Release of libvirt 6.2.0

* docs/news.xml: update for the release Signed-off-by: Daniel Veillard <veillard@redhat.com>
Revert "logging: Use default timeout of 120 seconds for virtlogd"
2025-08-19 17:50:04 +03:00 · 2020-04-02 21:15:41 +02:00 · 2020-04-02 15:59:12 +02:00 · 2020-04-02 12:19:17 +02:00 · 2020-04-01 19:54:21 +02:00 · 2020-04-01 18:13:44 +02:00
1414 changed files with 115941 additions and 16203 deletions
--- a/.color_coded.in
+++ b/.color_coded.in
@ -1,7 +1,5 @@
 -I@abs_top_builddir@
 -I@abs_top_srcdir@
-I@abs_top_builddir@/gnulib/lib
-I@abs_top_srcdir@/gnulib/lib
 -I@abs_top_builddir@/include
 -I@abs_top_srcdir@/include
 -I@abs_top_builddir@/src
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,7 @@
 *#*#
 *.#*#
 .#*
+*~

 # autotools related ignores
 !/m4/virt-*.m4
@ -14,9 +15,12 @@
 /INSTALL
 /aclocal.m4
 /autom4te.cache
-/build-aux/.gitignore
 /build-aux/compile
+/build-aux/config.guess
+/build-aux/config.sub
 /build-aux/depcomp
+/build-aux/install-sh
+/build-aux/ltmain.sh
 /build-aux/missing
 /build-aux/test-driver
 /config.h.in
@ -25,16 +29,8 @@
 /m4/*
 Makefile.in

-# gnulib related ignores
-!/gnulib/lib/Makefile.am
-!/gnulib/tests/Makefile.am
-*.rej
-*~
-/gnulib/lib/*
-/gnulib/m4/*
-/gnulib/tests/*
-
 # git related ignores
+*.rej
 *.orig
 .git-module-status

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,46 +1,243 @@
-.job_template: &job_definition
+variables:
+  MAKE: make
+  GIT_DEPTH: 100
+
+stages:
+  - prebuild
+  - native_build
+  - cross_build
+
+.script_variables: &script_variables |
+  export MAKEFLAGS="-j$(getconf _NPROCESSORS_ONLN)"
+
+# Common templates
+
+# Default native build jobs that are always run
+.native_build_default_job_template: &native_build_default_job_definition
+  stage: native_build
+  cache:
+    paths:
+      - ccache/
+    key: "$CI_JOB_NAME"
+  before_script:
+    - *script_variables
+    - mkdir -p ccache
+    - export CC="ccache gcc"
+    - export CCACHE_BASEDIR=${PWD}
+    - export CCACHE_DIR=${PWD}/ccache
+  script:
+    - mkdir build
+    - cd build
+    - ../autogen.sh || (cat config.log && exit 1)
+    - $MAKE distcheck
+
+# Extra native build jobs that are only run post-merge, or
+# when code is pushed to a branch with "ci-full-" name prefix
+.native_build_extra_job_template: &native_build_extra_job_definition
+  <<: *native_build_default_job_definition
+  only:
+    - master
+    - /^ci-full-.*$/
+
+
+# Default cross build jobs that are always run
+.cross_build_default_job_template: &cross_build_default_job_definition
+  stage: cross_build
+  cache:
+    paths:
+      - ccache/
+    key: "$CI_JOB_NAME"
+  before_script:
+    - *script_variables
+    - mkdir -p ccache
+    - export CC="ccache ${ABI}-gcc"
+    - export CCACHE_BASEDIR=${PWD}
+    - export CCACHE_DIR=${PWD}/ccache
  script:
    - mkdir build
    - cd build
    - ../autogen.sh $CONFIGURE_OPTS || (cat config.log && exit 1)
-    - make -j $(getconf _NPROCESSORS_ONLN)
+    - $MAKE

-# We could run every arch on every versions, but it is a little
-# overkill. Instead we split jobs evenly across 9, 10 and sid
-# to achieve reasonable cross-coverage.
+# Extra cross build jobs that are only run post-merge, or
+# when code is pushed to a branch with "ci-full-" name prefix
+.cross_build_extra_job_template: &cross_build_extra_job_definition
+  <<: *cross_build_default_job_definition
+  only:
+    - master
+    - /^ci-full-.*$/

-debian-9-cross-armv6l:
-  <<: *job_definition
+
+# Native architecture build + test jobs
+
+x64-debian-9:
+  <<: *native_build_extra_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-debian-9:latest
+
+x64-debian-10:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-debian-10:latest
+
+x64-debian-sid:
+  <<: *native_build_extra_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-debian-sid:latest
+
+x64-centos-7:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-centos-7:latest
+
+x64-centos-8:
+  <<: *native_build_extra_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-centos-8:latest
+
+x64-fedora-30:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-fedora-30:latest
+
+x64-fedora-31:
+  <<: *native_build_extra_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-fedora-31:latest
+
+x64-fedora-rawhide:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-fedora-rawhide:latest
+
+x64-opensuse-151:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-opensuse-151:latest
+
+x64-ubuntu-1604:
+  <<: *native_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-ubuntu-1604:latest
+
+x64-ubuntu-1804:
+  <<: *native_build_extra_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-ubuntu-1804:latest
+
+
+# Cross compiled build jobs
+
+armv6l-debian-9:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-9-cross-armv6l:latest

-debian-9-cross-mips64el:
-  <<: *job_definition
+mips64el-debian-9:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-9-cross-mips64el:latest

-debian-9-cross-mips:
-  <<: *job_definition
+mips-debian-9:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-9-cross-mips:latest

-debian-10-cross-aarch64:
-  <<: *job_definition
+aarch64-debian-10:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-10-cross-aarch64:latest

-debian-10-cross-ppc64le:
-  <<: *job_definition
+ppc64le-debian-10:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-10-cross-ppc64le:latest

-debian-10-cross-s390x:
-  <<: *job_definition
+s390x-debian-10:
+  <<: *cross_build_default_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-10-cross-s390x:latest

-debian-sid-cross-armv7l:
-  <<: *job_definition
+armv7l-debian-sid:
+  <<: *cross_build_default_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-sid-cross-armv7l:latest

-debian-sid-cross-i686:
-  <<: *job_definition
+i686-debian-sid:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-sid-cross-i686:latest

-debian-sid-cross-mipsel:
-  <<: *job_definition
+mipsel-debian-sid:
+  <<: *cross_build_extra_job_definition
  image: quay.io/libvirt/buildenv-libvirt-debian-sid-cross-mipsel:latest
+
+mingw32-fedora-30:
+  <<: *cross_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-fedora-30-cross-mingw32:latest
+
+mingw64-fedora-30:
+  <<: *cross_build_default_job_definition
+  image: quay.io/libvirt/buildenv-libvirt-fedora-30-cross-mingw64:latest
+
+
+# This artifact published by this job is downloaded by libvirt.org to
+# be deployed to the web root:
+#    https://gitlab.com/libvirt/libvirt/-/jobs/artifacts/master/download?job=website
+website:
+  stage: prebuild
+  before_script:
+    - *script_variables
+  script:
+    - mkdir build
+    - cd build
+    - ../autogen.sh --prefix=$(pwd)/../vroot || (cat config.log && exit 1)
+    - $MAKE -C docs
+    - $MAKE -C docs install
+    - cd ..
+    - mv vroot/share/doc/libvirt/html/ website
+  image: quay.io/libvirt/buildenv-libvirt-fedora-31:latest
+  artifacts:
+    expose_as: 'Website'
+    name: 'website'
+    when: on_success
+    expire_in: 30 days
+    paths:
+      - website
+
+
+codestyle:
+  stage: prebuild
+  before_script:
+    - *script_variables
+  script:
+    - mkdir build
+    - cd build
+    - ../autogen.sh || (cat config.log && exit 1)
+    - $MAKE syntax-check
+  image: quay.io/libvirt/buildenv-libvirt-fedora-31:latest
+
+
+# This artifact published by this job is downloaded to push to Weblate
+# for translation usage:
+#    https://gitlab.com/libvirt/libvirt/-/jobs/artifacts/master/download?job=potfile
+potfile:
+  stage: prebuild
+  only:
+    - master
+  before_script:
+    - *script_variables
+  script:
+    - mkdir build
+    - cd build
+    - ../autogen.sh || (cat config.log && exit 1)
+    - $MAKE -C src generated-sources
+    - $MAKE -C po libvirt.pot
+    - cd ..
+    - mv build/po/libvirt.pot libvirt.pot
+  image: quay.io/libvirt/buildenv-libvirt-fedora-31:latest
+  artifacts:
+    expose_as: 'Potfile'
+    name: 'potfile'
+    when: on_success
+    expire_in: 30 days
+    paths:
+      - libvirt.pot
+
+
+# Check that all commits are signed-off for the DCO. Skip
+# on master branch and -maint branches, since we only need
+# to test developer's personal branches.
+dco:
+  stage: prebuild
+  image: quay.io/libvirt/buildenv-libvirt-fedora-31:latest
+  before_script:
+    - *script_variables
+  script:
+    - ./scripts/require-dco.py
+  only:
+    - branches
+  except:
+    - /^v.*-maint$/
+    - master
--- a/.gitmodules
+++ b/.gitmodules
@ -1,6 +1,3 @@
-[submodule "gnulib"]
-	path = .gnulib
-	url = https://git.savannah.gnu.org/git/gnulib.git/
 [submodule "keycodemapdb"]
 	path = src/keycodemapdb
 	url = https://gitlab.com/keycodemap/keycodemapdb.git
--- a/.gitpublish
+++ b/.gitpublish
@ -1,3 +1,4 @@
 [gitpublishprofile "default"]
 base = master
 to = libvir-list@redhat.com
+prefix = libvirt PATCH
--- a/.gnulib
+++ b/.gnulib
--- a/.travis.yml
+++ b/.travis.yml
@ -18,55 +18,6 @@ addons:

 matrix:
  include:
-    - services:
-        - docker
-      env:
-        - IMAGE="ubuntu-1804"
-        - MAKE_ARGS="syntax-check distcheck"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_MAKE_ARGS="$MAKE_ARGS"
-    - services:
-        - docker
-      env:
-        - IMAGE="centos-7"
-        - MAKE_ARGS="syntax-check distcheck"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_MAKE_ARGS="$MAKE_ARGS"
-    - services:
-        - docker
-      env:
-        - IMAGE="debian-9"
-        - MAKE_ARGS="syntax-check distcheck"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_MAKE_ARGS="$MAKE_ARGS"
-    - services:
-        - docker
-      env:
-        - IMAGE="fedora-31"
-        - MAKE_ARGS="syntax-check distcheck"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_MAKE_ARGS="$MAKE_ARGS"
-    - services:
-        - docker
-      env:
-        - IMAGE="fedora-rawhide"
-        - MAKE_ARGS="syntax-check distcheck"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_MAKE_ARGS="$MAKE_ARGS"
-    - services:
-        - docker
-      env:
-        - IMAGE="fedora-30"
-        - MINGW="mingw32"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_CONFIGURE="$MINGW-configure"
-    - services:
-        - docker
-      env:
-        - IMAGE="fedora-30"
-        - MINGW="mingw64"
-      script:
-        - make -C ci/ ci-build@$IMAGE CI_CONFIGURE="$MINGW-configure"
    - compiler: clang
      language: c
      os: osx
--- a/.ycm_extra_conf.py.in
+++ b/.ycm_extra_conf.py.in
@ -1,8 +1,6 @@
 flags = [
  '-I@abs_top_builddir@',
  '-I@abs_top_srcdir@',
-  '-I@abs_top_builddir@/gnulib/lib',
-  '-I@abs_top_srcdir@/gnulib/lib',
  '-I@abs_top_builddir@/include',
  '-I@abs_top_srcdir@/include',
  '-I@abs_top_builddir@/src',
--- a/Makefile.am
+++ b/Makefile.am
@ -23,7 +23,7 @@ GENHTML = genhtml
 # so force it explicitly
 DISTCHECK_CONFIGURE_FLAGS = --enable-werror

-SUBDIRS = . gnulib/lib include/libvirt src tools docs gnulib/tests \
+SUBDIRS = . include/libvirt src tools docs \
  tests po examples

 XZ_OPT ?= -v -T0
@ -129,6 +129,9 @@ clean-cov:

 MAINTAINERCLEANFILES = .git-module-status

+BUILT_SOURCES = configmake.h
+CLEANFILES = configmake.h
+
 distclean-local: clean-GNUmakefile
 clean-GNUmakefile:
 	test '$(srcdir)' = . || rm -f $(top_builddir)/GNUmakefile
@ -154,3 +157,44 @@ gen-AUTHORS:

 ci-%:
 	$(MAKE) -C $(srcdir)/ci/ $@
+
+# Listed in the same order as the GNU makefile conventions, and
+# provided by autoconf 2.59c+ or 2.70.
+# The Automake-defined pkg* macros are appended, in the order
+# listed in the Automake 1.10a+ documentation.
+configmake.h: Makefile
+	$(AM_V_GEN)rm -f $@-t && \
+	{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
+	  echo '#if WIN32'; \
+	  echo '# include <winsock2.h> /* avoid mingw pollution on DATADIR */'; \
+	  echo '#endif'; \
+	  echo '#define PREFIX "$(prefix)"'; \
+	  echo '#define EXEC_PREFIX "$(exec_prefix)"'; \
+	  echo '#define BINDIR "$(bindir)"'; \
+	  echo '#define SBINDIR "$(sbindir)"'; \
+	  echo '#define LIBEXECDIR "$(libexecdir)"'; \
+	  echo '#define DATAROOTDIR "$(datarootdir)"'; \
+	  echo '#define DATADIR "$(datadir)"'; \
+	  echo '#define SYSCONFDIR "$(sysconfdir)"'; \
+	  echo '#define SHAREDSTATEDIR "$(sharedstatedir)"'; \
+	  echo '#define LOCALSTATEDIR "$(localstatedir)"'; \
+	  echo '#define RUNSTATEDIR "$(runstatedir)"'; \
+	  echo '#define INCLUDEDIR "$(includedir)"'; \
+	  echo '#define OLDINCLUDEDIR "$(oldincludedir)"'; \
+	  echo '#define DOCDIR "$(docdir)"'; \
+	  echo '#define INFODIR "$(infodir)"'; \
+	  echo '#define HTMLDIR "$(htmldir)"'; \
+	  echo '#define DVIDIR "$(dvidir)"'; \
+	  echo '#define PDFDIR "$(pdfdir)"'; \
+	  echo '#define PSDIR "$(psdir)"'; \
+	  echo '#define LIBDIR "$(libdir)"'; \
+	  echo '#define LISPDIR "$(lispdir)"'; \
+	  echo '#define LOCALEDIR "$(localedir)"'; \
+	  echo '#define MANDIR "$(mandir)"'; \
+	  echo '#define MANEXT "$(manext)"'; \
+	  echo '#define PKGDATADIR "$(pkgdatadir)"'; \
+	  echo '#define PKGINCLUDEDIR "$(pkgincludedir)"'; \
+	  echo '#define PKGLIBDIR "$(pkglibdir)"'; \
+	  echo '#define PKGLIBEXECDIR "$(pkglibexecdir)"'; \
+	} | sed '/""/d' > $@-t && \
+	mv -f $@-t $@
--- a/9
+++ b/9
@ -28,18 +28,11 @@ You can get a copy of the source repository like this:
        $ git clone https://libvirt.org/git/libvirt.git
        $ cd libvirt

-As an optional step, if you already have a copy of the gnulib git
-repository on your hard drive, then you can use it as a reference to
-reduce download time and disk space requirements:
-
-        $ export GNULIB_SRCDIR=/path/to/gnulib
-
 We require to have the build directory different than the source directory:

        $ mkdir build && cd build

-The next step is to get all required pieces from gnulib,
-to run autoreconf, and to invoke ../autogen.sh:
+The next step is to invoke ../autogen.sh:

        $ ../autogen.sh

--- a/autogen.sh
+++ b/autogen.sh
@ -1,208 +1,44 @@
 #!/bin/sh
 # Run this to generate all the initial makefiles, etc.
+test -n "$srcdir" || srcdir=$(dirname "$0")
+test -n "$srcdir" || srcdir=.

-die()
-{
-    echo "error: $1" >&2
+olddir=$(pwd)
+
+cd "$srcdir"
+
+(test -f src/libvirt.c) || {
+    echo -n "**Error**: Directory "\`$srcdir\'" does not look like the"
+    echo " top-level libvirt directory"
    exit 1
 }

-starting_point=$(pwd)
+git submodule update --init || exit 1

-srcdir=$(dirname "$0")
-test "$srcdir" || srcdir=.
+autoreconf --verbose --force --install || exit 1

-cd "$srcdir" || {
-    die "Failed to cd into $srcdir"
-}
-
-test -f src/libvirt.c || {
-    die "$0 must live in the top-level libvirt directory"
-}
-
-dry_run=
-no_git=
-gnulib_srcdir=
-extra_args=
-while test "$#" -gt 0; do
-    case "$1" in
-    --dry-run)
-        # This variable will serve both as an indicator of the fact that
-        # a dry run has been requested, and to store the result of the
-        # dry run. It will be ultimately used as return code for the
-        # script: 0 means no action is necessary, 2 means that autogen.sh
-        # needs to be executed, and 1 is reserved for failures
-        dry_run=0
+if test "x$1" = "x--system"; then
    shift
-        ;;
-    --no-git)
-        no_git=" $1"
-        shift
-        ;;
-    --gnulib-srcdir=*)
-        gnulib_srcdir=" $1"
-        shift
-        ;;
-    --gnulib-srcdir)
-        gnulib_srcdir=" $1=$2"
-        shift
-        shift
-        ;;
-    --system)
    prefix=/usr
+    libdir=$prefix/lib
    sysconfdir=/etc
    localstatedir=/var
-        if test -d $prefix/lib64; then
+    if [ -d /usr/lib64 ]; then
      libdir=$prefix/lib64
-        else
-            libdir=$prefix/lib
-        fi
-        extra_args="--prefix=$prefix --localstatedir=$localstatedir"
-        extra_args="$extra_args --sysconfdir=$sysconfdir --libdir=$libdir"
-        shift
-        ;;
-    *)
-        # All remaining arguments will be passed to configure verbatim
-        break
-        ;;
-    esac
-done
-no_git="$no_git$gnulib_srcdir"
-
-gnulib_hash()
-{
-    local no_git=$1
-
-    if test "$no_git"; then
-        echo "no-git"
-        return
-    fi
-
-    # Compute the hash we'll use to determine whether rerunning bootstrap
-    # is required. The first is just the SHA1 that selects a gnulib snapshot.
-    # The second ensures that whenever we change the set of gnulib modules used
-    # by this package, we rerun bootstrap to pull in the matching set of files.
-    # The third ensures that whenever we change the set of local gnulib diffs,
-    # we rerun bootstrap to pull in those diffs.
-    git submodule status .gnulib | awk '{ print $1 }'
-    git hash-object bootstrap.conf
-    git ls-tree -d HEAD gnulib/local | awk '{ print $3 }'
-}
-
-# Only look into git submodules if we're in a git checkout
-if test -d .git || test -f .git; then
-
-    # Check for dirty submodules
-    if test -z "$CLEAN_SUBMODULE"; then
-        for path in $(git submodule status | awk '{ print $2 }'); do
-            case "$(git diff "$path")" in
-                *-dirty*)
-                    echo "error: $path is dirty, please investigate" >&2
-                    echo "set CLEAN_SUBMODULE to discard submodule changes" >&2
-                    exit 1
-                    ;;
-            esac
-        done
-    fi
-    if test "$CLEAN_SUBMODULE" && test -z "$no_git"; then
-        if test -z "$dry_run"; then
-            echo "Cleaning up submodules..."
-            git submodule foreach 'git clean -dfqx && git reset --hard' || {
-                die "Cleaning up submodules failed"
-            }
-        fi
-    fi
-
-    # Update all submodules. If any of the submodules has not been
-    # initialized yet, it will be initialized now; moreover, any submodule
-    # with uncommitted changes will be returned to the expected state
-    echo "Updating submodules..."
-    git submodule update --init || {
-        die "Updating submodules failed"
-    }
-
-    # The expected hash, eg. the one computed after the last
-    # successful bootstrap run, is stored on disk
-    state_file=.git-module-status
-    expected_hash=$(cat "$state_file" 2>/dev/null)
-    actual_hash=$(gnulib_hash "$no_git")
-
-    if test "$actual_hash" = "$expected_hash" && test -f AUTHORS; then
-        # The gnulib hash matches our expectations, and all the files
-        # that can only be generated through bootstrap are present:
-        # we just need to run autoreconf. Unless we're performing a
-        # dry run, of course...
-        if test -z "$dry_run"; then
-            echo "Running autoreconf..."
-            autoreconf -if || {
-                die "autoreconf failed"
-            }
-        fi
-    else
-        # Whenever the gnulib submodule or any of the related bits
-        # has been changed in some way (see gnulib_hash) we need to
-        # run bootstrap again. If we're performing a dry run, we
-        # change the return code instead to signal our caller
-        if test "$dry_run"; then
-            dry_run=2
-        else
-            echo "Running bootstrap..."
-            ./bootstrap$no_git --bootstrap-sync || {
-                die "bootstrap failed"
-            }
-            gnulib_hash >"$state_file"
-        fi
    fi
+    EXTRA_ARGS="--prefix=$prefix --sysconfdir=$sysconfdir --localstatedir=$localstatedir --libdir=$libdir"
 fi

-# When performing a dry run, we can stop here
-test "$dry_run" && exit "$dry_run"
+cd "$olddir"

-# If asked not to run configure, we can stop here
-test "$NOCONFIGURE" && exit 0
+if [ "$NOCONFIGURE" = "" ]; then
+        $srcdir/configure $EXTRA_ARGS "$@" || exit 1

-cd "$starting_point" || {
-    die "Failed to cd into $starting_point"
-}
-
-if test "$OBJ_DIR"; then
-    mkdir -p "$OBJ_DIR" || {
-        die "Failed to create $OBJ_DIR"
-    }
-    cd "$OBJ_DIR" || {
-        die "Failed to cd into $OBJ_DIR"
-    }
-fi
-
-# Make sure we can find GNU make and tell the user
-# the right command to run
-MAKE=
-for cmd in make gmake; do
-    if $cmd -v 2>&1 | grep -q "GNU Make"; then
-        MAKE=$cmd
-        break
+        if [ "$1" = "--help" ]; then
+                exit 0
+        else
+                echo "Now type 'make' to compile libvirt" || exit 1
        fi
-done
-test "$MAKE" || {
-    die "GNU make is required to build libvirt"
-}
-
-if test -z "$*" && test -z "$extra_args" && test -f config.status; then
-    echo "Running config.status..."
-    ./config.status --recheck || {
-        die "config.status failed"
-    }
 else
-    if test -z "$*" && test -z "$extra_args"; then
-        echo "I am going to run configure with no arguments - if you wish"
-        echo "to pass any to it, please specify them on the $0 command line."
-    else
-        echo "Running configure with $extra_args $@"
-    fi
-    "$srcdir/configure" $extra_args "$@" || {
-        die "configure failed"
-    }
+        echo "Skipping configure process."
 fi
-
-echo
-echo "Now type '$MAKE' to compile libvirt."
--- a/1073
+++ b/1073
--- a/bootstrap.conf
+++ b/bootstrap.conf
@ -1,201 +0,0 @@
-# Bootstrap configuration.
-
-# Copyright (C) 2010-2014 Red Hat, Inc.
-
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library.  If not, see
-# <http://www.gnu.org/licenses/>.
-
-# gnulib modules used by this package.
-
-# NB the GSocket conversion is non-trivial due to the
-# different FD vs HANDLE usage in gnulib vs glib. Need
-# to find a way to duplicate a socket HANDLE before
-# turning it into a FD, since closing an FD also closes
-# the original HANDLE.
-
-# -> GSocket
-gnulib_modules="$gnulib_modules accept"
-# -> GSocket
-gnulib_modules="$gnulib_modules bind"
-# -> conditional build to avoid Win32
-gnulib_modules="$gnulib_modules chown"
-# -> GSocket
-gnulib_modules="$gnulib_modules close"
-# -> GSocket
-gnulib_modules="$gnulib_modules connect"
-# -> Meson
-gnulib_modules="$gnulib_modules configmake"
-# -> eliminate usage in some manner
-gnulib_modules="$gnulib_modules environ"
-# -> GSocket
-gnulib_modules="$gnulib_modules fcntl"
-# -> conditional build avoid win32
-gnulib_modules="$gnulib_modules fcntl-h"
-# -> GSocket
-gnulib_modules="$gnulib_modules getaddrinfo"
-# -> copy gnuliub win32 impl
-gnulib_modules="$gnulib_modules getpass"
-# -> GSocket
-gnulib_modules="$gnulib_modules getpeername"
-# -> GSocket
-gnulib_modules="$gnulib_modules getsockname"
-# -> copy gnulib STRBUFLEN macro
-gnulib_modules="$gnulib_modules intprops"
-# -> GSocket
-gnulib_modules="$gnulib_modules ioctl"
-# -> Meson
-gnulib_modules="$gnulib_modules largefile"
-# -> GSocket
-gnulib_modules="$gnulib_modules listen"
-# -> custom configure check
-gnulib_modules="$gnulib_modules localeconv"
-# -> Meson
-gnulib_modules="$gnulib_modules manywarnings"
-# -> painful copy gnulib
-gnulib_modules="$gnulib_modules mgetgroups"
-# -> GSocket
-gnulib_modules="$gnulib_modules net_if"
-# -> GSocket
-gnulib_modules="$gnulib_modules netdb"
-# -> GSocket
-gnulib_modules="$gnulib_modules nonblocking"
-# -> Just add -lutil to cli
-gnulib_modules="$gnulib_modules openpty"
-# -> GSocket
-gnulib_modules="$gnulib_modules passfd"
-# -> open code / copy gnulib code
-gnulib_modules="$gnulib_modules physmem"
-# -> open code / conditional comp
-gnulib_modules="$gnulib_modules pipe-posix"
-# -> open code / conditional comp
-gnulib_modules="$gnulib_modules pipe2"
-# -> GMainLoop
-gnulib_modules="$gnulib_modules poll"
-# -> Meson
-gnulib_modules="$gnulib_modules posix-shell"
-# -> open code conditional logic
-gnulib_modules="$gnulib_modules pthread_sigmask"
-# -> GSocket
-gnulib_modules="$gnulib_modules recv"
-# -> GSocket
-gnulib_modules="$gnulib_modules send"
-# -> GSocket
-gnulib_modules="$gnulib_modules setsockopt"
-# -> open code conditional logic
-gnulib_modules="$gnulib_modules sigaction"
-# -> open code conditional logic
-gnulib_modules="$gnulib_modules sigpipe"
-# -> GSocket
-gnulib_modules="$gnulib_modules socket"
-# -> open code conditional or use GIO GFileInfo
-gnulib_modules="$gnulib_modules stat-time"
-# -> remove use or open-code it. possibly add to glib
-gnulib_modules="$gnulib_modules strchrnul"
-# -> g_strsplit
-gnulib_modules="$gnulib_modules strtok_r"
-# -> remove sys/stat.h include from any win32 code paths
-gnulib_modules="$gnulib_modules sys_stat"
-# -> remove sys/wait.h include from any win32 code paths
-gnulib_modules="$gnulib_modules sys_wait"
-# -> remove from any win32 code paths
-gnulib_modules="$gnulib_modules termios"
-# -> GDateTime ?
-gnulib_modules="$gnulib_modules time_r"
-# -> obsolete - exists on Linux, MacOS >= ?? & FreeBSD >= 6
-gnulib_modules="$gnulib_modules ttyname_r"
-# -> g_get_os_info in GLib 2.64 but can't use that yet
-gnulib_modules="$gnulib_modules uname"
-# -> G_STATIC_ASSERT
-gnulib_modules="$gnulib_modules verify"
-# -> remove from Win32 code paths
-gnulib_modules="$gnulib_modules waitpid"
-# -> Meson
-gnulib_modules="$gnulib_modules warnings"
-# -> open code impl
-gnulib_modules="$gnulib_modules wcwidth"
-
-SKIP_PO=true
-
-# Enable copy-mode for MSYS/MinGW. MSYS' ln doesn't work well in the way
-# bootstrap uses it with relative paths.
-if test -n "$MSYSTEM"; then
-    copy=true
-fi
-
-
-# Tell gnulib to:
-#   require LGPLv2+
-#   apply any local diffs in gnulib/local/ dir
-#   put *.m4 files in m4/ dir
-#   put *.[ch] files in new gnulib/lib/ dir
-#   import gnulib tests in new gnulib/tests/ dir
-gnulib_name=libgnu
-m4_base=m4
-source_base=gnulib/lib
-tests_base=gnulib/tests
-gnulib_tool_option_extras="\
- --lgpl=2\
- --with-tests\
- --makefile-name=gnulib.mk\
- --avoid=pt_chown\
- --avoid=lock-tests\
-"
-local_gl_dir=gnulib/local
-
-# Build prerequisites
-# Note that some of these programs are only required for 'make dist' to
-# succeed from a fresh git checkout; not all of these programs are
-# required to run 'make dist' on a tarball.
-buildreq="\
-autoconf   2.59
-automake   1.9.6
-git        1.5.5
-gzip       -
-libtool    -
-patch      -
-perl       5.5
-pkg-config -
-rpcgen     -
-tar        -
-xmllint	   -
-xsltproc   -
-"
-
-# Automake requires that AUTHORS exist.
-touch AUTHORS || exit 1
-
-# Override bootstrap's list - we don't use mdate-sh or texinfo.tex.
-gnulib_extra_files="
-        build-aux/install-sh
-        build-aux/depcomp
-        build-aux/config.guess
-        build-aux/config.sub
-        doc/INSTALL
-"
-
-
-bootstrap_post_import_hook()
-{
-  # Change paths in gnulib/tests/gnulib.mk from "../../.." to "../..",
-  # and make tests conditional by changing "TESTS" to "GNULIB_TESTS".
-  m=gnulib/tests/gnulib.mk
-  sed 's,\.\./\.\./\.\.,../..,g; s/^TESTS /GNULIB_TESTS /' $m > $m-t
-  mv -f $m-t $m
-}
-
-bootstrap_epilogue()
-{
-    echo "$0: done.  Now you can run 'mkdir build && cd build && ../configure'."
-    exit 0
-}
--- a/build-aux/syntax-check.mk
+++ b/build-aux/syntax-check.mk
@ -44,10 +44,6 @@ VC = $(GIT)

 VC_LIST = $(srcdir)/$(_build-aux)/vc-list-files -C $(srcdir)

-# You can override this variable in syntax-check.mk if your gnulib submodule lives
-# in a different location.
-gnulib_dir ?= $(srcdir)/gnulib
-
 # You can override this variable in syntax-check.mk to set your own regexp
 # matching files to ignore.
 VC_LIST_ALWAYS_EXCLUDE_REGEX ?= ^$$
@ -73,8 +69,6 @@ _sc_excl = \
  $(or $(exclude_file_name_regexp--$@),^$$)
 VC_LIST_EXCEPT = \
  $(VC_LIST) | $(SED) 's|^$(_dot_escaped_srcdir)/||' \
-	| if test -f $(srcdir)/.x-$@; then $(GREP) -vEf $(srcdir)/.x-$@; \
-	  else $(GREP) -Ev -e "$${VC_LIST_EXCEPT_DEFAULT-ChangeLog}"; fi \
 	| $(GREP) -Ev -e '($(VC_LIST_ALWAYS_EXCLUDE_REGEX)|$(_sc_excl))' \
 	$(_prepend_srcdir_prefix)

@ -132,22 +126,7 @@ local-check :=								\

 syntax-check: $(local-check)

-# We use .gnulib, not gnulib.
-gnulib_dir = $(srcdir)/.gnulib
-
-# We haven't converted all scripts to using gnulib's init.sh yet.
-_test_script_regex = \<\(init\|test-lib\)\.sh\>
-
-# Most developers don't run 'make distcheck'.  We want the official
-# dist to be secure, but don't want to penalize other developers
-# using a distro that has not yet picked up the automake fix.
-# FIXME remove this ifeq (making the syntax check unconditional)
-# once fixed automake (1.11.6 or 1.12.2+) is more common.
-ifeq ($(filter dist%, $(MAKECMDGOALS)), )
-local-checks-to-skip +=	sc_vulnerable_makefile_CVE-2012-3386
-else
-distdir: sc_vulnerable_makefile_CVE-2012-3386.z
-endif
+_test_script_regex = \<test-lib\.sh\>

 # Files that should never cause syntax check failures.
 VC_LIST_ALWAYS_EXCLUDE_REGEX = \
@ -423,7 +402,6 @@ sc_prohibit_access_xok:
 	halt='use virFileIsExecutable instead of access(,X_OK)' \
 	  $(_sc_search_regexp)

-# Similar to the gnulib syntax-check.mk rule for sc_prohibit_strcmp
 # Use STREQLEN or STRPREFIX rather than comparing strncmp == 0, or != 0.
 snp_ = strncmp *\(.+\)
 sc_prohibit_strncmp:
@ -476,8 +454,6 @@ sc_prohibit_risky_id_promotion:
 	halt='cast -1 to ([ug]id_t) before comparing against id' \
 	  $(_sc_search_regexp)

-# Use g_snprintf rather than s'printf, even if buffer is provably large enough,
-# since gnulib has more guarantees for snprintf portability
 sc_prohibit_sprintf:
 	@prohibit='\<[s]printf\>' \
 	in_vc_files='\.[ch]$$' \
@ -570,9 +546,8 @@ sc_size_of_brackets:
 	  $(_sc_search_regexp)

 # Ensure that no C source file, docs, or rng schema uses TABs for
-# indentation.  Also match *.h.in files, to get libvirt.h.in.  Exclude
-# files in gnulib, since they're imported.
-space_indent_files=(\.(aug(\.in)?|rng|s?[ch](\.in)?|html.in|py|pl|syms)|(daemon|tools)/.*\.in)
+# indentation.  Also match *.h.in files, to get libvirt.h.in.
+space_indent_files=(\.(aug(\.in)?|rng|s?[ch](\.in)?|html.in|py|pl|syms)|tools/.*\.in)
 sc_TAB_in_indentation:
 	@prohibit='^ *	' \
 	in_vc_files='$(space_indent_files)$$' \
@ -712,8 +687,7 @@ msg_gen_function += virLastErrorPrefixMessage
 # msg_gen_function += vshPrint
 # msg_gen_function += vshError

-space =
-space +=
+space = $(null) $(null)
 func_re= ($(subst $(space),|,$(msg_gen_function)))

 # Look for diagnostics that aren't marked for translation.
@ -881,9 +855,9 @@ sc_prohibit_cross_inclusion:
 	    access/ | conf/) safe="($$dir|conf|util)";; \
 	    cpu/| network/| node_device/| rpc/| security/| storage/) \
 	      safe="($$dir|util|conf|storage)";; \
-	    *) safe="($$dir|$(mid_dirs)|util)";; \
+	    *) safe="($$dir|$(mid_dirs)|hypervisor|util)";; \
 	  esac; \
-	  in_vc_files="^src/$$dir" \
+	  in_vc_files="src/$$dir" \
 	  prohibit='^# *include .$(cross_dirs_re)' \
 	  exclude="# *include .$$safe" \
 	  halt='unsafe cross-directory include' \
@ -1121,7 +1095,7 @@ sc_gettext_init:
 	  $(_sc_search_regexp)

 sc_prohibit_obj_free_apis_in_virsh:
-	@prohibit='\bvir(Domain|DomainSnapshot)Free\b' \
+	@prohibit='\bvir(Domain|DomainSnapshot|Secret)Free\b' \
 	in_vc_files='virsh.*\.[ch]$$' \
 	exclude='sc_prohibit_obj_free_apis_in_virsh' \
 	halt='avoid using virDomain(Snapshot)Free in virsh, use virsh-prefixed wrappers instead' \
@ -1606,20 +1580,6 @@ sc_prohibit_strings_without_use:
 	re='\<(strn?casecmp|ffs(ll)?)\>'				\
 	  $(_sc_header_without_use)

-# Extract the raw list of symbol names with this:
-gl_extract_define_simple = \
-  /^\# *define ([A-Z]\w+)\(/ and print $$1
-# Filter out duplicates and convert to a space-separated list:
-_intprops_names = \
-  $(shell f=$(gnulib_dir)/lib/intprops.h;				\
-    perl -lne '$(gl_extract_define_simple)' $$f | sort -u | tr '\n' ' ')
-# Remove trailing space and convert to a regular expression:
-_intprops_syms_re = $(subst $(_sp),|,$(strip $(_intprops_names)))
-# Prohibit the inclusion of intprops.h without an actual use.
-sc_prohibit_intprops_without_use:
-	@h='intprops.h'							\
-	re='\<($(_intprops_syms_re)) *\('				\
-	  $(_sc_header_without_use)

 _stddef_syms_re = NULL|offsetof|ptrdiff_t|size_t|wchar_t
 # Prohibit the inclusion of stddef.h without an actual use.
@ -1638,23 +1598,10 @@ sc_prohibit_dirent_without_use:
 	re='\<($(_dirent_syms_re))\>'					\
 	  $(_sc_header_without_use)

-# Prohibit the inclusion of verify.h without an actual use.
-sc_prohibit_verify_without_use:
-	@h='verify.h'							\
-	re='\<(verify(true|expr)?|assume|static_assert) *\('		\
-	  $(_sc_header_without_use)
-
 # Don't include xfreopen.h unless you use one of its functions.
 sc_prohibit_xfreopen_without_use:
 	@h='xfreopen.h' re='\<xfreopen *\(' $(_sc_header_without_use)

-# Each nonempty ChangeLog line must start with a year number, or a TAB.
-sc_changelog:
-	@prohibit='^[^12	]'					\
-	in_vc_files='^ChangeLog$$'					\
-	halt='found unexpected prefix in a ChangeLog'			\
-	  $(_sc_search_regexp)
-
 # Ensure that each .c file containing a "main" function also
 # calls bindtextdomain.
 sc_bindtextdomain:
@ -1683,29 +1630,6 @@ sc_unmarked_diagnostics:
 	halt='found unmarked diagnostic(s)'				\
 	  $(_sc_search_regexp)

-# List headers for which HAVE_HEADER_H is always true, assuming you are
-# using the appropriate gnulib module.  CAUTION: for each "unnecessary"
-# #if HAVE_HEADER_H that you remove, be sure that your project explicitly
-# requires the gnulib module that guarantees the usability of that header.
-gl_assured_headers_ = \
-  cd $(gnulib_dir)/lib && echo *.in.h|$(SED) 's/\.in\.h//g'
-
-# Convert the list of names to upper case, and replace each space with "|".
-az_ = abcdefghijklmnopqrstuvwxyz
-AZ_ = ABCDEFGHIJKLMNOPQRSTUVWXYZ
-gl_header_upper_case_or_ =						\
-  $$($(gl_assured_headers_)						\
-    | tr $(az_)/.- $(AZ_)___						\
-    | tr -s ' ' '|'							\
-    )
-sc_prohibit_always_true_header_tests:
-	@or=$(gl_header_upper_case_or_);				\
-	re="HAVE_($$or)_H";						\
-	prohibit='\<'"$$re"'\>'						\
-	halt=$$(printf '%s\n'						\
-	'do not test the above HAVE_<header>_H symbol(s);'		\
-	'  with the corresponding gnulib module, they are always true')	\
-	  $(_sc_search_regexp)

 sc_prohibit_defined_have_decl_tests:
 	@prohibit='(#[	 ]*ifn?def|\<defined)\>[	 (]+HAVE_DECL_'	\
@ -1713,51 +1637,6 @@ sc_prohibit_defined_have_decl_tests:
 	  $(_sc_search_regexp)

 # ==================================================================
-gl_other_headers_ ?= \
-  intprops.h	\
-  openat.h	\
-  stat-macros.h
-
-# Perl -lne code to extract "significant" cpp-defined symbols from a
-# gnulib header file, eliminating a few common false-positives.
-# The exempted names below are defined only conditionally in gnulib,
-# and hence sometimes must/may be defined in application code.
-gl_extract_significant_defines_ = \
-  /^\# *define ([^_ (][^ (]*)(\s*\(|\s+\w+)/\
-    && $$2 !~ /(?:rpl_|_used_without_)/\
-    && $$1 !~ /^(?:NSIG|ENODATA)$$/\
-    && $$1 !~ /^(?:SA_RESETHAND|SA_RESTART)$$/\
-    and print $$1
-
-# Create a list of regular expressions matching the names
-# of macros that are guaranteed to be defined by parts of gnulib.
-define def_sym_regex
-	gen_h=$(gl_generated_headers_);					\
-	(cd $(gnulib_dir)/lib;						\
-	  for f in *.in.h $(gl_other_headers_); do			\
-	    test -f $$f							\
-	      && perl -lne '$(gl_extract_significant_defines_)' $$f;	\
-	  done;								\
-	) | sort -u							\
-	  | $(SED) 's/^/^ *# *(define|undef)  */;s/$$/\\>/'
-endef
-
-# Don't define macros that we already get from gnulib header files.
-sc_prohibit_always-defined_macros:
-	@if test -d $(gnulib_dir); then					\
-	  case $$(echo all: | $(GREP) -l -f - $(abs_top_builddir)/Makefile) in $(abs_top_builddir)/Makefile);; *) \
-	    echo '$(ME): skipping $@: you lack GNU grep' 1>&2; exit 0;;	\
-	  esac;								\
-	  regex=$$($(def_sym_regex)); export regex;			\
-	  $(VC_LIST_EXCEPT)						\
-	    | xargs sh -c 'echo $$regex | $(GREP) -E -f - "$$@"'	\
-		dummy /dev/null						\
-	    && { printf '$(ME): define the above'			\
-			' via some gnulib .h file\n' 1>&2;		\
-	         exit 1; }						\
-	    || :;							\
-	fi
-# ==================================================================

 # Prohibit checked in backup files.
 sc_prohibit_backup_files:
@ -1773,14 +1652,6 @@ sc_GFDL_version:
 	halt='GFDL vN, N!=3'						\
 	  $(_sc_search_regexp)

-cvs_keywords = \
-  Author|Date|Header|Id|Name|Locker|Log|RCSfile|Revision|Source|State
-
-sc_prohibit_cvs_keyword:
-	@prohibit='\$$($(cvs_keywords))\$$'				\
-	halt='do not use CVS keyword expansion'				\
-	  $(_sc_search_regexp)
-
 # This Perl code is slightly obfuscated.  Not only is each "$" doubled
 # because it's in a Makefile, but the $$c's are comments;  we cannot
 # use "#" due to the way the script ends up concatenated onto one line.
@ -1921,20 +1792,6 @@ sc_const_long_option:
 	halt='add "const" to the above declarations'			\
 	  $(_sc_search_regexp)

-NEWS_hash =								\
-  $$($(SED) -n '/^\*.* $(PREV_VERSION_REGEXP) ([0-9-]*)/,$$p'		\
-       $(srcdir)/NEWS							\
-     | perl -0777 -pe							\
-	's/^Copyright.+?Free\sSoftware\sFoundation,\sInc\.\n//ms'	\
-     | md5sum -								\
-     | $(SED) 's/ .*//')
-
-# Update the hash stored above.  Do this after each release and
-# for any corrections to old entries.
-update-NEWS-hash: NEWS
-	perl -pi -e 's/^(old_NEWS_hash[ \t]+:?=[ \t]+).*/$${1}'"$(NEWS_hash)/" \
-	  $(srcdir)/syntax-check.mk
-
 # Ensure that we use only the standard $(VAR) notation,
 # not @...@ in Makefile.am, now that we can rely on automake
 # to emit a definition for each substituted variable.
@ -1996,11 +1853,10 @@ perl_translatable_files_list_ =						\
 po_file ?= $(srcdir)/po/POTFILES.in

 # List of additional files that we want to pick up in our POTFILES.in
-# This is all gnulib files, as well as generated files for RPC code.
+# This is all generated files for RPC code.
 generated_files = \
  $(builddir)/src/*.[ch] \
-  $(builddir)/src/*/*.[ch] \
-  $(srcdir)/gnulib/lib/*.[ch]
+  $(builddir)/src/*/*.[ch]

 _gl_translatable_string_re ?= \b(N?_|gettext *)\([^)"]*("|$$)

@ -2036,25 +1892,6 @@ writable-files:
 	else :;								\
 	fi

-v_etc_file = $(gnulib_dir)/lib/version-etc.c
-sample-test = tests/sample-test
-texi = doc/$(PACKAGE).texi
-# Make sure that the copyright date in $(v_etc_file) is up to date.
-# Do the same for the $(sample-test) and the main doc/.texi file.
-sc_copyright_check:
-	@require='enum { COPYRIGHT_YEAR = '$$(date +%Y)' };'		\
-	in_files=$(v_etc_file)						\
-	halt='out of date copyright in $(v_etc_file); update it'	\
-	  $(_sc_search_regexp)
-	@require='# Copyright \(C\) '$$(date +%Y)' Free'		\
-	in_vc_files=$(sample-test)					\
-	halt='out of date copyright in $(sample-test); update it'	\
-	  $(_sc_search_regexp)
-	@require='Copyright @copyright\{\} .*'$$(date +%Y)		\
-	in_vc_files=$(texi)						\
-	halt='out of date copyright in $(texi); update it'		\
-	  $(_sc_search_regexp)
-

 # BRE regex of file contents to identify a test script.
 _test_script_regex ?= \<init\.sh\>
@ -2084,70 +1921,6 @@ sc_prohibit_path_max_allocation:
 	halt='Avoid stack allocations of size PATH_MAX'			\
 	  $(_sc_search_regexp)

-sc_vulnerable_makefile_CVE-2009-4029:
-	@prohibit='perm -777 -exec chmod a\+rwx|chmod 777 \$$\(distdir\)' \
-	in_files='(^|/)Makefile\.in$$'					\
-	halt=$$(printf '%s\n'						\
-	  'the above files are vulnerable; beware of running'		\
-	  '  "make dist*" rules, and upgrade to fixed automake'		\
-	  '  see https://bugzilla.redhat.com/show_bug.cgi?id=542609 for details') \
-	  $(_sc_search_regexp)
-
-sc_vulnerable_makefile_CVE-2012-3386:
-	@prohibit='chmod a\+w \$$\(distdir\)'				\
-	in_files='(^|/)Makefile\.in$$'					\
-	halt=$$(printf '%s\n'						\
-	  'the above files are vulnerable; beware of running'		\
-	  '  "make distcheck", and upgrade to fixed automake'		\
-	  '  see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3386 for details') \
-	  $(_sc_search_regexp)
-
-# We don't use this feature of syntax-check.mk.
-prev_version_file = /dev/null
-
-ifneq ($(_gl-Makefile),)
-ifeq (0,$(MAKELEVEL))
-  _dry_run_result := $(shell \
-      cd '$(srcdir)'; \
-      test -d .git || test -f .git || { echo 0; exit; }; \
-      $(srcdir)/autogen.sh --dry-run >/dev/null 2>&1; \
-      echo $$?; \
-  )
-  _clean_requested = $(filter %clean,$(MAKECMDGOALS))
-
-  # A return value of 0 means no action is required
-
-  # A return value of 1 means a genuine error has occurred while
-  # performing the dry run, and it should be reported so it can
-  # be investigated
-  ifeq (1,$(_dry_run_result))
-    $(info INFO: autogen.sh error, running again to show details)
-syntax-check.mk Makefile: _autogen_error
-  endif
-
-  # A return value of 2 means that autogen.sh needs to be executed
-  # in earnest before building, probably because of gnulib updates.
-  # We don't run autogen.sh if the clean target has been invoked,
-  # though, as it would be quite pointless
-  ifeq (2,$(_dry_run_result)$(_clean_requested))
-    $(info INFO: running autogen.sh is required, running it now...)
-    $(shell touch $(srcdir)/AUTHORS)
-syntax-check.mk Makefile: _autogen
-  endif
-endif
-endif
-
-# It is necessary to call autogen any time gnulib changes.  Autogen
-# reruns configure, then we regenerate all Makefiles at once.
-.PHONY: _autogen
-_autogen:
-	$(srcdir)/autogen.sh
-	./config.status
-
-.PHONY: _autogen_error
-_autogen_error:
-	$(srcdir)/autogen.sh --dry-run
-
 ifneq ($(_gl-Makefile),)
 syntax-check: spacing-check test-wrap-argv \
 	prohibit-duplicate-header mock-noinline group-qemu-caps \
@ -2193,14 +1966,14 @@ group-qemu-caps:
 # List all syntax-check exemptions:
 exclude_file_name_regexp--sc_avoid_strcase = ^tools/vsh\.h$$

-_src1=libvirt-stream|qemu/qemu_monitor|util/vir(command|file|fdstream)|xen/xend_internal|rpc/virnetsocket|lxc/lxc_controller|locking/lock_daemon|logging/log_daemon
+_src1=libvirt-stream|qemu/qemu_monitor|util/vir(command|file|fdstream)|rpc/virnetsocket|lxc/lxc_controller|locking/lock_daemon|logging/log_daemon
 _test1=shunloadtest|virnettlscontexttest|virnettlssessiontest|vircgroupmock|commandhelper
 exclude_file_name_regexp--sc_avoid_write = \
  ^(src/($(_src1))|tools/virsh-console|tests/($(_test1)))\.c$$

 exclude_file_name_regexp--sc_bindtextdomain = .*

-exclude_file_name_regexp--sc_gettext_init = ^((tests|examples)/|tools/virt-login-shell.c)
+exclude_file_name_regexp--sc_gettext_init = ^((tests|examples)/|tools/virt-login-shell.c|src/util/vireventglib\.c)

 exclude_file_name_regexp--sc_copyright_format = \
 	^build-aux/syntax-check\.mk$$
@ -2214,7 +1987,7 @@ exclude_file_name_regexp--sc_flags_usage = \
 exclude_file_name_regexp--sc_libvirt_unmarked_diagnostics = \
  ^(src/rpc/gendispatch\.pl$$|tests/)

-exclude_file_name_regexp--sc_po_check = ^(docs/|src/rpc/gendispatch\.pl$$)
+exclude_file_name_regexp--sc_po_check = ^(docs/|src/rpc/gendispatch\.pl$$|tests/commandtest.c$$)

 exclude_file_name_regexp--sc_prohibit_VIR_ERR_NO_MEMORY = \
  ^(build-aux/syntax-check\.mk|include/libvirt/virterror\.h|src/remote/remote_daemon_dispatch\.c|src/util/virerror\.c|docs/internals/oomtesting\.html\.in)$$
@ -2232,10 +2005,10 @@ exclude_file_name_regexp--sc_prohibit_access_xok = \
 	^(src/util/virutil\.c)$$

 exclude_file_name_regexp--sc_prohibit_asprintf = \
-  ^(build-aux/syntax-check\.mk|bootstrap.conf$$|examples/|src/util/virstring\.[ch]$$|tests/vircgroupmock\.c|tools/virt-login-shell\.c|tools/nss/libvirt_nss\.c$$)
+  ^(build-aux/syntax-check\.mk|examples/|tests/vircgroupmock\.c|tools/virt-login-shell\.c|tools/nss/libvirt_nss\.c$$)

 exclude_file_name_regexp--sc_prohibit_strdup = \
-  ^(docs/|examples/|src/util/virstring\.c|tests/vir(netserverclient|cgroup)mock.c|tests/commandhelper\.c|tools/nss/libvirt_nss_(leases|macs)\.c$$)
+  ^(docs/|examples/|tests/virnetserverclientmock.c|tests/commandhelper.c|tools/nss/libvirt_nss_(leases|macs)\.c$$)

 exclude_file_name_regexp--sc_prohibit_close = \
  (\.p[yl]$$|\.spec\.in$$|^docs/|^(src/util/vir(file|event)\.c|src/libvirt-stream\.c|tests/(vir.+mock\.c|commandhelper\.c|qemusecuritymock\.c)|tools/nss/libvirt_nss_(leases|macs)\.c)$$)
@ -2243,9 +2016,8 @@ exclude_file_name_regexp--sc_prohibit_close = \
 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
  (^tests/(virhostcpu|virpcitest)data/|docs/js/.*\.js|docs/fonts/.*\.woff|\.diff|tests/virconfdata/no-newline\.conf$$)

-_src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|logging/log_daemon|remote/remote_daemon)
 exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
-  (^($(_src2)|tests/testutils)\.c$$)
+  (^(src/(util/(vircommand|virdaemon)|lxc/lxc_controller)|tests/testutils)\.c$$)

 exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/vir(util|log)\.c$$

@ -2278,8 +2050,6 @@ exclude_file_name_regexp--sc_prohibit_setuid = ^src/util/virutil\.c|tools/virt-l
 exclude_file_name_regexp--sc_prohibit_snprintf = \
  ^(build-aux/syntax-check\.mk|docs/hacking\.html\.in|tools/virt-login-shell\.c)$$

-exclude_file_name_regexp--sc_prohibit_strncpy = ^src/util/virstring\.c$$
-
 exclude_file_name_regexp--sc_prohibit_strtol = ^examples/.*$$

 exclude_file_name_regexp--sc_prohibit_xmlGetProp = ^src/util/virxml\.c$$
@ -2295,7 +2065,7 @@ exclude_file_name_regexp--sc_require_config_h_first = \
 	^(examples/|tools/virsh-edit\.c$$|tests/virmockstathelpers.c)

 exclude_file_name_regexp--sc_trailing_blank = \
-  /sysinfodata/.*\.data|/virhostcpudata/.*\.cpuinfo|^gnulib/local/.*/.*diff$$
+  /sysinfodata/.*\.data|/virhostcpudata/.*\.cpuinfo$$

 exclude_file_name_regexp--sc_unmarked_diagnostics = \
  ^(scripts/apibuild.py|tests/virt-aa-helper-test|docs/js/.*\.js)$$
@ -2326,7 +2096,7 @@ exclude_file_name_regexp--sc_prohibit_mixed_case_abbreviations = \
  ^src/(vbox/vbox_CAPI.*.h|esx/esx_vi.(c|h)|esx/esx_storage_backend_iscsi.c)$$

 exclude_file_name_regexp--sc_prohibit_empty_first_line = \
-  ^(README|src/esx/README|tests/(vmwarever|virhostcpu)data/.*)$$
+  ^(src/esx/README|tests/(vmwarever|virhostcpu)data/.*)$$

 exclude_file_name_regexp--sc_prohibit_useless_translation = \
  ^tests/virpolkittest.c
@ -2335,23 +2105,17 @@ exclude_file_name_regexp--sc_prohibit_devname = \
  ^(tools/virsh.pod|build-aux/syntax-check\.mk|docs/.*)$$

 exclude_file_name_regexp--sc_prohibit_virXXXFree = \
-  ^(docs/|tests/|examples/|tools/|build-aux/syntax-check\.mk|src/test/test_driver.c|src/libvirt_public.syms|include/libvirt/libvirt-(domain|network|nodedev|storage|stream|secret|nwfilter|interface|domain-snapshot).h|src/libvirt-(domain|qemu|network|nodedev|storage|stream|secret|nwfilter|interface|domain-snapshot).c$$)
+  ^(docs/|tests/|examples/|tools/|build-aux/syntax-check\.mk|src/test/test_driver.c|src/libvirt_public.syms|include/libvirt/libvirt-(domain|network|nodedev|storage|stream|secret|nwfilter|interface|domain-snapshot).h|src/libvirt-(domain|qemu|network|nodedev|storage|stream|secret|nwfilter|interface|domain-snapshot).c|src/qemu/qemu_shim.c$$)

 exclude_file_name_regexp--sc_prohibit_sysconf_pagesize = \
-  ^(build-aux/syntax-check\.mk|src/util/virutil\.c)$$
+  ^(build-aux/syntax-check\.mk|src/util/vir(hostmem|util)\.c)$$

 exclude_file_name_regexp--sc_prohibit_pthread_create = \
  ^(build-aux/syntax-check\.mk|src/util/virthread\.c|tests/.*)$$

-exclude_file_name_regexp--sc_prohibit_always-defined_macros = \
-  ^tests/virtestmock.c$$
-
 exclude_file_name_regexp--sc_prohibit_readdir = \
  ^(tests/(.*mock|virfilewrapper)\.c|tools/nss/libvirt_nss\.c)$$

-exclude_file_name_regexp--sc_prohibit_cross_inclusion = \
-  ^(src/util/virclosecallbacks\.h|src/util/virhostdev\.h)$$
-
 exclude_file_name_regexp--sc_prohibit_dirent_d_type = \
  ^(src/util/vircgroup.c)$

@ -2360,3 +2124,6 @@ exclude_file_name_regexp--sc_prohibit_strcmp = \

 exclude_file_name_regexp--sc_prohibit_backslash_alignment = \
  ^build-aux/syntax-check\.mk$$
+
+exclude_file_name_regexp--sc_prohibit_select = \
+  ^build-aux/syntax-check\.mk|src/util/vireventglibwatch\.c$$
--- a/ci/Makefile
+++ b/ci/Makefile
@ -220,6 +220,7 @@ ci-run-command@%: ci-prepare-tree
 		  --login \
 		  --user="#$(CI_UID)" \
 		  --group="#$(CI_GID)" \
+		  CONFIGURE_OPTS="$$CONFIGURE_OPTS" \
 		  CI_CONT_SRCDIR="$(CI_CONT_SRCDIR)" \
 		  CI_CONT_BUILDDIR="$(CI_CONT_BUILDDIR)" \
 		  CI_SMP="$(CI_SMP)" \
--- a/ci/build.sh
+++ b/ci/build.sh
@ -25,9 +25,7 @@ if test $? != 0; then
 fi
 find -name test-suite.log -delete

-# gl_public_submodule_commit= to disable gnulib's submodule check
-# which breaks due to way we clone the submodules
-make -j"$CI_SMP" gl_public_submodule_commit= $CI_MAKE_ARGS
+make -j"$CI_SMP" $CI_MAKE_ARGS

 if test $? != 0; then \
    LOGS=$(find -name test-suite.log)
--- a/config-post.h
+++ b/config-post.h
@ -22,10 +22,7 @@

 /*
 * Define __GNUC_PREREQ to a sane default if it isn't yet defined.
- * This is done here so that it's included as early as possible; gnulib relies
- * on this to be defined in features.h, which should be included from ctype.h.
- * This doesn't happen on many non-glibc systems.
- * When __GNUC_PREREQ is not defined, gnulib defines it to 0, which breaks things.
+ * This is done here so that it's included as early as possible;
 */
 #ifndef __GNUC_PREREQ
 # define __GNUC_PREREQ(maj, min) \
--- a/configure.ac
+++ b/configure.ac
@ -16,7 +16,7 @@ dnl You should have received a copy of the GNU Lesser General Public
 dnl License along with this library.  If not, see
 dnl <http://www.gnu.org/licenses/>.

-AC_INIT([libvirt], [6.0.0], [libvir-list@redhat.com], [], [https://libvirt.org])
+AC_INIT([libvirt], [6.2.0], [libvir-list@redhat.com], [], [https://libvirt.org])

 if test $srcdir = "."
 then
@ -42,11 +42,6 @@ dnl we don't really need the 'u' even in older toolchains.  Then there is
 dnl older libtool, which spelled it AR_FLAGS
 m4_divert_text([DEFAULTS], [: "${ARFLAGS=cr} ${AR_FLAGS=cr}"])

-# Maintainer note - comment this line out if you plan to rerun
-# GNULIB_POSIXCHECK testing to see if libvirt should be using more modules.
-# Leave it uncommented for normal releases, for faster ./configure.
-gl_ASSERT_NO_GNULIB_POSIXCHECK
-
 # Default to using the silent-rules feature when possible.  Formatting
 # chosen to bypass 'grep' checks that cause older automake to warn.
 # Users (include rpm) can still change the default at configure time.
@ -55,6 +50,8 @@ m4_ifndef([AM_SILENT_RULES],

 AC_CANONICAL_HOST

+AC_USE_SYSTEM_EXTENSIONS
+
 # First extract pieces from the version number string
 LIBVIRT_MAJOR_VERSION=`echo $VERSION | awk -F. '{print $1}'`
 LIBVIRT_MINOR_VERSION=`echo $VERSION | awk -F. '{print $2}'`
@ -132,14 +129,12 @@ AC_PROG_CPP
 dnl autoconf 2.70 adds a --runstatedir option so that downstreams
 dnl can point to /run instead of the historic /var/run, but
 dnl autoconf hasn't had a release since 2012.
-dnl
-dnl gnulib sets configmake.h to include runstatedir, but sets
-dnl it to $localstatedir/run if $runstatedir env var is not set
-dnl which is useless for apps that need to use /run without
-dnl waiting for autoconf 2.70
-dnl
+if test "x$runstatedir" = x; then
+  AC_SUBST([runstatedir], ['${localstatedir}/run'])
+fi
+
 dnl we introduce --with-runstatedir and then overwrite the
-dnl value of $runstatedir so gnulib's configmake.h becomes useful
+dnl value of $runstatedir so configmake.h is more useful
 AC_ARG_WITH(
    [runstatedir],
    [AS_HELP_STRING(
@ -152,8 +147,8 @@ then
 fi


-gl_EARLY
-gl_INIT
+dnl get 64-int interfaces on 32-bit platforms
+AC_SYS_LARGEFILE

 AC_TYPE_UID_T

@ -183,8 +178,6 @@ case "$host" in
    # mingw's ld has the --version-script parameter, but it requires a .def file
    # instead to work properly, therefore clear --version-script here and use
    # -Wl, to pass the .def file to the linker
-    # cygwin's ld has the --version-script parameter too, but for some reason
-    # it's working there as expected
    VERSION_SCRIPT_FLAGS="-Wl,"
    ;;
  * )
@ -206,13 +199,12 @@ dnl are also linux specific.  The "network" and storage_fs drivers are known
 dnl to not work on macOS presently, so we also make a note if compiling
 dnl for that

-with_linux=no with_macos=no with_freebsd=no with_win=no with_cygwin=no
+with_linux=no with_macos=no with_freebsd=no with_win=no
 case $host in
  *-*-linux*) with_linux=yes ;;
  *-*-darwin*) with_macos=yes ;;
  *-*-freebsd*) with_freebsd=yes ;;
  *-*-mingw* | *-*-msvc* ) with_win=yes ;;
-  *-*-cygwin*) with_cygwin=yes ;;
 esac

 if test $with_linux = no; then
@ -229,17 +221,18 @@ if test $with_freebsd = yes; then
    with_firewalld=no
 fi

-if test $with_cygwin = yes; then
-    with_vbox=no
-fi

 AM_CONDITIONAL([WITH_LINUX], [test "$with_linux" = "yes"])
 AM_CONDITIONAL([WITH_FREEBSD], [test "$with_freebsd" = "yes"])
 AM_CONDITIONAL([WITH_MACOS], [test "$with_macos" = "yes"])

-# We don't support the daemon yet
 if test "$with_win" = "yes" ; then
+  # We don't support the daemon yet
  with_libvirtd=no
+
+  # For AI_ADDRCONFIG
+  AC_DEFINE([_WIN32_WINNT], [0x0600], [Win Vista / Server 2008])
+  AC_DEFINE([WINVER], [0x0600], [Win Vista / Server 2008])
 fi

 # The daemon requires remote support.  Likewise, if we are not using
@ -304,7 +297,6 @@ LIBVIRT_ARG_YAJL

 LIBVIRT_CHECK_ACL
 LIBVIRT_CHECK_APPARMOR
-LIBVIRT_CHECK_ATOMIC
 LIBVIRT_CHECK_ATTR
 LIBVIRT_CHECK_AUDIT
 LIBVIRT_CHECK_BASH_COMPLETION
@ -353,8 +345,8 @@ AC_CHECK_SIZEOF([long])
 dnl Availability of various common functions (non-fatal if missing),
 dnl and various less common threadsafe functions
 AC_CHECK_FUNCS_ONCE([\
-  cfmakeraw \
  fallocate \
+  getegid \
  geteuid \
  getgid \
  getifaddrs \
@ -368,6 +360,7 @@ AC_CHECK_FUNCS_ONCE([\
  newlocale \
  posix_fallocate \
  posix_memalign \
+  pipe2 \
  prlimit \
  sched_getaffinity \
  sched_setscheduler \
@ -383,18 +376,22 @@ dnl Availability of various common headers (non-fatal if missing).
 AC_CHECK_HEADERS([\
  ifaddrs.h \
  libtasn1.h \
+  util.h \
+  libutil.h \
  linux/magic.h \
  mntent.h \
  net/ethernet.h \
-  netinet/tcp.h \
+  net/if.h \
+  pty.h \
  pwd.h \
  stdarg.h \
  syslog.h \
+  sys/ioctl.h \
  sys/mount.h \
  sys/syscall.h \
  sys/sysctl.h \
  sys/ucred.h \
-  sys/un.h \
+  xlocale.h \
  ])
 dnl Check whether endian provides handy macros.
 AC_CHECK_DECLS([htole64], [], [], [[#include <endian.h>]])
@ -430,6 +427,7 @@ dnl header could be found.
 AM_CONDITIONAL([HAVE_LIBTASN1], [test "x$ac_cv_header_libtasn1_h" = "xyes"])

 AC_CHECK_LIB([intl],[gettext],[])
+AC_CHECK_LIB([util],[openpty],[])


 dnl
@ -740,7 +738,7 @@ AM_CONDITIONAL([WITH_TESTS], [test "$with_test_suite" = "yes"])

 LIBVIRT_ARG_ENABLE([EXPENSIVE_TESTS],
                   [set the default for enabling expensive tests ]
-                     [(gnulib and long timeouts), use VIR_TEST_EXPENSIVE to ]
+                     [(long timeouts), use VIR_TEST_EXPENSIVE to ]
                     [override during make],
                   [check])
 case "$enable_expensive_tests" in
@ -776,9 +774,8 @@ if test "$enable_test_coverage" = yes; then
  WARN_CFLAGS=$save_WARN_CFLAGS
 fi

-dnl Cygwin, MinGW and MSVC checks
+dnl MinGW checks
 LIBVIRT_WIN_CHECK_COMMON
-LIBVIRT_WIN_CHECK_CYGWIN
 LIBVIRT_WIN_CHECK_MINGW
 LIBVIRT_WIN_CHECK_SYMBOLS
 LIBVIRT_WIN_CHECK_WINDRES
@ -920,8 +917,6 @@ AC_CONFIG_FILES([run],
                [chmod +x,-w run])
 AC_CONFIG_FILES([\
        Makefile src/Makefile include/libvirt/Makefile docs/Makefile \
-        gnulib/lib/Makefile \
-        gnulib/tests/Makefile \
        .color_coded \
        .ycm_extra_conf.py \
        libvirt.pc \
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@ -248,6 +248,11 @@ if WITH_SANLOCK
 else ! WITH_SANLOCK
  manpages_rst += manpages/virt-sanlock-cleanup.rst
 endif ! WITH_SANLOCK
+if WITH_QEMU
+  manpages1_rst += manpages/virt-qemu-run.rst
+else ! WITH_QEMU
+  manpages_rst += manpages/virt-qemu-run.rst
+endif ! WITH_QEMU
 manpages_rst_html_in = \
  $(manpages_rst:%.rst=%.html.in)
 manpages_html = \
@ -262,21 +267,21 @@ man8_MANS = $(manpages8_rst:%.rst=%.8)
 	   grep -v '^\.\. contents::' < $< | \
 	   sed -e 's|SYSCONFDIR|$(sysconfdir)|g' \
 	       -e 's|RUNSTATEDIR|$(runstatedir)|g' | \
-	   $(RST2MAN) > $@ || { rm $@ && exit 1; }
+	   $(RST2MAN) --strict > $@ || { rm $@ && exit 1; }

 %.7: %.rst
 	$(AM_V_GEN)$(MKDIR_P) `dirname $@` && \
 	   grep -v '^\.\. contents::' < $< | \
 	   sed -e 's|SYSCONFDIR|$(sysconfdir)|g' \
 	       -e 's|RUNSTATEDIR|$(runstatedir)|g' | \
-	   $(RST2MAN) > $@ || { rm $@ && exit 1; }
+	   $(RST2MAN) --strict > $@ || { rm $@ && exit 1; }

 %.8: %.rst
 	$(AM_V_GEN)$(MKDIR_P) `dirname $@` && \
 	   grep -v '^\.\. contents::' < $< | \
 	   sed -e 's|SYSCONFDIR|$(sysconfdir)|g' \
 	       -e 's|RUNSTATEDIR|$(runstatedir)|g' | \
-	   $(RST2MAN) > $@ || { rm $@ && exit 1; }
+	   $(RST2MAN) --strict > $@ || { rm $@ && exit 1; }

 manpages/virkeycode-%.rst: $(top_srcdir)/src/keycodemapdb/data/keymaps.csv \
 		$(top_srcdir)/src/keycodemapdb/tools/keymap-gen Makefile.am
@ -415,11 +420,11 @@ manpages/%.html.in: manpages/%.rst
 	 grep -v '^:Manual ' < $< | \
 	  sed -e 's|SYSCONFDIR|$(sysconfdir)|g' \
 	     -e 's|RUNSTATEDIR|$(runstatedir)|g' | \
-	  $(RST2HTML) > $@ || { rm $@ && exit 1; }
+	  $(RST2HTML) --strict > $@ || { rm $@ && exit 1; }

 %.html.in: %.rst
 	$(AM_V_GEN)$(MKDIR_P) `dirname $@` && \
-	  $(RST2HTML) $< > $@ || { rm $@ && exit 1; }
+	  $(RST2HTML) --strict $< > $@ || { rm $@ && exit 1; }

 %.html.tmp: %.html.in site.xsl subsite.xsl page.xsl \
 		$(acl_generated)
--- a/docs/apps.html.in
+++ b/docs/apps.html.in
@ -224,7 +224,7 @@
      <dd>
        Eucalyptus is an on-premise Infrastructure as a Service cloud
        software platform that is open source and
-        AWS-compatible. Eucalyptus uses libivrt virtualization API to
+        AWS-compatible. Eucalyptus uses libvirt virtualization API to
        directly interact with Xen and KVM hypervisors.
      </dd>

--- a/docs/auditlog.html.in
+++ b/docs/auditlog.html.in
@ -42,7 +42,7 @@
      In addition to have formal messages sent to the audit subsystem it is
      possible to tell libvirt to inject messages into its own logging
      layer. This will result in messages ending up in the systemd journal
-      or <code>/var/log/libvirt/libivrtd.log</code> on non-systemd hosts.
+      or <code>/var/log/libvirt/libvirtd.log</code> on non-systemd hosts.
      This is disabled by default, but can be requested by setting the
      <code>audit_logging=1</code> configuration parameter in the same file
      mentioned above.
--- a/docs/compiling.html.in
+++ b/docs/compiling.html.in
@ -70,31 +70,6 @@ $ <b>sudo</b> <i>make install</i></pre>
      will turn on -Werror for builds. This can be disabled with
      --disable-werror, but this is not recommended.
    </p>
-    <p>
-      Libvirt takes advantage of
-      the <a href="http://www.gnu.org/software/gnulib/">gnulib</a>
-      project to provide portability to a number of platforms.  This
-      is normally done dynamically via a git submodule in
-      the <code>.gnulib</code> subdirectory, which is auto-updated as
-      needed when you do incremental builds.  Setting the environment
-      variable <code>GNULIB_SRCDIR</code> to a local directory
-      containing a git checkout of gnulib will let you reduce local
-      disk space requirements and network download time, regardless of
-      which actual commit you have in that reference directory.
-    </p>
-    <p>
-      However, if you are developing on a platform where git is not
-      available, or are behind a firewall that does not allow for git
-      to easily obtain the gnulib submodule, it is possible to instead
-      use a static mode of operation where you are then responsible
-      for updating the git submodule yourself.  In this mode, you must
-      track the exact gnulib commit needed by libvirt (usually not the
-      latest gnulib.git) via alternative means, such as a shared NFS
-      drive or manual download, and run this any time libvirt.git
-      updates the commit stored in the .gnulib submodule:</p>
-    <pre>
-$ GNULIB_SRCDIR=/path/to/gnulib ./autogen.sh --no-git
-    </pre>

    <p>To build &amp; install libvirt to your home
      directory the following commands can be run:
--- a/docs/daemons.rst
+++ b/docs/daemons.rst
@ -0,0 +1,692 @@
+===============
+Libvirt Daemons
+===============
+
+.. contents::
+
+A libvirt deployment for accessing one of the stateful drivers will require
+one or more daemons to be deployed on the virtualization host. There are a
+number of ways the daemons can be configured which will be outlined in this
+page.
+
+Architectural options
+=====================
+
+Monolithic vs modular daemons
+-----------------------------
+
+Traditionally libvirt provided a single monolithic daemon called ``libvirtd``
+which exposed support for all the stateful drivers, both primary hypervisor
+drivers and secondary supporting drivers. It also enables secure remote access
+from clients running off host.
+
+Work is underway for the monolithic daemon to be replaced by a new set of
+modular daemons ``virt${DRIVER}d``, each one servicing a single stateful
+driver. A further ``virtproxyd`` daemon will provide secure remote access, as
+well as backcompatibility for clients using the UNIX socket path of the
+monolithic daemon.
+
+The change to modular daemons should not affect API functionality used by
+management applications. It will, however, have an impact on host provisioning
+tools since there are new systemd services and configuration files to be
+managed.
+
+Currently both monolithic and modular daemons are built by default, but the RPC
+client still prefers connecting to the monolithic daemon. It is intended to
+switch the RPC client to prefer the modular daemons in the near future. At
+least 1 year after this switch (but not more than 2 years), the monolithic
+daemon will be deleted entirely.
+
+Operating modes
+---------------
+
+The libvirt daemons, whether monolithic or modular, can often operate in two
+modes
+
+* *System mode* - the daemon is running as the root user account, enabling
+  access to its full range of functionality. A read-write connection to
+  daemons in system mode **typically implies privileges equivalent to having
+  a root shell**. Suitable `authentication mechanisms <auth.html>`__ **must
+  be enabled** to secure it against untrustworthy clients/users.
+
+* *Session mode* - the daemon is running as any non-root user account,
+  providing access to a more restricted range of functionality. Only client
+  apps/users running under **the same UID are permitted to connect**, thus a
+  connection does not imply any elevation of privileges.
+
+  Not all drivers support session mode and as such the corresponding
+  modular daemon may not support running in this mode
+
+
+Monolithic driver daemon
+========================
+
+The monolithic daemon is known as ``libvirtd`` and has historically been the
+default in libvirt. It is configured via the file ``/etc/libvirt/libvirtd.conf``
+
+
+Monolithic sockets
+------------------
+
+When running in system mode, ``libvirtd`` exposes three UNIX domain sockets, and
+optionally, one or two TCP sockets:
+
+* ``/var/run/libvirt/libvirt-sock`` - the primary socket for accessing libvirt
+  APIs, with full read-write privileges. A connection to this socket gives the
+  client privileges that are equivalent to having a root shell. This is the
+  socket that most management applications connect to by default.
+
+* ``/var/run/libvirt/libvirt-sock-ro`` - the secondary socket for accessing
+  libvirt APIs, with limited read-only privileges. A connection to this socket
+  gives the ability to query the existence of objects and monitor some aspects
+  of their operation. This is the socket that most management applications
+  connect to when requesting read only mode. Typically this is what a
+  monitoring app would use.
+
+* ``/var/run/libvirt/libvirt-admin-sock`` - the administrative socket for
+  controlling operation of the daemon itself (as opposed to drivers it is
+  running). This can be used to dynamically reconfigure some aspects of the
+  daemon and monitor/control connected clients.
+
+* ``TCP 16509`` - the non-TLS socket for remotely accessing the libvirt APIs,
+  with full read-write privileges. A connection to this socket gives the
+  client privileges that are equivalent to having a root shell. Since it does
+  not use TLS, an `authentication mechanism <auth.html>`__ that provides
+  encryption must be used. Only the GSSAPI/Kerberos mechanism is capable of
+  satisfying this requirement. In general applications should not use this
+  socket except for debugging in a development/test environment.
+
+* ``TCP 16514`` - the TLS socket for remotely accessing the libvirt APIs,
+  with full read-write privileges. A connection to this socket gives the
+  client privileges that are equivalent to having a root shell. Access control
+  can be enforced either through validation of `x509 certificates
+  <tlscerts.html>`__, and/or by enabling an `authentication mechanism
+  <auth.html>`__.
+
+NB, some distros will use ``/run`` instead of ``/var/run``.
+
+When running in session mode, ``libvirtd`` exposes two UNIX domain sockets:
+
+* ``$XDG_RUNTIME_DIR/libvirt/libvirt-sock`` - the primary socket for accessing
+  libvirt APIs, with full read-write privileges. A connection to this socket
+  does not alter the privileges that the client already has. This is the
+  socket that most management applications connect to by default.
+
+* ``$XDG_RUNTIME_DIR/libvirt/libvirt-admin-sock`` - the administrative socket
+  for controlling operation of the daemon itself (as opposed to drivers it is
+  running). This can be used to dynamically reconfigure some aspects of the
+  daemon and monitor/control connected clients.
+
+Notice that the session mode does not have a separate read-only socket. Since
+the clients must be running as the same user as the daemon itself, there is
+not any security benefit from attempting to enforce a read-only mode.
+
+``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
+such as ``/run/user/$UID``.
+
+
+Monolithic Systemd Integration
+------------------------------
+
+When the ``libvirtd`` daemon is managed by ``systemd`` a number of desirable
+features are available, most notably socket activation.
+
+Libvirt ships a number of unit files for controlling ``libvirtd``:
+
+* ``libvirtd.service`` - the main unit file for launching the ``libvirtd``
+  daemon in system mode. The command line arguments passed can be configured by
+  editing ``/etc/sysconfig/libvirtd``. This is typically only needed to control
+  the use of the auto shutdown timeout value. It is recommended that this
+  service unit be configured to start on boot. This is because various
+  libvirt drivers support autostart of their objects. If it is known that
+  autostart is not required, this unit can be left to start on demand.
+
+* ``libvirtd.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/libvirt-sock``. This socket is recommended to
+  be started on boot by default.
+
+* ``libvirtd-ro.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/libvirt-sock-ro``. This socket is recommended
+  to be started on boot by default.
+
+* ``libvirtd-admin.socket`` - the unit file corresponding to the administrative
+  UNIX socket ``/var/run/libvirt/libvirt-admin-sock``. This socket is
+  recommended to be started on boot by default.
+
+* ``libvirtd-tcp.socket`` - the unit file corresponding to the TCP 16509 port
+  for non-TLS remote access. This socket should not be configured to start on
+  boot until the administrator has configured a suitable authentication
+  mechanism.
+
+* ``libvirtd-tls.socket`` - the unit file corresponding to the TCP 16509 port
+  for TLS remote access. This socket should not be configured to start on boot
+  until the administrator has deployed x509 certificates and optionally
+  configured a suitable authentication mechanism.
+
+NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
+
+The socket unit files are newly introduced in 5.6.0. On newly installed hosts
+the UNIX socket units should be enabled by default. When upgrading an existing
+host from a previous version of libvirt, the socket unit files will be masked
+if ``libvirtd`` is currently configured to use the ``--listen`` argument, since
+the ``--listen`` argument is mutually exclusive with use of socket activation.
+
+When systemd socket activation is used a number of configuration settings in
+``libvirtd.conf`` are no longer honoured. Instead these settings must be
+controlled via the system unit files
+
+* ``listen_tcp`` - TCP socket usage is enabled by starting the
+  ``libvirtd-tcp.socket`` unit file.
+
+* ``listen_tls`` - TLS socket usage is enabled by starting the
+  ``libvirtd-tls.socket`` unit file.
+
+* ``tcp_port`` - Port for the non-TLS TCP socket, controlled via the
+  ``ListenStream`` parameter in the ``libvirtd-tcp.socket`` unit file.
+
+* ``tls_port`` - Port for the TLS TCP socket, controlled via the
+  ``ListenStream`` parameter in the ``libvirtd-tls.socket`` unit file.
+
+* ``listen_addr`` - IP address to listen on, independently controlled via the
+  ``ListenStream`` parameter in the ``libvirtd-tcp.socket``  or
+  ``libvirtd-tls.socket`` unit files.
+
+* ``unix_sock_group`` - UNIX socket group owner, controlled via the
+  ``SocketGroup`` parameter in the ``libvirtd.socket`` and
+  ``libvirtd-ro.socket`` unit files
+
+* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``libvirtd-ro.socket`` unit file
+
+* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
+  the ``SocketMode`` parameter in the ``libvirtd.socket`` unit file
+
+* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``libvirtd-admin.socket`` unit file
+
+* ``unix_sock_dir`` - directory in which all UNIX sockets are created
+  independently controlled via the ``ListenStream`` parameter in any of the
+  ``libvirtd.socket``, ``libvirtd-ro.socket`` and ``libvirtd-admin.socket`` unit
+  files.
+
+Systemd releases prior to version 227 lacked support for passing the activation
+socket unit names into the service. When using these old versions, the
+``tcp_port``, ``tls_port`` and ``unix_sock_dir`` settings in ``libvirtd.conf``
+must be changed in lock-step with the equivalent settings in the unit files to
+ensure that ``libvirtd`` can identify the sockets.
+
+
+Modular driver daemons
+======================
+
+The modular daemons are named after the driver which they are running, with
+the pattern ``virt${DRIVER}d`` and will become the default in future libvirt.
+They are configured via the files ``/etc/libvirt/virt${DRIVER}d.conf``
+
+The following modular daemons currently exist for hypervisor drivers
+
+* ``virtqemud`` - the QEMU management daemon, for running virtual machines
+  on UNIX platforms, optionally with KVM acceleration, in either system or
+  session mode
+* ``virtxend`` - the Xen management daemon, for running virtual machines
+  on the Xen hypervisor, in system mode only
+* ``virtlxcd`` - the Linux Container management daemon, for running LXC guests
+  in system mode only
+* ``virtbhyved`` - the BHyve management daemon, for running virtual machines
+  on FreeBSD with the BHyve hypervisor, in system mode.
+* ``virtvboxd`` - the VirtualBox management daemon, for running virtual machines
+  on UNIX platforms.
+
+The additional modular daemons service secondary drivers
+
+* ``virtinterfaced`` - the host NIC management daemon, in system mode only
+* ``virtnetworkd`` - the virtual network management daemon, in system mode only
+* ``virtnodedevd`` - the host physical device management daemon, in system mode
+  only
+* ``virtnwfilterd`` - the host firewall management daemon, in system mode only
+* ``virtsecretd`` - the host secret management daemon, in system or session mode
+* ``virtstoraged`` - the host storage management daemon, in system or session
+  mode
+
+
+Modular Sockets
+---------------
+
+When running in system mode, ``virt${DRIVER}d`` exposes three UNIX domain
+sockets:
+
+* ``/var/run/libvirt/virt${DRIVER}d-sock`` - the primary socket for accessing
+  libvirt APIs, with full read-write privileges. For many of the daemons, a
+  connection to this socket gives the client privileges that are equivalent to
+  having a root shell. This is the socket that most management applications
+  connect to by default.
+
+* ``/var/run/libvirt/virt${DRIVER}d-sock-ro`` - the secondary socket for
+  accessing libvirt APIs, with limited read-only privileges. A connection to
+  this socket gives the ability to query the existence of objects and monitor
+  some aspects of their operation. This is the socket that most management
+  applications connect to when requesting read only mode. Typically this is
+  what a monitoring app would use.
+
+* ``/var/run/libvirt/virt${DRIVER}d-admin-sock`` - the administrative socket for
+  controlling operation of the daemon itself (as opposed to drivers it is
+  running). This can be used to dynamically reconfigure some aspects of the
+  daemon and monitor/control connected clients.
+
+NB, some distros will use ``/run`` instead of ``/var/run``.
+
+When running in session mode, ``virt${DRIVER}d`` exposes two UNIX domain sockets:
+
+* ``$XDG_RUNTIME_DIR/libvirt/virt${DRIVER}d-sock`` - the primary socket for
+  accessing libvirt APIs, with full read-write privileges. A connection to this
+  socket does not alter the privileges that the client already has. This is the
+  socket that most management applications connect to by default.
+
+* ``$XDG_RUNTIME_DIR/libvirt/virt${DRIVER}d-admin-sock`` - the administrative
+  socket for controlling operation of the daemon itself (as opposed to drivers
+  it is running). This can be used to dynamically reconfigure some aspects of
+  the daemon and monitor/control connected clients.
+
+Notice that the session mode does not have a separate read-only socket. Since
+the clients must be running as the same user as the daemon itself, there is
+not any security benefit from attempting to enforce a read-only mode.
+
+``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
+such as ``/run/user/$UID``.
+
+Modular Systemd Integration
+---------------------------
+
+When the ``virt${DRIVER}d`` daemon is managed by ``systemd`` a number of
+desirable features are available, most notably socket activation.
+
+Libvirt ships a number of unit files for controlling ``virt${DRIVER}d``:
+
+* ``virt${DRIVER}d.service`` - the main unit file for launching the
+  ``virt${DRIVER}d`` daemon in system mode. The command line arguments passed
+  can be configured by editing ``/etc/sysconfig/virt${DRIVER}d``. This is
+  typically only needed to control the use of the auto shutdown timeout value.
+  It is recommended that this service unit be configured to start on boot.
+  This is because various libvirt drivers support autostart of their objects.
+  If it is known that autostart is not required, this unit can be left to start
+  on demand.
+
+* ``virt${DRIVER}d.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/virt${DRIVER}d-sock``. This socket is
+  recommended to be started on boot by default.
+
+* ``virt${DRIVER}d-ro.socket`` - the unit file corresponding to the main
+  read-write UNIX socket ``/var/run/libvirt/virt${DRIVER}d-sock-ro``. This
+  socket is recommended to be started on boot by default.
+
+* ``virt${DRIVER}d-admin.socket`` - the unit file corresponding to the
+  administrative UNIX socket ``/var/run/libvirt/virt${DRIVER}d-admin-sock``.
+  This socket is recommended to be started on boot by default.
+
+NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
+
+The socket unit files are newly introduced in 5.6.0. On newly installed hosts
+the UNIX socket units should be enabled by default. When upgrading an existing
+host from a previous version of libvirt, the socket unit files will be masked
+if ``virt${DRIVER}d`` is currently configured to use the ``--listen`` argument,
+since the ``--listen`` argument is mutually exclusive with use of socket
+activation.
+
+When systemd socket activation is used a number of configuration settings in
+``virt${DRIVER}d.conf`` are no longer honoured. Instead these settings must be
+controlled via the system unit files:
+
+* ``unix_sock_group`` - UNIX socket group owner, controlled via the
+  ``SocketGroup`` parameter in the ``virt${DRIVER}d.socket`` and
+  ``virt${DRIVER}d-ro.socket`` unit files
+
+* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virt${DRIVER}d-ro.socket`` unit file
+
+* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
+  the ``SocketMode`` parameter in the ``virt${DRIVER}d.socket`` unit file
+
+* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virt${DRIVER}d-admin.socket`` unit file
+
+* ``unix_sock_dir`` - directory in which all UNIX sockets are created
+  independently controlled via the ``ListenStream`` parameter in any of the
+  ``virt${DRIVER}d.socket``, ``virt${DRIVER}d-ro.socket`` and
+  ``virt${DRIVER}d-admin.socket`` unit files.
+
+Systemd releases prior to version 227 lacked support for passing the activation
+socket unit names into the service. When using these old versions, the
+``unix_sock_dir`` setting in ``virt${DRIVER}d.conf`` must be changed in
+lock-step with the equivalent setting in the unit files to ensure that
+``virt${DRIVER}d`` can identify the sockets.
+
+
+Switching to modular daemons
+----------------------------
+
+If a host is currently set to use the monolithic ``libvirtd`` daemon and needs
+to be migrated to the monolithic daemons a number of services need to be
+changed. The steps below outline the process on hosts using the systemd init
+service.
+
+While it is technically possible to do this while virtual machines are running,
+it is recommended that virtual machines be stopped or live migrated to a new
+host first.
+
+#. Stop the current monolithic daemon and its socket units
+
+   ::
+
+      $ systemctl stop libvirtd.service
+      $ systemctl stop libvirtd{,-ro,-admin,-tcp,-tls}.socket
+
+#. Disable future start of the monolithic daemon
+
+   ::
+
+      $ systemctl disable libvirtd.service
+      $ systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
+
+   For stronger protection it is valid to use ``mask`` instead of ``disable``
+   too.
+
+#. Enable the new daemons for the particular virtualizationd driver desired,
+   and any of the secondary drivers to accompany it. The following example
+   enables the QEMU driver and all the secondary drivers:
+
+   ::
+
+      $ for drv in qemu interface network nodedev nwfilter secret storage
+        do
+          systemctl unmask virt${drv}d.service
+          systemctl unmask virt${drv}d{,-ro,-admin}.socket
+          systemctl enable virt${drv}d.service
+          systemctl enable virt${drv}d{,-ro,-admin}.socket
+	done
+
+#. Start the sockets for the same set of daemons. There is no need to start the
+   services as they will get started when the first socket connection is
+   established
+
+   ::
+
+      $ for drv in qemu network nodedev nwfilter secret storage
+        do
+          systemctl start virt${drv}d{,-ro,-admin}.socket
+	done
+
+#. If connections from remote hosts need to be supported the proxy daemon
+   must be enabled and started
+
+   ::
+
+      $ systemctl unmask virtproxyd.service
+      $ systemctl unmask virtproxyd{,-ro,-admin}.socket
+      $ systemctl enable virtproxyd.service
+      $ systemctl enable virtproxyd{,-ro,-admin}.socket
+      $ systemctl start virtproxyd{,-ro,-admin}.socket
+
+   The UNIX sockets allow for remote access using SSH tunneling. If ``libvirtd``
+   had TCP or TLS sockets configured, those should be started too
+
+   ::
+
+      $ systemctl unmask virtproxyd-tls.socket
+      $ systemctl enable virtproxyd-tls.socket
+      $ systemctl start virtproxyd-tls.socket
+
+
+Proxy daemon
+============
+
+The monolithic daemon is known as ``libvirtd`` and has historically been the
+default in libvirt. It is configured via the file ``/etc/libvirt/libvirtd.conf``
+
+
+Proxy sockets
+-------------
+
+When running in system mode, ``virtproxyd`` exposes three UNIX domain sockets,
+and optionally, one or two TCP sockets. These sockets are identical to those
+provided by the traditional ``libvirtd`` so refer to earlier documentation in
+this page.
+
+When running in session mode, ``virtproxyd`` exposes two UNIX domain sockets,
+which are again identical to those provided by ``libvirtd``.
+
+Proxy Systemd Integration
+-------------------------
+
+When the ``virtproxyd`` daemon is managed by ``systemd`` a number of desirable
+features are available, most notably socket activation.
+
+Libvirt ships a number of unit files for controlling ``virtproxyd``:
+
+* ``virtproxyd.service`` - the main unit file for launching the ``virtproxyd``
+  daemon in system mode. The command line arguments passed can be configured by
+  editing ``/etc/sysconfig/virtproxyd``. This is typically only needed to
+  control the use of the auto shutdown timeout value.
+
+* ``virtproxyd.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/libvirt-sock``. This socket is recommended to
+  be started on boot by default.
+
+* ``virtproxyd-ro.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/libvirt-sock-ro``. This socket is recommended
+  to be started on boot by default.
+
+* ``virtproxyd-admin.socket`` - the unit file corresponding to the
+  administrative UNIX socket ``/var/run/libvirt/libvirt-admin-sock``. This
+  socket is recommended to be started on boot by default.
+
+* ``virtproxyd-tcp.socket`` - the unit file corresponding to the TCP 16509 port
+  for non-TLS remote access. This socket should not be configured to start on
+  boot until the administrator has configured a suitable authentication
+  mechanism.
+
+* ``virtproxyd-tls.socket`` - the unit file corresponding to the TCP 16509 port
+  for TLS remote access. This socket should not be configured to start on boot
+  until the administrator has deployed x509 certificates and optionally
+  configured a suitable authentication mechanism.
+
+NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
+
+The socket unit files are newly introduced in 5.6.0. On newly installed hosts
+the UNIX socket units should be enabled by default. When upgrading an existing
+host from a previous version of libvirt, the socket unit files will be masked
+if ``virtproxyd`` is currently configured to use the ``--listen`` argument, since
+the ``--listen`` argument is mutually exclusive with use of socket activation.
+
+When systemd socket activation is used a number of configuration settings in
+``virtproxyd.conf`` are no longer honoured. Instead these settings must be
+controlled via the system unit files. Refer to the earlier documentation on
+the ``libvirtd`` service socket configuration for further information.
+
+
+Logging daemon
+==============
+
+The ``virtlogd`` daemon provides a service for managing log files associated
+with QEMU virtual machines. The QEMU process is given one or more pipes, the
+other end of which are owned by the ``virtlogd`` daemon. It will then write
+data on those pipes to log files, while enforcing a maximum file size and
+performing log rollover at the size limit.
+
+Since the daemon holds open anoymous pipe file descriptors, it must never be
+stopped while any QEMU virtual machines are running. To enable software updates
+to be applied, the daemon is capable of re-executing itself while keeping all
+file descriptors open. This can be triggered by sending the daemon ``SIGUSR1``
+
+Logging Sockets
+---------------
+
+When running in system mode, ``virtlogd`` exposes two UNIX domain sockets:
+
+* ``/var/run/libvirt/virtlogd-sock`` - the primary socket for accessing
+  libvirt APIs, with full read-write privileges. Access to the socket is
+  restricted to the root user.
+
+* ``/var/run/libvirt/virtlogd-admin-sock`` - the administrative socket for
+  controlling operation of the daemon itself (as opposed to drivers it is
+  running). This can be used to dynamically reconfigure some aspects of the
+  daemon and monitor/control connected clients.
+
+NB, some distros will use ``/run`` instead of ``/var/run``.
+
+When running in session mode, ``virtlogd`` exposes two UNIX domain sockets:
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtlogd-sock`` - the primary socket for
+  accessing libvirt APIs, with full read-write privileges. Access to the
+  socket is restricted to the unprivileged user running the daemon.
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtlogd-admin-sock`` - the administrative
+  socket for controlling operation of the daemon itself (as opposed to drivers
+  it is running). This can be used to dynamically reconfigure some aspects of
+  the daemon and monitor/control connected clients.
+
+``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
+such as ``/run/user/$UID``.
+
+Logging Systemd Integration
+---------------------------
+
+When the ``virtlogd`` daemon is managed by ``systemd`` a number of desirable
+features are available, most notably socket activation.
+
+Libvirt ships a number of unit files for controlling ``virtlogd``:
+
+* ``virtlogd.service`` - the main unit file for launching the
+  ``virtlogd`` daemon in system mode. The command line arguments passed
+  can be configured by editing ``/etc/sysconfig/virtlogd``. This is
+  typically only needed to control the use of the auto shutdown timeout value.
+
+* ``virtlogd.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/virtlogd-sock``. This socket is recommended
+  to be started on boot by default.
+
+* ``virtlogd-admin.socket`` - the unit file corresponding to the administrative
+  UNIX socket ``/var/run/libvirt/virtlogd-admin-sock``. This socket is
+  recommended to be started on boot by default.
+
+NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
+
+When systemd socket activation is used a number of configuration settings in
+``virtlogd.conf`` are no longer honoured. Instead these settings must be
+controlled via the system unit files:
+
+* ``unix_sock_group`` - UNIX socket group owner, controlled via the
+  ``SocketGroup`` parameter in the ``virtlogd.socket`` and
+  ``virtlogd-ro.socket`` unit files
+
+* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virtlogd-ro.socket`` unit file
+
+* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
+  the ``SocketMode`` parameter in the ``virtlogd.socket`` unit file
+
+* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virtlogd-admin.socket`` unit file
+
+* ``unix_sock_dir`` - directory in which all UNIX sockets are created
+  independently controlled via the ``ListenStream`` parameter in any of the
+  ``virtlogd.socket`` and ``virtlogd-admin.socket`` unit files.
+
+Systemd releases prior to version 227 lacked support for passing the activation
+socket unit names into the service. When using these old versions, the
+``unix_sock_dir`` setting in ``virtlogd.conf`` must be changed in
+lock-step with the equivalent setting in the unit files to ensure that
+``virtlogd`` can identify the sockets.
+
+Locking daemon
+==============
+
+The ``virtlockd`` daemon provides a service for holding locks against file
+images and devices serving as backing storage for virtual disks. The locks
+will be held for as long as there is a QEMU process running with the disk
+open.
+
+To ensure continuity of locking, the daemon holds open anoymous file
+descriptors, it must never be stopped while any QEMU virtual machines are
+running. To enable software updates to be applied, the daemon is capable of
+re-executing itself while keeping all file descriptors open. This can be
+triggered by sending the daemon ``SIGUSR1``
+
+Locking Sockets
+---------------
+
+When running in system mode, ``virtlockd`` exposes two UNIX domain sockets:
+
+* ``/var/run/libvirt/virtlockd-sock`` - the primary socket for accessing
+  libvirt APIs, with full read-write privileges. Access to the socket is
+  restricted to the root user.
+
+* ``/var/run/libvirt/virtlockd-admin-sock`` - the administrative socket for
+  controlling operation of the daemon itself (as opposed to drivers it is
+  running). This can be used to dynamically reconfigure some aspects of the
+  daemon and monitor/control connected clients.
+
+NB, some distros will use ``/run`` instead of ``/var/run``.
+
+When running in session mode, ``virtlockd`` exposes two UNIX domain sockets:
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtlockd-sock`` - the primary socket for
+  accessing libvirt APIs, with full read-write privileges. Access to the
+  socket is restricted to the unprivileged user running the daemon.
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtlockd-admin-sock`` - the administrative
+  socket for controlling operation of the daemon itself (as opposed to drivers
+  it is running). This can be used to dynamically reconfigure some aspects of
+  the daemon and monitor/control connected clients.
+
+``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
+such as ``/run/user/$UID``.
+
+Locking Systemd Integration
+---------------------------
+
+When the ``virtlockd`` daemon is managed by ``systemd`` a number of desirable
+features are available, most notably socket activation.
+
+Libvirt ships a number of unit files for controlling ``virtlockd``:
+
+* ``virtlockd.service`` - the main unit file for launching the
+  ``virtlockd`` daemon in system mode. The command line arguments passed
+  can be configured by editing ``/etc/sysconfig/virtlockd``. This is
+  typically only needed to control the use of the auto shutdown timeout value.
+
+* ``virtlockd.socket`` - the unit file corresponding to the main read-write
+  UNIX socket ``/var/run/libvirt/virtlockd-sock``. This socket is recommended
+  to be started on boot by default.
+
+* ``virtlockd-admin.socket`` - the unit file corresponding to the administrative
+  UNIX socket ``/var/run/libvirt/virtlockd-admin-sock``. This socket is
+  recommended to be started on boot by default.
+
+NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
+
+When systemd socket activation is used a number of configuration settings in
+``virtlockd.conf`` are no longer honoured. Instead these settings must be
+controlled via the system unit files:
+
+* ``unix_sock_group`` - UNIX socket group owner, controlled via the
+  ``SocketGroup`` parameter in the ``virtlockd.socket`` and
+  ``virtlockd-ro.socket`` unit files
+
+* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virtlockd-ro.socket`` unit file
+
+* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
+  the ``SocketMode`` parameter in the ``virtlockd.socket`` unit file
+
+* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
+  ``SocketMode`` parameter in the ``virtlockd-admin.socket`` unit file
+
+* ``unix_sock_dir`` - directory in which all UNIX sockets are created
+  independently controlled via the ``ListenStream`` parameter in any of the
+  ``virtlockd.socket`` and ``virtlockd-admin.socket`` unit files.
+
+Systemd releases prior to version 227 lacked support for passing the activation
+socket unit names into the service. When using these old versions, the
+``unix_sock_dir`` setting in ``virtlockd.conf`` must be changed in
+lock-step with the equivalent setting in the unit files to ensure that
+``virtlockd`` can identify the sockets.
--- a/docs/docs.html.in
+++ b/docs/docs.html.in
@ -18,6 +18,9 @@
        <dt><a href="migration.html">Migration</a></dt>
        <dd>Migrating guests between machines</dd>

+        <dt><a href="daemons.html">Daemons</a></dt>
+        <dd>Overview of the daemons provided by libvirt</dd>
+
        <dt><a href="remote.html">Remote access</a></dt>
        <dd>Enable remote access over TCP</dd>

--- a/docs/downloads.html.in
+++ b/docs/downloads.html.in
@ -61,7 +61,7 @@
        <tr>
          <td>Go</td>
          <td>
-            <a href="https://libvirt.org/sources/go/">libvirt</a>
+            <a href="https://libvirt.org/libvirt-go">libvirt</a>
          </td>
          <td>
            <a href="https://libvirt.org/git/?p=libvirt-go.git;a=summary">libvirt</a>
@ -71,7 +71,7 @@
            <a href="https://github.com/libvirt/libvirt-go">github</a>
          </td>
          <td>
-            <a href="https://godoc.org/github.com/libvirt/libvirt-go">api ref</a>
+            <a href="https://godoc.org/libvirt.org/libvirt-go">api ref</a>
          </td>
        </tr>
        <tr>
@ -165,7 +165,7 @@
        <tr>
          <td>Rust</td>
          <td>
-            <a href="https://libvirt.org/sources/rust/">libvirt</a>
+            <a href="https://crates.io/crates/virt">crates.io</a>
          </td>
          <td>
            <a href="https://libvirt.org/git/?p=libvirt-rust.git;a=summary">libvirt</a>
@ -174,7 +174,9 @@
            <a href="https://gitlab.com/libvirt/libvirt-rust">gitlab</a>
            <a href="https://github.com/libvirt/libvirt-rust">github</a>
          </td>
-          <td></td>
+          <td>
+            <a href="https://docs.rs/virt">api ref</a>
+          </td>
        </tr>
        <tr>
          <th colspan="7">Integration modules</th>
@ -196,7 +198,7 @@
        <tr>
          <td>Go XML</td>
          <td>
-            <a href="https://libvirt.org/sources/go/">libvirt</a>
+            <a href="https://libvirt.org/libvirt-go-xml">libvirt</a>
          </td>
          <td>
            <a href="https://libvirt.org/git/?p=libvirt-go-xml.git;a=summary">libvirt</a>
@ -206,7 +208,7 @@
            <a href="https://github.com/libvirt/libvirt-go-xml">github</a>
          </td>
          <td>
-            <a href="https://godoc.org/github.com/libvirt/libvirt-go-xml">api ref</a>
+            <a href="https://godoc.org/libvirt.org/libvirt-go-xml">api ref</a>
          </td>
        </tr>
        <tr>
--- a/docs/drivers.html.in
+++ b/docs/drivers.html.in
@ -8,6 +8,7 @@
      <li><a href="#hypervisor">Hypervisor drivers</a></li>
      <li><a href="storage.html">Storage drivers</a></li>
      <li><a href="drvnodedev.html">Node device driver</a></li>
+      <li><a href="drvsecret.html">Secret driver</a></li>
    </ul>

    <p>
--- a/docs/drvqemu.html.in
+++ b/docs/drvqemu.html.in
@ -63,6 +63,105 @@ qemu+tcp://example.com/system        (remote access, SASl/Kerberos)
 qemu+ssh://root@example.com/system   (remote access, SSH tunnelled)
 </pre>

+    <h3><a id="uriembedded">Embedded driver</a></h3>
+
+    <p>
+      Since 6.1.0 the QEMU driver has experimental support for operating
+      in an embedded mode. In this scenario, rather than connecting to
+      the libvirtd daemon, the QEMU driver runs in the client application
+      process directly. To use this the client application must have
+      registered &amp; be running an instance of the event loop. To open
+      the driver in embedded mode the app use the new URI path and specify
+      a virtual root directory under which the driver will create content.
+    </p>
+
+    <pre>
+      qemu:///embed?root=/some/dir
+    </pre>
+
+    <p>
+      Broadly speaking the range of functionality is intended to be
+      on a par with that seen when using the traditional system or
+      session libvirt connections to QEMU. The features will of course
+      differ depending on whether the application using the embedded
+      driver is running privileged or unprivileged. For example PCI
+      device assignment or TAP based networking are only available
+      when running privileged. While the embedded mode is still classed
+      as experimental some features may change their default settings
+      between releases.
+    </p>
+
+    <p>
+      By default if the application uses any APIs associated with
+      secondary drivers, these will result in a connection being
+      opened to the corresponding driver in libvirtd. For example,
+      this allows a virtual machine from the embedded QEMU to connect
+      its NIC to a virtual network or connect its disk to a storage
+      volume. Some of the secondary drivers will also be able to support
+      running in embedded mode. Currently this is supported by the
+      secrets driver, to allow for use of VMs with encrypted disks
+    </p>
+
+    <h4><a id="embedTree">Directory tree</a></h4>
+
+    <p>
+      Under the specified root directory the following locations will
+      be used
+    </p>
+
+    <pre>
+/some/dir
+  |
+  +- log
+  |   |
+  |   +- qemu
+  |   +- swtpm
+  |
+  +- etc
+  |   |
+  |   +- qemu
+  |   +- pki
+  |       |
+  |       +- qemu
+  |
+  +- run
+  |   |
+  |   +- qemu
+  |   +- swtpm
+  |
+  +- cache
+  |   |
+  |   +- qemu
+  |
+  +- lib
+      |
+      +- qemu
+      +- swtpm
+    </pre>
+
+    <p>
+      Note that UNIX domain sockets used for QEMU virtual machines had
+      a maximum filename length of 108 characters. Bear this in mind
+      when picking a root directory to avoid risk of exhausting the
+      filename space. The application is responsible for recursively
+      purging the contents of this directory tree once they no longer
+      require a connection, though it can also be left intact for reuse
+      when opening a future connection.
+    </p>
+
+    <h4><a id="embedAPI">API usage with event loop</a></h4>
+
+    <p>
+      To use the QEMU driver in embedded mode the application must
+      register an event loop with libvirt. Many of the QEMU driver
+      API calls will rely on the event loop processing data. With this
+      in mind, applications must <strong>NEVER</strong> invoke API
+      calls from the event loop thread itself, only other threads.
+      Not following this rule will lead to deadlocks in the API.
+      This restriction is intended to be lifted in a future release
+      of libvirt, once QMP processing moves to a dedicated thread.
+    </p>
+
    <h2><a id="security">Driver security architecture</a></h2>

    <p>
@ -340,7 +439,8 @@ chmod o+x /path/to/directory
    <p>
      While users can define their own AppArmor profile scheme, a typical
      configuration will include a profile for <code>/usr/sbin/libvirtd</code>,
-      <code>/usr/lib/libvirt/virt-aa-helper</code> (a helper program which the
+      <code>/usr/lib/libvirt/virt-aa-helper</code> or
+      <code>/usr/libexec/virt-aa-helper</code>(a helper program which the
      libvirtd daemon uses instead of manipulating AppArmor directly), and
      an abstraction to be included by <code>/etc/apparmor.d/libvirt/TEMPLATE</code>
      (typically <code>/etc/apparmor.d/abstractions/libvirt-qemu</code>).
--- a/docs/drvsecret.html.in
+++ b/docs/drvsecret.html.in
@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <body>
+    <h1>Secret information management</h1>
+
+    <p>
+      The secrets driver in libvirt provides a simple interface for
+      storing and retrieving secret information.
+    </p>
+
+        <h2><a id="uris">Connections to SECRET driver</a></h2>
+
+    <p>
+    The libvirt SECRET driver is a multi-instance driver, providing a single
+    system wide privileged driver (the "system" instance), and per-user
+    unprivileged drivers (the "session" instance). A connection to the secret
+    driver is automatically available when opening a connection to one of the
+    stateful primary hypervisor drivers. It is none the less also possible to
+    explicitly open just the secret driver, using the URI protocol "secret"
+    Some example connection URIs for the driver are:
+    </p>
+
+<pre>
+secret:///session                      (local access to per-user instance)
+secret+unix:///session                 (local access to per-user instance)
+
+secret:///system                       (local access to system instance)
+secret+unix:///system                  (local access to system instance)
+secret://example.com/system            (remote access, TLS/x509)
+secret+tcp://example.com/system        (remote access, SASl/Kerberos)
+secret+ssh://root@example.com/system   (remote access, SSH tunnelled)
+</pre>
+
+    <h3><a id="uriembedded">Embedded driver</a></h3>
+
+    <p>
+      Since 6.1.0 the secret driver has experimental support for operating
+      in an embedded mode. In this scenario, rather than connecting to
+      the libvirtd daemon, the secret driver runs in the client application
+      process directly. To open the driver in embedded mode the app use the
+      new URI path and specify a virtual root directory under which the
+      driver will create content.
+    </p>
+
+    <pre>
+      secret:///embed?root=/some/dir
+    </pre>
+
+    <p>
+      Under the specified root directory the following locations will
+      be used
+    </p>
+
+    <pre>
+/some/dir
+  |
+  +- etc
+  |   |
+  |   +- secrets
+  |
+  +- run
+      |
+      +- secrets
+    </pre>
+
+    <p>
+      The application is responsible for recursively purging the contents
+      of this directory tree once they no longer require a connection,
+      though it can also be left intact for reuse when opening a future
+      connection.
+    </p>
+
+    <p>
+      The range of functionality is intended to be on a par with that
+      seen when using the traditional system or session libvirt connections
+      to QEMU. Normal practice would be to open the secret driver in embedded
+      mode any time one of the other drivers is opened in embedded mode so
+      that the two drivers can interact in-process.
+    </p>
+  </body>
+</html>
--- a/docs/formatbackup.html.in
+++ b/docs/formatbackup.html.in
@ -14,7 +14,7 @@
      description of the actions to perform, as well as an optional
      second XML document <a href="formatcheckpoint.html">describing a
      checkpoint</a> to create at the same point in time. See
-      also <a href="domainstatecapture.html">a comparison</a> between
+      also <a href="kbase/domainstatecapture.html">a comparison</a> between
      the various state capture APIs.
    </p>
    <p>
@ -85,6 +85,15 @@
              <dd>Setting this attribute to <code>yes</code>(default) specifies
                that the disk should take part in the backup and using
                <code>no</code> excludes the disk from the backup.</dd>
+              <dt><code>exportname</code></dt>
+              <dd>Allows modification of the NBD export name for the given disk.
+                By default equal to disk target.
+                Valid only for pull mode backups.</dd>
+              <dt><code>exportbitmap</code></dt>
+              <dd>Allows modification of the name of the bitmap describing dirty
+                blocks for an incremental backup exported via NBD export name
+                for the given disk.
+                Valid only for pull mode backups.</dd>
              <dt><code>type</code></dt>
              <dd>A mandatory attribute to describe the type of the
                disk, except when <code>backup='no'</code> is
--- a/docs/formatcaps.html.in
+++ b/docs/formatcaps.html.in
@ -173,7 +173,7 @@
      &lt;/features&gt;
      &lt;model&gt;core2duo&lt;/model&gt;
      &lt;vendor&gt;Intel&lt;/vendor&gt;
-      &lt;topology sockets="1" cores="2" threads="1"/&gt;
+      &lt;topology sockets="1" dies="1" cores="2" threads="1"/&gt;
      &lt;feature name="lahf_lm"/&gt;
      &lt;feature name='xtpr'/&gt;
      ...
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@ -1470,7 +1470,7 @@
 &lt;cpu match='exact'&gt;
  &lt;model fallback='allow'&gt;core2duo&lt;/model&gt;
  &lt;vendor&gt;Intel&lt;/vendor&gt;
-  &lt;topology sockets='1' cores='2' threads='1'/&gt;
+  &lt;topology sockets='1' dies='1' cores='2' threads='1'/&gt;
  &lt;cache level='3' mode='emulate'/&gt;
  &lt;feature policy='disable' name='lahf_lm'/&gt;
 &lt;/cpu&gt;
@ -1479,7 +1479,7 @@
 <pre>
 &lt;cpu mode='host-model'&gt;
  &lt;model fallback='forbid'/&gt;
-  &lt;topology sockets='1' cores='2' threads='1'/&gt;
+  &lt;topology sockets='1' dies='1' cores='2' threads='1'/&gt;
 &lt;/cpu&gt;
 ...</pre>

@ -1498,7 +1498,7 @@
 <pre>
 ...
 &lt;cpu&gt;
-  &lt;topology sockets='1' cores='2' threads='1'/&gt;
+  &lt;topology sockets='1' dies='1' cores='2' threads='1'/&gt;
 &lt;/cpu&gt;
 ...</pre>

@ -1673,13 +1673,15 @@

      <dt><code>topology</code></dt>
      <dd>The <code>topology</code> element specifies requested topology of
-        virtual CPU provided to the guest. Three non-zero values have to be
-        given for <code>sockets</code>, <code>cores</code>, and
-        <code>threads</code>: total number of CPU sockets, number of cores per
-        socket, and number of threads per core, respectively. Hypervisors may
-        require that the maximum number of vCPUs specified by the
-        <code>cpus</code> element equals to the number of vcpus resulting
-        from the topology.</dd>
+        virtual CPU provided to the guest. Four attributes, <code>sockets</code>,
+        <code>dies</code>, <code>cores</code>, and <code>threads</code>,
+        accept non-zero positive integer values. They refer to the total number
+        of CPU sockets, number of dies per socket, number of cores per die, and
+        number of threads per core, respectively. The <code>dies</code>
+        attribute is optional and will default to 1 if omitted, while the other
+        attributes are all mandatory. Hypervisors may require that the maximum
+        number of vCPUs specified by the <code>cpus</code> element equals to
+        the number of vcpus resulting from the topology.</dd>

      <dt><code>feature</code></dt>
      <dd>The <code>cpu</code> element can contain zero or more
@ -2462,11 +2464,11 @@
            The <code>name</code> attribute selects which timer is
            being modified, and can be one of
            "platform" (currently unsupported),
-            "hpet" (libxl, xen, qemu), "kvmclock" (qemu),
-            "pit" (qemu), "rtc" (qemu), "tsc" (libxl, qemu -
-            <span class="since">since 3.2.0</span>)
-            or "hypervclock"
-            (qemu - <span class="since">since 1.2.2</span>).
+            "hpet" (libxl, xen, qemu, lxc), "kvmclock" (qemu),
+            "pit" (qemu), "rtc" (qemu, lxc), "tsc" (libxl, qemu -
+            <span class="since">since 3.2.0</span>), "hypervclock"
+            (qemu - <span class="since">since 1.2.2</span>) or
+            "armvtimer" (qemu - <span class="since">since 6.1.0</span>).

            The <code>hypervclock</code> timer adds support for the
            reference time counter and the reference page for iTSC
@ -2485,26 +2487,36 @@
            <p>
            The <code>tickpolicy</code> attribute determines what
            happens when QEMU misses a deadline for injecting a
-            tick to the guest:
+            tick to the guest. This can happen, for example, because the
+            guest was paused.
            </p>
            <dl>
              <dt><code>delay</code></dt>
-              <dd>Continue to deliver ticks at the normal rate.
-                The guest time will be delayed due to the late
-                tick</dd>
+              <dd>Continue to deliver ticks at the normal rate. The guest OS
+                will not notice anything is amiss, as from its point of view
+                time will have continued to flow normally. The time in the
+                guest should now be behind the time in the host by exactly
+                the amount of time during which ticks have been missed.</dd>
              <dt><code>catchup</code></dt>
-              <dd>Deliver ticks at a higher rate to catch up
-                with the missed tick. The guest time should
-                not be delayed once catchup is complete.</dd>
+              <dd>Deliver ticks at a higher rate to catch up with the missed
+                ticks. The guest OS will not notice anything is amiss, as
+                from its point of view time will have continued to flow
+                normally. Once the timer has managed to catch up with all
+                the missing ticks, the time in the guest and in the host
+                should match.</dd>
              <dt><code>merge</code></dt>
              <dd>Merge the missed tick(s) into one tick and
                inject. The guest time may be delayed, depending
                on how the OS reacts to the merging of ticks</dd>
              <dt><code>discard</code></dt>
-              <dd>Throw away the missed tick(s) and continue
-                with future injection normally. The guest time
-                may be delayed, unless the OS has explicit
-                handling of lost ticks</dd>
+              <dd>Throw away the missed ticks and continue with future
+                injection normally. The guest OS will see the timer jump
+                ahead by a potentially quite significant amount all at once,
+                as if the intervening chunk of time had simply not existed;
+                needless to say, such a sudden jump can easily confuse a
+                guest OS which is not specifically prepared to deal with it.
+                Assuming the guest OS can deal correctly with the time jump,
+                the time in the guest and in the host should now match.</dd>
            </dl>
            <p>If the policy is "catchup", there can be further details in
            the <code>catchup</code> sub-element.</p>
@ -2835,8 +2847,13 @@
  &lt;/disk&gt;
  &lt;disk type='network' device='cdrom'&gt;
    &lt;driver name='qemu' type='raw'/&gt;
-    &lt;source protocol="http" name="url_path"&gt;
+    &lt;source protocol="http" name="url_path" query="foo=bar&amp;amp;baz=flurb&gt;
      &lt;host name="hostname" port="80"/&gt;
+      &lt;cookies&gt;
+        &lt;cookie name="test"&gt;somevalue&lt;/cookie&gt;
+      &lt;/cookies&gt;
+      &lt;readahead size='65536'/&gt;
+      &lt;timeout seconds='6'/&gt;
    &lt;/source&gt;
    &lt;target dev='hde' bus='ide' tray='open'/&gt;
    &lt;readonly/&gt;
@ -2845,6 +2862,7 @@
    &lt;driver name='qemu' type='raw'/&gt;
    &lt;source protocol="https" name="url_path"&gt;
      &lt;host name="hostname" port="443"/&gt;
+      &lt;ssl verify="no"/&gt;
    &lt;/source&gt;
    &lt;target dev='hdf' bus='ide' tray='open'/&gt;
    &lt;readonly/&gt;
@ -2876,9 +2894,13 @@
  &lt;disk type='block' device='lun'&gt;
    &lt;driver name='qemu' type='raw'/&gt;
    &lt;source dev='/dev/sda'&gt;
+      &lt;slices&gt;
+        &lt;slice type='storage' offset='12345' size='123'/&gt;
+      &lt;/slices&gt;
      &lt;reservations managed='no'&gt;
        &lt;source type='unix' path='/path/to/qemu-pr-helper' mode='client'/&gt;
      &lt;/reservations&gt;
+    &lt;/source&gt;
    &lt;target dev='sda' bus='scsi'/&gt;
    &lt;address type='drive' controller='0' bus='0' target='3' unit='0'/&gt;
  &lt;/disk&gt;
@ -3074,10 +3096,11 @@
              <dd>
              The <code>protocol</code> attribute specifies the protocol to
              access to the requested image. Possible values are "nbd",
-              "iscsi", "rbd", "sheepdog", "gluster" or "vxhs".
+              "iscsi", "rbd", "sheepdog", "gluster", "vxhs", "http", "https",
+              "ftp", ftps", or "tftp".

-              <p>If the <code>protocol</code> attribute is "rbd", "sheepdog",
-              "gluster", or "vxhs", an additional attribute <code>name</code>
+              <p>For any <code>protocol</code> other than <code>nbd</code>
+              an additional attribute <code>name</code>
              is mandatory to specify which volume/image will be used.
              </p>

@ -3090,6 +3113,11 @@
              ('tls' <span class="since">Since 4.5.0</span>)
              </p>

+              <p>For protocols <code>http</code> and <code>https</code> an
+              optional attribute <code>query</code> specifies the query string.
+              (<span class="since">Since 6.2.0</span>)
+              </p>
+
              <p>For "iscsi" (<span class="since">since 1.0.4</span>), the
              <code>name</code> attribute may include a logical unit number,
              separated from the target's name by a slash (e.g.,
@ -3357,6 +3385,45 @@
            controller.
            <span class="since">Since 6.0.0</span>
          </dd>
+          <dt><code>slices</code></dt>
+          <dd>The <code>slices</code> element using its <code>slice</code>
+            sub-elements allows configuring offset and size of either the
+            location of the image format (<code>slice type='storage'</code>)
+            inside the storage source or the guest data inside the image format
+            container (future expansion).
+
+            The <code>offset</code> and <code>size</code> values are in bytes.
+            <span class="since">Since 6.1.0</span>
+          </dd>
+          <dt><code>ssl</code></dt>
+          <dd>
+            For <code>https</code> and <code>ftps</code> accessed storage it's
+            possible to tweak the SSL transport parameters with this element.
+            The <code>verify</code> attribute allows to turn on or off SSL
+            certificate validation. Supported values are <code>yes</code> and
+            <code>no</code>. <span class="since">Since 6.2.0</span>
+          </dd>
+          <dt><code>cookies</code></dt>
+          <dd>
+            For <code>http</code> and <code>https</code> accessed storage it's
+            possible to pass one or more cookies. The cookie name and value
+            must conform to the HTTP specification.
+            <span class="since">Since 6.2.0</span>
+          </dd>
+          <dt><code>readahead</code></dt>
+          <dd>
+            Specifies the size of the readahead buffer for protocols
+            which support it. (all 'curl' based drivers in qemu). The size
+            is in bytes. Note that '0' is considered as if the value is not
+            provided.
+            <span class="since">Since 6.2.0</span>
+          </dd>
+          <dt><code>timeout</code></dt>
+          <dd>
+            Specifies the connection timeout for protocols which support it.
+            Note that '0' is considered as if the value is not provided.
+            <span class="since">Since 6.2.0</span>
+          </dd>
        </dl>

        <p>
@ -3919,6 +3986,15 @@
    &lt;target dir='/import/from/host'/&gt;
    &lt;readonly/&gt;
  &lt;/filesystem&gt;
+  &lt;filesystem type='mount' accessmode='passthrough'&gt;
+      &lt;driver type='virtiofs' queue='1024'/&gt;
+      &lt;binary path='/usr/libexec/virtiofsd' xattr='on'&gt;
+         &lt;cache mode='always'/&gt;
+         &lt;lock posix='on' flock='on'/&gt;
+      &lt;/binary&gt;
+      &lt;source dir='/path'/&gt;
+      &lt;target dir='mount_tag'/&gt;
+  &lt;/filesystem&gt;
  ...
 &lt;/devices&gt;
 ...</pre>
@ -3947,6 +4023,9 @@
        while the value <code>immediate</code> means that a host writeback
        is immediately triggered for all pages touched during a guest file
        write operation <span class="since">(since 0.9.10)</span>.
+        <span class="since">Since 6.2.0</span>, <code>type='virtiofs'</code>
+        is also supported. Using virtiofs requires setting up shared memory,
+        see the guide: <a href="kbase/virtiofs.html">Virtio-FS</a>
        </dd>
        <dt><code>template</code></dt>
        <dd>
@ -3982,7 +4061,9 @@
      The filesystem element has an optional attribute <code>accessmode</code>
      which specifies the security mode for accessing the source
      <span class="since">(since 0.8.5)</span>. Currently this only works
-      with <code>type='mount'</code> for the QEMU/KVM driver. The possible
+      with <code>type='mount'</code> for the QEMU/KVM driver.
+      For driver type <code>virtiofs</code>, only <code>passthrough</code> is
+      supported. For other driver types, the possible
      values are:

        <dl>
@ -4009,13 +4090,20 @@
        </dd>
        </dl>

+      <p>
      <span class="since">Since 5.2.0</span>, the filesystem element
      has an optional attribute <code>model</code> with supported values
      "virtio-transitional", "virtio-non-transitional", or "virtio".
      See <a href="#elementsVirtioTransitional">Virtio transitional devices</a>
      for more details.
+      </p>
+
      </dd>

+      <p>
+      The <code>filesystem</code> element may contain the following subelements:
+      </p>
+
      <dt><code>driver</code></dt>
      <dd>
        The optional driver element allows specifying further details
@ -4037,9 +4125,28 @@
          <a href="#elementsVirtio">Virtio-specific options</a> can also be
          set. (<span class="since">Since 3.5.0</span>)
          </li>
+          <li>
+            For <code>virtiofs</code>, the <code>queue</code> attribute can be used
+            to specify the queue size (i.e. how many requests can the queue fit).
+            (<span class="since">Since 6.2.0</span>)
+          </li>
        </ul>
      </dd>

+      <dt><code>binary</code></dt>
+      <dd>
+        The optional <code>binary</code> element can tune the options for virtiofsd.
+        All of the following attributes and elements are optional.
+        The attribute <code>path</code> can be used to override the path to the daemon.
+        Attribute <code>xattr</code> enables the use of filesystem extended attributes.
+        Caching can be tuned via the <code>cache</code> element, possible <code>mode</code>
+        values being <code>none</code> and <code>always</code>.
+        Locking can be controlled via the <code>lock</code>
+        element - attributes <code>posix</code> and <code>flock</code> both accepting
+        values <code>on</code> or <code>off</code>.
+        (<span class="since">Since 6.2.0</span>)
+      </dd>
+
      <dt><code>source</code></dt>
      <dd>
        The resource on the host that is being accessed in the guest. The
@ -5871,6 +5978,107 @@
 &lt;/devices&gt;
 ...</pre>

+    <h5><a id="elementsTeaming">Teaming a virtio/hostdev NIC pair</a></h5>
+
+    <p>
+      <span class="since">Since 6.1.0 (QEMU and KVM only, requires
+        QEMU 4.2.0 or newer and a guest virtio-net driver supporting
+        the "failover" feature, such as the one included in Linux
+        kernel 4.18 and newer)
+      </span>
+      The <code>&lt;teaming&gt;</code> element of two interfaces can
+      be used to connect them as a team/bond device in the guest
+      (assuming proper support in the hypervisor and the guest
+      network driver).
+    </p>
+
+<pre>
+...
+&lt;devices&gt;
+  &lt;interface type='network'&gt;
+    &lt;source network='mybridge'/&gt;
+    &lt;mac address='00:11:22:33:44:55'/&gt;
+    &lt;model type='virtio'/&gt;
+    &lt;teaming type='persistent'/&gt;
+    &lt;alias name='ua-backup0'/&gt;
+  &lt;/interface&gt;
+  &lt;interface type='network'&gt;
+    &lt;source network='hostdev-pool'/&gt;
+    &lt;mac address='00:11:22:33:44:55'/&gt;
+    &lt;model type='virtio'/&gt;
+    &lt;teaming type='transient' persistent='ua-backup0'/&gt;
+  &lt;/interface&gt;
+&lt;/devices&gt;
+...</pre>
+
+    <p>
+      The <code>&lt;teaming&gt;</code> element required
+      attribute <code>type</code> will be set to
+      either <code>"persistent"</code> to indicate a device that
+      should always be present in the domain,
+      or <code>"transient"</code> to indicate a device that may
+      periodically be removed, then later re-added to the domain. When
+      type="transient", there should be a second attribute
+      to <code>&lt;teaming&gt;</code> called <code>"persistent"</code>
+      - this attribute should be set to the alias name of the other
+      device in the pair (the one that has <code>&lt;teaming
+      type="persistent'/&gt;</code>).
+    </p>
+    <p>
+      In the particular case of QEMU,
+      libvirt's <code>&lt;teaming&gt;</code> element is used to setup
+      a virtio-net "failover" device pair. For this setup, the
+      persistent device must be an interface with <code>&lt;model
+      type="virtio"/&gt;</code>, and the transient device must
+      be <code>&lt;interface type='hostdev'/&gt;</code>
+      (or <code>&lt;interface type='network'/&gt;</code> where the
+      referenced network defines a pool of SRIOV VFs). The guest will
+      then have a simple network team/bond device made of the virtio
+      NIC + hostdev NIC pair. In this configuration, the
+      higher-performing hostdev NIC will normally be preferred for all
+      network traffic, but when the domain is migrated, QEMU will
+      automatically unplug the VF from the guest, and then hotplug a
+      similar device once migration is completed; while migration is
+      taking place, network traffic will use the virtio NIC. (Of
+      course the emulated virtio NIC and the hostdev NIC must be
+      connected to the same subnet for bonding to work properly).
+    </p>
+    <p>
+      NB1: Since you must know the alias name of the virtio NIC when
+      configuring the hostdev NIC, it will need to be manually set in
+      the virtio NIC's configuration (as with all other manually set
+      alias names, this means it must start with "ua-").
+    </p>
+    <p>
+      NB2: Currently the only implementation of the guest OS
+      virtio-net driver supporting virtio-net failover requires that
+      the MAC addresses of the virtio and hostdev NIC must
+      match. Since that may not always be a requirement in the future,
+      libvirt doesn't enforce this limitation - it is up to the
+      person/management application that is creating the configuration
+      to assure the MAC addresses of the two devices match.
+    </p>
+    <p>
+      NB3: Since the PCI addresses of the SRIOV VFs on the hosts that
+      are the source and destination of the migration will almost
+      certainly be different, either higher level management software
+      will need to modify the <code>&lt;source&gt;</code> of the
+      hostdev NIC (<code>&lt;interface type='hostdev'&gt;</code>) at
+      the start of migration, or (a simpler solution) the
+      configuration will need to use a libvirt "hostdev" virtual
+      network that maintains a pool of such devices, as is implied in
+      the example's use of the libvirt network named "hostdev-pool" -
+      as long as the hostdev network pools on both hosts have the same
+      name, libvirt itself will take care of allocating an appropriate
+      device on both ends of the migration. Similarly the XML for the
+      virtio interface must also either work correctly unmodified on
+      both the source and destination of the migration (e.g. by
+      connecting to the same bridge device on both hosts, or by using
+      the same virtual network), or the management software must
+      properly modify the interface XML during migration so that the
+      virtio device remains connected to the same network segment
+      before and after migration.
+    </p>

    <h5><a id="elementsNICSMulticast">Multicast tunnel</a></h5>

@ -6412,6 +6620,37 @@ qemu-kvm -net nic,model=? /dev/null
      traffic for that VLAN will be tagged.
    </p>

+    <h5><a id="elementPort">Isolating guests's network traffic from each other</a></h5>
+
+<pre>
+...
+&lt;devices&gt;
+  &lt;interface type='network'&gt;
+    &lt;source network='default'/&gt;
+    <b>&lt;port isolated='yes'/&gt;</b>
+  &lt;/interface&gt;
+&lt;/devices&gt;
+...</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate this interface's network traffic from that of other
+      guest interfaces connected to the same network that also
+      have <code>&lt;port isolated='yes'/&gt;</code>.  This setting is
+      only supported for emulated interface devices that use a
+      standard tap device to connect to the network via a Linux host
+      bridge. This property can be inherited from a libvirt network,
+      so if all guests that will be connected to the network should be
+      isolated, it is better to put the setting in the network
+      configuration. (NB: this only prevents guests that
+      have <code>isolated='yes'</code> from communicating with each
+      other; if there is a guest on the same bridge that doesn't
+      have <code>isolated='yes'</code>, even the isolated guests will
+      be able to communicate with it.)
+    </p>
+
    <h5><a id="elementLink">Modifying virtual link state</a></h5>
 <pre>
 ...
@ -7407,7 +7646,10 @@ qemu-kvm -net nic,model=? /dev/null
      <span class="since">since 4.7.0</span>, <code>16550a</code> (usable
      with the <code>system-serial</code> target type);
      <code>sclpconsole</code> and <code>sclplmconsole</code> (usable with
-      the <code>sclp-serial</code> target type).
+      the <code>sclp-serial</code> target type). Providing a target model is
+      usually unnecessary: libvirt will automatically pick one that's suitable
+      for the chosen target type, and overriding that value is generally not
+      recommended.
    </p>

    <p>
@ -7553,7 +7795,8 @@ qemu-kvm -net nic,model=? /dev/null
      for early boot logging / interactive / recovery use, and one
      paravirtualized serial console to be used eg. as a side channel. Most
      people will be fine with having just the first <code>console</code>
-      element in their configuration.
+      element in their configuration, but if a specific configuration is
+      desired then both elements should be specified.
    </p>

    <p>
@ -8257,6 +8500,8 @@ qemu-kvm -net nic,model=? /dev/null
      &lt;source mode='bind' service='1234'/&gt;
      &lt;source mode='connect' host='1.2.3.4' service='1234'/&gt;
    &lt;/backend&gt;
+    &lt;!-- OR --&gt;
+    &lt;backend model='builtin'/&gt;
  &lt;/rng&gt;
 &lt;/devices&gt;
 ...
@ -8321,6 +8566,14 @@ qemu-kvm -net nic,model=? /dev/null
              for more information.
            </p>
          </dd>
+          <dt><code>builtin</code></dt>
+          <dd>
+            <p>
+              This backend uses qemu builtin random generator, which uses
+              <code>getrandom()</code> syscall as the source of entropy.
+              (<span class="since">Since 6.1.0 and QEMU 4.2</span>)
+            </p>
+          </dd>
        </dl>
      </dd>
      <dt><code>driver</code></dt>
@ -8395,10 +8648,13 @@ qemu-kvm -net nic,model=? /dev/null
        <p>
          The <code>model</code> attribute specifies what device
          model QEMU provides to the guest. If no model name is provided,
-          <code>tpm-tis</code> will automatically be chosen.
+          <code>tpm-tis</code> will automatically be chosen for non-PPC64
+          architectures.
          <span class="since">Since 4.4.0</span>, another available choice
          is the <code>tpm-crb</code>, which should only be used when the
-          backend device is a TPM 2.0.
+          backend device is a TPM 2.0. <span class="since">Since 6.1.0</span>,
+          pSeries guests on PPC64 are supported and the default is
+          <code>tpm-spapr</code>.
        </p>
      </dd>
      <dt><code>backend</code></dt>
@ -8649,6 +8905,7 @@ qemu-kvm -net nic,model=? /dev/null
    &lt;/target&gt;
  &lt;/memory&gt;
  &lt;memory model='nvdimm'&gt;
+    &lt;uuid&gt;
    &lt;source&gt;
      &lt;path&gt;/tmp/nvdimm&lt;/path&gt;
    &lt;/source&gt;
@ -8662,6 +8919,7 @@ qemu-kvm -net nic,model=? /dev/null
    &lt;/target&gt;
  &lt;/memory&gt;
  &lt;memory model='nvdimm' access='shared'&gt;
+    &lt;uuid&gt;
    &lt;source&gt;
      &lt;path&gt;/dev/dax0.0&lt;/path&gt;
      &lt;alignsize unit='KiB'&gt;2048&lt;/alignsize&gt;
@ -8717,6 +8975,17 @@ qemu-kvm -net nic,model=? /dev/null
        </p>
      </dd>

+      <dt><code>uuid</code></dt>
+      <dd>
+        <p>
+          For pSeries guests, an uuid can be set to identify the
+          nvdimm module. If absent, libvirt will generate an uuid.
+          automatically. This attribute is allowed only for
+          <code>model='nvdimm'</code> for pSeries guests.
+          <span class="since">Since 6.2.0</span>
+        </p>
+      </dd>
+
      <dt><code>source</code></dt>
      <dd>
        <p>
@ -8805,12 +9074,13 @@ qemu-kvm -net nic,model=? /dev/null
          <dt><code>label</code></dt>
          <dd>
            <p>
-              For NVDIMM type devices one can optionally use
-              <code>label</code> and its subelement <code>size</code>
-              to configure the size of namespaces label storage
-              within the NVDIMM module. The <code>size</code> element
-              has usual meaning described
+              For NVDIMM type devices one can use <code>label</code> and its
+              subelement <code>size</code> to configure the size of
+              namespaces label storage within the NVDIMM module. The
+              <code>size</code> element has usual meaning described
              <a href="#elementsMemoryAllocation">here</a>.
+              <code>label</code> is mandatory for pSeries guests and optional
+              for all other architectures.
              For QEMU domains the following restrictions apply:
            </p>
            <ol>
--- a/docs/formatdomaincaps.html.in
+++ b/docs/formatdomaincaps.html.in
@ -249,9 +249,11 @@
        The <code>mode</code> element contains a list of supported CPU
        models, each described by a dedicated <code>model</code> element.
        The <code>usable</code> attribute specifies whether the model can
-        be used on the host. A special value <code>unknown</code> indicates
-        libvirt does not have enough information to provide the usability
-        data.
+        be used directly on the host. When usable='no' the corresponding model
+        cannot be used without disabling some features that the CPU of such
+        model is expected to have. A special value <code>unknown</code>
+        indicates libvirt does not have enough information to provide the
+        usability data.
      </dd>
    </dl>

@ -481,6 +483,7 @@
      &lt;enum name='backendModel'&gt;
        &lt;value&gt;random&lt;/value&gt;
        &lt;value&gt;egd&lt;/value&gt;
+        &lt;value&gt;builtin&lt;/value&gt;
      &lt;/enum&gt;
    &lt;/rng&gt;
    ...
@ -565,7 +568,10 @@

    <p>Reports whether the hypervisor supports the backup, checkpoint, and
    related features. (<code>virDomainBackupBegin</code>,
-    <code>virDomainCheckpointCreateXML</code> etc).
+    <code>virDomainCheckpointCreateXML</code> etc). The presence of the
+    <code>backup</code> element even if <code>supported='no'</code> implies that
+    the <code>VIR_DOMAIN_UNDEFINE_CHECKPOINTS_METADATA</code> flag for
+    <code>virDomainUndefine</code> is supported.
    </p>

    <h4><a id="elementsSEV">SEV capabilities</a></h4>
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@ -548,10 +548,10 @@
        (<span class="since">since 0.9.4</span>). Setting
        <code>bandwidth</code> for a network is supported only
        for networks with a <code>&lt;forward&gt;</code> mode
-        of <code>route</code>, <code>nat</code>, or no mode at all
-        (i.e. an "isolated" network). Setting <code>bandwidth</code>
-        is <b>not</b> supported for forward modes
-        of <code>bridge</code>, <code>passthrough</code>, <code>private</code>,
+        of <code>route</code>, <code>nat</code>, <code>bridge</code>,
+        or no mode at all (i.e. an "isolated" network). Setting
+        <code>bandwidth</code> is <b>not</b> supported for forward modes
+        <code>passthrough</code>, <code>private</code>,
        or <code>hostdev</code>. Attempts to do this will lead to
        a failure to define the network or to create a transient network.
      </p>
@ -631,7 +631,7 @@
          goes through one point where QoS decisions can take place, hence
          why this attribute works only for virtual networks for now
          (that is <code>&lt;interface type='network'/&gt;</code> with a
-          forward type of route, nat, or no forward at all). Moreover, the
+          forward type of route, nat, open or no forward at all). Moreover, the
          virtual network the interface is connected to is required to have
          at least inbound QoS set (<code>average</code> at least). If
          using the <code>floor</code> attribute users don't need to specify
@ -729,6 +729,31 @@
      or <code>&lt;interface&gt;</code>.
    </p>

+    <h5><a id="elementPort">Isolating ports from one another</a></h5>
+
+<pre>
+&lt;network&gt;
+  &lt;name&gt;isolated-ports&lt;/name&gt;
+  &lt;forward mode='bridge'/&gt;
+  &lt;bridge name='br0'/&gt;
+  &lt;port isolated='yes'/&gt;
+&lt;/network&gt;
+</pre>
+
+    <p>
+      <span class="since">Since 6.1.0.</span> The <code>port</code>
+      element property <code>isolated</code>, when set
+      to <code>yes</code> (default setting is <code>no</code>) is used
+      to isolate the network traffic of each guest on the network from
+      all other guests connected to the network; it does not have an
+      effect on communication between the guests and the host, or
+      between the guests and destinations beyond this network. This
+      setting is only supported for networks that use a Linux host
+      bridge to connect guest interfaces via a standard tap device
+      (i.e. those with a forward mode of nat, route, open, bridge, or
+      no forward mode).
+    </p>
+
    <h5><a id="elementsPortgroup">Portgroups</a></h5>

 <pre>
--- a/docs/formatnetworkport.html.in
+++ b/docs/formatnetworkport.html.in
@ -84,6 +84,7 @@
    &lt;outbound average='128' peak='256' burst='256'/&gt;
  &lt;/bandwidth&gt;
  &lt;rxfilters trustGuest='yes'/&gt;
+  &lt;port isolated='yes'/&gt;
  &lt;virtualport type='802.1Qbg'&gt;
    &lt;parameters managerid='11' typeid='1193047' typeidversion='2'/&gt;
  &lt;/virtualport&gt;
@ -110,6 +111,16 @@
        only supported for the virtio device model and for macvtap
        connections on the host.
      </dd>
+      <dt><code>port</code></dt>
+      <dd> <span class="since">Since 6.1.0.</span>
+        The <code>port</code> element property
+        <code>isolated</code>, when set to <code>yes</code> (default
+        setting is <code>no</code>) is used to isolate this port's
+        network traffic from other ports on the same network that also
+        have <code>&lt;port isolated='yes'/&gt;</code>. This setting
+        is only supported for emulated network devices connected to a
+        Linux host bridge via a standard tap device.
+      </dd>
      <dt><code>virtualport</code></dt>
      <dd>The <code>virtualport</code> element describes metadata that
        needs to be provided to the underlying network subsystem. It
--- a/docs/formatsecret.html.in
+++ b/docs/formatsecret.html.in
@ -76,13 +76,13 @@
    <pre>
 # virsh secret-define volume-secret.xml
 Secret 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f created
-#
-# MYSECRET=`printf %s "open sesame" | base64`
-# virsh secret-set-value 0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f $MYSECRET
-Secret value set
-#
    </pre>

+    <p>
+      See <a href="#settingSecrets">virsh secret-set-value</a> on how
+      to set the value of the secret.
+    </p>
+
    <p>
      The volume type secret can be supplied either in volume XML during
      creation of a <a href="formatstorage.html#StorageVol">storage volume</a>
@ -103,12 +103,11 @@ Secret value set

 # virsh secret-define luks-secret.xml
 Secret f52a81b2-424e-490c-823d-6bd4235bc57 created
-#
-# MYSECRET=`printf %s "letmein" | base64`
-# virsh secret-set-value f52a81b2-424e-490c-823d-6bd4235bc57 $MYSECRET
-Secret value set
-#
    </pre>
+    <p>
+      See <a href="#settingSecrets">virsh secret-set-value</a> on how
+      to set the value of the secret.
+    </p>

    <p>
      The volume type secret can be supplied in domain XML for a luks storage
@ -156,13 +155,11 @@ Secret 1b40a534-8301-45d5-b1aa-11894ebb1735 created
 UUID                                 Usage
 -----------------------------------------------------------
 1b40a534-8301-45d5-b1aa-11894ebb1735 cephx ceph_example
-#
-# CEPHPHRASE=`printf %s "pass phrase" | base64`
-# virsh secret-set-value 1b40a534-8301-45d5-b1aa-11894ebb1735 $CEPHPHRASE
-Secret value set
-
-#
    </pre>
+    <p>
+      See <a href="#settingSecrets">virsh secret-set-value</a> on how
+      to set the value of the secret.
+    </p>

    <p>
      The ceph secret can then be used by UUID or by the
@ -229,7 +226,9 @@ incominguser myname mysecret

    <p>
      Next, use <code>virsh secret-define iscsi-secret.xml</code> to define
-      the secret and <code>virsh secret-set-value</code> using the generated
+      the secret and
+      <code><a href="#settingSecrets">virsh secret-set-value</a></code>
+      using the generated
      UUID value and a base64 generated secret value in order to define the
      chosen secret pass phrase.  The pass phrase must match the password
      used in the iSCSI authentication configuration file.
@ -243,12 +242,13 @@ Secret c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 created
 -----------------------------------------------------------
 c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 iscsi libvirtiscsi

-# MYSECRET=`printf %s "mysecret" | base64`
-# virsh secret-set-value c4dbe20b-b1a3-4ac1-b6e6-2ac97852ebb6 $MYSECRET
-Secret value set
-#
    </pre>

+    <p>
+      See <a href="#settingSecrets">virsh secret-set-value</a> on how
+      to set the value of the secret.
+    </p>
+
    <p>
      The iSCSI secret can then be used by UUID or by the
      usage name via the <code>&lt;auth&gt;</code> element in a domain's
@ -313,19 +313,13 @@ Secret 718c71bd-67b5-4a2b-87ec-a24e8ca200dc created
      Once the secret is defined, a secret value will need to be set. The
      secret would be the passphrase used to access the TLS credentials.
      The following is a simple example of using
-      <code>virsh secret-set-value</code> to set the secret value. The
+      <code><a href="#settingSecrets">virsh secret-set-value</a></code> to set
+      the secret value. The
      <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
      <code>virSecretSetValue</code></a> API may also be used to set
      a more secure secret without using printable/readable characters.
    </p>

-    <pre>
-# MYSECRET=`printf %s "letmein" | base64`
-# virsh secret-set-value 718c71bd-67b5-4a2b-87ec-a24e8ca200dc $MYSECRET
-Secret value set
-
-    </pre>
-
    <h3><a id="vTPMUsageType">Usage type "vtpm"</a></h3>

    <p>
@ -370,17 +364,50 @@ Secret 6dd3e4a5-1d76-44ce-961f-f119f5aad935 created
      Once the secret is defined, a secret value will need to be set. The
      secret would be the passphrase used to decrypt the vTPM state.
      The following is a simple example of using
-      <code>virsh secret-set-value</code> to set the secret value. The
+      <code><a href="#settingSecrets">virsh secret-set-value</a></code>
+      to set the secret value. The
      <a href="html/libvirt-libvirt-secret.html#virSecretSetValue">
      <code>virSecretSetValue</code></a> API may also be used to set
      a more secure secret without using printable/readable characters.
    </p>

+    <h2><a id="settingSecrets">Setting secret values in virsh</a></h2>
+
+    <p>
+      To set the value of the secret you can use the following virsh commands.
+      If the secret is a password-like string (printable characters, no newline)
+      you can use:
+    </p>
+    <pre>
+# virsh secret-set-value --interactive 6dd3e4a5-1d76-44ce-961f-f119f5aad935
+Enter new value for secret:
+Secret value set
+    </pre>
+
+    <p>
+      Another secure option is to read the secret from a file. This way the
+      secret can contain any bytes (even NUL and non-printable characters). The
+      length of the secret is the length of the input file. Alternatively the
+      <code>--plain</code> option can be omitted if the file contents are
+      base64-encoded.
+    </p>
+
+    <pre>
+# virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 --file --plain secretinfile
+Secret value set
+    </pre>
+
+    <p>
+      <b>WARNING</b> The following approach is <b>insecure</b> and deprecated.
+      The secret can also be set via an argument. Note that other users may see
+      the actual secret in the process listing!
+      The secret must be base64 encoded.
+    </p>
+
    <pre>
 # MYSECRET=`printf %s "open sesame" | base64`
 # virsh secret-set-value 6dd3e4a5-1d76-44ce-961f-f119f5aad935 $MYSECRET
 Secret value set
-
    </pre>

  </body>
--- a/docs/gitdm/aliases
+++ b/docs/gitdm/aliases
@ -2,6 +2,7 @@

 "jdenemar redhat com" jdenemar@redhat.com
 "pkrempa@redhat st.com" pkrempa@redhat.com
+berrange@localhost.localdomain berrange@redhat.com
 jyang@redhat jyang@redhat.com
 wangjie88.huawei.com wangjie88@huawei.com

--- a/docs/gitdm/companies/others
+++ b/docs/gitdm/companies/others
@ -10,9 +10,11 @@ av-test.de AV-TEST
 b1-systems.de B1 Systems
 baidu.com Baidu
 brightbox.co.uk Brightbox
+bytedance.com ByteDance
 cisco.com Cisco
 citrix.com Citrix
 cloudwatt.com Cloudwatt
+cmss.chinamobile.com China Mobile
 codethink.co.uk Codethink
 cumulusnetworks.com Cumulus Networks
 dataductus.se Data Ductus
@ -37,10 +39,13 @@ hitachi.com Hitachi
 hoster-ok.com hoster-ok.com
 hp.com HP
 huawei.com Huawei
+hupstream.com hupstream
+hygon.cn Hygon
 inktank.com Inktank Storage
 intel.com Intel
 intellilink.co.jp NTT DATA INTELLILINK
 invisiblethingslab.com Invisible Things Lab
+ixsystems.com iXsystems
 jtan.com JTAN
 juniper.net Juniper Networks
 laposte.net La Poste
@ -60,6 +65,7 @@ nicira.com Nicira
 nimboxx.com NIMBOXX
 novell.com Novell
 ntt.co.jp NTT Group
+nutanix.com Nutanix
 ohmu.fi OHMU
 open-minds.org OpenThink
 oracle.com Oracle
--- a/docs/gitdm/groups/unaffiliated
+++ b/docs/gitdm/groups/unaffiliated
@ -1,3 +1,8 @@
+# This domain will show up because of a mistake, and for that reason we
+# can't really pin it to a specific company or community, so here it is :)
+
+example.com
+
 # These are all domains you can get a personal email address from, so it's
 # fair to assume people using such addresses are contributing in their spare
 # time rather than on behalf of their respective employers.
@ -5,6 +10,7 @@
 126.com
 gmail.com
 gmx.com
+gmx.de
 googlemail.com
 hotmail.com
 mail.ru
@ -24,6 +30,7 @@ adam@pandorasboxen.com
 agx@sigxcpu.org
 alexander.nusov@nfvexpress.com
 andres@lagarcavilla.org
+andrew@interpretmath.pw
 asad.saeed@acidseed.com
 atler@pld-linux.org
 benoar@dolka.fr
@ -40,6 +47,7 @@ exo@tty.sk
 fritz@fritz-elfert.de
 gene@czarc.net
 gordon@dragonsdawn.net
+gregor@kopka.net
 heathpetersen@kandre.com
 ibaldo@adinet.com.uy
 igor47@moomers.org
--- a/docs/hacking.html.in
+++ b/docs/hacking.html.in
@ -932,8 +932,7 @@ BAD:
        type is at least four bytes wide).</li>
      <li>If a variable has boolean semantics, give it the <code>bool</code> type
        and use the corresponding <code>true</code> and <code>false</code> macros.
-         It's ok to include &lt;stdbool.h&gt;, since libvirt's use of gnulib ensures
-          that it exists and is usable.</li>
+      </li>
      <li>In the unusual event that you require a specific width, use a
        standard type like <code>int32_t</code>, <code>uint32_t</code>,
        <code>uint64_t</code>, etc.</li>
@ -1071,8 +1070,6 @@ BAD:
        <tr><td><code>virAsprintf</code></td><td><code>g_strdup_printf</code></td><td></td></tr>
        <tr><td><code>virVasprintf</code></td><td><code>g_strdup_vprint</code></td>
            <td>use <code>g_vasprintf</code> if you really need to know the returned length</td></tr>
-        <tr><td><code>virStrerror</code></td><td><code>g_strerror</code></td>
-            <td>the error strings are cached globally so no need to free it</td></tr>
    </table>
    </dl>

@ -1128,6 +1125,7 @@ BAD:
        <tr><td><code>ATTRIBUTE_UNUSED</code></td><td><code>G_GNUC_UNUSED</code></td><td></td></tr>
        <tr><td><code>VIR_STRDUP</code></td><td><code>g_strdup</code></td><td></td></tr>
        <tr><td><code>VIR_STRNDUP</code></td><td><code>g_strndup</code></td><td></td></tr>
+        <tr><td><code>virStrerror</code></td><td><code>g_strerror</code></td><td></td></tr>
    </table>


@ -1549,7 +1547,7 @@ int foo()
        in the same way, but still make sure they get reviewed if non-trivial.
      </li>
      <li>(ir)regular pulls from other repositories or automated updates, such
-        as the .gnulib submodule updates, pulling in new translations or updating
+        as the keycodemap submodule updates, pulling in new translations or updating
        the container images for the CI system
      </li>
    </ul>
--- a/docs/internals/command.html.in
+++ b/docs/internals/command.html.in
@ -226,7 +226,9 @@ virCommandSetPidFile(cmd, "/var/run/dnsmasq.pid");

    <p>
      This PID file is guaranteed to be written before
-      the intermediate process exits.
+      the intermediate process exits. Moreover, the daemonized
+      process will inherit the FD of the opened and locked PID
+      file.
    </p>

    <h3><a id="privs">Reducing command privileges</a></h3>
--- a/docs/kbase.html.in
+++ b/docs/kbase.html.in
@ -2,7 +2,7 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
  <body class="docs">
-    <h2>Knowledge base</h2>
+    <h1>Knowledge base</h1>

    <div class="panel">
      <dl>
@ -29,6 +29,13 @@
        <dt><a href="kbase/backing_chains.html">Backing chain management</a></dt>
        <dd>Explanation of how disk backing chain specification impacts libvirt's
          behaviour and basic troubleshooting steps of disk problems.</dd>
+
+        <dt><a href="kbase/qemu-passthrough-security.html">Security with QEMU passthrough</a></dt>
+        <dd>Examination of the security protections used for QEMU and how they need
+          configuring to allow use of QEMU passthrough with host files/devices.</dd>
+
+        <dt><a href="kbase/virtiofs.html">Virtio-FS</a></dt>
+        <dd>Share a filesystem between the guest and the host</dd>
      </dl>
    </div>

--- a/docs/kbase/backing_chains.rst
+++ b/docs/kbase/backing_chains.rst
@ -46,14 +46,17 @@ system used on the host so that the hypervisor can access the files and possibly
 also directly to configure the hypervisor to use the appropriate images. Thus
 it's important to properly setup the formats and paths of the backing images.

+Any externally created image should always use the -F switch of ``qemu-img``
+to specify the format of the backing file to avoid probing.
+
 Image detection caveats
 -----------------------

 Detection of the backing chain requires libvirt to read and understand the
 ``backing file`` field recorded in the image metadata and also being able to
 recurse and read the backing file. Due to security implications libvirt
-will not attempt to detect the format of the backing image if the image metadata
-doesn't contain it.
+will refuse to use backing images of any image whose format was not specified
+explicitly in the XML or the overlay image itself.

 Libvirt also might lack support for a network disk storage technology and thus
 may be unable to visit and detect backing chains on such storage. This may
@ -104,6 +107,8 @@ Note that it's also possible to partially specify the chain in the XML but omit
 the terminating element. This will result into probing from the last specified
 ``<backingStore>``

+Any image specified explicitly will not be probed for backing file or format.
+

 Manual image creation
 =====================
@ -113,6 +118,13 @@ them properly so that they work with libvirt as expected. The created disk
 images must contain the format of the backing image in the metadata. This
 means that the **-F** parameter of ``qemu-img`` must always be used.

+::
+
+  qemu-img -f qcow2 -F qcow2 -b /path/to/backing /path/to/overlay
+
+Note that if '/path/to/backing' is relative the path is considered relative to
+the location of '/path/to/overlay'.
+
 Troubleshooting
 ===============

@ -164,6 +176,21 @@ properly. ``$BACKING_IMAGE_PATH`` should be specified as a full absolute path.
 If relative referencing of the backing image is desired, the path must be
 relative to the location of image described by ``$IMAGE_PATH``.

+**Important:** If the ``$BACKING_IMAGE_FORMAT`` is not known it can be queried
+using ``qemu-img info $BACKING_IMAGE_PATH`` and looking for the ``file format:``
+field, but for security reasons should be used *only* if at least one of the
+following criteria is met:
+
+- ``file format`` is ``raw``
+- ``backing file`` is NOT present
+- ``backing file`` is present AND is correct/trusted
+
+Note that the last criteria may require manual inspection and thus should not
+be scripted unless the trust for the image can be expressed programatically.
+
+Also note that the above steps may need to be repeated recursively for any
+subsequent backing images.
+
 Missing images reported after after moving disk images into a different path
 ----------------------------------------------------------------------------

--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@ -0,0 +1,157 @@
+=============================
+QEMU command-line passthrough
+=============================
+
+.. contents::
+
+Libvirt aims to provide explicit modelling of virtualization features in
+the domain XML document schema. QEMU has a very broad range of features
+and not all of these can be mapped to elements in the domain XML. Libvirt
+would like to reduce the gap to QEMU, however, with finite resources there
+will always be cases which aren't covered by the domain XML schema.
+
+
+XML document additions
+======================
+
+To deal with the problem, libvirt introduced support for command-line
+passthrough of QEMU arguments. This is achieved by supporting a custom
+XML namespace, under which some QEMU driver specific elements are defined.
+
+The canonical place to declare the namespace is on the top level ``<domain>``
+element. At the very end of the document, arbitrary command-line arguments
+can now be added, using the namespace prefix ``qemu:``
+
+::
+
+   <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+     <name>QEMUGuest1</name>
+     <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+     ...
+     <qemu:commandline>
+       <qemu:arg value='-newarg'/>
+       <qemu:arg value='parameter'/>
+       <qemu:env name='ID' value='wibble'/>
+       <qemu:env name='BAR'/>
+     </qemu:commandline>
+   </domain>
+
+Note that when an argument takes a value eg ``-newarg parameter``, the argument
+and the value must be passed as separate ``<qemu:arg>`` entries.
+
+Instead of declaring the XML namespace on the top level ``<domain>`` it is also
+possible to declare it at time of use, which is more convenient for humans
+writing the XML documents manually. So the following example is functionally
+identical:
+
+::
+
+   <domain type='kvm'>
+     <name>QEMUGuest1</name>
+     <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+     ...
+     <commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
+       <arg value='-newarg'/>
+       <arg value='parameter'/>
+       <env name='ID' value='wibble'/>
+       <env name='BAR'/>
+     </commandline>
+   </domain>
+
+Note that when querying the XML from libvirt, it will have been translated into
+the canonical syntax once more with the namespace on the top level element.
+
+Security confinement / sandboxing
+=================================
+
+When libvirt launches a QEMU process it makes use of a number of security
+technologies to confine QEMU and thus protect the host from malicious VM
+breakouts.
+
+When configuring security protection, however, libvirt generally needs to know
+exactly which host resources the VM is permitted to access. It gets this
+information from the domain XML document. This only works for elements in the
+regular schema, the arguments used with command-line passthrough are completely
+opaque to libvirt.
+
+As a result, if command-line passthrough is used to expose a file on the host
+to QEMU, the security protections will activate and either kill QEMU or deny it
+access.
+
+There are two strategies for dealing with this problem, either figure out what
+steps are needed to grant QEMU access to the device, or disable the security
+protections.  The former is harder, but more secure, while the latter is simple.
+
+Granting access per VM
+----------------------
+
+* SELinux - the file on the host needs an SELinux label that will grant access
+  to QEMU's ``svirt_t`` policy.
+
+  - Read-only access - use the ``virt_content_t`` label
+  - Shared, write access - use the ``svirt_image_t:s0`` label (ie no Multi-
+    Category Security (MCS) value appended)
+  - Exclusive, write access - use the ``svirt_image_t:s0:MCS`` label for the VM.
+    The MCS is auto-generatd at boot time, so this may require re-configuring
+    the VM to have a fixed MCS label
+
+* Discretionary Access Control (DAC) - the file on the host needs to be
+  readable/writable to the ``qemu`` user or ``qemu`` group. This can be done
+  by changing the file ownership to ``qemu``, or relaxing the permissions to
+  allow world read, or adding file ACLs to allow access to ``qemu``.
+
+* Namespaces - a private ``mount`` namespace is used for QEMU by default
+  which populates a new ``/dev`` with only the device nodes needed by QEMU.
+  There is no way to augment the set of device nodes ahead of time.
+
+* Seccomp - libvirt launches QEMU with its built-in seccomp policy enabled with
+  ``obsolete=deny``, ``elevateprivileges=deny``, ``spawn=deny`` and
+  ``resourcecontrol=deny`` settings active. There is no way to change this
+  policy on a per VM basis.
+
+* Cgroups - a custom cgroup is created per VM and this will either use the
+  ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+  There is no way to change this policy on a per VM basis.
+
+Disabling security protection per VM
+------------------------------------
+
+Some of the security protections can be disabled per-VM:
+
+* SELinux - in the domain XML the ``<seclabel>`` model can be changed to
+  ``none`` instead of ``selinux``, which will make the VM run unconfined.
+
+* DAC - in the domain XML an ``<seclabel>`` element with the ``dac`` model can
+  be added, configured with a user / group account of ``root`` to make QEMU run
+  with full privileges.
+
+* Namespaces - there is no way to disable this per VM.
+
+* Seccomp - there is no way to disable this per VM.
+
+* Cgroups - there is no way to disable this per VM.
+
+Disabling security protection host-wide
+---------------------------------------
+
+As a last resort it is possible to disable security protection host wide which
+will affect all virtual machines. These settings are all made in
+``/etc/libvirt/qemu.conf``
+
+* SELinux - set ``security_default_confied = 0`` to make QEMU run unconfined by
+  default, while still allowing explicit opt-in to SELinux for VMs.
+
+* DAC - set ``user = root`` and ``group = root`` to make QEMU run as the root
+  account.
+
+* SELinux, DAC - set ``security_driver = []`` to entirely disable both the
+  SELinux and DAC security drivers.
+
+* Namespaces - set ``namespaces = []`` to disable use of the ``mount``
+  namespaces, causing QEMU to see the normal fully popualated ``dev``.
+
+* Seccomp - set ``seccomp_sandbox = 0`` to disable use of the Seccomp sandboxing
+  in QEMU.
+
+* Cgroups - set ``cgroup_device_acl`` to include the desired device node, or
+  ``cgroup_controllers = [...]`` to exclude the ``devices`` controller.
--- a/docs/kbase/virtiofs.rst
+++ b/docs/kbase/virtiofs.rst
@ -0,0 +1,147 @@
+============================
+Sharing files with Virtio-FS
+============================
+
+.. contents::
+
+=========
+Virtio-FS
+=========
+
+Virtio-FS is a shared file system that lets virtual machines access
+a directory tree on the host. Unlike existing approaches, it
+is designed to offer local file system semantics and performance.
+
+See https://virtio-fs.gitlab.io/
+
+==========
+Host setup
+==========
+
+The host-side virtiofsd daemon, like other vhost-user backed devices,
+requires shared memory between the host and the guest. As of QEMU 4.2, this
+requires specifying a NUMA topology for the guest and explicitly specifying
+a memory backend. Multiple options are available:
+
+Either of the following:
+
+* Use file-backed memory
+
+  Configure the directory where the files backing the memory will be stored
+  with the ``memory_backing_dir`` option in ``/etc/libvirt/qemu.conf``
+
+  ::
+
+    # This directory is used for memoryBacking source if configured as file.
+    # NOTE: big files will be stored here
+    memory_backing_dir = "/dev/shm/"
+
+* Use hugepage-backed memory
+
+  Make sure there are enough huge pages allocated for the requested guest memory.
+  For example, for one guest with 2 GiB of RAM backed by 2 MiB hugepages:
+
+  ::
+
+      # virsh allocpages 2M 1024
+
+===========
+Guest setup
+===========
+
+#. Specify the NUMA topology
+
+   in the domain XML of the guest.
+   For the simplest one-node topology for a guest with 2GiB of RAM and 8 vCPUs:
+
+   ::
+
+      <domain>
+        ...
+        <cpu ...>
+          <numa>
+            <cell id='0' cpus='0-7' memory='2' unit='GiB' memAccess='shared'/>
+          </numa>
+        </cpu>
+       ...
+      </domain>
+
+   Note that the CPU element might already be specified and only one is allowed.
+
+#. Specify the memory backend
+
+   Either of the following:
+
+   * File-backed memory
+
+     ::
+
+        <domain>
+          ...
+          <memoryBacking>
+            <access mode='shared'/>
+          </memoryBacking>
+          ...
+        </domain>
+
+     This will create a file in the directory specified in ``qemu.conf``
+
+   * Hugepage-backed memory
+
+     ::
+
+        <domain>
+          ...
+          <memoryBacking>
+            <hugepages>
+              <page size='2' unit='M'/>
+            </hugepages>
+            <access mode='shared'/>
+          </memoryBacking>
+          ...
+        </domain>
+
+#. Add the ``vhost-user-fs`` QEMU device via the ``filesystem`` element
+
+   ::
+
+      <domain>
+        ...
+        <devices>
+          ...
+          <filesystem type='mount' accessmode='passthrough'>
+            <driver type='virtiofs'/>
+            <source dir='/path'/>
+            <target dir='mount_tag'/>
+          </filesystem>
+          ...
+        </devices>
+      </domain>
+
+   Note that despite its name, the ``target dir`` is actually a mount tag and does
+   not have to correspond to the desired mount point in the guest.
+
+   So far, ``passthrough`` is the only supported access mode and it requires
+   running the ``virtiofsd`` daemon as root.
+
+#. Boot the guest and mount the filesystem
+
+   ::
+
+      guest# mount -t virtiofs mount_tag /mnt/mount/path
+
+   Note: this requires virtiofs support in the guest kernel (Linux v5.4 or later)
+
+===================
+Optional parameters
+===================
+
+More optional elements can be specified
+
+::
+
+  <driver type='virtiofs' queue='1024'/>
+  <binary path='/usr/libexec/virtiofsd' xattr='on'>
+    <cache mode='always'/>
+    <lock posix_lock='on' flock='on'/>
+  </binary>
--- a/docs/libvirt-go-xml.rst
+++ b/docs/libvirt-go-xml.rst
@ -0,0 +1,10 @@
+==========================
+Libvirt Go XML parsing API
+==========================
+
+The `Go <https://golang.org/>`__ package ``libvirt.org/libvirt-go-xml`` provides
+annotated Go struct definitions for parsing (and formatting) XML documents used
+with libvirt APIs.
+
+For details of Go specific behaviour consult the
+`Go package documentation <https://godoc.org/libvirt.org/libvirt-go-xml>`__
--- a/docs/libvirt-go.rst
+++ b/docs/libvirt-go.rst
@ -0,0 +1,13 @@
+=======================
+Libvirt Go Language API
+=======================
+
+The `Go <https://golang.org/>`__ package ``libvirt.org/libvirt-go`` provides
+`CGo <https://golang.org/cmd/cgo/>`__ binding from the OS native Libvirt API.
+
+In general the Go representation is a direct 1-1 mapping from native API
+concepts to Go, so the native API documentation should serve as a reference
+for most behaviour.
+
+For details of Go specific behaviour consult the
+`Go package documentation <https://godoc.org/libvirt.org/libvirt-go>`__
--- a/docs/libvirt.css
+++ b/docs/libvirt.css
@ -574,3 +574,12 @@ ul.news-section-content li dl dd {
    margin-top: 0.5em;
    margin-bottom: 0.5em;
 }
+
+.literal, code {
+    font-family: monospace;
+    background: #eeeeee;
+}
+
+.contents li p {
+    margin: 2px;
+}
--- a/docs/manpages/index.rst
+++ b/docs/manpages/index.rst
@ -19,6 +19,7 @@ Tools
 * `virt-login-shell(1) <virt-login-shell.html>`__ - tool to execute a shell within a container
 * `virt-admin(1) <virt-admin.html>`__ - daemon administration interface
 * `virsh(1) <virsh.html>`__ - management user interface
+* `virt-qemu-run(1) <virt-qemu-run.html>`__ - run standalone QEMU instances

 Key codes
 =========
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@ -356,7 +356,7 @@ connect
 is automatically run with the *URI* parameter requested by the ``-c``
 option on the command line. The *URI* parameter specifies how to
 connect to the hypervisor. The URI docs
-`https://libvirt.org/uri.html <https://libvirt.org/uri.html>`_ list the
+`https://libvirt.org/uri.html <https://libvirt.org/uri.html>`__ list the
 values supported, but the most common are:


@ -379,7 +379,7 @@ values supported, but the most common are:
 To find the currently used URI, check the *uri* command documented below.

 For remote access see the URI docs
-`https://libvirt.org/uri.html <https://libvirt.org/uri.html>`_ on how
+`https://libvirt.org/uri.html <https://libvirt.org/uri.html>`__ on how
 to make URIs. The *--readonly* option allows for read-only connection


@ -879,7 +879,7 @@ domain capabilities XML (printed by ``domcapabilities`` command). In
 addition to the <cpu> element itself, this command accepts
 full domain XML, capabilities XML, or domain capabilities XML containing
 the CPU definition. For more information on guest CPU definition see:
-`https://libvirt.org/formatdomain.html#elementsCPU <https://libvirt.org/formatdomain.html#elementsCPU>`_. If *--error* is
+`https://libvirt.org/formatdomain.html#elementsCPU <https://libvirt.org/formatdomain.html#elementsCPU>`__. If *--error* is
 specified, the command will return an error when the given CPU is
 incompatible with host CPU and a message providing more details about the
 incompatibility will be printed out.
@ -943,7 +943,7 @@ host CPU model found in the domain capabilities XML (printed by the
 ``domcapabilities`` command). In addition to the <cpu> element itself, this
 command accepts full domain XML, capabilities XML, or domain capabilities XML
 containing the CPU definition. For more information on guest CPU definition
-see: `https://libvirt.org/formatdomain.html#elementsCPU <https://libvirt.org/formatdomain.html#elementsCPU>`_.
+see: `https://libvirt.org/formatdomain.html#elementsCPU <https://libvirt.org/formatdomain.html#elementsCPU>`__.

 The *virttype* option specifies the virtualization type (usable in the 'type'
 attribute of the <domain> top level element from the domain XML). *emulator*
@ -1797,10 +1797,15 @@ domhostname

 .. code-block::

-   domhostname domain
+   domhostname domain [--source lease|agent]

 Returns the hostname of a domain, if the hypervisor makes it available.

+The *--source* argument specifies what data source to use for the
+hostnames, currently 'lease' to read DHCP leases or 'agent' to query
+the guest OS via an agent. If unspecified, driver returns the default
+method available (some drivers support only one type of source).
+

 domid
 -----
@ -1814,8 +1819,8 @@ domid
 Convert a domain name (or UUID) to a domain id


-domif
-----
+domif-getlink
+-------------

 **Syntax:**

@ -1830,8 +1835,8 @@ purposes, *--persistent* is alias of *--config*.
 *interface-device* can be the interface's target name or the MAC address.


-domif
-----
+domif-setlink
+-------------

 **Syntax:**

@ -1974,7 +1979,7 @@ inbound or outbound bandwidth. *average,peak,burst,floor* is the same as
 in command *attach-interface*.  Values for *average*, *peak* and *floor*
 are expressed in kilobytes per second, while *burst* is expressed in kilobytes
 in a single burst at *peak* speed as described in the Network XML
-documentation at `https://libvirt.org/formatnetwork.html#elementQoS <https://libvirt.org/formatnetwork.html#elementQoS>`_.
+documentation at `https://libvirt.org/formatnetwork.html#elementQoS <https://libvirt.org/formatnetwork.html#elementQoS>`__.

 To clear inbound or outbound settings, use *--inbound* or *--outbound*
 respectfully with average value of zero.
@ -2439,8 +2444,8 @@ domuuid
 Convert a domain name or id to domain UUID


-domxml
------
+domxml-from-native
+------------------

 **Syntax:**

@ -2457,8 +2462,8 @@ VMware/ESX hypervisor, the *format* argument must be ``vmware-vmx``.
 For the Bhyve hypervisor, the *format* argument must be ``bhyve-argv``.


-domxml
------
+domxml-to-native
+----------------

 **Syntax:**

@ -4387,7 +4392,7 @@ attach-device
 Attach a device to the domain, using a device definition in an XML
 file using a device definition element such as <disk> or <interface>
 as the top-level element.  See the documentation at
-`https://libvirt.org/formatdomain.html#elementsDevices <https://libvirt.org/formatdomain.html#elementsDevices>`_ to learn about
+`https://libvirt.org/formatdomain.html#elementsDevices <https://libvirt.org/formatdomain.html#elementsDevices>`__ to learn about
 libvirt XML format for a device.  If *--config* is specified the
 command alters the persistent domain configuration with the device
 attach taking effect the next time libvirt starts the domain.
@ -4544,7 +4549,7 @@ specified.  The other two *peak* and *burst* are optional, so
 are expressed in kilobytes per second, while *burst* is expressed in
 kilobytes in a single burst at *peak* speed as described in the
 Network XML documentation at
-`https://libvirt.org/formatnetwork.html#elementQoS <https://libvirt.org/formatnetwork.html#elementQoS>`_.
+`https://libvirt.org/formatnetwork.html#elementQoS <https://libvirt.org/formatnetwork.html#elementQoS>`__.

 ``--managed`` is usable only for *hostdev* type and tells libvirt
 that the interface should be managed, which means detached and reattached
@ -4714,7 +4719,7 @@ Update the characteristics of a device associated with *domain*,
 based on the device definition in an XML *file*.  The *--force* option
 can be used to force device update, e.g., to eject a CD-ROM even if it is
 locked/mounted in the domain. See the documentation at
-`https://libvirt.org/formatdomain.html#elementsDevices <https://libvirt.org/formatdomain.html#elementsDevices>`_ to learn about
+`https://libvirt.org/formatdomain.html#elementsDevices <https://libvirt.org/formatdomain.html#elementsDevices>`__ to learn about
 libvirt XML format for a device.

 If *--live* is specified, affect a running domain.
@ -4952,7 +4957,7 @@ VIRTUAL NETWORK COMMANDS
 The following commands manipulate networks. Libvirt has the capability to
 define virtual networks which can then be used by domains and linked to
 actual network devices. For more detailed information about this feature
-see the documentation at `https://libvirt.org/formatnetwork.html <https://libvirt.org/formatnetwork.html>`_ . Many
+see the documentation at `https://libvirt.org/formatnetwork.html <https://libvirt.org/formatnetwork.html>`__ . Many
 of the commands for virtual networks are similar to the ones used for domains,
 but the way to name a virtual network is either by its name or UUID.

@ -4981,7 +4986,7 @@ net-create

 Create a transient (temporary) virtual network from an
 XML *file* and instantiate (start) the network.
-See the documentation at `https://libvirt.org/formatnetwork.html <https://libvirt.org/formatnetwork.html>`_
+See the documentation at `https://libvirt.org/formatnetwork.html <https://libvirt.org/formatnetwork.html>`__
 to get a description of the XML network format used by libvirt.


@ -6558,10 +6563,20 @@ secret-set-value

 .. code-block::

-   secret-set-value secret base64
+   secret-set-value secret (--file filename [--plain] | --interactive | base64)

 Set the value associated with *secret* (specified by its UUID) to the value
-Base64-encoded value *base64*.
+Base64-encoded value *base64* or Base-64-encoded contents of file named
+*filename*. Using the *--plain* flag is together with *--file* allows to use
+the file contents directly as the secret value.
+
+If *--interactive* flag is used the secret value is read as a password from the
+terminal.
+
+Note that *--file*, *--interactive* and *base64* options are mutually exclusive.
+
+Passing secrets via the *base64* option on command line is INSECURE and
+deprecated. Use the *--file* option instead.


 secret-get-value
@ -6571,11 +6586,15 @@ secret-get-value

 .. code-block::

-   secret-get-value secret
+   secret-get-value [--plain] secret

 Output the value associated with *secret* (specified by its UUID) to stdout,
 encoded using Base64.

+If the *--plain* flag is used the value is not base64 encoded, but rather
+printed raw. Note that unless virsh is started in quiet mode (*virsh -q*) it
+prints a newline at the end of the command. This newline is not part of the
+secret.

 secret-undefine
 ---------------
@ -7463,16 +7482,24 @@ qemu-monitor-command

 .. code-block::

-   qemu-monitor-command domain { [--hmp] | [--pretty] } command...
+   qemu-monitor-command domain { [--hmp] | [--pretty] [--return-value] } command...

 Send an arbitrary monitor command *command* to domain *domain* through the
-QEMU monitor.  The results of the command will be printed on stdout.  If
-*--hmp* is passed, the command is considered to be a human monitor command
-and libvirt will automatically convert it into QMP if needed.  In that case
-the result will also be converted back from QMP.  If *--pretty* is given,
-and the monitor uses QMP, then the output will be pretty-printed.  If more
-than one argument is provided for *command*, they are concatenated with a
-space in between before passing the single command to the monitor.
+QEMU monitor.  The results of the command will be printed on stdout.
+
+If more than one argument is provided for *command*, they are concatenated with
+a space in between before passing the single command to the monitor.
+
+Note that libvirt uses the QMP to talk to qemu so *command* must be valid JSON
+in QMP format to work properly.
+
+If *--pretty* is given the QMP reply is pretty-printed.
+
+If *--return-value* is given the 'return' key of the QMP response object is
+extracted rather than passing through the full reply from QEMU.
+
+If *--hmp* is passed, the command is considered to be a human monitor command
+and libvirt will automatically convert it into QMP and convert the result back.


 qemu-agent-command
--- a/docs/manpages/virt-admin.rst
+++ b/docs/manpages/virt-admin.rst
@ -442,6 +442,22 @@ Set new client-related limits on *server*.
  *--max-clients*.


+server-update-tls
+-----------------
+
+**Syntax:**
+
+.. code-block::
+
+   server-update-tls server
+
+Update tls context on *server*.
+
+- *server*
+
+  Available servers on a daemon. Currently only supports 'libvirtd'.
+
+
 CLIENT COMMANDS
 ===============

--- a/docs/manpages/virt-qemu-run.rst
+++ b/docs/manpages/virt-qemu-run.rst
@ -0,0 +1,119 @@
+=============
+virt-qemu-run
+=============
+
+---------------------------
+Run a standalone QEMU guest
+---------------------------
+
+:Manual section: 1
+:Manual group: Virtualization Support
+
+.. contents::
+
+SYNOPSIS
+========
+
+``virt-qemu-run [OPTIONS...] [GUEST-XML]``
+
+DESCRIPTION
+===========
+
+This tool provides a way to run a standalone QEMU guest such that it
+is completely independent of libvirtd. It makes use of the embedded
+QEMU driver support to run the VM placing files under an isolated
+directory tree. When the guest is run with this tool it is invisible
+to libvirtd and thus also invisible to other libvirt tools such as
+virsh.
+
+The virt-qemu-run program will run the QEMU virtual machine, and then
+block until the guest OS shuts down, at which point it will exit.
+
+If the virt-qemu-run program is interrupted (eg Ctrl-C) it will
+immediately terminate the virtual machine without giving the guest
+OS any opportunity to gracefully shutdown.
+
+**NOTE: this tool is currently considered experimental.** Its
+usage and behaviour is still subject to change in future libvirt
+releases. For further information on its usage consult the
+`QEMU driver documentation <https://libvirt.org/drvqemu.html#uriembedded>`_.
+
+OPTIONS
+=======
+
+``GUEST-XML``
+
+The full path to the XML file describing the guest virtual machine
+to be booted.
+
+``-h``, ``--help``
+
+Display the command line help
+
+``-v``, ``--verbose``
+
+Display verbose information about startup
+
+``-r DIR``, ``--root=DIR``
+
+Specify the root directory to use for storing state associated with
+the virtual machine. The caller is responsible for deleting this
+directory when it is no longer required.
+
+If this parameter is omitted, then a random temporary directory
+will be created, and its contents be automaticlaly deleted at
+VM shutdown.
+
+``-s XML-FILE,VALUE-FILE``, ``--secret=XML-FILE,VALUE-FILE``
+
+Specify a secret to be loaded into the secret driver. The ``XML-FILE``
+is a path to the XML description of the secret, whose UUID should
+match a secret referenced in the guest domain XML. The ``VALUE-FILE``
+is a path containing the raw value of the secret.
+
+EXIT STATUS
+===========
+
+Upon successful shutdown, an exit status of 0 will be set. Upon
+failure a non-zero status will be set.
+
+AUTHOR
+======
+
+Daniel P. Berrangé
+
+
+BUGS
+====
+
+Please report all bugs you discover.  This should be done via either:
+
+#. the mailing list
+
+   `https://libvirt.org/contact.html <https://libvirt.org/contact.html>`_
+
+#. the bug tracker
+
+   `https://libvirt.org/bugs.html <https://libvirt.org/bugs.html>`_
+
+Alternatively, you may report bugs to your software distributor / vendor.
+
+
+COPYRIGHT
+=========
+
+Copyright (C) 2019 by Red Hat, Inc.
+
+
+LICENSE
+=======
+
+``virt-run-qemu`` is distributed under the terms of the GNU LGPL v2+.
+This is free software; see the source for copying conditions. There
+is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE
+
+SEE ALSO
+========
+
+virsh(1), `https://libvirt.org/ <https://libvirt.org/>`_
--- a/docs/manpages/virt-sanlock-cleanup.rst
+++ b/docs/manpages/virt-sanlock-cleanup.rst
@ -6,7 +6,7 @@ virt-sanlock-cleanup
 remove stale sanlock resource lease files
 -----------------------------------------

-:Manual section: 1
+:Manual section: 8
 :Manual group: Virtualization Support

 .. contents::
--- a/docs/news.xml
+++ b/docs/news.xml
@ -42,6 +42,275 @@
     -->

 <libvirt>
+  <release version="v6.2.0" date="2020-04-02">
+    <section title="New features">
+      <change>
+        <summary>
+          qemu: NVDIMM support for pSeries guests
+        </summary>
+        <description>
+          QEMU 5.0 implements NVDIMM memory support for pSeries guests. This
+          is done by adding an 'uuid' element in the memory XML, which can
+          either be provided in the XML or, if omitted, generated
+          automatically.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Add virtiofs support
+        </summary>
+        <description>
+          This feature, introduced in QEMU 4.2, is a more modern alternative
+          to virtio-9p, which is exposed through the same
+          <code>&lt;filesystem/&gt;</code> element.
+        </description>
+      </change>
+      <change>
+        <summary>
+          admin: Support reloading TLS certificates
+        </summary>
+        <description>
+          After renewing TLS certificates, it was usually necessary to restart
+          libvirtd for the new ones to be loaded: now the same result can be
+          obtained without restarting the daemon by using <code>virt-admin
+          server-update-tls</code>.
+        </description>
+      </change>
+    </section>
+    <section title="Removed features">
+      <change>
+        <summary>
+          Removed support for INI style of comments
+        </summary>
+        <description>
+          With switching of our internal code to GLib, parsing of client
+          authentication config files is handed over to GLib which does not
+          support <code>INI</code> style of comments starting with a semicolon
+          (<code>;</code>). Use number sign (<code>#</code>) instead.
+        </description>
+      </change>
+    </section>
+    <section title="Improvements">
+      <change>
+        <summary>
+          qemu: Don't compare local and remote hostnames on migration
+        </summary>
+        <description>
+          This check was introduced to prevent same-host migration, but did
+          not work as expected when multiple libvirtd instances were running
+          on the same host but in different containers. With this release, the
+          host UUID (which should be unique to the container) is checked
+          instead.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Use per-VM event loops
+        </summary>
+        <description>
+          Instead of using a single even loop to process communication with
+          the QEMU monitor and guest agent, create a separate one for each VM.
+          This helps with scalability and prevents scenarios where a single
+          malfunctioning VM could affect all those running on the same host.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Support migration with SLIRP helper interface
+        </summary>
+        <description>
+          With QEMU 5.0, a new D-Bus backend allows migration of external
+          processes. When needed, libvirt will start a per-vm D-Bus bus, and
+          migrate the slirp-helper along with QEMU.
+        </description>
+      </change>
+    </section>
+    <section title="Bug fixes">
+      <change>
+        <summary>
+          qemu: Open backing chain late for shallow block copy reusing external images
+        </summary>
+        <description>
+          With introduction of -blockdev for QEMU storage configuration
+          in libvirt-5.10 we've started opening the backing chain of the
+          destination/mirror of a virDomainBlockcopy started with
+          VIR_DOMAIN_BLOCK_COPY_REUSE_EXT | VIR_DOMAIN_BLOCK_COPY_SHALLOW flags
+          when starting the job rather than when virDomainBlockJobAbort with
+          VIR_DOMAIN_BLOCK_JOB_ABORT_PIVOT is issued. For users depending on
+          this undocumented quirky pre-blockdev behaviour this caused a
+          regression as the backing chain could not be modified while the copy
+          of the top image was progressing due to QEMU image locking. Note that
+          this fix also requires qemu-5.0 while -blockdev is used starting from
+          QEMU-4.2.
+        </description>
+      </change>
+      <change>
+        <summary>
+          Don't generate machine names containing dots
+        </summary>
+        <description>
+          Even though the guest name containing dots is not a problem for
+          libvirt itself, we need to strip them out when registering with
+          machined because of the latter's requirements.
+        </description>
+      </change>
+    </section>
+  </release>
+  <release version="v6.1.0" date="2020-03-03">
+    <section title="New features">
+      <change>
+        <summary>
+          qemu: new rng backend type: builtin
+        </summary>
+        <description>
+          It implements qemu builtin rng backend. That uses getrandom syscall
+          to generate random, no external rng source needed. Available since
+          QEMU 4.2.
+        </description>
+      </change>
+      <change>
+        <summary>
+          support for virtio+hostdev NIC &lt;teaming&gt;
+        </summary>
+        <description>
+          QEMU 4.2.0 and later, combined with a sufficiently recent
+          guest virtio-net driver (e.g. the driver included in Linux
+          kernel 4.18 and later), supports setting up a simple network
+          bond device comprised of one virtio emulated NIC and one
+          hostdev NIC (which must be an SRIOV VF). (in QEMU, this is
+          known as the "virtio failover" feature). The allure of this
+          setup is that the bond will always favor the hostdev device,
+          providing better performance, until the guest is migrated -
+          at that time QEMU will automatically unplug the hostdev NIC
+          and the bond will send all traffic via the virtio NIC until
+          migration is completed, then QEMU on the destination side
+          will hotplug a new hostdev NIC and the bond will switch back
+          to using the hostdev for network traffic. The result is that
+          guests desiring the extra performance of a hostdev NIC are
+          now migratable without network downtime (performance is just
+          degraded during migration) and without requiring a
+          complicated bonding configuration in the guest OS network
+          config and complicated unplug/replug logic in the management
+          application on the host - it can instead all be accomplished
+          in libvirt with the interface &lt;teaming&gt; subelement
+          "type" and "persistent" attributes.
+        </description>
+      </change>
+      <change>
+        <summary>
+          support BR_ISOLATED flag for guest interfaces attached to a Linux host bridge
+        </summary>
+        <description>
+          Since Linux kernel 4.18, the Linux host bridge has had a
+          flag BR_ISOLATED that can be applied to individual
+          ports. When this flag is set for a port, traffic is blocked
+          between that port and any other port that also has the
+          BR_ISOLATED flag set. libvirt domain interface config now
+          supports setting this flag via the &lt;port
+          isolated='yes'/&gt; setting. It can also be set for all
+          connections to a particular libvirt network by setting the
+          same option in the network config - since the port for the
+          host itself does not have BR_ISOLATED set, the guests can
+          communicate with the host and the outside world, but guests
+          on that network can't communicate with each other. This
+          feature works for QEMU and LXC guests with interfaces
+          attached to a Linux host bridge.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Introduce the 'armvtimer' timer type
+        </summary>
+        <description>
+          QEMU 5.0 introduces the ability to control the behavior of the
+          virtual timer for KVM ARM/virt guests, and this new timer type
+          exposes the same capability to libvirt users.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Storage configuration improvements
+        </summary>
+        <description>
+          Libvirt now accepts <code>&lt;backingStore type='volume'&gt;</code>
+          and allows specifying the offset and size of the image format
+          container inside the storage source via the <code>&lt;slices&gt;</code>
+          subelement.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Introduce the 'tpm-spapr' TPM model
+        </summary>
+        <description>
+          This device, available starting from QEMU 5.0, is limited to
+          pSeries guests.
+        </description>
+      </change>
+    </section>
+    <section title="Improvements">
+      <change>
+        <summary>
+          qemu: Image format probing is allowed in certain cases
+        </summary>
+        <description>
+          To resolve regressions when users didn't specify the backing image
+          format in the overlay, libvirt now probes the format in certain
+          secure scenarios which fixes a few common existing cases. Additionally
+          the knowledge base was extended to provide more information on how
+          to rectify the problem.
+        </description>
+      </change>
+      <change>
+        <summary>
+          qemu: Support "dies" in CPU topology
+        </summary>
+        <description>
+          This CPU topology concept, new in QEMU 4.1.0, sits between the
+          existing "socket" and "core".
+        </description>
+      </change>
+      <change>
+        <summary>
+          libxl: Add support for Credit2 scheduler parameters
+        </summary>
+      </change>
+      <change>
+        <summary>
+          lxc: Add support LXC 3 network configuration format
+        </summary>
+      </change>
+    </section>
+    <section title="Bug fixes">
+      <change>
+        <summary>
+          conf: Do not generate machine names ending with a dash
+        </summary>
+        <description>
+          Recent systemd versions do not allow them.
+        </description>
+      </change>
+    </section>
+    <section title="Packaging changes">
+      <change>
+        <summary>
+          use of gnulib has been completely eliminated
+        </summary>
+        <description>
+          Historically libvirt has embedded gnulib to provide fixes for
+          various platform portability problems. This usage has now been
+          eliminated and alternative approaches for platform portability
+          problems adopted where required. This has been validated on the
+          set of platforms covered by automated CI build testing. Other
+          modern Linux distros using glibc are expected to work. Linux
+          distros using non-glibc packages, and other non-Linux platforms
+          may encounter regressions when building this release. Please
+          report any build problems encountered back to the project
+          maintainers for evaluation.
+        </description>
+      </change>
+    </section>
+  </release>
  <release version="v6.0.0" date="2020-01-15">
    <section title="Packaging changes">
      <change>
--- a/docs/page.xsl
+++ b/docs/page.xsl
@ -99,6 +99,12 @@
        <meta name="theme-color" content="#ffffff"/>
        <title>libvirt: <xsl:value-of select="html:html/html:body//html:h1"/></title>
        <meta name="description" content="libvirt, virtualization, virtualization API"/>
+        <xsl:if test="$pagename = 'libvirt-go.html'">
+          <meta name="go-import" content="libvirt.org/libvirt-go git https://libvirt.org/git/libvirt-go.git"/>
+        </xsl:if>
+        <xsl:if test="$pagename = 'libvirt-go-xml.html'">
+          <meta name="go-import" content="libvirt.org/libvirt-go-xml git https://libvirt.org/git/libvirt-go-xml.git"/>
+        </xsl:if>
        <xsl:apply-templates select="/html:html/html:head/html:script" mode="content"/>

        <script type="text/javascript" src="{$href_base}js/main.js">
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@ -265,6 +265,9 @@
        <attribute name='socket_id'>
          <ref name='unsignedInt'/>
        </attribute>
+        <attribute name='die_id'>
+          <ref name='unsignedInt'/>
+        </attribute>
        <attribute name='core_id'>
          <ref name='unsignedInt'/>
        </attribute>
--- a/docs/schemas/cputypes.rng
+++ b/docs/schemas/cputypes.rng
@ -86,6 +86,11 @@
      <attribute name="sockets">
        <ref name="positiveInteger"/>
      </attribute>
+      <optional>
+        <attribute name="dies">
+          <ref name="positiveInteger"/>
+        </attribute>
+      </optional>
      <attribute name="cores">
        <ref name="positiveInteger"/>
      </attribute>
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@ -165,6 +165,14 @@
            <attribute name='name'>
              <ref name='diskTarget'/>
            </attribute>
+            <optional>
+              <attribute name='exportname'>
+                <text/>
+              </attribute>
+              <attribute name='exportbitmap'>
+                <text/>
+              </attribute>
+            </optional>
            <choice>
              <group>
                <attribute name='backup'>
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@ -1239,6 +1239,7 @@
            <choice>
              <value>hpet</value>
              <value>pit</value>
+              <value>armvtimer</value>
            </choice>
          </attribute>
          <optional>
@ -1595,12 +1596,31 @@
    </optional>
  </define>

+  <define name="diskSourceSlice">
+    <attribute name='offset'>
+      <ref name="positiveInteger"/>
+    </attribute>
+    <attribute name='size'>
+      <ref name="positiveInteger"/>
+    </attribute>
+  </define>
+
  <define name="diskSourceCommon">
    <optional>
      <attribute name="index">
        <ref name="positiveInteger"/>
      </attribute>
    </optional>
+    <optional>
+      <element name='slices'>
+        <element name='slice'>
+          <attribute name='type'>
+            <value>storage</value>
+          </attribute>
+          <ref name="diskSourceSlice"/>
+        </element>
+      </element>
+    </optional>
  </define>

  <define name="diskSource">
@ -1622,6 +1642,7 @@
    </optional>
    <optional>
      <element name="source">
+        <interleave>
          <optional>
            <attribute name="file">
              <ref name="absFilePath"/>
@ -1637,6 +1658,7 @@
          <zeroOrMore>
            <ref name='devSeclabel'/>
          </zeroOrMore>
+        </interleave>
      </element>
    </optional>
  </define>
@ -1647,6 +1669,7 @@
    </attribute>
    <optional>
      <element name="source">
+        <interleave>
          <optional>
            <attribute name="dev">
              <ref name="absFilePath"/>
@ -1665,6 +1688,7 @@
          <zeroOrMore>
            <ref name='devSeclabel'/>
          </zeroOrMore>
+        </interleave>
      </element>
    </optional>
  </define>
@ -1675,6 +1699,7 @@
    </attribute>
    <optional>
      <element name="source">
+        <interleave>
          <attribute name="dir">
            <ref name="absFilePath"/>
          </attribute>
@ -1686,6 +1711,7 @@
            <ref name="encryption"/>
          </optional>
          <empty/>
+        </interleave>
      </element>
    </optional>
  </define>
@ -1788,12 +1814,111 @@
    </element>
  </define>

+  <define name="diskSourceNetworkProtocolPropsCommon">
+    <optional>
+      <element name="readahead">
+        <attribute name="size">
+          <ref name="positiveInteger"/>
+        </attribute>
+        <empty/>
+      </element>
+    </optional>
+    <optional>
+      <element name="timeout">
+        <attribute name="seconds">
+          <ref name="positiveInteger"/>
+        </attribute>
+        <empty/>
+      </element>
+    </optional>
+  </define>
+
+  <define name="diskSourceNetworkProtocolSSLVerify">
+    <element name="ssl">
+      <attribute name="verify">
+        <ref name="virYesNo"/>
+      </attribute>
+      <empty/>
+    </element>
+  </define>
+
+  <define name="diskSourceNetworkProtocolHTTPCookies">
+    <element name="cookies">
+      <oneOrMore>
+        <element name="cookie">
+          <attribute name="name">
+            <data type="string">
+              <param name="pattern">[!#$%&amp;'*+\-.0-9A-Z\^_`a-z|~]+</param>
+            </data>
+          </attribute>
+          <data type="string">
+            <param name="pattern">"?[!#$%&amp;'()*+\-./0-9:&gt;=&lt;?@A-Z\^_`\[\]a-z|~]+"?</param>
+          </data>
+        </element>
+      </oneOrMore>
+      <empty/>
+    </element>
+  </define>
+
+  <define name="diskSourceNetworkProtocolHTTPS">
+    <element name="source">
+      <interleave>
+        <attribute name="protocol">
+          <choice>
+            <value>https</value>
+          </choice>
+        </attribute>
+        <attribute name="name"/>
+        <optional>
+          <attribute name="query"/>
+        </optional>
+        <ref name="diskSourceCommon"/>
+        <ref name="diskSourceNetworkHost"/>
+        <optional>
+          <ref name="encryption"/>
+        </optional>
+        <optional>
+          <ref name="diskSourceNetworkProtocolSSLVerify"/>
+        </optional>
+        <optional>
+          <ref name="diskSourceNetworkProtocolHTTPCookies"/>
+        </optional>
+        <ref name="diskSourceNetworkProtocolPropsCommon"/>
+        </interleave>
+    </element>
+  </define>
+
  <define name="diskSourceNetworkProtocolHTTP">
    <element name="source">
+      <interleave>
        <attribute name="protocol">
          <choice>
            <value>http</value>
-          <value>https</value>
+          </choice>
+        </attribute>
+        <attribute name="name"/>
+        <optional>
+          <attribute name="query"/>
+        </optional>
+        <ref name="diskSourceCommon"/>
+        <ref name="diskSourceNetworkHost"/>
+        <optional>
+          <ref name="encryption"/>
+        </optional>
+        <optional>
+          <ref name="diskSourceNetworkProtocolHTTPCookies"/>
+        </optional>
+        <ref name="diskSourceNetworkProtocolPropsCommon"/>
+      </interleave>
+    </element>
+  </define>
+
+  <define name="diskSourceNetworkProtocolFTPS">
+    <element name="source">
+      <interleave>
+        <attribute name="protocol">
+          <choice>
+            <value>ftps</value>
          </choice>
        </attribute>
        <attribute name="name"/>
@ -1802,16 +1927,21 @@
        <optional>
          <ref name="encryption"/>
        </optional>
+        <optional>
+          <ref name="diskSourceNetworkProtocolSSLVerify"/>
+        </optional>
+        <ref name="diskSourceNetworkProtocolPropsCommon"/>
+      </interleave>
    </element>
  </define>

  <define name="diskSourceNetworkProtocolSimple">
    <element name="source">
+      <interleave>
        <attribute name="protocol">
          <choice>
            <value>sheepdog</value>
            <value>ftp</value>
-          <value>ftps</value>
            <value>tftp</value>
          </choice>
        </attribute>
@ -1821,11 +1951,14 @@
        <optional>
          <ref name="encryption"/>
        </optional>
+        <ref name="diskSourceNetworkProtocolPropsCommon"/>
+      </interleave>
    </element>
  </define>

  <define name="diskSourceNetworkProtocolNBD">
    <element name="source">
+      <interleave>
        <attribute name="protocol">
          <value>nbd</value>
        </attribute>
@ -1842,11 +1975,13 @@
        <optional>
          <ref name="encryption"/>
        </optional>
+      </interleave>
    </element>
  </define>

  <define name="diskSourceNetworkProtocolGluster">
    <element name="source">
+      <interleave>
        <attribute name="protocol">
          <value>gluster</value>
        </attribute>
@ -1858,11 +1993,13 @@
        <optional>
          <ref name="encryption"/>
        </optional>
+      </interleave>
    </element>
  </define>

  <define name="diskSourceNetworkProtocolVxHS">
    <element name="source">
+      <interleave>
        <attribute name="protocol">
          <choice>
            <value>vxhs</value>
@ -1876,6 +2013,7 @@
          </attribute>
        </optional>
        <ref name="diskSourceNetworkHost"/>
+      </interleave>
    </element>
  </define>

@ -1889,6 +2027,8 @@
      <ref name="diskSourceNetworkProtocolRBD"/>
      <ref name="diskSourceNetworkProtocolISCSI"/>
      <ref name="diskSourceNetworkProtocolHTTP"/>
+      <ref name="diskSourceNetworkProtocolHTTPS"/>
+      <ref name="diskSourceNetworkProtocolFTPS"/>
      <ref name="diskSourceNetworkProtocolSimple"/>
      <ref name="diskSourceNetworkProtocolVxHS"/>
    </choice>
@ -1900,6 +2040,7 @@
    </attribute>
    <optional>
      <element name="source">
+        <interleave>
          <attribute name="pool">
            <ref name="poolName"/>
          </attribute>
@ -1924,6 +2065,7 @@
          <zeroOrMore>
            <ref name='devSeclabel'/>
          </zeroOrMore>
+        </interleave>
      </element>
    </optional>
  </define>
@ -1934,6 +2076,7 @@
    </attribute>
    <optional>
      <element name="source">
+        <interleave>
          <attribute name="type">
            <value>pci</value>
          </attribute>
@ -1955,6 +2098,7 @@
          <optional>
            <ref name="encryption"/>
          </optional>
+        </interleave>
      </element>
    </optional>
  </define>
@ -2480,6 +2624,9 @@
          <optional>
            <ref name="fsDriver"/>
          </optional>
+          <optional>
+            <ref name="fsBinary"/>
+          </optional>
          <interleave>
            <element name="source">
              <attribute name="dir">
@ -2600,6 +2747,8 @@
           for this kind of info, and 'type' for the
           storage format. We need the latter too, so
           had to invent a new attribute name -->
+      <choice>
+        <group>
          <optional>
            <attribute name="type">
              <choice>
@ -2622,7 +2771,60 @@
            </attribute>
          </optional>
          <ref name='virtioOptions'/>
+        </group>
+        <group>
+          <attribute name="type">
+            <value>virtiofs</value>
+          </attribute>
+          <optional>
+            <attribute name="queue">
+              <ref name="unsignedInt"/>
+            </attribute>
+          </optional>
+          <ref name='virtioOptions'/>
+        </group>
        <empty/>
+      </choice>
+    </element>
+  </define>
+  <define name="fsBinary">
+    <element name="binary">
+      <optional>
+        <attribute name="path">
+          <ref name="absFilePath"/>
+        </attribute>
+      </optional>
+      <optional>
+        <attribute name="xattr">
+          <ref name="virOnOff"/>
+        </attribute>
+      </optional>
+      <optional>
+        <element name="cache">
+          <optional>
+            <attribute name="mode">
+              <choice>
+                <value>none</value>
+                <value>always</value>
+              </choice>
+            </attribute>
+          </optional>
+        </element>
+      </optional>
+      <optional>
+        <element name="lock">
+          <optional>
+            <attribute name="posix">
+              <ref name="virOnOff"/>
+            </attribute>
+          </optional>
+          <optional>
+            <attribute name="flock">
+              <ref name="virOnOff"/>
+            </attribute>
+          </optional>
+        </element>
+      </optional>
    </element>
  </define>

@ -3158,6 +3360,28 @@
      <optional>
        <ref name="vlan"/>
      </optional>
+      <optional>
+        <ref name="portOptions"/>
+      </optional>
+      <optional>
+        <element name="teaming">
+          <choice>
+            <group>
+              <attribute name="type">
+                <value>persistent</value>
+              </attribute>
+            </group>
+            <group>
+              <attribute name="type">
+                <value>transient</value>
+              </attribute>
+              <attribute name="persistent">
+                <ref name="aliasName"/>
+              </attribute>
+            </group>
+          </choice>
+        </element>
+      </optional>
    </interleave>
  </define>

@ -4364,6 +4588,7 @@
          <choice>
            <value>tpm-tis</value>
            <value>tpm-crb</value>
+            <value>tpm-spapr</value>
          </choice>
        </attribute>
      </optional>
@ -4371,6 +4596,9 @@
      <optional>
        <ref name="alias"/>
      </optional>
+      <optional>
+        <ref name="address"/>
+      </optional>
    </element>
  </define>

@ -5556,6 +5784,11 @@
        </attribute>
      </optional>
      <interleave>
+        <optional>
+          <element name="uuid">
+            <ref name="UUID"/>
+          </element>
+        </optional>
        <optional>
          <ref name="memorydev-source"/>
        </optional>
@ -5683,6 +5916,12 @@
          <ref name="qemucdevSrcType"/>
          <ref name="qemucdevSrcDef"/>
        </group>
+        <group>
+          <attribute name="model">
+            <value>builtin</value>
+          </attribute>
+          <empty/>
+        </group>
      </choice>
    </element>
  </define>
--- a/docs/schemas/network.rng
+++ b/docs/schemas/network.rng
@ -332,6 +332,9 @@
        <optional>
          <ref name="vlan"/>
        </optional>
+        <optional>
+          <ref name="portOptions"/>
+        </optional>

        <!-- <ip> element -->
        <zeroOrMore>
--- a/docs/schemas/networkcommon.rng
+++ b/docs/schemas/networkcommon.rng
@ -280,4 +280,15 @@
      </attribute>
    </element>
  </define>
+
+  <define name="portOptions">
+    <element name="port">
+      <optional>
+        <attribute name="isolated">
+          <ref name="virYesNo"/>
+        </attribute>
+      </optional>
+    </element>
+  </define>
+
 </grammar>
--- a/docs/schemas/networkport.rng
+++ b/docs/schemas/networkport.rng
@ -29,6 +29,12 @@
        <optional>
          <ref name="bandwidth"/>
        </optional>
+        <optional>
+          <ref name="vlan"/>
+        </optional>
+        <optional>
+          <ref name="portOptions"/>
+        </optional>
        <optional>
          <ref name="plug"/>
        </optional>
--- a/examples/c/domain/domtop.c
+++ b/examples/c/domain/domtop.c
@ -34,21 +34,6 @@
 static bool debug;
 static bool run_top;

-/* On mingw, there's a header file that poisons the well:
- *
- *
- *  CC       domtop.o
- *domtop.c:40:0: warning: "ERROR" redefined [enabled by default]
- * #define ERROR(...) \
- * ^
- *In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/windows.h:71:0,
- *                 from /usr/i686-w64-mingw32/sys-root/mingw/include/winsock2.h:23,
- *                 from ../../gnulib/lib/unistd.h:48,
- *                 from domtop.c:35:
- * /usr/i686-w64-mingw32/sys-root/mingw/include/wingdi.h:75:0: note: this is the location of the previous definition
- * #define ERROR 0
- */
-#undef ERROR
 #define ERROR(...) \
 do { \
    fprintf(stderr, "ERROR %s:%d : ", __FUNCTION__, __LINE__); \
--- a/examples/c/domain/suspend.c
+++ b/examples/c/domain/suspend.c
@ -30,20 +30,6 @@

 static int debug;

-/* On mingw, there's a header file that poisons the well:
- *
- *
- *  CC       domtop.o
- *domtop.c:40:0: warning: "ERROR" redefined [enabled by default]
- * #define ERROR(...) \
- * ^
- *In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/windows.h:71:0,
- *                 from /usr/i686-w64-mingw32/sys-root/mingw/include/winsock2.h:23,
- *                 from ../../gnulib/lib/unistd.h:48,
- *                 from domtop.c:35:
- * /usr/i686-w64-mingw32/sys-root/mingw/include/wingdi.h:75:0: note: this is the location of the previous definition
- * #define ERROR 0
- */
 #undef ERROR
 #define ERROR(...) \
 do { \
--- a/examples/c/misc/event-test.c
+++ b/examples/c/misc/event-test.c
@ -16,9 +16,9 @@
 #if (4 < __GNUC__ + (6 <= __GNUC_MINOR__) \
     && (201112L <= __STDC_VERSION__  || !defined __STRICT_ANSI__) \
     && !defined __cplusplus)
-# define verify(cond) _Static_assert(cond, "verify (" #cond ")")
+# define G_STATIC_ASSERT(cond) _Static_assert(cond, "verify (" #cond ")")
 #else
-# define verify(cond)
+# define G_STATIC_ASSERT(cond)
 #endif

 #ifndef G_GNUC_UNUSED
@ -273,6 +273,9 @@ eventDetailToString(int event,
           case VIR_DOMAIN_EVENT_CRASHED_PANICKED:
               return "Panicked";

+           case VIR_DOMAIN_EVENT_CRASHED_CRASHLOADED:
+               return "Crashloaded";
+
           case VIR_DOMAIN_EVENT_CRASHED_LAST:
               break;
           }
@ -1138,10 +1141,10 @@ struct secretEventData secretEvents[] = {
 };

 /* make sure that the events are kept in sync */
-verify(G_N_ELEMENTS(domainEvents) == VIR_DOMAIN_EVENT_ID_LAST);
-verify(G_N_ELEMENTS(storagePoolEvents) == VIR_STORAGE_POOL_EVENT_ID_LAST);
-verify(G_N_ELEMENTS(nodeDeviceEvents) == VIR_NODE_DEVICE_EVENT_ID_LAST);
-verify(G_N_ELEMENTS(secretEvents) == VIR_SECRET_EVENT_ID_LAST);
+G_STATIC_ASSERT(G_N_ELEMENTS(domainEvents) == VIR_DOMAIN_EVENT_ID_LAST);
+G_STATIC_ASSERT(G_N_ELEMENTS(storagePoolEvents) == VIR_STORAGE_POOL_EVENT_ID_LAST);
+G_STATIC_ASSERT(G_N_ELEMENTS(nodeDeviceEvents) == VIR_NODE_DEVICE_EVENT_ID_LAST);
+G_STATIC_ASSERT(G_N_ELEMENTS(secretEvents) == VIR_SECRET_EVENT_ID_LAST);

 int
 main(int argc, char **argv)
--- a/gnulib/lib/Makefile.am
+++ b/gnulib/lib/Makefile.am
@ -1,30 +0,0 @@
-## Makefile for gnulib/lib				-*-Makefile-*-
-
-## Copyright (C) 2011-2013 Red Hat, Inc.
-##
-## This library is free software; you can redistribute it and/or
-## modify it under the terms of the GNU Lesser General Public
-## License as published by the Free Software Foundation; either
-## version 2.1 of the License, or (at your option) any later version.
-##
-## This library is distributed in the hope that it will be useful,
-## but WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-## Lesser General Public License for more details.
-##
-## You should have received a copy of the GNU Lesser General Public
-## License along with this library.  If not, see
-## <http://www.gnu.org/licenses/>.
-
-# Initialize variables, so gnulib.mk can append to them
-BUILT_SOURCES =
-CLEANFILES =
-EXTRA_DIST =
-MOSTLYCLEANDIRS =
-MOSTLYCLEANFILES =
-SUFFIXES =
-noinst_LTLIBRARIES =
-
-include gnulib.mk
-
-AM_CPPFLAGS = -I$(top_srcdir)
--- a/gnulib/tests/Makefile.am
+++ b/gnulib/tests/Makefile.am
@ -1,32 +0,0 @@
-## Makefile for gnulib/lib
-
-## Copyright (C) 2011, 2013 Red Hat, Inc.
-##
-## This library is free software; you can redistribute it and/or
-## modify it under the terms of the GNU Lesser General Public
-## License as published by the Free Software Foundation; either
-## version 2.1 of the License, or (at your option) any later version.
-##
-## This library is distributed in the hope that it will be useful,
-## but WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-## Lesser General Public License for more details.
-##
-## You should have received a copy of the GNU Lesser General Public
-## License along with this library.  If not, see
-## <http://www.gnu.org/licenses/>.
-
-include gnulib.mk
-
-GNULIB_TESTS0 =
-GNULIB_TESTS1 = $(GNULIB_TESTS)
-if WITH_EXPENSIVE_TESTS
-## Automake requires that at least one conditional call out all tests to
-## be run, for those tests to be shipped in the tarball
-TESTS = $(GNULIB_TESTS)
-endif WITH_EXPENSIVE_TESTS
-## However, we want to change the set of tests based on the make environment,
-## where the default was set at configure time.  Use GNU make constructs to
-## hide our actions from Automake, so we don't get it too confused.
-VIR_TEST_EXPENSIVE ?= $(VIR_TEST_EXPENSIVE_DEFAULT)
-$(eval TESTS=$(GNULIB_TESTS$(VIR_TEST_EXPENSIVE)))
--- a/include/libvirt/libvirt-admin.h
+++ b/include/libvirt/libvirt-admin.h
@ -402,6 +402,9 @@ int virAdmServerSetClientLimits(virAdmServerPtr srv,
                                int nparams,
                                unsigned int flags);

+int virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                               unsigned int flags);
+
 int virAdmConnectGetLoggingOutputs(virAdmConnectPtr conn,
                                   char **outputs,
                                   unsigned int flags);
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@ -1428,7 +1428,7 @@ char *                  virDomainGetSchedulerType(virDomainPtr domain,
 # define VIR_DOMAIN_BLKIO_DEVICE_WRITE_BPS "device_write_bytes_sec"


-/* Set Blkio tunables for the domain*/
+/* Set Blkio tunables for the domain */
 int     virDomainSetBlkioParameters(virDomainPtr domain,
                                    virTypedParameterPtr params,
                                    int nparams, unsigned int flags);
@ -1483,7 +1483,7 @@ int     virDomainGetBlkioParameters(virDomainPtr domain,

 # define VIR_DOMAIN_MEMORY_SWAP_HARD_LIMIT "swap_hard_limit"

-/* Set memory tunables for the domain*/
+/* Set memory tunables for the domain */
 int     virDomainSetMemoryParameters(virDomainPtr domain,
                                     virTypedParameterPtr params,
                                     int nparams, unsigned int flags);
@ -1567,6 +1567,12 @@ int                     virDomainSetMemoryStatsPeriod (virDomainPtr domain,
 int                     virDomainGetMaxVcpus    (virDomainPtr domain);
 int                     virDomainGetSecurityLabel (virDomainPtr domain,
                                                   virSecurityLabelPtr seclabel);
+
+typedef enum {
+    VIR_DOMAIN_GET_HOSTNAME_LEASE = (1 << 0), /* Parse DHCP lease file */
+    VIR_DOMAIN_GET_HOSTNAME_AGENT = (1 << 1), /* Query qemu guest agent */
+} virDomainGetHostnameFlags;
+
 char *                  virDomainGetHostname    (virDomainPtr domain,
                                                 unsigned int flags);
 int                     virDomainGetSecurityLabelList (virDomainPtr domain,
@ -1762,7 +1768,7 @@ struct _virDomainBlockInfo {
                                    * holes, similar to 'du') */
    unsigned long long physical;   /* host physical size in bytes of
                                    * the image container (last
-                                    * offset, similar to 'ls')*/
+                                    * offset, similar to 'ls') */
 };

 int                     virDomainGetBlockInfo(virDomainPtr dom,
@ -3169,6 +3175,7 @@ typedef enum {
 */
 typedef enum {
    VIR_DOMAIN_EVENT_CRASHED_PANICKED = 0, /* Guest was panicked */
+    VIR_DOMAIN_EVENT_CRASHED_CRASHLOADED = 1, /* Guest was crashloaded */

 # ifdef VIR_ENUM_SENTINELS
    VIR_DOMAIN_EVENT_CRASHED_LAST
--- a/include/libvirt/libvirt-host.h
+++ b/include/libvirt/libvirt-host.h
@ -167,7 +167,7 @@ struct _virNodeInfo {
    unsigned int sockets; /* number of CPU sockets per node if nodes > 1,
                             1 in case of unusual NUMA topology */
    unsigned int cores;   /* number of cores per socket, total number of
-                             processors in case of unusual NUMA topology*/
+                             processors in case of unusual NUMA topology */
    unsigned int threads; /* number of threads per core, 1 in case of
                             unusual numa topology */
 };
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@ -313,15 +313,14 @@ typedef enum {
                                           was denied */
    VIR_ERR_DBUS_SERVICE = 89,          /* error from a dbus service */
    VIR_ERR_STORAGE_VOL_EXIST = 90,     /* the storage vol already exists */
-    VIR_ERR_CPU_INCOMPATIBLE = 91,      /* given CPU is incompatible with host
-                                           CPU*/
+    VIR_ERR_CPU_INCOMPATIBLE = 91,      /* given CPU is incompatible with host CPU */
    VIR_ERR_XML_INVALID_SCHEMA = 92,    /* XML document doesn't validate against schema */
    VIR_ERR_MIGRATE_FINISH_OK = 93,     /* Finish API succeeded but it is expected to return NULL */
    VIR_ERR_AUTH_UNAVAILABLE = 94,      /* authentication unavailable */
    VIR_ERR_NO_SERVER = 95,             /* Server was not found */
    VIR_ERR_NO_CLIENT = 96,             /* Client was not found */
    VIR_ERR_AGENT_UNSYNCED = 97,        /* guest agent replies with wrong id
-                                           to guest-sync command (DEPRECATED)*/
+                                           to guest-sync command (DEPRECATED) */
    VIR_ERR_LIBSSH = 98,                /* error in libssh transport driver */
    VIR_ERR_DEVICE_MISSING = 99,        /* fail to find the desired device */
    VIR_ERR_INVALID_NWFILTER_BINDING = 100,  /* invalid nwfilter binding */
@ -332,6 +331,7 @@ typedef enum {
    VIR_ERR_INVALID_NETWORK_PORT = 105, /* invalid network port object */
    VIR_ERR_NETWORK_PORT_EXIST = 106,   /* the network port already exist */
    VIR_ERR_NO_NETWORK_PORT = 107,      /* network port not found */
+    VIR_ERR_NO_HOSTNAME = 108,          /* no domain's hostname found */

 # ifdef VIR_ENUM_SENTINELS
    VIR_ERR_NUMBER_LAST
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@ -302,7 +302,7 @@ BuildRequires: yajl-devel
 %if %{with_sanlock}
 BuildRequires: sanlock-devel >= 2.4
 %endif
-BuildRequires: libpcap-devel
+BuildRequires: libpcap-devel >= 1.5.0
 BuildRequires: libnl3-devel
 BuildRequires: libselinux-devel
 BuildRequires: dnsmasq >= 2.41
@ -414,8 +414,6 @@ BuildRequires: libtirpc-devel
 BuildRequires: firewalld-filesystem
 %endif

-Provides: bundled(gnulib)
-
 %description
 Libvirt is a C toolkit to interact with the virtualization capabilities
 of recent versions of Linux (and other OSes). The main package includes
@ -1749,6 +1747,8 @@ exit 0
 %{_libdir}/%{name}/connection-driver/libvirt_driver_qemu.so
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/swtpm/
 %dir %attr(0711, root, root) %{_localstatedir}/log/swtpm/libvirt/qemu/
+%{_bindir}/virt-qemu-run
+%{_mandir}/man1/virt-qemu-run.1*
 %endif

 %if %{with_lxc}
--- a/m4/virt-atomic.m4
+++ b/m4/virt-atomic.m4
@ -1,77 +0,0 @@
-dnl The atomic implementation check
-dnl
-dnl Copyright (C) 2016 Red Hat, Inc.
-dnl
-dnl This library is free software; you can redistribute it and/or
-dnl modify it under the terms of the GNU Lesser General Public
-dnl License as published by the Free Software Foundation; either
-dnl version 2.1 of the License, or (at your option) any later version.
-dnl
-dnl This library is distributed in the hope that it will be useful,
-dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
-dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-dnl Lesser General Public License for more details.
-dnl
-dnl You should have received a copy of the GNU Lesser General Public
-dnl License along with this library.  If not, see
-dnl <http://www.gnu.org/licenses/>.
-dnl
-
-AC_DEFUN([LIBVIRT_CHECK_ATOMIC], [
-  AC_REQUIRE([LIBVIRT_CHECK_PTHREAD])
-
-  dnl We need to decide at configure time if libvirt will use real atomic
-  dnl operations ("lock free") or emulated ones with a mutex.
-  dnl
-  dnl Note that the atomic ops are only available with GCC on x86 when
-  dnl using -march=i486 or higher.  If we detect that the atomic ops are
-  dnl not available but would be available given the right flags, we want
-  dnl to abort and advise the user to fix their CFLAGS.  It's better to do
-  dnl that then to silently fall back on emulated atomic ops just because
-  dnl the user had the wrong build environment.
-
-  atomic_ops=
-
-  AC_MSG_CHECKING([for atomic ops implementation])
-
-  AC_TRY_COMPILE([], [__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4;],[
-    atomic_ops=gcc
-  ],[])
-
-  if test "$atomic_ops" = "" ; then
-    SAVE_CFLAGS="${CFLAGS}"
-    CFLAGS="-march=i486"
-    AC_TRY_COMPILE([],
-                   [__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4;],
-                   [AC_MSG_ERROR([Libvirt must be built with -march=i486 or later.])],
-                   [])
-    CFLAGS="${SAVE_CFLAGS}"
-
-    case "$host" in
-      *-*-mingw* | *-*-msvc* )
-        atomic_ops=win32
-        ;;
-      *)
-        if test "$ac_cv_header_pthread_h" = "yes" ; then
-          atomic_ops=pthread
-        else
-          AC_MSG_ERROR([Libvirt must be built with GCC or have pthread.h on non-Win32 platforms])
-        fi
-        ;;
-    esac
-  fi
-
-  case "$atomic_ops" in
-    gcc)
-      AC_DEFINE([VIR_ATOMIC_OPS_GCC],[1],[Use GCC atomic ops])
-      ;;
-    win32)
-      AC_DEFINE([VIR_ATOMIC_OPS_WIN32],[1],[Use Win32 atomic ops])
-      ;;
-    pthread)
-      AC_DEFINE([VIR_ATOMIC_OPS_PTHREAD],[1],[Use pthread atomic ops emulation])
-      ;;
-  esac
-  AM_CONDITIONAL([WITH_ATOMIC_OPS_PTHREAD],[test "$atomic_ops" = "pthread"])
-  AC_MSG_RESULT([$atomic_ops])
-])
--- a/m4/virt-compile-pie.m4
+++ b/m4/virt-compile-pie.m4
@ -22,7 +22,7 @@ AC_DEFUN([LIBVIRT_COMPILE_PIE],[
    PIE_CFLAGS=
    PIE_LDFLAGS=
    case "$host" in
-      *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+      *-*-mingw* )
         ;; dnl All code is position independent on Win32 target
      *)
      gl_COMPILER_OPTION_IF([-fPIE -DPIE -pie], [
--- a/m4/virt-compile-warnings.m4
+++ b/m4/virt-compile-warnings.m4
@ -37,10 +37,6 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
    dontwarn="$dontwarn -Wconversion"
    # Too many to deal with
    dontwarn="$dontwarn -Wsign-conversion"
-    # GNULIB gettext.h violates
-    dontwarn="$dontwarn -Wvla"
-    # Many GNULIB header violations
-    dontwarn="$dontwarn -Wundef"
    # Need to allow bad cast for execve()
    dontwarn="$dontwarn -Wcast-qual"
    # We need to use long long in many places
@ -51,8 +47,6 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
    dontwarn="$dontwarn -Wstrict-overflow"
    # Not a problem since we don't use -funsafe-loop-optimizations
    dontwarn="$dontwarn -Wunsafe-loop-optimizations"
-    # Gnulib's stat-time.h violates this
-    dontwarn="$dontwarn -Waggregate-return"
    # gcc 4.4.6 complains this is C++ only; gcc 4.7.0 implies this from -Wall
    dontwarn="$dontwarn -Wenum-compare"
    # gcc 5.1 -Wformat-signedness mishandles enums, not ready for prime time
@ -139,7 +133,7 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
      wantwarn="$wantwarn -Wno-unused-function"
    fi

-    # GNULIB uses '-W' (aka -Wextra) which includes a bunch of stuff.
+    # manywarnings uses '-W' (aka -Wextra) which includes a bunch of stuff.
    # Unfortunately, this means you can't simply use '-Wsign-compare'
    # with gl_MANYWARN_COMPLEMENT
    # So we have -W enabled, and then have to explicitly turn off...
@ -151,16 +145,16 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
    # so use this CLang-specific arg to keep it quiet
    wantwarn="$wantwarn -Wno-typedef-redefinition"

-    # GNULIB expects this to be part of -Wc++-compat, but we turn
+    # manywarnings expects this to be part of -Wc++-compat, but we turn
    # that one off, so we need to manually enable this again
    wantwarn="$wantwarn -Wjump-misses-init"

-    # GNULIB explicitly filters it out, preferring -Wswitch
+    # manywarnings explicitly filters it out, preferring -Wswitch
    # but that doesn't report missing enums if a default:
    # is present.
    wantwarn="$wantwarn -Wswitch-enum"

-    # GNULIB turns on -Wformat=2 which implies -Wformat-nonliteral,
+    # manywarnings turns on -Wformat=2 which implies -Wformat-nonliteral,
    # so we need to manually re-exclude it.
    wantwarn="$wantwarn -Wno-format-nonliteral"

@ -244,9 +238,7 @@ AC_DEFUN([LIBVIRT_COMPILE_WARNINGS],[
        ;;
    esac

-    # Silence certain warnings in gnulib, and use improved glibc headers
-    AC_DEFINE([lint], [1],
-      [Define to 1 if the compiler is checking for lint.])
+    # Use security checked glibc headers
    AH_VERBATIM([FORTIFY_SOURCE],
    [/* Enable compile-time and run-time bounds-checking, and some warnings,
        without upsetting newer glibc. */
--- a/m4/virt-driver-libxl.m4
+++ b/m4/virt-driver-libxl.m4
@ -30,7 +30,7 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_LIBXL], [

  dnl search for libxl, aka libxenlight
  old_with_libxl="$with_libxl"
-  LIBVIRT_CHECK_PKG([LIBXL], [xenlight], [4.6.0], [true])
+  LIBVIRT_CHECK_PKG([LIBXL], [xenlight], [4.6.0])
  if test "x$with_libxl" = "xyes" ; then
    LIBXL_FIRMWARE_DIR=$($PKG_CONFIG --variable xenfirmwaredir xenlight)
    LIBXL_EXECBIN_DIR=$($PKG_CONFIG --variable libexec_bin xenlight)
--- a/m4/virt-driver-qemu.m4
+++ b/m4/virt-driver-qemu.m4
@ -110,6 +110,12 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_QEMU], [
               [/usr/bin:/usr/libexec])
  AC_DEFINE_UNQUOTED([QEMU_SLIRP_HELPER], ["$QEMU_SLIRP_HELPER"],
                     [QEMU slirp helper])
+
+  AC_PATH_PROG([QEMU_DBUS_DAEMON], [dbus-daemon],
+               [/usr/bin/dbus-daemon],
+               [/usr/bin:/usr/libexec])
+  AC_DEFINE_UNQUOTED([QEMU_DBUS_DAEMON], ["$QEMU_DBUS_DAEMON"],
+                     [QEMU dbus daemon])
 ])

 AC_DEFUN([LIBVIRT_DRIVER_RESULT_QEMU], [
--- a/m4/virt-libpcap.m4
+++ b/m4/virt-libpcap.m4
@ -22,7 +22,7 @@ AC_DEFUN([LIBVIRT_ARG_LIBPCAP], [
 ])

 AC_DEFUN([LIBVIRT_CHECK_LIBPCAP], [
-  LIBPCAP_REQUIRED="1.0.0"
+  LIBPCAP_REQUIRED="1.5.0"
  LIBPCAP_CONFIG="pcap-config"
  LIBPCAP_CFLAGS=""
  LIBPCAP_LIBS=""
--- a/m4/virt-manywarnings.m4
+++ b/m4/virt-manywarnings.m4
@ -0,0 +1,339 @@
+# manywarnings.m4 serial 18
+dnl Copyright (C) 2008-2020 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Simon Josefsson
+
+# gl_MANYWARN_COMPLEMENT(OUTVAR, LISTVAR, REMOVEVAR)
+# --------------------------------------------------
+# Copy LISTVAR to OUTVAR except for the entries in REMOVEVAR.
+# Elements separated by whitespace.  In set logic terms, the function
+# does OUTVAR = LISTVAR \ REMOVEVAR.
+AC_DEFUN([gl_MANYWARN_COMPLEMENT],
+[
+  gl_warn_set=
+  set x $2; shift
+  for gl_warn_item
+  do
+    case " $3 " in
+      *" $gl_warn_item "*)
+        ;;
+      *)
+        gl_warn_set="$gl_warn_set $gl_warn_item"
+        ;;
+    esac
+  done
+  $1=$gl_warn_set
+])
+
+# gl_MANYWARN_ALL_GCC(VARIABLE)
+# -----------------------------
+# Add all documented GCC warning parameters to variable VARIABLE.
+# Note that you need to test them using gl_WARN_ADD if you want to
+# make sure your gcc understands it.
+#
+# The effects of this macro depend on the current language (_AC_LANG).
+AC_DEFUN([gl_MANYWARN_ALL_GCC],
+[_AC_LANG_DISPATCH([$0], _AC_LANG, $@)])
+
+# Specialization for _AC_LANG = C.
+# Use of m4_defun rather than AC_DEFUN works around a bug in autoconf < 2.63b.
+m4_defun([gl_MANYWARN_ALL_GCC(C)],
+[
+  AC_LANG_PUSH([C])
+
+  dnl First, check for some issues that only occur when combining multiple
+  dnl gcc warning categories.
+  AC_REQUIRE([AC_PROG_CC])
+  if test -n "$GCC"; then
+
+    dnl Check if -W -Werror -Wno-missing-field-initializers is supported
+    dnl with the current $CC $CFLAGS $CPPFLAGS.
+    AC_CACHE_CHECK([whether -Wno-missing-field-initializers is supported],
+      [gl_cv_cc_nomfi_supported],
+      [gl_save_CFLAGS="$CFLAGS"
+       CFLAGS="$CFLAGS -W -Werror -Wno-missing-field-initializers"
+       AC_COMPILE_IFELSE(
+         [AC_LANG_PROGRAM([[]], [[]])],
+         [gl_cv_cc_nomfi_supported=yes],
+         [gl_cv_cc_nomfi_supported=no])
+       CFLAGS="$gl_save_CFLAGS"
+      ])
+
+    if test "$gl_cv_cc_nomfi_supported" = yes; then
+      dnl Now check whether -Wno-missing-field-initializers is needed
+      dnl for the { 0, } construct.
+      AC_CACHE_CHECK([whether -Wno-missing-field-initializers is needed],
+        [gl_cv_cc_nomfi_needed],
+        [gl_save_CFLAGS="$CFLAGS"
+         CFLAGS="$CFLAGS -W -Werror"
+         AC_COMPILE_IFELSE(
+           [AC_LANG_PROGRAM(
+              [[int f (void)
+                {
+                  typedef struct { int a; int b; } s_t;
+                  s_t s1 = { 0, };
+                  return s1.b;
+                }
+              ]],
+              [[]])],
+           [gl_cv_cc_nomfi_needed=no],
+           [gl_cv_cc_nomfi_needed=yes])
+         CFLAGS="$gl_save_CFLAGS"
+        ])
+    fi
+
+    dnl Next, check if -Werror -Wuninitialized is useful with the
+    dnl user's choice of $CFLAGS; some versions of gcc warn that it
+    dnl has no effect if -O is not also used
+    AC_CACHE_CHECK([whether -Wuninitialized is supported],
+      [gl_cv_cc_uninitialized_supported],
+      [gl_save_CFLAGS="$CFLAGS"
+       CFLAGS="$CFLAGS -Werror -Wuninitialized"
+       AC_COMPILE_IFELSE(
+         [AC_LANG_PROGRAM([[]], [[]])],
+         [gl_cv_cc_uninitialized_supported=yes],
+         [gl_cv_cc_uninitialized_supported=no])
+       CFLAGS="$gl_save_CFLAGS"
+      ])
+
+  fi
+
+  # List all gcc warning categories.
+  # To compare this list to your installed GCC's, run this Bash command:
+  #
+  # comm -3 \
+  #  <((sed -n 's/^  *\(-[^ 0-9][^ ]*\) .*/\1/p' manywarnings.m4; \
+  #     awk '/^[^#]/ {print $1}' ../build-aux/gcc-warning.spec) | sort) \
+  #  <(LC_ALL=C gcc --help=warnings | sed -n 's/^  \(-[^ ]*\) .*/\1/p' | sort)
+
+  gl_manywarn_set=
+  for gl_manywarn_item in -fno-common \
+    -W \
+    -Wabsolute-value \
+    -Waddress \
+    -Waddress-of-packed-member \
+    -Waggressive-loop-optimizations \
+    -Wall \
+    -Wattribute-warning \
+    -Wattributes \
+    -Wbad-function-cast \
+    -Wbool-compare \
+    -Wbool-operation \
+    -Wbuiltin-declaration-mismatch \
+    -Wbuiltin-macro-redefined \
+    -Wcannot-profile \
+    -Wcast-align \
+    -Wcast-align=strict \
+    -Wcast-function-type \
+    -Wchar-subscripts \
+    -Wclobbered \
+    -Wcomment \
+    -Wcomments \
+    -Wcoverage-mismatch \
+    -Wcpp \
+    -Wdangling-else \
+    -Wdate-time \
+    -Wdeprecated \
+    -Wdeprecated-declarations \
+    -Wdesignated-init \
+    -Wdisabled-optimization \
+    -Wdiscarded-array-qualifiers \
+    -Wdiscarded-qualifiers \
+    -Wdiv-by-zero \
+    -Wdouble-promotion \
+    -Wduplicated-branches \
+    -Wduplicated-cond \
+    -Wduplicate-decl-specifier \
+    -Wempty-body \
+    -Wendif-labels \
+    -Wenum-compare \
+    -Wexpansion-to-defined \
+    -Wextra \
+    -Wformat-contains-nul \
+    -Wformat-extra-args \
+    -Wformat-nonliteral \
+    -Wformat-security \
+    -Wformat-signedness \
+    -Wformat-y2k \
+    -Wformat-zero-length \
+    -Wframe-address \
+    -Wfree-nonheap-object \
+    -Whsa \
+    -Wif-not-aligned \
+    -Wignored-attributes \
+    -Wignored-qualifiers \
+    -Wimplicit \
+    -Wimplicit-function-declaration \
+    -Wimplicit-int \
+    -Wincompatible-pointer-types \
+    -Winit-self \
+    -Winline \
+    -Wint-conversion \
+    -Wint-in-bool-context \
+    -Wint-to-pointer-cast \
+    -Winvalid-memory-model \
+    -Winvalid-pch \
+    -Wlogical-not-parentheses \
+    -Wlogical-op \
+    -Wmain \
+    -Wmaybe-uninitialized \
+    -Wmemset-elt-size \
+    -Wmemset-transposed-args \
+    -Wmisleading-indentation \
+    -Wmissing-attributes \
+    -Wmissing-braces \
+    -Wmissing-declarations \
+    -Wmissing-field-initializers \
+    -Wmissing-include-dirs \
+    -Wmissing-parameter-type \
+    -Wmissing-profile \
+    -Wmissing-prototypes \
+    -Wmultichar \
+    -Wmultistatement-macros \
+    -Wnarrowing \
+    -Wnested-externs \
+    -Wnonnull \
+    -Wnonnull-compare \
+    -Wnull-dereference \
+    -Wodr \
+    -Wold-style-declaration \
+    -Wold-style-definition \
+    -Wopenmp-simd \
+    -Woverflow \
+    -Woverlength-strings \
+    -Woverride-init \
+    -Wpacked \
+    -Wpacked-bitfield-compat \
+    -Wpacked-not-aligned \
+    -Wparentheses \
+    -Wpointer-arith \
+    -Wpointer-compare \
+    -Wpointer-sign \
+    -Wpointer-to-int-cast \
+    -Wpragmas \
+    -Wpsabi \
+    -Wrestrict \
+    -Wreturn-local-addr \
+    -Wreturn-type \
+    -Wscalar-storage-order \
+    -Wsequence-point \
+    -Wshadow \
+    -Wshift-count-negative \
+    -Wshift-count-overflow \
+    -Wshift-negative-value \
+    -Wsizeof-array-argument \
+    -Wsizeof-pointer-div \
+    -Wsizeof-pointer-memaccess \
+    -Wstack-protector \
+    -Wstrict-aliasing \
+    -Wstrict-overflow \
+    -Wstrict-prototypes \
+    -Wstringop-truncation \
+    -Wsuggest-attribute=cold \
+    -Wsuggest-attribute=const \
+    -Wsuggest-attribute=format \
+    -Wsuggest-attribute=malloc \
+    -Wsuggest-attribute=noreturn \
+    -Wsuggest-attribute=pure \
+    -Wsuggest-final-methods \
+    -Wsuggest-final-types \
+    -Wswitch \
+    -Wswitch-bool \
+    -Wswitch-unreachable \
+    -Wsync-nand \
+    -Wsystem-headers \
+    -Wtautological-compare \
+    -Wtrampolines \
+    -Wtrigraphs \
+    -Wtype-limits \
+    -Wuninitialized \
+    -Wunknown-pragmas \
+    -Wunsafe-loop-optimizations \
+    -Wunused \
+    -Wunused-but-set-parameter \
+    -Wunused-but-set-variable \
+    -Wunused-function \
+    -Wunused-label \
+    -Wunused-local-typedefs \
+    -Wunused-macros \
+    -Wunused-parameter \
+    -Wunused-result \
+    -Wunused-value \
+    -Wunused-variable \
+    -Wvarargs \
+    -Wvariadic-macros \
+    -Wvector-operation-performance \
+    -Wvla \
+    -Wvolatile-register-var \
+    -Wwrite-strings \
+    \
+    ; do
+    gl_manywarn_set="$gl_manywarn_set $gl_manywarn_item"
+  done
+
+  # gcc --help=warnings outputs an unusual form for these options; list
+  # them here so that the above 'comm' command doesn't report a false match.
+  # Would prefer "min (PTRDIFF_MAX, SIZE_MAX)", but it must be a literal.
+  # Also, AC_COMPUTE_INT requires it to fit in a long; it is 2**63 on
+  # the only platforms where it does not fit in a long, so make that
+  # a special case.
+  AC_MSG_CHECKING([max safe object size])
+  AC_COMPUTE_INT([gl_alloc_max],
+    [LONG_MAX < (PTRDIFF_MAX < (size_t) -1 ? PTRDIFF_MAX : (size_t) -1)
+     ? -1
+     : PTRDIFF_MAX < (size_t) -1 ? (long) PTRDIFF_MAX : (long) (size_t) -1],
+    [[#include <limits.h>
+      #include <stddef.h>
+      #include <stdint.h>
+    ]],
+    [gl_alloc_max=2147483647])
+  case $gl_alloc_max in
+    -1) gl_alloc_max=9223372036854775807;;
+  esac
+  AC_MSG_RESULT([$gl_alloc_max])
+  gl_manywarn_set="$gl_manywarn_set -Walloc-size-larger-than=$gl_alloc_max"
+  gl_manywarn_set="$gl_manywarn_set -Warray-bounds=2"
+  gl_manywarn_set="$gl_manywarn_set -Wattribute-alias=2"
+  gl_manywarn_set="$gl_manywarn_set -Wformat-overflow=2"
+  gl_manywarn_set="$gl_manywarn_set -Wformat-truncation=2"
+  gl_manywarn_set="$gl_manywarn_set -Wimplicit-fallthrough=5"
+  gl_manywarn_set="$gl_manywarn_set -Wnormalized=nfc"
+  gl_manywarn_set="$gl_manywarn_set -Wshift-overflow=2"
+  gl_manywarn_set="$gl_manywarn_set -Wstringop-overflow=2"
+  gl_manywarn_set="$gl_manywarn_set -Wunused-const-variable=2"
+  gl_manywarn_set="$gl_manywarn_set -Wvla-larger-than=4031"
+
+  # These are needed for older GCC versions.
+  if test -n "$GCC"; then
+    case `($CC --version) 2>/dev/null` in
+      'gcc (GCC) '[[0-3]].* | \
+      'gcc (GCC) '4.[[0-7]].*)
+        gl_manywarn_set="$gl_manywarn_set -fdiagnostics-show-option"
+        gl_manywarn_set="$gl_manywarn_set -funit-at-a-time"
+          ;;
+    esac
+  fi
+
+  # Disable specific options as needed.
+  if test "$gl_cv_cc_nomfi_needed" = yes; then
+    gl_manywarn_set="$gl_manywarn_set -Wno-missing-field-initializers"
+  fi
+
+  if test "$gl_cv_cc_uninitialized_supported" = no; then
+    gl_manywarn_set="$gl_manywarn_set -Wno-uninitialized"
+  fi
+
+  $1=$gl_manywarn_set
+
+  AC_LANG_POP([C])
+])
+
+# Specialization for _AC_LANG = C++.
+# Use of m4_defun rather than AC_DEFUN works around a bug in autoconf < 2.63b.
+m4_defun([gl_MANYWARN_ALL_GCC(C++)],
+[
+  gl_MANYWARN_ALL_GCC_CXX_IMPL([$1])
+])
--- a/m4/virt-polkit.m4
+++ b/m4/virt-polkit.m4
@ -25,6 +25,10 @@ AC_DEFUN([LIBVIRT_ARG_POLKIT], [
 AC_DEFUN([LIBVIRT_CHECK_POLKIT], [
  AC_REQUIRE([LIBVIRT_CHECK_DBUS])

+  if test "x$with_win" = "xyes"; then
+    with_polkit=no
+  fi
+
  if test "x$with_polkit" = "xcheck"; then
    dnl For --with-polkit=check, also require the pkcheck binary, even
    dnl though we talk to polkit directly over D-Bus.
--- a/m4/virt-pthread.m4
+++ b/m4/virt-pthread.m4
@ -18,20 +18,24 @@ dnl <http://www.gnu.org/licenses/>.
 dnl

 AC_DEFUN([LIBVIRT_CHECK_PTHREAD], [
-  old_LIBS="$LIBS"
+  dnl Availability of pthread functions

-  dnl Availability of pthread functions. Because of $LIB_PTHREAD, we
-  dnl cannot use AC_CHECK_FUNCS_ONCE. LIB_PTHREAD and LIBMULTITHREAD
-  dnl were set during gl_INIT by gnulib.
-  LIBS="$LIBS $LIB_PTHREAD $LIBMULTITHREAD"
-  pthread_found=yes
-  AC_CHECK_FUNCS([pthread_mutexattr_init])
-  AC_CHECK_HEADER([pthread.h],,[pthread_found=no])
+  AC_SEARCH_LIBS([pthread_mutexattr_init],[pthread ""])

-  if test "$ac_cv_func_pthread_mutexattr_init:$pthread_found" != "yes:yes"
+  if test "$ac_cv_func_pthread_mutexattr_init" = "no"
  then
-    AC_MSG_ERROR([A pthreads impl is required for building libvirt])
+    AC_MSG_ERROR([libpthread is required for building libvirt])
  fi
+  THREAD_LIBS=""
+  if test "x$ac_cv_func_pthread_mutexattr_init" != "x"
+  then
+    THREAD_LIBS="-l$ac_cv_func_pthread_mutexattr_init"
+  fi
+  AC_SUBST([THREAD_LIBS])
+
+  AC_CHECK_HEADER([pthread.h],,[
+    AC_MSG_ERROR([pthread.h is required for building libvirt])
+  ])

  dnl At least mingw64-winpthreads #defines pthread_sigmask to 0,
  dnl which in turn causes compilation to complain about unused variables.
@ -51,6 +55,4 @@ AC_DEFUN([LIBVIRT_CHECK_PTHREAD], [
    AC_DEFINE([FUNC_PTHREAD_SIGMASK_BROKEN], [1],
      [Define to 1 if pthread_sigmask is not a real function])
  fi
-
-  LIBS="$old_LIBS"
 ])
--- a/m4/virt-warnings.m4
+++ b/m4/virt-warnings.m4
@ -0,0 +1,115 @@
+# warnings.m4 serial 14
+dnl Copyright (C) 2008-2020 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Simon Josefsson
+
+# gl_AS_VAR_APPEND(VAR, VALUE)
+# ----------------------------
+# Provide the functionality of AS_VAR_APPEND if Autoconf does not have it.
+m4_ifdef([AS_VAR_APPEND],
+[m4_copy([AS_VAR_APPEND], [gl_AS_VAR_APPEND])],
+[m4_define([gl_AS_VAR_APPEND],
+[AS_VAR_SET([$1], [AS_VAR_GET([$1])$2])])])
+
+
+# gl_COMPILER_OPTION_IF(OPTION, [IF-SUPPORTED], [IF-NOT-SUPPORTED],
+#                       [PROGRAM = AC_LANG_PROGRAM()])
+# -----------------------------------------------------------------
+# Check if the compiler supports OPTION when compiling PROGRAM.
+#
+# The effects of this macro depend on the current language (_AC_LANG).
+AC_DEFUN([gl_COMPILER_OPTION_IF],
+[
+dnl FIXME: gl_Warn must be used unquoted until we can assume Autoconf
+dnl 2.64 or newer.
+AS_VAR_PUSHDEF([gl_Warn], [gl_cv_warn_[]_AC_LANG_ABBREV[]_$1])dnl
+AS_VAR_PUSHDEF([gl_Flags], [_AC_LANG_PREFIX[]FLAGS])dnl
+AS_LITERAL_IF([$1],
+  [m4_pushdef([gl_Positive], m4_bpatsubst([$1], [^-Wno-], [-W]))],
+  [gl_positive="$1"
+case $gl_positive in
+  -Wno-*) gl_positive=-W`expr "X$gl_positive" : 'X-Wno-\(.*\)'` ;;
+esac
+m4_pushdef([gl_Positive], [$gl_positive])])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler handles $1], m4_defn([gl_Warn]), [
+  gl_save_compiler_FLAGS="$gl_Flags"
+  gl_AS_VAR_APPEND(m4_defn([gl_Flags]),
+    [" $gl_unknown_warnings_are_errors ]m4_defn([gl_Positive])["])
+  AC_LINK_IFELSE([m4_default([$4], [AC_LANG_PROGRAM([])])],
+                 [AS_VAR_SET(gl_Warn, [yes])],
+                 [AS_VAR_SET(gl_Warn, [no])])
+  gl_Flags="$gl_save_compiler_FLAGS"
+])
+AS_VAR_IF(gl_Warn, [yes], [$2], [$3])
+m4_popdef([gl_Positive])dnl
+AS_VAR_POPDEF([gl_Flags])dnl
+AS_VAR_POPDEF([gl_Warn])dnl
+])
+
+# gl_UNKNOWN_WARNINGS_ARE_ERRORS
+# ------------------------------
+# Clang doesn't complain about unknown warning options unless one also
+# specifies -Wunknown-warning-option -Werror.  Detect this.
+#
+# The effects of this macro depend on the current language (_AC_LANG).
+AC_DEFUN([gl_UNKNOWN_WARNINGS_ARE_ERRORS],
+[_AC_LANG_DISPATCH([$0], _AC_LANG, $@)])
+
+# Specialization for _AC_LANG = C. This macro can be AC_REQUIREd.
+# Use of m4_defun rather than AC_DEFUN works around a bug in autoconf < 2.63b.
+m4_defun([gl_UNKNOWN_WARNINGS_ARE_ERRORS(C)],
+[
+  AC_LANG_PUSH([C])
+  gl_UNKNOWN_WARNINGS_ARE_ERRORS_IMPL
+  AC_LANG_POP([C])
+])
+
+# Specialization for _AC_LANG = C++. This macro can be AC_REQUIREd.
+# Use of m4_defun rather than AC_DEFUN works around a bug in autoconf < 2.63b.
+m4_defun([gl_UNKNOWN_WARNINGS_ARE_ERRORS(C++)],
+[
+  AC_LANG_PUSH([C++])
+  gl_UNKNOWN_WARNINGS_ARE_ERRORS_IMPL
+  AC_LANG_POP([C++])
+])
+
+# Specialization for _AC_LANG = Objective C. This macro can be AC_REQUIREd.
+# Use of m4_defun rather than AC_DEFUN works around a bug in autoconf < 2.63b.
+m4_defun([gl_UNKNOWN_WARNINGS_ARE_ERRORS(Objective C)],
+[
+  AC_LANG_PUSH([Objective C])
+  gl_UNKNOWN_WARNINGS_ARE_ERRORS_IMPL
+  AC_LANG_POP([Objective C])
+])
+
+AC_DEFUN([gl_UNKNOWN_WARNINGS_ARE_ERRORS_IMPL],
+[gl_COMPILER_OPTION_IF([-Werror -Wunknown-warning-option],
+   [gl_unknown_warnings_are_errors='-Wunknown-warning-option -Werror'],
+   [gl_unknown_warnings_are_errors=])])
+
+# gl_WARN_ADD(OPTION, [VARIABLE = WARN_CFLAGS/WARN_CXXFLAGS],
+#             [PROGRAM = AC_LANG_PROGRAM()])
+# -----------------------------------------------------------
+# Adds parameter to WARN_CFLAGS/WARN_CXXFLAGS if the compiler supports it
+# when compiling PROGRAM.  For example, gl_WARN_ADD([-Wparentheses]).
+#
+# If VARIABLE is a variable name, AC_SUBST it.
+#
+# The effects of this macro depend on the current language (_AC_LANG).
+AC_DEFUN([gl_WARN_ADD],
+[AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS(]_AC_LANG[)])
+gl_COMPILER_OPTION_IF([$1],
+  [gl_AS_VAR_APPEND(m4_if([$2], [], [[WARN_]_AC_LANG_PREFIX[FLAGS]], [[$2]]), [" $1"])],
+  [],
+  [$3])
+m4_ifval([$2],
+         [AS_LITERAL_IF([$2], [AC_SUBST([$2])])],
+         [AC_SUBST([WARN_]_AC_LANG_PREFIX[FLAGS])])dnl
+])
+
+# Local Variables:
+# mode: autoconf
+# End:
--- a/m4/virt-win-common.m4
+++ b/m4/virt-win-common.m4
@ -1,4 +1,4 @@
-dnl The Cygwin, MinGW and MSVC common checks
+dnl The MinGW common checks
 dnl
 dnl Copyright (C) 2016 Red Hat, Inc.
 dnl
@ -22,7 +22,7 @@ AC_DEFUN([LIBVIRT_WIN_CHECK_COMMON], [
  WIN32_EXTRA_LIBS=

  case "$host" in
-    *-*-mingw* | *-*-cygwin* | *-*-msvc* )
+    *-*-mingw* )
      WIN32_EXTRA_LIBS="-lole32 -loleaut32"
      # If the host is Windows, and shared libraries are disabled, we
      # need to add -DLIBVIRT_STATIC to the CFLAGS for proper linking
@ -38,7 +38,5 @@ AC_DEFUN([LIBVIRT_WIN_CHECK_COMMON], [

 AC_DEFUN([LIBVIRT_WIN_RESULT_COMMON], [
  details="CFLAGS='$WIN32_EXTRA_CFLAGS' LIBS='$WIN32_EXTRA_LIBS'"
-  LIBVIRT_RESULT([Cygwin], [$with_cygwin], [$details])
-  LIBVIRT_RESULT([MinGW], [$with_cygwin], [$details])
-  LIBVIRT_RESULT([MSVC], [$with_cygwin], [$details])
+  LIBVIRT_RESULT([MinGW], [$with_win], [$details])
 ])
--- a/m4/virt-win-cygwin.m4
+++ b/m4/virt-win-cygwin.m4
@ -1,32 +0,0 @@
-dnl The Cygwin check
-dnl
-dnl Copyright (C) 2016 Red Hat, Inc.
-dnl
-dnl This library is free software; you can redistribute it and/or
-dnl modify it under the terms of the GNU Lesser General Public
-dnl License as published by the Free Software Foundation; either
-dnl version 2.1 of the License, or (at your option) any later version.
-dnl
-dnl This library is distributed in the hope that it will be useful,
-dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
-dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-dnl Lesser General Public License for more details.
-dnl
-dnl You should have received a copy of the GNU Lesser General Public
-dnl License along with this library.  If not, see
-dnl <http://www.gnu.org/licenses/>.
-dnl
-
-AC_DEFUN([LIBVIRT_WIN_CHECK_CYGWIN], [
-  CYGWIN_EXTRA_LDFLAGS=
-  CYGWIN_EXTRA_LIBADD=
-  case "$host" in
-    *-*-cygwin*)
-      CYGWIN_EXTRA_LDFLAGS="-no-undefined"
-      CYGWIN_EXTRA_LIBADD="${INTLLIBS}"
-      ;;
-  esac
-
-  AC_SUBST([CYGWIN_EXTRA_LDFLAGS])
-  AC_SUBST([CYGWIN_EXTRA_LIBADD])
-])
--- a/m4/virt-win-symbols.m4
+++ b/m4/virt-win-symbols.m4
@ -1,4 +1,4 @@
-dnl The Cygwin, MinGW and MSVC symbols checks
+dnl The MinGW symbols checks
 dnl
 dnl Copyright (C) 2016 Red Hat, Inc.
 dnl
@ -23,7 +23,7 @@ AC_DEFUN([LIBVIRT_WIN_CHECK_SYMBOLS], [
  LIBVIRT_LXC_SYMBOL_FILE='$(srcdir)/libvirt_lxc.syms'
  LIBVIRT_QEMU_SYMBOL_FILE='$(srcdir)/libvirt_qemu.syms'
  case "$host" in
-    *-*-mingw* | *-*-msvc* )
+    *-*-mingw* )
      # Also set the symbol file to .def, so src/Makefile generates libvirt.def
      # from libvirt.syms and passes libvirt.def instead of libvirt.syms to the
      # linker
--- a/m4/virt-win-windres.m4
+++ b/m4/virt-win-windres.m4
@ -1,4 +1,4 @@
-dnl The Cygwin, MinGW and MSVC windres checks
+dnl The MinGW windres checks
 dnl
 dnl Copyright (C) 2016 Red Hat, Inc.
 dnl
@ -21,7 +21,7 @@ AC_DEFUN([LIBVIRT_WIN_CHECK_WINDRES], [
  dnl Look for windres to build a Windows icon resource.
  with_windres=no
  case "$host" in
-    *-*-mingw* | *-*-cygwin* | *-*-msvc* )
+    *-*-mingw* )
      AC_CHECK_TOOL([WINDRES], [windres], [])
      if test "x$WINDRES" != "x"; then
        with_windres=yes
--- a/m4/virt-xdr.m4
+++ b/m4/virt-xdr.m4
@ -22,18 +22,15 @@ AC_DEFUN([LIBVIRT_CHECK_XDR], [
  if test x"$with_remote" = x"yes" || test x"$with_libvirtd" = x"yes"; then
    dnl Where are the XDR functions?
    dnl If portablexdr is installed, prefer that.
-    dnl Otherwise try -lrpc (Cygwin) -lxdr (some MinGW), -lnsl (Solaris)
+    dnl Otherwise try -lxdr (some MinGW)
    dnl -ltirpc (glibc 2.13.90 or newer) or none (most Unix)
    AC_CHECK_LIB([portablexdr],[xdrmem_create],[],[
-      AC_SEARCH_LIBS([xdrmem_create],[rpc xdr nsl tirpc],[],
+      AC_SEARCH_LIBS([xdrmem_create],[xdr tirpc],[],
        [AC_MSG_ERROR([Cannot find a XDR library])])
    ])
    with_xdr="yes"

-    dnl check for cygwin's variation in xdr function names
-    AC_CHECK_FUNCS([xdr_u_int64_t],[],[],[#include <rpc/xdr.h>])
-
-    dnl Cygwin/recent glibc requires -I/usr/include/tirpc for <rpc/rpc.h>
+    dnl Recent glibc requires -I/usr/include/tirpc for <rpc/rpc.h>
    old_CFLAGS=$CFLAGS
    AC_CACHE_CHECK([where to find <rpc/rpc.h>], [lv_cv_xdr_cflags], [
      for add_CFLAGS in '' '-I/usr/include/tirpc' 'missing'; do
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -5,7 +5,6 @@
@BUILDDIR@/src/admin/admin_server_dispatch_stubs.h
@BUILDDIR@/src/remote/remote_client_bodies.h
@BUILDDIR@/src/remote/remote_daemon_dispatch_stubs.h
-@SRCDIR@/gnulib/lib/gai_strerror.c
@SRCDIR@/src/access/viraccessdriverpolkit.c
@SRCDIR@/src/access/viraccessmanager.c
@SRCDIR@/src/admin/admin_server.c
@ -79,6 +78,10 @@
@SRCDIR@/src/hyperv/hyperv_driver.c
@SRCDIR@/src/hyperv/hyperv_util.c
@SRCDIR@/src/hyperv/hyperv_wmi.c
+@SRCDIR@/src/hypervisor/domain_cgroup.c
+@SRCDIR@/src/hypervisor/domain_driver.c
+@SRCDIR@/src/hypervisor/virclosecallbacks.c
+@SRCDIR@/src/hypervisor/virhostdev.c
@SRCDIR@/src/interface/interface_backend_netcf.c
@SRCDIR@/src/interface/interface_backend_udev.c
@SRCDIR@/src/internal.h
@ -169,6 +172,7 @@
@SRCDIR@/src/qemu/qemu_tpm.c
@SRCDIR@/src/qemu/qemu_vhost_user.c
@SRCDIR@/src/qemu/qemu_vhost_user_gpu.c
+@SRCDIR@/src/qemu/qemu_virtiofs.c
@SRCDIR@/src/remote/remote_daemon.c
@SRCDIR@/src/remote/remote_daemon_config.c
@SRCDIR@/src/remote/remote_daemon_dispatch.c
@ -190,7 +194,6 @@
@SRCDIR@/src/rpc/virnetsshsession.c
@SRCDIR@/src/rpc/virnettlscontext.c
@SRCDIR@/src/secret/secret_driver.c
-@SRCDIR@/src/secret/secret_util.c
@SRCDIR@/src/security/security_apparmor.c
@SRCDIR@/src/security/security_dac.c
@SRCDIR@/src/security/security_driver.c
@ -224,23 +227,22 @@
@SRCDIR@/src/util/virauth.c
@SRCDIR@/src/util/virauthconfig.c
@SRCDIR@/src/util/virbitmap.c
-@SRCDIR@/src/util/virbpf.c
@SRCDIR@/src/util/vircgroup.c
@SRCDIR@/src/util/vircgroupbackend.c
@SRCDIR@/src/util/vircgroupbackend.h
@SRCDIR@/src/util/vircgroupv1.c
@SRCDIR@/src/util/vircgroupv2.c
@SRCDIR@/src/util/vircgroupv2devices.c
-@SRCDIR@/src/util/virclosecallbacks.c
@SRCDIR@/src/util/vircommand.c
@SRCDIR@/src/util/virconf.c
@SRCDIR@/src/util/vircrypto.c
+@SRCDIR@/src/util/virdaemon.c
@SRCDIR@/src/util/virdbus.c
@SRCDIR@/src/util/virdnsmasq.c
@SRCDIR@/src/util/virerror.c
@SRCDIR@/src/util/virerror.h
@SRCDIR@/src/util/virevent.c
-@SRCDIR@/src/util/vireventpoll.c
+@SRCDIR@/src/util/vireventthread.c
@SRCDIR@/src/util/virfcp.c
@SRCDIR@/src/util/virfdstream.c
@SRCDIR@/src/util/virfile.c
@ -251,7 +253,6 @@
@SRCDIR@/src/util/virhash.c
@SRCDIR@/src/util/virhook.c
@SRCDIR@/src/util/virhostcpu.c
-@SRCDIR@/src/util/virhostdev.c
@SRCDIR@/src/util/virhostmem.c
@SRCDIR@/src/util/virhostuptime.c
@SRCDIR@/src/util/viridentity.c
@ -259,7 +260,6 @@
@SRCDIR@/src/util/viriptables.c
@SRCDIR@/src/util/viriscsi.c
@SRCDIR@/src/util/virjson.c
-@SRCDIR@/src/util/virkeyfile.c
@SRCDIR@/src/util/virlease.c
@SRCDIR@/src/util/virlockspace.c
@SRCDIR@/src/util/virlog.c
--- a/run.in
+++ b/run.in
@ -21,12 +21,10 @@
 # With this script you can run libvirt programs without needing to
 # install them first.  You just have to do for example:
 #
-#   ./run ./tools/virsh [args ...]
+#   ./run virsh [args ...]
 #
-# If you are already in the tools/ subdirectory, then the following
-# command will also work:
-#
-#   ../run ./virsh [...]
+# Note that this runs the locally compiled copy of virsh which
+# is usually want you want.
 #
 # You can also run the C programs under valgrind like this:
 #
@ -38,28 +36,29 @@
 #
 # This also works with sudo (eg. if you need root access for libvirt):
 #
-#   sudo ./run ./tools/virsh list --all
+#   sudo ./run virsh list --all
 #
 #----------------------------------------------------------------------

+# Function to intelligently prepend a path to an environment variable.
+# See http://stackoverflow.com/a/9631350
+prepend()
+{
+    eval $1="$2\${$1:+:\$$1}"
+}
+
 # Find this script.
 b=@abs_builddir@

-library_path="$b/src/.libs"
-if [ -z "$LD_LIBRARY_PATH" ]; then
-    LD_LIBRARY_PATH=$library_path
-else
-    LD_LIBRARY_PATH="$library_path:$LD_LIBRARY_PATH"
-fi
+prepend LD_LIBRARY_PATH "$b/src/.libs"
 export LD_LIBRARY_PATH

-if [ -z "$PKG_CONFIG_PATH" ]; then
-    PKG_CONFIG_PATH="$b/src"
-else
-    PKG_CONFIG_PATH="$b/src:$PKG_CONFIG_PATH"
-fi
+prepend PKG_CONFIG_PATH "$b/src"
 export PKG_CONFIG_PATH

+prepend PATH "$b/tools"
+export PATH
+
 # Ensure that any 3rd party apps using libvirt.so from the build tree get
 # files resolved to the build/source tree too. Typically useful for language
 # bindings running tests against non-installed libvirt.
--- a/scripts/require-dco.py
+++ b/scripts/require-dco.py
@ -0,0 +1,99 @@
+#!/usr/bin/env python3
+
+# require-dco.py: validate all commits are signed off
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+
+import os
+import os.path
+import sys
+import subprocess
+
+cwd = os.getcwd()
+reponame = os.path.basename(cwd)
+repourl = "https://gitlab.com/libvirt/%s.git" % reponame
+
+subprocess.check_call(["git", "remote", "add", "dcocheck", repourl])
+subprocess.check_call(["git", "fetch", "dcocheck", "master"],
+                      stdout=subprocess.DEVNULL,
+                      stderr=subprocess.DEVNULL)
+
+ancestor = subprocess.check_output(["git", "merge-base", "dcocheck/master", "HEAD"],
+                                   universal_newlines=True)
+
+ancestor = ancestor.strip()
+
+subprocess.check_call(["git", "remote", "rm", "dcocheck"])
+
+errors = False
+
+print("\nChecking for 'Signed-off-by: NAME <EMAIL>' on all commits since %s...\n" % ancestor)
+
+log = subprocess.check_output(["git", "log", "--format=%H %s", ancestor + "..."],
+                              universal_newlines=True)
+
+if log == "":
+    commits = []
+else:
+    commits = [[c[0:40], c[41:]] for c in log.strip().split("\n")]
+
+for sha, subject in commits:
+
+    msg = subprocess.check_output(["git", "show", "-s", sha],
+                                  universal_newlines=True)
+    lines = msg.strip().split("\n")
+
+    print("🔍 %s %s" % (sha, subject))
+    sob = False
+    for line in lines:
+        if "Signed-off-by:" in line:
+            sob = True
+            if "localhost" in line:
+                print("    ❌ FAIL: bad email in %s" % line)
+                errors = True
+
+    if not sob:
+        print("    ❌ FAIL missing Signed-off-by tag")
+        errors = True
+
+if errors:
+    print("""
+
+❌ ERROR: One or more commits are missing a valid Signed-off-By tag.
+
+
+This project requires all contributors to assert that their contributions
+are provided in compliance with the terms of the Developer's Certificate
+of Origin 1.1 (DCO):
+
+  https://developercertificate.org/
+
+To indicate acceptance of the DCO every commit must have a tag
+
+  Signed-off-by: REAL NAME <EMAIL>
+
+This can be achieved by passing the "-s" flag to the "git commit" command.
+
+To bulk update all commits on current branch "git rebase" can be used:
+
+  git rebase -i master -x 'git commit --amend --no-edit -s'
+
+""")
+
+    sys.exit(1)
+
+sys.exit(0)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -19,9 +19,7 @@
 # No libraries with the exception of LIBXML should be listed
 # here. List them against the individual XXX_la_CFLAGS targets
 # that actually use them.
-AM_CPPFLAGS =	-I../gnulib/lib \
-		-I$(top_srcdir)/gnulib/lib \
-		-I$(top_srcdir) \
+AM_CPPFLAGS =	-I$(top_srcdir) \
 		-I../include \
 		-I$(top_srcdir)/include \
 		-I$(srcdir)/util \
@ -42,7 +40,6 @@ AM_LDFLAGS =	$(DRIVER_MODULES_LDFLAGS) \
 		$(COVERAGE_LDFLAGS) \
 		$(RELRO_LDFLAGS) \
 		$(NO_INDIRECT_LDFLAGS) \
-		$(CYGWIN_EXTRA_LDFLAGS) \
 		$(MINGW_EXTRA_LDFLAGS) \
 		$(NULL)
 AM_LDFLAGS_MOD = \
@ -87,6 +84,7 @@ OPENRC_INIT_FILES_IN =
 OPENRC_CONF_FILES =
 SYSCONF_FILES =
 sbin_PROGRAMS =
+bin_PROGRAMS =
 DRIVER_SOURCES =

 COMMON_UNIT_VARS = \
@ -110,6 +108,7 @@ include locking/Makefile.inc.am
 include admin/Makefile.inc.am
 include rpc/Makefile.inc.am
 include test/Makefile.inc.am
+include hypervisor/Makefile.inc.am
 include esx/Makefile.inc.am
 include hyperv/Makefile.inc.am
 include vmx/Makefile.inc.am
@ -130,8 +129,6 @@ include storage/Makefile.inc.am
 include remote/Makefile.inc.am


-THREAD_LIBS = $(LIB_PTHREAD) $(LTLIBMULTITHREAD)
-
 SECDRIVER_CFLAGS =
 SECDRIVER_LIBS =
 if WITH_SECDRIVER_SELINUX
@ -390,12 +387,6 @@ else ! WITH_SSH2
 SYM_FILES += $(srcdir)/libvirt_libssh2.syms
 endif ! WITH_SSH2

-if WITH_ATOMIC_OPS_PTHREAD
-USED_SYM_FILES += $(srcdir)/libvirt_atomic.syms
-else ! WITH_ATOMIC_OPS_PTHREAD
-SYM_FILES += $(srcdir)/libvirt_atomic.syms
-endif ! WITH_ATOMIC_OPS_PTHREAD
-
 if WITH_LIBSSH
 USED_SYM_FILES += $(srcdir)/libvirt_libssh.syms
 else ! WITH_LIBSSH
@ -447,10 +438,8 @@ if WITH_MACOS
 libvirt_la_LDFLAGS += -Wl,-flat_namespace
 endif WITH_MACOS
 libvirt_la_LDFLAGS += $(NULL)
-libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la
 libvirt_la_LIBADD += \
-		    $(DRIVER_MODULES_LIBS) \
-		    $(CYGWIN_EXTRA_LIBADD)
+		    $(DRIVER_MODULES_LIBS)
 libvirt_la_CFLAGS = -DIN_LIBVIRT $(AM_CFLAGS)
 # Because we specify libvirt_la_DEPENDENCIES for $(LIBVIRT_SYMBOL_FILE), we
 # lose automake's automatic dependencies on an appropriate subset of
@ -517,7 +506,7 @@ libvirt_qemu_la_LDFLAGS = \
 		$(AM_LDFLAGS) \
 		$(NULL)
 libvirt_qemu_la_CFLAGS = $(AM_CFLAGS)
-libvirt_qemu_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+libvirt_qemu_la_LIBADD = libvirt.la

 libvirt_lxc_la_SOURCES = libvirt-lxc.c
 libvirt_lxc_la_LDFLAGS = \
@ -527,7 +516,7 @@ libvirt_lxc_la_LDFLAGS = \
 		$(AM_LDFLAGS) \
 		$(NULL)
 libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
-libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
+libvirt_lxc_la_LIBADD = libvirt.la

 EXTRA_DIST += \
 	$(SYSCONF_FILES) \
@ -671,7 +660,7 @@ libvirt_iohelper_LDFLAGS = \
 libvirt_iohelper_LDADD = \
 		libvirt.la \
 		$(GLIB_LIBS) \
-		../gnulib/lib/libgnu.la
+		$(NULL)
 if WITH_DTRACE_PROBES
 libvirt_iohelper_LDADD += libvirt_probes.lo
 endif WITH_DTRACE_PROBES
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@ -21,7 +21,6 @@
 #pragma once

 #include "internal.h"
-#include "virutil.h"
 #include "virenum.h"

 typedef enum {
--- a/src/admin/Makefile.inc.am
+++ b/src/admin/Makefile.inc.am
@ -32,7 +32,6 @@ libvirt_driver_admin_la_CFLAGS = \
 	-I$(top_srcdir)/src/util \
 	-I$(top_builddir)/src/rpc \
 	$(NULL)
-libvirt_driver_admin_la_LIBADD = ../gnulib/lib/libgnu.la
 libvirt_driver_admin_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)

 if WITH_SASL
@ -73,7 +72,6 @@ libvirt_admin_la_LDFLAGS = \

 libvirt_admin_la_LIBADD = \
 	libvirt.la \
-	$(CYGWIN_EXTRA_LIBADD) \
 	$(CAPNG_LIBS) \
 	$(YAJL_LIBS) \
 	$(DEVMAPPER_LIBS) \
--- a/src/admin/admin_protocol.x
+++ b/src/admin/admin_protocol.x
@ -181,6 +181,11 @@ struct admin_server_set_client_limits_args {
    unsigned int flags;
 };

+struct admin_server_update_tls_files_args {
+    admin_nonnull_server srv;
+    unsigned int flags;
+};
+
 struct admin_connect_get_logging_outputs_args {
    unsigned int flags;
 };
@ -314,5 +319,10 @@ enum admin_procedure {
    /**
     * @generate: both
     */
-    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17
+    ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17,
+
+    /**
+     * @generate: both
+     */
+    ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18
 };
--- a/src/admin/admin_server.c
+++ b/src/admin/admin_server.c
@ -367,3 +367,12 @@ adminServerSetClientLimits(virNetServerPtr srv,

    return 0;
 }
+
+int
+adminServerUpdateTlsFiles(virNetServerPtr srv,
+                          unsigned int flags)
+{
+    virCheckFlags(0, -1);
+
+    return virNetServerUpdateTlsFiles(srv);
+}
--- a/src/admin/admin_server.h
+++ b/src/admin/admin_server.h
@ -67,3 +67,6 @@ int adminServerSetClientLimits(virNetServerPtr srv,
                               virTypedParameterPtr params,
                               int nparams,
                               unsigned int flags);
+
+int adminServerUpdateTlsFiles(virNetServerPtr srv,
+                              unsigned int flags);
--- a/src/admin/admin_server_dispatch.c
+++ b/src/admin/admin_server_dispatch.c
@ -34,6 +34,7 @@
 #include "virstring.h"
 #include "virthreadjob.h"
 #include "virtypedparam.h"
+#include "virutil.h"

 #define VIR_FROM_THIS VIR_FROM_ADMIN

@ -118,9 +119,6 @@ virJSONValuePtr remoteAdmClientPreExecRestart(virNetServerClientPtr client G_GNU
 {
    virJSONValuePtr object = virJSONValueNewObject();

-    if (!object)
-        return NULL;
-
    /* No content to add at this time - just need empty object */

    return object;
--- a/src/admin/libvirt-admin.c
+++ b/src/admin/libvirt-admin.c
@ -111,7 +111,7 @@ getSocketPath(virURIPtr uri)
        virURIParamPtr param = &uri->params[i];

        if (STREQ(param->name, "socket")) {
-            VIR_FREE(sock_path);
+            g_free(sock_path);
            sock_path = g_strdup(param->value);
        } else {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@ -203,11 +203,11 @@ virAdmGetDefaultURI(virConfPtr conf, char **uristr)
 virAdmConnectPtr
 virAdmConnectOpen(const char *name, unsigned int flags)
 {
-    char *sock_path = NULL;
+    g_autofree char *sock_path = NULL;
    char *alias = NULL;
    virAdmConnectPtr conn = NULL;
    g_autoptr(virConf) conf = NULL;
-    char *uristr = NULL;
+    g_autofree char *uristr = NULL;

    if (virAdmInitialize() < 0)
        goto error;
@ -233,7 +233,7 @@ virAdmConnectOpen(const char *name, unsigned int flags)
        goto error;

    if (alias) {
-        VIR_FREE(uristr);
+        g_free(uristr);
        uristr = alias;
    }

@ -251,16 +251,12 @@ virAdmConnectOpen(const char *name, unsigned int flags)
    if (remoteAdminConnectOpen(conn, flags) < 0)
        goto error;

- cleanup:
-    VIR_FREE(sock_path);
-    VIR_FREE(uristr);
    return conn;

 error:
    virDispatchError(NULL);
    virObjectUnref(conn);
-    conn = NULL;
-    goto cleanup;
+    return NULL;
 }

 /**
@ -1082,6 +1078,36 @@ virAdmServerSetClientLimits(virAdmServerPtr srv,
    return ret;
 }

+/**
+ * virAdmServerUpdateTlsFiles:
+ * @srv: a valid server object reference
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * Notify server to update tls file, such as cacert, cacrl, server cert / key.
+ *
+ * Returns 0 if the TLS files have been updated successfully or -1 in case of an
+ * error.
+ */
+int
+virAdmServerUpdateTlsFiles(virAdmServerPtr srv,
+                           unsigned int flags)
+{
+    int ret = -1;
+
+    VIR_DEBUG("srv=%p, flags=0x%x", srv, flags);
+    virResetLastError();
+
+    virCheckAdmServerGoto(srv, error);
+
+    if ((ret = remoteAdminServerUpdateTlsFiles(srv, flags)) < 0)
+        goto error;
+
+    return ret;
+ error:
+    virDispatchError(NULL);
+    return ret;
+}
+
 /**
 * virAdmConnectGetLoggingOutputs:
 * @conn: pointer to an active admin connection
--- a/src/admin/libvirt_admin_private.syms
+++ b/src/admin/libvirt_admin_private.syms
@ -31,6 +31,7 @@ xdr_admin_server_lookup_client_args;
 xdr_admin_server_lookup_client_ret;
 xdr_admin_server_set_client_limits_args;
 xdr_admin_server_set_threadpool_parameters_args;
+xdr_admin_server_update_tls_files_args;

 # datatypes.h
 virAdmClientClass;
--- a/src/admin/libvirt_admin_public.syms
+++ b/src/admin/libvirt_admin_public.syms
@ -38,6 +38,7 @@ LIBVIRT_ADMIN_2.0.0 {
        virAdmClientClose;
        virAdmServerGetClientLimits;
        virAdmServerSetClientLimits;
+        virAdmServerUpdateTlsFiles;
 };

 LIBVIRT_ADMIN_3.0.0 {
--- a/src/admin_protocol-structs
+++ b/src/admin_protocol-structs
@ -118,6 +118,10 @@ struct admin_server_set_client_limits_args {
        } params;
        u_int                      flags;
 };
+struct admin_server_update_tls_files_args {
+        admin_nonnull_server       srv;
+        u_int                      flags;
+};
 struct admin_connect_get_logging_outputs_args {
        u_int                      flags;
 };
@ -158,4 +162,5 @@ enum admin_procedure {
        ADMIN_PROC_CONNECT_GET_LOGGING_FILTERS = 15,
        ADMIN_PROC_CONNECT_SET_LOGGING_OUTPUTS = 16,
        ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS = 17,
+        ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18,
 };
--- a/Show More
+++ b/Show More