February 2009 - Devel - libvirt List Archives

[libvirt] PATCH: Fix autostart of session daemon
by Daniel P. Berrange 26 Feb '09

26 Feb '09

When connecting qemu:///session we can autostart the libvirtd daemon. With the node device APIs present, it can take upto a second to start up while talking to dbus. The remote driver was only waiting for a fraction of a second. This changes it to wait for upto 2 seconds, and also not to spawn multiple instances of the daemon. Daniel diff -rup libvirt-0.6.0.orig/src/remote_internal.c libvirt-0.6.0.new/src/remote_internal.c --- libvirt-0.6.0.orig/src/remote_internal.c 2009-02-18 10:56:34.000000000 +0000 +++ libvirt-0.6.0.new/src/remote_internal.c 2009-02-18 13:35:26.000000000 +0000 @@ -654,12 +654,13 @@ doRemoteOpen (virConnectPtr conn, */ if (errno == ECONNREFUSED && flags & VIR_DRV_OPEN_REMOTE_AUTOSTART && - trials < 5) { + trials < 20) { close(priv->sock); priv->sock = -1; - if (remoteForkDaemon(conn) == 0) { + if (trials > 0 || + remoteForkDaemon(conn) == 0) { trials++; - usleep(5000 * trials * trials); + usleep(1000 * 100 * trials); goto autostart_retry; } } -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

2 2

[libvirt] storage_backend_fs.c Bug
by Russell 26 Feb '09

26 Feb '09

Line 1133 of storage_backend_fs.c in 0.6.0: if (vol->target.backingStore != NULL) { virStorageReportError(conn, VIR_ERR_NO_SUPPORT, _("copy-on-write image not supported with " "qcow-create")); return -1; } virStorageVolTarget has no member called backingStore, resulting in compile errors.

5 5

[libvirt] [PATCH] Don't generate python bindings multiple times w/ parallel build
by Cole Robinson 26 Feb '09

26 Feb '09

The attached patch was posted by Michael Marineau at: https://bugzilla.redhat.com/show_bug.cgi?id=472702 It prevents generating the python bindings multiple times in a parallel build. Works fine in my testing, so I figured I'd pass it along here for better exposure, since it has been languishing in bugzilla. Thanks, Cole

3 2

[libvirt] [PATCH 0/5] Add device assignment related node device methods
by Mark McLoughlin 25 Feb '09

25 Feb '09

Hi, The following patches implement three new node device methods that are needed for KVM PCI device assignment. The dettach method unbinds the device from its device driver and binds it to the pci-stub driver, if available. This ensures the device is not being used by the host. The reattach method undos this operation. It unbinds the device from pci-stub and attempts to re-bind it to the original device driver. This allows the device to be used by the host again. The reset method is intended to be used on a dettached device before it is used by the guest or host. This operation may in future affect other devices, so it is intended that all devices to be assigned to a guest are first dettached before any device is reset. A writeup of some more background details are available here: http://marc.info/?l=kvm&m=123454366317045 Cheers, Mark.

2 13

[libvirt] [PATCH] document static host IP assignment
by Charles Duffy 25 Feb '09

25 Feb '09

Back in August 2008, DV added support for providing static IP/hostname assignments to dnsmasq via <host> elements in the network definition. Since this functionality isn't covered in the documentation, I wrote up a quick patch, attached.

3 2

[libvirt] [PATCH 0/2] Dettach and reset devices before assigning to guests
by Mark McLoughlin 25 Feb '09

25 Feb '09

Hi, The following two patches build on the previous series. The idea is simple - when starting a guest, we should automatically dettach and reset any devices assigned to it. Rather than change the semantics of the existing hostdev source, we only do this when the node device name is used as the hostdev source. Directly specifying the device address rather than its name can be seen as an option for people who know what they're doing. Cheers, Mark.

2 6

[libvirt] "type 'hvm' & arch 'i686' combination is not supported" error
by Frederik Himpe 25 Feb '09

25 Feb '09

I recently updated for libvirt 0.4.6 to libvirt 0.6.0. Now several of the virtual machines I defined, are not shown in virt-manager nor by virsh list --all, although the config files are still in /etc/libvirt/qemu. I tried to run virsh create, and this error is shown: libvir: Domain Config error : internal error os type 'hvm' & arch 'i686' combination is not supported This configuration was working perfectly with libvirt 0.4.6. I needed to change i686 to x86_64 in all config files of 32 bit systems to make them work again. Is there no way libvirt could migrate those configuration files automatically? -- Frederik Himpe

2 5

[libvirt] Patch to python-virtinst to allow it to choose svirt labels
by Daniel J Walsh 24 Feb '09

24 Feb '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also found at least one big bug in python-virtinst, VirtualDisk.py was dropping the "/" between dirname and basename of installation object, when you told it to create the object. I think we want to have a big switch stored in libvirt somewhere saying whether or not we want isolated virtual machines. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkme++4ACgkQrlYvE4MpobM5ewCeP3iaq3HwT/Rw71E2YElbxKyg 66gAoJaCUkQkBvJz80wjztYiwOGsAKaj =GlDN -----END PGP SIGNATURE----- diff -r -u virtinst-0.400.1/virtinst/Guest.py virtinst-0.400.1.new/virtinst/Guest.py --- virtinst-0.400.1/virtinst/Guest.py 2009-01-26 14:33:25.000000000 -0500 +++ virtinst-0.400.1.new/virtinst/Guest.py 2009-02-19 17:36:35.000000000 -0500 @@ -32,6 +32,8 @@ import __builtin__ import CapabilitiesParser import VirtualDevice +import selinux +import random import osdict from VirtualDisk import VirtualDisk @@ -315,8 +317,9 @@ self._install_disk = None # VirtualDisk that contains install media if type is None: - type = "xen" - self.type = type + self.type = "xen" + else: + self.type = type if not location is None: self.location = location @@ -526,6 +529,7 @@ self._vcpus = None self._cpuset = None self._graphics_dev = None + self._seclabel = None self._os_type = None self._os_variant = None @@ -552,12 +556,34 @@ self.disknode = None # this needs to be set in the subclass + self.default_seclabel , self.default_imagelabel = self._default_seclabels() + + while self._seclabel == None: + seclabel, imagelabel = self.gen_seclabels() + if self.is_conflict_seclabel(self.conn, seclabel): + continue + self.set_seclabel(seclabel) + self.set_imagelabel(imagelabel) + def get_installer(self): return self._installer def set_installer(self, val): self._installer = val installer = property(get_installer, set_installer) + # Security context used to secure guest image + def get_imagelabel(self): + return self._imagelabel + def set_imagelabel(self, val): + self._imagelabel = val + imagelabel = property(get_imagelabel, set_imagelabel) + + # Security context used to secure guest process + def get_seclabel(self): + return self._seclabel + def set_seclabel(self, val): + self._seclabel = val + seclabel = property(get_seclabel, set_seclabel) def get_type(self): return self._installer.type @@ -565,7 +591,6 @@ self._installer.type = val type = property(get_type, set_type) - # Domain name of the guest def get_name(self): return self._name @@ -750,7 +775,7 @@ if enabled not in (True, False): raise ValueError, _("Graphics enabled must be True or False") - if enabled == True: + if enabled: gdev = VirtualGraphics(type=gtype) if port: gdev.port = port @@ -807,9 +832,23 @@ """Ensure that devices are setup""" for disk in self._install_disks: disk.setup(progresscb) + # Not sure of this, might want to put this in VirtualDisk class + selinux.setfilecon(disk.path, self._imagelabel) for nic in self._install_nics: nic.setup(self.conn) + def _get_seclabel_xml(self): + xml = "" + if self._seclabel != None: + xml = """ + <seclabel model='selinux'> + <label>%s</label> + <image>%s</image> + </seclabel> +""" % ( self._seclabel, self._imagelabel) + print xml + return xml + def _get_disk_xml(self, install=True): """Return xml for disk devices (Must be implemented in subclass)""" raise NotImplementedError @@ -899,6 +938,7 @@ <devices> %(devices)s </devices> + %(secxml)s </domain> """ % { "type": self.type, "name": self.name, \ @@ -909,7 +949,8 @@ "maxramkb": self.maxmemory * 1024, \ "devices": self._get_device_xml(install), \ "osblob": osblob, \ - "action": action } + "action": action, \ + "secxml": self._get_seclabel_xml()} def start_install(self, consolecb=None, meter=None, removeOld=False, @@ -1026,6 +1067,108 @@ if self.domain is not None: raise RuntimeError, _("Domain has already been started!") + def _default_seclabels(self): + try: + fd = open(selinux.selinux_virtual_domain_context_path(), 'r') + except OSError, (err_no, msg): + raise RuntimeError, \ + "failed to SELinux virtual domains context: %s: %s %s" % (selinux.selinux_virtual_domain_context_path(),err_no, msg) + + label = fd.read() + fd.close() + try: + fd = open(selinux.selinux_virtual_image_context_path(), 'r') + except OSError, (err_no, msg): + raise RuntimeError, \ + "failed to SELinux virtual domains context: %s: %s %s" % (selinux.selinux_virtual_domain_context_path(), err_no, msg) + + image = fd.read() + fd.close() + + return (label, image) + + def is_conflict_seclabel(self, conn, seclabel): + """ + check if security label is in use by any other VMs on passed + connection. + + @param conn: connection to check for collisions on + @type conn: libvirt.virConnect + + @param seclabel: Security Label + @type str: Security label + + @return: True if a collision, False otherwise + @rtype: C{bool} + """ + if not seclabel: + return False + + vms = [] + # get working domain's name + ids = conn.listDomainsID() + for i in ids: + try: + vm = conn.lookupByID(i) + vms.append(vm) + except libvirt.libvirtError: + # guest probably in process of dieing + logging.warn("Failed to lookup domain id %d" % i) + # get defined domain + names = conn.listDefinedDomains() + for name in names: + try: + vm = conn.lookupByName(name) + vms.append(vm) + except libvirt.libvirtError: + # guest probably in process of dieing + logging.warn("Failed to lookup domain name %s" % name) + + count = 0 + for vm in vms: + doc = None + try: + doc = libxml2.parseDoc(vm.XMLDesc(0)) + except: + continue + ctx = doc.xpathNewContext() + try: + try: + label = ctx.xpathEval("/domain/seclabel/label/") + if label[0].content == seclabel: + count += 1 + break + except: + continue + finally: + if ctx is not None: + ctx.xpathFreeContext() + if doc is not None: + doc.freeDoc() + if count > 0: + return True + else: + return False + + def _get_random_mcs(self): + f1 = random.randrange(1024) + f2 = random.randrange(1024) + if f1 < f2: + return "s0:c%s,c%s" % (f1, f2) + else: + if f1 == f2: + return "s0:c%s" % f1 + else: + return "s0:c%s,c%s" % (f2, f1) + + def gen_seclabels(self): + mcs = self._get_random_mcs() + con = self.default_seclabel.split(':') + seclabel = "%s:%s:%s:%s" % (con[0], con[1], con[2], mcs) + con = self.default_imagelabel.split(':') + imagelabel = "%s:%s:%s:%s" % (con[0], con[1], con[2], mcs) + return (seclabel, imagelabel) + def _set_defaults(self): if self.uuid is None: while 1: diff -r -u virtinst-0.400.1/virtinst/VirtualDisk.py virtinst-0.400.1.new/virtinst/VirtualDisk.py --- virtinst-0.400.1/virtinst/VirtualDisk.py 2009-01-26 14:33:25.000000000 -0500 +++ virtinst-0.400.1.new/virtinst/VirtualDisk.py 2009-02-19 19:43:44.000000000 -0500 @@ -172,8 +172,6 @@ """ return "%s:%s" %(self.type, self.path) - - def _get_path(self): return self._path def _set_path(self, val, validate=True): @@ -413,7 +411,7 @@ newpath = self.vol_object.path() elif self.vol_install: newpath = _util.get_xml_path(self.vol_install.pool.XMLDesc(0), - "/pool/target/path") + \ + "/pool/target/path") + "/" + \ self.vol_install.name if newpath and newpath != self.path:

3 6

[libvirt] iptables and libvirt
by Karl Wirth 24 Feb '09

24 Feb '09

Hi, I would like your feedback on the following idea. What if we could flexibly change the iptables rules for the different guests as they are deployed onto the node/host. The idea would be to do all of this within the iptables of the host leaving alone the iptables of the guests themselves. Here are some specifics: - Physical systems typically isolated using firewalls protecting well known ports. - With virt, on shared physical device, use a bridge to give full LAN access to vm - Or a virtual network which is an isolated bridge with no physical connection. Guest can talk to each other directly. Only NAT'd outbound. - The idea is to eventually make it easy to centrally set up iptable rules for guests that are applied in the host iptables. - We would have to be able to migrate the iptables rules and the state data with vm as it moves The benefits of this would be we could: - Create networking controls that provide same isolation as physical systems - Control which VMs can talk to which others Integration option: - Integration in virtd because it knows about the guests and their network parameters. Thanks for your feedback. Best regards, Karl

6 8

[libvirt] About virtualization, libvirt and xen...
by Patrick Archibal 24 Feb '09

24 Feb '09

Hello, I have understand that : ---------------------------- guest ---------------------------- driver_device0_guest ---------------------------- hypervisor ---------------------------- driver_device0_hypervisor ---------------------------- device0 ---------------------------- in order to access to a device, a guest use driver_device0_guest The driver_device0_guest is modified to ask the hypervisor instead of the device0 directly. Then the hypervisor uses the driver_device0_hypervisor in order to ask the device0. It's my understant, maybe it's false. I have few questions : 1 - what is the difference between libvirt and virtio. 2 - why developpers for xen, kvm... must develop drivers each time there are new devices ? Because the driver must ask the hypervisor instead of device directly. 3 - The devices presented to the guest are real or emulated ? (for xen and/or kvm) if devices are real, for example, i can use my graphic card with a virtual machine ?? 4 - Can you tell me why kvm is best or xen is best in enterprise. In my understand, in the future, kvm is in good position because the developpment is integrated in the kernel. Also, i feel xen progress because firms like citrix contribute but it's seems there is no big update since few years. My vision is xen is best for production environnement because it takes advantages of minimal hypervisor code while kvm must be install with the kernel. Also, it seems, performance will be better in kvm with virtio. Can we use virtio with xen ? _________________________________________________________________ Vous voulez savoir ce que vous pouvez faire avec le nouveau Windows Live ? Lancez-vous ! http://www.microsoft.com/windows/windowslive/default.aspx

2 1