Re: Add option to skip cpu feature and model verification in libvirt and rely on qemu 'enforce' option

On Wed, Nov 23, 2022 at 12:51:39PM +0100, Jiri Denemark wrote: > On Wed, Nov 23, 2022 at 11:41:03 +0000, Daniel P. Berrangé wrote: >> On Wed, Nov 23, 2022 at 12:29:24PM +0100, Jiri Denemark wrote: >>> On Wed, Nov 23, 2022 at 11:18:01 +0000, Daniel P. Berrangé wrote: >>>> On Tue, Nov 22, 2022 at 01:48:39PM +0100, Jiri Denemark wrote: >>>>> On Mon, Nov 21, 2022 at 12:47:58 +0530, manish.mishra wrote: >>>>>> On 18/11/22 5:00 pm, Jiri Denemark wrote: >>>>>>> On Fri, Nov 18, 2022 at 10:18:59 +0000, John Levon wrote: >>>>>>>> On Fri, Nov 18, 2022 at 10:52:32AM +0100, Jiri Denemark wrote: >>>>>>>> >>>>>>>>>> * Qemu already provide an option 'enforce' to validate if features >>>>>>>>>> with which vm is started is exactly same as one provided and nothing >>>>>>>>>> is silently dropped. >>>>>>>>> Right, but it's not enough. In addition to removed features libvirt also >>>>>>>>> checks for unexpectedly added features. And you really need to do both. >>>>>>>>> Because if you ask for -cpu Model,feat1=on,feat2=on,enforce and QEMU >>>>>>>>> says everything is fine, the guest might see more than what you asked. >>>>>>>>> For example, if a feature is enabled only if a host supports it you may >>>>>>>>> or may not get it without any complains from QEMU. But if you get it you >>>>>>>>> really need to explicitly ask for it during migration, otherwise the >>>>>>>>> feature can just silently disappear. Of course, this would be a really >>>>>>>>> bad behavior from QEMU, but that does not mean it can't happen (I think >>>>>>>>> SVM is a bit problematic in this way) and the whole point of libvirt's >>>>>>>>> checks is to prevent this kind of issues. >>>>>>>> Hi Jiri, I'm not following this very well. I think you're saying that qemu has >>>>>>>> had bugs previously where features get silently enabled, >>>>>>> Personally, I haven't actually witnessed any bug in this area (as far as >>>>>>> I can remember, which is not that far :-)), but got some reports of at >>>>>>> least one, even though without any proof. >>>>>>> >>>>>>> Specifically, SVM is quite strange as it is included in all AMD CPU >>>>>>> models in QEMU and yet if you try to start it on a host without nesting >>>>>>> enabled "enforce" does not complain. I saw the feature is enabled with >>>>>>> older machine types, but I was told the magic behind this feature looks >>>>>>> like not only machine type but even host configuration itself is >>>>>>> involved. Anyway, although I saw reports of that the feature could be >>>>>>> enabled without an explicit request even with new machine types I still >>>>>>> haven't seen any proof of this happening. So I hope it just does not >>>>>>> happen and users are only afraid of this possibility. >>>>>>> >>>>>>>> and it's libvirt's job/role to paper over those issues? Do you have >>>>>>>> some specific cases of this? >>>>>>> This is not about papering. It's actually the opposite, that is about >>>>>>> detecting if something like this happens and reporting it as a failure >>>>>>> rather than papering it and hoping everything goes well. So I think >>>>>>> doing this is a good idea even though I don't think we actually saw any >>>>>>> issue of this kind. >>>>>> >>>>>> Hi Jiri, I see now with libvirt master, with check=='full' we verify >>>>>> both silently dropped as well as added features. But as you already >>>>>> stated Qemu silently adding feature is a Qemu bug and libvirt just >>>>>> reports that bug, so it should be very unlikely, i agree that is not a >>>>>> good reasoning :). Our requirement is that we want to use CPU Models >>>>>> and features which are defined in Qemu but not in libvirt for e.g if >>>>>> we want to use Icelake-Server-V4 directly or newly added vmx feature, >>>>>> libvirt does not allow. Currently we take help of qemu to do >>>>>> validations but for cpu feature verfication and model definations we >>>>>> still use libvirt defined definations which prevent us to use anything >>>>>> which is not defined in libvirt. I see there are already efforts going >>>>>> on to get all model and feature defination from qemu itself, but not >>>>>> sure how much time it will take. Till that happens we thought safest >>>>>> option is to have an option to remove all validations from libvirt and >>>>>> rely on qemu 'enforce' for migration safetly. I understand >>>>>> qemu-enforce does not check for silently added features, but that case >>>>>> we can assume is very unlikely and Qemu should fix otherwise VMs will >>>>>> not poweron anyway with check=='full'. Basically we want it as an >>>>>> modification of check='none' but also skipping things like >>>>>> virCPUValidateFeatures and passing option 'enforce' to Qemu. Or if >>>>>> silently adding features is that big concern we can have a check in >>>>>> Qemu itself? I understand current qemu-enforce is not as migration >>>>>> safe as check=='full' but probably suitable for our use case for time >>>>>> being? >>>>> I understand why you want this, but on the other hand adding just a >>>>> plain pass-through for CPU model and features is quite dangerous as it >>>>> can be used to set any -cpu option even if it's not a feature. And >>>>> especially the parts that are configured in other areas of domain XML >>>>> (such as hypervisor features). So I think instead of adding a new mode >>>>> for <cpu> we should go another way. For things that are not yet >>>>> supported by libvirt we support various elements in qemu namespace, >>>>> e.g., setting QEMU command line options, environment variables, or even >>>>> overriding options libvirt would normally set on the command line. So I >>>>> guess we could have a special <qemu:cpu> element which would be used >>>>> when a user wants full control over the -cpu option without any libvirt >>>>> intervention. >>>> I really don't think we should allow this, especially not for something >>>> which is clearly intended to be used for production deployment. Our >>>> hypervisor CLI passthrough is there to allow for short term workarounds >>>> for bugs, or to experiment with a feature before it is mapped into >>>> libvirt in a supported manner. >>>> >>>> If there are aspects related to QEMU configuration thiat are not in >>>> libvirt yet, we need to address those gaps, not provide yet another >>>> way to bypass libvirt mapping. >>> Indeed, this was definitely meant as a short term workaround for stuff >>> we don't have support for yet, for testing or experimental purposes. The >>> supported approach is for implement the missing parts in libvirt (and >>> QEMU) as soon as possible. I don't see why would a properly documented >>> support for experiments with -cpu would be an issue. >> Why can't it just use the exsting QEMU passthrough syntax we have. >> I don't think we should be adding specifial support just for CPUs > That would be nice, but the QEMU passthrough syntax cannot be used for > changing options that libvirt already passes to QEMU. So using it would > likely result in two separate -cpu options on QEMU command line. And it > would not rule out the CPU verification code in libvirt. Remember, we > add a default -cpu model in case there's none configured in the XML. Two -cpu options isn't a problem, the latter will override the former, which is fine from the level of support intended for QEMU passthrough usage. For the libvirt checking, isn't the 'check=none' attr sufficient to skip checks libvirt does. With regards, Daniel