Running libvirt without dnsmasq
by procmem@riseup.net
Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?
1 month, 1 week
trustGuestRxFilters broken after upgrade to Debian 12
by Paul B. Henson
We've been running Debian 11 for a while, using sr-iov:
<network>
  <name>sr-iov-intel-10G-1</name>
  <uuid>6bdaa4c8-e720-4ea0-9a50-91cb7f2c83b1</uuid>
  <forward mode='hostdev' managed='yes'>
    <pf dev='eth2'/>
  </forward>
</network>
and allocating vf's from the pool:
<interface type='network' trustGuestRxFilters='yes'>
  <mac address='52:54:00:08:da:5b'/>
  <source network='sr-iov-intel-10G-1'/>
  <vlan>
    <tag id='50'/>
  </vlan>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
After upgrading to Debian 12, when I try to start any vm which uses the
trustGuestRxFilters option, it fails to start with the message:
error: internal error: unable to execute QEMU command 'query-rx-filter':
invalid net client name: hostdev0
If I remove the option, it starts fine (but of course is broken
functionality wise as the option wasn't there just for fun :) ).
Any thoughts on what's going on here? The Debian 12 versions are:
libvirt-daemon/stable,now 9.0.0-4
qemu-system-x86/stable,now 1:7.2+dfsg-7+deb12u3
I see Debian 12 backports has version 8.1.2+ds-1~bpo12+1 of qemu, but no
newer versions of libvirt. I haven't tried the backports version to
see if that resolves the problem.
Thanks much...
2 months, 3 weeks
KVM image fails to resume
by libvirt@eyal.emu.id.au
I upgraded f38->f40 but left the vm saved rather than shutdown (my bad but here we are)
Attempting to restore the vm with 'virsh restore /data1/VMs/libvirt/images/e4.saved' I get:
error: Failed to restore domain from /data1/VMs/libvirt/images/e4.saved
error: operation failed: guest CPU doesn't match specification: extra features: vmx-ins-outs,vmx-true-ctls,vmx-store-lma,vmx-activity-hlt,vmx-vmwrite-vmexit-fields,vmx-apicv-xapic,vmx-ept,vmx-desc-exit,vmx-rdtscp-exit,vmx-vpid,vmx-wbinvd-exit,vmx-unrestricted-guest,vmx-rdrand-exit,vmx-invpcid-exit,vmx-vmfunc,vmx-shadow-vmcs,vmx-rdseed-exit,vmx-pml,vmx-ept-execonly,vmx-page-walk-4,vmx-ept-2mb,vmx-ept-1gb,vmx-invept,vmx-eptad,vmx-invept-single-context,vmx-invept-all-context,vmx-invvpid,vmx-invvpid-single-addr,vmx-invvpid-all-context,vmx-intr-exit,vmx-nmi-exit,vmx-vnmi,vmx-preemption-timer,vmx-vintr-pending,vmx-tsc-offset,vmx-hlt-exit,vmx-invlpg-exit,vmx-mwait-exit,vmx-rdpmc-exit,vmx-rdtsc-exit,vmx-cr3-load-noexit,vmx-cr3-store-noexit,vmx-cr8-load-exit,vmx-cr8-store-exit,vmx-flexpriority,vmx-vnmi-pending,vmx-movdr-exit,vmx-io-exit,vmx-io-bitmap,vmx-mtf,vmx-msr-bitmap,vmx-monitor-exit,vmx-pause-exit,vmx-secondary-ctls,vmx-exit-nosave-debugctl,vmx-exit-load-perf-global-ctrl,vmx-exit-ack-intr,vmx-exit-save-pat,vmx-exit-load-pat,vmx-exit-save-efer,vmx-exit-load-efer,vmx-exit-save-preemption-timer,vmx-entry-noload-debugctl,vmx-entry-ia32e-mode,vmx-entry-load-perf-global-ctrl,vmx-entry-load-pat,vmx-entry-load-efer,vmx-eptp-switching
Then, trying to resume from the "virtual Machine Manager" UI gets the message:
=====
Error unpausing domain: Requested operation is not valid: domain is not running
Error unpausing domain: Requested operation is not valid: domain is not running
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1437, in resume
    self._backend.resume()
  File "/usr/lib64/python3.12/site-packages/libvirt.py", line 2425, in resume
    raise libvirtError('virDomainResume() failed')
libvirt.libvirtError: Requested operation is not valid: domain is not running
I searched for a solution and most say to fiddle with some settings and reboot. I cannot reboot, I want to resume (unpause).
How can I restore the vm without crashing it (throwing away the saved memory), if it even boots this way?
TIA
4 months, 4 weeks
luks devices and libvirt
by Marc Haber
Hi,
this is an ongoing issue. I don't know whether I have ever addressed
this here, but it's still annoying.
I am using debian unstable, libvirt 10.5.0, virt-manager 4.1.0, qemu
9.0.2. I work through virt-manager, rarely I use virsh.
I regularly configure virtual disks that are located on a LUKS-encrypted
LVM volume. When unlocked, the block device appears as /dev/mapper/foo
and is a symlink to a ../dm-xx node with xx being a random number,
../dm-xx being a regular block device.
To facilitate this, I have defined a storage pool with this XML:
<pool type="dir">
  <name>mapper</name>
  <uuid></uuid>
  <capacity unit="bytes">24598757376</capacity>
  <allocation unit="bytes">0</allocation>
  <available unit="bytes">24598757376</available>
  <source>
  </source>
  <target>
    <path>/dev/mapper</path>
    <permissions>
      <mode>0755</mode>
      <owner>0</owner>
      <group>0</group>
    </permissions>
  </target>
</pool>
This is necessary as the storage type "LVM volume group" now insists on
a volume group name, and the DM mappings created by LUKS don't have a
volume group name.
When I add a disk to a VM from this storage pool, it generates the XML:
<disk type="file" device="disk">
  <driver name="qemu" type="raw"/>
  <source file="/dev/mapper/wintest"/>
  <target dev="vda" bus="virtio"/>
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</disk>
qemu won't start with these settings:
error: Failed to start domain 'win11test'
error: internal error: QEMU unexpectedly closed the monitor (vm='win11test'): 2024-07-28T15:20:25.250387Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/dev/mapper/wintest","node-name":"libvirt-1-storage","read-only":false}: 'file' driver requires '/dev/mapper/wintest' to be a regular file
Changing the XML to
<disk type="block" device="disk">
  <driver name="qemu" type="raw"/>
  <source dev="/dev/mapper/wintest"/>
  <target dev="vda" bus="virtio"/>
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</disk>
(note type="block" and "source dev")
makes the VM work.
Can virt-manager somehow be coaxed into generating XML that works here?
If not, is this a virt-manager issue, or should qemu just accept
type="file" and "source file"?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
5 months, 2 weeks
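As an added example (not from Marc's message and not virt-manager's own code): a small Python helper that picks the disk XML form from what the source path actually is, since QEMU's 'file' driver only accepts regular files and a /dev/mapper entry resolves, through its symlink, to a block device node. The posted XML is reused as input; the block-device st_mode is a constructed value so the example runs without a real LUKS mapping.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# The <disk> virt-manager generated for the /dev/mapper pool (copied from the post).
POSTED_DISK_XML = """<disk type="file" device="disk">
  <driver name="qemu" type="raw"/>
  <source file="/dev/mapper/wintest"/>
  <target dev="vda" bus="virtio"/>
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</disk>"""

# Constructed st_mode of a block device node, so the example runs without a real LUKS mapping.
FAKE_BLOCK_MODE = stat.S_IFBLK | 0o660

def source_kind(path, st_mode=None):
    """'block' or 'file' for a disk source path. os.stat() follows symlinks, so
    /dev/mapper/foo -> ../dm-N resolves to the device node QEMU will actually open."""
    mode = os.stat(path).st_mode if st_mode is None else st_mode
    if stat.S_ISBLK(mode):
        return "block"
    if stat.S_ISREG(mode):
        return "file"
    raise ValueError(f"{path}: neither a regular file nor a block device")

def fix_disk_xml(disk_xml, st_mode=None):
    """Rewrite <disk type=...> and <source file=|dev=> to match what the path really is."""
    disk = ET.fromstring(disk_xml)
    src = disk.find("source")
    path = None if src is None else (src.get("file") or src.get("dev"))
    if path is None:
        raise ValueError("disk has no <source file=...> or <source dev=...>")
    kind = source_kind(path, st_mode)
    disk.set("type", kind)                # "file" -> "block" for a device node
    src.attrib.pop("file", None)
    src.attrib.pop("dev", None)
    src.set("dev" if kind == "block" else "file", path)
    return ET.tostring(disk, encoding="unicode")

def demo_block_device():
    """The posted XML, corrected as if /dev/mapper/wintest were a block device."""
    return fix_disk_xml(POSTED_DISK_XML, st_mode=FAKE_BLOCK_MODE)

def demo_regular_file():
    """A real temporary regular file is left as type="file" / source file=."""
    with tempfile.NamedTemporaryFile() as f:
        return fix_disk_xml(POSTED_DISK_XML.replace("/dev/mapper/wintest", f.name))
```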
KVM static internal networking without host bridge interface (virbr)
by Daniel
How to set up an internal network between two KVM network interfaces
while using static networking (avoiding dnsmasq) and while avoiding a
host bridge interface (virbr)?
Currently I am using this for the network.
<network>
  <name>Internal</name>
  <bridge name='virbr2' stp='on' delay='0'/>
</network>
And then for the VM.
<interface type='network'>
  <source network='Internal'/>
  <model type='virtio'/>
  <driver name='qemu'/>
</interface>
* I would like to avoid the host `virbr2` interface. This is because
ideally packet sniffers on the host such as tshark / wireshark would be
unable to see these packets flowing over an internal network
between two VMs.
* SLIRP should be avoided due to past security issues. [1]
* dnsmasq on the host operating system or inside the VMs should also be
avoided in favor of static IP addresses.
By comparison, this is possible in VirtualBox. [2]
Is that possible with KVM too? Could you please show an example
configuration file on how to accomplish that?
[1] CVE-2019-6778
[2] VirtualBox has this capability. VirtualBox can have an internal
network using static networking. No virbr bridge interfaces can be seen
on the host operating system. And VM to VM internal traffic is not
visible to packet analyzers on the host operating system either.
Regards,
Daniel
--
Daniel Winzen
Steinkaulstr. 47
52070 Aachen
Germany
Web: https://danwin1210.de/
E-Mail: daniel(a)danwin1210.de
Phone: +49 176 98819809
PGP-Key: https://danwin1210.de/pgp.txt
5 months, 3 weeks
Certificate verification error for qemu while migrating
by jdeberles@gmail.com
Hello,
I'm running ovirt 4.4.10 (using libvirt 7.10.0-1.module_el8.6.0+1046+bd8eec5e) and I have the following qemu error while I launch a VM migration
Jul 3 12:37:07 myhostname1 journal[958949]: Certificate [session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1 journal[958949]: Certificate check failed Certificate [session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1 journal[958949]: authentication failed: Failed to verify peer's certificate
Jul 3 12:37:07 myhostname1 journal[958949]: operation failed: Failed to connect to remote libvirt URI qemu+tls://myhostname3/system: authentication failed: Failed to verify peer's certificate
To avoid this error I set the following parameters inside /etc/libvirt/qemu.conf and
restarted the vdsmd and libvirtd daemons.
migrate_tls_x509_verify = 0
default_tls_x509_verify = 0
But I still have the same error. Can you help me to understand why this set of parameters
is not working as expected?
kind regards,
Julien
5 months, 3 weeks
can this network setup work?
by daggs
Greetings,
I have this setup.
host and two vms, a and b.
vm a serves as router, it has one physical nic passed directly into it.
I want to connect vm a to vm b and the host to provide internet access to both.
so I've created a virtual switch like this:
<network>
  <name>default</name>
  <uuid>f90b3044-81c1-4c22-98df-8bbca3153f21</uuid>
  <bridge name='virsw0' stp='on' delay='0'/>
  <mac address='52:54:00:6b:1b:92'/>
</network>
with this xml entry:
<interface type='bridge'>
  <mac address='xx:xx:xx:xx:xx:xx'/>
  <source bridge='virsw0'/>
  <model type='virtio'/>
  <address type='pci' domain='x' bus='x' slot='x' function='x'/>
</interface>
in vm a and vm b, which should connect both to the virtual switch, thus allowing vm b internet access.
this however doesn't solve the host connection to the internet.
reading docs points to the fact I can add new tun devs outside of libvirt and add it to the virtual switch.
so I did this:
$ ip tuntap add QemuTap0 mode tap user root
$ ip link set QemuTap0 master virsw0
and brctl show virsw0 returns this:
$ brctl show virsw0
bridge name     bridge id               STP enabled     interfaces
virsw0          8000.5254006b1b92       yes             QemuTap0
so theoretically speaking, when vm a is started and libvirt creates a device, connects it to the virtual switch and runs dhcpd, vm a will provide ip.
am I correct?
Thanks,
Dagg
6 months, 1 week
per user vm isolation with shared network
by daggs
Greetings,
I have two vms which I want to isolate per user, if I'm not mistaken, I can do that with a per session uri.
but I want to setup a virtual bridge so they will get connected with each other.
looks like that if I define the network as system, it isn't visible in the session.
is there a way to do that? if I define the same network in both sessions, will it work?
Thanks,
Dagg
6 months, 3 weeks
Re: dm-crypt performance regression due to workqueue changes
by Mikulas Patocka
On Sun, 30 Jun 2024, Tejun Heo wrote:
> Hello,
>
> On Sat, Jun 29, 2024 at 08:15:56PM +0200, Mikulas Patocka wrote:
>
> > With 6.5, we get 3600MiB/s; with 6.6 we get 1400MiB/s.
> >
> > The reason is that virt-manager by default sets up a topology where we
> > have 16 sockets, 1 core per socket, 1 thread per core. And that workqueue
> > patch avoids moving work items across sockets, so it processes all
> > encryption work only on one virtual CPU.
> >
> > The performance degradation may be fixed with "echo 'system'
> > >/sys/module/workqueue/parameters/default_affinity_scope" - but it is a
> > regression anyway, as many users don't know about this option.
> >
> > How should we fix it? There are several options:
> > 1. revert back to 'numa' affinity
> > 2. revert to 'numa' affinity only if we are in a virtual machine
> > 3. hack dm-crypt to set the 'numa' affinity for the affected workqueues
> > 4. any other solution?
>
> Do you happen to know why libvirt is doing that? There are many other
> implications to configuring the system that way and I don't think we want to
> design kernel behaviors to suit topology information fed to VMs which can be
> arbitrary.
>
> Thanks.
I don't know why. I added users(a)lists.libvirt.org to the CC.
How should libvirt properly advertise "we have 16 threads that are
dynamically scheduled by the host kernel, so the latencies between them
are changing and unpredictable"?
Mikulas
6 months, 3 weeks