[libvirt] IPv6: getting it to work
by Gene Czarcinski
Before I start creating patches (since it is not only source code but
also documentation, schemas, tests, etc), I thought I would run this by
you folks for comments/suggestions.
With IPv4, it is relatively easy to set up working networks: just use
nat/MASQUERADE and things pretty much just work.
With IPv6, it is a bit more difficult because IPv6 is route-only with
(theoretically) unique addresses known across the Internet. It took me
a while but once I realized that I needed to define some static routes
on my default router, it became much easier. The default route(s) on
the default router connect the IPv6 guest network used by a
qemu-kvm/libvirt with the virtual host's IPv6 address.
My recommendation is to use a /48 or /56 IPv6 network and assign it to a
specific virtual host. This virtual host needs to have a fixed IPv6
address either with manual configuration or using a client-id to pin a
specific IPv6 address. Then make each of the virtual networks on that
host be a /64 network. So far so good and really not too much of an
administrative burden. NetworkManager can be used to set this default
route.
Now let's add some additional virtual network layers/segments to the
mix. For example:
guest10 <-> net-a <-> guest20 <-> net-b <-> guest30 <-> virbr<n>
host40 <-> router50 <-> host60
guest30 can talk to other systems such as host40, router50, and host60
on the real network since it is covered by the static route on the
default router.
guest10, guest20, and guest30 can talk to each other with some
additional static routes (or just default routes).
The problem: guest10 cannot talk to other real hosts such as host40 or
host60. The problem is that NetworkManager will not set a static route
for any network on a libvirt bridge device (or any bridge device which
NM does not "own").
At first I thought this was a NM problem but I now believe that this
should be fixed by libvirt.
I did some manual configuration to figure out what needed to be done so
that guest10 could use IPv6 to talk to another host on the real network.
1. You have defined a static route on the default router for
fd00:aa:bb::/48 to the virtual host.
2. You have a libvirt network defined with (for example)
fd00:aa:bb:10::/64 and a guest on that network with the address of
fd00:aa:bb:10::2/128. Let's say it is on virbr4.
3. Your secondary (isolated) virtual network is fd00:aa:bb:11::/64.
4. You need to issue firewalld commands so it will pass the additional
network on virbr4. These are of the form:
firewall-cmd --direct --passthrough ipv6 -I FORWARD 1 -d fd00:aa:bb:11::/64 -o virbr4 -j ACCEPT
firewall-cmd --direct --passthrough ipv6 -I FORWARD 1 -s fd00:aa:bb:11::/64 -i virbr4 -j ACCEPT
5. Create the route:
ip -6 route add fd00:aa:bb:11::/64 via fd00:aa:bb:10::2 dev virbr4 proto static metric 1
OK, that is what has to be done but I want libvirt to do all of this for
me after some simple configuration.
I propose adding a new optional xml-element to the <ip> element: <via>
<via> would be an exclusive alternate to <dhcp> and both <via> and
<dhcp> could not be used under a single <ip> definition. As implied by
the name, <via> would specify the gateway address which is to receive
the packets on the designated network.
Right now, if you specify an additional IPv6 address to a network
definition, you get the correct ip6tables rules but you also get a
ip-addr for that additional definition and an ip-route for the related
network. With <via>, this last part would be replaced with NO
additional ip-addr and a static route for the network to the gateway.
Anticipated code changes (besides the tests, schemas, and documentation)
are:
network_conf.c to handle the new <via> element.
virnetdev.c to create and issue the ip-6-route command.
bridge_driver.c to detect when an IPv6 address is a "via" and do the
ip-6-route instead of adding the address.
Although this is being done for IPv6, there is no reason not to make
sure it also works with IPv4.
Comments, suggestions appreciated.
Gene
11 years, 8 months
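The manual procedure in steps 1 to 5 above only works when the addressing is consistent: the isolated /64 must sit inside the /48 that the default router forwards to the virtual host, and the gateway guest must sit on the bridge's own /64, otherwise the return path from the real network never reaches it. The following is an added example, not code from Gene's post or from libvirt, that performs that pre-flight check and emits the step 4 and 5 commands instead of running them. The addresses are the ones from the post; the helper names prefix_covers and plan_isolated_route are this example's own.

```c
/* Added example (not from the post): sanity-check the static-route scheme
 * and print the firewall-cmd / ip -6 route commands for one isolated network. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "addr/len" (or a bare address, len = 128) into a 16-byte address. */
static int parse_cidr6(const char *text, struct in6_addr *addr, int *plen)
{
    char buf[64];
    char *slash;

    if (strlen(text) >= sizeof(buf))
        return -1;
    strcpy(buf, text);
    *plen = 128;
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        *plen = atoi(slash + 1);
        if (*plen < 0 || *plen > 128)
            return -1;
    }
    return inet_pton(AF_INET6, buf, addr) == 1 ? 0 : -1;
}

/* 1 if every address of `inner` is covered by `outer`, 0 if not, -1 on a parse error. */
int prefix_covers(const char *outer, const char *inner)
{
    struct in6_addr o, i;
    int olen, ilen, bit;

    if (parse_cidr6(outer, &o, &olen) < 0 || parse_cidr6(inner, &i, &ilen) < 0)
        return -1;
    if (ilen < olen)   /* a shorter prefix can never fit inside a longer one */
        return 0;
    for (bit = 0; bit < olen; bit++) {
        unsigned char mask = 0x80 >> (bit % 8);
        if ((o.s6_addr[bit / 8] & mask) != (i.s6_addr[bit / 8] & mask))
            return 0;
    }
    return 1;
}

/* Build the commands for steps 4 and 5 into `out`. Returns 0, or -1 when the
 * addressing would leave the isolated network unreachable from the real network. */
int plan_isolated_route(const char *site, const char *transit, const char *gateway,
                        const char *isolated, const char *bridge,
                        char *out, size_t outlen)
{
    int n;

    if (prefix_covers(site, isolated) != 1)    /* router's static route would not cover it */
        return -1;
    if (prefix_covers(transit, gateway) != 1)  /* next hop must be on the bridge's own /64 */
        return -1;
    n = snprintf(out, outlen,
        "firewall-cmd --direct --passthrough ipv6 -I FORWARD 1 -d %s -o %s -j ACCEPT\n"
        "firewall-cmd --direct --passthrough ipv6 -I FORWARD 1 -s %s -i %s -j ACCEPT\n"
        "ip -6 route add %s via %s dev %s proto static metric 1\n",
        isolated, bridge, isolated, bridge, isolated, gateway, bridge);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char cmds[512];

    if (plan_isolated_route("fd00:aa:bb::/48", "fd00:aa:bb:10::/64", "fd00:aa:bb:10::2",
                            "fd00:aa:bb:11::/64", "virbr4", cmds, sizeof(cmds)) < 0) {
        fprintf(stderr, "addressing plan is inconsistent\n");
        return 1;
    }
    fputs(cmds, stdout);
    return 0;
}
```

Running it prints the three commands from steps 4 and 5; swapping the isolated network for one outside fd00:aa:bb::/48 makes it refuse, which is the case where the guest would be able to send but never receive replies.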
[libvirt] This patch adds the label to lxc-enter-namespace
by Daniel J Walsh
lxc-enter-namespace allows a process from outside a container to start a
process inside a container. One problem with the current code is the process
running within the container would run with the label of the process that
created it.
For example if the admin process is running as unconfined_t and executes the
following command
# virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps
Note that the ps command is running as unconfined_t. After this patch:
virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps
I also add a --nolabel option to virsh, which goes back to the original
behaviour.
virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 37 ? 00:00:00 ps
One problem I had when I originally did the patch is that
lxcDomainGetSecurityLabel was returning the incorrect label: I needed the
label of the initpid within the container, not its parent process, so I
changed this function to match the OpenNamespaces function.
One last strangeness, about half the time I run this, virsh hangs and never
returns.
Seems like
if (conn->driver->domainGetSecurityLabel(domain,
seclabel) == 0) {
Gets hung up. I have attached the strace in out1.gz
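The two ps listings above are the whole test: before the patch one process inside the container carries a type other than svirt_lxc_net_t, afterwards none does. The following is an added example, not part of Dan's patch or of libvirt, that turns that eyeball check into code: it walks a `ps -eZ` listing, pulls the type out of each label and counts processes whose type differs from the container's. The listings embedded here are the ones quoted in the post; the function names label_type and count_foreign_types are this example's own.

```c
/* Added example (not from the patch): detect processes inside a container
 * whose SELinux type does not match the container's type. */
#include <stdio.h>
#include <string.h>

/* Copy the type field (third colon-separated component) of a label such as
 * "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023" into `type`. Returns 0 or -1. */
int label_type(const char *label, char *type, size_t typelen)
{
    const char *p = label, *end;
    int field;

    for (field = 0; field < 2; field++) {
        if ((p = strchr(p, ':')) == NULL)
            return -1;
        p++;
    }
    if ((end = strchr(p, ':')) == NULL)
        end = p + strlen(p);
    if ((size_t)(end - p) >= typelen || end == p)
        return -1;
    memcpy(type, p, (size_t)(end - p));
    type[end - p] = '\0';
    return 0;
}

/* Count processes in a `ps -eZ` listing whose type is not `expected`.
 * The header line (LABEL PID ...) is skipped. Returns the count, or -1 on a
 * malformed label. Zero is the state the patch establishes. */
int count_foreign_types(const char *listing, const char *expected)
{
    const char *line = listing;
    int count = 0;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char label[256], type[128];
        size_t n = 0;

        /* the label is the first whitespace-delimited token of the line */
        while (n < len && line[n] != ' ' && line[n] != '\t')
            n++;
        if (n > 0 && n < sizeof(label)) {
            memcpy(label, line, n);
            label[n] = '\0';
            if (strcmp(label, "LABEL") != 0) {
                if (label_type(label, type, sizeof(type)) < 0)
                    return -1;
                if (strcmp(type, expected) != 0)
                    count++;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Listings quoted in the post: before the patch (ps runs as unconfined_t) and after. */
const char *const PS_BEFORE =
    "LABEL PID TTY TIME CMD\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient\n"
    "staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps\n";

const char *const PS_AFTER =
    "LABEL PID TTY TIME CMD\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient\n"
    "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps\n";

int main(void)
{
    printf("foreign types before patch: %d\n", count_foreign_types(PS_BEFORE, "svirt_lxc_net_t"));
    printf("foreign types after patch:  %d\n", count_foreign_types(PS_AFTER, "svirt_lxc_net_t"));
    return 0;
}
```

The same function can be pointed at live output (`virsh -c lxc:/// lxc-enter-namespace <dom> -- /bin/ps -eZ`) from a monitoring job; any non-zero count means a process entered the container without taking the container's label.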
[libvirt] Libvirt and qemu multiqueue net
by Michal Privoznik
It's been a while since qemu added support for multiqueue virtio-net.
For more info follow [1]. From usage POV, libvirt is required to pass
multiple FDs:
qemu-kvm -netdev tap,id=hn0,fds=x:y:...:z,vhost=on,vhostfds=a:b:...:c
-device virtio-net-pci,netdev=hn0,vectors=N ...
where count(x:...:z) = M. We are strongly advised to use 1:1 ratio => M=N.
The FDs for 'fds' argument can be obtained via (with ifr.ifr_name = "tap"
and ifr.ifr_flags = IFF_TAP | IFF_MULTI_QUEUE):
fd1 = open("/dev/net/tun", O_RDWR)
ioctl(fd1, TUNSETIFF, &ifr)   /* creates the tap; fd1 is its first queue */
fd2 = open("/dev/net/tun", O_RDWR)
ioctl(fd2, TUNSETIFF, &ifr)   /* same name with IFF_MULTI_QUEUE attaches fd2 as a further queue */
And what I am wondering about is, how to expose this to XML. Or do we
even want to expose this instead of some smart automatic setting? There
are not any other configurable knobs right now, but they may come in the
future.
Michal
1: http://www.linux-kvm.org/page/Multiqueue
[libvirt] we can't build a new libvirt package (error 1)
by Erdembileg. G
Hi,
I installed Xen 4.2.1-4.el6 on CentOS 6.4. The kernel version
is 3.8.2-3.el6xen.x86_64. The libvirt version is libvirt-0.10.2-18.el6.
Configure and installation were OK before this. But I can't build a new libvirt
package.
PASS: test_conf.sh
PASS: cpuset
PASS: define-dev-segfault
PASS: int-overflow
PASS: libvirtd-fail
PASS: libvirtd-pool
PASS: read-bufsiz
PASS: read-non-seekable
PASS: start
PASS: vcpupin
TEST: virsh-all
........................................ 40
........................................ 80
........................................ 120
........................................ 160
................................. 193 OK
PASS: virsh-all
PASS: virsh-optparse
PASS: virsh-schedinfo
PASS: virsh-synopsis
PASS: virsh-undefine
=======================================
1 of 71 tests failed
(1 test was not run)
Please report to libvir-list(a)redhat.com
=======================================
make[1]: *** [check-TESTS] Error 1
make[1]: Leaving directory `/root/rpmbuild/BUILD/libvirt-0.10.2/tests'
make: *** [check-am] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.rsnyPA (%check)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.rsnyPA (%check)
[root@xebin SPECS]#
--
Best Regards,
Erdembileg.G
[libvirt] [PATCH] audit: Audit operations done by using VirtIO RNG
by Peter Krempa
This patch adds auditing of resources used by the 'random' backend of
virtio RNG.
---
If there's desire to audit also use of the "egd" backend that uses a
generic character device, a way to audit this device will need to be
introduced. We don't audit usage of chardevs right now.
src/conf/domain_audit.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 76 insertions(+)
diff --git a/src/conf/domain_audit.c b/src/conf/domain_audit.c
index 8cd522a..c80bdb4 100644
--- a/src/conf/domain_audit.c
+++ b/src/conf/domain_audit.c
@@ -100,6 +100,79 @@ cleanup:
}
+static void
+virDomainAuditRNG(virDomainObjPtr vm,
+ virDomainRNGDefPtr newDef, virDomainRNGDefPtr oldDef,
+ const char *reason, bool success)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ char *vmname;
+ char *oldsrc = NULL;
+ char *newsrc = NULL;
+ const char *virt;
+
+ virUUIDFormat(vm->def->uuid, uuidstr);
+ if (!(vmname = virAuditEncode("vm", vm->def->name)))
+ goto no_memory;
+
+ if (!(virt = virDomainVirtTypeToString(vm->def->virtType))) {
+ VIR_WARN("Unexpected virt type %d while encoding audit message", vm->def->virtType);
+ virt = "?";
+ }
+
+ if (newDef) {
+ switch (newDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(newsrc = virAuditEncode("new-rng", VIR_AUDIT_STR(newDef->source.file))))
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(newsrc = virAuditEncode("new-rng", "?")))
+ goto no_memory;
+ }
+
+ if (oldDef) {
+ switch (oldDef->backend) {
+ case VIR_DOMAIN_RNG_BACKEND_RANDOM:
+ if (!(oldsrc = virAuditEncode("old-rng", VIR_AUDIT_STR(oldDef->source.file))))
+ goto no_memory;
+ break;
+
+ case VIR_DOMAIN_RNG_BACKEND_EGD:
+ case VIR_DOMAIN_RNG_BACKEND_LAST:
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ break;
+ }
+ } else {
+ if (!(oldsrc = virAuditEncode("old-rng", "?")))
+ goto no_memory;
+ }
+
+ VIR_AUDIT(VIR_AUDIT_RECORD_RESOURCE, success,
+ "virt=%s resrc=rng reason=%s %s uuid=%s %s %s",
+ virt, reason, vmname, uuidstr,
+ oldsrc, newsrc);
+
+cleanup:
+ VIR_FREE(vmname);
+ VIR_FREE(oldsrc);
+ VIR_FREE(newsrc);
+ return;
+
+no_memory:
+ VIR_WARN("OOM while encoding audit message");
+ goto cleanup;
+}
+
+
void
virDomainAuditFS(virDomainObjPtr vm,
virDomainFSDefPtr oldDef, virDomainFSDefPtr newDef,
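Review bot: the `switch (newDef->backend)` block and the `switch (oldDef->backend)` block below it are identical apart from the "new-rng"/"old-rng" key, and each `else` branch repeats the "?" encoding once more; a small static helper taking the def pointer and the key would cut virDomainAuditRNG roughly in half and keep the two copies from drifting when a third backend is added. Related: an absent device and an EGD device both land in the log as `old-rng=?`/`new-rng=?`, so a reader of the audit trail cannot tell "no RNG before this operation" from "EGD RNG whose chardev we do not audit yet"; a distinct marker for the EGD case (even a fixed string such as "egd") would preserve that information at no cost. The `VIR_DOMAIN_RNG_BACKEND_LAST` arm is fine as the switch's exhaustiveness guard.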
@@ -641,6 +714,9 @@ virDomainAuditStart(virDomainObjPtr vm, const char *reason, bool success)
virDomainAuditRedirdev(vm, redirdev, "start", true);
}
+ if (vm->def->rng)
+ virDomainAuditRNG(vm, vm->def->rng, NULL, "start", true);
+
virDomainAuditMemory(vm, 0, vm->def->mem.cur_balloon, "start", true);
virDomainAuditVcpu(vm, 0, vm->def->vcpus, "start", true);
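Review bot: only the start path gains a call, `virDomainAuditRNG(vm, vm->def->rng, NULL, "start", true);`, yet the new function takes both an old and a new definition and a free-form reason, which is the shape used for hotplug/unplug and stop auditing elsewhere in this file. If an RNG device can be attached or detached on a running domain, or if the stop path audits resources being released, those paths need matching calls so the resource's lifetime is recorded at both ends; if it cannot yet be hotplugged, a comment saying so would explain the unused oldDef parameter.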
--
1.8.1.5
[libvirt] [PATCH v3 0/3] Keep original file label
by Michal Privoznik
Yet another rework of $subj. I am still not solving atomicity
problem for now. See diff to the patches if you want to know
what's changed.
Michal Privoznik (3):
virFile: Add APIs for extended attributes handling
virfile: Introduce internal API for managing ACL
security_dac: Favour ACLs over chown()
configure.ac | 2 +
libvirt.spec.in | 1 +
m4/virt-acl.m4 | 9 ++
src/Makefile.am | 4 +-
src/libvirt_private.syms | 6 +
src/security/security_dac.c | 209 ++++++++++++++++++++++++++-----
src/util/virfile.c | 290 ++++++++++++++++++++++++++++++++++++++++++++
src/util/virfile.h | 23 ++++
8 files changed, 515 insertions(+), 29 deletions(-)
create mode 100644 m4/virt-acl.m4
--
1.8.1.5
[libvirt] [PATCH] Add missing break in LXC loop device setup
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
When setting up disks with loop devices for LXC, one of the
switch cases was missing a 'break' causing it to fallthrough
to an error condition.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_controller.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index ce46070..128271f 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -448,6 +448,7 @@ static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
fd = virLXCControllerSetupLoopDeviceDisk(disk);
if (fd < 0)
goto cleanup;
+ break;
default:
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
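Review bot: the added `break;` is the right fix, and it is worth recording in the commit message what the fallthrough actually did: by the time control reached `default:`, `virLXCControllerSetupLoopDeviceDisk(disk)` had already associated a loop device and handed back its fd, so the `goto cleanup` both reported a misleading "disk format ... is not supported" for a valid raw disk and leaked that fd (the association code in the parent patch on this list only closes the fd on the VIR_EXPAND_N failure path). A test that defines a `<disk type='file'>` with raw format and checks the controller reaches "Setup all loop devices" would keep this from regressing.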
--
1.8.1.4
[libvirt] using virSetUIDGID() with unprivileged qemu defeats setuid helper
by Csaba Henk
Hi,
I recently experienced that my qemu guest (which I'm using with
unprivileged user) fails to start with:
error: internal error process exited while connecting to monitor: chardev: opening backend "pty" failed
This happens upon trying to facilitate the
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
stanzas, for which qemu wants to grab a pty through openpty(3).
openpty needs the assigned pty to be chown'd to the qemu
user, which is attempted via running the setuid helper program
pt_chown. However, chown(2) fails with EPERM.
The culprit seems to be the commits
v1.0.3-rc1~113: util: virSetUIDGIDWithCaps - change uid while keeping caps
v1.0.3-rc1~112: util: maintain caps when running command with uid != 0
which change how capabilities are manipulated before program execution.
Just immediately before the execve(2) call, the qemu process used to have
the following capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
since said commits, it looks like:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffe000000000
as far as my capability-noob eyes can see, the bounding set lacks CAP_CHOWN
and thus pt_chown won't attain CAP_CHOWN despite running on uid 0, and the
EPERM is triggered.
How could we fix it? Should the qemu invocation be customized, or virExec() adjusted?
Or is there some configuration workaround?
(For the record, I've seen it on Arch Linux; tried their binary package and also
my own builds, which included a current git checkout.)
Thanks
Csaba
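The diagnosis above rests on reading the CapBnd line of /proc/<pid>/status by eye. The following is an added example, not from this thread or from libvirt, that decodes those lines programmatically: it parses the Cap* fields out of a status dump and reports whether a given capability bit is present, so the "bounding set lacks CAP_CHOWN" claim can be checked for any pid (cat /proc/<pid>/status into it). The status snippets embedded here are constructed from the two value sets quoted in the post; CAP_CHOWN is capability 0 as defined in linux/capability.h, and the function names are this example's own.

```c
/* Added example (not from the thread): decode CapInh/CapPrm/CapEff/CapBnd
 * from /proc/<pid>/status and test individual capability bits. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_CHOWN 0   /* value from linux/capability.h */

/* Parse a 64-bit hex mask as printed in /proc/<pid>/status. Returns 0 or -1. */
int parse_cap_mask(const char *hex, uint64_t *mask)
{
    char *end;

    if (!hex || !*hex)
        return -1;
    errno = 0;
    *mask = strtoull(hex, &end, 16);
    if (errno || end == hex || *end != '\0')
        return -1;
    return 0;
}

/* Locate "<field>:<whitespace><hex>" in a status dump and parse the mask.
 * Returns 0, or -1 if the field is missing or malformed. */
int status_cap_field(const char *status, const char *field, uint64_t *mask)
{
    const char *line = status;
    size_t flen = strlen(field);

    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *hex = line + flen + 1;
            char buf[32];
            size_t n = 0;

            while (*hex == ' ' || *hex == '\t')
                hex++;
            while (n < sizeof(buf) - 1 && isxdigit((unsigned char)hex[n])) {
                buf[n] = hex[n];
                n++;
            }
            buf[n] = '\0';
            return parse_cap_mask(buf, mask);
        }
        if ((line = strchr(line, '\n')) != NULL)
            line++;
    }
    return -1;
}

/* 1 if capability `cap` (0..63) is set in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1);
}

/* Number of capability bits below `ncaps` that `mask` does not contain. */
int count_missing_caps(uint64_t mask, int ncaps)
{
    int cap, missing = 0;

    for (cap = 0; cap < ncaps && cap < 64; cap++)
        if (!cap_in_mask(mask, cap))
            missing++;
    return missing;
}

/* Constructed status snippets using the two CapBnd values quoted in the post. */
const char *const STATUS_BEFORE_COMMITS =
    "Name:\tqemu-system-x86\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\tffffffffffffffff\n";

const char *const STATUS_AFTER_COMMITS =
    "Name:\tqemu-system-x86\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\tffffffe000000000\n";

int main(void)
{
    uint64_t bnd;

    if (status_cap_field(STATUS_AFTER_COMMITS, "CapBnd", &bnd) < 0) {
        fprintf(stderr, "no CapBnd line\n");
        return 1;
    }
    printf("CapBnd=%016llx CAP_CHOWN %s, %d of the first 37 capabilities missing\n",
           (unsigned long long)bnd, cap_in_mask(bnd, CAP_CHOWN) ? "present" : "absent",
           count_missing_caps(bnd, 37));
    return 0;
}
```

Because a setuid-root helper such as pt_chown gains only capabilities that remain in the bounding set across execve, an empty bit 0 in CapBnd is exactly what turns its chown(2) into EPERM, which is why the check is on CapBnd rather than on CapEff of the unprivileged qemu process.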
[libvirt] [PATCH] Add support for disks backed by plain files in LXC
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
By using a loopback device, disks backed by plain files can
be made available to LXC containers. We make no attempt to
auto-detect format if <driver type="raw"/> is not set,
instead we unconditionally treat that as meaning raw. This
is to avoid the security issues inherent with format
auto-detection.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_controller.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 65 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index a7e715e..176e1be 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -356,7 +356,7 @@ static int virLXCControllerValidateConsoles(virLXCControllerPtr ctrl)
}
-static int virLXCControllerSetupLoopDevice(virDomainFSDefPtr fs)
+static int virLXCControllerSetupLoopDeviceFS(virDomainFSDefPtr fs)
{
int lofd;
char *loname = NULL;
@@ -377,6 +377,27 @@ static int virLXCControllerSetupLoopDevice(virDomainFSDefPtr fs)
}
+static int virLXCControllerSetupLoopDeviceDisk(virDomainDiskDefPtr disk)
+{
+ int lofd;
+ char *loname = NULL;
+
+ if ((lofd = virFileLoopDeviceAssociate(disk->src, &loname)) < 0)
+ return -1;
+
+ /*
+ * We now change it into a block device type, so that
+ * the rest of container setup 'just works'
+ */
+ disk->type = VIR_DOMAIN_DISK_TYPE_BLOCK;
+ VIR_FREE(disk->src);
+ disk->src = loname;
+ loname = NULL;
+
+ return lofd;
+}
+
+
static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
{
size_t i;
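Review bot: virLXCControllerSetupLoopDeviceDisk rewrites `disk->type` to VIR_DOMAIN_DISK_TYPE_BLOCK and replaces `disk->src` with the loop device path before its caller has stored the returned fd, so on the caller's VIR_EXPAND_N failure path (which closes the fd) the definition is left describing a block device whose loop association is gone. That is harmless if cleanup always tears the whole controller down, but the in-place mutation of the domain definition deserves a sentence in the comment, and the `loname = NULL;` after the assignment is redundant since loname is never used again.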
@@ -389,7 +410,7 @@ static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
if (fs->type != VIR_DOMAIN_FS_TYPE_FILE)
continue;
- fd = virLXCControllerSetupLoopDevice(fs);
+ fd = virLXCControllerSetupLoopDeviceFS(fs);
if (fd < 0)
goto cleanup;
@@ -402,6 +423,48 @@ static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
ctrl->loopDevFds[ctrl->nloopDevs - 1] = fd;
}
+ for (i = 0 ; i < ctrl->def->ndisks ; i++) {
+ virDomainDiskDefPtr disk = ctrl->def->disks[i];
+ int fd;
+
+ if (disk->type != VIR_DOMAIN_DISK_TYPE_FILE)
+ continue;
+
+ switch (disk->format) {
+ /* We treat 'none' as meaning 'raw' since we
+ * don't want to go into the auto-probing
+ * business for security reasons
+ */
+ case VIR_STORAGE_FILE_RAW:
+ case VIR_STORAGE_FILE_NONE:
+ if (disk->driverName &&
+ STRNEQ(disk->driverName, "loop")) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("disk driver %s is not supported"),
+ disk->driverName);
+ goto cleanup;
+ }
+
+ fd = virLXCControllerSetupLoopDeviceDisk(disk);
+ if (fd < 0)
+ goto cleanup;
+
+ default:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("disk format %s is not supported"),
+ virStorageFileFormatTypeToString(disk->format));
+ goto cleanup;
+ }
+
+ VIR_DEBUG("Saving loop fd %d", fd);
+ if (VIR_EXPAND_N(ctrl->loopDevFds, ctrl->nloopDevs, 1) < 0) {
+ VIR_FORCE_CLOSE(fd);
+ virReportOOMError();
+ goto cleanup;
+ }
+ ctrl->loopDevFds[ctrl->nloopDevs - 1] = fd;
+ }
+
VIR_DEBUG("Setup all loop devices");
ret = 0;
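Review bot: the `case VIR_STORAGE_FILE_RAW:` / `case VIR_STORAGE_FILE_NONE:` arm has no `break;` after `fd = virLXCControllerSetupLoopDeviceDisk(disk);`, so a successful association falls into `default:`, reports "disk format raw is not supported" and jumps to cleanup with the just-returned loop fd never closed; add `break;` before `default:` (the follow-up "Add missing break in LXC loop device setup" on this list does exactly that). Two smaller points: the "We treat 'none' as meaning 'raw'" comment sits between `switch` and the first `case`, where it reads as a stray statement, and belongs above the `case VIR_STORAGE_FILE_RAW:` label; and the `STRNEQ(disk->driverName, "loop")` check silently accepts a missing driverName, which is consistent with treating an unset format as raw but should be stated in the error message or the commit text.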
--
1.7.11.7
[libvirt] [PATCH] util: escapes special characters in VIR_LOG_REGEX
by Guannan Ren
In debug mode, this bug caused the VM to fail to start:
error: Failed to start domain rhel5u9
error: internal error Out of space while reading console log output:
...
---
src/util/virlog.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virlog.c b/src/util/virlog.c
index 130bdff..957d993 100644
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -80,7 +80,7 @@ static regex_t *virLogRegex = NULL;
#define VIR_LOG_DATE_REGEX "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]"
-#define VIR_LOG_TIME_REGEX "[0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9]"
+#define VIR_LOG_TIME_REGEX "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.[0-9][0-9][0-9]\\+[0-9][0-9][0-9][0-9]"
#define VIR_LOG_PID_REGEX "[0-9]+"
#define VIR_LOG_LEVEL_REGEX "debug|info|warning|error"
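Review bot: the escaping is correct for the POSIX ERE that regex_t compiles, and the commit message should say why it fixes the symptom: in the old pattern `.` matched any character and the unescaped `+` turned `[0-9][0-9][0-9]+` into a quantifier, so the pattern required seven consecutive digits after the seconds and could never match a timestamp such as 12:34:56.123+0000; the log prefix was therefore never stripped from console output, which is what surfaced as "Out of space while reading console log output". One caveat: the new pattern hard-codes a literal `\\+` for the offset sign; if libvirt always emits the timestamp as +0000 that is fine, otherwise `[+-]` would also cover negative offsets.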
--
1.7.11.2