January 2007 - Devel - libvirt List Archives

Re: [Libvir] Authenticate APIs ?
by Richard W.M. Jones 15 Jan '07

15 Jan '07

[Apologies that this is not threaded with the original post] > Following on from the issue of certificate management, is the issue of > authentication. This hasn't been an issue thus far, because Xen has zero > authentication. I'm not planning to make this same mistake with the QEMU > management daemon though - its going to have a secure data transport and > real authentication from day-1. Thus we need to consider how authentication > is exposed at the libvirt client API layer. > > First off, there are many possible authentication approaches: > > - Username + password > - Username + one time key > - Username + password digest > - Kerberos tickets > - x509 certificates > - ...etc I would definitely avoid over-engineering a solution. I suspect that "large corp" users will understand certificate infrastructures -- they probably already use X.509 client certificates to authenticate desktops -- and will be able to manage those. Everyone else will want to use ssh, the model for that being the way cvs allows you to flexibly hand over authentication problems to an external program through setting the $CVS_RSH environment variable. It's so easy to set up ssh to get passwordless remote logins. If they haven't set that up, and they're using libvirt through a command line tool like virsh then they'll get a prompt from ssh to type a password. ssh also has the advantage that it is very widely installed. The only issue is what command to run on the remote system. A simple command line tool which talks to the daemon over a socket might be one option. nc (netcat), gnutls_cli or stunnel might work too. Rich. -- Red Hat UK Ltd. 64 Baker Street, London, W1U 7DF Mobile: +44 7866 314 421 (will change soon)

2 1

[Libvir] Certificate management APIs ?
by Daniel P. Berrange 15 Jan '07

15 Jan '07

I now have the QEMU backend working with full wire encryption using the TLS protocol, and so ready to start thinking about various authentication related issues. - The client needs to have the certificate of the CA in order to validate the signature on the remote server's certificate (aka, just like web browsers need a set of CA certificates) Currently I just have it loading 'cert.pem' out of the current working directory of the app using libvirt. Obviously this is not a real solution. - The client technically should have a certificate revocation list too. Again I currently load this out of current working dir - The server end can optionally require the client to present a certificate too, as its means of authenticating the client. This obviously requires a way of specifying the client certificate and secret key in libvirt when opening the connection. - The first time it connects to a server, the client validates the server's certificate against the CA certificate, and remote hostname. Web browsers will also typically display the certificate to the user and ask them to allow one-time, allow permanently, or reject it. This would require a way to pass the certificate back to the client app during the virConnectOpen call. The above is all related to x509 certificates. So we basically have 5 types of file we need to store / provide to libvirt when opening a connection: - Certificate Authority's certificate - Certificate Authority's certificate revocation list - Client secret key - Client certificate - Trusted server certificates And some form of callback to let the client app validate the server certificate. As a rough stab at an API my thoughts are: typedef enum { VIR_CERT_CA_CERT, VIR_CERT_CA_CRL, VIR_CERT_CLIENT_KEY, VIR_CERT_CLIENT_CERT, } virConnectCertDataType; /** * dataType: one of the virConnectCertDataType constants * data: base64, PEM encoded certificate/key data */ int virConnectAddCertData(int dataType, const char *data); /** * dataType: one of the virConnectCertDataType constants * dataFile: file containing base64, PEM encoded certificate/key data */ int virConnectAddCertDataFile(int dataType, const char *dataFile); Virt-manager would use the latter API to load in its client certificate, CA certs, etc to libvirt prior to opening a connection to a TLS enabled server. This means libvirt doesn't have to make the policy on where to store its client cert data. On the otherhand, we probably want the files to be in a common location for virsh & virt-manager so both can use the same data. On yet another hand, virt-manager will also likely end up using TLS to connect to VNC, so needs access to the files independant on libvirt / virsh for that. So we should probably have these flexible APIs, but recommend that all apps use a pre-defined directory unless they have a particular need not to, eg $HOME/.libvirt/tls/ | +- ca | | | +- cert.pem | +- ca-crl.pem | +- client | | | +- cert.pem | +- key.pem | +- server | +- trusted.pem /** * hostname: canonical name of remote host providing certiifcate * cert: base64, PEM encoded certificate data * * Invoked to let client application decide whether to accept a * server certificate. The certificate wil already have been * validated against the CA cert, and its expiration date, etc * checked. This callback is intended to allow the end user to * accept/reject the certificate. The trusted flag indicates * whether the server is present in the list of known servers. */ typedef int (*virConnectCertificateValidator)(const char *hostname, const char *cert); int virConnectSetCertificateValidator(virConnectCertificateValidator cb) The applications like virt-manager would probably want to present the certificate details to the user for validation, also optionally maintaining a list of previously trusted server certs. Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

2 2

[Libvir] Authenticate APIs ?
by Daniel P. Berrange 15 Jan '07

15 Jan '07

Following on from the issue of certificate management, is the issue of authentication. This hasn't been an issue thus far, because Xen has zero authentication. I'm not planning to make this same mistake with the QEMU management daemon though - its going to have a secure data transport and real authentication from day-1. Thus we need to consider how authentication is exposed at the libvirt client API layer. First off, there are many possible authentication approaches: - Username + password - Username + one time key - Username + password digest - Kerberos tickets - x509 certificates - ...etc So of these require prompting the user for data (eg username / password), others will pick up their credentials from known sources (eg, the keberos ticket cache file in /tmp/krbXXX), or have to be provided ahead of time as part of the transport layer securit protocol (eg the x509 certificate file). We don't have to consider the latter case, since that's taken care of by the certificate management API - unless we want to figure out a more unified API, but I'm not sure it would be particularly sane. The interesting case from an API point of view is the first, which requires prompting the user for data. This is pretty much the PAM approach, with the added complication that you're in the middle of a network protocol and you may have several wire messages going back & forth, each time requesting more pieces of info. ie you can't possibly gather the neccessary info ahead of time. So we need some form of callback to collect the neccessary auth data. The network protocol equivalent of PAM is SASL. This actually has a number of different types of callback function yuou can register, depending on what sort of data you're prepared to provide as a client - Challenge / response: - const char *challenge - const char *prompt - const char *defresult, - const char **result, - unsigned *len - Password, username, language - const char **result - unsigned *len - AUthentication realm - const char **availrealms, - const char **result There are a few more auth callback types defined in SASL spec, which I've omitted here for brevity. We could map this onto an API something like this: enum { VIR_CONN_AUTH_PASSWORD, VIR_CONN_AUTH_USERNAME, VIR_CONN_AUTH_LANG, VIR_CONN_AUTH_CHALLENGE, VIR_CONN_AUTH_REALM, } virConnectAuthToken; typedef int (virConnectAuthCBSimple)(const char **result, unsigned *len); typedef int (virConnectAuthCBPrompt)(const char *challenge, const char *prompt, const char *defresult, const char *result, unsigned *len); typedef int (virConnetAuthCBRealm)(const char **availrealms, const char *result); typedef struct { int token; union { virConnectAuthCBSimple simple; virConnectAuthCBPrompt prompt; virConnectAuthCBRealm realm; } cb; } virConnectAuthCallback; int virConnectSetAuthCallbacks(virConnectAuthCallback *cbs, int ncbs); Now, of course not everything is going to be SASL based - Xen may well end up using TLS/SSL + HTTP Basic auth. There's a couple of other HTTP related auth protocols too. They are all basically a subset of SASL provides, so the above API ought to be sufficient to serve their auth needs too. Finally, one could simply say, this is all rather complicated, why don't we just use a simple username+password for everything. While this would be nice from a coding POV, I think we need to be forward looking and ensure we're setup to cope with things like Kerberos single-sign-on. This is why I'm looking at SASL for the QEMU authentication process - if you use libsasl.so you're app doesn't even need to know what auth method it is using - the admin can simple create an appropriate config file for sasl, and bingo you're fully kerberized & single sign-on capable. Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

2 2

[Libvir] Availability of the Relax-NG schemas for libvirt XML instances
by Daniel Veillard 12 Jan '07

12 Jan '07

As hinted previously in the QEmu thread, I developped a Relax-NG schemas to check the XML instances used to define Domains in libvirt. It's in CVS in the docs directory and also available online at http://libvirt.org/libvirt.rng For those not familiar with Relax-NG there is a nice tutorial and docs at http://relaxng.org/ Libxml2 on which libvirt depends has support for Relax-NG so we could easilly add checking at domain creation time within the library, but I decided to not add this at the moment, at least the schemas need to get more testing itself. The simplest to validate existing XML instances is to use the command line tool of libxml2 named xmllint in the following way: paphio:~/libvirt/tests -> xmllint --noout --relaxng ../docs/libvirt.rng xml2sexprdata/xml2sexpr-disk-drv-blkback.xml xml2sexprdata/xml2sexpr-disk-drv-blkback.xml validates paphio:~/libvirt/tests -> The schemas try to validate content as much as possible, but it's not possible to validate really in a complete fashion, for example to validate an IP address I used the following type: <define name='addrIP'> <data type='string'> <param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param> </data> </define> which will catch '192.618.0.254' as erroneous but not '192.168.0.264' . There is also a number of cases which are structure related but hard to express cleanly in a schemas for example the fact that we may have an emulator description in the device list but that it's should only be allowed in an hvm kind of configuration. Still despite the limitations I found 2 weirdness: - we allow both <os> and <bootloader> blocks to be present, but I think they are redundant, I remember that Xen will ignore the bootloader informations if the os description is there, shouldn't we ban having both in a domain description ? e.g. tests/sexpr2xmldata/sexpr2xml-curmem.xml in the tree I still allowed this in the schemas but this may be wrong. - I though an interface of type ethernet needed a source description, but the output tests/sexpr2xmldata/sexpr2xml-net-routed.xml seems to miss both the source and target of the interface though the device is present in tests/sexpr2xmldata/sexpr2xml-net-routed.sexpr as (dev 'eth3') this probably indicates our conversion from sexpr to xml is lossy there. currently tests/sexpr2xmldata/sexpr2xml-net-routed.xml is the only example from our regression tests which doesn't pass the schemas testing. In general the schemas is both stricter than libvirt itself (as libvirt will only pick the parts of the XML it recognizes and need) and still allows some invalid constructs, I guess it's nearly impossible to make it a one to one match but I hope this can still be useful both for client tools, regression testings, and as another source of documentation. I still need to update the libvirt documentation, the XML page had some omissions and document the availability of the schemas and find its place when doing a 'make install', Daniel -- Red Hat Virtualization group http://redhat.com/virtualization/ Daniel Veillard | virtualization library http://libvirt.org/ veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/

2 1

[Libvir] Bug in the virDomainGetInfo() API of libvirt 0.1.9 with Xen 3.0.3
by Philippe Berthault 12 Jan '07

12 Jan '07

The maxMem field of the virDomainInfo structure is given in bytes instead of Kbytes when the domain is 0 (Domain-0). With others domains, the value of maxMem is correct. Exemple with virsh: On a system with 4 GB memory, virsh reports: # virsh dominfo 0 ... Max memory: 4294967292 kB With the same libvirt version 0.1.9 but with an older Xen (not 3.0.3), the maxMem value of Domain-0 is correct.

3 7

[Libvir] Question about libvirt integration into RHEL-5
by Philippe Berthault 11 Jan '07

11 Jan '07

Hello, Currently, the libvirt integrated into RHEL-5 beta release is the pretty old 0.1.8 version. Could you confirm that in the first release candidate RHEL-5 RC1 (planned february, 28), the libvirt will be the 0.1.8 version or another one ? Thanks.

3 8

[Libvir] PATCH 0/2: Support QEMU (+KVM) in libvirt
by Daniel P. Berrange 09 Jan '07

09 Jan '07

The following series of (2) patches adds a QEMU driver to libvirt. The first patch provides a daemon for managing QEMU instances, the second provides a driver letting libvirt manage QEMU via the daemon. Basic architecture ------------------ The reason for the daemon architecture is two fold: - At this time, there is no (practical) way to enumerate QEMU instances, or reliably connect to the monitor console of an existing process. There is also no way to determine the guest configuration associated with a daemon. - It is desirable to be able to manage QEMU instances using either an unprivilegd local client, or a remote client. The daemon can provide connectivity via UNIX domain sockets, or IPv4 / IPv6 and layer in suitable authentication / encryption via TLS and/or SASL protocols. Anthony Ligouri is working on patches for QEMU with the goal of addressing the first point. For example, an extra command line argument will cause QEMU to save a PID file and create a UNIX socket for its monitor at a well-defined path. More functionality in the monitor console will allow the guest configuration to be reverse engineered from a running guest. Even with those patches, however, it will still be desirable to have a daemon to provide more flexible connectivity, and to facilitate implementation libvirt APIs which are host (rather than guest) related. Thus I expect that over time we can simply enhance the daemon to take advantage of newer capabilities in the QEMU monitor, but keep the same basic libvirt driver architecture. Considering some of the other hypervisor technologies out there, in particular User Mode Linux, and lhype, it may well become possible to let this QEMU daemon also provide the management of these guests - allowing re-use of the single driver backend in the libvirt client library itself. XML format ---------- As discussed in the previous mail thread, the XML format for describing guests with the QEMU backend is the same structure as that for Xen guests, with following enhancements: - The 'type' attribute on the top level <domain> tag can take one of the values 'qemu', 'kqemu' or 'kvm' instead of 'xen'. This selects between the different virtualization approaches QEMU can provide. - The '<type>' attribute within the <os> block of the XML (for now) is still expected to the 'hvm' (indicating full virtualization), although I'm trying to think of a better name, since its not technically hardware accelerated unless you're using KVM - The '<type>' attribute within the <os> block of the XML can have two optional 'arch' and 'machine' attributes. The former selects the CPU architecture to be emulated; the latter the specific machine to have QEMU emulate (determine those supported by QEMU using 'qemu -M ?'). - The <kernel>, <initrd>, <cmdline> elements can be used to specify an explicit kernel to boot off[1], otherwise it'll do a boot of the cdrom, harddisk / floppy (based on <boot> element). Well,the kernel bits are parsed at least. I've not got around to using them when building the QEMU argv yet. - The disk devices are configured in same way as Xen HVM guests. eg you have to use hda -> hdd, and/or fda -> fdb. Only hdc can be selected as a cdrom device. - The network configuration is work in progress. QEMU has many ways to setup networking. I use the 'type' attribute to select between the different approachs 'user', 'tap', 'server', 'client', 'mcast' mapping them directly onto QEMU command line arguments. You can specify a MAC address as usual too. I need to implement auto-generation of MAC addresses if omitted. Most of them have extra bits of metadata though which I've not figured out appropriate XML for yet. Thus when building the QEMU argv I currently just hardcode 'user' networking. - The QEMU binary is determined automatically based on the requested CPU architecture, defaulting to i686 if non specified. It is possible to override the default binary using the <emulator> element within the <devices> section. This is different to previously discussed, because recent work by Anthony merging VMI + KVM to give paravirt guests means that the <loader> element is best kept to refer to the VMI ROM (or other ROM like files :-) - this is also closer to Xen semantics anyway. Connectivity ------------ The namespace under which all connection URIs come is 'qemud'. Thereafter there are several options. First, two well-known local hypervisor connections - qemud:///session This is a per-user private hypervisor connection. The libvirt daemon and qemu guest processes just run as whatever UNIX user your client app is running. This lets unprivileged users use the qemu driver without needing any kind admin rights. Obviously you can't use KQEMU or KVM accelerators unless the /dev/ device node is chmod/chown'd to give you access. The communication goes over a UNIX domain socket which is mode 0600 created in the abstract namespace at $HOME/.qemud.d/sock. - qemud:///system This is a system-wide privileged hypervisor connection. There is only one of these on any given machine. The libvirt_qemud daemon would be started ahead of time (by an init script), possibly running as root, or maybe under a dedicated system user account (and the KQEMU/KVM devices chown'd to match). The admin would optionally also make it listen on IPv4/6 addrs to allow remote communication. (see next URI example) The local communication goes over one of two possible UNIX domain sockets Both in the abstract namespace under the directory /var/run. The first socket called 'qemud' is mode 0600, so only privileged apps (ie root) can access it, and gives full control capabilities. The other called 'qemud-ro' is mode 0666 and any clients connecting to it will be restricted to only read-only libvirt operations by the server. - qemud://hostname:port/ This lets you connect to a daemon over IPv4 or IPv6. If omitted the port is 8123 (will probably change it). This lets you connect to a system daemon on a remote host - assuming it was configured to listen on IPv4/6 interfaces. Currently there is zero auth or encryption, but I'm planning to make it mandortory to use the TLS protocol - using the GNU TLS library. This will give encryption, and mutual authentication using either x509 certificates or PGP keys & trustdbs or perhaps both :-) Will probably start off by implementing PGP since I understand it better. So if you wanted to remotely manage a server, you'd copy the server's certificate/public key to the client into a well known location. Similarly you'd generate a keypair for the client & copy its public key to the server. Perhaps I'll allow clients without a key to connect in read-only mode. Need to prototype it first and then write up some ideas. Server architecture ------------------- The server is a fairly simple beast. It is single-threaded using non-blocking I/O and poll() for all operations. It will listen on multiple sockets for incoming connections. The protocol used for client-server comms is a very simple binary message format close to the existing libvirt_proxy. Client sends a message, server receives it, performs appropriate operation & sends a reply to the client. The client (ie libvirt driver) blocks after sending its message until it gets a reply. The server does non-blocking reads from the client buffering until it has a single complete message, then processes it and populates the buffer with a reply and does non-blocking writes to send it back to the client. It won't try to read a further message from the client until its sent the entire reply back. ie, it is a totally synchronous message flow - no batching/pipelining of messages. During the time the server is processes a message it is not dealing with any other I/O, but thus far all the operations are very fast to implement, so this isn't a serious issue, and there ways to deal with it if there are operations which turn out to take a long time. I certainly want to avoid multi-threading in the server at all costs! As well as monitoring the client & client sockets, the poll() event loop in the server also captures stdout & stderr from the QEMU processes. Currently we just dump this to stdout of the daemon, but I expect we can log it somewhere. When we start accessing the QEMU monitor there will be another fd in the event loop - ie the pseduo-TTY (or UNIX socket) on which we talk to the monitor. Inactive guests --------------- Guests created using 'virsh create' (or equiv API) are treated as 'transient' domains - ie their config files are not saved to disk. This is consistent with the behaviour in the Xen backend. Guests created using 'virsh define', however, are saved out to disk in $HOME/.qemud.d for the per-user session daemon. The system-wide daemon should use /etc/qemud.d, but currently its still /root/.qemud.d The config files are simply saved as the libvirt XML blob ensuring no data conversion issues. In any case, QEMU doesn't currently have any config file format we can leverage. The list of inactive guests is loaded at startup of the daemon. New config files are expected to be created via the API - files manually created in the directory after initial startup are not seen. Might like to change this later. XML Examples ------------ This is a guest using plain qemu, with x86_64 architecture and a ISA-only (ie no PCI) machine emulation. I was actually running this on a 32-bit host :-) VNC is configured to run on port 5906. QEMU can't automatically choose a VNC port, so if one isn't specified we assign one based on the domain ID. This should be fixed in QEMU.... <domain type='qemu'> <name>demo1</name> <uuid>4dea23b3-1d52-d8f3-2516-782e98a23fa0</uuid> <memory>131072</memory> <vcpu>1</vcpu> <os> <type arch='x86_64' machine='isapc'>hvm</type> </os> <devices> <disk type='file' device='disk'> <source file='/home/berrange/fedora/diskboot.img'/> <target dev='hda'/> </disk> <interface type='user'> <mac address='24:42:53:21:52:45'/> </interface> <graphics type='vnc' port='5906'/> </devices> </domain> A second example, this time using KVM acceleration. Note how I specify a non-default path to QEMU to pick up the KVM build of QEMU. Normally KVM binary will default to /usr/bin/qemu-kvm - this may change depending on how distro packaging of KVM turns out - it may even be merged into regular QEMU binaries. <domain type='kvm'> <name>demo2</name> <uuid>4dea24b3-1d52-d8f3-2516-782e98a23fa0</uuid> <memory>131072</memory> <vcpu>1</vcpu> <os> <type>hvm</type> </os> <devices> <emulator>/home/berrange/usr/kvm-devel/bin/qemu-system-x86_64</emulator> <disk type='file' device='disk'> <source file='/home/berrange/fedora/diskboot.img'/> <target dev='hda'/> </disk> <interface type='user'> <mac address='24:42:53:21:52:45'/> </interface> <graphics type='vnc' port='-1'/> </devices> </domain> Outstanding work ---------------- - TLS support. Need to add TLS encryption & authentication to both the client and server side for IPv4/6 communications. This will obviously add a dependancy on libgnutls.so in libvirt & the daemon. I don't consider this a major problem since every non-trivial network app these days uses TLS. The other possible impl of OpenSSL has GPL-compatability issues, so is not considered. - Change the wire format to use fixed size data types (ie, int8, int16, int32, etc) instead of the size-dependant int/long types. At same time define some rules for the byte ordering. Client must match server ordering ? Server must accept client's desired ordering ? Everyone must use BE regardless of server/client format ? I'm inclined to say client must match server, since it distributes the byte-swapping overhead to all clients and lets the common case of x86->x86 be a no-op. - Add a protocol version message as first option to let use protocol at will later while maintaining compat with older libvirt client libraries. - Improve support for describing the various QEMU network configurations - Finish boot options - boot device order & explicit kernel - Open & use connection to QEMU monitor which will let us implement pause/resume, suspend/restore drivers, and device hotplug / media changes. - Return sensible data for virNodeInfo - will need to have operating system dependant code here - parsing /proc for Linux to determine available RAM & CPU speed. Who knows what for Solaris / BSD ?!? Anyone know of remotely standard ways for doing this. Accurate host memory reporting is the only really critical data item we need. - There is a fair bit of duplicate in various helper functions between the daemon, and various libvirt driver backends. We should probably pull this stuff out into a separate lib/ directoy, build it into a static library and then link that into both libvirt, virsh & the qemud daemon as needed. Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

3 12

[Libvir] Get info with libvirt from a remote Xen dom0
by Jordi Prats 09 Jan '07

09 Jan '07

Hi, On the function: virConnectPtr virConnectOpenReadOnly (const char * name) name is unused. Is planned any use for it? I'm particullay interested on obtaining information from a remote machine. I'm trying to provide HA between dom0, so this way is a dom0 chashes another dom0 will create every vm from the othe node. Example: dom0.1 have vm01 and vm02 dom0.2 have vm03 and vm04 Then if dom0.1 goes down, dom0.2 will have vm01,vm02,vm03 and vm04 I'm pretending to use libvirt as a abstraction layer to operate this Xen cluster. Thanks, -- ...................................................................... __ / / Jordi Prats Català C E / S / C A Departament de Sistemes /_/ Centre de Supercomputació de Catalunya Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona T. 93 205 6464 · F. 93 205 6979 · jprats(a)cesca.es ...................................................................... pgp:0x5D0D1321 ......................................................................

2 1

[Libvir] XML format for QEMU / KVM driver
by Daniel P. Berrange 03 Jan '07

03 Jan '07

Since KVM is the new "shiny thing" in the virtualization world for Linux I figure its time to resurrect & finish the prototype QEMU backend I started developing for libvirt. Thanks to the design of KVM, it ought to be possible to support KVM & QEMU in a single driver with near-zero extra effort to add the bits for KVM support. There's a couple of interesting decisions wrt additions in the XML format describing guests. 1. QEMU can be built with several different CPU accelerators, eg KQEMU, QVM86 or KVM. These are only available if the guest CPU matches the host CPU architecture though. 2. QEMU can emulate many different CPU types. x86, x86_64, mips, sparc, ppc, arm, etc 3. QEMU can emulate many different different 'machine' types, for each CPU type. eg for x86 cpus: $ qemu -M ? Supported machines are: pc Standard PC (default) isapc ISA-only PC Some of these options are activated by specifying a particular command line flag, eg -M for machine type. Others require you to use a different qemu binary, eg 'qemu-system-arm', 'qemu-system-ppc' instead of 'qemu'. QEMU is basically a fully-virt solution, so XML description for the <os> block would be superficically similar to Xen HVM support, in that it will typically try to boot the kernel found in the MBR of the first harddisk (unless you specify an alternate boot device). Unlike Xen HVM support, it can also have an explicit kernel, initrd & arguments specified via command line. The other difference is that Xen has a separater binary for the loader, vs device model - QEMU/KVM does it all in one binary. So, my initial thoughts are: 1. Use the <type> element within the <os> block to describe the CPU accelerator to use, accepting the values 'qemu', 'kvm', 'kqemu' or 'qvm86'. 2. For CPU architecture, there are a couple of choices a) Add an 'arch' attribute to the <type> element to select between x86, ppc, sparc, etc. b) Add an <arch> element within the <os> block to switch between architectures. c) Just use the <loader> element to point to the QEMU binary matching the desired architecture. d) Use the <emulator> element within the <devices> section to point to the QEMU binary matching the desired architecture. e) Option a) and also allow use of <loader> to override the default QEMU binary to use f) Option b) and also allow use of <loader> to override the default QEMU binary to use g) Option a) and also allow use of <emulator> within the <devices> block to override the default QEMU binary to use h) Option b) and also allow use of <emulator> within the <devices> block to override the default QEMU binary to use At this time, i'm leaning towards either option e). This would give examples like * Using PPC with regular non-accelerated QEMU <os> <type arch="ppc">qemu</type> </os> * Using non-accelerated QEMU, and guest architecture matching the host <os> <type>qemu</type> </os> * Using accelerated KVM <os> <type>kvm</type> </os> * Using accelerated KVM, but with an alernate binary <os> <type>kvm</type> <loader>/home/berrange/work/kvm-devel/qemu-kvm</loader> </os> 3. For machine type, again there are a couple of options: a) Add a 'machine' attribute to the <type> element b) Add a <machine> element within the <os> block For this I think we should just follow same scheme that we use to specify architecture. So I'd lean towards a) * Using PPC with a Mac-99 machine: <os> <type arch="ppc" machine="mac99">qemu</type> </os> * Using non-accelerated QEMU, and guest architecture matching the host, and a non-PCI machine: <os> <type machine="isapc">qemu</type> </os> All the other bits of XML like disk/network/console configuration are pretty straightforward, following very similar structure to Xen. So there isn't really much interesting stuff to discuss there. Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

3 6