[libvirt] storage_backend_fs.c Bug
by Russell
Line 1133 of storage_backend_fs.c in 0.6.0:
if (vol->target.backingStore != NULL) {
virStorageReportError(conn, VIR_ERR_NO_SUPPORT,
_("copy-on-write image not supported with "
"qcow-create"));
return -1;
}
virStorageVolTarget has no member called backingStore, resulting in
compile errors.
15 years, 2 months
[libvirt] [PATCH 0/5] Add device assignment related node device methods
by Mark McLoughlin
Hi,
The following patches implement three new node device methods
that are needed for KVM PCI device assignment.
The dettach method unbinds the device from its device driver
and binds it to the pci-stub driver, if available. This ensures the
device is not being used by the host.
The reattach method undos this operation. It unbinds the
device from pci-stub and attempts to re-bind it to the original device
driver. This allows the device to be used by the host again.
The reset method is intended to be used on a dettached device
before it is used by the guest or host. This operation may in future
affect other devices, so it is intended that all devices to be
assigned to a guest are first dettached before any device is reset.
A writeup of some more background details are available here:
http://marc.info/?l=kvm&m=123454366317045
Cheers,
Mark.
15 years, 2 months
[libvirt] [PATCH] document static host IP assignment
by Charles Duffy
Back in August 2008, DV added support for providing static IP/hostname
assignments to dnsmasq via <host> elements in the network definition.
Since this functionality isn't covered in the documentation, I wrote up
a quick patch, attached.
15 years, 2 months
[libvirt] [PATCH 0/2] Dettach and reset devices before assigning to guests
by Mark McLoughlin
Hi,
The following two patches build on the previous series.
The idea is simple - when starting a guest, we should
automatically dettach and reset any devices assigned to it.
Rather than change the semantics of the existing
hostdev source, we only do this when the node device name is
used as the hostdev source. Directly specifying the device
address rather than its name can be seen as an option for
people who know what they're doing.
Cheers,
Mark.
15 years, 2 months
[libvirt] "type 'hvm' & arch 'i686' combination is not supported" error
by Frederik Himpe
I recently updated for libvirt 0.4.6 to libvirt 0.6.0. Now several of the
virtual machines I defined, are not shown in virt-manager nor by virsh
list --all, although the config files are still in /etc/libvirt/qemu. I
tried to run virsh create, and this error is shown:
libvir: Domain Config error : internal error os type 'hvm' & arch 'i686'
combination is not supported
This configuration was working perfectly with libvirt 0.4.6. I needed to
change i686 to x86_64 in all config files of 32 bit systems to make them
work again. Is there no way libvirt could migrate those configuration
files automatically?
--
Frederik Himpe
15 years, 2 months
[libvirt] Patch to python-virtinst to allow it to choose svirt labels
by Daniel J Walsh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Also found at least one big bug in python-virtinst, VirtualDisk.py was
dropping the "/" between dirname and basename of installation object,
when you told it to create the object.
I think we want to have a big switch stored in libvirt somewhere saying
whether or not we want isolated virtual machines.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkme++4ACgkQrlYvE4MpobM5ewCeP3iaq3HwT/Rw71E2YElbxKyg
66gAoJaCUkQkBvJz80wjztYiwOGsAKaj
=GlDN
-----END PGP SIGNATURE-----
diff -r -u virtinst-0.400.1/virtinst/Guest.py virtinst-0.400.1.new/virtinst/Guest.py
--- virtinst-0.400.1/virtinst/Guest.py 2009-01-26 14:33:25.000000000 -0500
+++ virtinst-0.400.1.new/virtinst/Guest.py 2009-02-19 17:36:35.000000000 -0500
@@ -32,6 +32,8 @@
import __builtin__
import CapabilitiesParser
import VirtualDevice
+import selinux
+import random
import osdict
from VirtualDisk import VirtualDisk
@@ -315,8 +317,9 @@
self._install_disk = None # VirtualDisk that contains install media
if type is None:
- type = "xen"
- self.type = type
+ self.type = "xen"
+ else:
+ self.type = type
if not location is None:
self.location = location
@@ -526,6 +529,7 @@
self._vcpus = None
self._cpuset = None
self._graphics_dev = None
+ self._seclabel = None
self._os_type = None
self._os_variant = None
@@ -552,12 +556,34 @@
self.disknode = None # this needs to be set in the subclass
+ self.default_seclabel , self.default_imagelabel = self._default_seclabels()
+
+ while self._seclabel == None:
+ seclabel, imagelabel = self.gen_seclabels()
+ if self.is_conflict_seclabel(self.conn, seclabel):
+ continue
+ self.set_seclabel(seclabel)
+ self.set_imagelabel(imagelabel)
+
def get_installer(self):
return self._installer
def set_installer(self, val):
self._installer = val
installer = property(get_installer, set_installer)
+ # Security context used to secure guest image
+ def get_imagelabel(self):
+ return self._imagelabel
+ def set_imagelabel(self, val):
+ self._imagelabel = val
+ imagelabel = property(get_imagelabel, set_imagelabel)
+
+ # Security context used to secure guest process
+ def get_seclabel(self):
+ return self._seclabel
+ def set_seclabel(self, val):
+ self._seclabel = val
+ seclabel = property(get_seclabel, set_seclabel)
def get_type(self):
return self._installer.type
@@ -565,7 +591,6 @@
self._installer.type = val
type = property(get_type, set_type)
-
# Domain name of the guest
def get_name(self):
return self._name
@@ -750,7 +775,7 @@
if enabled not in (True, False):
raise ValueError, _("Graphics enabled must be True or False")
- if enabled == True:
+ if enabled:
gdev = VirtualGraphics(type=gtype)
if port:
gdev.port = port
@@ -807,9 +832,23 @@
"""Ensure that devices are setup"""
for disk in self._install_disks:
disk.setup(progresscb)
+ # Not sure of this, might want to put this in VirtualDisk class
+ selinux.setfilecon(disk.path, self._imagelabel)
for nic in self._install_nics:
nic.setup(self.conn)
+ def _get_seclabel_xml(self):
+ xml = ""
+ if self._seclabel != None:
+ xml = """
+ <seclabel model='selinux'>
+ <label>%s</label>
+ <image>%s</image>
+ </seclabel>
+""" % ( self._seclabel, self._imagelabel)
+ print xml
+ return xml
+
def _get_disk_xml(self, install=True):
"""Return xml for disk devices (Must be implemented in subclass)"""
raise NotImplementedError
@@ -899,6 +938,7 @@
<devices>
%(devices)s
</devices>
+ %(secxml)s
</domain>
""" % { "type": self.type,
"name": self.name, \
@@ -909,7 +949,8 @@
"maxramkb": self.maxmemory * 1024, \
"devices": self._get_device_xml(install), \
"osblob": osblob, \
- "action": action }
+ "action": action, \
+ "secxml": self._get_seclabel_xml()}
def start_install(self, consolecb=None, meter=None, removeOld=False,
@@ -1026,6 +1067,108 @@
if self.domain is not None:
raise RuntimeError, _("Domain has already been started!")
+ def _default_seclabels(self):
+ try:
+ fd = open(selinux.selinux_virtual_domain_context_path(), 'r')
+ except OSError, (err_no, msg):
+ raise RuntimeError, \
+ "failed to SELinux virtual domains context: %s: %s %s" % (selinux.selinux_virtual_domain_context_path(),err_no, msg)
+
+ label = fd.read()
+ fd.close()
+ try:
+ fd = open(selinux.selinux_virtual_image_context_path(), 'r')
+ except OSError, (err_no, msg):
+ raise RuntimeError, \
+ "failed to SELinux virtual domains context: %s: %s %s" % (selinux.selinux_virtual_domain_context_path(), err_no, msg)
+
+ image = fd.read()
+ fd.close()
+
+ return (label, image)
+
+ def is_conflict_seclabel(self, conn, seclabel):
+ """
+ check if security label is in use by any other VMs on passed
+ connection.
+
+ @param conn: connection to check for collisions on
+ @type conn: libvirt.virConnect
+
+ @param seclabel: Security Label
+ @type str: Security label
+
+ @return: True if a collision, False otherwise
+ @rtype: C{bool}
+ """
+ if not seclabel:
+ return False
+
+ vms = []
+ # get working domain's name
+ ids = conn.listDomainsID()
+ for i in ids:
+ try:
+ vm = conn.lookupByID(i)
+ vms.append(vm)
+ except libvirt.libvirtError:
+ # guest probably in process of dieing
+ logging.warn("Failed to lookup domain id %d" % i)
+ # get defined domain
+ names = conn.listDefinedDomains()
+ for name in names:
+ try:
+ vm = conn.lookupByName(name)
+ vms.append(vm)
+ except libvirt.libvirtError:
+ # guest probably in process of dieing
+ logging.warn("Failed to lookup domain name %s" % name)
+
+ count = 0
+ for vm in vms:
+ doc = None
+ try:
+ doc = libxml2.parseDoc(vm.XMLDesc(0))
+ except:
+ continue
+ ctx = doc.xpathNewContext()
+ try:
+ try:
+ label = ctx.xpathEval("/domain/seclabel/label/")
+ if label[0].content == seclabel:
+ count += 1
+ break
+ except:
+ continue
+ finally:
+ if ctx is not None:
+ ctx.xpathFreeContext()
+ if doc is not None:
+ doc.freeDoc()
+ if count > 0:
+ return True
+ else:
+ return False
+
+ def _get_random_mcs(self):
+ f1 = random.randrange(1024)
+ f2 = random.randrange(1024)
+ if f1 < f2:
+ return "s0:c%s,c%s" % (f1, f2)
+ else:
+ if f1 == f2:
+ return "s0:c%s" % f1
+ else:
+ return "s0:c%s,c%s" % (f2, f1)
+
+ def gen_seclabels(self):
+ mcs = self._get_random_mcs()
+ con = self.default_seclabel.split(':')
+ seclabel = "%s:%s:%s:%s" % (con[0], con[1], con[2], mcs)
+ con = self.default_imagelabel.split(':')
+ imagelabel = "%s:%s:%s:%s" % (con[0], con[1], con[2], mcs)
+ return (seclabel, imagelabel)
+
def _set_defaults(self):
if self.uuid is None:
while 1:
diff -r -u virtinst-0.400.1/virtinst/VirtualDisk.py virtinst-0.400.1.new/virtinst/VirtualDisk.py
--- virtinst-0.400.1/virtinst/VirtualDisk.py 2009-01-26 14:33:25.000000000 -0500
+++ virtinst-0.400.1.new/virtinst/VirtualDisk.py 2009-02-19 19:43:44.000000000 -0500
@@ -172,8 +172,6 @@
"""
return "%s:%s" %(self.type, self.path)
-
-
def _get_path(self):
return self._path
def _set_path(self, val, validate=True):
@@ -413,7 +411,7 @@
newpath = self.vol_object.path()
elif self.vol_install:
newpath = _util.get_xml_path(self.vol_install.pool.XMLDesc(0),
- "/pool/target/path") + \
+ "/pool/target/path") + "/" + \
self.vol_install.name
if newpath and newpath != self.path:
15 years, 2 months
[libvirt] iptables and libvirt
by Karl Wirth
Hi,
I would like your feedback on the following idea.
What if we could flexibly change the iptables rules for the different
guests as they are deployed onto the node/host. The idea would be to do
all of this within the iptables of the host leaving alone the iptables
of the guests themselves.
Here are some specifics:
- Physical systems typically isolated using firewalls protecting well
known ports.
- With virt, on shared physical device, use a bridge to give full LAN
access to vm
- Or a virtual network which is an isolated bridge with no physical
connection. Guest can talk to each other directly. Only NAT'd outbound.
- The idea is to eventually make it easy to centrally set up iptable
rules for guests that are applied in the host iptables.
- We would have to be able to migrate the iptables rules and the state
data with vm as it moves
The benefits of this would be we could:
- Create networking controls that provide same isolation as physical systems
- Control which VMs can talk to which others
Integration option:
- Integration in virtd because it knows about the guests and their
network parameters.
Thanks for your feedback.
Best regards,
Karl
15 years, 2 months
[libvirt] About virtualization, libvirt and xen...
by Patrick Archibal
Hello,
I have understand that :
----------------------------
guest
----------------------------
driver_device0_guest
----------------------------
hypervisor
----------------------------
driver_device0_hypervisor
----------------------------
device0
----------------------------
in order to access to a device, a guest use driver_device0_guest
The driver_device0_guest is modified to ask the hypervisor instead of the device0 directly.
Then the hypervisor uses the driver_device0_hypervisor in order to ask the device0.
It's my understant, maybe it's false.
I have few questions :
1 - what is the difference between libvirt and virtio.
2 - why developpers for xen, kvm... must develop drivers each time there are new devices ?
Because the driver must ask the hypervisor instead of device directly.
3 - The devices presented to the guest are real or emulated ? (for xen and/or kvm)
if devices are real, for example, i can use my graphic card with a virtual machine ??
4 - Can you tell me why kvm is best or xen is best in enterprise.
In my understand, in the future, kvm is in good position because the developpment is integrated in
the kernel. Also, i feel xen progress because firms like citrix contribute but it's seems there is
no big update since few years.
My vision is xen is best for production environnement because it takes advantages of minimal
hypervisor code while kvm must be install with the kernel.
Also, it seems, performance will be better in kvm with virtio. Can we use virtio with xen ?
_________________________________________________________________
Vous voulez savoir ce que vous pouvez faire avec le nouveau Windows Live ? Lancez-vous !
http://www.microsoft.com/windows/windowslive/default.aspx
15 years, 2 months
[libvirt] [Patch 0/1] enable --checkpoint option in 'virsh save'
by Matt McCowan
Along the lines of Xen's 'xm save' function with the '-c' checkpoint flag, following up is a patch to basically make-it-so, plus enable it for qemu. Patch merges with CVS, and passes tests as described in the HACKING file.
The code implementing the '--live' option for 'virsh migrate' was copied/pasted/mod'ed to create the --checkpoint option for 'virsh save'
Regards
Matt McCowan
15 years, 2 months
