Backport fix for IPv6 connections to ESXi

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

0001-esx-Allow-connecting-to-IPv6-server.patch

@@ -0,0 +1,41 @@
+From 845210011a9ffd9d17e30c51cbc81ba67c5d3166 Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 20 Jan 2026 10:08:29 +0100
+Subject: [PATCH] esx: Allow connecting to IPv6 server
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When connecting to a VMWare server, the hostname from URI is
+resolved using esxUtil_ResolveHostname() which in turn calls
+getaddrinfo(). But in the hints argument, we restrict the return
+address to be IPv4 (AF_INET) which obviously fails if the address
+to resolve is an IPv6 address. Set the hint to AF_UNSPEC which
+allows both IPv4 and IPv6. While at it, also allow IPv4 addresses
+mapped in IPv6 by setting AI_V4MAPPED flag.
+
+Resolves: https://issues.redhat.com/browse/RHEL-138300
+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/esx/esx_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/esx/esx_util.c b/src/esx/esx_util.c
+index 88b3dc893f..a6275babd5 100644
+--- a/src/esx/esx_util.c
++++ b/src/esx/esx_util.c
+@@ -275,8 +275,8 @@ esxUtil_ResolveHostname(const char *hostname, char **ipAddress)
+     int errcode;
+     g_autofree char *address = NULL;
+ 
+-    hints.ai_flags = AI_ADDRCONFIG;
+-    hints.ai_family = AF_INET;
++    hints.ai_flags = AI_ADDRCONFIG | AI_V4MAPPED;
++    hints.ai_family = AF_UNSPEC;
+     hints.ai_socktype = SOCK_STREAM;
+     hints.ai_protocol = 0;
+ 
+-- 
+2.52.0
+

0001-interface-fix-udev-reference-leak-with-invalid-flags.patch

@@ -1,41 +0,0 @@
-From 3499354e12a1c1832bf4030693a64e03ceb79d05 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Wed, 5 Jun 2024 11:16:21 +0100
-Subject: [PATCH] interface: fix udev reference leak with invalid flags
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The udevInterfaceGetXMLDesc method takes a reference on the udev
-driver as its first action. If the virCheckFlags() condition
-fails, however, this reference is never released.
-
-Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/interface/interface_backend_udev.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c
-index fdf11a8318..e1a50389c9 100644
---- a/src/interface/interface_backend_udev.c
-+++ b/src/interface/interface_backend_udev.c
-@@ -1027,12 +1027,14 @@ static char *
- udevInterfaceGetXMLDesc(virInterfacePtr ifinfo,
-                         unsigned int flags)
- {
--    struct udev *udev = udev_ref(driver->udev);
-+    struct udev *udev = NULL;
-     g_autoptr(virInterfaceDef) ifacedef = NULL;
-     char *xmlstr = NULL;
- 
-     virCheckFlags(VIR_INTERFACE_XML_INACTIVE, NULL);
- 
-+    udev = udev_ref(driver->udev);
-+
-     /* Recursively build up the interface XML based on the requested
-      * interface name
-      */
--- 
-2.45.1
-

0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch

@@ -1,49 +0,0 @@
-From 98f1cf88fa7e0f992d93f376418fbfb3996a9690 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Fri, 17 May 2024 14:55:24 +0100
-Subject: [PATCH] rpc: avoid leak of GSource in use for interrupting main loop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We never release the reference on the GSource created for
-interrupting the main loop, nor do we remove it from the
-main context if our thread is woken up prior to the wakeup
-callback firing.
-
-This can result in a leak of GSource objects, along with an
-ever growing list of GSources attached to the main context,
-which will gradually slow down execution of the loop, as
-several operations are O(N) for the number of attached GSource
-objects.
-
-Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/rpc/virnetclient.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
-index 147b0d661a..6d424eb599 100644
---- a/src/rpc/virnetclient.c
-+++ b/src/rpc/virnetclient.c
-@@ -1946,7 +1946,7 @@ static int virNetClientIO(virNetClient *client,
-     /* Check to see if another thread is dispatching */
-     if (client->haveTheBuck) {
-         /* Force other thread to wakeup from poll */
--        GSource *wakeup = g_idle_source_new();
-+        g_autoptr(GSource) wakeup = g_idle_source_new();
-         g_source_set_callback(wakeup, virNetClientIOWakeup, client->eventLoop, NULL);
-         g_source_attach(wakeup, client->eventCtx);
- 
-@@ -1968,6 +1968,7 @@ static int virNetClientIO(virNetClient *client,
-             return -1;
-         }
- 
-+        g_source_destroy(wakeup);
-         VIR_DEBUG("Woken up from sleep head=%p call=%p",
-                   client->waitDispatch, thiscall);
-         /* Three reasons we can be woken up
--- 
-2.45.1
-

0001-rpc-ensure-temporary-GSource-is-removed-from-client-.patch

@@ -1,99 +0,0 @@
-From 8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Tue, 30 Apr 2024 11:51:15 +0100
-Subject: [PATCH] rpc: ensure temporary GSource is removed from client event
- loop
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Users are seeing periodic segfaults from libvirt client apps,
-especially thread heavy ones like virt-manager. A typical
-stack trace would end up in the virNetClientIOEventFD method,
-with illegal access to stale stack data. eg
-
-==238721==ERROR: AddressSanitizer: stack-use-after-return on address 0x75cd18709788 at pc 0x75cd3111f907 bp 0x75cd181ff550 sp 0x75cd181ff548
-WRITE of size 4 at 0x75cd18709788 thread T11
-    #0 0x75cd3111f906 in virNetClientIOEventFD /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1634:15
-    #1 0x75cd3210d198  (/usr/lib/libglib-2.0.so.0+0x5a198) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
-    #2 0x75cd3216c3be  (/usr/lib/libglib-2.0.so.0+0xb93be) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
-    #3 0x75cd3210ddc6 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x5adc6) (BuildId: 0a2311dfbbc6c215dc36f4b6bdd2b4b6fbae55a2)
-    #4 0x75cd3111a47c in virNetClientIOEventLoop /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:1722:9
-    #5 0x75cd3111a47c in virNetClientIO /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2002:10
-    #6 0x75cd3111a47c in virNetClientSendInternal /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2170:11
-    #7 0x75cd311198a8 in virNetClientSendWithReply /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclient.c:2198:11
-    #8 0x75cd31111653 in virNetClientProgramCall /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/rpc/virnetclientprogram.c:318:9
-    #9 0x75cd31241c8f in callFull /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6054:10
-    #10 0x75cd31241c8f in call /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/remote/remote_driver.c:6076:12
-    #11 0x75cd31241c8f in remoteNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/src/remote/remote_client_bodies.h:5959:9
-    #12 0x75cd31410ff7 in virNetworkGetXMLDesc /usr/src/debug/libvirt/libvirt-10.2.0/build/../src/libvirt-network.c:952:15
-
-The root cause is a bad assumption in the virNetClientIOEventLoop
-method. This method is run by whichever thread currently owns the
-buck, and is responsible for handling I/O. Inside a for(;;) loop,
-this method creates a temporary GSource, adds it to the event loop
-and runs g_main_loop_run(). When I/O is ready, the GSource callback
-(virNetClientIOEventFD) will fire and call g_main_loop_quit(), and
-return G_SOURCE_REMOVE which results in the temporary GSource being
-destroyed. A g_autoptr() will then remove the last reference.
-
-What was overlooked, is that a second thread can come along and
-while it can't enter virNetClientIOEventLoop, it will register an
-idle source that uses virNetClientIOWakeup to interrupt the
-original thread's 'g_main_loop_run' call. When this happens the
-virNetClientIOEventFD callback never runs, and so the temporary
-GSource is not destroyed. The g_autoptr() will remove a reference,
-but by virtue of still being attached to the event context, there
-is an extra reference held causing GSource to be leaked. The
-next time 'g_main_loop_run' is called, the original GSource will
-trigger its callback, and access data that was allocated on the
-stack by the previous thread, and likely SEGV.
-
-To solve this, the thread calling 'g_main_loop_run' must call
-g_source_destroy, immediately upon return, to guarantee that
-the temporary GSource is removed.
-
-CVE-2024-4418
-Reviewed-by: Ján Tomko <jtomko@redhat.com>
-Reported-by: Martin Shirokov <shirokovmartin@gmail.com>
-Tested-by: Martin Shirokov <shirokovmartin@gmail.com>
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
----
- src/rpc/virnetclient.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
-index 68098b1c8d..147b0d661a 100644
---- a/src/rpc/virnetclient.c
-+++ b/src/rpc/virnetclient.c
-@@ -1657,7 +1657,7 @@ static int virNetClientIOEventLoop(virNetClient *client,
- #endif /* !WIN32 */
-         int timeout = -1;
-         virNetMessage *msg = NULL;
--        g_autoptr(GSource) G_GNUC_UNUSED source = NULL;
-+        g_autoptr(GSource) source = NULL;
-         GIOCondition ev = 0;
-         struct virNetClientIOEventData data = {
-             .client = client,
-@@ -1721,6 +1721,18 @@ static int virNetClientIOEventLoop(virNetClient *client,
- 
-         g_main_loop_run(client->eventLoop);
- 
-+        /*
-+         * If virNetClientIOEventFD ran, this GSource will already be
-+         * destroyed due to G_SOURCE_REMOVE. It is harmless to re-destroy
-+         * it, since we still own a reference.
-+         *
-+         * If virNetClientIOWakeup ran, it will have interrupted the
-+         * g_main_loop_run call, before virNetClientIOEventFD could
-+         * run, and thus the GSource is still registered, and we need
-+         * to destroy it since it is referencing stack memory for 'data'
-+         */
-+        g_source_destroy(source);
-+
- #ifndef WIN32
-         ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL));
- #endif /* !WIN32 */
--- 
-2.45.1
-

0001-virarptable-Properly-calculate-rtattr-length.patch

@@ -1,35 +0,0 @@
-From adfdb79f1e01401349e1321d0f5059d7b6489f00 Mon Sep 17 00:00:00 2001
-Message-ID: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
-From: Martin Kletzander <mkletzan@redhat.com>
-Date: Fri, 16 Aug 2024 13:56:51 +0200
-Subject: [PATCH 1/3] virarptable: Properly calculate rtattr length
-Content-type: text/plain
-
-Use convenience macro which does almost the same thing we were doing,
-but also pads out the payload length to a multiple of NLMSG_ALIGNTO (4)
-bytes.
-
-Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-Reviewed-by: Laine Stump <laine@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/util/virarptable.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/util/virarptable.c b/src/util/virarptable.c
-index 299dddd664..d8e41c5a86 100644
---- a/src/util/virarptable.c
-+++ b/src/util/virarptable.c
-@@ -102,8 +102,7 @@ virArpTableGet(void)
-             return table;
- 
-         VIR_WARNINGS_NO_CAST_ALIGN
--        parse_rtattr(tb, NDA_MAX, NDA_RTA(r),
--                     nh->nlmsg_len - NLMSG_LENGTH(sizeof(*r)));
-+        parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
-         VIR_WARNINGS_RESET
- 
-         if (tb[NDA_DST] == NULL || tb[NDA_LLADDR] == NULL)
--- 
-2.46.0
-

0002-virarptable-Fix-check-for-message-length.patch

@@ -1,42 +0,0 @@
-From 137779b894858bd958ea575cec260a0559b31e48 Mon Sep 17 00:00:00 2001
-Message-ID: <137779b894858bd958ea575cec260a0559b31e48.1724763718.git.crobinso@redhat.com>
-In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
-References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
-From: Martin Kletzander <mkletzan@redhat.com>
-Date: Fri, 16 Aug 2024 13:59:15 +0200
-Subject: [PATCH 2/3] virarptable: Fix check for message length
-Content-type: text/plain
-
-The previous check was all wrong since it calculated the how long would
-the netlink message be if the netlink header was the payload and then
-subtracted that from the whole message length, a variable that was not
-used later in the code.  This check can fail if there are no additional
-payloads, struct rtattr in particular, which we are parsing later,
-however the RTA_OK macro would've caught that anyway.
-
-Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-Reviewed-by: Laine Stump <laine@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/util/virarptable.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/util/virarptable.c b/src/util/virarptable.c
-index d8e41c5a86..45ee76766f 100644
---- a/src/util/virarptable.c
-+++ b/src/util/virarptable.c
-@@ -81,10 +81,9 @@ virArpTableGet(void)
-     for (; NLMSG_OK(nh, msglen); nh = NLMSG_NEXT(nh, msglen)) {
-         VIR_WARNINGS_RESET
-         struct ndmsg *r = NLMSG_DATA(nh);
--        int len = nh->nlmsg_len;
-         void *addr;
- 
--        if ((len -= NLMSG_LENGTH(sizeof(*nh))) < 0) {
-+        if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
-             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                            _("wrong nlmsg len"));
-             goto cleanup;
--- 
-2.46.0
-

0003-virarptable-End-parsing-earlier-in-case-of-NLMSG_DON.patch

@@ -1,54 +0,0 @@
-From df2cefb31dab2fa56e0864fbd2b8ad468dee22c0 Mon Sep 17 00:00:00 2001
-Message-ID: <df2cefb31dab2fa56e0864fbd2b8ad468dee22c0.1724763718.git.crobinso@redhat.com>
-In-Reply-To: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
-References: <adfdb79f1e01401349e1321d0f5059d7b6489f00.1724763718.git.crobinso@redhat.com>
-From: Martin Kletzander <mkletzan@redhat.com>
-Date: Fri, 16 Aug 2024 14:02:48 +0200
-Subject: [PATCH 3/3] virarptable: End parsing earlier in case of NLMSG_DONE
-Content-type: text/plain
-
-Check for the last multipart message right as the first thing.  The
-presumption probably was that the last message might still contain a
-payload we want to parse.  However that cannot be true since that would
-have to be a type RTM_NEWNEIGH.  This was not caught because older
-kernels were note sending NLMSG_DONE and probably relied on the fact
-that the parsing just stops after all the messages are walked through,
-which the NLMSG_OK macro successfully did.
-
-Resolves: https://issues.redhat.com/browse/RHEL-52449
-Resolves: https://bugzilla.redhat.com/2302245
-Fixes: a176d67cdfaf5b8237a7e3a80d8be0e6bdf2d8fd
-Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-Reviewed-by: Laine Stump <laine@redhat.com>
-Signed-off-by: Cole Robinson <crobinso@redhat.com>
----
- src/util/virarptable.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/util/virarptable.c b/src/util/virarptable.c
-index 45ee76766f..20d11f97b0 100644
---- a/src/util/virarptable.c
-+++ b/src/util/virarptable.c
-@@ -83,6 +83,9 @@ virArpTableGet(void)
-         struct ndmsg *r = NLMSG_DATA(nh);
-         void *addr;
- 
-+        if (nh->nlmsg_type == NLMSG_DONE)
-+            break;
-+
-         if (nh->nlmsg_len < NLMSG_SPACE(sizeof(*r))) {
-             virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                            _("wrong nlmsg len"));
-@@ -97,9 +100,6 @@ virArpTableGet(void)
-             (!(r->ndm_state == NUD_STALE || r->ndm_state == NUD_REACHABLE)))
-             continue;
- 
--        if (nh->nlmsg_type == NLMSG_DONE)
--            return table;
--
-         VIR_WARNINGS_NO_CAST_ALIGN
-         parse_rtattr(tb, NDA_MAX, NDA_RTA(r), NLMSG_PAYLOAD(nh, sizeof(*r)));
-         VIR_WARNINGS_RESET
--- 
-2.46.0
-

fix-virtiofs-socket-label.patch

@@ -1,31 +0,0 @@
-From 4c5b2e1e0d0d0cbbf8c6ed28ce77d055d5974f7f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
-Date: Wed, 6 Mar 2024 17:26:40 +0100
-Subject: [PATCH] qemu: virtiofs: set correct label when creating the socket
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use svirt_t instead of virtd_t, since virtd_t is not available in the
-session mode and qemu with svirt_t won't be able to talk to unconfined_t
-socket.
-
-Signed-off-by: Ján Tomko <jtomko@redhat.com>
-Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
----
- src/qemu/qemu_virtiofs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
-index 15dea3bb57f..d80cddd3ba9 100644
---- a/src/qemu/qemu_virtiofs.c
-+++ b/src/qemu/qemu_virtiofs.c
-@@ -102,7 +102,7 @@ qemuVirtioFSOpenChardev(virQEMUDriver *driver,
-     chrdev->data.nix.listen = true;
-     chrdev->data.nix.path = g_strdup(socket_path);
- 
--    if (qemuSecuritySetDaemonSocketLabel(driver->securityManager, vm->def) < 0)
-+    if (qemuSecuritySetSocketLabel(driver->securityManager, vm->def) < 0)
-         goto cleanup;
-     fd = qemuOpenChrChardevUNIXSocket(chrdev);
-     if (fd < 0) {

libvirt.spec

@@ -3,15 +3,15 @@
 # This spec file assumes you are building on a Fedora or RHEL version
 # that's still supported by the vendor. It may work on other distros
 # or versions, but no effort will be made to ensure that going forward.
-%define min_rhel 8
-%define min_fedora 37
+%define min_rhel 9
+%define min_fedora 41
 
-%define arches_qemu_kvm         %{ix86} x86_64 %{power64} %{arm} aarch64 s390x
+%define arches_qemu_kvm         %{ix86} x86_64 %{power64} aarch64 s390x riscv64
 %if 0%{?rhel}
-    %if 0%{?rhel} > 8
-        %define arches_qemu_kvm     x86_64 aarch64 s390x
+    %if 0%{?rhel} >= 10
+        %define arches_qemu_kvm     x86_64 aarch64 s390x riscv64
     %else
-        %define arches_qemu_kvm     x86_64 %{power64} aarch64 s390x
+        %define arches_qemu_kvm     x86_64 aarch64 s390x
     %endif
 %endif
 
@@ -19,7 +19,7 @@
 %define arches_x86              %{ix86} x86_64
 
 %define arches_systemtap_64bit  %{arches_64bit}
-%define arches_dmidecode        %{arches_x86}
+%define arches_dmidecode        %{arches_x86} aarch64 riscv64
 %define arches_xen              %{arches_x86} aarch64
 %if 0%{?fedora}
     %define arches_xen          x86_64 aarch64
@@ -29,12 +29,24 @@
 %define arches_zfs              %{arches_x86} %{power64} %{arm}
 %define arches_numactl          %{arches_x86} %{power64} aarch64 s390x
 %define arches_numad            %{arches_x86} %{power64} aarch64
+%define arches_ch               x86_64 aarch64
 
 # The hypervisor drivers that run in libvirtd
-%define with_qemu          0%{!?_without_qemu:1}
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_libxl         0%{!?_without_libxl:1}
 %define with_vbox          0%{!?_without_vbox:1}
+%define with_ch            0%{!?_without_ch:1}
+
+%ifarch %{arches_64bit}
+    %define with_qemu      0%{!?_without_qemu:1}
+%else
+    # QEMU drops 32-bit in Fedora 44
+    %if 0%{?fedora} > 43
+        %define with_qemu  0
+    %else
+        %define with_qemu  0%{!?_without_qemu:1}
+    %endif
+%endif
 
 %ifarch %{arches_qemu_kvm}
     %define with_qemu_kvm      %{with_qemu}
@@ -42,6 +54,12 @@
     %define with_qemu_kvm      0
 %endif
 
+%if 0%{?fedora} >= 42
+    %define with_account_add 0
+%else
+    %define with_account_add 1
+%endif
+
 %define with_qemu_tcg      %{with_qemu}
 
 # RHEL disables TCG on all architectures
@@ -64,18 +82,13 @@
 
 %define with_storage_gluster 0%{!?_without_storage_gluster:1}
 %if 0%{?rhel}
-    # Glusterfs has been dropped in RHEL-9, and before that
-    # was only enabled on arches where KVM exists
-    %if 0%{?rhel} > 8
-        %define with_storage_gluster 0
-    %else
-        %ifnarch %{arches_qemu_kvm}
-            %define with_storage_gluster 0
-        %endif
-    %endif
+    # Glusterfs has been dropped in RHEL-9.
+    %define with_storage_gluster 0
 %endif
 
-# Fedora has zfs-fuse
+# On Fedora 43, the 'zfs-fuse' package was removed, but is obtainable via
+# other means. Build the backend, but it's no longer considered to be part
+# of 'daemon-driver-storage'.
 %if 0%{?fedora}
     %define with_storage_zfs      0%{!?_without_storage_zfs:1}
 %else
@@ -84,13 +97,12 @@
 
 %define with_storage_iscsi_direct 0%{!?_without_storage_iscsi_direct:1}
 # libiscsi has been dropped in RHEL-9
-%if 0%{?rhel} > 8
+%if 0%{?rhel}
     %define with_storage_iscsi_direct 0
 %endif
 
 # Other optional features
 %define with_numactl          0%{!?_without_numactl:1}
-%define with_userfaultfd_sysctl 0%{!?_without_userfaultfd_sysctl:1}
 
 # A few optional bits off by default, we enable later
 %define with_fuse             0
@@ -123,6 +135,9 @@
 %ifnarch %{arches_ceph}
     %define with_storage_rbd 0
 %endif
+%ifnarch %{arches_ch}
+    %define with_ch 0
+%endif
 
 # RHEL doesn't ship many hypervisor drivers
 %if 0%{?rhel}
@@ -132,14 +147,11 @@
     %define with_libxl 0
     %define with_hyperv 0
     %define with_lxc 0
+    %define with_ch 0
 %endif
 
 %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
 
-%if 0%{?rhel} && 0%{?rhel} < 9
-    %define with_netcf 0%{!?_without_netcf:1}
-%endif
-
 # fuse is used to provide virtualized /proc for LXC
 %if %{with_lxc}
     %define with_fuse      0%{!?_without_fuse:1}
@@ -181,8 +193,7 @@
 # Right now that's not the case anywhere, but things should be fine by the time
 # Fedora 40 is released.
 %if %{with_qemu}
-    # rhel-8 lacks pidfd_open
-    %if 0%{?fedora} || 0%{?rhel} >= 9
+    %if 0%{?fedora} || 0%{?rhel}
         %define with_nbdkit 0%{!?_without_nbdkit:1}
 
         # setting 'with_nbdkit_config_default' must be done only when compiling
@@ -190,7 +201,7 @@
         #
         # TODO: add RHEL 9 once a minor release that contains the necessary SELinux
         #       bits exists (we only support the most recent minor release)
-        %if 0%{?fedora} >= 40
+        %if 0%{?fedora}
             %define with_nbdkit_config_default 0%{!?_without_nbdkit_config_default:1}
         %endif
     %endif
@@ -201,10 +212,22 @@
 %endif
 
 %define with_modular_daemons 0
-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora} || 0%{?rhel}
     %define with_modular_daemons 1
 %endif
 
+# Prefer nftables for future OS releases but keep using iptables
+# for existing ones
+%if 0%{?rhel} >= 10 || 0%{?fedora}
+    %define prefer_nftables 1
+    %define firewall_backend_priority nftables,iptables
+%else
+    %define prefer_nftables 0
+    %define firewall_backend_priority iptables,nftables
+%endif
+
+
+
 # Force QEMU to run as non-root
 %define qemu_user  qemu
 %define qemu_group  qemu
@@ -240,19 +263,14 @@
 
 # RHEL releases provide stable tool chains and so it is safe to turn
 # compiler warning into errors without being worried about frequent
-# changes in reported warnings
-%if 0%{?rhel}
+# changes in reported warnings. ELN is a rebuild of Rawhide so should
+# be treated as unstable for this flag
+%if 0%{?rhel} && !0%{?eln}
     %define enable_werror -Dwerror=true
 %else
     %define enable_werror -Dwerror=false -Dgit_werror=disabled
 %endif
 
-# Fedora and RHEL-9 are new enough to support /dev/userfaultfd, which
-# does not require enabling vm.unprivileged_userfaultfd sysctl.
-%if 0%{?fedora} || 0%{?rhel} >= 9
-    %define with_userfaultfd_sysctl 0
-%endif
-
 %define tls_priority "@LIBVIRT,SYSTEM"
 
 # libvirt 8.1.0 stops distributing any sysconfig files.
@@ -276,8 +294,8 @@
 
 Summary: Library providing a simple virtualization API
 Name: libvirt
-Version: 10.1.0
-Release: 4%{?dist}
+Version: 12.0.0
+Release: 3%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1
 URL: https://libvirt.org/
 
@@ -285,16 +303,10 @@ URL: https://libvirt.org/
     %define mainturl stable_updates/
 %endif
 Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz
-Patch1: 0001-rpc-ensure-temporary-GSource-is-removed-from-client-.patch
-Patch2: 0001-rpc-avoid-leak-of-GSource-in-use-for-interrupting-ma.patch
-Patch3: 0001-interface-fix-udev-reference-leak-with-invalid-flags.patch
-
-Patch0: fix-virtiofs-socket-label.patch
-
-Patch10: 0001-virarptable-Properly-calculate-rtattr-length.patch
-Patch11: 0002-virarptable-Fix-check-for-message-length.patch
-Patch12: 0003-virarptable-End-parsing-earlier-in-case-of-NLMSG_DON.patch
 
+# Fix IPv6 connections to ESXi
+# Upstream in > 12.0.0
+Patch: 0001-esx-Allow-connecting-to-IPv6-server.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -315,6 +327,9 @@ Obsoletes: libvirt-daemon-uml <= 5.0.0
 %if %{with_vbox}
 Requires: libvirt-daemon-driver-vbox = %{version}-%{release}
 %endif
+%if %{with_ch}
+Requires: libvirt-daemon-driver-ch = %{version}-%{release}
+%endif
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-interface = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
@@ -329,7 +344,7 @@ Requires: libvirt-libs = %{version}-%{release}
 BuildRequires: python3-docutils
 BuildRequires: meson >= 0.56.0
 BuildRequires: ninja-build
-BuildRequires: git
+BuildRequires: git-core
 BuildRequires: perl-interpreter
 BuildRequires: python3
 BuildRequires: python3-pytest
@@ -346,7 +361,7 @@ BuildRequires: gcc
     %if %{with_libxl}
 BuildRequires: xen-devel
     %endif
-BuildRequires: glib2-devel >= 2.56
+BuildRequires: glib2-devel >= 2.66
 BuildRequires: libxml2-devel
 BuildRequires: readline-devel
 BuildRequires: pkgconfig(bash-completion) >= 2.0
@@ -359,21 +374,14 @@ BuildRequires: libblkid-devel >= 2.17
 BuildRequires: augeas
 BuildRequires: systemd-devel >= 185
 BuildRequires: libpciaccess-devel >= 0.10.9
-BuildRequires: yajl-devel
+BuildRequires: json-c-devel
     %if %{with_sanlock}
 BuildRequires: sanlock-devel >= 2.4
     %endif
 BuildRequires: libpcap-devel >= 1.5.0
 BuildRequires: libnl3-devel
 BuildRequires: libselinux-devel
-BuildRequires: iptables
-BuildRequires: ebtables
-# For modprobe
-BuildRequires: kmod
 BuildRequires: cyrus-sasl-devel
-BuildRequires: polkit >= 0.112
-# For mount/umount in FS driver
-BuildRequires: util-linux
     %if %{with_qemu}
 # For managing ACLs
 BuildRequires: libacl-devel
@@ -384,10 +392,6 @@ BuildRequires: /usr/bin/qemu-img
     %if %{with_nbdkit}
 BuildRequires: libnbd-devel
     %endif
-# For LVM drivers
-BuildRequires: lvm2
-# For pool type=iscsi
-BuildRequires: iscsi-initiator-utils
     %if %{with_storage_iscsi_direct}
 # For pool type=iscsi-direct
 BuildRequires: libiscsi-devel
@@ -410,7 +414,7 @@ BuildRequires: numactl-devel
     %endif
 BuildRequires: libcap-ng-devel >= 0.5.0
     %if %{with_fuse}
-BuildRequires: fuse-devel >= 2.8.6
+BuildRequires: fuse3-devel
     %endif
     %if %{with_libssh2}
 BuildRequires: libssh2-devel >= 1.3.0
@@ -425,16 +429,8 @@ BuildRequires: libcurl-devel
 BuildRequires: libwsman-devel >= 2.6.3
     %endif
 BuildRequires: audit-libs-devel
-# we need /usr/sbin/dtrace
 BuildRequires: systemtap-sdt-devel
 BuildRequires: /usr/bin/dtrace
-# For mount/umount in FS driver
-BuildRequires: util-linux
-# For showmount in FS driver (netfs discovery)
-BuildRequires: nfs-utils
-    %if %{with_numad}
-BuildRequires: numad
-    %endif
     %if %{with_wireshark}
 BuildRequires: wireshark-devel
     %endif
@@ -515,6 +511,8 @@ Requires: libvirt-libs = %{version}-%{release}
 # Recommends here will install libvirt-client by default (if available), but
 # RPM won't complain if the package is unavailable, masked, or removed later.
 Recommends: libvirt-client = %{version}-%{release}
+# For modprobe and rmmod
+Requires: kmod
 # for /sbin/ip
 Requires: iproute
 # for /sbin/tc
@@ -529,8 +527,10 @@ Requires(posttrans): /usr/bin/systemctl
 Requires(preun): /usr/bin/systemctl
 # libvirtd depends on 'messagebus' service
 Requires: dbus
+    %if %{with_account_add}
 # For uid creation during pre
 Requires(pre): shadow-utils
+    %endif
 # Needed by /usr/libexec/libvirt-guests.sh script.
     %if 0%{?fedora}
 Requires: gettext-runtime
@@ -557,6 +557,7 @@ resources
 %package daemon-plugin-lockd
 Summary: lockd client plugin for virtlockd
 Requires: libvirt-libs = %{version}-%{release}
+Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-daemon-lock = %{version}-%{release}
 
 %description daemon-plugin-lockd
@@ -605,7 +606,11 @@ Summary: Network driver plugin for the libvirtd daemon
 Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
 Requires: dnsmasq >= 2.41
+    %if %{prefer_nftables}
+Requires: nftables
+    %else
 Requires: iptables
+    %endif
 
 %description daemon-driver-network
 The network driver plugin for the libvirtd daemon, providing
@@ -666,8 +671,8 @@ an implementation of the secret key APIs.
 Summary: Storage driver plugin including base backends for the libvirtd daemon
 Requires: libvirt-daemon-common = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-Requires: nfs-utils
-# For mkfs
+Recommends: nfs-utils
+# For mkfs and mount/umount
 Requires: util-linux
 # For storage wiping with different algorithms
 Requires: scrub
@@ -779,9 +784,13 @@ volumes using the ceph protocol.
 Summary: Storage driver plugin for ZFS
 Requires: libvirt-daemon-driver-storage-core = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
-# Support any conforming implementation of zfs
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. The package builds fine without these. Users will have to provide
+# their own implementation.
+        %if 0%{?fedora} && 0%{?fedora} < 43
 Requires: /sbin/zfs
 Requires: /sbin/zpool
+        %endif
 
 %description daemon-driver-storage-zfs
 The storage driver backend adding implementation of the storage APIs for
@@ -805,7 +814,10 @@ Requires: libvirt-daemon-driver-storage-gluster = %{version}-%{release}
     %if %{with_storage_rbd}
 Requires: libvirt-daemon-driver-storage-rbd = %{version}-%{release}
     %endif
-    %if %{with_storage_zfs}
+# Starting with Fedora 43 the 'zfs-fuse' is no longer shipped but obtainable
+# externally. We do not want to install this as part of 'daemon-driver-storage'
+# any more.
+    %if %{with_storage_zfs} && 0%{?fedora} && 0%{?fedora} < 43
 Requires: libvirt-daemon-driver-storage-zfs = %{version}-%{release}
     %endif
 
@@ -826,12 +838,13 @@ Requires: gzip
 Requires: bzip2
 Requires: lzop
 Requires: xz
+Requires: zstd
 Requires: systemd-container
 Requires: swtpm-tools
         %if %{with_numad}
 Requires: numad
         %endif
-        %if 0%{?fedora} || 0%{?rhel} >= 9
+        %if 0%{?fedora} || 0%{?rhel}
 Recommends: passt
 Recommends: passt-selinux
         %endif
@@ -913,6 +926,7 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
+Requires: libvirt-ssh-proxy = %{version}-%{release}
 Requires: qemu
 
 %description daemon-qemu
@@ -941,6 +955,7 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
 Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
+Requires: libvirt-ssh-proxy = %{version}-%{release}
 Requires: qemu-kvm
 
 %description daemon-kvm
@@ -989,7 +1004,6 @@ Requires: libvirt-daemon-driver-libxl = %{version}-%{release}
 Requires: libvirt-daemon-driver-interface = %{version}-%{release}
 Requires: libvirt-daemon-driver-network = %{version}-%{release}
 Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
-Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release}
 Requires: libvirt-daemon-driver-secret = %{version}-%{release}
 Requires: libvirt-daemon-driver-storage = %{version}-%{release}
 Requires: xen
@@ -1023,11 +1037,23 @@ Server side daemon and driver required to manage the virtualization
 capabilities of VirtualBox
     %endif
 
+    %if %{with_ch}
+%package daemon-driver-ch
+Summary: Cloud-Hypervisor driver plugin for libvirtd daemon
+Requires: libvirt-daemon-common = %{version}-%{release}
+Requires: libvirt-daemon-log = %{version}-%{release}
+Requires: libvirt-libs = %{version}-%{release}
+
+%description daemon-driver-ch
+The ch driver plugin for the libvirtd daemon, providing
+an implementation of the hypervisor driver APIs by
+Cloud-Hypervisor
+    %endif
+
+
 %package client
 Summary: Client side utilities of the libvirt library
 Requires: libvirt-libs = %{version}-%{release}
-# Needed by virt-pki-validate script.
-Requires: gnutls-utils
 
 # Ensure smooth upgrades
 Obsoletes: libvirt-bash-completion < 7.3.0
@@ -1049,8 +1075,6 @@ with some QEMU specific features of libvirt.
 
 %package libs
 Summary: Client side libraries
-# So remote clients can access libvirt over SSH tunnel
-Requires: cyrus-sasl
 # Needed by default sasl.conf - no onerous extra deps, since
 # 100's of other things on a system already pull in krb5-libs
 Requires: cyrus-sasl-gssapi
@@ -1072,6 +1096,10 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
 %package login-shell
 Summary: Login shell for connecting users to an LXC container
 Requires: libvirt-libs = %{version}-%{release}
+        %if %{with_account_add}
+# For uid creation during pre
+Requires(pre): shadow-utils
+        %endif
 
 %description login-shell
 Provides the set-uid virt-login-shell binary that is used to
@@ -1094,6 +1122,7 @@ Requires: sanlock >= 2.4
 #for virt-sanlock-cleanup require augeas
 Requires: augeas
 Requires: libvirt-libs = %{version}-%{release}
+Requires: libvirt-daemon-common = %{version}-%{release}
 Obsoletes: libvirt-lock-sanlock < 9.1.0
 Provides: libvirt-lock-sanlock = %{version}-%{release}
 
@@ -1110,6 +1139,13 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release}
 Libvirt plugin for NSS for translating domain names into IP addresses.
 %endif
 
+%package ssh-proxy
+Summary: Libvirt SSH proxy
+Requires: libvirt-libs = %{version}-%{release}
+
+%description ssh-proxy
+Allows SSH into domains via VSOCK without need for network.
+
 %if %{with_mingw32}
 %package -n mingw32-libvirt
 Summary: %{summary}
@@ -1182,9 +1218,15 @@ exit 1
 %endif
 
 %if %{with_esx}
-    %define arg_esx -Ddriver_esx=enabled -Dcurl=enabled
+    %define arg_esx -Ddriver_esx=enabled
 %else
-    %define arg_esx -Ddriver_esx=disabled -Dcurl=disabled
+    %define arg_esx -Ddriver_esx=disabled
+%endif
+
+%if %{with_esx} || %{with_ch}
+    %define arg_curl -Dcurl=enabled
+%else
+    %define arg_curl -Dcurl=disabled
 %endif
 
 %if %{with_hyperv}
@@ -1199,6 +1241,12 @@ exit 1
     %define arg_vmware -Ddriver_vmware=disabled
 %endif
 
+%if %{with_ch}
+    %define arg_ch -Ddriver_ch=enabled
+%else
+    %define arg_ch -Ddriver_ch=disabled
+%endif
+
 %if %{with_storage_rbd}
     %define arg_storage_rbd -Dstorage_rbd=enabled
 %else
@@ -1295,12 +1343,6 @@ exit 1
     %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
-%if %{with_userfaultfd_sysctl}
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=enabled
-%else
-    %define arg_userfaultfd_sysctl -Duserfaultfd_sysctl=disabled
-%endif
-
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1316,6 +1358,8 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
 %meson \
            -Drunstatedir=%{_rundir} \
            -Dinitconfdir=%{_sysconfdir}/sysconfig \
+           -Dunitdir=%{_unitdir} \
+           -Dsysusersdir=%{_sysusersdir} \
            %{?arg_qemu} \
            %{?arg_openvz} \
            %{?arg_lxc} \
@@ -1327,11 +1371,12 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Ddriver_remote=enabled \
            -Ddriver_test=enabled \
            %{?arg_esx} \
+           %{?arg_curl} \
            %{?arg_hyperv} \
            %{?arg_vmware} \
+           %{?arg_ch} \
            -Ddriver_vz=disabled \
            -Ddriver_bhyve=disabled \
-           -Ddriver_ch=disabled \
            %{?arg_remote_mode} \
            -Ddriver_interface=enabled \
            -Ddriver_network=enabled \
@@ -1358,7 +1403,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dapparmor_profiles=disabled \
            -Dsecdriver_apparmor=disabled \
            -Dudev=enabled \
-           -Dyajl=enabled \
+           -Djson_c=enabled \
            %{?arg_sanlock} \
            -Dlibpcap=enabled \
            %{?arg_nbdkit} \
@@ -1381,10 +1426,11 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
            -Dqemu_datadir=%{qemu_datadir} \
            -Dtls_priority=%{tls_priority} \
            -Dsysctl_config=enabled \
-           %{?arg_userfaultfd_sysctl} \
+           -Dssh_proxy=enabled \
            %{?enable_werror} \
            -Dexpensive_tests=enabled \
            -Dinit_script=systemd \
+           -Dfirewall_backend_priority=%{firewall_backend_priority} \
            -Ddocs=enabled \
            -Dtests=enabled \
            -Drpath=disabled \
@@ -1409,6 +1455,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dblkid=disabled \
   -Dcapng=disabled \
   -Ddriver_bhyve=disabled \
+  -Ddriver_ch=disabled \
   -Ddriver_hyperv=disabled \
   -Ddriver_interface=disabled \
   -Ddriver_libvirtd=disabled \
@@ -1428,6 +1475,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dfuse=disabled \
   -Dglusterfs=disabled \
   -Dhost_validate=disabled \
+  -Djson_c=disabled \
   -Dlibiscsi=disabled \
   -Dnbdkit=disabled \
   -Dnbdkit_config_default=disabled \
@@ -1465,12 +1513,12 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/libvirt.spec)
   -Dstorage_vstorage=disabled \
   -Dstorage_zfs=disabled \
   -Dsysctl_config=disabled \
-  -Duserfaultfd_sysctl=disabled \
+  -Dssh_proxy=disabled \
   -Dtests=disabled \
   -Dudev=disabled \
   -Dwireshark_dissector=disabled \
-  -Dyajl=disabled
-    %mingw_ninja
+  %{?enable_werror}
+%mingw_ninja
 %endif
 
 %install
@@ -1529,6 +1577,10 @@ rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/libvirtd.libxl
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_libxl.aug
 rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_libxl.aug
     %endif
+    %if ! %{with_ch}
+rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/libvirtd_ch.aug
+rm -f $RPM_BUILD_ROOT%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug
+    %endif
 
 # Copied into libvirt-docs subpackage eventually
 mv $RPM_BUILD_ROOT%{_datadir}/doc/libvirt libvirt-docs
@@ -1576,7 +1628,8 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh
 %if %{with_native}
 # Building on slow archs, like emulated s390x in Fedora copr, requires
 # raising the test timeout
-VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check --timeout-multiplier 10
+export VIR_TEST_DEBUG=1
+%meson_test --no-suite syntax-check --timeout-multiplier 10
 %endif
 
 %define libvirt_rpmstatedir %{_localstatedir}/lib/rpm-state/libvirt
@@ -1738,10 +1791,12 @@ VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check --timeout-multiplier 10
 %pre daemon-common
 %libvirt_sysconfig_pre libvirt-guests
 %libvirt_systemd_oneshot_pre libvirt-guests
+    %if %{with_account_add}
 # 'libvirt' group is just to allow password-less polkit access to libvirt
 # daemons. The uid number is irrelevant, so we use dynamic allocation.
 getent group libvirt >/dev/null || groupadd -r libvirt
 exit 0
+    %endif
 
 %posttrans daemon-common
 %libvirt_sysconfig_posttrans libvirt-guests
@@ -1864,6 +1919,7 @@ exit 0
 %libvirt_sysconfig_pre virtqemud
 %libvirt_systemd_unix_pre virtqemud
 
+        %if %{with_account_add}
 # We want soft static allocation of well-known ids, as disk images
 # are commonly shared across NFS mounts by id rather than name.
 # See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
@@ -1879,6 +1935,7 @@ if ! getent passwd 'qemu' >/dev/null; then
   fi
 fi
 exit 0
+        %endif
 
 %posttrans daemon-driver-qemu
 %libvirt_sysconfig_posttrans virtqemud
@@ -1927,6 +1984,19 @@ exit 0
 %libvirt_systemd_unix_preun virtxend
     %endif
 
+    %if %{with_ch}
+%pre daemon-driver-ch
+%libvirt_sysconfig_pre virtchd
+%libvirt_systemd_unix_pre virtchd
+
+%posttrans daemon-driver-ch
+%libvirt_sysconfig_posttrans virtchd
+%libvirt_systemd_unix_posttrans virtchd
+
+%preun daemon-driver-ch
+%libvirt_systemd_unix_preun virtchd
+    %endif
+
 %pre daemon-config-network
 %libvirt_systemd_config_pre libvirtd
 %libvirt_systemd_config_pre virtnetworkd
@@ -1992,8 +2062,10 @@ done
 
     %if %{with_lxc}
 %pre login-shell
+        %if %{with_account_add}
 getent group virtlogin >/dev/null || groupadd -r virtlogin
 exit 0
+        %endif
     %endif
 %endif
 
@@ -2014,7 +2086,9 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
 %config(noreplace) %{_prefix}/lib/sysctl.d/60-libvirtd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd
+%dir %{_datadir}/augeas/lenses
 %{_datadir}/augeas/lenses/libvirtd.aug
+%dir %{_datadir}/augeas/lenses/tests
 %{_datadir}/augeas/lenses/tests/test_libvirtd.aug
 %attr(0755, root, root) %{_sbindir}/libvirtd
 %{_mandir}/man8/libvirtd.8*
@@ -2025,7 +2099,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
 %dir %{_datadir}/libvirt/
 %ghost %dir %{_rundir}/libvirt/
-%ghost %dir %{_rundir}/libvirt/common/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/common/
 %dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/filesystems/
@@ -2035,9 +2109,11 @@ exit 0
 %dir %attr(0755, root, root) %{_libdir}/libvirt/connection-driver/
 %dir %attr(0755, root, root) %{_libdir}/libvirt/storage-backend/
 %dir %attr(0755, root, root) %{_libdir}/libvirt/storage-file/
+%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
 %{_datadir}/polkit-1/actions/org.libvirt.api.policy
 %{_datadir}/polkit-1/rules.d/50-libvirt.rules
+%{_sysusersdir}/libvirt.conf
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/
 %attr(0755, root, root) %{_libexecdir}/libvirt_iohelper
 %attr(0755, root, root) %{_bindir}/virt-ssh-helper
@@ -2065,7 +2141,6 @@ exit 0
 %{_mandir}/man8/virtlockd.8*
 
 %files daemon-plugin-lockd
-%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/lockd.so
 
 %files daemon-log
@@ -2111,7 +2186,7 @@ exit 0
 %{_unitdir}/virtinterfaced-ro.socket
 %{_unitdir}/virtinterfaced-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtinterfaced
-%ghost %dir %{_rundir}/libvirt/interface/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/interface/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_interface.so
 %{_mandir}/man8/virtinterfaced.8*
 
@@ -2119,6 +2194,9 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/virtnetworkd.conf
 %{_datadir}/augeas/lenses/virtnetworkd.aug
 %{_datadir}/augeas/lenses/tests/test_virtnetworkd.aug
+%config(noreplace) %{_sysconfdir}/libvirt/network.conf
+%{_datadir}/augeas/lenses/libvirtd_network.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd_network.aug
 %{_unitdir}/virtnetworkd.service
 %{_unitdir}/virtnetworkd.socket
 %{_unitdir}/virtnetworkd-ro.socket
@@ -2150,7 +2228,7 @@ exit 0
 %{_unitdir}/virtnodedevd-ro.socket
 %{_unitdir}/virtnodedevd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtnodedevd
-%ghost %dir %{_rundir}/libvirt/nodedev/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nodedev/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_nodedev.so
 %{_mandir}/man8/virtnodedevd.8*
 
@@ -2165,8 +2243,8 @@ exit 0
 %attr(0755, root, root) %{_sbindir}/virtnwfilterd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/nwfilter/
 %ghost %dir %{_rundir}/libvirt/network/
-%ghost %dir %{_rundir}/libvirt/nwfilter-binding/
-%ghost %dir %{_rundir}/libvirt/nwfilter/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter-binding/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/nwfilter/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_nwfilter.so
 %{_mandir}/man8/virtnwfilterd.8*
 
@@ -2180,7 +2258,7 @@ exit 0
 %{_unitdir}/virtsecretd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/
-%ghost %dir %{_rundir}/libvirt/secrets/
+%ghost %dir %attr(0700, root, root) %{_rundir}/libvirt/secrets/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_secret.so
 %{_mandir}/man8/virtsecretd.8*
 
@@ -2201,7 +2279,6 @@ exit 0
 %ghost %dir %{_rundir}/libvirt/storage/
 %{_libdir}/libvirt/connection-driver/libvirt_driver_storage.so
 %{_libdir}/libvirt/storage-backend/libvirt_storage_backend_fs.so
-%{_libdir}/libvirt/storage-file/libvirt_storage_file_fs.so
 %{_mandir}/man8/virtstoraged.8*
 
 %files daemon-driver-storage-disk
@@ -2243,9 +2320,6 @@ exit 0
     %if %{with_qemu}
 %files daemon-driver-qemu
 %config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
-        %if %{with_userfaultfd_sysctl}
-%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
-        %endif
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service
@@ -2259,11 +2333,11 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
-%ghost %dir %{_rundir}/libvirt/qemu/
-%ghost %dir %{_rundir}/libvirt/qemu/dbus/
-%ghost %dir %{_rundir}/libvirt/qemu/passt/
-%ghost %dir %{_rundir}/libvirt/qemu/slirp/
-%ghost %dir %{_rundir}/libvirt/qemu/swtpm/
+%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/
+%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/dbus/
+%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/passt/
+%ghost %dir %attr(0755, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/slirp/
+%ghost %dir %attr(0770, %{qemu_user}, %{qemu_group}) %{_rundir}/libvirt/qemu/swtpm/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/checkpoint/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/dump/
@@ -2377,7 +2451,6 @@ exit 0
         %if %{with_libxl}
 %config(noreplace) %{_sysconfdir}/libvirt/libxl-sanlock.conf
         %endif
-%dir %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/
 %attr(0755, root, root) %{_libdir}/libvirt/lock-driver/sanlock.so
 %{_datadir}/augeas/lenses/libvirt_sanlock.aug
 %{_datadir}/augeas/lenses/tests/test_libvirt_sanlock.aug
@@ -2387,6 +2460,22 @@ exit 0
 %attr(0755, root, root) %{_libexecdir}/libvirt_sanlock_helper
     %endif
 
+    %if %{with_ch}
+%files daemon-driver-ch
+%attr(0755, root, root) %{_sbindir}/virtchd
+%config(noreplace) %{_sysconfdir}/libvirt/virtchd.conf
+%{_datadir}/augeas/lenses/virtchd.aug
+%{_datadir}/augeas/lenses/tests/test_virtchd.aug
+%{_unitdir}/virtchd-admin.socket
+%{_unitdir}/virtchd-ro.socket
+%{_unitdir}/virtchd.service
+%{_unitdir}/virtchd.socket
+%{_libdir}/libvirt/connection-driver/libvirt_driver_ch.so
+%config(noreplace) %{_sysconfdir}/libvirt/ch.conf
+%{_datadir}/augeas/lenses/libvirtd_ch.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd_ch.aug
+    %endif
+
 %files client
 %{_mandir}/man1/virsh.1*
 %{_mandir}/man1/virt-xml-validate.1*
@@ -2417,15 +2506,17 @@ exit 0
 %{_libdir}/libvirt-lxc.so.*
 %{_libdir}/libvirt-admin.so.*
 %dir %{_datadir}/libvirt/
+%{_datadir}/libvirt/test-screenshot.png
 %dir %{_datadir}/libvirt/schemas/
+%{_datadir}/libvirt/schemas/*.rng
+%dir %{_datadir}/systemtap/tapset/
 %{_datadir}/systemtap/tapset/libvirt_probes*.stp
 %{_datadir}/systemtap/tapset/libvirt_functions.stp
     %if %{with_qemu}
 %{_datadir}/systemtap/tapset/libvirt_qemu_probes*.stp
     %endif
-%{_datadir}/libvirt/schemas/*.rng
+%dir %{_datadir}/libvirt/cpu_map
 %{_datadir}/libvirt/cpu_map/*.xml
-%{_datadir}/libvirt/test-screenshot.png
 
     %if %{with_wireshark}
 %files wireshark
@@ -2436,11 +2527,16 @@ exit 0
 %{_libdir}/libnss_libvirt.so.2
 %{_libdir}/libnss_libvirt_guest.so.2
 
+%files ssh-proxy
+%config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/30-libvirt-ssh-proxy.conf
+%{_libexecdir}/libvirt-ssh-proxy
+
     %if %{with_lxc}
 %files login-shell
 %attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
 %{_libexecdir}/virt-login-shell-helper
 %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
+%{_sysusersdir}/libvirt-login-shell.conf
 %{_mandir}/man1/virt-login-shell.1*
     %endif
 
@@ -2489,7 +2585,7 @@ exit 0
 %{mingw32_bindir}/virt-admin.exe
 %{mingw32_bindir}/virt-xml-validate
 %{mingw32_bindir}/virt-pki-query-dn.exe
-%{mingw32_bindir}/virt-pki-validate
+%{mingw32_bindir}/virt-pki-validate.exe
 %{mingw32_bindir}/libvirt-lxc-0.dll
 %{mingw32_bindir}/libvirt-qemu-0.dll
 %{mingw32_bindir}/libvirt-admin-0.dll
@@ -2548,7 +2644,7 @@ exit 0
 %{mingw64_bindir}/virt-admin.exe
 %{mingw64_bindir}/virt-xml-validate
 %{mingw64_bindir}/virt-pki-query-dn.exe
-%{mingw64_bindir}/virt-pki-validate
+%{mingw64_bindir}/virt-pki-validate.exe
 %{mingw64_bindir}/libvirt-lxc-0.dll
 %{mingw64_bindir}/libvirt-qemu-0.dll
 %{mingw64_bindir}/libvirt-admin-0.dll
@@ -2599,17 +2695,142 @@ exit 0
 
 
 %changelog
-* Tue Aug 27 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-4
-- Fix 'virsh domifaddr --source=arp' on kernel 6.10 (bz #2302245)
+* Mon Jan 26 2026 Richard W.M. Jones <rjones@redhat.com> - 12.0.0-3
+- Backport fix for IPv6 connections to ESXi
 
-* Tue Jul  9 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.1.0-3
-- Fix virtiofs SELinux socket label
+* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 12.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
 
-* Fri Mar 01 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-2
-- Fix crash in event loop (CVE-2024-4418)
+* Thu Jan 15 2026 Daniel P. Berrangé <berrange@redhat.com> - 12.0.0-1
+- Update to 12.0.0
+
+* Mon Jan 12 2026 Daniel P. Berrangé <berrange@redhat.com> - 11.10.0-3
+- Disable -Werror on ELN
+
+* Thu Jan 08 2026 Richard W.M. Jones <rjones@redhat.com> - 11.10.0-2
+- Rebuild for xen 4.21.0
+
+* Mon Dec 01 2025 Cole Robinson <crobinso@redhat.com> - 11.10.0-1
+- Update to version 11.10.0
+
+* Mon Nov 17 2025 Richard W.M. Jones <rjones@redhat.com> - 11.9.0-3
+- Add upstream patches to fix parallel libguestfs
+
+* Tue Nov  4 2025 Tom Callaway <spot@fedoraproject.org> - 11.9.0-2
+- rebuild against new fuse3
+
+* Mon Nov  3 2025 Daniel P. Berrangé <berrange@redhat.com> - 11.9.0-1
+- Update to 11.9.0 release
+
+* Wed Oct 29 2025 Peter Robinson <pbrobinson@fedoraproject.org> - 11.8.0-3
+- Build against fuse3, supported since 8.2
+
+* Tue Oct 14 2025 Cole Robinson <crobinso@redhat.com> - 11.8.0-2
+- Fix build with latest wireshark
+
+* Wed Oct 01 2025 Cole Robinson <crobinso@redhat.com> - 11.8.0-1
+- Update to version 11.8.0
+
+* Thu Sep 04 2025 Adam Williamson <awilliam@redhat.com> - 11.7.0-3
+- Rebuild on a side tag
+
+* Thu Sep 04 2025 Adam Williamson <awilliam@redhat.com> - 11.7.0-2
+- Rebuild for libiscsi.so.11
+
+* Tue Sep 02 2025 Cole Robinson <crobinso@redhat.com> - 11.7.0-1
+- Update to version 11.7.0
+
+* Tue Aug 05 2025 Cole Robinson <crobinso@redhat.com> - 11.6.0-1
+- Update to version 11.6.0
+
+* Thu Jul 24 2025 Fedora Release Engineering <releng@fedoraproject.org> - 11.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jul 16 2025 Richard W.M. Jones <rjones@redhat.com> - 11.5.0-2
+- Rebuild for updated Xen
+
+* Wed Jul 09 2025 Cole Robinson <crobinso@redhat.com> - 11.5.0-1
+- Update to version 11.5.0
+
+* Fri Jun 20 2025 Cole Robinson <crobinso@redhat.com> - 11.4.0-2
+- Fix dumpxml failures after migration (bz 2369243)
+
+* Mon Jun 02 2025 Cole Robinson <crobinso@redhat.com> - 11.4.0-1
+- Update to version 11.4.0
+
+* Thu May 08 2025 Adam Williamson <awilliam@redhat.com> - 11.3.0-3
+- Properly obsolete libvirt-daemon-driver-storage-zfs
+
+* Thu May 08 2025 Cole Robinson <crobinso@redhat.com> - 11.3.0-2
+- zfs-fuse is gone from rawhide, drop libvirt-daemon-storage-zfs
+
+* Wed May 07 2025 Cole Robinson <crobinso@redhat.com> - 11.3.0-1
+- Update to version 11.3.0
+
+* Tue Apr 29 2025 Daniel P. Berrangé <berrange@redhat.com> - 11.2.0-2
+- Fix install of Ampere 1 ARM CPU model (rhbz #2361196)
+- Fix location of mount, umount (rhbz #2359196)
+- Fix location of numad (rhbz #2359736)
+- Fix tests on rebuild with latest GCC 15
+
+* Tue Apr 01 2025 Cole Robinson <crobinso@redhat.com> - 11.2.0-1
+- Update to version 11.2.0
+
+* Mon Mar 03 2025 Cole Robinson <crobinso@redhat.com> - 11.1.0-1
+- Update to version 11.1.0
+
+* Fri Jan 17 2025 Cole Robinson <crobinso@redhat.com> - 11.0.0-1
+- Update to version 11.0.0
+
+* Fri Jan 17 2025 Fedora Release Engineering <releng@fedoraproject.org> - 10.10.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Mon Dec 02 2024 Cole Robinson <crobinso@redhat.com> - 10.10.0-1
+- Update to version 10.10.0
+
+* Fri Nov  1 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.9.0-1
+- Update to version 10.9.0
+
+* Tue Oct 01 2024 Cole Robinson <crobinso@redhat.com> - 10.8.0-1
+- Update to version 10.8.0
+
+* Mon Sep 02 2024 Cole Robinson <crobinso@redhat.com> - 10.7.0-1
+- Update to version 10.7.0
+
+* Tue Aug 27 2024 Cole Robinson <crobinso@redhat.com> - 10.6.0-2
+- Fix `virsh domifaddr --source=arp` on kernel 6.10 (bz #2302245)
+- Add new systemtap-sdt-dtrace to build deps
+
+* Tue Aug 06 2024 Cole Robinson <crobinso@redhat.com> - 10.6.0-1
+- Update to version 10.6.0
+
+* Mon Aug 05 2024 Richard W.M. Jones <rjones@redhat.com> - 10.5.0-3
+- Rebuild for Xen 4.19.0
+
+* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 10.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jul  4 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.5.0-1
+- Rebase to 10.5.0 release
+
+* Wed Jun  5 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.4.0-2
 - Fix leak of GSource handle
 - Fix leak of udev reference (rhbz #2266017)
 
+* Wed Jun  5 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.4.0-1
+- Update to version 10.4.0
+- Change virtual network backend from iptables to nftables
+- Introduce SSH VSOCK proxy
+
+* Thu May  2 2024 Daniel P. Berrangé <berrange@redhat.com> - 10.3.0-1
+- Update to version 10.3.0
+
+* Sat Apr 06 2024 Cole Robinson <crobinso@redhat.com> - 10.2.0-2
+- Rebuild for new libiscsi
+
+* Fri Apr 05 2024 Cole Robinson <crobinso@redhat.com> - 10.2.0-1
+- Update to version 10.2.0
+
 * Fri Mar 01 2024 Cole Robinson <crobinso@redhat.com> - 10.1.0-1
 - Update to version 10.1.0
 

sources

@@ -1 +1 @@
-SHA512 (libvirt-10.1.0.tar.xz) = 08e73ae15de5681430b62db85ec9901242dca5e9a4ca9685614f4a67092c6e28f27f9187144b3ceb18ad6b40e6eb1a90b1a4b056b0888724d04a62002ee2bc48
+SHA512 (libvirt-12.0.0.tar.xz) = 5613e4e59865f688fe4cca2734c6de1cf68d0540c6e3013c9c21e583accd4f4fc21ec98e9c794036c5d6d0c8dd05ad1d22dab61f8c7d2934c8cb507b5bee76ad