[Libvir] PATCH: Allow libvirtd configuration for QEMU VNC server
by Daniel P. Berrange
The QEMU VNC server spawned by the QEMU driver in libvirt is hardcoded to
start off on 127.0.0.1, unless the person creating a guest overrides this in
the XML passed to libvirt. If wanting to set up off-host VNC access, it is
much much more convenient to be able to set the system wide default to be
0.0.0.0 than to specify 0.0.0.0 for each VM created.
In addition, it is desirable to be able to configure use of TLS and x509
certificates for the VNC servers system wide.
In Xen world this is already possible through the /etc/xen/xend-config.sxp
configuration file.
In QEMU world, libvirtd takes the place of XenD. The /etc/libvirt/libvirtd.conf
file though is for the daemon as a whole. There is no config file for the
QEMU driver in libvirt itself. So this patch extends the QEMU driver to be
able to load /etc/libvirt/qemu.conf and configure a handful of options.
- vnc_listen = "0.0.0.0" - the address for VNC to listen on. Defaults
  to 127.0.0.1 for security sake
- vnc_tls = 1 - turn on use of TLS extension
- vnc_tls_x509_verify - request client certificates for auth
- vnc_tls_cert_dir - the location of the VNC server certs.
  Defaults to /etc/pki/libvirt-vnc
The code for building command line args for the -vnc flag to QEMU takes
care to look at these options & add appropriate syntax.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
17 years, 1 month
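An audit of the four qemu.conf options listed in the post above, flagging a system-wide VNC listener that is reachable off-host without TLS or client certificates. This is an added example, not code from the patch or from libvirt; the parser covers only `key = "string"` and `key = int` lines, the sample files are constructed, and treating vnc_tls and vnc_tls_x509_verify as off when unset is an assumption.

```python
import ipaddress
import re

# Defaults: vnc_listen and vnc_tls_cert_dir as stated in the post;
# vnc_tls / vnc_tls_x509_verify are assumed off when unset.
DEFAULTS = {"vnc_listen": "127.0.0.1", "vnc_tls": 0, "vnc_tls_x509_verify": 0,
            "vnc_tls_cert_dir": "/etc/pki/libvirt-vnc"}
LINE = re.compile(r'^(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*(?:#.*)?$')

def parse_qemu_conf(text):
    """Parse `key = "string"` and `key = int` lines; skip blanks and # comments."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key, string_val, int_val = m.groups()
        conf[key] = string_val if string_val is not None else int(int_val)
    return conf

def audit_vnc(conf):
    """Return findings for VNC settings reachable off-host without TLS/x509."""
    findings = []
    try:
        exposed = not ipaddress.ip_address(conf["vnc_listen"]).is_loopback
    except ValueError:
        exposed = True  # not an IP literal: treat as reachable off-host
    tls, verify = conf["vnc_tls"], conf["vnc_tls_x509_verify"]
    if exposed and not tls:
        findings.append("vnc_listen=%s without vnc_tls: VNC session is unencrypted"
                        % conf["vnc_listen"])
    elif exposed and not verify:
        findings.append("vnc_tls without vnc_tls_x509_verify: "
                        "clients are not asked for a certificate")
    if verify and not tls:
        findings.append("vnc_tls_x509_verify is set but vnc_tls is off")
    return findings

# Constructed samples: the weak system-wide default beside the hardened one.
WEAK = 'vnc_listen = "0.0.0.0"\n'
HARDENED = ('# off-host VNC with TLS and client certificates\n'
            'vnc_listen = "0.0.0.0"\nvnc_tls = 1\nvnc_tls_x509_verify = 1\n')

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_vnc(parse_qemu_conf(text)) or "ok")
```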
[Libvir] how to setup usb/serial ports with libvirt & kvm (Fedora 7)
by John Davey
I am experimenting with the following Redhat 9 kvm on Fedora 7.
How do I add a USB device with Libvirt? Specifically I'd like to add a
usb-serial converter for logging data. "Man qemu-kvm" shows -usbdevice
devname to add a USB device but I cannot find out how to do this with
libvirt.
Regards John
<domain type='kvm'>
  <name>Rho</name>
  <memory>458752</memory>
  <currentMemory>458752</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/xen/images/rho.img'/>
      <target dev='hda'/>
    </disk>
    <interface type='bridge'>
      <mac address='06:00:CF:DE:01:A2'/>
      <source bridge='eth0'/>
      <target dev='rho0'/>
    </interface>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' listen='127.0.0.1'/>
  </devices>
</domain>
17 years, 1 month
[Libvir] [PATCH] qemu: reset migration source if restore fails
by Jim Paris
With the latest KVM I'm having some issues with save/restore, but I
think it's a kvm issue and not libvirt. The problems did expose a
libvirt bug, though; patch below.
-jim
---
A failed restore of a configured VM would leave the migration source
set incorrectly, preventing the VM from being started normally.
Always clear migration source, then deal with failures.
src/qemu_driver.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 87b66ad..bff17b0 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -2083,6 +2083,7 @@ static int qemudDomainRestore(virConnectPtr conn,
struct qemud_vm_def *def;
struct qemud_vm *vm;
int fd;
+ int ret;
char *xml;
struct qemud_save_header header;
@@ -2161,18 +2162,17 @@ static int qemudDomainRestore(virConnectPtr conn,
/* Set the migration source and start it up. */
snprintf(vm->migrateFrom, sizeof(vm->migrateFrom), "stdio");
vm->stdin = fd;
-
- if (qemudStartVMDaemon(conn, driver, vm) < 0) {
+ ret = qemudStartVMDaemon(conn, driver, vm);
+ close(fd);
+ vm->migrateFrom[0] = '\0';
+ vm->stdin = -1;
+ if (ret < 0) {
qemudReportError(conn, NULL, NULL, VIR_ERR_OPERATION_FAILED,
"failed to start VM");
if (!vm->configFile[0])
qemudRemoveInactiveVM(driver, vm);
- close(fd);
return -1;
}
- close(fd);
- vm->migrateFrom[0] = '\0';
- vm->stdin = -1;
/* If it was running before, resume it now. */
if (header.was_running) {
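Review bot: the reset block that now follows qemudStartVMDaemon() in the second hunk has no comment explaining why it runs before the "ret < 0" check, and the existing comment "Set the migration source and start it up" no longer describes everything under it. A one-line comment above close(fd), for example "Always clear the migration source, even if startup failed", would stop a later cleanup from moving the reset back below the error return. The old failure path also called close(fd) and returned with vm->stdin still holding the closed descriptor number, so this hunk fixes a stale vm->stdin as well as vm->migrateFrom; the commit message mentions only the migration source and should name both.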
--
1.5.3.rc4
17 years, 1 month
[Libvir] Win Pro 64 dies in second half of windows guest installation
by Lawrence Nitz
When I set up a guest VM using virt-install on a Fedora 7 system, the
process gets as far as reading the raw device (/dev/scd0) for the
install disk, writes the basic windows data onto the disk, and then
reboots to complete the Windows installation. At this point the
installation hangs, with a diagnostic that says the file cannot be
found. The same error occurs whether the install is from the hard disk
image or from the cd-rom. The install gets half done, and has nothing
to read when the install program restarts itself. In the Virt manager
the edit command allows me to edit the machine, but not to add back the
cd drive, only add network cards and hard disk partitions.
Any help by a more experienced virt-install user would be much
appreciated. Larry Nitz.
17 years, 1 month
[Libvir] Problems with defineXML in python..
by Mark Dehus
I am having some problems getting libvirt under python to work properly.
I can setup new domains by using the createLinux() function, but when I
attempt to use defineXML() it fails with no reason given other than
"virDomainDefineXML() failed". I am using the same XML file for both
functions.
This is on an Ubuntu 7.04 server running python 2.5 & libvirt 0.1.8 (from
the ubuntu universe repo).
Here is my test code:
import libvirt
import sys
import xml
import random

try:
    conn = libvirt.open(None)
except Exception, e:
    print e
if conn == None:
    print 'Failed to open connection to the hypervisor'
    sys.exit(1)

create = True
if create:
    xmlfile = open('webserv.xml')
    xmldesc = xmlfile.read()
    xmlfile.close()
    try:
        # webserv = conn.createLinux(xmldesc, 0)
        webserv = conn.defineXML(xmldesc)
    except Exception, e:
        print 'Failed to create webserv: %s' % e
        sys.exit(1)
    if webserv is None:
        print 'whoops this shouldnt happen!'
    conn.create(webserv)

try:
    print "Domain 0: id %d running %s" % (webserv.ID(), webserv.OSType())
    print webserv.info()
    print webserv.XMLDesc(0)
except Exception, e:
    print e
#webserv.shutdown()
And the XML file:
<domain type='xen' >
  <name>webserv</name>
  <os>
    <type>linux</type>
    <kernel>/boot/vmlinuz-2.6.19-4-generic-amd64</kernel>
    <initrd>/boot/initrd.img-2.6.19-4-generic-amd64</initrd>
    <root>/dev/hda1</root>
  </os>
  <memory>1024</memory>
  <vcpu>1</vcpu>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <interface type='bridge'>
      <source bridge='xenbr0'/>
      <mac address='00:16:3e:24:27:a5'/>
      <script path='vif-bridge'/>
    </interface>
    <graphics type='vnc' port='5902'/>
    <disk type='file' device='disk'>
      <driver name='tap' type='aio'/>
      <source file='/virtual/images/webserv/webserv.img'/>
      <target dev='hda1'/>
    </disk>
    <console tty='/dev/pts/4'/>
  </devices>
</domain>
Am I missing something simple, or is there a bug?
Thanks!
17 years, 1 month
[Libvir] [PATCH] Found minor bug in topology code
by beth kon
I found a problem with an error path... I was cutting off incrementing
of a value in the loop then checking if it was too big after the loop,
so the way it was structured, it could never happen. Here is the fix.
--
Elizabeth Kon (Beth)
IBM Linux Technology Center
Open Hypervisor Team
email: eak(a)us.ibm.com
17 years, 1 month
[Libvir] PATCH: Updated patches for PolicyKit support
by Daniel P. Berrange
A few weeks back I posted some prototype patches for PolicyKit support to
allow the main libvirt daemon socket to be made world-accessible. PolicyKit
then can do ACLs on incoming connections, allowing definition of rules which
could for example, allow only the user who owns the active X login session
http://www.redhat.com/archives/libvir-list/2007-August/msg00027.html
This is an updated patch which takes account of a change in the PolicyKit
XML file syntax between 0.4 and 0.5 releases.
The configure.in script has been tweaked to automatically disable PolicyKit
if pkg-config is not available instead of aborting.
The code for getting UNIX socket credentials has been factored out into its
own method. There is still only a Linux implementation. I was going to take
the code for other OS from DBus, but DBus is currently under a GPL/Academic
license options, which is not compatible with LGPL. Fortunately DBus is in
the middle of re-licensing to X11 style which is LGPL compatible, so in a week
or so's time we'll be able to safely take their OS portability code for
socket credentials.
I short-circuit the logic to always allow root. This allows existing people
running libvirt tools as root to continue use without any regressions. There
is one small issue still that the default policy I provide only allows the
use of read-only connections if the user is logged in to the desktop. This
is a partial regression - the admin can edit /etc/PolicyKit/PolicyKit.conf
and add a site-local rule allowing all users access, regardless of whether
they're in a session. I've spoken with David Zeuthen and he's going to add
ability to specify rules for non-session clients in the default policy
config files, which will fix this minor regression. Once this is done the
libvirt default policy will be identical to current file permission based
policy (root == full access, non-root == read only).
As I mentioned previously, with this change it is now possible to open a full
read-write connection from virt-manager running as non-root. Depending on
site policy it will optionally prompt for root password (su style equiv) or
the user's password (sudo style equiv) without needing virt-manager itself
to gain any elevated privileges.
When compiling with PolicyKit support, the default file permissions for both
the main & readonly UNIX sockets in the daemon switch to 0777, instead of
the previous 0700 & 0777. It is possible to turn off PolicyKit auth in the
daemon config file, even if it is compiled in - in which case the default
permissions get set back to 0700 & 0777.
Although in previous feedback Daniel suggested I leave the LIBVIRTD_AUTH_POLKIT
constant compiled in all the time, I feel it is better to remove it when the
policykit support is disabled in configure. This removes the need to have
extra switch/case statements to explicitly reject LIBVIRTD_AUTH_POLKIT auth,
since it will be handled by the 'default:' statement which already has code
to reject connections.
I've done more extensive testing with virt-manager since my previous patch,
and it's working very nicely with the new UI which allows multiple hypervisor
connections. Instead of asking for the root password up-front at app start
time, we now only need ask for it if the user connects to a local HV. If
they only ever manage remote connections we don't need to do anything with
the local root password.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
17 years, 1 month
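The post above describes a world-accessible (0777) daemon socket where access is decided from the peer's UNIX socket credentials, with root always allowed. The sketch below shows that check on Linux using SO_PEERCRED; it is an added example, not libvirt's code, and `policy_check` is a hypothetical callback standing in for the PolicyKit query.

```python
import os
import socket
import struct

UCRED = "iII"  # Linux struct ucred: pid_t pid; uid_t uid; gid_t gid

def peer_credentials(sock):
    """Return (pid, uid, gid) the kernel recorded for the peer of an AF_UNIX socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)

def authorize(sock, policy_check):
    """Root is always allowed; everyone else is decided by policy_check(pid, uid).

    policy_check is a hypothetical callback standing in for the PolicyKit query.
    """
    pid, uid, _gid = peer_credentials(sock)
    if uid == 0:
        return True  # short-circuit: existing root users see no regression
    return bool(policy_check(pid, uid))

def demo():
    """Run the check on a socketpair, where the peer is this very process."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_credentials(server)
        denied = authorize(server, lambda pid, uid: False)
        allowed = authorize(server, lambda pid, uid: True)
        return creds, denied, allowed
    finally:
        server.close()
        client.close()

if __name__ == "__main__":
    print(demo())
```

The credentials come from the kernel, not from anything the client sends, which is why the socket's file mode can be relaxed once this check is in place.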