[libvirt-users] Lack of ebtables rules when using nwfilters
by Maciej Gałkiewicz
Hi
I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt
is not creating ebtables rules against arp spoofing etc. Here are my
configs:
VM definition:
<domain type='xen'>
  <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid>
  <name>instance-00000168</name>
  <memory>2097152</memory>
  <os>
    <type>linux</type>
    <root>/dev/xvda</root>
    <kernel>/var/lib/nova/instances/instance-00000168/kernel</kernel>
    <cmdline>ro</cmdline>
    <initrd>/var/lib/nova/instances/instance-00000168/ramdisk</initrd>
  </os>
  <features>
    <acpi/>
  </features>
  <vcpu>2</vcpu>
  <devices>
    <disk type='file' device='disk'>
      <driver type='raw' cache='none'/>
      <source file='/var/lib/nova/instances/instance-00000168/disk'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file'>
      <driver type='raw' cache='none'/>
      <source file='/var/lib/nova/instances/instance-00000168/disk.swap'/>
      <target dev='sdb' bus='scsi'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='fa:16:3e:1e:70:87'/>
      <filterref filter="nova-instance-instance-00000168-fa163e1e7087">
        <parameter name="IP" value="10.255.0.114" />
        <parameter name="DHCPSERVER" value="10.255.0.3" />
      </filterref>
    </interface>
    <console type='pty'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' listen='127.0.0.1'/>
  </devices>
</domain>
# virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087
<filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'>
  <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid>
  <filterref filter='nova-base'/>
</filter>
# virsh nwfilter-dumpxml nova-base
<filter name='nova-base' chain='root'>
  <uuid>197b7f7a-389c-bd6d-6b77-07b88d3d9138</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
</filter>
# ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
logs:
2013-04-23 10:47:37.438+0000: 30155: debug : virNWFilterDefineXML:16099 : conn=0x1331ff0, xmlDesc=<filter name='nova-instance-instance-00000167-fa163e4faae5' chain='root'><filterref filter='nova-base'/></filter>
2013-04-23 10:47:37.544+0000: 30155: debug : virNWFilterFree:15971 : nwfilter=0x7f18400bc2b0
2013-04-23 10:47:37.544+0000: 30155: debug : virUnrefNWFilter:1262 : unref nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 1
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1222 : release nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 875ff1e5-fc4d-2fca-9da2-f163f273ad6a
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1229 : unref connection 0x1331ff0 2
regards
Maciej Gałkiewicz
11 years, 8 months
[libvirt-users] Create image from running domain
by Hongbin Lu
Hi.
A short question. I want to know what the proper steps are to create an
image from a running domain and use it as the base image of other domains.
The domain uses the Qemu hypervisor, is persistent, and was created based on
the Ubuntu Cloud image.
Thanks in advance
Hongbin
11 years, 8 months
[libvirt-users] failure creating a snapshot volume within a lvm-based pool
by Edoardo Comar
Hi
I have defined a logical pool and a volume within it
# virsh vol-create-as images_lvm myvol 2G
Vol myvol created
# virsh vol-list images_lvm
Name Path
-----------------------------------------
myvol /dev/libvirt_images_vg/myvol
If I try to create another volume using the previous one as backing-vol,
the creation fails with what looks like an incorrect command line for
lvcreate:
# virsh vol-create-as images_lvm myvol-instance 2G --backing-vol myvol
error: Failed to create vol myvol-instance
error: internal error Child process (/usr/sbin/lvcreate --name
myvol-instance -L 2097152K -s=/dev/libvirt_images_vg/myvol) unexpected
exit status 3: /usr/sbin/lvcreate: invalid option -- '='
Error during parsing of command line.
Exactly the same happens if I specify a qcow2 format (the doc, however, says
that the logical volume pool does not use the volume format type element).
Is this a known bug? I'm running Fedora 18
# virsh version
Compiled against library: libvirt 0.10.2
Using library: libvirt 0.10.2
Using API: QEMU 0.10.2
Running hypervisor: QEMU 1.2.2
--------------------------------------------------
regards,
Edoardo Comar
WebSphere Application Service Platform for Networks (ASPN)
ecomar(a)uk.ibm.com
11 years, 8 months
Re: [libvirt-users] Fwd: kvm
by Stefan Hajnoczi
On Mon, Apr 22, 2013 at 10:59:25AM +0100, Gary Lloyd wrote:
> I was wondering if anyone could help me with an issue with KVM and ISCSI.
>
> If we restart a controller on our EqualLogic SAN or there are any
> network interruptions on the storage network, KVM guests throw a
> wobbler and their file systems go into read-only (CentOS 5.9 guest
> with virtio driver).
>
> I have read a few forums that indicate you can set disk timeout values
> on the guests themselves but this is not possible using the virtio
> driver, which is what we are currently using.
>
> Is there any way we can instruct KVM to pause the VMs if there is a
> storage failure and resume them when the storage comes back online?
>
> We are currently running CentOS 6.4. There seem to be werror='stop'
> and rerror='stop' options to achieve this, but if I try to put these
> options in the libvirt xml file for a vm, libvirt appears to be
> removing them.
Please email libvirt-users(a)redhat.com for questions about libvirt in the
future.
This is a question about libvirt domain XML. The documentation is here:
http://libvirt.org/formatdomain.html#elementsDisks
The attribute is called "error_policy". The documentation says:
The optional error_policy attribute controls how the hypervisor will
behave on a disk read or write error, possible values are "stop",
"report", "ignore", and "enospace". (Since 0.8.0; "report" since 0.9.7.)
The default setting of error_policy is "report". There is also an optional
rerror_policy that controls behavior for read errors only (since 0.9.7).
If no rerror_policy is given, error_policy is used for both read and
write errors. If rerror_policy is given, it overrides the error_policy
for read errors. Also note that "enospace" is not a valid policy for
read errors, so if error_policy is set to "enospace" and no
rerror_policy is given, the read error policy will be left at its
default, which is "report".
Stefan
11 years, 8 months
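An added example (not part of the original thread or of the libvirt documentation): a disk element with the error_policy and rerror_policy attributes quoted above set on its <driver> element. The source device path and the target name are placeholders.

```xml
<!-- Added example; the source device path and target name are placeholders. -->
<disk type='block' device='disk'>
  <!-- error_policy applies to write errors, and to read errors too when
       rerror_policy is absent; rerror_policy overrides it for read errors.
       "stop" pauses the guest on an I/O error instead of reporting the
       error to the guest. -->
  <driver name='qemu' type='raw' cache='none'
          error_policy='stop' rerror_policy='stop'/>
  <source dev='/dev/disk/by-path/EXAMPLE-ISCSI-LUN'/>
  <target dev='vda' bus='virtio'/>
</disk>
```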
[libvirt-users] Libvirt profiling
by Jon Martin Sigvaldsen
Hi
For a school project I am researching performance issues when using libvirt
to run very large numbers of virtual machines.
My experiments indicate that having more CPU cores negatively impacts the
performance. A simple desktop with an Intel Core 2 Duo E6550 performs
better than a server with a 48 core AMD CPU. Limiting the cores used
through 'cputune' improves performance on the server. If anyone has got any
explanations for this, it would be greatly appreciated.
Further on I would like to profile the slowdowns, but I am not sure how to
approach this problem. Any recommendations on how to do this?
Best regards
Jon
11 years, 8 months
[libvirt-users] Sanlock - what are my options?
by Russell Jones
Hi all,
I have an RHCS 2 node cluster utilizing SAN storage with GFS2 for the VM
images. I am looking into configuring Sanlock, however am running into
some architecture questions with it. The documentation for Sanlock states:
"The sanlock plugin needs to create leases in a directory that is on a
filesystem shared between all hosts running virtual machines. Obvious
choices for this include NFS or GFS2."
I do not have a highly available NFS mount where I can store the disk
leases, and I cannot store the lockspace on the same GFS2 mount as the
disk images as during fencing/journal recovery disk I/O can become
blocked, which causes Sanlock to log warnings/errors about renewals.
Is there another option for configuration?
11 years, 8 months
[libvirt-users] problem when get the vm cpu stat
by Wangkai (Kevin,C)
Hi all,
I am trying to get VM CPU stats with the function "virDomainGetCPUStats".
When the VM CPU usage is 100%, which I can see from the VM shell with "top",
the info returned by "virDomainGetCPUStats" shows that only "cpu_time"
increased; "user_time" and "system_time" did not change at all.
Is that correct? How can I get the VM CPU usage?
nparams = virDomainGetCPUStats(domain, NULL, 0, -1, 1, 0);
virDomainGetCPUStats(domain, params, nparams, -1, 1, 0);
Thanks,
Kevin.
11 years, 8 months
[libvirt-users] Unexplained shutdown of VM on upgrade of libvirt package
by Chandana De Silva
I am running KVM on CentOS 6.3 and am seeing an unexplained shutdown of
two guests. The libvirt package was upgraded to
libvirt-0.10.2-18.el6_4.4.x86_64 at the time of the shutdown. Only the
two guests shown below were affected, while 9 others running on the same
hypervisor were not.
Can someone help me find the cause, please?
Regards
Chandana
GUEST #1
========
2013-04-10 04:15:02.903+0000: starting up
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none
/usr/libexec/qemu-kvm -name guinness-a -S -M rhel6.3.0 -enable-kvm -m
4471 -smp 2,sockets=2,cores=1,threads=1 -uuid
894072ba-634c-40a2-9f70-0338d124abc3 -nodefconfig -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/guinness-a.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/images/guinness-a.img,if=none,id=drive-ide0-0-0,format=raw
-device
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1
-netdev tap,fd=28,id=hostnet0 -device
e1000,netdev=hostnet0,id=net0,mac=54:52:00:98:7f:cc,bus=pci.0,addr=0x3
-netdev tap,fd=33,id=hostnet1 -device
e1000,netdev=hostnet1,id=net1,mac=54:52:00:c4:d4:fd,bus=pci.0,addr=0x5
-netdev tap,fd=34,id=hostnet2 -device
e1000,netdev=hostnet2,id=net2,mac=54:52:00:a3:33:24,bus=pci.0,addr=0x6
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:1 -vga cirrus
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
char device redirected to /dev/pts/11
2013-04-19 01:31:23.502+0000: shutting down
qemu: terminating on signal 15 from pid 12852
GUEST #2
========
2013-03-24 22:30:36.881+0000: starting up
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none
/usr/libexec/qemu-kvm -name singha-a -S -M rhel6.3.0 -enable-kvm -m 2048
-smp 2,sockets=2,cores=1,threads=1 -uuid
52761f28-8f8d-4d79-a9c0-fd5222502cf4 -nodefconfig -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/singha-a.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/images/singha-a.img,if=none,id=drive-ide0-0-0,format=raw
-device
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1
-netdev tap,fd=32,id=hostnet0 -device
e1000,netdev=hostnet0,id=net0,mac=54:52:00:2c:75:26,bus=pci.0,addr=0x3
-netdev tap,fd=33,id=hostnet1 -device
e1000,netdev=hostnet1,id=net1,mac=54:52:00:b3:80:dd,bus=pci.0,addr=0x5
-netdev tap,fd=34,id=hostnet2 -device
e1000,netdev=hostnet2,id=net2,mac=54:52:00:e6:aa:a2,bus=pci.0,addr=0x6
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -vga cirrus
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
char device redirected to /dev/pts/5
2013-04-19 01:31:23.515+0000: shutting down
qemu: terminating on signal 15 from pid 12852
PID 12582 is the libvirtd daemon, and I see this in the libvirtd log:
2013-04-19 01:31:23.492+0000: 13039: info : libvirt version: 0.10.2,
package: 18.el6_4.4 (CentOS BuildSystem <http://bugs.centos.org>,
2013-04-18-16:13:45, c6b7.bsys.dev.centos.org)
2013-04-19 01:31:23.492+0000: 13039: error :
virSecuritySELinuxReserveSecurityLabel:676 : internal error MCS level
for existing domain label already reserved
2013-04-19 01:31:23.515+0000: 13035: error :
virSecuritySELinuxReserveSecurityLabel:676 : internal error MCS level
for existing domain label already reserved
11 years, 8 months
[libvirt-users] How can I define a network using an exist host bridge
by Wangkai (Kevin,C)
Hi all,
When I defined a network using the host bridge "virbr1", an error occurred:
"libvir: error : Unable to create bridge virbr1: File exists"
But how can I define this network using the host bridge "virbr1"?
<network>
  <name>def1</name>
  <bridge name='virbr1'/>
  <forward mode='nat'>
    <interface dev='eth0'/>
  </forward>
</network>
Thanks,
Kevin
11 years, 8 months
[libvirt-users] libvirt 1.0.3 Vs 1.0.4 / cgroup devices
by Mohamed Larabi
Hi there,
I am using libvirt with lxc to create Fedora 16 & 18 containers on a Fedora 18 host.
First I did the setup with libvirt 1.0.3 and everything worked fine; then, after upgrading to libvirt 1.0.4, I could not create character devices on the guests:
Test on guest1:
# ls -l /dev
total 0
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 console -> /dev/pts/0
lrwxrwxrwx. 1 root root 11 Apr 17 21:18 core -> /proc/kcore
lrwxrwxrwx. 1 root root 13 Apr 17 21:18 fd -> /proc/self/fd
crw-rw-rw-. 1 root root 1, 7 Apr 17 21:18 full
drwxr-xr-x. 2 root root 0 Apr 17 21:18 hugepages
prw-------. 1 root root 0 Apr 17 21:18 initctl
srw-rw-rw-. 1 root root 0 Apr 17 21:18 log
drwxrwxrwt. 2 root root 40 Apr 17 21:18 mqueue
crw-rw-rw-. 1 root root 1, 3 Apr 17 21:18 null
crw-rw-rw-. 1 root root 5, 2 Apr 18 10:31 ptmx
drwxr-xr-x. 2 root root 0 Apr 17 21:18 pts
crw-r--r--. 1 root root 1, 8 Apr 17 21:19 random
drwxrwxrwt. 2 root root 40 Apr 17 21:18 shm
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stderr -> /proc/self/fd/2
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdin -> /proc/self/fd/0
lrwxrwxrwx. 1 root root 15 Apr 17 21:18 stdout -> /proc/self/fd/1
lrwxrwxrwx. 1 root root 10 Apr 17 21:18 tty1 -> /dev/pts/0
crw-rw-rw-. 1 root root 1, 9 Apr 17 21:18 urandom
crw-rw-rw-. 1 root root 1, 5 Apr 17 21:18 zero
# rm -f /dev/random (successful)
# mknod random c 1 8
mknod: `random': Operation not permitted
Config on the host:
knowing that selinux is set to permissive and c 1:8 rwm is in the cgroup devices list of guest1
# cat /sys/fs/cgroup/devices/libvirt/lxc/guest1/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:229 rwm
c 136:* rwm
Is this a change that was introduced intentionally in 1.0.4? If yes, how can I make it work?
Please advise
Thank you in advance
Mohamed
11 years, 8 months