Release of libvirt-11.10.0

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

NEWS.rst

@@ -8,6 +8,106 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.
 
 
+v11.10.0 (2025-12-01)
+=====================
+
+* **Security**
+
+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
+  * CVE-2025-13193: Incorrect permissions on images after external snapshot of an inactive VM
+
+    The overlay ``qcow2`` images which are created as part of creation of an
+    external snapshot of an inactive VM had world-readable (644) permissions
+    which would allow unauthorized users to see contents of blocks written by
+    the VM after snapshot was taken. Libvirt now sets proper umask so that
+    the images are created with 600 mode.
+
+* **New features**
+
+  * Hyper-V virttype support for Qemu domains
+
+    Libvirt now supports Hyper-V virttype while lauching QEMU domains. This
+    feature requires Qemu version 10.2.0 or later and is available on Linux
+    hosts where the /dev/mshv is present.
+
+  * Add more statistics for block devices on QEMU domains
+
+    The block devices now report optimal access request sizes as well as
+    statistics such as the queue depth.
+
+* **Improvements**
+
+  * bhyve: VNC ``wait`` attribute support
+
+    Bhyve guests can now be configured to wait for a VNC connection before
+    booting.
+
+  * remote: multiple certificate support
+
+    The remote daemon and client can be configured to load multiple x509
+    certificate identities. This facilitates a transition to certificates
+    supporting Post-Quantum Crytographic algorithms.
+
+  * tools: improved virt-host-validate output
+
+    The virt-host-validate tool will now report extra details when certain
+    checks pass.
+
+  * qemu: Allow backup jobs to continue if guest OS shuts down
+
+    When starting a backup job users can now use a flag which prevents the VM
+    to be completely cleaned up if the guest OS shuts down while the backup is
+    running so that the backup can be finalized.
+
+* **Bug fixes**
+
+  * ch: Use correct domain definition in chDomainGetXMLDesc()
+
+    Cloud-Hypervisor driver claims to support ``VIR_DOMAIN_XML_INACTIVE`` but
+    in fact it never formatted the inactive XML. This is now fixed.
+
+  * esx: Allow disk images in subdirectories
+
+    If a domain has a disk image that's not in a datastore path but in a
+    subdirectory, the ESX driver would have failed to parse that and an error
+    was reported when obtaining domain XML. This is now fixed.
+
+ * qemu: Fix incoming migration to QEMU 10.0.0 and newer
+
+    Due to a change in the way QEMU 10.0.0 reports the state of "ht" CPU
+    feature, incoming migration of a domain with multiple CPU threads would
+    fail with "guest CPU doesn't match specification: extra features: ht"
+    error.
+
+  * qemu: fix incorrect reporting of the TDX launch security type
+
+    The TDX launch security type was incorrectly reported on all platforms
+    if the QEMU binary had it built-in. It is now limited to only platforms
+    with the TDX kernel feature available for use.
+
+  * qemu: set ``detect_zeroes`` for all backing chain layers
+
+    Some block jobs (snapshots, block commit) could modify the backing chain in
+    a way where ``detect_zeroes`` would no longer be honoured. We now set
+    it for all images in the backing chain, so that it will behave correctly
+    even after those operations.
+
+
 v11.9.0 (2025-11-03)
 ====================
 

ci/buildenv/almalinux-10.sh

@@ -0,0 +1,93 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+function install_buildenv() {
+    dnf update -y
+    dnf install 'dnf-command(config-manager)' -y
+    dnf config-manager --set-enabled -y crb
+    dnf install -y epel-release
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        systemtap-sdt-dtrace \
+        wireshark-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    rpm -qa | sort > /packages.txt
+    mkdir -p /usr/libexec/ccache-wrappers
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install \
+                  black \
+                  flake8
+}
+
+export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+export LANG="en_US.UTF-8"
+export MAKE="/usr/bin/make"
+export NINJA="/usr/bin/ninja"
+export PYTHON="/usr/bin/python3"

ci/buildenv/almalinux-9.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/alpine-322.sh

@@ -22,7 +22,7 @@ function install_buildenv() {
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/buildenv/alpine-edge.sh

@@ -22,7 +22,7 @@ function install_buildenv() {
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/buildenv/centos-stream-10.sh

@@ -0,0 +1,92 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+function install_buildenv() {
+    dnf distro-sync -y
+    dnf install 'dnf-command(config-manager)' -y
+    dnf config-manager --set-enabled -y crb
+    dnf install -y epel-release
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        wireshark-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    rpm -qa | sort > /packages.txt
+    mkdir -p /usr/libexec/ccache-wrappers
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install \
+                  black \
+                  flake8
+}
+
+export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+export LANG="en_US.UTF-8"
+export MAKE="/usr/bin/make"
+export NINJA="/usr/bin/ninja"
+export PYTHON="/usr/bin/python3"

ci/buildenv/centos-stream-9.sh

@@ -25,7 +25,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/debian-12-cross-aarch64.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:arm64 \
             libcurl4-gnutls-dev:arm64 \
             libdevmapper-dev:arm64 \
-            libfuse-dev:arm64 \
+            libfuse3-dev:arm64 \
             libglib2.0-dev:arm64 \
             libglusterfs-dev:arm64 \
             libgnutls28-dev:arm64 \

ci/buildenv/debian-12-cross-armv6l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armel \
             libcurl4-gnutls-dev:armel \
             libdevmapper-dev:armel \
-            libfuse-dev:armel \
+            libfuse3-dev:armel \
             libglib2.0-dev:armel \
             libglusterfs-dev:armel \
             libgnutls28-dev:armel \

ci/buildenv/debian-12-cross-armv7l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armhf \
             libcurl4-gnutls-dev:armhf \
             libdevmapper-dev:armhf \
-            libfuse-dev:armhf \
+            libfuse3-dev:armhf \
             libglib2.0-dev:armhf \
             libglusterfs-dev:armhf \
             libgnutls28-dev:armhf \

ci/buildenv/debian-12-cross-i686.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:i386 \
             libcurl4-gnutls-dev:i386 \
             libdevmapper-dev:i386 \
-            libfuse-dev:i386 \
+            libfuse3-dev:i386 \
             libglib2.0-dev:i386 \
             libglusterfs-dev:i386 \
             libgnutls28-dev:i386 \

ci/buildenv/debian-12-cross-mips64el.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mips64el \
             libcurl4-gnutls-dev:mips64el \
             libdevmapper-dev:mips64el \
-            libfuse-dev:mips64el \
+            libfuse3-dev:mips64el \
             libglib2.0-dev:mips64el \
             libglusterfs-dev:mips64el \
             libgnutls28-dev:mips64el \

ci/buildenv/debian-12-cross-mipsel.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mipsel \
             libcurl4-gnutls-dev:mipsel \
             libdevmapper-dev:mipsel \
-            libfuse-dev:mipsel \
+            libfuse3-dev:mipsel \
             libglib2.0-dev:mipsel \
             libglusterfs-dev:mipsel \
             libgnutls28-dev:mipsel \

ci/buildenv/debian-12-cross-ppc64le.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:ppc64el \
             libcurl4-gnutls-dev:ppc64el \
             libdevmapper-dev:ppc64el \
-            libfuse-dev:ppc64el \
+            libfuse3-dev:ppc64el \
             libglib2.0-dev:ppc64el \
             libglusterfs-dev:ppc64el \
             libgnutls28-dev:ppc64el \

ci/buildenv/debian-12-cross-s390x.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:s390x \
             libcurl4-gnutls-dev:s390x \
             libdevmapper-dev:s390x \
-            libfuse-dev:s390x \
+            libfuse3-dev:s390x \
             libglib2.0-dev:s390x \
             libglusterfs-dev:s390x \
             libgnutls28-dev:s390x \

ci/buildenv/debian-12.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/debian-sid-cross-aarch64.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:arm64 \
             libcurl4-gnutls-dev:arm64 \
             libdevmapper-dev:arm64 \
-            libfuse-dev:arm64 \
+            libfuse3-dev:arm64 \
             libglib2.0-dev:arm64 \
             libglusterfs-dev:arm64 \
             libgnutls28-dev:arm64 \

ci/buildenv/debian-sid-cross-armv6l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armel \
             libcurl4-gnutls-dev:armel \
             libdevmapper-dev:armel \
-            libfuse-dev:armel \
+            libfuse3-dev:armel \
             libglib2.0-dev:armel \
             libgnutls28-dev:armel \
             libiscsi-dev:armel \

ci/buildenv/debian-sid-cross-armv7l.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:armhf \
             libcurl4-gnutls-dev:armhf \
             libdevmapper-dev:armhf \
-            libfuse-dev:armhf \
+            libfuse3-dev:armhf \
             libglib2.0-dev:armhf \
             libgnutls28-dev:armhf \
             libiscsi-dev:armhf \

ci/buildenv/debian-sid-cross-i686.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:i386 \
             libcurl4-gnutls-dev:i386 \
             libdevmapper-dev:i386 \
-            libfuse-dev:i386 \
+            libfuse3-dev:i386 \
             libglib2.0-dev:i386 \
             libgnutls28-dev:i386 \
             libiscsi-dev:i386 \

ci/buildenv/debian-sid-cross-mips64el.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:mips64el \
             libcurl4-gnutls-dev:mips64el \
             libdevmapper-dev:mips64el \
-            libfuse-dev:mips64el \
+            libfuse3-dev:mips64el \
             libglib2.0-dev:mips64el \
             libglusterfs-dev:mips64el \
             libgnutls28-dev:mips64el \

ci/buildenv/debian-sid-cross-ppc64le.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:ppc64el \
             libcurl4-gnutls-dev:ppc64el \
             libdevmapper-dev:ppc64el \
-            libfuse-dev:ppc64el \
+            libfuse3-dev:ppc64el \
             libglib2.0-dev:ppc64el \
             libglusterfs-dev:ppc64el \
             libgnutls28-dev:ppc64el \

ci/buildenv/debian-sid-cross-s390x.sh

@@ -58,7 +58,7 @@ function install_buildenv() {
             libcap-ng-dev:s390x \
             libcurl4-gnutls-dev:s390x \
             libdevmapper-dev:s390x \
-            libfuse-dev:s390x \
+            libfuse3-dev:s390x \
             libglib2.0-dev:s390x \
             libglusterfs-dev:s390x \
             libgnutls28-dev:s390x \

ci/buildenv/debian-sid.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/fedora-42.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/fedora-43.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/fedora-rawhide.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/buildenv/opensuse-leap-15.sh

@@ -24,7 +24,7 @@ function install_buildenv() {
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/buildenv/opensuse-tumbleweed.sh

@@ -23,7 +23,7 @@ function install_buildenv() {
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/buildenv/ubuntu-2204.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/buildenv/ubuntu-2404.sh

@@ -36,7 +36,7 @@ function install_buildenv() {
             libclang-rt-dev \
             libcurl4-gnutls-dev \
             libdevmapper-dev \
-            libfuse-dev \
+            libfuse3-dev \
             libglib2.0-dev \
             libglusterfs-dev \
             libgnutls28-dev \

ci/cirrus/freebsd-13.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip-3.8'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs3 gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/cirrus/freebsd-14.vars

@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip'
-PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
+PKGS='augeas bash-completion ca_root_nss ccache4 codespell cppi curl cyrus-sasl diffutils fusefs-libs3 gettext git glib gmake gnugrep gnutls gsed json-c libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'

ci/containers/almalinux-10.Dockerfile

@@ -0,0 +1,96 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+FROM docker.io/library/almalinux:10
+
+RUN dnf update -y && \
+    dnf install 'dnf-command(config-manager)' -y && \
+    dnf config-manager --set-enabled -y crb && \
+    dnf install -y epel-release && \
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        systemtap-sdt-dtrace \
+        wireshark-devel && \
+    dnf autoremove -y && \
+    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    rpm -qa | sort > /packages.txt && \
+    mkdir -p /usr/libexec/ccache-wrappers && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+
+RUN /usr/bin/pip3 install \
+                  black \
+                  flake8
+
+ENV CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+ENV LANG="en_US.UTF-8"
+ENV MAKE="/usr/bin/make"
+ENV NINJA="/usr/bin/ninja"
+ENV PYTHON="/usr/bin/python3"

ci/containers/almalinux-9.Dockerfile

@@ -25,7 +25,7 @@ RUN dnf update -y && \
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/containers/alpine-322.Dockerfile

@@ -23,7 +23,7 @@ RUN apk update && \
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/containers/alpine-edge.Dockerfile

@@ -23,7 +23,7 @@ RUN apk update && \
         cyrus-sasl-dev \
         diffutils \
         eudev-dev \
-        fuse-dev \
+        fuse3-dev \
         gcc \
         gettext \
         git \

ci/containers/centos-stream-10.Dockerfile

@@ -0,0 +1,95 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool manifest ci/manifest.yml
+#
+# https://gitlab.com/libvirt/libvirt-ci
+
+FROM quay.io/centos/centos:stream10
+
+RUN dnf distro-sync -y && \
+    dnf install 'dnf-command(config-manager)' -y && \
+    dnf config-manager --set-enabled -y crb && \
+    dnf install -y epel-release && \
+    dnf install -y \
+        audit-libs-devel \
+        augeas \
+        bash-completion \
+        ca-certificates \
+        ccache \
+        clang \
+        compiler-rt \
+        cpp \
+        cyrus-sasl-devel \
+        device-mapper-devel \
+        diffutils \
+        dwarves \
+        ebtables \
+        firewalld-filesystem \
+        fuse3-devel \
+        gcc \
+        gettext \
+        git \
+        glib2-devel \
+        glibc-devel \
+        glibc-langpack-en \
+        gnutls-devel \
+        grep \
+        json-c-devel \
+        libacl-devel \
+        libattr-devel \
+        libblkid-devel \
+        libcap-ng-devel \
+        libcurl-devel \
+        libnbd-devel \
+        libnl3-devel \
+        libpcap-devel \
+        libpciaccess-devel \
+        librbd-devel \
+        libselinux-devel \
+        libssh-devel \
+        libssh2-devel \
+        libtirpc-devel \
+        libwsman-devel \
+        libxml2 \
+        libxml2-devel \
+        libxslt \
+        make \
+        meson \
+        ninja-build \
+        numactl-devel \
+        parted-devel \
+        perl-base \
+        pkgconfig \
+        python3 \
+        python3-docutils \
+        python3-pip \
+        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
+        qemu-img \
+        readline-devel \
+        rpm-build \
+        sanlock-devel \
+        sed \
+        systemd-devel \
+        systemd-rpm-macros \
+        systemtap-sdt-devel \
+        wireshark-devel && \
+    dnf autoremove -y && \
+    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    rpm -qa | sort > /packages.txt && \
+    mkdir -p /usr/libexec/ccache-wrappers && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
+    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+
+RUN /usr/bin/pip3 install \
+                  black \
+                  flake8
+
+ENV CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
+ENV LANG="en_US.UTF-8"
+ENV MAKE="/usr/bin/make"
+ENV NINJA="/usr/bin/ninja"
+ENV PYTHON="/usr/bin/python3"

ci/containers/centos-stream-9.Dockerfile

@@ -26,7 +26,7 @@ RUN dnf distro-sync -y && \
         dwarves \
         ebtables \
         firewalld-filesystem \
-        fuse-devel \
+        fuse3-devel \
         gcc \
         gettext \
         git \

ci/containers/debian-12-cross-aarch64.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:arm64 \
                       libcurl4-gnutls-dev:arm64 \
                       libdevmapper-dev:arm64 \
-                      libfuse-dev:arm64 \
+                      libfuse3-dev:arm64 \
                       libglib2.0-dev:arm64 \
                       libglusterfs-dev:arm64 \
                       libgnutls28-dev:arm64 \

ci/containers/debian-12-cross-armv6l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armel \
                       libcurl4-gnutls-dev:armel \
                       libdevmapper-dev:armel \
-                      libfuse-dev:armel \
+                      libfuse3-dev:armel \
                       libglib2.0-dev:armel \
                       libglusterfs-dev:armel \
                       libgnutls28-dev:armel \

ci/containers/debian-12-cross-armv7l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armhf \
                       libcurl4-gnutls-dev:armhf \
                       libdevmapper-dev:armhf \
-                      libfuse-dev:armhf \
+                      libfuse3-dev:armhf \
                       libglib2.0-dev:armhf \
                       libglusterfs-dev:armhf \
                       libgnutls28-dev:armhf \

ci/containers/debian-12-cross-i686.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:i386 \
                       libcurl4-gnutls-dev:i386 \
                       libdevmapper-dev:i386 \
-                      libfuse-dev:i386 \
+                      libfuse3-dev:i386 \
                       libglib2.0-dev:i386 \
                       libglusterfs-dev:i386 \
                       libgnutls28-dev:i386 \

ci/containers/debian-12-cross-mips64el.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mips64el \
                       libcurl4-gnutls-dev:mips64el \
                       libdevmapper-dev:mips64el \
-                      libfuse-dev:mips64el \
+                      libfuse3-dev:mips64el \
                       libglib2.0-dev:mips64el \
                       libglusterfs-dev:mips64el \
                       libgnutls28-dev:mips64el \

ci/containers/debian-12-cross-mipsel.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mipsel \
                       libcurl4-gnutls-dev:mipsel \
                       libdevmapper-dev:mipsel \
-                      libfuse-dev:mipsel \
+                      libfuse3-dev:mipsel \
                       libglib2.0-dev:mipsel \
                       libglusterfs-dev:mipsel \
                       libgnutls28-dev:mipsel \

ci/containers/debian-12-cross-ppc64le.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:ppc64el \
                       libcurl4-gnutls-dev:ppc64el \
                       libdevmapper-dev:ppc64el \
-                      libfuse-dev:ppc64el \
+                      libfuse3-dev:ppc64el \
                       libglib2.0-dev:ppc64el \
                       libglusterfs-dev:ppc64el \
                       libgnutls28-dev:ppc64el \

ci/containers/debian-12-cross-s390x.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:s390x \
                       libcurl4-gnutls-dev:s390x \
                       libdevmapper-dev:s390x \
-                      libfuse-dev:s390x \
+                      libfuse3-dev:s390x \
                       libglib2.0-dev:s390x \
                       libglusterfs-dev:s390x \
                       libgnutls28-dev:s390x \

ci/containers/debian-12.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/debian-sid-cross-aarch64.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:arm64 \
                       libcurl4-gnutls-dev:arm64 \
                       libdevmapper-dev:arm64 \
-                      libfuse-dev:arm64 \
+                      libfuse3-dev:arm64 \
                       libglib2.0-dev:arm64 \
                       libglusterfs-dev:arm64 \
                       libgnutls28-dev:arm64 \

ci/containers/debian-sid-cross-armv6l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armel \
                       libcurl4-gnutls-dev:armel \
                       libdevmapper-dev:armel \
-                      libfuse-dev:armel \
+                      libfuse3-dev:armel \
                       libglib2.0-dev:armel \
                       libgnutls28-dev:armel \
                       libiscsi-dev:armel \

ci/containers/debian-sid-cross-armv7l.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:armhf \
                       libcurl4-gnutls-dev:armhf \
                       libdevmapper-dev:armhf \
-                      libfuse-dev:armhf \
+                      libfuse3-dev:armhf \
                       libglib2.0-dev:armhf \
                       libgnutls28-dev:armhf \
                       libiscsi-dev:armhf \

ci/containers/debian-sid-cross-i686.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:i386 \
                       libcurl4-gnutls-dev:i386 \
                       libdevmapper-dev:i386 \
-                      libfuse-dev:i386 \
+                      libfuse3-dev:i386 \
                       libglib2.0-dev:i386 \
                       libgnutls28-dev:i386 \
                       libiscsi-dev:i386 \

ci/containers/debian-sid-cross-mips64el.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:mips64el \
                       libcurl4-gnutls-dev:mips64el \
                       libdevmapper-dev:mips64el \
-                      libfuse-dev:mips64el \
+                      libfuse3-dev:mips64el \
                       libglib2.0-dev:mips64el \
                       libglusterfs-dev:mips64el \
                       libgnutls28-dev:mips64el \

ci/containers/debian-sid-cross-ppc64le.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:ppc64el \
                       libcurl4-gnutls-dev:ppc64el \
                       libdevmapper-dev:ppc64el \
-                      libfuse-dev:ppc64el \
+                      libfuse3-dev:ppc64el \
                       libglib2.0-dev:ppc64el \
                       libglusterfs-dev:ppc64el \
                       libgnutls28-dev:ppc64el \

ci/containers/debian-sid-cross-s390x.Dockerfile

@@ -69,7 +69,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libcap-ng-dev:s390x \
                       libcurl4-gnutls-dev:s390x \
                       libdevmapper-dev:s390x \
-                      libfuse-dev:s390x \
+                      libfuse3-dev:s390x \
                       libglib2.0-dev:s390x \
                       libglusterfs-dev:s390x \
                       libgnutls28-dev:s390x \

ci/containers/debian-sid.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/fedora-42.Dockerfile

@@ -34,7 +34,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/fedora-43-cross-mingw32.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:42
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\

ci/containers/fedora-43-cross-mingw64.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:42
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\

ci/containers/fedora-43.Dockerfile

@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci
 
-FROM registry.fedoraproject.org/fedora:41
+FROM registry.fedoraproject.org/fedora:43
 
 RUN dnf install -y nosync && \
     printf '#!/bin/sh\n\
@@ -34,7 +34,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/fedora-rawhide.Dockerfile

@@ -35,7 +35,7 @@ exec "$@"\n' > /usr/bin/nosync && \
                dwarves \
                ebtables \
                firewalld-filesystem \
-               fuse-devel \
+               fuse3-devel \
                gcc \
                gettext \
                git \

ci/containers/opensuse-leap-15.Dockerfile

@@ -25,7 +25,7 @@ RUN zypper update -y && \
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/containers/opensuse-tumbleweed.Dockerfile

@@ -24,7 +24,7 @@ RUN zypper dist-upgrade -y && \
            diffutils \
            dwarves \
            ebtables \
-           fuse-devel \
+           fuse3-devel \
            gcc \
            gettext-runtime \
            git \

ci/containers/ubuntu-2204.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/containers/ubuntu-2404.Dockerfile

@@ -38,7 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                       libclang-rt-dev \
                       libcurl4-gnutls-dev \
                       libdevmapper-dev \
-                      libfuse-dev \
+                      libfuse3-dev \
                       libglib2.0-dev \
                       libglusterfs-dev \
                       libgnutls28-dev \

ci/gitlab/builds.yml

@@ -33,6 +33,32 @@ x86_64-almalinux-9-clang:
     TARGET_BASE_IMAGE: docker.io/library/almalinux:9
 
 
+x86_64-almalinux-10:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-almalinux-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    JOB_OPTIONAL: 1
+    NAME: almalinux-10
+    RPM: skip
+    TARGET_BASE_IMAGE: docker.io/library/almalinux:10
+
+
+x86_64-almalinux-10-clang:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-almalinux-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    CC: clang
+    NAME: almalinux-10
+    RPM: skip
+    TARGET_BASE_IMAGE: docker.io/library/almalinux:10
+
+
 x86_64-alpine-322:
   extends: .native_build_job
   needs:
@@ -70,6 +96,21 @@ x86_64-centos-stream-9:
       - libvirt-rpms
 
 
+x86_64-centos-stream-10:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-centos-stream-10-container
+      optional: true
+  allow_failure: false
+  variables:
+    NAME: centos-stream-10
+    TARGET_BASE_IMAGE: quay.io/centos/centos:stream10
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - libvirt-rpms
+
+
 x86_64-debian-12:
   extends: .native_build_job
   needs:
@@ -103,21 +144,6 @@ x86_64-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-x86_64-fedora-41:
-  extends: .native_build_job
-  needs:
-    - job: x86_64-fedora-41-container
-      optional: true
-  allow_failure: false
-  variables:
-    NAME: fedora-41
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:41
-  artifacts:
-    expire_in: 1 day
-    paths:
-      - libvirt-rpms
-
-
 x86_64-fedora-42:
   extends: .native_build_job
   needs:
@@ -133,6 +159,21 @@ x86_64-fedora-42:
       - libvirt-rpms
 
 
+x86_64-fedora-43:
+  extends: .native_build_job
+  needs:
+    - job: x86_64-fedora-43-container
+      optional: true
+  allow_failure: false
+  variables:
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - libvirt-rpms
+
+
 x86_64-fedora-rawhide:
   extends: .native_build_job
   needs:
@@ -416,29 +457,29 @@ s390x-debian-sid:
     TARGET_BASE_IMAGE: docker.io/library/debian:sid-slim
 
 
-mingw32-fedora-42:
+mingw32-fedora-43:
   extends: .cross_build_job
   needs:
-    - job: mingw32-fedora-42-container
+    - job: mingw32-fedora-43-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw32
     JOB_OPTIONAL: 1
-    NAME: fedora-42
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
 
 
-mingw64-fedora-42:
+mingw64-fedora-43:
   extends: .cross_build_job
   needs:
-    - job: mingw64-fedora-42-container
+    - job: mingw64-fedora-43-container
       optional: true
   allow_failure: false
   variables:
     CROSS: mingw64
-    NAME: fedora-42
-    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:42
+    NAME: fedora-43
+    TARGET_BASE_IMAGE: registry.fedoraproject.org/fedora:43
 
 
 mingw32-fedora-rawhide:

ci/gitlab/containers.yml

@@ -14,6 +14,13 @@ x86_64-almalinux-9-container:
     NAME: almalinux-9
 
 
+x86_64-almalinux-10-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: almalinux-10
+
+
 x86_64-alpine-322-container:
   extends: .container_job
   allow_failure: false
@@ -35,6 +42,13 @@ x86_64-centos-stream-9-container:
     NAME: centos-stream-9
 
 
+x86_64-centos-stream-10-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: centos-stream-10
+
+
 x86_64-debian-12-container:
   extends: .container_job
   allow_failure: false
@@ -49,13 +63,6 @@ x86_64-debian-sid-container:
     NAME: debian-sid
 
 
-x86_64-fedora-41-container:
-  extends: .container_job
-  allow_failure: false
-  variables:
-    NAME: fedora-41
-
-
 x86_64-fedora-42-container:
   extends: .container_job
   allow_failure: false
@@ -63,6 +70,13 @@ x86_64-fedora-42-container:
     NAME: fedora-42
 
 
+x86_64-fedora-43-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: fedora-43
+
+
 x86_64-fedora-rawhide-container:
   extends: .container_job
   allow_failure: true
@@ -220,19 +234,19 @@ s390x-debian-sid-container:
     NAME: debian-sid-cross-s390x
 
 
-mingw32-fedora-42-container:
+mingw32-fedora-43-container:
   extends: .container_job
   allow_failure: false
   variables:
     JOB_OPTIONAL: 1
-    NAME: fedora-42-cross-mingw32
+    NAME: fedora-43-cross-mingw32
 
 
-mingw64-fedora-42-container:
+mingw64-fedora-43-container:
   extends: .container_job
   allow_failure: false
   variables:
-    NAME: fedora-42-cross-mingw64
+    NAME: fedora-43-cross-mingw64
 
 
 mingw32-fedora-rawhide-container:

ci/integration.yml

@@ -29,23 +29,23 @@ centos-stream-9-tests:
 # and libvirt-python CI jobs, so the new target needs to be introduced
 # there before it can be used here. The VM template for the target
 # also needs to be created on the runner host.
-fedora-41-tests:
+fedora-43-tests:
   extends: .integration_tests
   variables:
     # needed by libvirt-gitlab-executor
-    DISTRO: fedora-41
+    DISTRO: fedora-43
     # can be overridden in forks to set a different runner tag
     LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
   tags:
     - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
   needs:
-    - x86_64-fedora-41
+    - x86_64-fedora-43
     - project: libvirt/libvirt-perl
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
     - project: libvirt/libvirt-python
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
 
@@ -53,22 +53,22 @@ fedora-41-tests:
 # and libvirt-python CI jobs, so the new target needs to be introduced
 # there before it can be used here. The VM template for the target
 # also needs to be created on the runner host.
-.fedora-41-upstream-qemu-tests:
+.fedora-43-upstream-qemu-tests:
   extends: .integration_tests
   variables:
     # needed by libvirt-gitlab-executor
-    DISTRO: fedora-41
+    DISTRO: fedora-43
     # can be overridden in forks to set a different runner tag
     LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
   tags:
     - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
   needs:
-    - x86_64-fedora-41
+    - x86_64-fedora-43
     - project: libvirt/libvirt-perl
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true
     - project: libvirt/libvirt-python
-      job: x86_64-fedora-41
+      job: x86_64-fedora-43
       ref: master
       artifacts: true

ci/lcitool/projects/libvirt.yml

@@ -19,7 +19,7 @@ packages:
   - ebtables
   - firewalld-filesystem
   - flake8
-  - fuse
+  - fuse3
   - gcc
   - gettext
   - gettext-native

ci/manifest.yml

@@ -19,6 +19,19 @@ targets:
           RPM: skip
           CC: clang
 
+  almalinux-10:
+    jobs:
+      - arch: x86_64
+        builds: false
+        variables:
+          RPM: skip
+
+      - arch: x86_64
+        suffix: -clang
+        variables:
+          RPM: skip
+          CC: clang
+
   alpine-322: x86_64
 
   alpine-edge:
@@ -34,6 +47,14 @@ targets:
           paths:
             - libvirt-rpms
 
+  centos-stream-10:
+    jobs:
+      - arch: x86_64
+        artifacts:
+          expire_in: 1 day
+          paths:
+            - libvirt-rpms
+
   debian-12:
     jobs:
       - arch: x86_64
@@ -104,7 +125,7 @@ targets:
         containers: false
         builds: false
 
-  fedora-41:
+  fedora-42:
     jobs:
       - arch: x86_64
         artifacts:
@@ -112,7 +133,7 @@ targets:
           paths:
             - libvirt-rpms
 
-  fedora-42:
+  fedora-43:
     jobs:
       - arch: x86_64
         artifacts:

docs/apps.rst

@@ -185,6 +185,10 @@ Infrastructure as a Service (IaaS)
    software-defined datacenter. The key strengths of ZStack in terms of
    management are scalability, performance, and a fast, user-friendly
    deployment.
+`Apache CloudStack <https://cloudstack.apache.org/>`__
+   Apache CloudStack™ is an open-source software system designed to
+   deploy and manage large networks of virtual machines, as a highly available,
+   highly scalable Infrastructure as a Service (IaaS) cloud computing platform.
 
 Libraries
 ---------

docs/css/local.css

@@ -0,0 +1,3 @@
+@import url(libvirt.css);
+@import url(libvirt-api.css);
+@import url(mobile-libvirt.css);

docs/css/main.css

@@ -1,7 +1,5 @@
 @import url(fonts.css);
 @import url(generic.css);
-@import url(libvirt.css);
-@import url(libvirt-api.css);
 @import url(libvirt-template.css);
 @import url(mobile-template.css);
-@import url(mobile-libvirt.css);
+@import url(local.css);

docs/css/meson.build

@@ -4,6 +4,7 @@ docs_css_files = [
   'libvirt.css',
   'libvirt-api.css',
   'libvirt-template.css',
+  'local.css',
   'main.css',
   'mobile-template.css',
   'mobile-libvirt.css',

docs/drvbhyve.rst

@@ -393,7 +393,7 @@ exposed to the guest using the ``vgaconf`` attribute:
 
 If not specified, bhyve's default mode for ``vgaconf`` will be used. Please
 refer to the
-`bhyve(8) <https://www.freebsd.org/cgi/man.cgi?query=bhyve&sektion=8&manpath=FreeBSD+12-current>`__
+`bhyve(8) <https://www.freebsd.org/cgi/man.cgi?query=bhyve&sektion=8>`__
 manual page and the `bhyve wiki <https://wiki.freebsd.org/bhyve>`__ for more
 details on using the ``vgaconf`` option.
 
@@ -429,6 +429,16 @@ Note: VNC password authentication is known to be cryptographically weak.
 Additionally, the password is passed as a command line argument in clear text.
 Make sure you understand the risks associated with this feature before using it.
 
+:since:`Since 11.10.0`, the guest can be configured to wait for an incoming
+VNC connection before booting:
+
+::
+
+    <graphics type='vnc' port='5904' wait='yes'>
+      <listen type='address' address='127.0.0.1'/>
+    </graphics>
+
+
 Clock configuration
 ~~~~~~~~~~~~~~~~~~~
 
@@ -659,3 +669,43 @@ As ``bhyve(1)`` uses one NVMe device per PCI address, it's modeled in a way
 that there is one device per controller. That is, if using more than one
 NVMe device, for device name users should increment controller number rather
 than namespace number, i.e.: ``nvme0n1``, ``nvme1n1``, etc.
+
+Device passthrough
+~~~~~~~~~~~~~~~~~~
+:since:`Since 11.10.0`, it is possible to passthrough PCI devices.
+
+Example:
+
+::
+
+  ...
+    <hostdev mode='subsystem' type='pci' managed='no'>
+      <source>
+        <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+      </source>
+    </hostdev>
+  ...
+
+Using passthrough devices requires wiring guest memory, see `Wiring guest memory`_.
+
+Note: currently, the `nodedev <drvnodedev.html>`_ driver is not supported
+on FreeBSD.
+Users must configure the device for passthrough manually either by
+using ``devctl(8)`` or by setting ``pptdevs`` in ``loader.conf(5)``.
+Please refer to the ``vmm(4)`` manual page for more details.
+
+Guest-specific considerations
+-----------------------------
+
+Windows
+~~~~~~~
+
+For Windows guests, it is recommended to have the LPC controller on slot 31.
+As the libvirt driver allocates slot 1 for the LPC controller by default,
+the address must be specified explicitly:
+
+::
+
+    <controller type='isa' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x0'/>
+    </controller>

docs/formatdomain.rst

@@ -3378,6 +3378,11 @@ paravirtualized driver is specified via the ``disk`` element.
    :since:`since after 0.4.4`; "sata" attribute value :since:`since 0.9.7`;
    "removable" attribute value :since:`since 1.1.3`;
    "rotation_rate" attribute value :since:`since 7.3.0`
+   The optional attribute ``dpofua`` (:since:`Since 11.10.0, only QEMU driver`)
+   controls the support of DPO(Disable Page Out) and FUA(Force Unit Access)
+   properties of a SCSI disk cache access (both must be present or absent).
+   If the value is omitted hypervisor default is applied (which may depend on
+   the machine type version) and is the suggested setting.
 ``throttlefilters``
    The optional ``throttlefilters`` element provides the ability to provide additional
    per-device throttle chain :since:`Since 11.2.0`
@@ -3597,6 +3602,23 @@ paravirtualized driver is specified via the ``disk`` element.
           </iothreads>
         </driver>
 
+   - The optional ``statistics`` sub-element allows configuring statistics
+     collection in configurable intervals for the given disk. Intervals are
+     configured by ``<statistic>`` sub-elements with ``interval`` attribute
+     configuring the collection window duration in seconds. The statistics
+     are available via the bulk statistics API.
+
+     Example::
+
+       <driver name='qemu'>
+         <statistics>
+           <statistic interval='1'/>
+           <statistic interval='10'/>
+         </statistics>
+       </driver>
+
+    :since:`Since 11.9.0 (QEMU 10.2, virtio, ide, scsi disks only)`.
+
    -  The optional ``queues`` attribute specifies the number of virt queues for
       virtio-blk ( :since:`Since 3.9.0` ) or vhost-user-blk
       ( :since:`Since 7.1.0` )
@@ -6885,6 +6907,10 @@ interaction with the admin.
       ID is specified, then the default audio backend will be used.
       :since:`Since 7.2.0, qemu`.
 
+      The optional ``wait`` attribute, when set to ``yes``, causes the guest
+      to wait for an incoming VNC connection before booting.
+      :since:`Since 11.10.0, bhyve`.
+
    ``spice`` :since:`Since 0.8.6`
       Starts a SPICE server. The ``port`` attribute specifies the TCP port
       number (with -1 as legacy syntax indicating that it should be
@@ -8359,8 +8385,8 @@ The watchdog device requires an additional driver and management daemon in the
 guest. Just enabling the watchdog in the libvirt configuration does not do
 anything useful on its own.
 
-Currently libvirt does not support notification when the watchdog fires. This
-feature is planned for a future version of libvirt.
+:since:`Since 0.8.0`, a notification is available when the watchdog fires, using
+the event ID ``VIR_DOMAIN_EVENT_ID_WATCHDOG``.
 
 Having multiple watchdogs is usually not something very common, but be aware
 that this might happen, for example, when an implicit watchdog device is added
@@ -9221,6 +9247,10 @@ Example:
       Enable x2APIC mode. Useful for higher number of guest CPUs.
       :since:`Since 11.5.0` (QEMU/KVM and ``amd`` model only)
 
+   ``pciBus``
+      The ``pciBus`` attribute notes the index of the controller that an
+      IOMMU device is attached to. (QEMU/KVM and ``smmuv3`` model only)
+
 The ``virtio`` IOMMU devices can further have ``address`` element as described
 in `Device addresses`_ (address has to by type of ``pci``).
 

docs/formatdomaincaps.rst

@@ -871,7 +871,7 @@ are supported. The ``features`` enum corresponds to the ``<hyperv/>`` element
 (well, its children) as documented in `Hypervisor features
 <formatdomain.html#hypervisor-features>`__. The ``defaults`` element then
 contains child elements describing default values as reported by hypervisor,
-e.h. whether direct or extended TLB flushes are available. :since:`(since
+e.g. whether direct or extended TLB flushes are available. :since:`(since
 11.9.0)`
 
 Launch security

docs/go/meson.build

@@ -33,7 +33,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/html/meson.build

@@ -101,7 +101,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/index.rst

@@ -34,7 +34,8 @@ Quick Links
   Already a regular open source contributor and have git set up? Have a quick
   look at how to propose your changes to libvirt correctly
 `Security vulnerabilities <securityprocess.html>`__
-  View security notices and report vulnerabilities to the libvirt security
+  View `security notices <https://security.libvirt.org>`__ and
+  `report vulnerabilities <securityprocess.html>`__ to the libvirt security
   response team
 `Bug reporting <bugs.html>`__
   View and report bugs in libvirt packages

docs/kbase/internals/meson.build

@@ -42,7 +42,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/kbase/live_full_disk_backup.rst

@@ -1,3 +1,5 @@
+.. role:: since
+
 ===============================
 Efficient live full disk backup
 ===============================
@@ -84,6 +86,24 @@ This requires libvirt-7.2.0 and QEMU-4.2, or higher versions.
     15M -rw-r--r--. 1 qemu qemu 15M May 10 12:22 vm1.qcow2
     21M -rw-------. 1 root root 21M May 10 12:23 vm1.qcow2.1620642185
 
+Shutdown of the guest OS during backup
+--------------------------------------
+
+The backup job is a long running job, potentially copying a lot of data, which
+requires the VM to be active (The backup is done by the qemu process) and
+can't be continued if the VM shuts down. This includes shut down initiated by
+the guest OS itself.
+
+:since:`Since libvirt-11.10` the ``virDomainBackupBegin()`` supports the
+``VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN`` flag
+(``virsh backup-begin --preserve-domain-on-shutdown``) which instructs libvirt
+to avoid termination of the VM if the guest OS shuts down while the backup is
+still running. The VM is in that scenario reset and paused instead of terminated
+allowing the backup to finish. Once the backup finishes the VM process is
+terminated. Users can resume the VM (e.g. ``virsh resume``) which causes it
+to boot normally using the existing VM process and will continue to run after
+completion of the backup job.
+
 
 Full backup with older libvirt versions
 =======================================

docs/kbase/meson.build

@@ -53,7 +53,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/kbase/tlscerts.rst

@@ -75,6 +75,25 @@ in the path specified, otherwise the connection will fail with a fatal error. If
 
 -  For the root user, the global default locations will always be used.
 
+Multiple parallel certificate identities
+----------------------------------------
+
+Any scenario that requires a certificate identify (``servercert.pem`` /
+``serverkey.pem`` and ``clientcert.pem`` / ``clientkey.pem``) can optionally
+provide multiple parallel identities via a new indexed file naming
+scheme. The new filenames are ``servercertNN.pem`` / ``serverkeyNN.pem``
+and ``clientcertNN.pem`` / ``clientkeyNN.pem``, for values of ``NN`` between
+0 and 3 inclusive.
+
+The new naming can be used instead of the old naming, or concurrently
+with the old naming. The old file names will be loaded first (if
+present), followed by the indexed file names. Loading will stop at
+the first missing index value. ie if ``servercert1.pem`` is not present,
+then no attempt will be made to load ``servercert2.pem`` or ``servercert3.pem``.
+
+If multiple CA certificates are required they must all be concatenated
+into the single ``cacert.pem`` file.
+
 Background to TLS certificates
 ------------------------------
 
@@ -326,6 +345,75 @@ briefly cover the steps.
       cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem
       cp clientcert.pem /etc/pki/libvirt/clientcert.pem
 
+Configuring for Post-Quantum Cryptography
+-----------------------------------------
+
+Given a new enough gnutls release, suitably integrated & configured with the
+operating system crypto policies, libvirt is able to support post-quantum
+crytography on TLS enabled services, either exclusively or in a hybrid mode.
+
+In exclusive mode, only a single set of certificates need to be configured
+for libvirt, with PQC compliant algorithms. Such a libvirt configuration will
+only be able to interoperate with other libvirt daemons that also have PQC
+enabled. This can result in compatibility concerns during the period of
+transition over to PQC compliant algorithms.
+
+In hybrid mode, multiple sets of certificates need to be configured for libvirt,
+at least one set with traditional (non-PQC compliant) algorithms, and at least
+one other set with modern (PQC compliant) algorithms. At time of the TLS
+handshake, the GNUTLS algorithm priorities should ensure that PQC compliant
+algorithms are negotiated if both sides of the connection support PQC. If one
+side lacks PQC, the TLS handshake should fallback to the non-PQC algorithms.
+This can assist with interoperability during the transition to PQC, but has a
+potential weakness wrt downgrade attacks forcing use of non-PQC algorithms.
+Exclusive PQC mode should be preferred where both peers in the TLS connections
+are known to support PQC.
+
+Key generation parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To create certificates with PQC compliant algorithms, the ``--key-type``
+argument must be passed to ``certtool`` when creating private keys. No
+extra arguments are required for the other ``certtool`` commands, as
+their behaviour will be determined by the private key type.
+
+The typical PQC compliant algorithms to use are ``ML-DSA-44``, ``ML-DSA-65``
+and ``ML-DSA-87``, with ``ML-DSA-65`` being a suitable default choice in
+the absence of explicit requirements.
+
+Taking the example earlier, for creating a key for a client certificate,
+to use ``ML-DSA-65`` the command line would be modified to look like::
+
+   # certtool --generate-privkey --key-type=mldsa65 > clientkey.pem
+
+The equivalent modification applies to the creation of the private keys
+used for server certs, or root/intermediate CA certs.
+
+For hybrid mode, the additional indexed certificate naming must be used.
+If multiple configured certificates are compatible with the mutually
+supported crypto algorithms between the client and server, then the
+first matching certificate will be used.
+
+IOW, to ensure that PQC certificates are preferred, they must use a
+non-index based filename, or use an index that is smaller than any
+non-PQC certificates. ie, ``servercert.pem`` for PQC and ``servercert0.pem``
+for non-PQC, or ``servercert0.pem`` for PQC and ``servercert1.pem`` for
+non-PQC.
+
+Force disabling PQC via crypto priority
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If the OS configuration for system crypto algorithm priorities has
+enabled PQC, this can (optionally) be overriden in libvirt server
+configuration. To disable use of PQC set the ``tls_priority``
+parameter in the ``libvirtd.conf`` / ``virtproxyd.conf`` files:
+
+  tls_priority = "@SYSTEM:-SIGN-ML-DSA-65:-SIGN-ML-DSA-44:-SIGN-ML-DSA-87:-GROUP-X25519-MLKEM768:-GROUP-SECP256R1-MLKEM768:-GROUP-SECP384R1-MLKEM1024"
+
+On the client side this can be overriden using the ``tls_priority``
+URI parameter in the libvirt connection address.
+
+
 Troubleshooting TLS certificate problems
 ----------------------------------------
 

docs/logos/meson.build

@@ -62,7 +62,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/manpages/meson.build

@@ -152,7 +152,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/manpages/virsh.rst

@@ -2186,6 +2186,7 @@ backup-begin
 ::
 
    backup-begin domain [backupxml] [checkpointxml] [--reuse-external]
+       [--preserve-domain-on-shutdown]
 
 Begin a new backup job. If *backupxml* is omitted, this defaults to a full
 backup using a push model to filenames generated by libvirt; supplying XML
@@ -2199,6 +2200,11 @@ libvirt. For more information on backup XML, see:
 If *--reuse-external* is used it instructs libvirt to reuse temporary
 and output files provided by the user in *backupxml*.
 
+When the *--preserve-domain-on-shutdown* flag is used libvirt will not
+terminate the VM if the guest OS shuts down while the backup is running. The VM
+will be instead kept in VIR_DOMAIN_PAUSED state until the backup job finishes.
+The vm can be also resumed in order to boot again.
+
 If *checkpointxml* is specified, a second file with a top-level
 element of *domaincheckpoint* is used to create a simultaneous
 checkpoint, for doing a later incremental backup relative to the time
@@ -2751,6 +2757,60 @@ Information listed includes:
 * ``block.<num>.physical`` - physical size of source file in bytes
 * ``block.<num>.threshold`` - threshold (in bytes) for delivering the
   VIR_DOMAIN_EVENT_ID_BLOCK_THRESHOLD event. See domblkthreshold.
+* ``block.<num>.limits.request_alignment`` - Alignment requirement for requests
+  in bytes
+* ``block.<num>.limits.discard_max`` - Maximum number of bytes that can be
+  discarded at once
+* ``block.<num>.limits.discard_alignment`` - Optimal alignment for discard
+  requests in bytes
+* ``block.<num>.limits.write_zeroes_max`` - Maximum number of bytes that can be
+  zeroed out at once
+* ``block.<num>.limits.write_zeroes_alignment`` - Optimal alignment for
+  write_zeroes requests in bytes
+* ``block.<num>.limits.transfer_optimal`` - Optimal transfer length in bytes
+* ``block.<num>.limits.transfer_max`` - Maximal transfer length in bytes
+* ``block.<num>.limits.transfer_hw_max`` - Maximal hardware transfer length of
+  requests bypassing kernel IO scheduler in bytes
+* ``block.<num>.limits.iov_max`` - Maximum number of scatter/gather elements
+* ``block.<num>.limits.iov_hw_max`` - Maximal number of scatter/gather elements
+  of requests bypassing kernel IO scheduler
+* ``block.<num>.limits.memory_alignment_minimal`` - memory alignment in bytes so
+  that no bounce buffer is needed
+* ``block.<num>.limits.memory_alignment_optimal`` - memory alignment in bytes
+  that is used for bounce buffers
+* ``block.<num>.timed_group.count`` - number of blocks of timed group statistics
+* ``block.<num>.timed_group.<num>.interval_length`` - The time interval in
+  seconds for which the statistics in this group were collected.
+* ``block.<num>.timed_group.<num>.rd_latency_min`` - minimum latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_latency_max`` - maximum latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_latency_avg`` - average latency of read
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_min`` - minimum latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_max`` - maximum latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.wr_latency_avg`` - average latency of write
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_min`` - minimum latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_max`` - maximum latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.zone_append_latency_avg`` - average latency
+  of zone append operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_min`` - minimum latency
+  of flush operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_max`` - maximum latency of flush
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.flush_latency_avg`` - average latency of flush
+  operations in the defined interval in nanoseconds
+* ``block.<num>.timed_group.<num>.rd_queue_depth_avg`` - average number of
+  pending read operations in the defined interval
+* ``block.<num>.timed_group.<num>.wr_queue_depth_avg`` - average number of
+  pending write operations in the defined interval
+* ``block.<num>.timed_group.<num>.zone_append_queue_depth_avg`` - average number
+  of pending zone append operations in the defined interval
 
 
 *--iothread* returns information about IOThreads on the running guest

docs/meson.build

@@ -301,7 +301,9 @@ foreach data : html_xslt_gen
       '--stringparam', 'pagesrc', data.get('source', ''),
       '--stringparam', 'builddir', meson.project_build_root(),
       '--stringparam', 'timestamp', docs_timestamp,
-      '--stringparam', 'href_base', data.get('href_base', ''),
+      '--stringparam', 'link_href_base', data.get('href_base', ''),
+      '--stringparam', 'asset_href_base', data.get('href_base', ''),
+      '--stringparam', 'edit_href_base', 'https://gitlab.com/libvirt/libvirt/-/blob/master/',
       '--nonet',
       site_xsl,
       '@INPUT@',

docs/page.xsl

@@ -19,6 +19,7 @@
     <xsl:param name="timestamp"/>
     <xsl:param name="link_href_base"/>
     <xsl:param name="asset_href_base"/>
+    <xsl:param name="edit_href_base"/>
     <xsl:text disable-output-escaping="yes">&lt;!DOCTYPE html&gt;
 </xsl:text>
     <html lang="en" data-sourcedoc="{$pagesrc}">
@@ -105,11 +106,11 @@
               <li><a href="https://serverfault.com/questions/tagged/libvirt">serverfault</a></li>
             </ul>
           </div>
-          <xsl:if test="$pagesrc != ''">
+          <xsl:if test="$pagesrc != '' and $edit_href_base != ''">
             <div id="contribute">
               <h3>Contribute</h3>
               <ul>
-                <li><a href="https://gitlab.com/libvirt/libvirt/-/blob/master/{$pagesrc}">edit this page</a></li>
+                <li><a href="{$edit_href_base}{$pagesrc}">edit this page</a></li>
               </ul>
             </div>
           </xsl:if>

docs/site.xsl

@@ -28,8 +28,9 @@
     <xsl:apply-templates select="." mode="page">
       <xsl:with-param name="pagesrc" select="$pagesrc"/>
       <xsl:with-param name="timestamp" select="$timestamp"/>
-      <xsl:with-param name="link_href_base" select="$href_base"/>
-      <xsl:with-param name="asset_href_base" select="$href_base"/>
+      <xsl:with-param name="link_href_base" select="$link_href_base"/>
+      <xsl:with-param name="asset_href_base" select="$asset_href_base"/>
+      <xsl:with-param name="edit_href_base" select="$edit_href_base"/>
     </xsl:apply-templates>
   </xsl:template>
 

examples/c/misc/event-test.c

@@ -180,6 +180,9 @@ eventDetailToString(int event,
             case VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY_FAILED:
                 return "Post-copy Error";
 
+            case VIR_DOMAIN_EVENT_SUSPENDED_GUEST_SHUTDOWN:
+                return "guest OS shutdown";
+
             case VIR_DOMAIN_EVENT_SUSPENDED_LAST:
                 break;
             }

include/libvirt/libvirt-domain.h

@@ -3488,6 +3488,332 @@ struct _virDomainStatsRecord {
  */
 # define VIR_DOMAIN_STATS_BLOCK_SUFFIX_THRESHOLD ".threshold"
 
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_REQUEST_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Alignment requirement, in bytes, for offset/length of I/O requests, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_REQUEST_ALIGNMENT ".limits.request_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of bytes that can be discarded at once, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_MAX ".limits.discard_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal alignment for discard requests in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_DISCARD_ALIGNMENT ".limits.discard_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of bytes that can be zeroed out at once, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_MAX ".limits.write_zeroes_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_ALIGNMENT:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal alignment for write_zeroes requests in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_WRITE_ZEROES_ALIGNMENT ".limits.write_zeroes_alignment"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_OPTIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Optimal transfer length in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_OPTIMAL ".limits.transfer_optimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal transfer length in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_MAX ".limits.transfer_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_HW_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal hardware transfer length of requests bypassing kernel IO scheduler
+ * in bytes, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_TRANSFER_HW_MAX ".limits.transfer_hw_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximum number of scatter/gather elements, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_MAX ".limits.iov_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_HW_MAX:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * Maximal number of scatter/gather elements of requests bypassing kernel IO
+ * scheduler, as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_IOV_HW_MAX ".limits.iov_hw_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_MINIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * memory alignment in bytes so that no bounce buffer is needed, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_MINIMAL ".limits.memory_alignment_minimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_OPTIMAL:
+ *
+ * limits represent constraints on individual operations as imposed by the
+ * backing file storage technology.
+ *
+ * memory alignment in bytes that is used for bounce buffers, as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_LIMITS_MEMORY_ALIGNMENT_OPTIMAL ".limits.memory_alignment_optimal"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_COUNT:
+ *
+ * Number of groups of statistics accounted in a configured time intervals as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_COUNT ".timed_group.count"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_PREFIX:
+ *
+ * The parameter name prefix to access each group of timed stats. Concatenate the
+ * prefix, the entry number formatted as an unsigned integer and one of the
+ * timed group suffix parameters to form a complete paramter name.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_PREFIX ".timed_group."
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_INTERVAL:
+ *
+ * The time interval in seconds as unsigned long long for which the statistics
+ * in this group were collected.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_INTERVAL ".interval"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MIN:
+ *
+ * Minimum latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MIN ".rd_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MAX:
+ *
+ * Maximum latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_MAX ".rd_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_AVG:
+ *
+ * Average latency of read operations in the defined interval, in nanoseconds as
+ * unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_LATENCY_AVG ".rd_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MIN:
+ *
+ * Minimum latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MIN ".wr_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MAX:
+ *
+ * Maximum latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_MAX ".wr_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_AVG:
+ *
+ * Average latency of write operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_LATENCY_AVG ".wr_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MIN:
+ * Minimum latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MIN ".zone_append_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MAX:
+ *
+ * Maximum latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_MAX ".zone_append_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_AVG:
+ *
+ * Average latency of zone append operations in the defined interval, in
+ * nanoseconds as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_LATENCY_AVG ".zone_append_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MIN:
+ *
+ * Minimum latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MIN ".flush_latency_min"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MAX:
+ *
+ * Maximum latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_MAX ".flush_latency_max"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_AVG:
+ *
+ * Average latency of flush operations in the defined interval, in nanoseconds
+ * as unsigned long long.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_FLUSH_LATENCY_AVG ".flush_latency_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending read operations in the defined interval as double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_RD_QUEUE_DEPTH_AVG ".rd_queue_depth_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending write operations in the defined interval as double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_WR_QUEUE_DEPTH_AVG ".wr_queue_depth_avg"
+
+/**
+ * VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_QUEUE_DEPTH_AVG:
+ *
+ * Average number of pending zone append operations in the defined interval as
+ * double.
+ *
+ * Since: 11.10.0
+ */
+# define VIR_DOMAIN_STATS_BLOCK_SUFFIX_TIMED_GROUP_SUFFIX_ZONE_APPEND_QUEUE_DEPTH_AVG ".zone_append_queue_depth_avg"
 
 /**
  * VIR_DOMAIN_STATS_PERF_CMT:
@@ -5075,6 +5401,7 @@ typedef enum {
     VIR_DOMAIN_EVENT_SUSPENDED_API_ERROR = 6, /* Some APIs (e.g., migration, snapshot) internally need to suspend a domain. This event detail is used when resume operation at the end of such API fails. (Since: 1.0.1) */
     VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY = 7, /* suspended for post-copy migration (Since: 1.3.3) */
     VIR_DOMAIN_EVENT_SUSPENDED_POSTCOPY_FAILED = 8, /* suspended after failed post-copy (Since: 1.3.3) */
+    VIR_DOMAIN_EVENT_SUSPENDED_GUEST_SHUTDOWN = 9, /* suspended after guest os shut-down (a long running job is preserving the VM until completion) (Since: 11.10.0) */
 
 # ifdef VIR_ENUM_SENTINELS
     VIR_DOMAIN_EVENT_SUSPENDED_LAST /* (Since: 0.9.10) */
@@ -8191,8 +8518,10 @@ int virDomainAgentSetResponseTimeout(virDomainPtr domain,
  * Since: 6.0.0
  */
 typedef enum {
-    VIR_DOMAIN_BACKUP_BEGIN_REUSE_EXTERNAL = (1 << 0), /* reuse separately
-                                                          provided images (Since: 6.0.0) */
+    /* reuse separately provided images (Since: 6.0.0) */
+    VIR_DOMAIN_BACKUP_BEGIN_REUSE_EXTERNAL = (1 << 0),
+    /* preserve the domain if the guest OS shuts down while the backup is running (Since: 11.10.0) */
+    VIR_DOMAIN_BACKUP_BEGIN_PRESERVE_SHUTDOWN_DOMAIN = (1 << 1),
 } virDomainBackupBeginFlags;
 
 int virDomainBackupBegin(virDomainPtr domain,

libvirt.spec.in

@@ -6,7 +6,7 @@
 %define min_rhel 9
 %define min_fedora 41
 
-%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x riscv64
+%define arches_qemu_kvm         %{ix86} x86_64 %{power64} aarch64 s390x riscv64
 %if 0%{?rhel}
     %if 0%{?rhel} >= 10
         %define arches_qemu_kvm     x86_64 aarch64 s390x riscv64
@@ -32,12 +32,22 @@
 %define arches_ch               x86_64 aarch64
 
 # The hypervisor drivers that run in libvirtd
-%define with_qemu          0%{!?_without_qemu:1}
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_libxl         0%{!?_without_libxl:1}
 %define with_vbox          0%{!?_without_vbox:1}
 %define with_ch            0%{!?_without_ch:1}
 
+%ifarch %{arches_64bit}
+    %define with_qemu      0%{!?_without_qemu:1}
+%else
+    # QEMU drops 32-bit in Fedora 44
+    %if %{?fedora} > 43
+        %define with_qemu  0
+    %else
+        %define with_qemu  0%{!?_without_qemu:1}
+    %endif
+%endif
+
 %ifarch %{arches_qemu_kvm}
     %define with_qemu_kvm      %{with_qemu}
 %else
@@ -76,8 +86,10 @@
     %define with_storage_gluster 0
 %endif
 
-# Fedora had zfs-fuse until F43
-%if 0%{?fedora} && 0%{?fedora} < 43
+# On Fedora 43, the 'zfs-fuse' package was removed, but is obtainable via
+# other means. Build the backend, but it's no longer considered to be part
+# of 'daemon-driver-storage'.
+%if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
     %define with_storage_zfs      0
@@ -91,7 +103,6 @@
 
 # Other optional features
 %define with_numactl          0%{!?_without_numactl:1}
-%define with_userfaultfd_sysctl 0%{!?_without_userfaultfd_sysctl:1}
 
 # A few optional bits off by default, we enable later
 %define with_fuse             0
@@ -259,12 +270,6 @@
     %define enable_werror -Dwerror=false -Dgit_werror=disabled
 %endif
 
-# Fedora and RHEL-9 are new enough to support /dev/userfaultfd, which
-# does not require enabling vm.unprivileged_userfaultfd sysctl.
-%if 0%{?fedora} || 0%{?rhel}
-    %define with_userfaultfd_sysctl 0
-%endif
-
 %define tls_priority "@LIBVIRT,SYSTEM"
 
 # libvirt 8.1.0 stops distributing any sysconfig files.
@@ -404,7 +409,7 @@ BuildRequires: numactl-devel
     %endif
 BuildRequires: libcap-ng-devel >= 0.5.0
     %if %{with_fuse}
-BuildRequires: fuse-devel >= 2.8.6
+BuildRequires: fuse3-devel
     %endif
     %if %{with_libssh2}
 BuildRequires: libssh2-devel >= 1.3.0
@@ -674,9 +679,6 @@ Requires: /usr/bin/qemu-img
 Obsoletes: libvirt-daemon-driver-storage-rbd < 5.2.0
     %endif
 Obsoletes: libvirt-daemon-driver-storage-sheepdog < 8.8.0
-    %if !%{with_storage_zfs}
-Obsoletes: libvirt-daemon-driver-storage-zfs < 11.4.0
-    %endif
 
 %description daemon-driver-storage-core
 The storage driver plugin for the libvirtd daemon, providing
@@ -777,9 +779,13 @@ volumes using the ceph protocol.
 Summary: Storage driver plugin for ZFS
 Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-# Support any conforming implementation of zfs
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. The package builds fine without these. Users will have to provide
+# their own implementation.
+        %if 0%{?fedora} && 0%{?fedora} < 43
 Requires: /sbin/zfs
 Requires: /sbin/zpool
+        %endif
 
 %description daemon-driver-storage-zfs
 The storage driver backend adding implementation of the storage APIs for
@@ -803,7 +809,10 @@ Requires: libvirt-daemon-driver-storage-gluster = %{version}-%{release}
     %if %{with_storage_rbd}
 Requires: libvirt-daemon-driver-storage-rbd = %{version}-%{release}
     %endif
-    %if %{with_storage_zfs}
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. We do not want to install this as part of 'daemon-driver-storage'
+# any more.
+    %if %{with_storage_zfs} && 0%{?fedora} && 0%{?fedora} < 43
 Requires: libvirt-daemon-driver-storage-zfs = %{version}-%{release}
     %endif
 
@@ -1329,12 +1338,6 @@ exit 1
     %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
-%if %{with_userfaultfd_sysctl}
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=enabled
-%else
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=disabled
-%endif
-
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1418,7 +1421,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dqemu_datadir=%{qemu_datadir} \
            -Dtls_priority=%{tls_priority} \
            -Dsysctl_config=enabled \
-           %{?arg_userfaultfd_sysctl} \
            -Dssh_proxy=enabled \
            %{?enable_werror} \
            -Dexpensive_tests=enabled \
@@ -1506,7 +1508,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dstorage_vstorage=disabled \
   -Dstorage_zfs=disabled \
   -Dsysctl_config=disabled \
-  -Duserfaultfd_sysctl=disabled \
   -Dssh_proxy=disabled \
   -Dtests=disabled \
   -Dudev=disabled \
@@ -2314,9 +2315,6 @@ exit 0
     %if %{with_qemu}
 %files daemon-driver-qemu
 %config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
-        %if %{with_userfaultfd_sysctl}
-%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
-        %endif
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service

meson.build

@@ -1,6 +1,6 @@
 project(
   'libvirt', 'c',
-  version: '11.9.0',
+  version: '11.10.0',
   license: 'LGPLv2+',
   meson_version: '>= 0.57.0',
   default_options: [
@@ -2029,13 +2029,18 @@ elif get_option('sysctl_config').enabled()
   error('sysctl configuration is supported only on linux')
 endif
 
-if not get_option('userfaultfd_sysctl').disabled() and conf.has('WITH_SYSCTL')
-  conf.set('WITH_USERFAULTFD_SYSCTL', 1)
-elif get_option('userfaultfd_sysctl').enabled()
-  error('userfaultfd_sysctl option requires sysctl_config to be enabled')
+prio = get_option('tls_priority')
+if prio == 'auto'
+    # If local OS has 'crypto-policies' then default to that
+    policy = '/etc/crypto-policies/config'
+    if get_option('system') and \
+       run_command('test', '-f', policy, check: false).returncode() == 0
+        prio = '@LIBVIRT,SYSTEM'
+    else
+        prio = 'NORMAL'
+    endif
 endif
-
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+conf.set_quoted('TLS_PRIORITY', prio)
 
 
 # test options
@@ -2334,7 +2339,6 @@ misc_summary = {
   'sysctl config': conf.has('WITH_SYSCTL'),
   'tests': tests_enabled,
   'TLS priority': conf.get_unquoted('TLS_PRIORITY'),
-  'userfaultfd sysctl': conf.has('WITH_USERFAULTFD_SYSCTL'),
   'virt-host-validate': conf.has('WITH_HOST_VALIDATE'),
   'virt-login-shell': conf.has('WITH_LOGIN_SHELL'),
   'Warning Flags': supported_cc_flags,

meson_options.txt

@@ -132,6 +132,4 @@ option('nbdkit_config_default', type: 'feature', value: 'auto', description: 'Wh
 option('pm_utils', type: 'feature', value: 'auto', description: 'use pm-utils for power management')
 option('ssh_proxy', type: 'feature', value: 'auto', description: 'Build ssh-proxy for ssh over vsock')
 option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether to install sysctl configs')
-# dep:sysctl_config
-option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the default TLS session priority string')

po/POTFILES

@@ -230,6 +230,7 @@ src/rpc/virnetserverservice.c
 src/rpc/virnetsocket.c
 src/rpc/virnetsshsession.c
 src/rpc/virnettlscert.c
+src/rpc/virnettlsconfig.c
 src/rpc/virnettlscontext.c
 src/secret/secret_driver.c
 src/security/security_apparmor.c

po/ar.po

@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: libvirt 11.7.0\n"
 "Report-Msgid-Bugs-To: https://libvirt.org/bugs.html\n"
-"POT-Creation-Date: 2025-10-29 11:46+0000\n"
+"POT-Creation-Date: 2025-11-25 09:28+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: Automatically generated\n"
 "Language-Team: none\n"
@@ -1122,6 +1122,9 @@ msgstr ""
 msgid "'disk' missing or not an array in reply of guest-get-fsinfo"
 msgstr ""
 
+msgid "'dpofua' option is available only for SCSI disks"
+msgstr ""
+
 #, c-format
 msgid "'extended_l2' not supported with compat level %1$s"
 msgstr ""
@@ -2120,6 +2123,10 @@ msgstr ""
 msgid "Busy"
 msgstr ""
 
+#, c-format
+msgid "CA certificate '%1$s' does not exist"
+msgstr ""
+
 msgid "CA certificate:"
 msgstr ""
 
@@ -3107,10 +3114,6 @@ msgstr ""
 msgid "Cannot print data type %1$x"
 msgstr ""
 
-#, c-format
-msgid "Cannot read %1$s '%2$s'"
-msgstr ""
-
 msgid "Cannot read cputime for domain"
 msgstr ""
 
@@ -3359,6 +3362,14 @@ msgstr ""
 msgid "Certificate %1$s usage does not permit digital signature"
 msgstr ""
 
+#, c-format
+msgid "Certificate '%1$s' does not exist"
+msgstr ""
+
+#, c-format
+msgid "Certificate '%1$s' does not exist, but key '%2$s' does"
+msgstr ""
+
 #, c-format
 msgid "Certificate failed validation: %1$s"
 msgstr ""
@@ -3466,15 +3477,6 @@ msgstr ""
 msgid "Checking for %1$s module"
 msgstr ""
 
-msgid ""
-"Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)"
-msgstr ""
-
-msgid ""
-"Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-"
-"SNP)"
-msgstr ""
-
 #, c-format
 msgid "Checking for Linux >= %1$d.%2$d.%3$d"
 msgstr ""
@@ -4098,6 +4100,9 @@ msgstr ""
 msgid "Could not find PhysicalNic with name '%1$s'"
 msgstr ""
 
+msgid "Could not find a suitable controller for smmuv3"
+msgstr ""
+
 msgid "Could not find any 'network' element in status file"
 msgstr ""
 
@@ -5482,6 +5487,10 @@ msgstr ""
 msgid "Domain %1$s didn't show up"
 msgstr ""
 
+#, c-format
+msgid "Domain %1$s didn't show up in /dev/vmm"
+msgstr ""
+
 #, c-format
 msgid "Domain '%1$d' has to be running because libxenlight will suspend it"
 msgstr ""
@@ -7697,6 +7706,10 @@ msgstr ""
 msgid "Failed to parse MAC address from '%1$s'"
 msgstr ""
 
+#, c-format
+msgid "Failed to parse PCI address %1$s"
+msgstr ""
+
 #, c-format
 msgid "Failed to parse PCI config address '%1$s'"
 msgstr ""
@@ -9249,6 +9262,9 @@ msgid ""
 "IOMMU interrupt remapping requires split I/O APIC (ioapic driver='qemu')"
 msgstr ""
 
+msgid "IOMMU model smmuv3 must be specified for multiple IOMMU definitions"
+msgstr ""
+
 msgid "IORT table header ended early"
 msgstr ""
 
@@ -10494,6 +10510,10 @@ msgstr ""
 msgid "Kernel image path is not defined. With sev_snp=on, pass an igvm path"
 msgstr ""
 
+#, c-format
+msgid "Key '%1$s' does not exist, but certificate '%2$s' does"
+msgstr ""
+
 msgid "Key file path must be provided for private key authentication"
 msgstr ""
 
@@ -12093,7 +12113,7 @@ msgstr ""
 msgid "Nicdev support unavailable"
 msgstr ""
 
-msgid "No CA certificate path set to match server key/cert"
+msgid "No CA certificate path set to match server key(s)/cert(s)"
 msgstr ""
 
 msgid "No DRM render nodes available"
@@ -12113,6 +12133,9 @@ msgstr ""
 msgid "No JSON parser implementation is available"
 msgstr ""
 
+msgid "No PCI address provided"
+msgstr ""
+
 msgid "No PCI buses available"
 msgstr ""
 
@@ -12369,10 +12392,10 @@ msgstr ""
 msgid "No runstatedir specified"
 msgstr ""
 
-msgid "No server certificate path set to match server key"
+msgid "No server certificate path(s) set to match server key(s)"
 msgstr ""
 
-msgid "No server key path set to match server cert"
+msgid "No server key path(s) set to match server cert(s)"
 msgstr ""
 
 #, c-format
@@ -12588,6 +12611,10 @@ msgstr ""
 msgid "Number of CPUs in <numa> exceeds the desired maximum vcpu count"
 msgstr ""
 
+#, c-format
+msgid "Number of certificates (%1$zu) must match number of keys (%2$zu)"
+msgstr ""
+
 #, c-format
 msgid "Number of domain stats records is %1$d, which exceeds max limit: %2$d"
 msgstr ""
@@ -15579,6 +15606,14 @@ msgstr ""
 msgid "Target disk %1$s does not match source %2$s"
 msgstr ""
 
+#, c-format
+msgid "Target disk 'dpofua' property %1$s does not match source %2$s"
+msgstr ""
+
+#, c-format
+msgid "Target disk 'removable' property %1$s does not match source %2$s"
+msgstr ""
+
 msgid "Target disk access mode does not match source"
 msgstr ""
 
@@ -15636,7 +15671,8 @@ msgid ""
 "Target domain IOMMU device caching mode '%1$s' does not match source '%2$s'"
 msgstr ""
 
-msgid "Target domain IOMMU device count does not match source"
+#, c-format
+msgid "Target domain IOMMU device count %1$zu does not match source %2$zu"
 msgstr ""
 
 #, c-format
@@ -15664,6 +15700,11 @@ msgstr ""
 msgid "Target domain IOMMU device model '%1$s' does not match source '%2$s'"
 msgstr ""
 
+#, c-format
+msgid ""
+"Target domain IOMMU device pci_bus value '%1$d' does not match source '%2$d'"
+msgstr ""
+
 #, c-format
 msgid "Target domain OS type %1$s does not match source %2$s"
 msgstr ""
@@ -16288,8 +16329,8 @@ msgstr ""
 
 #, c-format
 msgid ""
-"The client key %1$s must be accessible to all users. As root run: chown root."
-"root %2$s; chmod 0644 %3$s"
+"The client key %1$s must be accessible to all users. As root run: chown "
+"root.root %2$s; chmod 0644 %3$s"
 msgstr ""
 
 #, c-format
@@ -16360,14 +16401,14 @@ msgstr ""
 
 #, c-format
 msgid ""
-"The machine cannot act as a client. See https://libvirt.org/kbase/tlscerts."
-"html#issuing-client-certificates on how to regenerate %1$s"
+"The machine cannot act as a client. See https://libvirt.org/kbase/"
+"tlscerts.html#issuing-client-certificates on how to regenerate %1$s"
 msgstr ""
 
 #, c-format
 msgid ""
-"The machine cannot act as a server. See https://libvirt.org/kbase/tlscerts."
-"html#issuing-server-certificates on how to regenerate %1$s"
+"The machine cannot act as a server. See https://libvirt.org/kbase/"
+"tlscerts.html#issuing-server-certificates on how to regenerate %1$s"
 msgstr ""
 
 msgid "The machine has no snapshot and it should have it"
@@ -17066,6 +17107,9 @@ msgstr ""
 msgid "Unable to add hardware machine"
 msgstr ""
 
+msgid "Unable to add keepalive timer"
+msgstr ""
+
 #, c-format
 msgid "Unable to add lockspace %1$s"
 msgstr ""
@@ -17074,6 +17118,9 @@ msgstr ""
 msgid "Unable to add lockspace %1$s: %2$s"
 msgstr ""
 
+msgid "Unable to add log cleanup timer"
+msgstr ""
+
 msgid "Unable to add media registry other media"
 msgstr ""
 
@@ -17081,6 +17128,15 @@ msgstr ""
 msgid "Unable to add port %1$s to OVS bridge %2$s: %3$s"
 msgstr ""
 
+msgid "Unable to add service timer"
+msgstr ""
+
+msgid "Unable to add shutdown timer"
+msgstr ""
+
+msgid "Unable to add socket timer"
+msgstr ""
+
 msgid "Unable to add storage controller"
 msgstr ""
 
@@ -17098,6 +17154,23 @@ msgid ""
 "machine"
 msgstr ""
 
+msgid "Unable to add timer to event loop"
+msgstr ""
+
+#, c-format
+msgid "Unable to add watch on log FD %1$d"
+msgstr ""
+
+msgid "Unable to add watch on stdin"
+msgstr ""
+
+msgid "Unable to add watch on stdout"
+msgstr ""
+
+#, c-format
+msgid "Unable to add watch on udev FD %1$d"
+msgstr ""
+
 msgid "Unable to add/delete fdb entries on this platform"
 msgstr ""
 
@@ -21037,6 +21110,9 @@ msgstr ""
 msgid "avoid file system cache when saving"
 msgstr ""
 
+msgid "avoid shutdown of the domain while the backup is running"
+msgstr ""
+
 msgid "await a domain event"
 msgstr ""
 
@@ -22929,8 +23005,8 @@ msgid "cannot update guest CPU for %1$s architecture"
 msgstr ""
 
 msgid ""
-"cannot update lifecycle action because QEMU was started with incompatible -"
-"no-reboot setting"
+"cannot update lifecycle action because QEMU was started with incompatible "
+"-no-reboot setting"
 msgstr ""
 
 #, c-format
@@ -23017,6 +23093,9 @@ msgstr ""
 msgid "cellNum in %1$s only accepts %2$d as a negative value"
 msgstr ""
 
+msgid "cert_file/key_file are mutually exclusive with cert_files/key_files"
+msgstr ""
+
 #, c-format
 msgid "cfs_period '%1$llu' must be in range (%2$llu, %3$llu)"
 msgstr ""
@@ -24450,6 +24529,11 @@ msgstr ""
 msgid "device type '%1$s' cannot hot unplugged"
 msgstr ""
 
+msgid ""
+"device-pluggable IOMMU with pciBus attribute must be specified for multiple "
+"IOMMU definitions"
+msgstr ""
+
 msgid "devices cgroup isn't mounted"
 msgstr ""
 
@@ -27744,6 +27828,9 @@ msgstr ""
 msgid "guest is missing vCPUs '%1$s'"
 msgstr ""
 
+msgid "guest shutdown"
+msgstr ""
+
 msgid "guest unexpectedly quit"
 msgstr ""
 
@@ -32732,9 +32819,6 @@ msgstr ""
 msgid "only USB input devices are supported"
 msgstr ""
 
-msgid "only a single IOMMU device is supported"
-msgstr ""
-
 msgid "only a single QGS element is supported"
 msgstr ""
 
@@ -33267,23 +33351,23 @@ msgid "per-device boot elements cannot be used together with os/boot elements"
 msgstr ""
 
 msgid ""
-"per-device bytes read per second, in the form of /path/to/device,"
-"read_bytes_sec,..."
+"per-device bytes read per second, in the form of /path/to/"
+"device,read_bytes_sec,..."
 msgstr ""
 
 msgid ""
-"per-device bytes wrote per second, in the form of /path/to/device,"
-"write_bytes_sec,..."
+"per-device bytes wrote per second, in the form of /path/to/"
+"device,write_bytes_sec,..."
 msgstr ""
 
 msgid ""
-"per-device read I/O limit per second, in the form of /path/to/device,"
-"read_iops_sec,..."
+"per-device read I/O limit per second, in the form of /path/to/"
+"device,read_iops_sec,..."
 msgstr ""
 
 msgid ""
-"per-device write I/O limit per second, in the form of /path/to/device,"
-"write_iops_sec,..."
+"per-device write I/O limit per second, in the form of /path/to/"
+"device,write_iops_sec,..."
 msgstr ""
 
 #, c-format
@@ -33812,6 +33896,9 @@ msgstr ""
 msgid "query or modify state of vcpu in the guest (via agent)"
 msgstr ""
 
+msgid "query-accelerators was missing 'enabled'"
+msgstr ""
+
 msgid "query-block device entry was not in expected format"
 msgstr ""
 
@@ -33969,6 +34056,9 @@ msgid ""
 "querying maximum post-copy migration speed is not supported by QEMU binary"
 msgstr ""
 
+msgid "queue configuration is only valid for NVMe bus"
+msgstr ""
+
 msgid "queue-size property isn't supported by this QEMU binary"
 msgstr ""
 
@@ -35315,6 +35405,13 @@ msgstr ""
 msgid "statistic value too large"
 msgstr ""
 
+#, c-format
+msgid "statistics collection is not supported by disks on bus '%1$s'"
+msgstr ""
+
+msgid "statistics collection is not supported by this QEMU binary"
+msgstr ""
+
 #, c-format
 msgid "status mismatch in event (actual 0x%1$x, expected 0x%2$x)"
 msgstr ""
@@ -38409,6 +38506,9 @@ msgstr ""
 msgid "using host CPU definition as input may provide incorrect results"
 msgstr ""
 
+msgid "using passthrough devices requires locking guest memory"
+msgstr ""
+
 #, c-format
 msgid "using unix socket and remote server '%1$s' is not supported."
 msgstr ""

po/as.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: libvirt 6.0.0\n"
 "Report-Msgid-Bugs-To: https://libvirt.org/bugs.html\n"
-"POT-Creation-Date: 2025-10-29 11:46+0000\n"
+"POT-Creation-Date: 2025-11-25 09:28+0000\n"
 "PO-Revision-Date: 2015-02-26 06:48+0000\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Assamese (http://www.transifex.com/projects/p/libvirt/"
@@ -1215,6 +1215,9 @@ msgstr ""
 msgid "'disk' missing or not an array in reply of guest-get-fsinfo"
 msgstr ""
 
+msgid "'dpofua' option is available only for SCSI disks"
+msgstr ""
+
 #, c-format
 msgid "'extended_l2' not supported with compat level %1$s"
 msgstr ""
@@ -2289,6 +2292,10 @@ msgstr "বাচ 0 অনুকুলিত PIIX3 USB অথবা IDE নি
 msgid "Busy"
 msgstr "ব্যস্ত"
 
+#, c-format
+msgid "CA certificate '%1$s' does not exist"
+msgstr ""
+
 #, fuzzy
 msgid "CA certificate:"
 msgstr "ডিভাইচৰ প্ৰকৃতি বৈধ নহয়: %s"
@@ -3330,10 +3337,6 @@ msgstr ""
 msgid "Cannot print data type %1$x"
 msgstr "তথ্য লিখিব নোৱাৰি"
 
-#, c-format
-msgid "Cannot read %1$s '%2$s'"
-msgstr "%1$s '%2$s' পঢ়িব নোৱাৰি"
-
 msgid "Cannot read cputime for domain"
 msgstr "ডোমেইনৰ বাবে cputime পঢ়িবলৈ ব্যৰ্থয়"
 
@@ -3590,6 +3593,14 @@ msgstr "প্ৰমাণপত্ৰ %1$s ব্যৱহাৰে প্ৰ
 msgid "Certificate %1$s usage does not permit digital signature"
 msgstr "প্ৰমাণপত্ৰ %1$s ৰ ব্যৱহাৰে ডিজিটেল স্বাক্ষৰৰ অনুমতি নিদিয়ে"
 
+#, c-format
+msgid "Certificate '%1$s' does not exist"
+msgstr ""
+
+#, c-format
+msgid "Certificate '%1$s' does not exist, but key '%2$s' does"
+msgstr ""
+
 #, c-format
 msgid "Certificate failed validation: %1$s"
 msgstr "প্ৰমাণপত্ৰৰ সতা সত্য নিৰূপণ ব্যৰ্থ হল: %1$s"
@@ -3707,15 +3718,6 @@ msgstr ""
 msgid "Checking for %1$s module"
 msgstr ""
 
-msgid ""
-"Checking for AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)"
-msgstr ""
-
-msgid ""
-"Checking for AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-"
-"SNP)"
-msgstr ""
-
 #, c-format
 msgid "Checking for Linux >= %1$d.%2$d.%3$d"
 msgstr ""
@@ -4364,6 +4366,9 @@ msgstr "কি '%1$s' ৰ সৈতে PhysicalNic পোৱা নগল"
 msgid "Could not find PhysicalNic with name '%1$s'"
 msgstr "নাম '%1$s' ৰ সৈতে PhysicalNic পোৱা নগল"
 
+msgid "Could not find a suitable controller for smmuv3"
+msgstr ""
+
 msgid "Could not find any 'network' element in status file"
 msgstr "অৱস্থা ফাইলত কোনো 'network' উপাদান পোৱা নগল"
 
@@ -5818,6 +5823,10 @@ msgstr ""
 msgid "Domain %1$s didn't show up"
 msgstr "ডমেইন %1$s দেখা পোৱা নগল"
 
+#, c-format
+msgid "Domain %1$s didn't show up in /dev/vmm"
+msgstr ""
+
 #, c-format
 msgid "Domain '%1$d' has to be running because libxenlight will suspend it"
 msgstr "ডমেইন '%1$d' চলি থকািব লাগিব কাৰণ libxenlight এ ইয়াক নিলম্বিত কৰিব"
@@ -8150,6 +8159,10 @@ msgstr ""
 msgid "Failed to parse MAC address from '%1$s'"
 msgstr "'%1$s' ৰ পৰা uid আৰু gid বিশ্লেষণ কৰিবলে ব্যৰ্থ"
 
+#, c-format
+msgid "Failed to parse PCI address %1$s"
+msgstr ""
+
 #, c-format
 msgid "Failed to parse PCI config address '%1$s'"
 msgstr "PCI config ঠিকনা '%1$s' বিশ্লেষণ কৰিবলে ব্যৰ্থ"
@@ -9752,6 +9765,9 @@ msgid ""
 "IOMMU interrupt remapping requires split I/O APIC (ioapic driver='qemu')"
 msgstr ""
 
+msgid "IOMMU model smmuv3 must be specified for multiple IOMMU definitions"
+msgstr ""
+
 msgid "IORT table header ended early"
 msgstr ""
 
@@ -11040,6 +11056,10 @@ msgstr ""
 msgid "Kernel image path is not defined. With sev_snp=on, pass an igvm path"
 msgstr ""
 
+#, c-format
+msgid "Key '%1$s' does not exist, but certificate '%2$s' does"
+msgstr ""
+
 #, fuzzy
 msgid "Key file path must be provided for private key authentication"
 msgstr "ব্যক্তিগত কি' প্ৰমাণীকৰণৰ বাবে ব্যৱহাৰকাৰীনাম আৰু কি' পথ প্ৰদান কৰিব লাগিব"
@@ -12733,7 +12753,7 @@ msgstr "খণ্ড ডিভাইচৰ নতুন আকাৰ, স্ক
 msgid "Nicdev support unavailable"
 msgstr "চিস্টেম উপলব্ধ নহয়"
 
-msgid "No CA certificate path set to match server key/cert"
+msgid "No CA certificate path set to match server key(s)/cert(s)"
 msgstr ""
 
 #, fuzzy
@@ -12755,6 +12775,9 @@ msgstr "হস্ট '%1$s' ৰ বাবে কোনো IP ঠিকনা প
 msgid "No JSON parser implementation is available"
 msgstr "কোনো JSON বিশ্লেষকৰ বাস্তবায়ন উপলব্ধ নাই"
 
+msgid "No PCI address provided"
+msgstr ""
+
 msgid "No PCI buses available"
 msgstr "কোনো PCI বাচ উপলব্ধ নাই"
 
@@ -13027,11 +13050,10 @@ msgstr "কোনো qemu পৰিৱেশ নাম ধাৰ্য্য ক
 msgid "No runstatedir specified"
 msgstr "কোনো ব্ৰিজ নাম ধাৰ্য্য কৰা হোৱা নাই"
 
-#, fuzzy
-msgid "No server certificate path set to match server key"
-msgstr "চাৰ্ভাৰ প্ৰমাণপত্ৰ %s এতিয়াও সক্ৰিয় নহয়"
+msgid "No server certificate path(s) set to match server key(s)"
+msgstr ""
 
-msgid "No server key path set to match server cert"
+msgid "No server key path(s) set to match server cert(s)"
 msgstr ""
 
 #, fuzzy, c-format
@@ -13261,6 +13283,10 @@ msgstr "<numa> ত CPUসমূহৰ সংখ্যা <vcpu> গণনা অ
 msgid "Number of CPUs in <numa> exceeds the desired maximum vcpu count"
 msgstr "<numa> ত CPUসমূহৰ সংখ্যা <vcpu> গণনা অতিক্ৰম কৰে"
 
+#, c-format
+msgid "Number of certificates (%1$zu) must match number of keys (%2$zu)"
+msgstr ""
+
 #, c-format
 msgid "Number of domain stats records is %1$d, which exceeds max limit: %2$d"
 msgstr "ডমেইন পৰিসংখ্যা ৰেকৰ্ডসমূহৰ সংখ্যা %1$d, যি সৰ্বাধিক সীমাক অতিক্ৰম কৰে: %2$d"
@@ -16451,6 +16477,14 @@ msgstr ""
 msgid "Target disk %1$s does not match source %2$s"
 msgstr "লক্ষ্য ডিস্ক %1$s উৎস %2$s ৰ সৈতে মিল নাখায়"
 
+#, c-format
+msgid "Target disk 'dpofua' property %1$s does not match source %2$s"
+msgstr ""
+
+#, c-format
+msgid "Target disk 'removable' property %1$s does not match source %2$s"
+msgstr ""
+
 msgid "Target disk access mode does not match source"
 msgstr "লক্ষ্য ডিস্ক অভিগম অৱস্থা উৎসৰ সৈতে মিল নাখায়"
 
@@ -16508,9 +16542,9 @@ msgid ""
 "Target domain IOMMU device caching mode '%1$s' does not match source '%2$s'"
 msgstr "লক্ষ্য ডমেইন নাম '%1$s' এ উৎস '%2$s' ৰ সৈতে মিল নাখায়"
 
-#, fuzzy
-msgid "Target domain IOMMU device count does not match source"
-msgstr "লক্ষ্য ডমেইন RNG ডিভাইচ গণনা %zu উৎস %zu ৰ সৈতে মিল নাখায়"
+#, c-format
+msgid "Target domain IOMMU device count %1$zu does not match source %2$zu"
+msgstr ""
 
 #, c-format
 msgid ""
@@ -16537,6 +16571,11 @@ msgstr "লক্ষ্য ডমেইন নাম '%1$s' এ উৎস '%2$s'
 msgid "Target domain IOMMU device model '%1$s' does not match source '%2$s'"
 msgstr "লক্ষ্য ডমেইন নাম '%1$s' এ উৎস '%2$s' ৰ সৈতে মিল নাখায়"
 
+#, c-format
+msgid ""
+"Target domain IOMMU device pci_bus value '%1$d' does not match source '%2$d'"
+msgstr ""
+
 #, c-format
 msgid "Target domain OS type %1$s does not match source %2$s"
 msgstr "লক্ষ্য ডমেইন OS ধৰণ %1$s উৎস %2$s ৰ সৈতে মিল নাখায়"
@@ -17177,8 +17216,8 @@ msgstr "ক্লাএণ্ট প্ৰমাণপত্ৰ %1$s এতি
 
 #, c-format
 msgid ""
-"The client key %1$s must be accessible to all users. As root run: chown root."
-"root %2$s; chmod 0644 %3$s"
+"The client key %1$s must be accessible to all users. As root run: chown "
+"root.root %2$s; chmod 0644 %3$s"
 msgstr ""
 
 #, c-format
@@ -17251,14 +17290,14 @@ msgstr ""
 
 #, c-format
 msgid ""
-"The machine cannot act as a client. See https://libvirt.org/kbase/tlscerts."
-"html#issuing-client-certificates on how to regenerate %1$s"
+"The machine cannot act as a client. See https://libvirt.org/kbase/"
+"tlscerts.html#issuing-client-certificates on how to regenerate %1$s"
 msgstr ""
 
 #, c-format
 msgid ""
-"The machine cannot act as a server. See https://libvirt.org/kbase/tlscerts."
-"html#issuing-server-certificates on how to regenerate %1$s"
+"The machine cannot act as a server. See https://libvirt.org/kbase/"
+"tlscerts.html#issuing-server-certificates on how to regenerate %1$s"
 msgstr ""
 
 #, fuzzy
@@ -17986,6 +18025,9 @@ msgstr "ব্ৰিজ %s পোৰ্ট %s যোগ কৰিবলে অ
 msgid "Unable to add hardware machine"
 msgstr "vmware লগ ফাইল পঢ়িবলে অক্ষম"
 
+msgid "Unable to add keepalive timer"
+msgstr ""
+
 #, c-format
 msgid "Unable to add lockspace %1$s"
 msgstr "লকস্পেইচ %1$s যোগ কৰিবলে অক্ষম"
@@ -17994,6 +18036,9 @@ msgstr "লকস্পেইচ %1$s যোগ কৰিবলে অক্ষ
 msgid "Unable to add lockspace %1$s: %2$s"
 msgstr "লকস্পেইচ %s যোগ কৰিবলে অক্ষম"
 
+msgid "Unable to add log cleanup timer"
+msgstr ""
+
 #, fuzzy
 msgid "Unable to add media registry other media"
 msgstr "মনিটৰ ঘটনা নিবন্ধন কৰিবলৈ ব্যৰ্থ"
@@ -18002,6 +18047,15 @@ msgstr "মনিটৰ ঘটনা নিবন্ধন কৰিবলৈ
 msgid "Unable to add port %1$s to OVS bridge %2$s: %3$s"
 msgstr ""
 
+msgid "Unable to add service timer"
+msgstr ""
+
+msgid "Unable to add shutdown timer"
+msgstr ""
+
+msgid "Unable to add socket timer"
+msgstr ""
+
 #, fuzzy
 msgid "Unable to add storage controller"
 msgstr "নিয়ন্ত্ৰণ চকেট খোলিবলে অক্ষম"
@@ -18023,6 +18077,23 @@ msgid ""
 "machine"
 msgstr ""
 
+msgid "Unable to add timer to event loop"
+msgstr ""
+
+#, c-format
+msgid "Unable to add watch on log FD %1$d"
+msgstr ""
+
+msgid "Unable to add watch on stdin"
+msgstr ""
+
+msgid "Unable to add watch on stdout"
+msgstr ""
+
+#, c-format
+msgid "Unable to add watch on udev FD %1$d"
+msgstr ""
+
 #, fuzzy
 msgid "Unable to add/delete fdb entries on this platform"
 msgstr "এই প্লেটফৰ্মত TAP ডিভাইচসমূহ মচি পেলাবলে অক্ষম"
@@ -22146,6 +22217,9 @@ msgstr "পুনৰুদ্ধাৰ কৰোতে ফাইলচিস্
 msgid "avoid file system cache when saving"
 msgstr "সংৰক্ষণ কৰোতে ফাইল চিস্টেম ক্যাশ বাদ দিয়ক"
 
+msgid "avoid shutdown of the domain while the backup is running"
+msgstr ""
+
 msgid "await a domain event"
 msgstr ""
 
@@ -24112,8 +24186,8 @@ msgid "cannot update guest CPU for %1$s architecture"
 msgstr "%1$s স্থাপত্যৰ বাবে CPU ৰ বাবে ডি-কোড কৰা সম্ভৱ নহয়"
 
 msgid ""
-"cannot update lifecycle action because QEMU was started with incompatible -"
-"no-reboot setting"
+"cannot update lifecycle action because QEMU was started with incompatible "
+"-no-reboot setting"
 msgstr ""
 
 #, c-format
@@ -24205,6 +24279,9 @@ msgstr "%1$s ত cellNum %2$d কে কম বা সমান হব লাগ
 msgid "cellNum in %1$s only accepts %2$d as a negative value"
 msgstr "%1$s ত cellNum এ %2$d ক কেৱল ধনাত্মক মান হিচাপে গ্ৰহণ কৰে"
 
+msgid "cert_file/key_file are mutually exclusive with cert_files/key_files"
+msgstr ""
+
 #, c-format
 msgid "cfs_period '%1$llu' must be in range (%2$llu, %3$llu)"
 msgstr ""
@@ -25715,6 +25792,11 @@ msgstr "ডিভাইচ ধৰণ '%1$s' আপডেইট কৰিব ন
 msgid "device type '%1$s' cannot hot unplugged"
 msgstr "ডিভাইচ ধৰণ '%1$s' হট আনপ্লাগ কৰিব নোৱাৰি"
 
+msgid ""
+"device-pluggable IOMMU with pciBus attribute must be specified for multiple "
+"IOMMU definitions"
+msgstr ""
+
 msgid "devices cgroup isn't mounted"
 msgstr "ডিভাইচসমূহ cgroup মাউন্টেড নহয়"
 
@@ -29160,6 +29242,9 @@ msgstr "স্থায়ী আন্তঃপৃষ্ঠ নাম"
 msgid "guest is missing vCPUs '%1$s'"
 msgstr "প্ৰবিষ্টিত 'speed' নাছিল"
 
+msgid "guest shutdown"
+msgstr ""
+
 msgid "guest unexpectedly quit"
 msgstr "অতিথি অপ্ৰত্যাশিতভাৱে প্ৰস্থান কৰিলে"
 
@@ -34419,10 +34504,6 @@ msgstr ""
 msgid "only USB input devices are supported"
 msgstr "কেৱল এটা TPM ডিভাইচ সমৰ্থিত"
 
-#, fuzzy
-msgid "only a single IOMMU device is supported"
-msgstr "কেৱল এটা TPM ডিভাইচ সমৰ্থিত"
-
 msgid "only a single QGS element is supported"
 msgstr ""
 
@@ -34982,26 +35063,26 @@ msgstr ""
 
 #, fuzzy
 msgid ""
-"per-device bytes read per second, in the form of /path/to/device,"
-"read_bytes_sec,..."
+"per-device bytes read per second, in the form of /path/to/"
+"device,read_bytes_sec,..."
 msgstr "প্ৰতি-ডিভাইচ IO উজনসমূহ, /path/to/device,উজন,... বিন্যাসত"
 
 #, fuzzy
 msgid ""
-"per-device bytes wrote per second, in the form of /path/to/device,"
-"write_bytes_sec,..."
+"per-device bytes wrote per second, in the form of /path/to/"
+"device,write_bytes_sec,..."
 msgstr "প্ৰতি-ডিভাইচ IO উজনসমূহ, /path/to/device,উজন,... বিন্যাসত"
 
 #, fuzzy
 msgid ""
-"per-device read I/O limit per second, in the form of /path/to/device,"
-"read_iops_sec,..."
+"per-device read I/O limit per second, in the form of /path/to/"
+"device,read_iops_sec,..."
 msgstr "প্ৰতি-ডিভাইচ IO উজনসমূহ, /path/to/device,উজন,... বিন্যাসত"
 
 #, fuzzy
 msgid ""
-"per-device write I/O limit per second, in the form of /path/to/device,"
-"write_iops_sec,..."
+"per-device write I/O limit per second, in the form of /path/to/"
+"device,write_iops_sec,..."
 msgstr "প্ৰতি-ডিভাইচ IO উজনসমূহ, /path/to/device,উজন,... বিন্যাসত"
 
 #, fuzzy, c-format
@@ -35552,6 +35633,9 @@ msgstr ""
 msgid "query or modify state of vcpu in the guest (via agent)"
 msgstr "অতিথিত cpu অৱস্থা পৰিবৰ্তন কৰক"
 
+msgid "query-accelerators was missing 'enabled'"
+msgstr ""
+
 #, fuzzy
 msgid "query-block device entry was not in expected format"
 msgstr "blockstats ডিভাইচৰ এনট্ৰি প্ৰত্যাশিত বিন্যাসত নাই"
@@ -35720,6 +35804,9 @@ msgid ""
 "querying maximum post-copy migration speed is not supported by QEMU binary"
 msgstr "QEMU বাইনাৰি দ্বাৰা সংকেচিত প্ৰব্ৰজন সমৰ্থিত নহয়"
 
+msgid "queue configuration is only valid for NVMe bus"
+msgstr ""
+
 msgid "queue-size property isn't supported by this QEMU binary"
 msgstr ""
 
@@ -37143,6 +37230,13 @@ msgstr "'%1$s' ৰ stat কৰিবলৈ ব্যৰ্থবলৈ ব্য
 msgid "statistic value too large"
 msgstr "মান অত্যাধিক ডাঙৰ: %llu%s"
 
+#, c-format
+msgid "statistics collection is not supported by disks on bus '%1$s'"
+msgstr ""
+
+msgid "statistics collection is not supported by this QEMU binary"
+msgstr ""
+
 #, fuzzy, c-format
 msgid "status mismatch in event (actual 0x%1$x, expected 0x%2$x)"
 msgstr "প্ৰোগ্ৰাম অমিল (প্ৰকৃত %1$x, প্ৰত্যাশিত %2$x)"
@@ -40345,6 +40439,9 @@ msgstr ""
 msgid "using host CPU definition as input may provide incorrect results"
 msgstr ""
 
+msgid "using passthrough devices requires locking guest memory"
+msgstr ""
+
 #, c-format
 msgid "using unix socket and remote server '%1$s' is not supported."
 msgstr "unix চকেট আৰু দূৰৱৰ্তী চাৰ্ভাৰ '%1$s' ব্যৱহাৰ কৰাটো সমৰ্থিত নহয়।"
@@ -41314,6 +41411,22 @@ msgid ""
 "zone %1$s requested for network %2$s but firewalld is not supported on BSD"
 msgstr ""
 
+#, c-format
+#~ msgid "Cannot read %1$s '%2$s'"
+#~ msgstr "%1$s '%2$s' পঢ়িব নোৱাৰি"
+
+#, fuzzy
+#~ msgid "No server certificate path set to match server key"
+#~ msgstr "চাৰ্ভাৰ প্ৰমাণপত্ৰ %s এতিয়াও সক্ৰিয় নহয়"
+
+#, fuzzy
+#~ msgid "Target domain IOMMU device count does not match source"
+#~ msgstr "লক্ষ্য ডমেইন RNG ডিভাইচ গণনা %zu উৎস %zu ৰ সৈতে মিল নাখায়"
+
+#, fuzzy
+#~ msgid "only a single IOMMU device is supported"
+#~ msgstr "কেৱল এটা TPM ডিভাইচ সমৰ্থিত"
+
 #, fuzzy
 #~ msgid "incoming RDMA migration is not supported with this QEMU binary"
 #~ msgstr "vhost-net এই QEMU বাইনাৰিৰ সৈতে সমৰ্থিত নহয়"