[libvirt-users] libvirt_lxc namespace and umount in global namespace
by Olivier Nicaise
Hi,
I am currently having an issue with the libvirt_lxc binary that is launched
when starting a lxc instance using libvirt. This process seems to have its
own namespace for mounts.
What happens is that if I umount something in the global namespace, it
stays mounted in the libvirt_lxc namespace.
I'm working with drbd, and after unmounting the mount point, I want to
change the state of the drbd resource as Secondary. But if fails. Indeed,
libvirt_lxc has still the resource which is mounted in its namespace.
Currently, I wanted to test the setns tool to enter the namespace and
umount the mount point. But I am currently on Ubuntu 12.04 with a 3.2.0-59
kernel which does not have /proc/[pid]/ns/mnt
I can't upgrade to 3.8 (which have the proc mnt file) as the drbd tools are
not compatible.
Do you have an idea of what I could try ?
Here I the steps I do to reproduce the issue:
- Mount a drbd file system
- Start a lxc instance with libvirt
- Umount the drbd file system
- Set the drbd resource as secondary. => Does not work
10 years, 9 months
[libvirt-users] problem with nwfilter direction='out'
by Stephan Sachse
i test the following simple filter
<filter name='nwfilter-test-fedora2' chain='root'>
<uuid>ccbd255f-4be5-4f0f-8835-770ea40cb2c9</uuid>
<rule action='accept' direction='out' priority='500'>
<tcp dstipaddr='10.1.24.0' dstipmask='24' comment='test test test'/>
</rule>
</filter>
but i get strange results (look at the attached output of iptables-save)
for me it looks like the direction='out' filters are attached to every
chain for this domain. additional there are wrong conntrack, state and
ctdir matches.
is this a bug or my fault?
/stephan
--
Software is like sex, it's better when it's free!
10 years, 9 months
[libvirt-users] Networkfilters in Routed setup
by h0rst
Hello!
Since i could not find any information on the internet about this subject, i'm going to try my luck on this list.
I'm trying to setup network-filter on a routed setup. I have a root-server at Hetzner, a german hosting provider.
Along with my server i ordered a (/28) subnet to be able to setup dedicated IPs for my virtual machines (KVM).
My Server is running Ubuntu 12.04 with libvirt 0.9.8 . Since Hetzner does not allow any bridged traffic, i had
to setup a routed network. Currently my (via libvirt) defined network looks like this:
(lets assume my subnet is 1.2.3.64/28):
<network>
<name>hetzner-subnet-v4</name>
<forward dev='eth0' mode='route'>
<interface dev='eth0'/>
</forward>
<bridge name='route-br0' stp='off' delay='0' />
<mac address='52:54:00:F0:D0:AA'/>
<ip address='1.2.3.65' netmask='255.255.255.240'></ip>
</network>
The network definition for all running VMs looks like this:
<interface type='network'>
<mac address='52:54:00:00:00:##'/>
<source network='hetzner-subnet-v4'/>
</interface>
Without using Network-Filters, this setup is running as expected. All traffic is correctly forwarded to my virtual
machines connected to "route-br0" and the following iptables-rules are created in the FORWARD Chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- eth0 route-br0 0.0.0.0/0 1.2.3.64/28
ACCEPT all -- route-br0 eth0 1.2.3.64/28 0.0.0.0/0
ACCEPT all -- route-br0 route-br0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * route-br0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- route-br0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
When i try to setup a network-filter for a VM (a modified version of http://libvirt.org/formatnwfilter.html last example):
<filter name='server-x' chain='root'>
<filterref filter='clean-traffic'/>
<rule action='accept' direction='in' priority='500'>
<all state='ESTABLISHED'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<all state='ESTABLISHED,RELATED'/>
</rule>
<rule action='accept' direction='in' priority='500'>
<tcp state='NEW' dstportstart='22'/>
</rule>
<rule action='accept' direction='out' priority='500'>
<all state='NEW'/>
</rule>
<rule action='drop' direction='inout' priority='500'>
<all/>
</rule>
</filter>
and adding the filter to my interface-definition of a VM using the following syntax:
<filterref filter='server-x'>
<parameter name='IP' value='1.2.3.70'/>
</filterref>
additional iptable-rules are getting created. The problematic rule seems to be the following:
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
which should trigger the following rules:
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
But this actually never happens. The FO-vnetX Chain never sees any packets and my syslog says:
xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
Am i doing something wrong? I hope i did not write too much useless stuff here. I'm tried to figure it all out by
myself, but im currently stuck. Lets hope some wise guys can help me out here. Maybe there is some documentation i have missed?
Thanks!
kind regards,
Sebastian
10 years, 9 months
[libvirt-users] Errors with ESX driver & floppy0.filename
by Phil Mayers
We're getting the following error with one or two ESX VMs using libvirt;
I'm only trying to read the domain config here, not make changes:
libvir: error : internal error Invalid or not yet handled value 'Floppy
drive 1' for VMX entry 'floppy0.fileName'
Is there a way I can tell it to ignore unknown stuff?
10 years, 9 months
[libvirt-users] Right way to do SAN-based shared storage?
by urgrue
I'm trying to set up SAN-based shared storage in KVM, key word being
"shared" across multiple KVM servers for a) live migration and b)
clustering purposes. But it's surprisingly sparsely documented. For
starters, what type of pool should I be using?
10 years, 9 months
[libvirt-users] Error when building from source
by arnaud gaboury
Hi all,
I can not build from source since a few days. Make left me with this error:
Making install in tools/wireshark
make[1]: Entering directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
make[2]: Entering directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
make[3]: Entering directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
make[2]: Leaving directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
make[1]: Leaving directory
'/developement/aur/libvirt-git/src/libvirt/tools/wireshark'
mv: cannot stat ‘/developement/aur/libvirt-git/pkg/libvirt-git/lib/*’: No
such file or directory
I am on Arch linux and use the AUR mechanism package to build/install
packages from source.
Here is the build part of the PKGBUILD file :
build() {
cd "$srcdir/libvirt"
export LDFLAGS=-lX11
export RADVD=/usr/bin/radvd
./autogen.sh
#./configure --prefix=/usr --libexec=/usr/lib/"$pkgname" --sbindir=/usr/bin \
./configure --prefix=/usr --libexec=/usr/lib/"${pkgname/-git/}"
--sbindir=/usr/bin \
--with-storage-lvm --without-xen --with-udev --without-hal --disable-static \
--with-init-script=systemd --with-audit \
--with-qemu-user=nobody --with-qemu-group=nobody \
--without-netcf --with-interface
Thank you for help.
10 years, 9 months
[libvirt-users] lxc state driver is not active
by Tom Taylor
So I've followed this tutorial on a vanilla CentOS 6.5 (x64) hardware
install ... http://wiki.centos.org/HowTos/LXC-on-CentOS6 (barring the name
and location of the container)
I'm getting the following error when trying to intialise the container ...
# virt-install --connect lxc:/// --name dns --ram 512 --vcpu 1 --filesystem
/srv/lxc/dns,/ --noautoconsole
ERROR internal error lxc state driver is not active
Does this howto miss a step somewhere? Is something in the CentOS
distribution broken?
# rpm -qa | egrep 'lxc|libvirt'
lxc-0.9.0-2.el6.x86_64
libvirt-python-0.10.2-29.el6_5.3.x86_64
lxc-libs-0.9.0-2.el6.x86_64
libvirt-client-0.10.2-29.el6_5.3.x86_64
libvirt-0.10.2-29.el6_5.3.x86_64
lxc-templates-0.9.0-2.el6.x86_64
Thanks
Tom Taylor
10 years, 9 months
[libvirt-users] libvirtd ssl configuration
by Гусев Павел
Hi!
I found little semantics bug:
[13:53:40] root@dedicated-04:~ # LC_ALL=C libvirtd -h
libvirtd: invalid option -- 'h'
Usage:
libvirtd [options]
Options:
-v | --verbose Verbose messages.
-d | --daemon Run as a daemon & write PID file.
-l | --listen Listen for TCP/IP connections.
-t | --timeout <secs> Exit after timeout period.
-f | --config <file> Configuration file.
| --version Display version information.
-p | --pid-file <file> Change name of PID file.
libvirt management daemon:
Default paths:
Configuration file (unless overridden by -f):
/etc/libvirt/libvirtd.conf
Sockets:
/var/run/libvirt/libvirt-sock
/var/run/libvirt/libvirt-sock-ro
TLS:
CA certificate: /etc/pki/CA/caert.pem
Server certificate: /etc/pki/libvirt/servercert.pem
Server private key: /etc/pki/libvirt/private/serverkey.pem
PID file (unless overridden by -p):
/var/run/libvirtd.pid
I think that caert.pem should be cacert.pem =)
Tnx.
С уважением,
Гусев Павел
Руководитель отдела системного администрирования
QSOFT | Ведущий web-интегратор
офис 7(495) 771-7363 #110 | моб. 7(926) 850-1108
pgusev(a)qsoft.ru
Москва, Авангардная улица, 3 | qsoft.ru
San Francisco, 222 Columbus Ave | qsoftus.com
10 years, 9 months
[libvirt-users] tftp server inside a container ?
by Thomas Elsgaard
Hi list
I am trying to understand the containers in red hat 7, and i have following
questions:
1) Would it be possible to run an tftp server inside an container ?
2) Can i have containers binding to vlans on the host, so that i can have
containers with overlapping IP networks, but in different vlans ?
What i am trying to achieve is 10 containers with an tftp server inside,
where the containers are on isolated IP networks via vlans.
Thomas
10 years, 9 months
[libvirt-users] lxc and cgroups
by arnaud gaboury
Dear list,
I am bulding a VM using libvirt and lxc for linux container. I have an
issue with my cgroups settings:
gabx@hortensia ➤➤ ~ # virsh start dahlia
error: Failed to start domain dahlia
error: internal error: No valid cgroup for machine dahlia
My environement:
Host : Arch Linux - systemd 208-11, libvirt 1.2.1-4
guest : Arch Linux , machine name : dahlia ,
/etc/libvirt/lxc/dahlia.xml , mounted in /machine/dahlia
My set up so far :
- gabx@hortensia ➤➤ ~ % sudo virsh uri
[sudo] password for root:
lxc:///
- gabx@hortensia ➤➤ ~ # virsh -c lxc:/// list --all
Id Name State
----------------------------------------------------
- dahlia shut off
- custom kernel with user space set
gabx@hortensia ➤➤ ~ % zgrep USER_NS /proc/config.gz
CONFIG_USER_NS=y
- /etc/libvirt/lxc/dahlia.xml
$ ls -al
-rw------- 1 root root 1.1K Feb 15 12:11 /etc/libvirt/lxc/dahlia.xml
$ cat
<domain type='lxc'>
<name>dahlia</name>
<uuid>a34b58db-894f-4f4a-81f0-b13d2d5d7732</uuid>
<memory unit='KiB'>409600</memory>
<currentMemory unit='KiB'>409600</currentMemory>
<vcpu placement='static'>1</vcpu>
<resource>
<partition>/machine/dahlia</partition>
</resource>
<os>
<type arch='x86_64'>exe</type>
<init>/bin/init</init>
</os>
<idmap>
<uid start='0' target='1000' count='10'/>
<gid start='0' target='1000' count='10'/>
</idmap>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
<interface type='network'>
<mac address='52:54:00:89:8f:1a'/>
<source network='default'/>
</interface>
<console type='pty'>
<target type='lxc' port='0'/>
</console>
</devices>
</domain>
- fstab :
UUID=f69d032f-c80f-4f2e-84cd-d2328a862818 /machine/dahlia ext4
defaults,relatime,discard 0 1
$ ls -al
drwxr-xr-x 17 root root 4.0K Feb 11 21:41 dahlia/
- /etc/cgconfig:
group dahlia {
perm {
# who can manage limits
admin {
uid = 1000;
gid = 1004;
}
# who can add task
task {
uid = 1000;
gid = 1004;
}
}
# create this group in the controllers
cpu { }
cpuset { }
memory { }
devices { }
freezer { }
net_cls { }
blkio { }
}
- /etc/cgrules is deafult one, so everything is commented. Maybe shall
I edit a line ??
- gabx@hortensia ➤➤ ~ # cat /proc/cgroups
#subsys_name hierarchy num_cgroups enabled
cpuset 3 5 1
cpu 4 4 1
cpuacct 4 4 1
memory 5 5 1
devices 6 4 1
freezer 7 5 1
net_cls 8 5 1
blkio 9 4 1
Something puzzles me. In /sys/fs/cgroup/blkio, I see two dirs: dahlia
and machine.slice. Inside machine.slice, I see another dir
machine-dahlia. I guess there is something wrong here !! Same for
cpuset or other controllers.
- gabx@hortensia ➤➤ ~ % systemctl status machine-dahlia.slice
machine-dahlia.slice - dahlia VM slice
Loaded: loaded (/etc/systemd/system/machine-dahlia.slice; static)
Active: active since Sat 2014-02-15 11:53:01 CET; 15min ago
Feb 15 11:53:01 hortensia systemd[1]: Starting dahlia VM slice.
Feb 15 11:53:01 hortensia systemd[1]: Created slice dahlia VM slice.
My systemd unit file machine-dahlia.slice in /etc/systemd/system
Apologize for the long post, but I wanted to detail everything.
Thank you for help on my cgroup set up.
10 years, 9 months
