December 2011 - Users - libvirt List Archives

Re: [libvirt-users] acceptable SASL mechanisms/can libvirt authenticate against PAM
by Josip Deanovic 14 Dec '11

14 Dec '11

On Wednesday 2011-12-14, Josip Deanovic wrote: > On Wednesday 2011-12-14, Dave Allan wrote: > > I was playing with SASL authentication a bit today and I wasn't able > > to get libvirt to authenticate against PAM (or anything else except > > the sasldb, although I didn't try Kerberos). Does anybody know off > > the top of their head what mechanisms/password check options work? > > I'm trying to figure out if I'm attempting the impossible. > > > > Dave > > Hi Dave, > > Here is my working configuration with sql backend. I am using postgres. > > mech_list: digest-md5 > pwcheck_method: auxprop > auxprop_plugin: sql > sql_engine: pgsql > sql_hostnames: localhost > sql_user: qemukvm > sql_passwd: secret > sql_database: qemukvmdb > sql_select: select password from qemuusers where username = '%u' > > > To make use of PAM as far as I know you will have to use saslauthd > method. > > And here is the list of relevant sasl options (I am not sure if it's up > to date): http://asyd.net/docs/cyrus-options.html Sorry, I was mistakenly referring to sasl authentication for vnc client with sasl support. However, this configuration might work with libvit with little or no modifications. However I never tried to authenticate to libvrit using sasl. -- Josip Deanovic

1 0

[libvirt-users] Why does libvirt use XML firewall rules?
by Hansa 14 Dec '11

14 Dec '11

Hi there, When creating a VM with a persistent virtual network, libvirt creates an XML file with firewall definitions and stores it in /etc/libvirt/<hypervisor>/networks/. The XML file is (to my knowledge) incompatible with iptables-restore. Therefore you cant manage your firewall with other iptables (GUI) tools unless libvirt lets you a) import extra rules, b) has an option to export the XML rules into iptables-save format or c) something else. If a) , b) or c) is possible then this discussion is of course useless and I would be pleased to know how its done :) If not, then lets get the discussion started. IMHO, saving rules into XML instead of using iptables-save is absurd since youll have to code stuff which is already coded. Also youll make it incompatible with the tools which are readily available. Why go for this approach and what do we get from it? Best regards, -Hansa

2 2

[libvirt-users] Libvirt filterref magic
by zz elle 14 Dec '11

14 Dec '11

Hi everyone, When i start a libvirt domain (on KVM) with network filtering (using filterref clean-traffic for example), the filter works ! But ... i don't understand how/why it works :( Indeed when i look at ebtables -L iptables-save & arptables-save (and KVM command), I see no filtering rules (which is surprising because clean-traffic requires at least ebtables to be installed). Is it normal ? Do i miss some xxtables administration command to see them ? What appends if i do a arptables-restore, iptables-restore after the vm startup ? Does it remove network filtering rules from xxtables ? No impact ? Thx by advance for your help ZZ, what is the magic behind my questioning ?

2 1

[libvirt-users] libvirt0.9.7.tar.gz installation cannot start libvirtd?
by 张光鹏 13 Dec '11

13 Dec '11

Hi： I have a host Redhat6.1 ，when i install os the libvirt0.8.7 were contained . Latter i installed libvirt0.9.3.tar.gz without uninstall the libvirt0.8.7, i just use the virsh functions. Now i want to install libvirt0.9.7.tar.gz , and i uninstall libvirt0.9.3 and uninstall libvirt0.8.7 with "rpm -e" , i also delete some files contains vesion number 0.8.7 or o.9.3. Today i install libvirt 0.9.7 , untar and install wit "./configure --prefix-/usr/local/libvirt --with-esx", then " make" "make install" ,and i make a link "ln -s /usr/local/libvirt/bin/virsh /usr/bin/virsh" , so i can use virsh . But i cannot start libvirtd ,when i use "service libvirtd start/status.." ,it returns "libvirtd:unrecognized service". I found a libvirtd file in /usr/sbin/. Could someone help to resolve the problem ? Thanks all Best regards --------------------------------------------------------------------------------------------------- Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s) is intended only for the use of the intended recipient and may be confidential and/or privileged of Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying is strictly prohibited, and may be unlawful.If you have received this communication in error,please immediately notify the sender by return e-mail, and delete the original message and all copies from your system. Thank you. ---------------------------------------------------------------------------------------------------

2 1

[libvirt-users] Temporary use of disk space when deploying KVM with qcow2?
by Jorge 13 Dec '11

13 Dec '11

Hello, I'm using libvirt to deploy a series of 7 KVM (in qcow2 format) sequentially. The base image of the qcow2 is an ubuntu server. The environment where i am doing this is a Live USB Ubuntu with a persistence file (so that changes made remain). So, my problem: * If the persistence file (i.e. free disk space in the live ubuntu) is up to around 1.5GB, the qemu process of launching the first one of the KVM gets stuck, and a few seconds later an Ubuntu message pops up saying there is no disk space left. * If the persistence file is a bit bigger (100 MB more), it can launch the 7 KVM machines without any disk space problems. This would suggest that during the deployment of one virtual machine, there is a short period of time where a big amount of disk space (similar to the size of the base image) is used (even if i am using qcow2 vms) and afterwards released, so it can be used to launch the second vm, released, used for the third, and so on. If this is correct, i would like to know who is using that space, since my intention would be to, if possible, redirect this temporary disk usage to a RAM filesystem such as tmpfs, so that i don't need such a huge persistence file in the USB. I'm aware that this might be related to qemu-kvm rather than to libvirt itself, but i can't find information about it and i would appreciate if anyone could point me in the right direction. More details or clarification can be provided if needed. Best regards, Jorge

1 0

[libvirt-users] Issues with nwfilter rules
by Kevin 10 Dec '11

10 Dec '11

Hi All, I have two kvm guests running with a bridged configuration bound separately to br0 and br1 on my Fedora 15 host. I'm attempting to create some nwfilter rules on br1 and am running into a bunch of problems that have me scratching my head. libvirt version: 0.8.8-7 What I've noticed on the second host is as follows: - Most all nwfilter rules that I create for the host on br1 don't work as I would expect. If I create a rule for TCP dest port 22 with direction set to 'in', I would expect I could connect to the host via SSH from another host, but I only see a SYN and not a full connection. If I set the direction to 'inout', SSH seems to work. - A nwfilter rule for UDP dest port 53 with direction set to 'out' or 'inout' doesn't allow lookups to an outside DNS server. - In the configuration of one VM, the source Virtual network device lists "Host device vnet0 (Bridge 'br0') and the other lists "Host device eth1 (Bridge 'br1')". I don't see anything different in the two hosts XML configuration files that describe the difference, but I'm concerned that the second VM on br1 is misconfigured. I notice a few iptables rules with "PHYSDEV match --physdev-in vnet1" listed in them, should these really read "PHYSDEV match --physdev-in br1" given the configuration virt-manager is reporting? I would appreciate any pointers. -Kevin

1 0

[libvirt-users] http://libvirt.org/archdomain.html - page is empty
by pitnvrsk＠rambler.ru 09 Dec '11

09 Dec '11

Hello. I have found in section Architecture -->Domain management architecture an empty page. http://libvirt.org/archdomain.html Respectfully, Peter.

2 1

[libvirt-users] FYI: SpecVirt results using libvirt + KVM
by Daniel P. Berrange 09 Dec '11

09 Dec '11

Some folks may be aware of the SpecVirt benchmark, where KVM is giving the competition something to worry about :-) http://www.spec.org/virt_sc2010/results/ >From the POV of libvirt uses though, there has been one annoyance with the previously submitted results though, in that they have been invoking the KVM command line directly. This has made it harder for people who are deploying KVM using libvirt to replicate the optimal configurations. I'm pleased to be able to point out that the latest result published for KVM by IBM has in fact been done using libvirt! You can clearly see how the guests are being configured with libvirt and the results demonstrate that using libvirt to manage KVM does not involve sacrificing any of the performance that KVM offers: http://www.spec.org/virt_sc2010/results/res2011q4/ This can only continue to get better as our communities work together to add more performance related features to both libvirt and KVM :-) Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

1 0

[libvirt-users] lxc capabilities
by Chris Haumesser 08 Dec '11

08 Dec '11

I'm experimenting with the libvirt lxc driver, and wondering if there is some way to control the capabilities assigned to the container processes. With lxc-tools, I can specify a configuration option, lxc.cap.drop, which causes the container processes to drop the specified privileges. My libvirt containers seem to run with cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin which is rather more permissive than I'd like. In particular, cap_sys_boot allows a container to reboot the host machine. I am running libvirt-0.9.2 from squeeze-backports on debian squeeze. Cheers, -C-

2 5

[libvirt-users] read-only rootfs for lxc containers
by Chris Haumesser 08 Dec '11

08 Dec '11

And speaking of running out of a shared read-only root, I get the following error when I attempt it: error: Failed to start domain hw error: internal error guest failed to start: PATH=/bin:/sbin TERM=linux LIBVIRT_LXC_UUID=38320e75-1ba0-d85a-6138-532a3a66f13d LIBVIRT_LXC_NAME=hw /bin/bash 2011-12-08 15:31:41.945: 1: info : libvirt version: 0.9.7 2011-12-08 15:31:41.945: 1: error : lxcContainerPivotRoot:345 : Failed to create /mnt/vmroot/.oldroot: Read-only file system 2011-12-08 15:31:41.945: 2666: info : libvirt version: 0.9.7 2011-12-08 15:31:41.945: 2666: error : lxcControllerRun:1210 : error receiving signal from container: Input/output error XML: http://pastebin.com/Q0p5irBH Cheers, -C-

2 3