Re: [libvirt-users] acceptable SASL mechanisms/can libvirt authenticate against PAM
by Josip Deanovic
On Wednesday 2011-12-14, Josip Deanovic wrote:
> On Wednesday 2011-12-14, Dave Allan wrote:
> > I was playing with SASL authentication a bit today and I wasn't able
> > to get libvirt to authenticate against PAM (or anything else except
> > the sasldb, although I didn't try Kerberos). Does anybody know off
> > the top of their head what mechanisms/password check options work?
> > I'm trying to figure out if I'm attempting the impossible.
> >
> > Dave
>
> Hi Dave,
>
> Here is my working configuration with sql backend. I am using postgres.
>
> mech_list: digest-md5
> pwcheck_method: auxprop
> auxprop_plugin: sql
> sql_engine: pgsql
> sql_hostnames: localhost
> sql_user: qemukvm
> sql_passwd: secret
> sql_database: qemukvmdb
> sql_select: select password from qemuusers where username = '%u'
>
>
> To make use of PAM as far as I know you will have to use saslauthd
> method.
>
> And here is the list of relevant sasl options (I am not sure if it's up
> to date): http://asyd.net/docs/cyrus-options.html
Sorry, I was mistakenly referring to SASL authentication for a VNC client with
SASL support.
However, this configuration might work with libvirt with little or no
modification. However, I never tried to authenticate to libvirt using SASL.
--
Josip Deanovic
12 years, 11 months
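The configuration quoted above embeds a database password and offers a single mechanism, which is exactly what a reviewer wants to check before putting such a file in place. The following checker is an added example, not code from the thread or from libvirt: it assumes the plain "key: value" layout of a sasl2 service config (for libvirt, usually /etc/sasl2/libvirt.conf), and the risk classes it applies to mechanisms and to the sql_passwd key are its own grouping, not a Cyrus SASL concept.

```python
"""Audit a Cyrus SASL service config like the one quoted in the thread above.

Added example: assumes the "key: value" layout of a sasl2 service config and
applies its own risk classes for offered mechanisms and embedded secrets.
"""
import os
import stat

# Risk classes are this checker's own grouping, not a Cyrus SASL concept.
CLEARTEXT = {"plain", "login"}            # password crosses the wire as-is
ANONYMOUS = {"anonymous"}                 # access with no credential at all
LEGACY_HASH = {"digest-md5", "cram-md5"}  # MD5 challenge/response; server needs
                                          # the plaintext password or a precomputed hash
SECRET_KEYS = {"sql_passwd"}              # keys whose value is a credential


def parse_sasl_conf(text):
    """Parse 'key: value' lines; lines beginning with '#' and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split(":", 1)   # split on the first ':' only; values may contain ':'
        conf[key.strip().lower()] = value.strip()
    return conf


def audit(conf, mode=None):
    """Return (severity, message) findings; mode is the file's st_mode if known."""
    findings = []
    mechs = {m.lower() for m in conf.get("mech_list", "").split()}
    if not mechs:
        findings.append(("medium", "mech_list missing or empty: every installed mechanism is offered"))
    for m in sorted(mechs & CLEARTEXT):
        findings.append(("high", f"{m} sends the password in clear unless the transport is TLS"))
    for m in sorted(mechs & ANONYMOUS):
        findings.append(("high", f"{m} grants access without any credential"))
    for m in sorted(mechs & LEGACY_HASH):
        findings.append(("medium", f"{m} is MD5-based and needs the plaintext password (or its hash) stored server-side"))
    secrets = sorted(SECRET_KEYS & set(conf))
    if secrets:
        findings.append(("info", f"file embeds credentials ({', '.join(secrets)}); restrict who can read it"))
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("high", "config holding a credential is readable by group or other"))
    return findings


def audit_file(path):
    """Read and audit a real config file, including its permission bits."""
    with open(path) as fh:
        conf = parse_sasl_conf(fh.read())
    return audit(conf, os.stat(path).st_mode)


# Constructed copy of the configuration quoted above, for an offline run.
SAMPLE_CONF = """\
mech_list: digest-md5
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: localhost
sql_user: qemukvm
sql_passwd: secret
sql_database: qemukvmdb
sql_select: select password from qemuusers where username = '%u'
"""

if __name__ == "__main__":
    # Pretend the file is mode 0644, the common default after a copy.
    for severity, message in audit(parse_sasl_conf(SAMPLE_CONF), mode=0o644):
        print(f"{severity:6} {message}")
```

Run against a real file with `audit_file("/etc/sasl2/libvirt.conf")`; the mode check only fires when a credential key is present, so a saslauthd-based config with no sql_passwd produces no finding from it.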
[libvirt-users] Why does libvirt use XML firewall rules?
by Hansa
Hi there,
When creating a VM with a persistent virtual network, libvirt creates an XML
file with firewall definitions and stores it in
/etc/libvirt/<hypervisor>/networks/. The XML file is (to my knowledge)
incompatible with iptables-restore. Therefore you can't manage your firewall
with other iptables (GUI) tools unless libvirt a) lets you import extra
rules, b) has an option to export the XML rules into iptables-save format or
c) something else. If a), b) or c) is possible then this discussion is of
course useless and I would be pleased to know how it's done :)
If not, then let's get the discussion started.
IMHO, saving rules into XML instead of using iptables-save is absurd since
you'll have to code stuff which is already coded. Also you'll make it
incompatible with the tools which are readily available. Why go for this
approach and what do we get from it?
Best regards,
-Hansa
[libvirt-users] Libvirt filterref magic
by zz elle
Hi everyone,
When I start a libvirt domain (on KVM) with network filtering (using
filterref clean-traffic for example), the filter works!
But ... I don't understand how/why it works :(
Indeed when I look at ebtables -L, iptables-save & arptables-save (and the KVM
command),
I see no filtering rules (which is surprising because clean-traffic
requires at least ebtables to be installed).
Is it normal?
Do I miss some xxtables administration command to see them?
What happens if I do an arptables-restore, iptables-restore after the VM
startup?
Does it remove network filtering rules from xxtables? No impact?
Thanks in advance for your help
ZZ, what is the magic behind my questioning?
[libvirt-users] libvirt0.9.7.tar.gz installation cannot start libvirtd?
by 张光鹏
Hi:
I have a host running Redhat 6.1; when I installed the OS, libvirt 0.8.7 was included. Later I installed libvirt0.9.3.tar.gz without uninstalling libvirt 0.8.7; I just use the virsh functions. Now I want to install libvirt0.9.7.tar.gz, so I uninstalled libvirt 0.9.3 and uninstalled libvirt 0.8.7 with "rpm -e", and I also deleted some files containing the version number 0.8.7 or 0.9.3.
Today I installed libvirt 0.9.7: untar and install with "./configure --prefix-/usr/local/libvirt --with-esx", then "make", "make install", and I made a link "ln -s /usr/local/libvirt/bin/virsh /usr/bin/virsh", so I can use virsh.
But I cannot start libvirtd; when I use "service libvirtd start/status..", it returns "libvirtd:unrecognized service". I found a libvirtd file in /usr/sbin/.
Could someone help to resolve the problem?
Thanks all
Best regards
[libvirt-users] Temporary use of disk space when deploying KVM with qcow2?
by Jorge
Hello,
I'm using libvirt to deploy a series of 7 KVM guests (in qcow2 format)
sequentially. The base image of the qcow2 is an Ubuntu server.
The environment where I am doing this is a Live USB Ubuntu with a
persistence file (so that changes made remain).
So, my problem:
* If the persistence file (i.e. free disk space in the live Ubuntu) is up
to around 1.5GB, the qemu process of launching the first one of the KVM guests
gets stuck, and a few seconds later an Ubuntu message pops up saying there
is no disk space left.
* If the persistence file is a bit bigger (100 MB more), it can launch the
7 KVM machines without any disk space problems.
This would suggest that during the deployment of one virtual machine, there
is a short period of time where a big amount of disk space (similar to the
size of the base image) is used (even if I am using qcow2 VMs) and
afterwards released, so it can be used to launch the second VM, released,
used for the third, and so on.
If this is correct, I would like to know who is using that space, since my
intention would be to, if possible, redirect this temporary disk usage to a
RAM filesystem such as tmpfs, so that I don't need such a huge persistence
file on the USB.
I'm aware that this might be related to qemu-kvm rather than to libvirt
itself, but I can't find information about it and I would appreciate it if
anyone could point me in the right direction. More details or clarification
can be provided if needed.
Best regards,
Jorge
[libvirt-users] Issues with nwfilter rules
by Kevin
Hi All,
I have two kvm guests running with a bridged configuration bound
separately to br0 and br1 on my Fedora 15 host. I'm attempting to create
some nwfilter rules on br1 and am running into a bunch of problems that
have me scratching my head.
libvirt version: 0.8.8-7
What I've noticed on the second host is as follows:
- Most all nwfilter rules that I create for the host on br1 don't
work as I would expect. If I create a rule for TCP dest port 22
with direction set to 'in', I would expect I could connect to the
host via SSH from another host, but I only see a SYN and not a full
connection. If I set the direction to 'inout', SSH seems to work.
- A nwfilter rule for UDP dest port 53 with direction set to 'out' or
'inout' doesn't allow lookups to an outside DNS server.
- In the configuration of one VM, the source Virtual network device
lists "Host device vnet0 (Bridge 'br0')" and the other lists "Host
device eth1 (Bridge 'br1')". I don't see anything different in the
two hosts' XML configuration files that describes the difference, but
I'm concerned that the second VM on br1 is misconfigured.
I notice a few iptables rules with "PHYSDEV match --physdev-in vnet1"
listed in them, should these really read "PHYSDEV match --physdev-in br1"
given the configuration virt-manager is reporting?
I would appreciate any pointers.
-Kevin
[libvirt-users] lxc capabilities
by Chris Haumesser
I'm experimenting with the libvirt lxc driver, and wondering if there is
some way to control the capabilities assigned to the container processes.
With lxc-tools, I can specify a configuration option, lxc.cap.drop,
which causes the container processes to drop the specified privileges.
My libvirt containers seem to run with
cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
which is rather more permissive than I'd like. In particular,
cap_sys_boot allows a container to reboot the host machine.
I am running libvirt-0.9.2 from squeeze-backports on debian squeeze.
Cheers,
-C-
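Whatever the driver lets you configure, the thing to verify is what a container process actually holds, and /proc/<pid>/status reports that directly as hex bitmasks (CapInh, CapPrm, CapEff and CapBnd, the bounding set being the ceiling the process can ever regain). The decoder below is an added example, not code from the thread or from libvirt: capability bit positions follow linux/capability.h, the set of "host-affecting" capabilities is this script's own judgement seeded with the five the post names plus cap_sys_admin and cap_sys_rawio, and the status text it runs on offline is constructed.

```python
"""Decode the capability sets of a process from /proc/<pid>/status.

Added example: bit positions follow linux/capability.h; HOST_AFFECTING is
this script's own list, not a kernel or libvirt definition.
"""

# Index in this list == capability bit number in linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# Capabilities whose effect reaches the shared kernel or the host as a whole.
HOST_AFFECTING = {
    "cap_sys_module",     # load modules into the kernel shared with the host
    "cap_sys_boot",       # reboot(2): takes the whole host down
    "cap_sys_time",       # set the host clock
    "cap_audit_control",  # reconfigure the host audit subsystem
    "cap_mac_admin",      # alter MAC (e.g. SELinux/Smack) state
    "cap_sys_admin",      # mount, and a long list of other privileged ops
    "cap_sys_rawio",      # raw access to block devices and I/O ports
}


def decode_caps(mask):
    """Translate a capability bitmask into the set of capability names."""
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    if mask >> len(CAP_NAMES):
        names.add("cap_unknown")  # bits newer than this table
    return names


def mask_for(names):
    """Inverse of decode_caps; used here to build the constructed sample."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def parse_status_caps(status_text):
    """Extract the Cap* lines of /proc/<pid>/status as integers."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def host_affecting(status_text, which="CapBnd"):
    """Sorted host-affecting capabilities present in the chosen set."""
    caps = parse_status_caps(status_text)
    return sorted(decode_caps(caps[which]) & HOST_AFFECTING)


def audit_pid(pid):
    """Audit a live process, e.g. the init of a running container."""
    with open(f"/proc/{pid}/status") as fh:
        return host_affecting(fh.read())


# Constructed sample: the capabilities the post reports, next to harmless ones.
_SAMPLE_MASK = mask_for({"cap_chown", "cap_kill", "cap_net_bind_service",
                         "cap_sys_module", "cap_sys_boot", "cap_sys_time",
                         "cap_audit_control", "cap_mac_admin"})
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "Pid:\t1\n"
    f"CapInh:\t{0:016x}\n"
    f"CapPrm:\t{_SAMPLE_MASK:016x}\n"
    f"CapEff:\t{_SAMPLE_MASK:016x}\n"
    f"CapBnd:\t{_SAMPLE_MASK:016x}\n"
)

if __name__ == "__main__":
    print("host-affecting in bounding set:", host_affecting(SAMPLE_STATUS))
```

On a real host, `audit_pid(<pid>)` with the PID of a container process reports the bounding set; a capability that is absent from CapBnd cannot come back through any execve inside the container, which is the property to check rather than the effective set of one shell.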
[libvirt-users] read-only rootfs for lxc containers
by Chris Haumesser
And speaking of running out of a shared read-only root, I get the
following error when I attempt it:
error: Failed to start domain hw
error: internal error guest failed to start: PATH=/bin:/sbin TERM=linux
LIBVIRT_LXC_UUID=38320e75-1ba0-d85a-6138-532a3a66f13d
LIBVIRT_LXC_NAME=hw /bin/bash
2011-12-08 15:31:41.945: 1: info : libvirt version: 0.9.7
2011-12-08 15:31:41.945: 1: error : lxcContainerPivotRoot:345 : Failed
to create /mnt/vmroot/.oldroot: Read-only file system
2011-12-08 15:31:41.945: 2666: info : libvirt version: 0.9.7
2011-12-08 15:31:41.945: 2666: error : lxcControllerRun:1210 : error
receiving signal from container: Input/output error
XML: http://pastebin.com/Q0p5irBH
Cheers,
-C-