[libvirt-users] libvirt and UEFI/SecureBoot
by Shmuel Melamud
Hi!
I'm working currently on integration of UEFI/SecureBoot support into
oVirt. And I have several questions about UEFI/SecureBoot support in
libvirt. Can you please help me with them?
For UEFI I add the following to the XML:
<loader readonly="yes" secure="no" type="pflash">/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
<nvram template="/usr/share/OVMF/OVMF_VARS.fd">/var/lib/libvirt/qemu/nvram/VM_UUID.fd</nvram>
1. Are all paths mandatory, or are there some defaults?
2. If the nvram image file is absent, does libvirt create it?
3. Is the nvram image file only read, or is it also written?
4. If the nvram image file is present, is it used? Or is it removed and created again?
5. Is the nvram image file used only on VM startup, or must it be present
all the time the VM is running? Is it used on VM shutdown?
6. What happens if the VM is migrated at the moment when the nvram image
file is in use? Is this file migrated as well?
7. Is it enough to set secure="yes" to boot the VM with SecureBoot? Or
do I need to prepare the nvram somehow (install keys etc.)?
8. How can I verify that the VM was indeed booted with UEFI? With SecureBoot?
Shmuel
6 years, 4 months
[libvirt-users] compile error libvirt-python 4.5.0 - error: unknown type name ‘virNWFilterBindingPtr’
by Holger Schranz
Hello,
I have tried to upgrade libvirt / libvirt-python from 4.4.0 to 4.5.0.
1) libvirt configure and install
Compile and install of libvirt 4.5.0 complete without problems.
Configure:
./configure -q --with-lxc --with-storage-iscsi --with-storage-scsi
--with-interface --with-storage-lvm --with-storage-fs --with-udev
--with-vmware --with-storage-mpath --prefix=/usr;make -j6
The following installation was successful:
ETCSVMS3:~ # virsh version --daemon
Compiled against library: libvirt 4.5.0
Using library: libvirt 4.5.0
Using API: QEMU 4.5.0
Running hypervisor: QEMU 2.12.0
Running against daemon: 4.5.0
ETCSVMS3:~ #
2) libvirt-python build and install
This step ends with a compile error.
Protocol:
shl@ETCSVMS3:~/Install/libvirt-python-4.5.0> python setup.py build
running build
/usr/bin/pkg-config --print-errors --atleast-version=0.9.11 libvirt
/usr/bin/python generator.py libvirt /usr/share/libvirt/api/libvirt-api.xml
Found 446 functions in /usr/share/libvirt/api/libvirt-api.xml
Found 0 functions in libvirt-override-api.xml
Generated 365 wrapper functions
/usr/bin/python generator.py libvirt-qemu
/usr/share/libvirt/api/libvirt-qemu-api.xml
Found 5 functions in /usr/share/libvirt/api/libvirt-qemu-api.xml
Found 0 functions in libvirt-qemu-override-api.xml
Generated 3 wrapper functions
/usr/bin/pkg-config --atleast-version=1.0.2 libvirt
/usr/bin/python generator.py libvirt-lxc
/usr/share/libvirt/api/libvirt-lxc-api.xml
Found 4 functions in /usr/share/libvirt/api/libvirt-lxc-api.xml
Found 0 functions in libvirt-lxc-override-api.xml
Generated 2 wrapper functions
running build_py
creating build/lib.linux-x86_64-2.7
copying build/libvirt.py -> build/lib.linux-x86_64-2.7
copying build/libvirt_qemu.py -> build/lib.linux-x86_64-2.7
copying build/libvirt_lxc.py -> build/lib.linux-x86_64-2.7
running build_ext
building 'libvirtmod' extension
creating build/temp.linux-x86_64-2.7
creating build/temp.linux-x86_64-2.7/build
gcc -pthread -fno-strict-aliasing -fmessage-length=0
-grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector
-funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
-DNDEBUG -fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -fstack-clash-protection -g
-DOPENSSL_LOAD_CONF -fwrapv -fPIC -I. -I/usr/include/python2.7 -c
libvirt-override.c -o build/temp.linux-x86_64-2.7/libvirt-override.o
In file included from libvirt-override.c:24:0:
typewrappers.h:114:5: error: unknown type name ‘virNWFilterBindingPtr’
virNWFilterBindingPtr obj;
^
typewrappers.h:201:46: error: unknown type name ‘virNWFilterBindingPtr’
PyObject * libvirt_virNWFilterBindingPtrWrap(virNWFilterBindingPtr node);
^
error: command 'gcc' failed with exit status 1
shl@ETCSVMS3:~/Install/libvirt-python-4.5.0>
================================================================================
Best regards
Holger
6 years, 4 months
[libvirt-users] dmesg shows Intel Virt., lsmod shows kvm_intel; "Host does not [have] virt. options"
by Quincy Wofford
Hello,
I've tried over at IRC and it appears the solution to this problem may not
be obvious.
I'm working with a CentOS 7 box on HP ProLiant 380p hardware. The BIOS is a
bit outdated, but both Intel Virtualization Options and VT-d are present
and enabled in the firmware.
Some relevant command outputs below:
-bash-4.2$ dmesg | grep Virtualization
[ 1.299295] DMAR: Intel(R) Virtualization Technology for Directed I/O
-bash-4.2$ lsmod | grep kvm
kvm_intel 174841 0
kvm 578518 1 kvm_intel
irqbypass 13503 1 kvm
sudo virt-install --virt-type kvm --name <my name> --memory 8192 --cdrom
<my path>/CentOS-7-x86_64-Everything-1708.iso --disk size=4 --os-variant
rhel7
ERROR Host does not support any virtualization options
I don't see any options to increase the verbosity of virt-install. Any
ideas?
6 years, 4 months
[libvirt-users] How about giving commit ID in release notes
by Han Han
Hello developers,
Your release notes for libvirt (https://libvirt.org/news.html) are really
helpful to our users and QAs. How about giving the commit ID of each item in
the release notes, so that our users can gather more info from them?
For example, in the v4.5.0 release notes, add the commit ID to each item:
capabilities: Provide info about host IOMMU support
Capabilities XML now provide information about host IOMMU support. (commit
dc34e7)
Though we can search for them in git, it is more accurate when done by the
authors.
--
Best regards,
-----------------------------------
Han Han
Quality Engineer
Redhat.
Email: hhan(a)redhat.com
Phone: +861065339333
6 years, 4 months
[libvirt-users] Breaking a virtlockd lock?
by Steve Gaarder
I have several Qemu/kvm servers running VMs hosted on an NFS share, and am
using virtlockd. (lock_manager = "lockd" in qemu.conf) After a power
failure, one of the VMs will not start, claiming that it is locked. How do
I get out of this?
thanks,
Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder(a)math.cornell.edu
6 years, 4 months
[libvirt-users] East-west traffic network filter
by Ales Musil
Hello,
I would like to make a filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic, but I was not able to get it working
with that reference. I have come up with a modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with a reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
  <!-- An example of a traffic filter enforcing clean traffic
       from a VM by
       - preventing MAC spoofing -->
  <filterref filter='no-mac-spoofing'/>
  <!-- preventing IP spoofing on outgoing -->
  <filterref filter='no-ip-spoofing'/>
  <!-- preventing ARP spoofing/poisoning -->
  <filterref filter='no-arp-spoofing'/>
  <!-- accept all other incoming and outgoing ARP traffic -->
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <!-- accept traffic only from specified MAC address -->
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC'
         srcmacmask='$GATEWAY_MAC_MASK' />
  </rule>
  <!-- allow traffic only to specified MAC address -->
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC'
         dstmacmask='$GATEWAY_MAC_MASK' />
  </rule>
  <!-- preventing any other traffic than between specified MACs
       and ARP -->
  <filterref filter='no-other-l2-traffic'/>
  <!-- allow qemu to send a self-announce upon migration end -->
  <filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
6 years, 4 months
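
Added example (not part of the original post and not libvirt code): the filter in [1] references $GATEWAY_MAC and $GATEWAY_MAC_MASK, which have to be supplied as <parameter> elements inside the interface's <filterref>. This check lists the variables a filter's own rules use that an interface leaves unbound. The function names, the shortened filter, the interface XML and its MAC values are constructed for illustration, and filters pulled in through nested <filterref> elements are not followed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: shortened form of the clean-traffic-gateway filter in [1].
FILTER_XML = """
<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
</filter>
"""

# Constructed sample interface; the mask parameter is left out on purpose.
INTERFACE_XML = """
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:aa:bb:01'/>
  <filterref filter='clean-traffic-gateway'>
    <parameter name='GATEWAY_MAC' value='52:54:00:aa:bb:fe'/>
  </filterref>
</interface>
"""

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def filter_variables(filter_xml):
    """Names of all $VARIABLES used in attributes of the filter's own rules."""
    found = set()
    for rule in ET.fromstring(filter_xml).iter("rule"):
        for proto in rule:                      # <mac>, <ip>, <arp>, ...
            for value in proto.attrib.values():
                found.update(VAR_RE.findall(value))
    return found

def bound_parameters(interface_xml, filter_name):
    """Parameters the interface passes to the named filter, as name -> value."""
    params = {}
    for ref in ET.fromstring(interface_xml).iter("filterref"):
        if ref.get("filter") == filter_name:
            for p in ref.findall("parameter"):
                params[p.get("name")] = p.get("value")
    return params

def unbound_variables(filter_xml, interface_xml):
    """Variables the filter needs that the interface does not supply."""
    name = ET.fromstring(filter_xml).get("name")
    bound = bound_parameters(interface_xml, name)
    return sorted(filter_variables(filter_xml) - set(bound))
```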