August 2008 - Devel - libvirt List Archives

[libvirt] [patch] remove duplicate call of virInitialize()
by Nguyen Anh Quynh 18 Aug '08

18 Aug '08

Hi, This patch removes the redundant call to virInitialize() inside __virStateInitialize(). Thanks, Quynh

2 1

[libvirt] virt-install and custom distros
by Kay Williams 15 Aug '08

15 Aug '08

We have an application that builds custom distributions based on RHEL, CentOS or Fedora. We would like to install these over the network using virt-install, but we've run into an issue with the distro check logic. Specifically, virt-install fails unless it finds a string "Red Hat Enterprise Linux", "Fedora" or "CentOS" within the family field of the .treeinfo file. Our application currently sets the family field to the user-provided distro name (see below). We have avoided using the base distro name given trademark concerns. [general] family = <user provided value> variant = <user provided value> We can get virt-install to pass the distro check by setting the family name to one of the accepted values, e.g. [general] family = Fedora variant = [user provided distro name] Is this the expected/desired use for the family and variant fields? Or is there another approach we should consider? Thanks, Kay

2 1

[libvirt] [PATCH] Fix serial console telnet protocol support
by Mark McLoughlin 15 Aug '08

15 Aug '08

With e.g.: <serial type='tcp'> <source mode='bind' host='127.0.0.1' service='4444'/> <protocol type='telnet'/> <target port='0'/> </serial> You currently get: Unknown option: listen qemu: could not open serial device 'telnet:127.0.0.1:4444,listen' With the telnet protocol, qemu expects "server" as an option rather than "listen". Signed-off-by: Mark McLoughlin <markmc(a)redhat.com> Index: libvirt/src/qemu_conf.c =================================================================== --- libvirt.orig/src/qemu_conf.c 2008-08-13 18:14:34.000000000 +0100 +++ libvirt/src/qemu_conf.c 2008-08-13 18:35:20.000000000 +0100 @@ -685,12 +685,19 @@ break; case VIR_DOMAIN_CHR_TYPE_TCP: - if (snprintf(buf, buflen, "%s:%s:%s%s", - dev->data.tcp.protocol == VIR_DOMAIN_CHR_TCP_PROTOCOL_TELNET ? "telnet" : "tcp", - dev->data.tcp.host, - dev->data.tcp.service, - dev->data.tcp.listen ? ",listen" : "") >= buflen) - return -1; + if (dev->data.tcp.protocol == VIR_DOMAIN_CHR_TCP_PROTOCOL_TELNET) { + if (snprintf(buf, buflen, "telnet:%s:%s%s", + dev->data.tcp.host, + dev->data.tcp.service, + dev->data.tcp.listen ? ",server" : "") >= buflen) + return -1; + } else { + if (snprintf(buf, buflen, "tcp:%s:%s%s", + dev->data.tcp.host, + dev->data.tcp.service, + dev->data.tcp.listen ? ",listen" : "") >= buflen) + return -1; + } break; case VIR_DOMAIN_CHR_TYPE_UNIX:

3 4

[libvirt] [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization
by James Morris 15 Aug '08

15 Aug '08

This is to announce the formation of the sVirt project, which aims to integrate SELinux and Linux-based virtualization (KVM et al). The idea has been discussed a few times over the last year or so, and in recent weeks, a few Fedora folk (such as Dan Walsh, Daniel Berrange and myself) have put together some requirements and had some preliminary technical discussions. The requirements document and initital technical considerations are included below inline for review and discussion. In a nutshell, we'd like to be able to apply distinct security labels to individual VM instances and their resources, so that they can be isolated from each other via MAC policy. We want this to "just work" when configuring and managing VMs via the libvirt toolchain, e.g. provide a simple option during VM creation to make the VM "isolated", and have the toolchain do all the labeling and policy configuration behind the scenes. Greater detail may be found in the requirements document. If you wish to contribute, please reply to this email with any enhancements to the requirements, technical ideas, issues etc. I'd suggest joining the libvir-list (in the to: line) if not already on it, as that is where the integration work is expected to happen. There's also a wiki page: http://selinuxproject.org/page/SVirt ------------------------------------------------------------------------ 11 Aug 2008 sVirt: Integration of SELinux and Linux-based Virtualization Requirements and Design Considerations v1.0 1. Introduction This document establishes a set of functional and technical requirements for integrating SELinux with Linux-based virtualization (i.e. Linux-as-hypervisor schemes such as KVM/Qemu amd lguest). Note that non-Linux hypervisor models such as Xen are not covered explicitly in this document, although may be afforded some MAC coverage due to shared infrastructure (e.g. libvirt). Non-Linux hypervisor models may considered further at a later stage. Also, while this document focuses on SELinux as the MAC scheme, consideration should be given to ensuring support for other label-based MAC schemes. 1.1 Rationale With increased use of virtualization, one security benefit of physically separated systems -- strong isolation -- is reduced, an issue which may be ameliorated with the application of Mandatory Access Control (MAC) security in the host system. Integration of MAC with virtualization will also help increase the overall robustness and security assurance of both host and guest systems. Many threats arising from flaws in the VM environment, or misconfiguration, may be mitigated through tighter isolation and specific MAC policy enforcement. By incorporating MAC support into the virtualization toolchain and documentation, users will also be able to make more use of the MAC security capabilities provided by the OS. 1.2 Use-cases The following use-cases have been identified: o Providing virtualized services with a level of isolation similar to that previously afforded by physical separation. o Increased protection of the host from untrusted VM guests (e.g. for VM hosting providers, grid/cloud servers etc.). o Increased protection of VM guests from each other in the event of host flaws or misconfiguration. Some protection may also be provided against a compromised host. o Consolidating access to multiple networks which require strong isolation from each other (e.g. military, government, corporate extranets, internal "Chinese wall" separation etc.) o Strongly isolating desktop applications by running them in separately labeled VMs (e.g. online banking in one VM and World of Warcraft in another; opening untrusted office documents in an isolated VM for view/print only). o Forensic analysis of disk images, binaries, browser scripts etc. in a highly isolated VM, protecting both the host system and the integrity of the components under analysis. o Isolated test environments, preventing e.g. simulated trades from entering a production system, leakage of sensitive customer data to internal networks etc. o General ability to specify a wide range of high-level security goals for virtualization through flexible MAC policy. 2. Current Situation SELinux is already able to provide general MAC protection to Linux-based virtualization, such as protecting the integrity and confidentiality of disk images and providing strong isolation of Linux hypervisor processes from the rest of the system. There is, however, no explicit support for Linux-based virtualization in SELinux, and all VMs currently run in the same security context. Thus, there is no MAC isolation applied between VMs. 3. Functional Security Requirements 3.1 Strong isolation between active VMs Running different VMs with different MAC labels allows stronger isolation between VMs, reducing risks arising from flaws in or misconfiguration of the VM environment. For example, the threat of a rogue VM exploiting a flaw in KVM could be greatly reduced if it is isolated from other VMs by MAC security policy. 3.2 Improved control over access to VM resources Distinct MAC labeling of resources belonging to VMs (disk images, disk partitions etc.) binds VM instances to those resources, ensuring that VMs can only access their own resources. This can protect the VM from invalid VM resources; and protect VM resources from flawed or misconfigured VMs. 3.3 Improved control over access to shared resources Where VMs may share resources (e.g. miscellaneous devices, virtual networking, read-only disk images etc.), fine-grained MAC policy may be specified to control information flow between VMs. 3.4 Fine-grained interaction with the host With distinct labeling of VMs and their resources, interactions with host entities on a per-VM basis may then be controlled by MAC policy. An example of this would be to safely allow different users on the host to administer different VMs. Configuration of this could be managed via the RBAC scheme integrated with SELinux. 3.5 Coarse MAC containment of VMs High-level security constraints may be applied to different VMs, to allow simplified lock-down of the overall system. For example, a VM may be restricted so that it cannot transmit TCP traffic on port 25 via virtual networking (i.e. the guest cannot be used as a spam bot even if it is compromised via a rootkit). 3.6 Leverage general MAC architecture As MAC is extended to the desktop, it will be possible to apply uniform MAC policy to the OS, desktop and Linux-based virtualization components. This will provide a basis for a variety of sophisticated security applications such as a virtualized MLS desktop with different windows running VMs at different security levels. 4. Design Considerations 4.1 Consensus in preliminary discussion appears to be that adding MAC to libvirt will be the most effective approach. Support may then be extended to virsh, virt-manager, oVirt etc. 4.2 Initially, sVirt should "just work" as a means to isolate VMs, with minimal administrative interaction. e.g. an option is added to virt-manager which allows a VM to be designated as "isolated", and from then on, it is automatically run in a separate security context, with policy etc. being generated and managed by libvirt. 4.3 We need to consider very carefully exactly how VMs will be launched and controlled e.g. overall security ultimately must be enforced by the host kernel, even though VM launch will be initially controlled by host userspace. 4.4 We need to consider overall management of labeling both locally and in distributed environments (e.g. oVirt), as well as situations where VMs may be migrated between systems, backed up etc. One possible approach may be to represent the security label as the UUID of the guest and then translate that to locally meaningful values as needed. 4.5 MAC controls/policy will need to be considered for any control planes (e.g. /dev/kvm). 4.6 We need to ensure that we have high-level management tools available from the start, avoiding past mistakes with SELinux where we dropped a bunch of complicated pieces in the user's lap. All aspects of sVirt must be managed by the via the virt tools and only present high-level abstractions to the user (and then, only if essential). 4.7 As sVirt involves creating and managing arbitrary numbers of security labels, we will need to address the effects of label space explosion and resulting complexity. Possible approaches already discussed include: - SELinux RBAC or IBAC mechanisms. - MCS labels. This has the possible advantage of not requiring any policy changes for simple isolation: just have a general policy which applies to all MCS labels, and possibly customize behavior via the type. e.g. system_u:object_r:virt_image_t:c1 ^ ^ type mcs label 'c0' = isolated inactive VM image/device. 'cN' = dynamically assigned MCS label for active VM, bound to the UUID, and translated via MCS translation file. i.e. a user running ls -Z or ps -Z will see the UUID instead of cN. 'virt_image_t' = standard VM which is also isolated if an MCS label is present. 'virt_image_nonet_t' = VM with no network access at all. etc. So, MCS is used to enforce VM isolation, Type is used to enforce general security behavior. We can then provide a high-level GUI interface for selecting this behavior without the admin knowing anything about SELinux. Note: proof of concept testing has been performed using MCS labels, which appears to be workable at this stage. - Utilize the new hierarchical types being proposed upstream by NEC. (No analysis done yet). 4.8 Accessing images via shared storage will present challenges as we do not yet have labeling for networked filesystems. 4.9 We must ensure that any MAC support integrated into libvirt is readily debuggable. e.g. hook into auditsp to actively process policy violations and handle them via the virt toolchain; also develop good setroubleshoot plugins. 4.10 {lib}semanage needs performance optimization work to reduce impact on the virt toolchain. ------------------------------------------------------------------------

7 17

[libvirt] fail to run virsh
by Jun Koi 15 Aug '08

15 Aug '08

Hi, I installed libvirt (cvs version), and can confirm that libvirtd is running. However, virsh failed to work. I got the below message when running virsh with debugging information. How to fix this problem? Many thanks, Jun # LIBVIRT_DEBUG=1 virsh DEBUG: libvirt.c: virInitialize (register drivers) DEBUG: libvirt.c: virConnectOpenAuth (name=(null), auth=0xb7f53b84, flags=0) DEBUG: libvirt.c: do_open (Probed qemu:///system) DEBUG: lxc_driver.c: lxcCheckContainerSupport (clone call returned EINVAL, container support is not enabled) DEBUG: libvirt.c: do_open (Using qemu:///system as default URI, 1 hypervisor found) DEBUG: libvirt.c: do_open (name "qemu:///system" to URI components: scheme qemu opaque (null) authority (null) server (null) user (null) port 0 path /system ) DEBUG: libvirt.c: do_open (trying driver 0 (Test) ...) DEBUG: libvirt.c: do_open (driver 0 Test returned DECLINED) DEBUG: libvirt.c: do_open (trying driver 1 (QEMU) ...) DEBUG: libvirt.c: do_open (driver 1 QEMU returned DECLINED) DEBUG: libvirt.c: do_open (trying driver 2 (Xen) ...) DEBUG: libvirt.c: do_open (driver 2 Xen returned DECLINED) DEBUG: libvirt.c: do_open (trying driver 3 (OPENVZ) ...) DEBUG: libvirt.c: do_open (driver 3 OPENVZ returned DECLINED) DEBUG: libvirt.c: do_open (trying driver 4 (LXC) ...) DEBUG: libvirt.c: do_open (driver 4 LXC returned DECLINED) DEBUG: libvirt.c: do_open (trying driver 5 (remote) ...) DEBUG: remote_internal.c: doRemoteOpen (proceeding with name = qemu:///system) libvir: Remote error : No such file or directory DEBUG: libvirt.c: do_open (driver 5 remote returned ERROR) DEBUG: hash.c: virUnrefConnect (unref connection 0x806b588 qemu:///system 1) DEBUG: hash.c: virReleaseConnect (release connection 0x806b588 qemu:///system) error: failed to connect to the hypervisor

2 3

[libvirt] [PATCH] fix minor typo
by John Levon 15 Aug '08

15 Aug '08

Fix a typo in the message for the 'dump' command in virsh. Signed-off-by: John Levon <john.levon(a)sun.com> Index: src/virsh.c =================================================================== RCS file: /data/cvs/libvirt/src/virsh.c,v retrieving revision 1.157 diff -u -r1.157 virsh.c --- src/virsh.c 22 Jul 2008 16:12:01 -0000 1.157 +++ src/virsh.c 13 Aug 2008 15:50:09 -0000 @@ -1320,7 +1320,7 @@ return FALSE; if (virDomainCoreDump(dom, to, 0) == 0) { - vshPrint(ctl, _("Domain %s dumpd to %s\n"), name, to); + vshPrint(ctl, _("Domain %s dumped to %s\n"), name, to); } else { vshError(ctl, FALSE, _("Failed to core dump domain %s to %s"), name, to);

3 2

[libvirt] Reusing dumpxml output
by Stefan de Konink 14 Aug '08

14 Aug '08

I would like to reuse configurations that have been edited using the libvirt api. For example by attaching interfaces. Now the output that dumpxml generates, is very 'specific' to an active configuration. I am not able to use a stored configuration from an active domain to redefine it after it has been undefined. Is there a trick to do so? Or should one really strip all 'live' attributes first? Stefan

5 14

[libvirt] breaking out of virsh console?
by Schroeder, Paul 14 Aug '08

14 Aug '08

Hello all... In my VM's inittab, I set agetty to run on ttyS0 so I could do "virsh console myvm" and log in from the host machine's command line. It works perfectly. Trouble is, I don't know how to break out of it to get back to the command line on my host. I've only been able to do so by killing the virsh process. There's gotta be a better way.. Right? Thanks...Paul...

5 4

[libvirt] VMWare support, any news?
by Yushu Yao 14 Aug '08

14 Aug '08

Hi All, I noticed there are some discussion about VMWare support of libvirt several back in April-May. Just wondering is there a prototype yet? The function I¹m interested in is to stop/start a VM by VMWare player/workstation/free server. Thanks, -Yushu

5 5

[libvirt] [PATCH] get memory in openvz driver
by Evgeniy Sokolov 14 Aug '08

14 Aug '08

OpenVZ has several parameters for memory management. All of them can be configured independetly. Patch allow to get configuration of memory from container config and then calculate total usage of memory. It is open question how to manage memory?

2 4