SELinux labels change in libvirt
by Ram Lavi
Hello all,
tl;dr, can you point me to the point in the libvirt repo where it's trying
to change a tap-device's SELinux label?
I am trying to create a tap device with libvirt on a
super-privileged container, and then use it on another,
unprivileged container with libvirt.
User-wise, I know I need the super-privileged container to open the tap
device with the user of the unprivileged one - that I already did and it's
not the issue.
But I have a problem when I open the tap device in the
non-privileged container: the tap device currently has the spc_t label
since the tun_socket inherited the SELinux context from the
super-privileged container that creates it. Then libvirt is trying to change
the SELinux labels, and since it's not privileged, it fails.
But I didn't find where and how libvirt is trying to change the tap
device's label.
Can you point me to that specific code on libvirt?
Ram Lavi
Senior Software Engineer
Red Hat Israel <https://www.redhat.com/>
Yerushalaim Road 34, Ra'anana
ralavi(a)redhat.com IM: ralavi
4 years, 4 months
Help with external snapshots as backups
by Alex Regan
Hi,
I have a win10 guest on a fedora32 system and have some questions as I
explore using external snapshots as a form of backup in case of a
Windows failure (as in, it won't boot or is completely irrecoverable) as
well as revision control (to be able to rollback changes after a failed
app install, etc).
The first hit on Google for external snapshots involves a RHEL7 document
that talks about how it's not officially supported. The current RHEL8
docs don't include any references to snapshots.
The fedora docs I've found are many years old - I'm just not sure if
they're still applicable. Where can I find the current docs for fedora32?
- If I've already created a live internal snapshot, can I then create an
external safely? Are all changes currently being written to this
internal snapshot now?
- Can external snapshots be used for backup? Perhaps there are
predefined steps for doing this that I can follow?
This is the procedure I'm currently using. I've made a backup of the
original image - can I now just continue to back up the snapshots in the
eventuality of a crash, then use this original image backup and the
snapshots to restore it?
I suppose I would also periodically merge the snapshots back into a
single snapshot to ease the process?
# virsh snapshot-create-as --domain dave-win10a win10a-state01 \
    --diskspec vda,file=/var/lib/libvirt/images/vm_snapshots/disk-overlay.qcow2,snapshot=external \
    --memspec file=/var/lib/libvirt/images/vm_snapshots/mem-overlay.qcow2,snapshot=external \
    --atomic
Domain snapshot win10a-state01 created
# ls -lh vm_snapshots/
total 3.3G
-rw------- 1 qemu qemu 196K Jul 11 12:32 disk-overlay.qcow2
-rw------- 1 root root 3.3G Jul 11 12:32 mem-overlay.qcow2
Thanks,
Alex
4 years, 4 months
Emulated TPM devices and snapshots of running VMs
by Milan Zamazal
Hi,
I would like to clarify how to make snapshots of running VMs with
emulated TPM devices. As far as I understand the QEMU documentation, it's
possible to make snapshots of running VMs with TPM, but it's important
to retain the state of swtpm. Does libvirt assist with that in any way
or is it completely the user's responsibility? libvirt pauses the VM
internally when making a snapshot, which should be the right moment to
copy the swtpm data, but the user doesn't have control over it. Is
there a way to make a copy of swtpm data that is guaranteed to be
consistent with the snapshot?
Thank you,
Milan
4 years, 4 months
Could you please help with questions about the net failover feature
by Yalan Zhang
Hi Laine,
I have left some questions on IRC, but my VPN broke time after time.
Please ignore the questions on IRC.
In my understanding, the standby and primary hostdev interfaces may be in
different subnets.
I'm not sure whether that is correct. Could you please help to explain? Thank
you in advance.
For example, the primary hostdev is connected to a vf-pool with <pf='eth0'/>,
while the standby is connected to a NAT network with " forward dev='eth0'".
The standby interface will get an IP such as 192.168.122.x, but after NAT, it will
be in the same subnet as the VF.
So after the VF is unplugged, the packet will still be broadcast in the same
subnet, and the VM will get the packet as the standby shares the same MAC.
Right?
Thank you!
-------
Best Regards,
Yalan Zhang
IRC: yalzhang
4 years, 4 months
Why wireless interface cannot be attached to a Linux host bridge?
by ryotaro kobayashi
Hello, everyone.
I'm from Japan and using machine translation, so I apologize if it's hard
to read.
I am currently trying to build a virtual environment using Ubuntu and KVM.
However, I found out from the following page that the virtual machine
cannot use the bridge network because I am using a wireless network.
https://wiki.libvirt.org/page/Networking
I am having trouble with this because my PC is using a wireless LAN.
On that page it says "wireless interfaces cannot be attached to a Linux
host bridge". Can you tell me why this is so?
Is it a limitation of the NIC driver for the wireless LAN?
Or is it a limitation of libvirt?
Best regards.
4 years, 4 months
Asking for suggestion and questions regarding the workings/internals of Libvirt
by Shashwat shagun
I am building a multi-tenant JSON REST API for managing KVM VMs but don't
know if libvirt transactions are going to be fast enough to be invoked
directly.
Or do I need a job queue?
Does libvirtd already have a job queue that is used when handling
time-consuming tasks like creating a domain and such? If yes, then what about
tasks such as volUpload or download?
Shashwat.
shashwatshagun2581(a)gmail.com
4 years, 4 months
Re: image of OS X how to boot
by Jerry Geis
Thanks Marc - my OSX is still Yosemite. I don't see that in these files. Is
support for that available?
Jerry
4 years, 4 months