The docs about remote URIs in uri.html are somewhat sparse with the full docs being in remote.html. Move all the URI content from remote.html into uri.html so the user only needs to look in one place for URI info. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/remote.html.in | 278 +------------------------------------------- docs/uri.html.in | 263 ++++++++++++++++++++++++++++++++++++----- 2 files changed, 238 insertions(+), 303 deletions(-) diff --git a/docs/remote.html.in b/docs/remote.html.in index 5a0ebe4790..0b0dc87f6f 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -34,7 +34,7 @@ the system-wide QEMU daemon on a remote machine called <code>qemu://compute1.libvirt.org/system</code>;. </p> <p> -The <a href="#Remote_URI_reference">section on remote URIs</a> +The <a href="uri.html#URI_remote">section on remote URIs</a> describes in more detail these remote URIs. </p> <p> @@ -109,279 +109,9 @@ even with graphical management applications. As with the classic ssh transport netcat is required on the remote side.</dd> </dl> <p> -The default transport, if no other is specified, is <code>tls</code>. -</p> - <h2> - <a id="Remote_URI_reference">Remote URIs</a> - </h2> - <p> -See also: <a href="uri.html">documentation on ordinary ("local") URIs</a>. -</p> - <p> -Remote URIs have the general form ("[...]" meaning an optional part): -</p> - <p><code>driver</code>[<code>+transport</code>]<code>://</code>[<code>username@</code>][<code>hostname</code>][<code>:port</code>]<code>/</code>[<code>path</code>][<code>?extraparameters</code>] -</p> - <p> -Either the transport or the hostname must be given in order -to distinguish this from a local URI. -</p> - <p> -Some examples: -</p> - <ul> - <li><code>xen+ssh://rjones@towada/system</code><br/> &#x2014; Connect to a -remote Xen hypervisor on host <code>towada</code> using ssh transport and ssh -username <code>rjones</code>. -</li> - <li><code>xen://towada/system</code><br/> &#x2014; Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. -</li> - <li><code>xen://towada/system?no_verify=1</code><br/> &#x2014; Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. Do not verify -the server's certificate. -</li> - <li><code>qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock</code><br/> &#x2014; -Connect to the local qemu instances over a non-standard -Unix socket (the full path to the Unix socket is -supplied explicitly in this case). -</li> - <li><code>test+tcp://localhost:5000/default</code><br/> &#x2014; -Connect to a libvirtd daemon offering unencrypted TCP/IP connections -on localhost port 5000 and use the test driver with default -settings. -</li> -<li><code>qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014; -Connect to a remote host using a ssh connection with the libssh2 driver -and use a different known_hosts file.</li> -<li><code>qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014; -Connect to a remote host using a ssh connection with the libssh driver -and use a different known_hosts file.</li> - </ul> - <h3> - <a id="Remote_URI_parameters">Extra parameters</a> - </h3> - <p> -Extra parameters can be added to remote URIs as part -of the query string (the part following <q><code>?</code></q>). -Remote URIs understand the extra parameters shown below. -Any others are passed unmodified through to the back end. -Note that parameter values must be -<a href="http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr"&...;. -</p> - <table class="top_table"> - <tr> - <th> Name </th> - <th> Transports </th> - <th> Meaning </th> - </tr> - <tr> - <td> - <code>name</code> - </td> - <td> - <i>any transport</i> - </td> - <td> - The name passed to the remote virConnectOpen function. The - name is normally formed by removing transport, hostname, port - number, username and extra parameters from the remote URI, but in certain - very complex cases it may be better to supply the name explicitly. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>name=qemu:///system</code> </td> - </tr> - <tr> - <td> - <code>tls_priority</code> - </td> - <td> tls </td> - <td> - A vaid GNUTLS priority string -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>tls_priority=NORMAL:-VERS-SSL3.0</code> </td> - </tr> - <tr> - <td> - <code>mode</code> - </td> - <td> unix, ssh, libssh, libssh2 </td> - <td> - <dl> - <dt><code>auto</code></dt><dd>automatically determine the daemon</dd> - <dt><code>direct</code></dt><dd>connect to per-driver daemons</dd> - <dt><code>legacy</code></dt><dd>connect to libvirtd</dd> - </dl> - Can also be set in <code>libvirt.conf</code> as <code>remote_mode</code> - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>mode=direct</code> </td> - </tr> - <tr> - <td> - <code>command</code> - </td> - <td> ssh, ext </td> - <td> - The external command. For ext transport this is required. - For ssh the default is <code>ssh</code>. - The PATH is searched for the command. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>command=/opt/openssh/bin/ssh</code> </td> - </tr> - <tr> - <td> - <code>socket</code> - </td> - <td> unix, ssh, libssh2, libssh </td> - <td> - The path to the Unix domain socket, which overrides the - compiled-in default. For ssh transport, this is passed to - the remote netcat command (see next). -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>socket=/opt/libvirt/run/libvirt/libvirt-sock</code> </td> - </tr> - <tr> - <td> - <code>netcat</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the netcat command on the remote machine. - The default is <code>nc</code>. For ssh transport, libvirt - constructs an ssh command which looks like: - -<pre><i>command</i> -p <i>port</i> [-l <i>username</i>] <i>hostname</i> <i>netcat</i> -U <i>socket</i> -</pre> - - where <i>port</i>, <i>username</i>, <i>hostname</i> can be - specified as part of the remote URI, and <i>command</i>, <i>netcat</i> - and <i>socket</i> come from extra parameters (or - sensible defaults). - -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>netcat=/opt/netcat/bin/nc</code> </td> - </tr> - - <tr> - <td> - <code>keyfile</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the private key file to use to authentication to the remote - machine. If this option is not used the default keys are used. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>keyfile=/root/.ssh/example_key</code> </td> - </tr> - - <tr> - <td> - <code>no_verify</code> - </td> - <td> ssh, tls </td> - <td> - SSH: If set to a non-zero value, this disables client's strict host key - checking making it auto-accept new host keys. Existing host keys will - still be validated. - <br/> - <br/> - TLS: If set to a non-zero value, this disables client checks of the - server's certificate. Note that to disable server checks of - the client's certificate or IP address you must - <a href="#Remote_libvirtd_configuration">change the libvirtd - configuration</a>. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_verify=1</code> </td> - </tr> - <tr> - <td> - <code>no_tty</code> - </td> - <td> ssh </td> - <td> - If set to a non-zero value, this stops ssh from asking for - a password if it cannot log in to the remote machine automatically - (eg. using ssh-agent etc.). Use this when you don't have access - to a terminal - for example in graphical programs which use libvirt. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_tty=1</code> </td> - </tr> - <tr> - <td> - <code>pkipath</code> - </td> - <td> tls</td> - <td> - Specifies x509 certificates path for the client. If any of - the CA certificate, client certificate, or client key is - missing, the connection will fail with a fatal error. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>pkipath=/tmp/pki/client</code> </td> - </tr> - <tr> - <td> - <code>known_hosts</code> - </td> - <td> libssh2, libssh </td> - <td> - Path to the known_hosts file to verify the host key against. LibSSH2 and - libssh support OpenSSH-style known_hosts files, although LibSSH2 does not - support all key types, so using files created by the OpenSSH binary may - result into truncating the known_hosts file. Thus, with LibSSH2 it's - recommended to use the default known_hosts file is located in libvirt's - client local configuration directory e.g.: ~/.config/libvirt/known_hosts. - Note: Use absolute paths. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>known_hosts=/root/.ssh/known_hosts</code> </td> - </tr> - <tr> - <td> - <code>sshauth</code> - </td> - <td> libssh2, libssh </td> - <td> - A comma separated list of authentication methods to use. Default (is - "agent,privkey,password,keyboard-interactive". The order of the methods - is preserved. Some methods may require additional parameters. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>sshauth=privkey,agent</code> </td> - </tr> - </table> + The choice of transport is determined by the <a href="uri.html#URI_remote">URI scheme</a>, + with <code>tls</code> as the default if no explicit transport is requested. + </p> <h2> <a id="Remote_libvirtd_configuration">libvirtd configuration file</a> </h2> diff --git a/docs/uri.html.in b/docs/uri.html.in index 6da9eb9746..49f92773f8 100644 --- a/docs/uri.html.in +++ b/docs/uri.html.in @@ -153,65 +153,270 @@ here</a>. <a id="URI_remote">Remote URIs</a> </h2> <p> -Remote URIs are formed by taking ordinary local URIs and adding a -hostname and/or transport name. As a special case, using a URI -scheme of 'remote', will tell the remote libvirtd server to probe -for the optimal hypervisor driver. This is equivalent to passing -a NULL URI for a local connection. For example: +Remote URIs have the general form ("[...]" meaning an optional part): +</p> + <p><code>driver</code>[<code>+transport</code>]<code>://</code>[<code>username@</code>][<code>hostname</code>][<code>:port</code>]<code>/</code>[<code>path</code>][<code>?extraparameters</code>] +</p> + <p> +Either the transport or the hostname must be given in order +to distinguish this from a local URI. +</p> + <p> +Some examples: +</p> + <ul> + <li><code>xen+ssh://rjones@towada/system</code><br/> &#x2014; Connect to a +remote Xen hypervisor on host <code>towada</code> using ssh transport and ssh +username <code>rjones</code>. +</li> + <li><code>xen://towada/system</code><br/> &#x2014; Connect to a +remote Xen hypervisor on host <code>towada</code> using TLS. +</li> + <li><code>xen://towada/system?no_verify=1</code><br/> &#x2014; Connect to a +remote Xen hypervisor on host <code>towada</code> using TLS. Do not verify +the server's certificate. +</li> + <li><code>qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock</code><br/> &#x2014; +Connect to the local qemu instances over a non-standard +Unix socket (the full path to the Unix socket is +supplied explicitly in this case). +</li> + <li><code>test+tcp://localhost:5000/default</code><br/> &#x2014; +Connect to a libvirtd daemon offering unencrypted TCP/IP connections +on localhost port 5000 and use the test driver with default +settings. +</li> +<li><code>qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014; +Connect to a remote host using a ssh connection with the libssh2 driver +and use a different known_hosts file.</li> +<li><code>qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014; +Connect to a remote host using a ssh connection with the libssh driver +and use a different known_hosts file.</li> + </ul> + <h3> + <a id="Remote_URI_parameters">Extra parameters</a> + </h3> + <p> +Extra parameters can be added to remote URIs as part +of the query string (the part following <q><code>?</code></q>). +Remote URIs understand the extra parameters shown below. +Any others are passed unmodified through to the back end. +Note that parameter values must be +<a href="http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr"&...;. </p> <table class="top_table"> <tr> - <th> Local URI </th> - <th> Remote URI </th> + <th> Name </th> + <th> Transports </th> <th> Meaning </th> </tr> <tr> <td> - <code>xen:///system</code> + <code>name</code> </td> <td> - <code>xen://oirase/system</code> + <i>any transport</i> </td> - <td> Connect to the Xen hypervisor running on host <code>oirase</code> - using TLS. </td> + <td> + The name passed to the remote virConnectOpen function. The + name is normally formed by removing transport, hostname, port + number, username and extra parameters from the remote URI, but in certain + very complex cases it may be better to supply the name explicitly. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>name=qemu:///system</code> </td> </tr> <tr> <td> - <code>NULL</code> + <code>tls_priority</code> </td> + <td> tls </td> <td> - <code>remote://oirase/</code> + A vaid GNUTLS priority string +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>tls_priority=NORMAL:-VERS-SSL3.0</code> </td> + </tr> + <tr> + <td> + <code>mode</code> + </td> + <td> unix, ssh, libssh, libssh2 </td> + <td> + <dl> + <dt><code>auto</code></dt><dd>automatically determine the daemon</dd> + <dt><code>direct</code></dt><dd>connect to per-driver daemons</dd> + <dt><code>legacy</code></dt><dd>connect to libvirtd</dd> + </dl> + Can also be set in <code>libvirt.conf</code> as <code>remote_mode</code> </td> - <td> Connect to the "default" hypervisor running on host <code>oirase</code> - using TLS. </td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>mode=direct</code> </td> </tr> <tr> <td> - <code>xen:///system</code> + <code>command</code> </td> + <td> ssh, ext </td> <td> - <code>xen+ssh://oirase/system</code> + The external command. For ext transport this is required. + For ssh the default is <code>ssh</code>. + The PATH is searched for the command. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>command=/opt/openssh/bin/ssh</code> </td> + </tr> + <tr> + <td> + <code>socket</code> </td> - <td> Connect to the Xen hypervisor running on host <code>oirase</code> - by going over an <code>ssh</code> connection. </td> + <td> unix, ssh, libssh2, libssh </td> + <td> + The path to the Unix domain socket, which overrides the + compiled-in default. For ssh transport, this is passed to + the remote netcat command (see next). +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>socket=/opt/libvirt/run/libvirt/libvirt-sock</code> </td> </tr> <tr> <td> - <code>test:///default</code> + <code>netcat</code> </td> + <td> ssh, libssh2, libssh </td> <td> - <code>test+tcp://oirase/default</code> + The name of the netcat command on the remote machine. + The default is <code>nc</code>. For ssh transport, libvirt + constructs an ssh command which looks like: + +<pre><i>command</i> -p <i>port</i> [-l <i>username</i>] <i>hostname</i> <i>netcat</i> -U <i>socket</i> +</pre> + + where <i>port</i>, <i>username</i>, <i>hostname</i> can be + specified as part of the remote URI, and <i>command</i>, <i>netcat</i> + and <i>socket</i> come from extra parameters (or + sensible defaults). + +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>netcat=/opt/netcat/bin/nc</code> </td> + </tr> + + <tr> + <td> + <code>keyfile</code> + </td> + <td> ssh, libssh2, libssh </td> + <td> + The name of the private key file to use to authentication to the remote + machine. If this option is not used the default keys are used. + </td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>keyfile=/root/.ssh/example_key</code> </td> + </tr> + + <tr> + <td> + <code>no_verify</code> + </td> + <td> ssh, tls </td> + <td> + SSH: If set to a non-zero value, this disables client's strict host key + checking making it auto-accept new host keys. Existing host keys will + still be validated. + <br/> + <br/> + TLS: If set to a non-zero value, this disables client checks of the + server's certificate. Note that to disable server checks of + the client's certificate or IP address you must + <a href="#Remote_libvirtd_configuration">change the libvirtd + configuration</a>. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>no_verify=1</code> </td> + </tr> + <tr> + <td> + <code>no_tty</code> + </td> + <td> ssh </td> + <td> + If set to a non-zero value, this stops ssh from asking for + a password if it cannot log in to the remote machine automatically + (eg. using ssh-agent etc.). Use this when you don't have access + to a terminal - for example in graphical programs which use libvirt. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>no_tty=1</code> </td> + </tr> + <tr> + <td> + <code>pkipath</code> + </td> + <td> tls</td> + <td> + Specifies x509 certificates path for the client. If any of + the CA certificate, client certificate, or client key is + missing, the connection will fail with a fatal error. + </td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>pkipath=/tmp/pki/client</code> </td> + </tr> + <tr> + <td> + <code>known_hosts</code> + </td> + <td> libssh2, libssh </td> + <td> + Path to the known_hosts file to verify the host key against. LibSSH2 and + libssh support OpenSSH-style known_hosts files, although LibSSH2 does not + support all key types, so using files created by the OpenSSH binary may + result into truncating the known_hosts file. Thus, with LibSSH2 it's + recommended to use the default known_hosts file is located in libvirt's + client local configuration directory e.g.: ~/.config/libvirt/known_hosts. + Note: Use absolute paths. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>known_hosts=/root/.ssh/known_hosts</code> </td> + </tr> + <tr> + <td> + <code>sshauth</code> </td> - <td> Connect to the test driver on host <code>oirase</code> - using an unsecured TCP connection. </td> + <td> libssh2, libssh </td> + <td> + A comma separated list of authentication methods to use. Default (is + "agent,privkey,password,keyboard-interactive". The order of the methods + is preserved. Some methods may require additional parameters. +</td> + </tr> + <tr> + <td colspan="2"/> + <td> Example: <code>sshauth=privkey,agent</code> </td> </tr> </table> - <p> -Remote URIs in libvirt offer a rich syntax and many features. -We refer you to <a href="remote.html#Remote_URI_reference">the libvirt -remote URI reference</a> and <a href="remote.html">full documentation -for libvirt remote support</a>. -</p> <h2> <a id="URI_test">test:///... Test URIs</a> </h2> -- 2.23.0

The HTML from rst2html doesn't have <h1> immediately under the <body> tag, instead there is at least one <div> in between. There are also many things added in the <head> section that we don't want to have copied over, since our templating system already adds suitable <head> elements. We only need to copy the <script> to make index.html work. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/page.xsl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/page.xsl b/docs/page.xsl index 6f429ae087..70dfec6df6 100644 --- a/docs/page.xsl +++ b/docs/page.xsl @@ -97,9 +97,9 @@ <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/> <link rel="manifest" href="/manifest.json"/> <meta name="theme-color" content="#ffffff"/> - <title>libvirt: <xsl:value-of select="html:html/html:body/html:h1"/></title> + <title>libvirt: <xsl:value-of select="html:html/html:body//html:h1"/></title> <meta name="description" content="libvirt, virtualization, virtualization API"/> - <xsl:apply-templates select="/html:html/html:head/*" mode="content"/> + <xsl:apply-templates select="/html:html/html:head/html:script" mode="content"/> <script type="text/javascript" src="{$href_base}js/main.js"> <xsl:comment>// forces non-empty element</xsl:comment> -- 2.23.0

We currently only render pretty tables if they have the "top_table" class set. All of our tables set this, except for the ACL & migration doc tables, which should have set it, and the API reference which does not want it. Simplify life by rendering all tables in a pretty style and remove the need for the "top_table" class entirely. A small rule turns off the pretty style for the API reference where tables are a hack used to render enums with horizontal alignment. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/aclpolkit.html.in | 20 +++++------ docs/genaclperms.pl | 2 +- docs/libvirt.css | 75 ++++++++++++------------------------------ docs/migration.html.in | 2 +- docs/newapi.xsl | 4 +-- 5 files changed, 35 insertions(+), 68 deletions(-) diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in index 68e6d399b2..4a8877d5e7 100644 --- a/docs/aclpolkit.html.in +++ b/docs/aclpolkit.html.in @@ -64,7 +64,7 @@ </p> <h3><a id="object_connect">virConnectPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -80,7 +80,7 @@ </table> <h3><a id="object_domain">virDomainPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -104,7 +104,7 @@ </table> <h3><a id="object_interface">virInterfacePtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -128,7 +128,7 @@ </table> <h3><a id="object_network">virNetworkPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -152,7 +152,7 @@ </table> <h3><a id="object_node_device">virNodeDevicePtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -172,7 +172,7 @@ </table> <h3><a id="object_nwfilter">virNWFilterPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -196,7 +196,7 @@ </table> <h3><a id="object_secret">virSecretPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -232,7 +232,7 @@ </table> <h3><a id="object_storage_pool">virStoragePoolPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -256,7 +256,7 @@ </table> <h3><a id="object_storage_vol">virStorageVolPtr</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Attribute</th> @@ -317,7 +317,7 @@ </p> <h3><a id="object_connect_driver">Connection Driver Name</a></h3> - <table class="acl"> + <table> <thead> <tr> <th>Connection Driver</th> diff --git a/docs/genaclperms.pl b/docs/genaclperms.pl index e20b4c11c3..0de2cfad4d 100755 --- a/docs/genaclperms.pl +++ b/docs/genaclperms.pl @@ -85,7 +85,7 @@ foreach my $object (sort { $a cmp $b } keys %perms) { my $olink = lc "object_" . $object; print <<EOF; <h3><a id="$olink">$class</a></h3> -<table class="acl"> +<table> <thead> <tr> <th>Permission</th> diff --git a/docs/libvirt.css b/docs/libvirt.css index 399404ca54..d2e1842b62 100644 --- a/docs/libvirt.css +++ b/docs/libvirt.css @@ -161,37 +161,37 @@ p.image { text-align: center; } -.top_table { +table { border-collapse: collapse; min-width: 60%; margin-left: auto; margin-right: auto; } -.top_table th { +table th { background: rgb(0, 95, 97); color: rgb(255, 255, 255); padding: 0.5em; } -.top_table th a { +table th a { color: inherit; text-decoration: inherit; } -.top_table td, .top_table th { +table td, table th { border: 1px solid rgb(60, 133, 124); } -.top_table td { +table td { padding: 4px; } -.top_table tr:hover td, .top_table col:hover td { +table tr:hover td, table col:hover td { background: #eeeeee; } -.top_table tr td:hover { +table tr td:hover { background: #c5dbd8; } @@ -289,42 +289,12 @@ img.diagram { margin-right: auto; } -table.data th, table.data td { - padding: 0.3em; -} - -table.data { - border-spacing: 0px; -} - -table.data thead th { - background: rgb(178,178,178); - text-align: center; -} - -table.data { - border: 1px solid black; - border-collapse: collapse; -} - -table.data thead tr th { - border: 1px solid black; -} - -table.data tr.head th { - border-left: 1px solid black; - border-right: 1px solid black; -} - -table.data tbody td { - background: rgb(240,240,240); -} -table.data tbody td.y { +table tbody td.y { background: rgb(220,255,220); text-align: center; } -table.data tbody td.n { +table tbody td.n { background: rgb(255,220,220); text-align: center; } @@ -377,6 +347,18 @@ table.data tbody td.n { text-decoration: none; } +.api table td,.api table th { + border: 0px; +} + +.api table tr:hover td, .api table col:hover td { + background: inherit; +} + +.api table tr td:hover { + background: inherit; +} + dl.variablelist > dt { display: block; float: left; @@ -392,21 +374,6 @@ dl.variablelist > dt:after { content: ": "; } -table.acl { - margin: 1em; - border-spacing: 0px; - border: 1px solid #ccc; -} - -table.acl tr, table.acl td { - padding: 0.3em; - border: 1px solid #ccc; -} - -table.acl thead { - background: #ddd; -} - div.description pre.code { border: 1px dashed grey; background-color: inherit; diff --git a/docs/migration.html.in b/docs/migration.html.in index 7c345b65b7..355f0e89af 100644 --- a/docs/migration.html.in +++ b/docs/migration.html.in @@ -257,7 +257,7 @@ combinations. </p> - <table class="data"> + <table> <thead> <tr class="head"> <th colspan="3">Before migration</th> diff --git a/docs/newapi.xsl b/docs/newapi.xsl index 670879dc48..0dc4f7ae52 100644 --- a/docs/newapi.xsl +++ b/docs/newapi.xsl @@ -43,7 +43,7 @@ <xsl:if test="count(exsl:node-set($acls)/api[@name=$api]/check) > 0"> <h5>Access control parameter checks</h5> - <table class="acl"> + <table> <thead> <tr> <th>Object</th> @@ -56,7 +56,7 @@ </xsl:if> <xsl:if test="count(exsl:node-set($acls)/api[@name=$api]/filter) > 0"> <h5>Access control return value filters</h5> - <table class="acl"> + <table> <thead> <tr> <th>Object</th> -- 2.23.0

Most importantly we document the required heading markup so that we get consistency across the docs. Also mention that docs should have a table of contents if they have headings & are likely longer than one page of text. The 3-space indent rule may sound wierd, but that's what python has recommended and thus what tools like pandoc emit. Rather than try to reindent things to 4-space, just accept this RST norm. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/docs.html.in | 3 +++ docs/styleguide.rst | 66 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 docs/styleguide.rst diff --git a/docs/docs.html.in b/docs/docs.html.in index f2721964b5..f441769617 100644 --- a/docs/docs.html.in +++ b/docs/docs.html.in @@ -135,6 +135,9 @@ <dt><a href="hacking.html">Contributor guidelines</a></dt> <dd>General hacking guidelines for contributors</dd> + <dt><a href="styleguide.html">Docs style guide</a></dt> + <dd>Style guidelines for reStructuredText docs</dd> + <dt><a href="strategy.html">Project strategy</a></dt> <dd>Sets a vision for future direction &amp; technical choices</dd> diff --git a/docs/styleguide.rst b/docs/styleguide.rst new file mode 100644 index 0000000000..71f29320cb --- /dev/null +++ b/docs/styleguide.rst @@ -0,0 +1,66 @@ +========================= +Documentation style guide +========================= + +.. contents:: + +The following documents some specific libvirt rules for writing docs in +reStructuredText + +Table of contents +================= + +Any document which uses headings and whose content is long enough to cause +scrolling when viewed in the browser must start with a table of contents. +This should be created using the default formatting: + +:: + + .. contents:: + + +Whitespace +========== + +Blocks should be indented with 3 spaces, and no tabs + + +Headings +======== + +RST allows headings to be created simply by underlining with any punctuation +characters. Optionally the text may be overlined to. + +For the sake of consistency, libvirt defines the following style requirement +which allows for 6 levels of headings + +:: + + ========= + Heading 1 + ========= + + + + Heading 2 + ========= + + + + Heading 3 + --------- + + + + Heading 4 + ~~~~~~~~~ + + + + Heading 5 + ......... + + + + Heading 6 + ^^^^^^^^^ -- 2.23.0

This is a semi-automated conversion. The first conversion is done using "pandoc -f html -t rst". The result is then editted manually to apply the desired heading markup, and fix a few things that pandoc gets wrong. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/kbase/launch_security_sev.html.in | 533 ------------------------- docs/kbase/launch_security_sev.rst | 529 ++++++++++++++++++++++++ 2 files changed, 529 insertions(+), 533 deletions(-) delete mode 100644 docs/kbase/launch_security_sev.html.in create mode 100644 docs/kbase/launch_security_sev.rst diff --git a/docs/kbase/launch_security_sev.html.in b/docs/kbase/launch_security_sev.html.in deleted file mode 100644 index 985c11a47b..0000000000 --- a/docs/kbase/launch_security_sev.html.in +++ /dev/null @@ -1,533 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1>Launch security with AMD SEV</h1> - - <ul id="toc"></ul> - - <p> - Storage encryption in modern public cloud computing is a common practice. - However, from the point of view of a user of these cloud workloads, a - significant amount of trust needs to be put in the cloud platform security as - well as integrity (was the hypervisor tampered?). For this reason there's ever - rising demand for securing data in use, i.e. memory encryption. - One of the solutions addressing this matter is AMD SEV. - </p> - - <h2>AMD SEV</h2> - <p> - SEV (Secure Encrypted Virtualization) is a feature extension of AMD's SME (Secure - Memory Encryption) intended for KVM virtual machines which is supported - primarily on AMD's EPYC CPU line. In contrast to SME, SEV uses a unique memory encryption - key for each VM. The whole encryption of memory pages is completely transparent - to the hypervisor and happens inside dedicated hardware in the on-die memory controller. - Each controller includes a high-performance Advanced Encryption Standard - (AES) engine that encrypts data when it is written to DRAM and decrypts it - when read. - - For more details about the technology itself, you can visit - <a href="https://developer.amd.com/sev/">AMD's developer portal</a>. - </p> - - <h2><a id="Host">Enabling SEV on the host</a></h2> - <p> - Before VMs can make use of the SEV feature you need to make sure your - AMD CPU does support SEV. You can check whether SEV is among the CPU - flags with: - </p> - - <pre> -$ cat /proc/cpuinfo | grep sev -... -sme ssbd sev ibpb</pre> - - <p> - Next step is to enable SEV in the kernel, because it is disabled by default. - This is done by putting the following onto the kernel command line: - </p> - - <pre> -mem_encrypt=on kvm_amd.sev=1 - </pre> - - <p> - To make the changes persistent, append the above to the variable holding - parameters of the kernel command line in - <code>/etc/default/grub</code> to preserve SEV settings across reboots - </p> - - <pre> -$ cat /etc/default/grub -... -GRUB_CMDLINE_LINUX="... mem_encrypt=on kvm_amd.sev=1" -$ grub2-mkconfig -o /boot/efi/EFI/&lt;distro&gt;/grub.cfg</pre> - - <p> - <code>mem_encrypt=on</code> turns on the SME memory encryption feature on - the host which protects against the physical attack on the hypervisor - memory. The <code>kvm_amd.sev</code> parameter actually enables SEV in - the kvm module. It can be set on the command line alongside - <code>mem_encrypt</code> like shown above, or it can be put into a - module config under <code>/etc/modprobe.d/</code> - </p> - - <pre> -$ cat /etc/modprobe.d/sev.conf -options kvm_amd sev=1 - </pre> - - <p> - After rebooting the host, you should see SEV being enabled in the kernel: - </p> - - <pre> -$ cat /sys/module/kvm_amd/parameters/sev -1 - </pre> - - <h2><a id="Virt">Checking SEV support in the virt stack</a></h2> - <p> - <b>Note: All of the commands bellow need to be run with root privileges.</b> - </p> - - <p> - First make sure you have the following packages in the specified versions: - </p> - - <ul> - <li> - libvirt >= 4.5.0 (>5.1.0 recommended due to additional SEV bugfixes) - </li> - <li> - QEMU >= 2.12.0 - </li> - </ul> - <p> - To confirm that the virtualization stack supports SEV, run the following: - </p> - - <pre> -# virsh domcapabilities -&lt;domainCapabilities&gt; -... - &lt;features&gt; - ... - &lt;sev supported='yes'&gt; - &lt;cbitpos&gt;47&lt;/cbitpos&gt; - &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt; - &lt;/sev&gt; - ... - &lt;/features&gt; -&lt;/domainCapabilities&gt;</pre> - <p> - Note that if libvirt was already installed and libvirtd running before enabling SEV in the kernel followed by the host reboot you need to force libvirtd - to re-probe both the host and QEMU capabilities. First stop libvirtd: - </p> - - <pre> -# systemctl stop libvirtd.service - </pre> - - <p> - Now you need to clean the capabilities cache: - </p> - - <pre> -# rm -f /var/cache/libvirt/qemu/capabilities/* - </pre> - - <p> - If you now restart libvirtd, it will re-probe the capabilities and if - you now run: - </p> - - <pre> -# virsh domcapabilities - </pre> - - <p> - SEV should be listed as supported. If you still see: - </p> - - <pre> -&lt;sev supported='no'/&gt; - </pre> - - <p> - it means one of two things: - <ol> - <li> - libvirt does support SEV, but either QEMU or the host does not - </li> - <li> - you have libvirt &lt;=5.1.0 which suffered from getting a - <code>'Permission denied'</code> on <code>/dev/sev</code> because - of the default permissions on the character device which prevented - QEMU from opening it during capabilities probing - you can either - manually tweak the permissions so that QEMU has access to it or - preferably install libvirt 5.1.0 or higher - </li> - </ol> - </p> - - <h2><a id="Configuration">VM Configuration</a></h2> - <p> - SEV is enabled in the XML by specifying the - <a href="https://libvirt.org/formatdomain.html#launchSecurity">... </a> element. However, specifying <code>launchSecurity</code> isn't - enough to boot an SEV VM. Further configuration requirements are discussed - below. - </p> - - <h3><a id="Machine">Machine type</a></h3> - <p> - Even though both Q35 and legacy PC machine types (for PC see also - "virtio") can be used with SEV, usage of the legacy PC machine type is - strongly discouraged, since depending on how your OVMF package was - built (e.g. including features like SecureBoot or SMM) Q35 may even be - required. - </p> - - <h5>Q35</h5> -<pre> -... -&lt;os&gt; - &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt; - ... -&lt;/os&gt; -...</pre> - - <h5>i440fx (discouraged)</h5> - <pre> -... -&lt;os&gt; - &lt;type arch='x86_64' machine='pc-i440fx-3.0'&gt;hvm&lt;/type&gt; - ... -&lt;/os&gt; -... - </pre> - - <h3><a id="Boot">Boot loader</a></h3> - <p> - SEV is only going to work with OVMF (UEFI), so you'll need to point libvirt to - the correct OVMF binary. - </p> - <pre> -... -&lt;os&gt; - &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt; - &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt; -&lt;/os&gt; -...</pre> - - <h3><a id="Memory">Memory</a></h3> - <p> - Internally, SEV expects that the encrypted memory pages won't be swapped out or move - around so the VM memory needs to be pinned in physical RAM which will be - handled by QEMU. Apart from that, certain memory regions allocated by QEMU - itself (UEFI pflash, device ROMs, video RAM, etc.) have to be encrypted as - well. This causes a conflict in how libvirt tries to protect the host. - By default, libvirt enforces a memory hard limit on each VM's cgroup in order - to protect the host from malicious QEMU to allocate and lock all the available - memory. This limit corresponds to the total memory allocation for the VM given - by <code>&lt;currentMemory&gt;</code> element. However, trying to account for the additional - memory regions QEMU allocates when calculating the limit in an automated manner - is non-deterministic. One way to resolve this is to set the hard limit manually. - - <p> - Note: Figuring out the right number so that your guest boots and isn't killed is - challenging, but 256MiB extra memory over the total guest RAM should suffice for - most workloads and may serve as a good starting point. - - For example, a domain with 4GB memory with a 256MiB extra hard limit would look - like this: - </p> - </p> - - <pre> -# virsh edit &lt;domain&gt; -&lt;domain&gt; - ... - &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt; - &lt;memtune&gt; - &lt;hard_limit unit='KiB'&gt;4456448&lt;/hard_limit&gt; - &lt;/memtune&gt; - ... -&lt;/domain&gt;</pre> - <p> - There's another, preferred method of taking care of the limits by - using the<code>&lt;memoryBacking&gt;</code> element along with the - <code>&lt;locked/&gt;</code> subelement: - </p> - - <pre> -&lt;domain&gt; - ... - &lt;memoryBacking&gt; - &lt;locked/&gt; - &lt;/memoryBacking&gt; - ... -&lt;/domain&gt;</pre> - - <p> - What that does is that it tells libvirt not to force any hard limit (well, - unlimited) upon the VM cgroup. The obvious advantage is that one doesn't need - to determine the hard limit for every single SEV-enabled VM. However, there is - a significant security-related drawback to this approach. Since no hard limit - is applied, a malicious QEMU could perform a DoS attack by locking all of the - host's available memory. The way to avoid this issue and to protect the host is - to enforce a bigger hard limit on the master cgroup containing all of the VMs - - on systemd this is <code>machine.slice</code>. - </p> - - <pre> -# systemctl set-property machine.slice MemoryHigh=&lt;value&gt;</pre> - - <p> - To put even stricter measures in place which would involve the OOM killer, use - <pre> -# systemctl set-property machine.slice MemoryMax=&lt;value&gt;</pre> - instead. Alternatively, you can create a systemd config (don't forget - to reload systemd configuration in this case): - <pre> -# cat &lt;&lt; EOF &gt; /etc/systemd/system.control/machine.slice.d/90-MemoryMax.conf -MemoryMax=&lt;value&gt; -EOF</pre> - The trade-off to keep in mind with the second approach is that the VMs - can still perform DoS on each other. - </p> - - <h3><a id="Virtio">Virtio</a></h3> - <p> - In order to make virtio devices work, we need to enable emulated IOMMU - on the devices so that virtual DMA can work. - </p> - - <pre> -# virsh edit &lt;domain&gt; -&lt;domain&gt; - ... - &lt;controller type='virtio-serial' index='0'&gt; - &lt;driver iommu='on'/&gt; - &lt;/controller&gt; - &lt;controller type='scsi' index='0' model='virtio-scsi'&gt; - &lt;driver iommu='on'/&gt; - &lt;/controller&gt; - ... - &lt;memballoon model='virtio'&gt; - &lt;driver iommu='on'/&gt; - &lt;/memballoon&gt; - &lt;rng model='virtio'&gt; - &lt;backend model='random'&gt;/dev/urandom&lt;/backend&gt; - &lt;driver iommu='on'/&gt; - &lt;/rng&gt; - ... -&lt;domain&gt;</pre> - - <p> - If you for some reason want to use the legacy PC machine type, further changes - to the virtio - configuration is required, because SEV will not work with Virtio &lt;1.0. In - libvirt, this is handled by using the virtio-non-transitional device model - (libvirt &gt;= 5.2.0 required). - - <p> - Note: some devices like video devices don't - support non-transitional model, which means that virtio GPU cannot be used. - </p> - </p> - - <pre> -&lt;domain&gt; - ... - &lt;devices&gt; - ... - &lt;memballoon model='virtio-non-transitional'&gt; - &lt;driver iommu='on'/&gt; - &lt;/memballoon&gt; - &lt;/devices&gt; - ... -&lt;/domain&gt;</pre> - - <h2><a id="Guest">Checking SEV from within the guest</a></h2> - <p> - After making the necessary adjustments discussed in - <a href="#Configuration">Configuration</a>, the VM should now boot - successfully with SEV enabled. You can then verify that the guest has - SEV enabled by running: - </p> - - <pre> -# dmesg | grep -i sev -AMD Secure Encrypted Virtualization (SEV) active</pre> - - <h2><a id="Limitations">Limitations</a></h2> - <p> - Currently, the boot disk cannot be of type virtio-blk, instead, virtio-scsi - needs to be used if virtio is desired. This limitation is expected to be lifted - with future releases of kernel (the kernel used at the time of writing the - article is 5.0.14). - If you still cannot start an SEV VM, it could be because of wrong SELinux label on the <code>/dev/sev</code> device with selinux-policy &lt;3.14.2.40 which prevents QEMU from touching the device. This can be resolved by upgrading the package, tuning the selinux policy rules manually to allow svirt_t to access the device (see <code>audit2allow</code> on how to do that) or putting SELinux into permissive mode (discouraged). - </p> - - <h2><a id="Examples">Full domain XML examples</a></h2> - - <h5>Q35 machine</h5> - <pre> -&lt;domain type='kvm'&gt; - &lt;name&gt;sev-dummy&lt;/name&gt; - &lt;memory unit='KiB'&gt;4194304&lt;/memory&gt; - &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt; - &lt;memoryBacking&gt; - &lt;locked/&gt; - &lt;/memoryBacking&gt; - &lt;vcpu placement='static'&gt;4&lt;/vcpu&gt; - &lt;os&gt; - &lt;type arch='x86_64' machine='pc-q35-3.0'&gt;hvm&lt;/type&gt; - &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt; - &lt;nvram&gt;/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd&lt;/nvram&gt; - &lt;/os&gt; - &lt;features&gt; - &lt;acpi/&gt; - &lt;apic/&gt; - &lt;vmport state='off'/&gt; - &lt;/features&gt; - &lt;cpu mode='host-model' check='partial'&gt; - &lt;model fallback='allow'/&gt; - &lt;/cpu&gt; - &lt;clock offset='utc'&gt; - &lt;timer name='rtc' tickpolicy='catchup'/&gt; - &lt;timer name='pit' tickpolicy='delay'/&gt; - &lt;timer name='hpet' present='no'/&gt; - &lt;/clock&gt; - &lt;on_poweroff&gt;destroy&lt;/on_poweroff&gt; - &lt;on_reboot&gt;restart&lt;/on_reboot&gt; - &lt;on_crash&gt;destroy&lt;/on_crash&gt; - &lt;pm&gt; - &lt;suspend-to-mem enabled='no'/&gt; - &lt;suspend-to-disk enabled='no'/&gt; - &lt;/pm&gt; - &lt;devices&gt; - &lt;emulator&gt;/usr/bin/qemu-kvm&lt;/emulator&gt; - &lt;disk type='file' device='disk'&gt; - &lt;driver name='qemu' type='qcow2'/&gt; - &lt;source file='/var/lib/libvirt/images/sev-dummy.qcow2'/&gt; - &lt;target dev='sda' bus='scsi'/&gt; - &lt;boot order='1'/&gt; - &lt;/disk&gt; - &lt;controller type='virtio-serial' index='0'&gt; - &lt;driver iommu='on'/&gt; - &lt;/controller&gt; - &lt;controller type='scsi' index='0' model='virtio-scsi'&gt; - &lt;driver iommu='on'/&gt; - &lt;/controller&gt; - &lt;interface type='network'&gt; - &lt;mac address='52:54:00:cc:56:90'/&gt; - &lt;source network='default'/&gt; - &lt;model type='virtio'/&gt; - &lt;driver iommu='on'/&gt; - &lt;/interface&gt; - &lt;graphics type='spice' autoport='yes'&gt; - &lt;listen type='address'/&gt; - &lt;gl enable='no'/&gt; - &lt;/graphics&gt; - &lt;video&gt; - &lt;model type='qxl'/&gt; - &lt;/video&gt; - &lt;memballoon model='virtio'&gt; - &lt;driver iommu='on'/&gt; - &lt;/memballoon&gt; - &lt;rng model='virtio'&gt; - &lt;driver iommu='on'/&gt; - &lt;/rng&gt; - &lt;/devices&gt; - &lt;launchSecurity type='sev'&gt; - &lt;cbitpos&gt;47&lt;/cbitpos&gt; - &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt; - &lt;policy&gt;0x0003&lt;/policy&gt; - &lt;/launchSecurity&gt; -&lt;/domain&gt;</pre> - - <h5>PC-i440fx machine:</h5> - <pre> -&lt;domain type='kvm'&gt; - &lt;name&gt;sev-dummy-legacy&lt;/name&gt; - &lt;memory unit='KiB'&gt;4194304&lt;/memory&gt; - &lt;currentMemory unit='KiB'&gt;4194304&lt;/currentMemory&gt; - &lt;memtune&gt; - &lt;hard_limit unit='KiB'&gt;5242880&lt;/hard_limit&gt; - &lt;/memtune&gt; - &lt;vcpu placement='static'&gt;4&lt;/vcpu&gt; - &lt;os&gt; - &lt;type arch='x86_64' machine='pc-i440fx-3.0'&gt;hvm&lt;/type&gt; - &lt;loader readonly='yes' type='pflash'&gt;/usr/share/edk2/ovmf/OVMF_CODE.fd&lt;/loader&gt; - &lt;nvram&gt;/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd&lt;/nvram&gt; - &lt;boot dev='hd'/&gt; - &lt;/os&gt; - &lt;features&gt; - &lt;acpi/&gt; - &lt;apic/&gt; - &lt;vmport state='off'/&gt; - &lt;/features&gt; - &lt;cpu mode='host-model' check='partial'&gt; - &lt;model fallback='allow'/&gt; - &lt;/cpu&gt; - &lt;clock offset='utc'&gt; - &lt;timer name='rtc' tickpolicy='catchup'/&gt; - &lt;timer name='pit' tickpolicy='delay'/&gt; - &lt;timer name='hpet' present='no'/&gt; - &lt;/clock&gt; - &lt;on_poweroff&gt;destroy&lt;/on_poweroff&gt; - &lt;on_reboot&gt;restart&lt;/on_reboot&gt; - &lt;on_crash&gt;destroy&lt;/on_crash&gt; - &lt;pm&gt; - &lt;suspend-to-mem enabled='no'/&gt; - &lt;suspend-to-disk enabled='no'/&gt; - &lt;/pm&gt; - &lt;devices&gt; - &lt;emulator&gt;/usr/bin/qemu-kvm&lt;/emulator&gt; - &lt;disk type='file' device='disk'&gt; - &lt;driver name='qemu' type='qcow2'/&gt; - &lt;source file='/var/lib/libvirt/images/sev-dummy-seabios.qcow2'/&gt; - &lt;target dev='sda' bus='sata'/&gt; - &lt;/disk&gt; - &lt;interface type='network'&gt; - &lt;mac address='52:54:00:d8:96:c8'/&gt; - &lt;source network='default'/&gt; - &lt;model type='virtio-non-transitional'/&gt; - &lt;/interface&gt; - &lt;serial type='pty'&gt; - &lt;target type='isa-serial' port='0'&gt; - &lt;model name='isa-serial'/&gt; - &lt;/target&gt; - &lt;/serial&gt; - &lt;console type='pty'&gt; - &lt;target type='serial' port='0'/&gt; - &lt;/console&gt; - &lt;input type='tablet' bus='usb'&gt; - &lt;address type='usb' bus='0' port='1'/&gt; - &lt;/input&gt; - &lt;input type='mouse' bus='ps2'/&gt; - &lt;input type='keyboard' bus='ps2'/&gt; - &lt;graphics type='spice' autoport='yes'&gt; - &lt;listen type='address'/&gt; - &lt;gl enable='no'/&gt; - &lt;/graphics&gt; - &lt;video&gt; - &lt;model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/&gt; - &lt;/video&gt; - &lt;memballoon model='virtio-non-transitional'&gt; - &lt;driver iommu='on'/&gt; - &lt;/memballoon&gt; - &lt;rng model='virtio-non-transitional'&gt; - &lt;driver iommu='on'/&gt; - &lt;/rng&gt; - &lt;/devices&gt; - &lt;launchSecurity type='sev'&gt; - &lt;cbitpos&gt;47&lt;/cbitpos&gt; - &lt;reducedPhysBits&gt;1&lt;/reducedPhysBits&gt; - &lt;policy&gt;0x0003&lt;/policy&gt; - &lt;/launchSecurity&gt; -&lt;/domain&gt;</pre> - </body> -</html> diff --git a/docs/kbase/launch_security_sev.rst b/docs/kbase/launch_security_sev.rst new file mode 100644 index 0000000000..4387ae64b0 --- /dev/null +++ b/docs/kbase/launch_security_sev.rst @@ -0,0 +1,529 @@ +============================ +Launch security with AMD SEV +============================ + +.. contents:: + +Storage encryption in modern public cloud computing is a common +practice. However, from the point of view of a user of these cloud +workloads, a significant amount of trust needs to be put in the cloud +platform security as well as integrity (was the hypervisor tampered?). +For this reason there's ever rising demand for securing data in use, +i.e. memory encryption. One of the solutions addressing this matter is +AMD SEV. + +AMD SEV +======= + +SEV (Secure Encrypted Virtualization) is a feature extension of AMD's +SME (Secure Memory Encryption) intended for KVM virtual machines which +is supported primarily on AMD's EPYC CPU line. In contrast to SME, SEV +uses a unique memory encryption key for each VM. The whole encryption of +memory pages is completely transparent to the hypervisor and happens +inside dedicated hardware in the on-die memory controller. Each +controller includes a high-performance Advanced Encryption Standard +(AES) engine that encrypts data when it is written to DRAM and decrypts +it when read. For more details about the technology itself, you can +visit `AMD's developer portal <https://developer.amd.com/sev/>`__. + +Enabling SEV on the host +======================== + +Before VMs can make use of the SEV feature you need to make sure your +AMD CPU does support SEV. You can check whether SEV is among the CPU +flags with: + +:: + + $ cat /proc/cpuinfo | grep sev + ... + sme ssbd sev ibpb + +Next step is to enable SEV in the kernel, because it is disabled by +default. This is done by putting the following onto the kernel command +line: + +:: + + mem_encrypt=on kvm_amd.sev=1 + +To make the changes persistent, append the above to the variable holding +parameters of the kernel command line in ``/etc/default/grub`` to +preserve SEV settings across reboots + +:: + + $ cat /etc/default/grub + ... + GRUB_CMDLINE_LINUX="... mem_encrypt=on kvm_amd.sev=1" + $ grub2-mkconfig -o /boot/efi/EFI/<distro>/grub.cfg + +``mem_encrypt=on`` turns on the SME memory encryption feature on the +host which protects against the physical attack on the hypervisor +memory. The ``kvm_amd.sev`` parameter actually enables SEV in the kvm +module. It can be set on the command line alongside ``mem_encrypt`` like +shown above, or it can be put into a module config under +``/etc/modprobe.d/`` + +:: + + $ cat /etc/modprobe.d/sev.conf + options kvm_amd sev=1 + +After rebooting the host, you should see SEV being enabled in the +kernel: + +:: + + $ cat /sys/module/kvm_amd/parameters/sev + 1 + + +Checking SEV support in the virt stack +====================================== + +**Note: All of the commands bellow need to be run with root +privileges.** + +First make sure you have the following packages in the specified +versions: + +- libvirt >= 4.5.0 (>5.1.0 recommended due to additional SEV bugfixes) +- QEMU >= 2.12.0 + +To confirm that the virtualization stack supports SEV, run the +following: + +:: + + # virsh domcapabilities + <domainCapabilities> + ... + <features> + ... + <sev supported='yes'> + <cbitpos>47</cbitpos> + <reducedPhysBits>1</reducedPhysBits> + </sev> + ... + </features> + </domainCapabilities> + +Note that if libvirt was already installed and libvirtd running before +enabling SEV in the kernel followed by the host reboot you need to force +libvirtd to re-probe both the host and QEMU capabilities. First stop +libvirtd: + +:: + + # systemctl stop libvirtd.service + +Now you need to clean the capabilities cache: + +:: + + # rm -f /var/cache/libvirt/qemu/capabilities/* + +If you now restart libvirtd, it will re-probe the capabilities and if +you now run: + +:: + + # virsh domcapabilities + +SEV should be listed as supported. If you still see: + +:: + + <sev supported='no'/> + +it means one of two things: + +#. libvirt does support SEV, but either QEMU or the host does not +#. you have libvirt <=5.1.0 which suffered from getting a + ``'Permission denied'`` on ``/dev/sev`` because of the default + permissions on the character device which prevented QEMU from opening + it during capabilities probing - you can either manually tweak the + permissions so that QEMU has access to it or preferably install + libvirt 5.1.0 or higher + +VM Configuration +================ + +SEV is enabled in the XML by specifying the +`<launchSecurity> <https://libvirt.org/formatdomain.html#launchSecurity>`__ +element. However, specifying ``launchSecurity`` isn't enough to boot an +SEV VM. Further configuration requirements are discussed below. + +Machine type +------------ + +Even though both Q35 and legacy PC machine types (for PC see also +"virtio") can be used with SEV, usage of the legacy PC machine type is +strongly discouraged, since depending on how your OVMF package was built +(e.g. including features like SecureBoot or SMM) Q35 may even be +required. + +Q35 +~~~ + +:: + + ... + <os> + <type arch='x86_64' machine='pc-q35-3.0'>hvm</type> + ... + </os> + ... + +i440fx (discouraged) +~~~~~~~~~~~~~~~~~~~~ + +:: + + ... + <os> + <type arch='x86_64' machine='pc-i440fx-3.0'>hvm</type> + ... + </os> + ... + +Boot loader +----------- + +SEV is only going to work with OVMF (UEFI), so you'll need to point +libvirt to the correct OVMF binary. + +:: + + ... + <os> + <type arch='x86_64' machine='pc-q35-3.0'>hvm</type> + <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader> + </os> + ... + +Memory +------ + +Internally, SEV expects that the encrypted memory pages won't be swapped +out or move around so the VM memory needs to be pinned in physical RAM +which will be handled by QEMU. Apart from that, certain memory regions +allocated by QEMU itself (UEFI pflash, device ROMs, video RAM, etc.) +have to be encrypted as well. This causes a conflict in how libvirt +tries to protect the host. By default, libvirt enforces a memory hard +limit on each VM's cgroup in order to protect the host from malicious +QEMU to allocate and lock all the available memory. This limit +corresponds to the total memory allocation for the VM given by +``<currentMemory>`` element. However, trying to account for the +additional memory regions QEMU allocates when calculating the limit in +an automated manner is non-deterministic. One way to resolve this is to +set the hard limit manually. + +Note: Figuring out the right number so that your guest boots and isn't +killed is challenging, but 256MiB extra memory over the total guest RAM +should suffice for most workloads and may serve as a good starting +point. For example, a domain with 4GB memory with a 256MiB extra hard +limit would look like this: + +:: + + # virsh edit <domain> + <domain> + ... + <currentMemory unit='KiB'>4194304</currentMemory> + <memtune> + <hard_limit unit='KiB'>4456448</hard_limit> + </memtune> + ... + </domain> + +There's another, preferred method of taking care of the limits by using +the\ ``<memoryBacking>`` element along with the ``<locked/>`` +subelement: + +:: + + <domain> + ... + <memoryBacking> + <locked/> + </memoryBacking> + ... + </domain> + +What that does is that it tells libvirt not to force any hard limit +(well, unlimited) upon the VM cgroup. The obvious advantage is that one +doesn't need to determine the hard limit for every single SEV-enabled +VM. However, there is a significant security-related drawback to this +approach. Since no hard limit is applied, a malicious QEMU could perform +a DoS attack by locking all of the host's available memory. The way to +avoid this issue and to protect the host is to enforce a bigger hard +limit on the master cgroup containing all of the VMs - on systemd this +is ``machine.slice``. + +:: + + # systemctl set-property machine.slice MemoryHigh=<value> + +To put even stricter measures in place which would involve the OOM +killer, use + +:: + + # systemctl set-property machine.slice MemoryMax=<value> + +instead. Alternatively, you can create a systemd config (don't forget to +reload systemd configuration in this case): + +:: + + # cat << EOF > /etc/systemd/system.control/machine.slice.d/90-MemoryMax.conf + MemoryMax=<value> + EOF + +The trade-off to keep in mind with the second approach is that the VMs +can still perform DoS on each other. + +Virtio +------ + +In order to make virtio devices work, we need to enable emulated IOMMU +on the devices so that virtual DMA can work. + +:: + + # virsh edit <domain> + <domain> + ... + <controller type='virtio-serial' index='0'> + <driver iommu='on'/> + </controller> + <controller type='scsi' index='0' model='virtio-scsi'> + <driver iommu='on'/> + </controller> + ... + <memballoon model='virtio'> + <driver iommu='on'/> + </memballoon> + <rng model='virtio'> + <backend model='random'>/dev/urandom</backend> + <driver iommu='on'/> + </rng> + ... + <domain> + +If you for some reason want to use the legacy PC machine type, further +changes to the virtio configuration is required, because SEV will not +work with Virtio <1.0. In libvirt, this is handled by using the +virtio-non-transitional device model (libvirt >= 5.2.0 required). + +Note: some devices like video devices don't support non-transitional +model, which means that virtio GPU cannot be used. + +:: + + <domain> + ... + <devices> + ... + <memballoon model='virtio-non-transitional'> + <driver iommu='on'/> + </memballoon> + </devices> + ... + </domain> + +Checking SEV from within the guest +================================== + +After making the necessary adjustments discussed in +`Configuration <#Configuration>`__, the VM should now boot successfully +with SEV enabled. You can then verify that the guest has SEV enabled by +running: + +:: + + # dmesg | grep -i sev + AMD Secure Encrypted Virtualization (SEV) active + +Limitations +=========== + +Currently, the boot disk cannot be of type virtio-blk, instead, +virtio-scsi needs to be used if virtio is desired. This limitation is +expected to be lifted with future releases of kernel (the kernel used at +the time of writing the article is 5.0.14). If you still cannot start an +SEV VM, it could be because of wrong SELinux label on the ``/dev/sev`` +device with selinux-policy <3.14.2.40 which prevents QEMU from touching +the device. This can be resolved by upgrading the package, tuning the +selinux policy rules manually to allow svirt_t to access the device (see +``audit2allow`` on how to do that) or putting SELinux into permissive +mode (discouraged). + +Full domain XML examples +======================== + +Q35 machine +----------- + +:: + + <domain type='kvm'> + <name>sev-dummy</name> + <memory unit='KiB'>4194304</memory> + <currentMemory unit='KiB'>4194304</currentMemory> + <memoryBacking> + <locked/> + </memoryBacking> + <vcpu placement='static'>4</vcpu> + <os> + <type arch='x86_64' machine='pc-q35-3.0'>hvm</type> + <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader> + <nvram>/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd</nvram> + </os> + <features> + <acpi/> + <apic/> + <vmport state='off'/> + </features> + <cpu mode='host-model' check='partial'> + <model fallback='allow'/> + </cpu> + <clock offset='utc'> + <timer name='rtc' tickpolicy='catchup'/> + <timer name='pit' tickpolicy='delay'/> + <timer name='hpet' present='no'/> + </clock> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <pm> + <suspend-to-mem enabled='no'/> + <suspend-to-disk enabled='no'/> + </pm> + <devices> + <emulator>/usr/bin/qemu-kvm</emulator> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/var/lib/libvirt/images/sev-dummy.qcow2'/> + <target dev='sda' bus='scsi'/> + <boot order='1'/> + </disk> + <controller type='virtio-serial' index='0'> + <driver iommu='on'/> + </controller> + <controller type='scsi' index='0' model='virtio-scsi'> + <driver iommu='on'/> + </controller> + <interface type='network'> + <mac address='52:54:00:cc:56:90'/> + <source network='default'/> + <model type='virtio'/> + <driver iommu='on'/> + </interface> + <graphics type='spice' autoport='yes'> + <listen type='address'/> + <gl enable='no'/> + </graphics> + <video> + <model type='qxl'/> + </video> + <memballoon model='virtio'> + <driver iommu='on'/> + </memballoon> + <rng model='virtio'> + <driver iommu='on'/> + </rng> + </devices> + <launchSecurity type='sev'> + <cbitpos>47</cbitpos> + <reducedPhysBits>1</reducedPhysBits> + <policy>0x0003</policy> + </launchSecurity> + </domain> + +PC-i440fx machine +----------------- + +:: + + <domain type='kvm'> + <name>sev-dummy-legacy</name> + <memory unit='KiB'>4194304</memory> + <currentMemory unit='KiB'>4194304</currentMemory> + <memtune> + <hard_limit unit='KiB'>5242880</hard_limit> + </memtune> + <vcpu placement='static'>4</vcpu> + <os> + <type arch='x86_64' machine='pc-i440fx-3.0'>hvm</type> + <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader> + <nvram>/var/lib/libvirt/qemu/nvram/sev-dummy_VARS.fd</nvram> + <boot dev='hd'/> + </os> + <features> + <acpi/> + <apic/> + <vmport state='off'/> + </features> + <cpu mode='host-model' check='partial'> + <model fallback='allow'/> + </cpu> + <clock offset='utc'> + <timer name='rtc' tickpolicy='catchup'/> + <timer name='pit' tickpolicy='delay'/> + <timer name='hpet' present='no'/> + </clock> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <pm> + <suspend-to-mem enabled='no'/> + <suspend-to-disk enabled='no'/> + </pm> + <devices> + <emulator>/usr/bin/qemu-kvm</emulator> + <disk type='file' device='disk'> + <driver name='qemu' type='qcow2'/> + <source file='/var/lib/libvirt/images/sev-dummy-seabios.qcow2'/> + <target dev='sda' bus='sata'/> + </disk> + <interface type='network'> + <mac address='52:54:00:d8:96:c8'/> + <source network='default'/> + <model type='virtio-non-transitional'/> + </interface> + <serial type='pty'> + <target type='isa-serial' port='0'> + <model name='isa-serial'/> + </target> + </serial> + <console type='pty'> + <target type='serial' port='0'/> + </console> + <input type='tablet' bus='usb'> + <address type='usb' bus='0' port='1'/> + </input> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <graphics type='spice' autoport='yes'> + <listen type='address'/> + <gl enable='no'/> + </graphics> + <video> + <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/> + </video> + <memballoon model='virtio-non-transitional'> + <driver iommu='on'/> + </memballoon> + <rng model='virtio-non-transitional'> + <driver iommu='on'/> + </rng> + </devices> + <launchSecurity type='sev'> + <cbitpos>47</cbitpos> + <reducedPhysBits>1</reducedPhysBits> + <policy>0x0003</policy> + </launchSecurity> + </domain> -- 2.23.0

This is a semi-automated conversion. The first conversion is done using "pandoc -f html -t rst". The result is then editted manually to apply the desired heading markup, and fix a few things that pandoc gets wrong. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/kbase/locking.html.in | 48 -------------------------------------- docs/kbase/locking.rst | 33 ++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 48 deletions(-) delete mode 100644 docs/kbase/locking.html.in create mode 100644 docs/kbase/locking.rst diff --git a/docs/kbase/locking.html.in b/docs/kbase/locking.html.in deleted file mode 100644 index 4532dbddf9..0000000000 --- a/docs/kbase/locking.html.in +++ /dev/null @@ -1,48 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1>Virtual machine lock manager</h1> - - <ul id="toc"></ul> - - <p> - Libvirt includes a framework for ensuring mutual exclusion - between virtual machines using host resources. Typically - this is used to prevent two VM processes from having concurrent - write access to the same disk image, as this would result in - data corruption if the guest was not using a cluster - aware filesystem. - </p> - - <h2><a id="plugins">Lock manager plugins</a></h2> - - <p> - The lock manager framework has a pluggable architecture, - to allow different locking technologies to be used. - </p> - - <dl> - <dt><code>nop</code></dt> - <dd>This is a "no op" implementation which does absolutely - nothing. This can be used if mutual exclusion between - virtual machines is not required, or if it is being - solved at another level in the management stack.</dd> - <dt><code><a href="locking-lockd.html">lockd</a></code></dt> - <dd>This is the current preferred implementation shipped - with libvirt. It uses the <code>virtlockd</code> daemon - to manage locks using the POSIX fcntl() advisory locking - capability. As such it requires a shared filesystem of - some kind be accessible to all hosts which share the - same image storage.</dd> - <dt><code><a href="locking-sanlock.html">sanlock</a></code></dt> - <dd>This is an alternative implementation preferred by - the oVirt project. It uses a disk paxos algorithm for - maintaining continuously renewed leases. In the default - setup it requires some shared filesystem, but it is - possible to use it in a manual mode where the management - application creates leases in SAN storage volumes. - </dd> - </dl> - </body> -</html> diff --git a/docs/kbase/locking.rst b/docs/kbase/locking.rst new file mode 100644 index 0000000000..c0d5e39b2d --- /dev/null +++ b/docs/kbase/locking.rst @@ -0,0 +1,33 @@ +============================ +Virtual machine lock manager +============================ + +Libvirt includes a framework for ensuring mutual exclusion between +virtual machines using host resources. Typically this is used to prevent +two VM processes from having concurrent write access to the same disk +image, as this would result in data corruption if the guest was not +using a cluster aware filesystem. + +Lock manager plugins +==================== + +The lock manager framework has a pluggable architecture, to allow +different locking technologies to be used. + +nop + This is a "no op" implementation which does absolutely nothing. This + can be used if mutual exclusion between virtual machines is not + required, or if it is being solved at another level in the management + stack. +`lockd <locking-lockd.html>`__ + This is the current preferred implementation shipped with libvirt. It + uses the ``virtlockd`` daemon to manage locks using the POSIX fcntl() + advisory locking capability. As such it requires a shared filesystem + of some kind be accessible to all hosts which share the same image + storage. +`sanlock <locking-sanlock.html>`__ + This is an alternative implementation preferred by the oVirt project. + It uses a disk paxos algorithm for maintaining continuously renewed + leases. In the default setup it requires some shared filesystem, but + it is possible to use it in a manual mode where the management + application creates leases in SAN storage volumes. -- 2.23.0

This is a semi-automated conversion. The first conversion is done using "pandoc -f html -t rst". The result is then editted manually to apply the desired heading markup, and fix a few things that pandoc gets wrong. Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/kbase/locking-sanlock.html.in | 247 ----------------------------- docs/kbase/locking-sanlock.rst | 193 ++++++++++++++++++++++ 2 files changed, 193 insertions(+), 247 deletions(-) delete mode 100644 docs/kbase/locking-sanlock.html.in create mode 100644 docs/kbase/locking-sanlock.rst diff --git a/docs/kbase/locking-sanlock.html.in b/docs/kbase/locking-sanlock.html.in deleted file mode 100644 index 3ee9849e87..0000000000 --- a/docs/kbase/locking-sanlock.html.in +++ /dev/null @@ -1,247 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1>Virtual machine lock manager, sanlock plugin</h1> - - <ul id="toc"></ul> - - <p> - This page describes use of the - <a href="https://fedorahosted.org/sanlock/">sanlock</a> - service as a <a href="locking.html">lock driver</a> - plugin for virtual machine disk mutual exclusion. - </p> - - <h2><a id="sanlock">Sanlock daemon setup</a></h2> - - <p> - On many operating systems, the <strong>sanlock</strong> plugin - is distributed in a sub-package which needs to be installed - separately from the main libvirt RPM. On a Fedora/RHEL host - this can be done with the <code>yum</code> command - </p> - - <pre> -$ su - root -# yum install libvirt-lock-sanlock - </pre> - - <p> - The next step is to start the sanlock daemon. For maximum - safety sanlock prefers to have a connection to a watchdog - daemon. This will cause the entire host to be rebooted in - the event that sanlock crashes / terminates abnormally. - To start the watchdog daemon on a Fedora/RHEL host - the following commands can be run: - </p> - - <pre> -$ su - root -# chkconfig wdmd on -# service wdmd start - </pre> - - <p> - Once the watchdog is running, sanlock can be started - as follows - </p> - - <pre> -# chkconfig sanlock on -# service sanlock start - </pre> - - <p> - <em>Note:</em> if you wish to avoid the use of the - watchdog, add the following line to <code>/etc/sysconfig/sanlock</code> - before starting it - </p> - - <pre> -SANLOCKOPTS="-w 0" - </pre> - - <p> - The sanlock daemon must be started on every single host - that will be running virtual machines. So repeat these - steps as necessary. - </p> - - <h2><a id="sanlockplugin">libvirt sanlock plugin configuration</a></h2> - - <p> - Once the sanlock daemon is running, the next step is to - configure the libvirt sanlock plugin. There is a separate - configuration file for each libvirt driver that is using - sanlock. For QEMU, we will edit <code>/etc/libvirt/qemu-sanlock.conf</code> - There is one mandatory parameter that needs to be set, - the <code>host_id</code>. This is an integer between - 1 and 2000, which must be set to a <strong>unique</strong> - value on each host running virtual machines. - </p> - - <pre> -$ su - root -# augtool -s set /files/etc/libvirt/qemu-sanlock.conf/host_id 1 - </pre> - - <p> - Repeat this on every host, changing <strong>1</strong> to a - unique value for the host. - </p> - - <h2><a id="sanlockstorage">libvirt sanlock storage configuration</a></h2> - - <p> - The sanlock plugin needs to create leases in a directory - that is on a filesystem shared between all hosts running - virtual machines. Obvious choices for this include NFS - or GFS2. The libvirt sanlock plugin expects its lease - directory be at <code>/var/lib/libvirt/sanlock</code> - so update the host's <code>/etc/fstab</code> to mount - a suitable shared/cluster filesystem at that location - </p> - - <pre> -$ su - root -# echo "some.nfs.server:/export/sanlock /var/lib/libvirt/sanlock nfs hard,nointr 0 0" >> /etc/fstab -# mount /var/lib/libvirt/sanlock - </pre> - - <p> - If your sanlock daemon happen to run under non-root - privileges, you need to tell this to libvirt so it - chowns created files correctly. This can be done by - setting <code>user</code> and/or <code>group</code> - variables in the configuration file. Accepted values - range is specified in description to the same - variables in <code>/etc/libvirt/qemu.conf</code>. For - example: - </p> - - <pre> -augtool -s set /files/etc/libvirt/qemu-sanlock.conf/user sanlock -augtool -s set /files/etc/libvirt/qemu-sanlock.conf/group sanlock - </pre> - - <p> - But remember, that if this is NFS share, you need a - no_root_squash-ed one for chown (and chmod possibly) - to succeed. - </p> - - <p> - In terms of storage requirements, if the filesystem - uses 512 byte sectors, you need to allow for <code>1MB</code> - of storage for each guest disk. So if you have a network - with 20 virtualization hosts, each running 50 virtual - machines and an average of 2 disks per guest, you will - need <code>20*50*2 == 2000 MB</code> of storage for - sanlock. - </p> - - - <p> - On one of the hosts on the network is it wise to setup - a cron job which runs the <code>virt-sanlock-cleanup</code> - script periodically. This scripts deletes any lease - files which are not currently in use by running virtual - machines, freeing up disk space on the shared filesystem. - Unless VM disks are very frequently created + deleted - it should be sufficient to run the cleanup once a week. - </p> - - <h2><a id="qemuconfig">QEMU/KVM driver configuration</a></h2> - - <p> - The QEMU/KVM driver is fully integrated with the lock - manager framework as of release <span>0.9.3</span>. - The out of the box configuration, however, currently - uses the <strong>nop</strong> lock manager plugin. - To get protection for disks, it is thus necessary - to reconfigure QEMU to activate the <strong>sanlock</strong> - driver. This is achieved by editing the QEMU driver - configuration file (<code>/etc/libvirt/qemu.conf</code>) - and changing the <code>lock_manager</code> configuration - tunable. - </p> - - <pre> -$ su - root -# augtool -s set /files/etc/libvirt/qemu.conf/lock_manager sanlock -# service libvirtd restart - </pre> - - <p> - If all went well, libvirtd will have talked to sanlock - and created the basic lockspace. This can be checked - by looking for existence of the following file - </p> - - <pre> -# ls /var/lib/libvirt/sanlock/ -__LIBVIRT__DISKS__ - </pre> - - <p> - Every time you start a guest, additional lease files will appear - in this directory, one for each virtual disk. The lease - files are named based on the MD5 checksum of the fully qualified - path of the virtual disk backing file. So if the guest is given - a disk backed by <code>/var/lib/libvirt/images/demo.img</code> - expect to see a lease <code>/var/lib/libvirt/sanlock/bfa0240911bc17753e0b473688822159</code> - </p> - - <p> - It should be obvious that for locking to work correctly, every - host running virtual machines should have storage configured - in the same way. The easiest way to do this is to use the libvirt - storage pool capability to configure any NFS volumes, iSCSI targets, - or SCSI HBAs used for guest storage. Simply replicate the same - storage pool XML across every host. It is important that any - storage pools exposing block devices are configured to create - volume paths under <code>/dev/disks/by-path</code> to ensure - stable paths across hosts. An example iSCSI configuration - which ensures this is: - </p> - - <pre> -&lt;pool type='iscsi'&gt; - &lt;name&gt;myiscsipool&lt;/name&gt; - &lt;source&gt; - &lt;host name='192.168.254.8'/&gt; - &lt;device path='your-iscsi-target-iqn'/&gt; - &lt;/source&gt; - &lt;target&gt; - &lt;path&gt;/dev/disk/by-path&lt;/path&gt; - &lt;/target&gt; -&lt;/pool&gt; - </pre> - - <h2><a id="domainconfig">Domain configuration</a></h2> - - <p> - In case sanlock loses access to disk locks for some reason, it will - kill all domains that lost their locks. This default behavior may - be changed using - <a href="formatdomain.html#elementsEvents">on_lockfailure - element</a> in domain XML. When this element is present, sanlock - will call <code>sanlock_helper</code> (provided by libvirt) with - the specified action. This helper binary will connect to libvirtd - and thus it may need to authenticate if libvirtd was configured to - require that on the read-write UNIX socket. To provide the - appropriate credentials to sanlock_helper, a - <a href="auth.html#Auth_client_config">client authentication - file</a> needs to contain something like the following: - </p> - <pre> -[auth-libvirt-localhost] -credentials=sanlock - -[credentials-sanlock] -authname=login -password=password - </pre> - </body> -</html> diff --git a/docs/kbase/locking-sanlock.rst b/docs/kbase/locking-sanlock.rst new file mode 100644 index 0000000000..fece9df80e --- /dev/null +++ b/docs/kbase/locking-sanlock.rst @@ -0,0 +1,193 @@ +============================================ +Virtual machine lock manager, sanlock plugin +============================================ + +.. contents:: + +This page describes use of the +`sanlock <https://fedorahosted.org/sanlock/>`__ service as a `lock +driver <locking.html>`__ plugin for virtual machine disk mutual +exclusion. + +Sanlock daemon setup +==================== + +On many operating systems, the **sanlock** plugin is distributed in a +sub-package which needs to be installed separately from the main libvirt +RPM. On a Fedora/RHEL host this can be done with the ``yum`` command + +:: + + $ su - root + # yum install libvirt-lock-sanlock + +The next step is to start the sanlock daemon. For maximum safety sanlock +prefers to have a connection to a watchdog daemon. This will cause the +entire host to be rebooted in the event that sanlock crashes / +terminates abnormally. To start the watchdog daemon on a Fedora/RHEL +host the following commands can be run: + +:: + + $ su - root + # chkconfig wdmd on + # service wdmd start + +Once the watchdog is running, sanlock can be started as follows + +:: + + # chkconfig sanlock on + # service sanlock start + +*Note:* if you wish to avoid the use of the watchdog, add the following +line to ``/etc/sysconfig/sanlock`` before starting it + +:: + + SANLOCKOPTS="-w 0" + +The sanlock daemon must be started on every single host that will be +running virtual machines. So repeat these steps as necessary. + +libvirt sanlock plugin configuration +==================================== + +Once the sanlock daemon is running, the next step is to configure the +libvirt sanlock plugin. There is a separate configuration file for each +libvirt driver that is using sanlock. For QEMU, we will edit +``/etc/libvirt/qemu-sanlock.conf`` There is one mandatory parameter that +needs to be set, the ``host_id``. This is an integer between 1 and 2000, +which must be set to a **unique** value on each host running virtual +machines. + +:: + + $ su - root + # augtool -s set /files/etc/libvirt/qemu-sanlock.conf/host_id 1 + +Repeat this on every host, changing **1** to a unique value for the +host. + +libvirt sanlock storage configuration +===================================== + +The sanlock plugin needs to create leases in a directory that is on a +filesystem shared between all hosts running virtual machines. Obvious +choices for this include NFS or GFS2. The libvirt sanlock plugin expects +its lease directory be at ``/var/lib/libvirt/sanlock`` so update the +host's ``/etc/fstab`` to mount a suitable shared/cluster filesystem at +that location + +:: + + $ su - root + # echo "some.nfs.server:/export/sanlock /var/lib/libvirt/sanlock nfs hard,nointr 0 0" >> /etc/fstab + # mount /var/lib/libvirt/sanlock + +If your sanlock daemon happen to run under non-root privileges, you need +to tell this to libvirt so it chowns created files correctly. This can +be done by setting ``user`` and/or ``group`` variables in the +configuration file. Accepted values range is specified in description to +the same variables in ``/etc/libvirt/qemu.conf``. For example: + +:: + + augtool -s set /files/etc/libvirt/qemu-sanlock.conf/user sanlock + augtool -s set /files/etc/libvirt/qemu-sanlock.conf/group sanlock + +But remember, that if this is NFS share, you need a no_root_squash-ed +one for chown (and chmod possibly) to succeed. + +In terms of storage requirements, if the filesystem uses 512 byte +sectors, you need to allow for ``1MB`` of storage for each guest disk. +So if you have a network with 20 virtualization hosts, each running 50 +virtual machines and an average of 2 disks per guest, you will need +``20*50*2 == 2000 MB`` of storage for sanlock. + +On one of the hosts on the network is it wise to setup a cron job which +runs the ``virt-sanlock-cleanup`` script periodically. This scripts +deletes any lease files which are not currently in use by running +virtual machines, freeing up disk space on the shared filesystem. Unless +VM disks are very frequently created + deleted it should be sufficient +to run the cleanup once a week. + +QEMU/KVM driver configuration +============================= + +The QEMU/KVM driver is fully integrated with the lock manager framework +as of release 0.9.3. The out of the box configuration, however, +currently uses the **nop** lock manager plugin. To get protection for +disks, it is thus necessary to reconfigure QEMU to activate the +**sanlock** driver. This is achieved by editing the QEMU driver +configuration file (``/etc/libvirt/qemu.conf``) and changing the +``lock_manager`` configuration tunable. + +:: + + $ su - root + # augtool -s set /files/etc/libvirt/qemu.conf/lock_manager sanlock + # service libvirtd restart + +If all went well, libvirtd will have talked to sanlock and created the +basic lockspace. This can be checked by looking for existence of the +following file + +:: + + # ls /var/lib/libvirt/sanlock/ + __LIBVIRT__DISKS__ + +Every time you start a guest, additional lease files will appear in this +directory, one for each virtual disk. The lease files are named based on +the MD5 checksum of the fully qualified path of the virtual disk backing +file. So if the guest is given a disk backed by +``/var/lib/libvirt/images/demo.img`` expect to see a lease +``/var/lib/libvirt/sanlock/bfa0240911bc17753e0b473688822159`` + +It should be obvious that for locking to work correctly, every host +running virtual machines should have storage configured in the same way. +The easiest way to do this is to use the libvirt storage pool capability +to configure any NFS volumes, iSCSI targets, or SCSI HBAs used for guest +storage. Simply replicate the same storage pool XML across every host. +It is important that any storage pools exposing block devices are +configured to create volume paths under ``/dev/disks/by-path`` to ensure +stable paths across hosts. An example iSCSI configuration which ensures +this is: + +:: + + <pool type='iscsi'> + <name>myiscsipool</name> + <source> + <host name='192.168.254.8'/> + <device path='your-iscsi-target-iqn'/> + </source> + <target> + <path>/dev/disk/by-path</path> + </target> + </pool> + +Domain configuration +==================== + +In case sanlock loses access to disk locks for some reason, it will kill +all domains that lost their locks. This default behavior may be changed +using `on_lockfailure element <formatdomain.html#elementsEvents>`__ in +domain XML. When this element is present, sanlock will call +``sanlock_helper`` (provided by libvirt) with the specified action. This +helper binary will connect to libvirtd and thus it may need to +authenticate if libvirtd was configured to require that on the +read-write UNIX socket. To provide the appropriate credentials to +sanlock_helper, a `client authentication +file <auth.html#Auth_client_config>`__ needs to contain something like +the following: + +:: + + [auth-libvirt-localhost] + credentials=sanlock + + [credentials-sanlock] + authname=login + password=password -- 2.23.0