 
 
+x86_64-almalinux-10:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-almalinux-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    JOB_OPTIONAL: 1
+    NAME: almalinux-10
+    RPM: skip
+    TARGET_BASE_IMAGE: docker.io/library/almalinux:10
+
+
+x86_64-almalinux-10-clang:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-almalinux-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    CC: clang
+    NAME: almalinux-10
+    RPM: skip
+    TARGET_BASE_IMAGE: docker.io/library/almalinux:10
+
+
 x86_64-alpine-322:
   extends: .native_build_job
   needs:
@@ -70,6 +96,21 @@ x86_64-centos-stream-9:
       - libvirt-rpms
 
 
+x86_64-centos-stream-10:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-centos-stream-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    NAME: centos-stream-10
+    TARGET_BASE_IMAGE: quay.io/centos/centos:stream10
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - libvirt-rpms
+
+
 x86_64-debian-12:
   extends: .native_build_job
   needs:
@@ -103,21 +144,6 @@ x86_64-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-x86_64-fedora-41:
-  extends: .native_build_job
-  needs:
-    - job: x86_64-fedora-41-container
-      optional: true
-  allow_failure: false
-  variables:
-    NAME: fedora-41
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:41
-  artifacts:
-    expire_in: 1 day
-    paths:
-      - libvirt-rpms
-
-
 x86_64-fedora-42:
   extends: .native_build_job
   needs:
@@ -133,6 +159,21 @@ x86_64-fedora-42:
       - libvirt-rpms
 
 
+x86_64-fedora-43:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-fedora-43-container
+      optional: true
+  allow_failure: false
+  variables:
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - libvirt-rpms
+
+
 x86_64-fedora-rawhide:
   extends: .native_build_job
   needs:
@@ -416,29 +457,29 @@ s390x-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-mingw32-fedora-42:
+mingw32-fedora-43:
   extends: .cross_build_job
   needs:
-    - job: mingw32-fedora-42-container
+    - job: mingw32-fedora-43-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw32
     JOB_OPTIONAL: 1
-    NAME: fedora-42
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
 
 
-mingw64-fedora-42:
+mingw64-fedora-43:
   extends: .cross_build_job
   needs:
-    - job: mingw64-fedora-42-container
+    - job: mingw64-fedora-43-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw64
-    NAME: fedora-42
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
 
 
 mingw32-fedora-rawhide:

ci/gitlab/containers.yml

@@ -14,6 +14,13 @@ x86_64-almalinux-9-container:
     NAME: almalinux-9
 
 
+x86_64-almalinux-10-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: almalinux-10
+
+
 x86_64-alpine-322-container:
   extends: .container_job
   allow_failure: false
@@ -35,6 +42,13 @@ x86_64-centos-stream-9-container:
     NAME: centos-stream-9
 
 
+x86_64-centos-stream-10-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: centos-stream-10
+
+
 x86_64-debian-12-container:
   extends: .container_job
   allow_failure: false
@@ -49,13 +63,6 @@ x86_64-debian-sid-container:
     NAME: debian-sid
 
 
-x86_64-fedora-41-container:
-  extends: .container_job
-  allow_failure: false
-  variables:
-    NAME: fedora-41
-
-
 x86_64-fedora-42-container:
   extends: .container_job
   allow_failure: false
@@ -63,6 +70,13 @@ x86_64-fedora-42-container:
     NAME: fedora-42
 
 
+x86_64-fedora-43-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: fedora-43
+
+
 x86_64-fedora-rawhide-container:
   extends: .container_job
   allow_failure: true
@@ -220,19 +234,19 @@ s390x-debian-sid-container:
     NAME: debian-sid-cross-s390x
 
 
-mingw32-fedora-42-container:
+mingw32-fedora-43-container:
   extends: .container_job
   allow_failure: false
   variables:
     JOB_OPTIONAL: 1
-    NAME: fedora-42-cross-mingw32
+    NAME: fedora-43-cross-mingw32
 
 
-mingw64-fedora-42-container:
+mingw64-fedora-43-container:
   extends: .container_job
   allow_failure: false
   variables:
-    NAME: fedora-42-cross-mingw64
+    NAME: fedora-43-cross-mingw64
 
 
 mingw32-fedora-rawhide-container:

ci/integration.yml

@@ -29,23 +29,23 @@ centos-stream-9-tests:
 # and libvirt-python CI jobs, so the new target needs to be introduced
 # there before it can be used here. The VM template for the target
 # also needs to be created on the runner host.
-fedora-41-tests:
+fedora-43-tests:
   extends: .integration_tests
   variables:
     # needed by libvirt-gitlab-executor
-    DISTRO: fedora-41
+    DISTRO: fedora-43
     # can be overridden in forks to set a different runner tag
     LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
   tags:
     - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
   needs:
-    - x86_64-fedora-41
+    - x86_64-fedora-43
     - project: libvirt/libvirt-perl
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
     - project: libvirt/libvirt-python
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
 
@@ -53,22 +53,22 @@ fedora-41-tests:
 # and libvirt-python CI jobs, so the new target needs to be introduced
 # there before it can be used here. The VM template for the target
 # also needs to be created on the runner host.
-.fedora-41-upstream-qemu-tests:
+.fedora-43-upstream-qemu-tests:
   extends: .integration_tests
   variables:
     # needed by libvirt-gitlab-executor
-    DISTRO: fedora-41
+    DISTRO: fedora-43
     # can be overridden in forks to set a different runner tag
     LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
   tags:
     - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
   needs:
-    - x86_64-fedora-41
+    - x86_64-fedora-43
     - project: libvirt/libvirt-perl
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
     - project: libvirt/libvirt-python
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true

ci/lcitool/projects/libvirt.yml

@@ -19,7 +19,7 @@ packages:
   - ebtables
   - firewalld-filesystem
   - flake8
-  - fuse
+  - fuse3
   - gcc
   - gettext
   - gettext-native

ci/manifest.yml

@@ -19,6 +19,19 @@ targets:
           RPM: skip
           CC: clang
 
+  almalinux-10:
+    jobs:
+      - arch: x86_64
+        builds: false
+        variables:
+          RPM: skip
+
+      - arch: x86_64
+        suffix: -clang
+        variables:
+          RPM: skip
+          CC: clang
+
   alpine-322: x86_64
 
   alpine-edge:
@@ -34,6 +47,14 @@ targets:
           paths:
             - libvirt-rpms
 
+  centos-stream-10:
+    jobs:
+      - arch: x86_64
+        artifacts:
+          expire_in: 1 day
+          paths:
+            - libvirt-rpms
+
   debian-12:
     jobs:
       - arch: x86_64
@@ -104,7 +125,7 @@ targets:
         containers: false
         builds: false
 
-  fedora-41:
+  fedora-42:
     jobs:
       - arch: x86_64
         artifacts:
@@ -112,7 +133,7 @@ targets:
           paths:
             - libvirt-rpms
 
-  fedora-42:
+  fedora-43:
     jobs:
       - arch: x86_64
         artifacts:

docs/apps.rst

@@ -185,6 +185,10 @@ Infrastructure as a Service (IaaS)
    software-defined datacenter. The key strengths of ZStack in terms of
    management are scalability, performance, and a fast, user-friendly
    deployment.
+`Apache CloudStack <https://cloudstack.apache.org/>`__
+   Apache CloudStack™ is an open-source software system designed to
+   deploy and manage large networks of virtual machines, as a highly available,
+   highly scalable Infrastructure as a Service (IaaS) cloud computing platform.
 
 Libraries
 ---------

docs/css/local.css

@@ -0,0 +1,3 @@
+@import url(libvirt.css);
+@import url(libvirt-api.css);
+@import url(mobile-libvirt.css);

docs/css/main.css

@@ -1,7 +1,5 @@
 @import url(fonts.css);
 @import url(generic.css);
-@import url(libvirt.css);
-@import url(libvirt-api.css);
 @import url(libvirt-template.css);
 @import url(mobile-template.css);
-@import url(mobile-libvirt.css);
+@import url(local.css);

docs/css/meson.build

@@ -4,6 +4,7 @@ docs_css_files = [
   'libvirt.css',
   'libvirt-api.css',
   'libvirt-template.css',
+  'local.css',
   'main.css',
   'mobile-template.css',
   'mobile-libvirt.css',

docs/drvbhyve.rst

@@ -393,7 +393,7 @@ exposed to the guest using the ``vgaconf`` attribute:
 
 If not specified, bhyve's default mode for ``vgaconf`` will be used. Please
 refer to the
-`bhyve(8) <https://www.freebsd.org/cgi/man.cgi?query=bhyve&sektion=8&manpath=FreeBSD+12-current>`__
+`bhyve(8) <https://www.freebsd.org/cgi/man.cgi?query=bhyve&sektion=8>`__
 manual page and the `bhyve wiki <https://wiki.freebsd.org/bhyve>`__ for more
 details on using the ``vgaconf`` option.
 
@@ -429,6 +429,16 @@ Note: VNC password authentication is known to be cryptographically weak.
 Additionally, the password is passed as a command line argument in clear text.
 Make sure you understand the risks associated with this feature before using it.
 
+:since:`Since 11.10.0`, the guest can be configured to wait for an incoming
+VNC connection before booting:
+
+::
+
+    <graphics type='vnc' port='5904' wait='yes'>
+      <listen type='address' address='127.0.0.1'/>
+    </graphics>
+
+
 Clock configuration
 ~~~~~~~~~~~~~~~~~~~
 
@@ -638,3 +648,64 @@ Example:
 Note: there's no direct way to check if the actual ``bhyve`` binary supports
 the TCP console. Thus, libvirt always assumes it's supported. Please
 refer to the ``bhyve(1)`` manual page to make sure.
+
+NVMe device
+~~~~~~~~~~~
+:since:`Since 11.9.0`, it's possible to use NVMe device.
+
+Example:
+
+::
+
+   ...
+     <disk type='file'>
+       <driver name='file' type='raw'/>
+       <source file='/tmp/freebsd.img'/>
+       <target dev='nvme0n1' bus='nvme'/>
+     </disk>
+    ...
+
+As ``bhyve(1)`` uses one NVMe device per PCI address, it's modeled in a way
+that there is one device per controller. That is, if using more than one
+NVMe device, for device name users should increment controller number rather
+than namespace number, i.e.: ``nvme0n1``, ``nvme1n1``, etc.
+
+Device passthrough
+~~~~~~~~~~~~~~~~~~
+:since:`Since 11.10.0`, it is possible to passthrough PCI devices.
+
+Example:
+
+::
+
+  ...
+    <hostdev mode='subsystem' type='pci' managed='no'>
+      <source>
+        <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </source>
+    </hostdev>
+  ...
+
+Using passthrough devices requires wiring guest memory, see `Wiring guest memory`_.
+
+Note: currently, the `nodedev <drvnodedev.html>`_ driver is not supported
+on FreeBSD.
+Users must configure the device for passthrough manually either by
+using ``devctl(8)`` or by setting ``pptdevs`` in ``loader.conf(5)``.
+Please refer to the ``vmm(4)`` manual page for more details.
+
+Guest-specific considerations
+-----------------------------
+
+Windows
+~~~~~~~
+
+For Windows guests, it is recommended to have the LPC controller on slot 31.
+As the libvirt driver allocates slot 1 for the LPC controller by default,
+the address must be specified explicitly:
+
+::
+
+    <controller type='isa' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x0'/>
+    </controller>

docs/drvch.rst

@@ -12,17 +12,40 @@ customers inside a cloud provider. For our purposes this means modern
 operating systems with most I/O handled by paravirtualised devices
 (i.e. virtio), no requirement for legacy devices, and 64-bit CPUs.
 
-The libvirt Cloud Hypervisor driver is intended to be run as a session
-driver without privileges. The cloud-hypervisor binary itself should be
-``setcap cap_net_admin+ep`` (in order to create tap interfaces).
+The libvirt Cloud Hypervisor (CH) driver is intended to be run as a
+session driver without privileges. The cloud-hypervisor binary itself
+should be ``setcap cap_net_admin+ep`` (in order to create tap
+interfaces). Though, system-wide connection URI is also supported.
 
 Expected connection URI would be
 
-``ch:///session``
+::
 
+  ch:///session         (local access to per-user instance)
+  ch:///system          (local access to system instance)
+
+But all other transport modes are supported too
+(see `documentation <uri.html#remote-uris>`__).
+
+
+Location of configuration files
+-------------------------------
+
+The CH driver comes with sane default values. However, during its
+initialization it reads a configuration file which offers system
+administrator or an user to override some of that default. The location
+of the file depends on the connection URI, as follows:
+
+=================== ======================================
+``ch:///system``    ``/etc/libvirt/ch.conf``
+``ch:///session``   ``$XDG_CONFIG_HOME/libvirt/ch/ch.conf``
+=================== ======================================
+
+If ``$XDG_CONFIG_HOME`` is not set in the environment, it defaults to
+``$HOME/.config``.
 
 Example guest domain XML configurations
-=======================================
+---------------------------------------
 
 The Cloud Hypervisor driver in libvirt is in its early stage under active
 development only supporting a limited number of Cloud Hypervisor features.

docs/formatdomain.rst

@@ -2155,7 +2155,10 @@ are:
    =============== ====================================================================== ============================================ ========================================================================
    relaxed         Relax constraints on timers                                            on, off                                      :since:`1.0.0 (QEMU 2.0), 11.3.0 (Xen, always on)`
    vapic           Enable virtual APIC                                                    on, off                                      :since:`1.1.0 (QEMU 2.0), 11.3.0 (Xen)`
-   spinlocks       Enable spinlock support                                                on, off; retries - at least 4095             :since:`1.1.0 (QEMU 2.0)`
+   spinlocks       Enable spinlock support - retries attribute defines after how many     on, off;                                     :since:`1.1.0 (QEMU 2.0), never-notify mode 11.9.0 (QEMU 2.0)`
+                   failed acquisition attempts to notify the hypervisor                   retries - between 4095 and 4294967295, the
+                                                                                          special value 4294967295 means to never
+                                                                                          notify the hypervisor (default if omitted)
    vpindex         Virtual processor index                                                on, off                                      :since:`1.3.3 (QEMU 2.5), 11.3.0 (Xen, always on)`
    runtime         Processor time spent on running guest code and on behalf of guest code on, off                                      :since:`1.3.3 (QEMU 2.5)`
    synic           Enable Synthetic Interrupt Controller (SynIC)                          on, off                                      :since:`1.3.3 (QEMU 2.6), 11.3.0 (Xen)`
@@ -2189,6 +2192,12 @@ are:
       virtual CPU may or may not contain features which may block migration
       even to an identical host.
 
+   ``host-model``
+      Similar to the ``passthrough`` mode, except libvirt detects which
+      enlightenments are supported by hypervisor and expands them on domain
+      startup into the live XML. In a sense, this is similar to ``host-model``
+      CPU mode (See `CPU model and topology`_). :since:`Since 11.9.0`
+
    The ``mode`` attribute can be omitted and will default to ``custom``.
 
 ``pvspinlock``
@@ -3369,6 +3378,11 @@ paravirtualized driver is specified via the ``disk`` element.
    :since:`since after 0.4.4`; "sata" attribute value :since:`since 0.9.7`;
    "removable" attribute value :since:`since 1.1.3`;
    "rotation_rate" attribute value :since:`since 7.3.0`
+   The optional attribute ``dpofua`` (:since:`Since 11.10.0, only QEMU driver`)
+   controls the support of DPO(Disable Page Out) and FUA(Force Unit Access)
+   properties of a SCSI disk cache access (both must be present or absent).
+   If the value is omitted hypervisor default is applied (which may depend on
+   the machine type version) and is the suggested setting.
 ``throttlefilters``
    The optional ``throttlefilters`` element provides the ability to provide additional
    per-device throttle chain :since:`Since 11.2.0`
@@ -3588,6 +3602,23 @@ paravirtualized driver is specified via the ``disk`` element.
           </iothreads>
         </driver>
 
+   - The optional ``statistics`` sub-element allows configuring statistics
+     collection in configurable intervals for the given disk. Intervals are
+     configured by ``<statistic>`` sub-elements with ``interval`` attribute
+     configuring the collection window duration in seconds. The statistics
+     are available via the bulk statistics API.
+
+     Example::
+
+       <driver name='qemu'>
+         <statistics>
+           <statistic interval='1'/>
+           <statistic interval='10'/>
+         </statistics>
+       </driver>
+
+    :since:`Since 11.9.0 (QEMU 10.2, virtio, ide, scsi disks only)`.
+
    -  The optional ``queues`` attribute specifies the number of virt queues for
       virtio-blk ( :since:`Since 3.9.0` ) or vhost-user-blk
       ( :since:`Since 7.1.0` )
@@ -6876,6 +6907,10 @@ interaction with the admin.
       ID is specified, then the default audio backend will be used.
       :since:`Since 7.2.0, qemu`.
 
+      The optional ``wait`` attribute, when set to ``yes``, causes the guest
+      to wait for an incoming VNC connection before booting.
+      :since:`Since 11.10.0, bhyve`.
+
    ``spice`` :since:`Since 0.8.6`
       Starts a SPICE server. The ``port`` attribute specifies the TCP port
       number (with -1 as legacy syntax indicating that it should be
@@ -8350,8 +8385,8 @@ The watchdog device requires an additional driver and management daemon in the
 guest. Just enabling the watchdog in the libvirt configuration does not do
 anything useful on its own.
 
-Currently libvirt does not support notification when the watchdog fires. This
-feature is planned for a future version of libvirt.
+:since:`Since 0.8.0`, a notification is available when the watchdog fires, using
+the event ID ``VIR_DOMAIN_EVENT_ID_WATCHDOG``.
 
 Having multiple watchdogs is usually not something very common, but be aware
 that this might happen, for example, when an implicit watchdog device is added
@@ -9212,6 +9247,10 @@ Example:
       Enable x2APIC mode. Useful for higher number of guest CPUs.
       :since:`Since 11.5.0` (QEMU/KVM and ``amd`` model only)
 
+   ``pciBus``
+      The ``pciBus`` attribute notes the index of the controller that an
+      IOMMU device is attached to. (QEMU/KVM and ``smmuv3`` model only)
+
 The ``virtio`` IOMMU devices can further have ``address`` element as described
 in `Device addresses`_ (address has to by type of ``pci``).
 

docs/formatdomaincaps.rst

@@ -869,11 +869,10 @@ Hyper-V Enlightenments
 Report which features improving behavior of guests running Microsoft Windows
 are supported. The ``features`` enum corresponds to the ``<hyperv/>`` element
 (well, its children) as documented in `Hypervisor features
-<formatdomain.html#hypervisor-features>`__.
-
-Please note that depending on the QEMU version some capabilities might be
-missing even though QEMU does support them. This is because prior to QEMU-6.1.0
-not all features were reported by QEMU.
+<formatdomain.html#hypervisor-features>`__. The ``defaults`` element then
+contains child elements describing default values as reported by hypervisor,
+e.g. whether direct or extended TLB flushes are available. :since:`(since
+11.9.0)`
 
 Launch security
 ^^^^^^^^^^^^^^^

docs/formatsnapshot.rst

@@ -127,9 +127,12 @@ The top-level ``domainsnapshot`` element may contain the following elements:
 
       :since:`Since 8.2.0` the ``snapshot`` attribute supports the ``manual``
       value which instructs the hypervisor to create the snapshot and keep a
-      synchronized state by pausing the VM which allows to snapshot disk
+      synchronized state by pausing the VM (and where supported deactivating
+      the storage backends of the hypervisor), which allows to snapshot disk
       storage from outside of the hypervisor if the storage provider supports
-      it.  The caller is responsible for resuming a VM paused by requesting a
+      it.  VM operations requiring the storage (e.g. blockjobs, migration) should
+      be avoided to ensure that the storage backends can stay deactivated.
+      The caller is responsible for resuming a VM paused by requesting a
       ``manual`` snapshot. When reverting such snapshot, the expectation is that
       the storage is configured in a way where the hypervisor will see the
       correct image state.

docs/go/meson.build

@@ -33,7 +33,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/html/meson.build

@@ -101,7 +101,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/index.rst

@@ -34,7 +34,8 @@ Quick Links
   Already a regular open source contributor and have git set up? Have a quick
   look at how to propose your changes to libvirt correctly
 `Security vulnerabilities <securityprocess.html>`__
-  View security notices and report vulnerabilities to the libvirt security
+  View `security notices <https://security.libvirt.org>`__ and
+  `report vulnerabilities <securityprocess.html>`__ to the libvirt security
   response team
 `Bug reporting <bugs.html>`__
   View and report bugs in libvirt packages

docs/kbase/internals/meson.build

@@ -42,7 +42,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/kbase/live_full_disk_backup.rst

@@ -1,3 +1,5 @@
+.. role:: since
+
 ===============================
 Efficient live full disk backup
 ===============================
@@ -84,6 +86,24 @@ This requires libvirt-7.2.0 and QEMU-4.2, or higher versions.
     15M -rw-r--r--. 1 qemu qemu 15M May 10 12:22 vm1.qcow2
     21M -rw-------. 1 root root 21M May 10 12:23 vm1.qcow2.1620642185
 
+Shutdown of the guest OS during backup
+--------------------------------------
+
+The backup job is a long running job, potentially copying a lot of data, which
+requires the VM to be active (The backup is done by the qemu process) and
+can't be continued if the VM shuts down. This includes shut down initiated by
+the guest OS itself.
+
+:since:`Since libvirt-11.10` the ``virDomainBackupBegin()`` supports the
+``VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN`` flag
+(``virsh backup-begin --preserve-domain-on-shutdown``) which instructs libvirt
+to avoid termination of the VM if the guest OS shuts down while the backup is
+still running. The VM is in that scenario reset and paused instead of terminated
+allowing the backup to finish. Once the backup finishes the VM process is
+terminated. Users can resume the VM (e.g. ``virsh resume``) which causes it
+to boot normally using the existing VM process and will continue to run after
+completion of the backup job.
+
 
 Full backup with older libvirt versions
 =======================================

docs/kbase/meson.build

@@ -53,7 +53,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/kbase/tlscerts.rst

@@ -75,6 +75,25 @@ in the path specified, otherwise the connection will fail with a fatal error. If
 
 -  For the root user, the global default locations will always be used.
 
+Multiple parallel certificate identities
+----------------------------------------
+
+Any scenario that requires a certificate identify (``servercert.pem`` /
+``serverkey.pem`` and ``clientcert.pem`` / ``clientkey.pem``) can optionally
+provide multiple parallel identities via a new indexed file naming
+scheme. The new filenames are ``servercertNN.pem`` / ``serverkeyNN.pem``
+and ``clientcertNN.pem`` / ``clientkeyNN.pem``, for values of ``NN`` between
+0 and 3 inclusive.
+
+The new naming can be used instead of the old naming, or concurrently
+with the old naming. The old file names will be loaded first (if
+present), followed by the indexed file names. Loading will stop at
+the first missing index value. ie if ``servercert1.pem`` is not present,
+then no attempt will be made to load ``servercert2.pem`` or ``servercert3.pem``.
+
+If multiple CA certificates are required they must all be concatenated
+into the single ``cacert.pem`` file.
+
 Background to TLS certificates
 ------------------------------
 
@@ -326,6 +345,75 @@ briefly cover the steps.
       cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem
       cp clientcert.pem /etc/pki/libvirt/clientcert.pem
 
+Configuring for Post-Quantum Cryptography
+-----------------------------------------
+
+Given a new enough gnutls release, suitably integrated & configured with the
+operating system crypto policies, libvirt is able to support post-quantum
+crytography on TLS enabled services, either exclusively or in a hybrid mode.
+
+In exclusive mode, only a single set of certificates need to be configured
+for libvirt, with PQC compliant algorithms. Such a libvirt configuration will
+only be able to interoperate with other libvirt daemons that also have PQC
+enabled. This can result in compatibility concerns during the period of
+transition over to PQC compliant algorithms.
+
+In hybrid mode, multiple sets of certificates need to be configured for libvirt,
+at least one set with traditional (non-PQC compliant) algorithms, and at least
+one other set with modern (PQC compliant) algorithms. At time of the TLS
+handshake, the GNUTLS algorithm priorities should ensure that PQC compliant
+algorithms are negotiated if both sides of the connection support PQC. If one
+side lacks PQC, the TLS handshake should fallback to the non-PQC algorithms.
+This can assist with interoperability during the transition to PQC, but has a
+potential weakness wrt downgrade attacks forcing use of non-PQC algorithms.
+Exclusive PQC mode should be preferred where both peers in the TLS connections
+are known to support PQC.
+
+Key generation parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To create certificates with PQC compliant algorithms, the ``--key-type``
+argument must be passed to ``certtool`` when creating private keys. No
+extra arguments are required for the other ``certtool`` commands, as
+their behaviour will be determined by the private key type.
+
+The typical PQC compliant algorithms to use are ``ML-DSA-44``, ``ML-DSA-65``
+and ``ML-DSA-87``, with ``ML-DSA-65`` being a suitable default choice in
+the absence of explicit requirements.
+
+Taking the example earlier, for creating a key for a client certificate,
+to use ``ML-DSA-65`` the command line would be modified to look like::
+
+   # certtool --generate-privkey --key-type=mldsa65 > clientkey.pem
+
+The equivalent modification applies to the creation of the private keys
+used for server certs, or root/intermediate CA certs.
+
+For hybrid mode, the additional indexed certificate naming must be used.
+If multiple configured certificates are compatible with the mutually
+supported crypto algorithms between the client and server, then the
+first matching certificate will be used.
+
+IOW, to ensure that PQC certificates are preferred, they must use a
+non-index based filename, or use an index that is smaller than any
+non-PQC certificates. ie, ``servercert.pem`` for PQC and ``servercert0.pem``
+for non-PQC, or ``servercert0.pem`` for PQC and ``servercert1.pem`` for
+non-PQC.
+
+Force disabling PQC via crypto priority
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If the OS configuration for system crypto algorithm priorities has
+enabled PQC, this can (optionally) be overriden in libvirt server
+configuration. To disable use of PQC set the ``tls_priority``
+parameter in the ``libvirtd.conf`` / ``virtproxyd.conf`` files:
+
+  tls_priority = "@SYSTEM:-SIGN-ML-DSA-65:-SIGN-ML-DSA-44:-SIGN-ML-DSA-87:-GROUP-X25519-MLKEM768:-GROUP-SECP256R1-MLKEM768:-GROUP-SECP384R1-MLKEM1024"
+
+On the client side this can be overriden using the ``tls_priority``
+URI parameter in the libvirt connection address.
+
+
 Troubleshooting TLS certificate problems
 ----------------------------------------
 

docs/logos/meson.build

@@ -62,7 +62,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/manpages/meson.build

@@ -152,7 +152,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/manpages/virsh.rst

@@ -2186,6 +2186,7 @@ backup-begin
 ::
 
    backup-begin domain [backupxml] [checkpointxml] [--reuse-external]
+       [--preserve-domain-on-shutdown]
 
 Begin a new backup job. If *backupxml* is omitted, this defaults to a full
 backup using a push model to filenames generated by libvirt; supplying XML
@@ -2199,6 +2200,11 @@ libvirt. For more information on backup XML, see:
 If *--reuse-external* is used it instructs libvirt to reuse temporary
 and output files provided by the user in *backupxml*.
 
+When the *--preserve-domain-on-shutdown* flag is used libvirt will not
+terminate the VM if the guest OS shuts down while the backup is running. The VM
+will be instead kept in VIR_DOMAIN_PAUSED state until the backup job finishes.
+The vm can be also resumed in order to boot again.
+
 If *checkpointxml* is specified, a second file with a top-level
 element of *domaincheckpoint* is used to create a simultaneous
 checkpoint, for doing a later incremental backup relative to the time
@@ -2751,6 +2757,60 @@ Information listed includes:
 * ``block.<num>.physical`` - physical size of source file in bytes
 * ``block.<num>.threshold`` - threshold (in bytes) for delivering the
   VIR_DOMAIN_EVENT_ID_BLOCK_THRESHOLD event. See domblkthreshold.
+* ``block.<num>.limits.request_alignment`` - Alignment requirement for requests
+  in bytes
+* ``block.<num>.limits.discard_max`` - Maximum number of bytes that can be
+  discarded at once
+* ``block.<num>.limits.discard_alignment`` - Optimal alignment for discard
+  requests in bytes
+* ``block.<num>.limits.write_zeroes_max`` - Maximum number of bytes that can be
+  zeroed out at once
+* ``block.<num>.limits.write_zeroes_alignment`` - Optimal alignment for
+  write_zeroes requests in bytes
+* ``block.<num>.limits.transfer_optimal`` - Optimal transfer length in bytes
+* ``block.<num>.limits.transfer_max`` - Maximal transfer length in bytes
+* ``block.<num>.limits.transfer_hw_max`` - Maximal hardware transfer length of
+  requests bypassing kernel IO scheduler in bytes
+* ``block.<num>.limits.iov_max`` - Maximum number of scatter/gather elements
+* ``block.<num>.limits.iov_hw_max`` - Maximal number of scatter/gather elements
+  of requests bypassing kernel IO scheduler
+* ``block.<num>.limits.memory_alignment_minimal`` - memory alignment in bytes so
+  that no bounce buffer is needed
+* ``block.<num>.limits.memory_alignment_optimal`` - memory alignment in bytes
+  that is used for bounce buffers
+* ``block.<num>.timed_group.count`` - number of blocks of timed group statistics
+* ``block.<num>.timed_group.<num>.interval_length`` - The time interval in
+  seconds for which the statistics in this group were collected.
+* ``block.<num>.timed_group.<num>.rd_latency_min`` - minimum latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_latency_max`` - maximum latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_latency_avg`` - average latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_min`` - minimum latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_max`` - maximum latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_avg`` - average latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_min`` - minimum latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_max`` - maximum latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_avg`` - average latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_min`` - minimum latency
+  of flush operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_max`` - maximum latency of flush
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_avg`` - average latency of flush
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_queue_depth_avg`` - average number of
+  pending read operations in the defined interval
+* ``block.<num>.timed_group.<num>.wr_queue_depth_avg`` - average number of
+  pending write operations in the defined interval
+* ``block.<num>.timed_group.<num>.zone_append_queue_depth_avg`` - average number
+  of pending zone append operations in the defined interval
 
 
 *--iothread* returns information about IOThreads on the running guest

docs/meson.build

@@ -301,7 +301,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/page.xsl

@@ -19,6 +19,7 @@
     <xsl:param name="timestamp"/>
     <xsl:param name="link_href_base"/>
     <xsl:param name="asset_href_base"/>
+    <xsl:param name="edit_href_base"/>
     <xsl:text disable-output-escaping="yes">&lt;!DOCTYPE html&gt;
 </xsl:text>
     <html lang="en" data-sourcedoc="{$pagesrc}">
@@ -105,11 +106,11 @@
               <li><a href="https://serverfault.com/questions/tagged/libvirt">serverfault</a></li>
             </ul>
           </div>
-          <xsl:if test="$pagesrc != ''">
+          <xsl:if test="$pagesrc != '' and $edit_href_base != ''">
             <div id="contribute">
               <h3>Contribute</h3>
               <ul>
-                <li><a href="https://gitlab.com/libvirt/libvirt/-/blob/master/{$pagesrc}">edit this page</a></li>
+                <li><a href="{$edit_href_base}{$pagesrc}">edit this page</a></li>
               </ul>
             </div>
           </xsl:if>

docs/site.xsl

@@ -28,8 +28,9 @@
     <xsl:apply-templates select="." mode="page">
       <xsl:with-param name="pagesrc" select="$pagesrc"/>
       <xsl:with-param name="timestamp" select="$timestamp"/>
-      <xsl:with-param name="link_href_base" select="$href_base"/>
-      <xsl:with-param name="asset_href_base" select="$href_base"/>
+      <xsl:with-param name="link_href_base" select="$link_href_base"/>
+      <xsl:with-param name="asset_href_base" select="$asset_href_base"/>
+      <xsl:with-param name="edit_href_base" select="$edit_href_base"/>
     </xsl:apply-templates>
   </xsl:template>
 

examples/c/misc/event-test.c

@@ -180,6 +180,9 @@ eventDetailToString(int event,
             case VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY_FAILED:
                 return "Post-copy Error";
 
+            case VIR_DOMAIN_EVENT_SUSPENDED_GUEST_SHUTDOWN:
+                return "guest OS shutdown";
+
             case VIR_DOMAIN_EVENT_SUSPENDED_LAST:
                 break;
             }

include/libvirt/libvirt-domain.h

@@ -3488,6 +3488,332 @@ struct _virDomainStatsRecord {
  */
 # define VIR_DOMAIN_STATS_BLOCK_SUFFIX_THRESHOLD ".threshold"
 
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_REQUEST_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Alignment requirement, in bytes, for offset/length of I/O requests, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_REQUEST_ALIGNMENT ".limits.request_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of bytes that can be discarded at once, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_MAX ".limits.discard_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal alignment for discard requests in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_ALIGNMENT ".limits.discard_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of bytes that can be zeroed out at once, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_MAX ".limits.write_zeroes_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal alignment for write_zeroes requests in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_ALIGNMENT ".limits.write_zeroes_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_OPTIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal transfer length in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_OPTIMAL ".limits.transfer_optimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal transfer length in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_MAX ".limits.transfer_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_HW_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal hardware transfer length of requests bypassing kernel IO scheduler
+ * in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_HW_MAX ".limits.transfer_hw_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of scatter/gather elements, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_MAX ".limits.iov_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_HW_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal number of scatter/gather elements of requests bypassing kernel IO
+ * scheduler, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_HW_MAX ".limits.iov_hw_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_MINIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * memory alignment in bytes so that no bounce buffer is needed, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_MINIMAL ".limits.memory_alignment_minimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_OPTIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * memory alignment in bytes that is used for bounce buffers, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_OPTIMAL ".limits.memory_alignment_optimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_COUNT:
+ *
+ * Number of groups of statistics accounted in a configured time intervals as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_COUNT ".timed_group.count"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_PREFIX:
+ *
+ * The parameter name prefix to access each group of timed stats. Concatenate the
+ * prefix, the entry number formatted as an unsigned integer and one of the
+ * timed group suffix parameters to form a complete paramter name.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_PREFIX ".timed_group."
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_INTERVAL:
+ *
+ * The time interval in seconds as unsigned long long for which the statistics
+ * in this group were collected.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_INTERVAL ".interval"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MIN:
+ *
+ * Minimum latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MIN ".rd_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MAX:
+ *
+ * Maximum latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MAX ".rd_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_AVG:
+ *
+ * Average latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_AVG ".rd_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MIN:
+ *
+ * Minimum latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MIN ".wr_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MAX:
+ *
+ * Maximum latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MAX ".wr_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_AVG:
+ *
+ * Average latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_AVG ".wr_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MIN:
+ * Minimum latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MIN ".zone_append_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MAX:
+ *
+ * Maximum latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MAX ".zone_append_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_AVG:
+ *
+ * Average latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_AVG ".zone_append_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MIN:
+ *
+ * Minimum latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MIN ".flush_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MAX:
+ *
+ * Maximum latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MAX ".flush_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_AVG:
+ *
+ * Average latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_AVG ".flush_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending read operations in the defined interval as double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_QUEUE_DEPTH_AVG ".rd_queue_depth_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending write operations in the defined interval as double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_QUEUE_DEPTH_AVG ".wr_queue_depth_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending zone append operations in the defined interval as
+ * double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_QUEUE_DEPTH_AVG ".zone_append_queue_depth_avg"
 
 /**
  * VIR_DOMAIN_STATS_PERF_CMT:
@@ -5075,6 +5401,7 @@ typedef enum {
     VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR = 6, /* Some APIs (e.g., migration, snapshot) internally need to suspend a domain. This event detail is used when resume operation at the end of such API fails. (Since: 1.0.1) */
     VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY = 7, /* suspended for post-copy migration (Since: 1.3.3) */
     VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY_FAILED = 8, /* suspended after failed post-copy (Since: 1.3.3) */
+    VIR_DOMAIN_EVENT_SUSPENDED_GUEST_SHUTDOWN = 9, /* suspended after guest os shut-down (a long running job is preserving the VM until completion) (Since: 11.10.0) */
 
 # ifdef VIR_ENUM_SENTINELS
     VIR_DOMAIN_EVENT_SUSPENDED_LAST /* (Since: 0.9.10) */
@@ -8191,8 +8518,10 @@ int virDomainAgentSetResponseTimeout(virDomainPtr domain,
  * Since: 6.0.0
  */
 typedef enum {
-    VIR_DOMAIN_BACKUP_BEGIN_REUSE_EXTERNAL = (1 << 0), /* reuse separately
-                                                          provided images (Since: 6.0.0) */
+    /* reuse separately provided images (Since: 6.0.0) */
+    VIR_DOMAIN_BACKUP_BEGIN_REUSE_EXTERNAL = (1 << 0),
+    /* preserve the domain if the guest OS shuts down while the backup is running (Since: 11.10.0) */
+    VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN = (1 << 1),
 } virDomainBackupBeginFlags;
 
 int virDomainBackupBegin(virDomainPtr domain,

libvirt.spec.in

@@ -6,7 +6,7 @@
 %define min_rhel 9
 %define min_fedora 41
 
-%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x riscv64
+%define arches_qemu_kvm         %{ix86} x86_64 %{power64} aarch64 s390x riscv64
 %if 0%{?rhel}
     %if 0%{?rhel} >= 10
         %define arches_qemu_kvm     x86_64 aarch64 s390x riscv64
@@ -32,12 +32,22 @@
 %define arches_ch               x86_64 aarch64
 
 # The hypervisor drivers that run in libvirtd
-%define with_qemu          0%{!?_without_qemu:1}
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_libxl         0%{!?_without_libxl:1}
 %define with_vbox          0%{!?_without_vbox:1}
 %define with_ch            0%{!?_without_ch:1}
 
+%ifarch %{arches_64bit}
+    %define with_qemu      0%{!?_without_qemu:1}
+%else
+    # QEMU drops 32-bit in Fedora 44
+    %if %{?fedora} > 43
+        %define with_qemu  0
+    %else
+        %define with_qemu  0%{!?_without_qemu:1}
+    %endif
+%endif
+
 %ifarch %{arches_qemu_kvm}
     %define with_qemu_kvm      %{with_qemu}
 %else
@@ -76,8 +86,10 @@
     %define with_storage_gluster 0
 %endif
 
-# Fedora had zfs-fuse until F43
-%if 0%{?fedora} && 0%{?fedora} < 43
+# On Fedora 43, the 'zfs-fuse' package was removed, but is obtainable via
+# other means. Build the backend, but it's no longer considered to be part
+# of 'daemon-driver-storage'.
+%if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
     %define with_storage_zfs      0
@@ -91,7 +103,6 @@
 
 # Other optional features
 %define with_numactl          0%{!?_without_numactl:1}
-%define with_userfaultfd_sysctl 0%{!?_without_userfaultfd_sysctl:1}
 
 # A few optional bits off by default, we enable later
 %define with_fuse             0
@@ -259,12 +270,6 @@
     %define enable_werror -Dwerror=false -Dgit_werror=disabled
 %endif
 
-# Fedora and RHEL-9 are new enough to support /dev/userfaultfd, which
-# does not require enabling vm.unprivileged_userfaultfd sysctl.
-%if 0%{?fedora} || 0%{?rhel}
-    %define with_userfaultfd_sysctl 0
-%endif
-
 %define tls_priority "@LIBVIRT,SYSTEM"
 
 # libvirt 8.1.0 stops distributing any sysconfig files.
@@ -404,7 +409,7 @@ BuildRequires: numactl-devel
     %endif
 BuildRequires: libcap-ng-devel >= 0.5.0
     %if %{with_fuse}
-BuildRequires: fuse-devel >= 2.8.6
+BuildRequires: fuse3-devel
     %endif
     %if %{with_libssh2}
 BuildRequires: libssh2-devel >= 1.3.0
@@ -674,9 +679,6 @@ Requires: /usr/bin/qemu-img
 Obsoletes: libvirt-daemon-driver-storage-rbd < 5.2.0
     %endif
 Obsoletes: libvirt-daemon-driver-storage-sheepdog < 8.8.0
-    %if !%{with_storage_zfs}
-Obsoletes: libvirt-daemon-driver-storage-zfs < 11.4.0
-    %endif
 
 %description daemon-driver-storage-core
 The storage driver plugin for the libvirtd daemon, providing
@@ -777,9 +779,13 @@ volumes using the ceph protocol.
 Summary: Storage driver plugin for ZFS
 Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-# Support any conforming implementation of zfs
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. The package builds fine without these. Users will have to provide
+# their own implementation.
+        %if 0%{?fedora} && 0%{?fedora} < 43
 Requires: /sbin/zfs
 Requires: /sbin/zpool
+        %endif
 
 %description daemon-driver-storage-zfs
 The storage driver backend adding implementation of the storage APIs for
@@ -803,7 +809,10 @@ Requires: libvirt-daemon-driver-storage-gluster = %{version}-%{release}
     %if %{with_storage_rbd}
 Requires: libvirt-daemon-driver-storage-rbd = %{version}-%{release}
     %endif
-    %if %{with_storage_zfs}
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. We do not want to install this as part of 'daemon-driver-storage'
+# any more.
+    %if %{with_storage_zfs} && 0%{?fedora} && 0%{?fedora} < 43
 Requires: libvirt-daemon-driver-storage-zfs = %{version}-%{release}
     %endif
 
@@ -1329,12 +1338,6 @@ exit 1
     %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
-%if %{with_userfaultfd_sysctl}
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=enabled
-%else
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=disabled
-%endif
-
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1418,7 +1421,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dqemu_datadir=%{qemu_datadir} \
            -Dtls_priority=%{tls_priority} \
            -Dsysctl_config=enabled \
-           %{?arg_userfaultfd_sysctl} \
            -Dssh_proxy=enabled \
            %{?enable_werror} \
            -Dexpensive_tests=enabled \
@@ -1506,7 +1508,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dstorage_vstorage=disabled \
   -Dstorage_zfs=disabled \
   -Dsysctl_config=disabled \
-  -Duserfaultfd_sysctl=disabled \
   -Dssh_proxy=disabled \
   -Dtests=disabled \
   -Dudev=disabled \
@@ -2314,9 +2315,6 @@ exit 0
     %if %{with_qemu}
 %files daemon-driver-qemu
 %config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
-        %if %{with_userfaultfd_sysctl}
-%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
-        %endif
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service

meson.build

@@ -1,6 +1,6 @@
 project(
   'libvirt', 'c',
-  version: '11.8.0',
+  version: '11.10.0',
   license: 'LGPLv2+',
   meson_version: '>= 0.57.0',
   default_options: [
@@ -1365,6 +1365,26 @@ if wireshark_dep.found()
   if cc.check_header('wireshark/ws_version.h')
     conf.set('WITH_WS_VERSION', 1)
   endif
+
+  # Find wmem.h
+  # But it's not as easy as you'd think. Ubuntu 20.04 has split parts of
+  # libwireshark.so into libwsutil.so but:
+  # a) wireshark.pc never mentions it,
+  # b) libwsutil-dev package doesn't install pkg-config file.
+  # Fortunately, it's fixed in 24.04.
+  if cc.check_header('wireshark/epan/wmem/wmem.h', dependencies: wireshark_dep)
+    conf.set('WITH_WS_EPAN_WMEM', 1)
+  elif cc.check_header('wireshark/wsutil/wmem/wmem.h', dependencies: wireshark_dep)
+    conf.set('WITH_WS_WSUTIL_WMEM', 1)
+  else
+    error('Unable to locate wmem.h file')
+  endif
+
+  # TODO: drop wsutil dep once support for Ubuntu 20.04 is dropped
+  wsutil_dep = dependency('', required: false)
+  if not cc.has_function('wmem_free', dependencies: wireshark_dep)
+    wsutil_dep = cc.find_library('wsutil', required: true)
+  endif
 endif
 
 # generic build dependencies checks
@@ -2009,13 +2029,18 @@ elif get_option('sysctl_config').enabled()
   error('sysctl configuration is supported only on linux')
 endif
 
-if not get_option('userfaultfd_sysctl').disabled() and conf.has('WITH_SYSCTL')
-  conf.set('WITH_USERFAULTFD_SYSCTL', 1)
-elif get_option('userfaultfd_sysctl').enabled()
-  error('userfaultfd_sysctl option requires sysctl_config to be enabled')
+prio = get_option('tls_priority')
+if prio == 'auto'
+    # If local OS has 'crypto-policies' then default to that
+    policy = '/etc/crypto-policies/config'
+    if get_option('system') and \
+       run_command('test', '-f', policy, check: false).returncode() == 0
+        prio = '@LIBVIRT,SYSTEM'
+    else
+        prio = 'NORMAL'
+    endif
 endif
-
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+conf.set_quoted('TLS_PRIORITY', prio)
 
 
 # test options
@@ -2314,7 +2339,6 @@ misc_summary = {
   'sysctl config': conf.has('WITH_SYSCTL'),
   'tests': tests_enabled,
   'TLS priority': conf.get_unquoted('TLS_PRIORITY'),
-  'userfaultfd sysctl': conf.has('WITH_USERFAULTFD_SYSCTL'),
   'virt-host-validate': conf.has('WITH_HOST_VALIDATE'),
   'virt-login-shell': conf.has('WITH_LOGIN_SHELL'),
   'Warning Flags': supported_cc_flags,

meson_options.txt

@@ -132,6 +132,4 @@ option('nbdkit_config_default', type: 'feature', value: 'auto', description: 'Wh
 option('pm_utils', type: 'feature', value: 'auto', description: 'use pm-utils for power management')
 option('ssh_proxy', type: 'feature', value: 'auto', description: 'Build ssh-proxy for ssh over vsock')
 option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs')
-# dep:sysctl_config
-option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')