Re: [libvirt-users] disable libvirt-nwfilter
by Michal Privoznik
[Please keep the list CC-ed as it may help somebody from future when
searching for solution to the same problem]
On 5/6/19 6:08 PM, nakata(a)geekpit.org wrote:
> Am 2019-05-06 16:26, schrieb Michal Privoznik:
>> On 5/6/19 3:44 PM, nakata(a)geekpit.org wrote:
>>> Hi,
>>>
>>> i want to disable the nwfilter functionality of libvirt.
>>> It's surely nice for some people, nevertheless i don't want libvirt
>>> to alter any netfilter rules, nor do i want the corresponding
>>> functionality even available.
>>
>> It's not only NWFilter that will inject firewall rules. Depending on
>> configuration it might also be the default network.
>>
>>> I know about nwfilter-undefine, but what i'm looking for is an option
>>> to globally disable this functionality at all. Some config flag or
>>> similar.
>>> How can i achieve that?
>>
>> Unless you have a domain <interface/> defined so that it uses a
>> nwfilter then no firewall rules are added by nwfilter code.
>>
>> If you still want to remove nwfilter module then just uninstall it,
>> e.g. via:
>>
>> dnf remove libvirt-daemon-driver-nwfilter libvirt-daemon-config-nwfilter
>>
>> Michal
>
> Hi,
>
> me again.
> Another question: libvirt is adding chains. Where do i disable these:
>
> chains are LIBVIRT-{FWO,FWX,FWI, INP, OUT}
>
> These are absolutely and explicit unwanted.
> Adding new rich features for folks is a fine thing, but i need an opt out.
> Please, how do i get rid of it?
As I've said, there are two sources which cause libvirt to insert FW
rules. By uninstalling nwfilter module you've eliminated one. But since
you're still able to run the domain this step was useless because your
domain doesn't have nwfilter configured for any of its <interface/>-s
and thus nwfilter module did nothing but sit there.
The other module that is inserting FW rules is network module.
Currently, when libvirtd is starting it reads all the configs of defined
networks. If a NATed network is found then it creates those LIBVIRT-*
chains and when the network is started then all the rules will be placed
into those chains to not contaminate config set by sysadmin.
There is a patch to postpone creating the chains until the network actually is
starting:
https://www.redhat.com/archives/libvir-list/2019-April/msg01547.html
So your options here are:
a) undefine all NATed networks (typically there's 'default' network)
b) uninstall network module (but this will render all domains using
<interface type='network'/> unable to start).
As an extension to a) you can have a network with <forward mode='open'/>
which preserves all the advantages of having a libvirt network but does
not install any FW rules.
Of course, any comments to aforementioned patch are welcome too.
Michal
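The check a sysadmin would want after this reply, as an added example that is not part of the thread: inspect a network's XML for the `<forward mode='nat'/>` case that makes the network driver create the LIBVIRT-* chains, rewrite it to `<forward mode='open'/>`, and confirm from `iptables -S` output that no LIBVIRT-* chains exist. The network XML and the iptables dump are constructed samples; the thread only names NAT networks as the trigger, so that is all the check flags.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the stock libvirt 'default' network (NAT mode).
NET_NAT = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""

def injects_fw_rules(net_xml):
    """True when, per the thread, the network driver will create the LIBVIRT-*
    chains for this network: it is defined with <forward mode='nat'/>."""
    fwd = ET.fromstring(net_xml).find("forward")
    return fwd is not None and fwd.get("mode") == "nat"

def to_open_mode(net_xml):
    """Rewrite a NAT network to <forward mode='open'/>, which per the reply keeps
    the libvirt network but installs no firewall rules. Bridge, IP and DHCP are
    kept; a <nat> sub-element (assumption: only meaningful in NAT mode) is dropped."""
    root = ET.fromstring(net_xml)
    fwd = root.find("forward")
    if fwd is None:
        fwd = ET.SubElement(root, "forward")
    fwd.set("mode", "open")
    for child in list(fwd):
        fwd.remove(child)
    return ET.tostring(root, encoding="unicode")

def audit_chains(iptables_dump):
    """Return the LIBVIRT-* chains declared in 'iptables -S' style output, so an
    empty list confirms libvirt injected nothing after the change."""
    return sorted({line.split()[1] for line in iptables_dump.splitlines()
                   if line.startswith("-N LIBVIRT-")})

# Constructed sample of what 'iptables -S' shows on a host with the default network.
IPTABLES_SAMPLE = """-P INPUT ACCEPT
-N LIBVIRT-INP
-N LIBVIRT-OUT
-N LIBVIRT-FWO
-N LIBVIRT-FWI
-N LIBVIRT-FWX
-A INPUT -j LIBVIRT-INP
"""

if __name__ == "__main__":
    print(injects_fw_rules(NET_NAT), injects_fw_rules(to_open_mode(NET_NAT)))
    print(audit_chains(IPTABLES_SAMPLE))
```

Run `virsh net-dumpxml default` to feed a real network definition into `injects_fw_rules`, and `virsh net-define` with the output of `to_open_mode` after undefining the NAT version.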
[libvirt-users] Autodetecting backing file properties when using vol-create-as
by Gionatan Danti
Hi all,
experimenting with vol-create-as, I think it should autodetect some data
- filesize and backing file format, specifically. However, the current
implementation requires us to specify both filesize and backing file
format.
Considering that qemu-img already autodetects these data, is there any
reason for the lack of autodetection by libvirt? Should I open a bugzilla
issue?
Below you can find a practical example of what I mean. System is CentOS
Linux release 7.6.1810 (Core) with libvirt-4.5.0-10.el7_6.4.x86_64
Please let me know if I am missing something.
Thanks.
# create base file
[root@singularity images]# qemu-img create base.qcow2 8G -f qcow2
Formatting 'base.qcow2', fmt=qcow2 size=8589934592 cluster_size=65536
lazy_refcounts=off refcount_bits=16
[root@singularity images]# qemu-img info base.qcow2
image: base.qcow2
file format: qcow2
virtual size: 8.0G (8589934592 bytes)
disk size: 17K
cluster_size: 65536
Format specific information:
compat: 1.1
lazy refcounts: false
refcount bits: 16
corrupt: false
# create overlay1.qcow2 via qemu-img; note how backing file format is
autodetected ("-f qcow2" regards the overlay file itself)
[root@singularity images]# qemu-img create -b
/var/lib/libvirt/images/base.qcow2 overlay1.qcow2 -f qcow2
Formatting 'overlay1.qcow2', fmt=qcow2 size=8589934592
backing_file=/var/lib/libvirt/images/base.qcow2 cluster_size=65536
lazy_refcounts=off refcount_bits=16
[root@singularity images]# qemu-img info overlay1.qcow2
image: overlay1.qcow2
file format: qcow2
virtual size: 8.0G (8589934592 bytes)
disk size: 17K
cluster_size: 65536
backing file: /var/lib/libvirt/images/base.qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
refcount bits: 16
corrupt: false
# try the same with virsh vol-create-as; note how you must specify
filesize and the backing file format is *wrong* (leading to an unusable
overlay disk)
[root@singularity images]# virsh vol-create-as default overlay2.qcow2 8G
--format qcow2 --backing-vol /var/lib/libvirt/images/base.qcow2
Vol overlay2.qcow2 created
[root@singularity images]# qemu-img info overlay2.qcow2
image: overlay2.qcow2
file format: qcow2
virtual size: 8.0G (8589934592 bytes)
disk size: 17K
cluster_size: 65536
backing file: /var/lib/libvirt/images/base.qcow2
backing file format: raw
Format specific information:
compat: 0.10
refcount bits: 16
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
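A pre-flight check for the failure shown above, as an added example that is not part of the post: read the backing file path and the "backing file format" header extension straight out of a qcow2 header, and flag an overlay that records its backing file as raw while the backing file itself is qcow2 (overlay2 in the post). The headers are constructed in memory from the qcow2 format specification; `build_qcow2`, `parse_backing` and `check_overlay` are names chosen here, not libvirt or qemu APIs.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
BACKING_FORMAT_EXT = 0xE2792ACA  # qcow2 header-extension type "backing file format"

def build_qcow2(virtual_size, backing_file=None, backing_fmt=None):
    """Constructed sample: a bare qcow2 v3 header (no tables) carrying only the
    backing-file fields the post is about. Not a usable disk image."""
    ext = b""
    if backing_fmt:
        fmt = backing_fmt.encode()
        ext = struct.pack(">II", BACKING_FORMAT_EXT, len(fmt)) + fmt.ljust((len(fmt) + 7) // 8 * 8, b"\0")
    ext += struct.pack(">II", 0, 0)                        # end-of-extensions marker
    bf = backing_file.encode() if backing_file else b""
    bf_off = 104 + len(ext) if bf else 0                   # backing path follows the extensions
    hdr = struct.pack(">4sIQIIQIIQQIIQQQQII", QCOW2_MAGIC, 3, bf_off, len(bf), 16,
                      virtual_size, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 104)
    return hdr + ext + bf

def parse_backing(img):
    """Return (backing_file, backing_format) from a qcow2 header. backing_format is
    None when no backing-format extension is present (qemu then probes the file)."""
    if img[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, bf_off, bf_size = struct.unpack(">IQI", img[4:20])
    hdr_len = struct.unpack(">I", img[100:104])[0] if version >= 3 else 72
    backing = img[bf_off:bf_off + bf_size].decode() if bf_off else None
    fmt, pos = None, hdr_len
    while pos + 8 <= len(img):
        ext_type, ext_len = struct.unpack(">II", img[pos:pos + 8])
        if ext_type == 0:
            break
        if ext_type == BACKING_FORMAT_EXT:
            fmt = img[pos + 8:pos + 8 + ext_len].decode()
        pos += 8 + (ext_len + 7) // 8 * 8                  # extension data is padded to 8 bytes
    return backing, fmt

def check_overlay(overlay, backing):
    """Flag the post's failure mode: the overlay header says the backing file is
    'raw' but the backing file is really qcow2, so its data would be read as raw."""
    _, fmt = parse_backing(overlay)
    actual = "qcow2" if backing[:4] == QCOW2_MAGIC else "raw"  # non-qcow2 treated as raw here
    if fmt is None:
        return "unspecified (qemu will probe the backing file)"
    return "ok" if fmt == actual else f"MISMATCH: header says {fmt}, backing file is {actual}"

if __name__ == "__main__":
    base = build_qcow2(8 << 30)
    overlay2 = build_qcow2(8 << 30, "/var/lib/libvirt/images/base.qcow2", "raw")
    print(parse_backing(overlay2), check_overlay(overlay2, base))
```

On a real host, pass `open(path, "rb").read(4096)` of the overlay and of its backing file to `check_overlay`; only the header region is inspected.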
[libvirt-users] disable libvirt-nwfilter
by nakata@geekpit.org
Hi,
i want to disable the nwfilter functionality of libvirt.
It's surely nice for some people, nevertheless i don't want libvirt to
alter any netfilter rules, nor do i want the corresponding functionality
even available.
I know about nwfilter-undefine, but what i'm looking for is an option to
globally disable this functionality at all. Some config flag or similar.
How can i achieve that?
greetings
[libvirt-users] VM: Unable to enable scatter-gather / tx-checksumming / tcp-segmentation offload
by Harsh Gondaliya
In my Linux VM, I am unable to change scatter-gather / tx-checksumming /
TCP-segmentation offload features by ethtool command. I am using virtio nic
with vhostuser port backend.
It shows me an error:
Cannot change tx-checksumming
Cannot change scatter-gather
Cannot change tcp-segmentation offload
Could not change any device features
On running the command ethtool -k ens3, I get the following:
[image: image.png]
If there is something that needs to be changed in the domain XML itself
then please guide me what changes to do?
[libvirt-users] Running all my virtual machines with a low priority
by R. Diez
Hi all:
I have an Ubuntu 18.04 system. What is the easiest way to run all of my virtual machines with a low priority? Say a "nice" level of 15.
I just do not want my virtual machines to have too much of an impact on any other processes on the system.
Thanks in advance,
rdiez
[libvirt-users] NUMA revisited
by Patrick Meyer
Moin libvirters,
I'm looking into the current numa settings for a large-ish libvirt/qemu
based setup and I ended up having a couple of questions:
1) Has kernel.numa_balancing completely replaced numad or is there still
a time and place for numad when we have a modern kernel?
2) Should I pin vCPUs to numa nodes and/or use numatune at all, when
using kernel.numa_balancing?
3) The libvirt domain xml elements for vcpu and numatune.memory have
placement options. According to the docs setting them to auto will query
numad for a good placement. Should I keep numad running just for this?
4) Should I still expose the numa topology via cpu.numa.cell if I use
the auto placement for vcpu and numatune?
5) Does the cpus attribute in the cpu.numa.cell elements reference vCPU
cores or the real physical CPU cores? Most examples reference them as
ranges, which confuses me as on my numa hosts node0 has cores 0,2,4..
and node1 the others.
I'd like to benchmark a couple of different options using our production
workloads once I actually have grasped what combinations could make any
sense. Maybe somebody would like to share the cpu/memory/numa settings
they ended up with and why?
Thanks a lot,
Patrick Meyer
[libvirt-users] Unable to have TSO GSO feature in VM
by Harsh Gondaliya
I am trying to turn ON TSO in my Ubuntu Virtual machine but it gives me the
following error:
[image: image.png]
Also on doing *ethtool -k ens3* all the features are marked as [fixed].
How to use libvirt to configure VM to have TSO?