[libvirt-users] nwfilter usage
by Matt LaPlante
I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag. The VMs are
allowing traffic when I wouldn't expect them to.
Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS
0.9.8-2ubuntu17.19
I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up
The host has iptables support:
root@host:~# lsmod | grep filt
ip6table_filter 12815 0
ip6_tables 27864 2 ip6table_filter,xt_TPROXY
iptable_filter 12810 1
ip_tables 27473 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables 29891 52 ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables
Guest network using bridge:
<interface type='bridge'>
  <mac address='00:11:22:33:44:55'/>
  <source bridge='brdg'/>
  <model type='virtio'/>
  <filterref filter='outbound-only'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<filter name='outbound-only' chain='root'>
  <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid>
  <filterref filter='allow-arp'/>
  <filterref filter='allow-dhcp'/>
  <filterref filter='qemu-announce-self'/>
  <filterref filter='no-other-l2-traffic'/>
</filter>
My goal is to allow the guest to reach the internet, but not allow the
internet or other guests to reach this guest. I realize this config
is not sufficient for that, but I can't get any farther until I
understand the current behavior. From the look of the config, this
should essentially not be allowing anything except arp and dhcp. And
yet, the host has full connectivity. I can run apt-get update on the
VM, I can ping the VM from other nodes in my network, etc. It's
basically wide-open. So either one of the included rules is not
working as advertised, or I'm misunderstanding some feature of the
filtering process.
Any pointers would be appreciated. Thanks
10 years, 6 months
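One way to check what a filter like the one in the post above actually contains, as an added example that is not part of the original post: expand every `<filterref>` and look for a catch-all rule and for the traffic explicitly accepted towards the guest. The bodies of the four referenced filters are constructed, simplified stand-ins (an assumption, not libvirt's shipped definitions), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for the referenced filters (NOT libvirt's
# shipped definitions). On a host, paste `virsh nwfilter-dumpxml <name>` output.
DEFS = {
    "outbound-only": """<filter name='outbound-only' chain='root'>
        <filterref filter='allow-arp'/><filterref filter='allow-dhcp'/>
        <filterref filter='qemu-announce-self'/>
        <filterref filter='no-other-l2-traffic'/></filter>""",
    "allow-arp": "<filter name='allow-arp' chain='arp'>"
                 "<rule action='accept' direction='inout'/></filter>",
    "allow-dhcp": """<filter name='allow-dhcp' chain='ipv4'>
        <rule action='accept' direction='out'>
          <ip protocol='udp' srcportstart='68' dstportstart='67'/></rule>
        <rule action='accept' direction='in'>
          <ip protocol='udp' srcportstart='67' dstportstart='68'/></rule>
        </filter>""",
    "qemu-announce-self": "<filter name='qemu-announce-self' chain='root'>"
        "<rule action='accept' direction='out'><mac protocolid='0x835'/></rule>"
        "</filter>",
    "no-other-l2-traffic": "<filter name='no-other-l2-traffic' chain='root'>"
        "<rule action='drop' direction='inout' priority='1000'/></filter>",
}

def flatten(name, defs, seen=()):
    """Expand <filterref>s into (chain, priority, direction, action, match)."""
    if name in seen:
        raise ValueError("filterref loop via %r" % name)
    root = ET.fromstring(defs[name])   # KeyError: referenced filter is missing
    chain, rules = root.get("chain", "root"), []
    for el in root:
        if el.tag == "filterref":
            rules += flatten(el.get("filter"), defs, seen + (name,))
        elif el.tag == "rule":
            match = el[0].tag if len(el) else "any"  # no child = matches all
            rules.append((chain, int(el.get("priority", 500)),
                          el.get("direction"), el.get("action"), match))
    return sorted(rules, key=lambda r: (r[0], r[1]))  # lower priority first

def catch_all(rules, direction):
    """Action of the root-chain match-all rule for `direction` ('in' = towards
    the guest), or None when unmatched traffic meets no rule at all."""
    for chain, _prio, d, action, match in rules:
        if chain == "root" and match == "any" and d in (direction, "inout"):
            return action
    return None

def accepted(rules, direction):
    """(chain, match) pairs the filter explicitly lets through."""
    return [(c, m) for c, _p, d, a, m in rules
            if a == "accept" and d in (direction, "inout")]
```

If the expanded definition contains the drop but traffic still flows, compare it with the rules installed on the host (`ebtables -t nat -L`), which is where libvirt instantiates its layer-2 filter chains.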
[libvirt-users] vnet device not appearing
by Liam MacKenzie
Hello
I have a virtual server with 3 existing VMs running on it without issue.
The host has 4 NICs installed; em1 for the host, em2 and em3 already in
use by other VMs.
I would like to dedicate em4 to my new VM however when I create the bridge
like I did for the others I do not get a vnet3 device show up in the list
as shown below.
I tried using the GUI and virsh to create the bridge. I ended up with this
config:
[root@cbcvm network-scripts]# cat ifcfg-em4
DEVICE=em4
HWADDR=d4:ae:52:a1:53:a7
ONBOOT=yes
BRIDGE=www_br0
[root@cbcvm network-scripts]# cat ifcfg-www_br0
DEVICE=www_br0
ONBOOT=yes
TYPE=Bridge
STP=on
DELAY=0
[root@cbcvm network-scripts]# virsh iface-list
Name State MAC Address
--------------------------------------------
em1 active d4:ae:52:a1:53:a4
lo active 00:00:00:00:00:00
mon_br0 active d4:ae:52:a1:53:a6
sbs_br0 active d4:ae:52:a1:53:a5
www_br0 active d4:ae:52:a1:53:a7
How do I make the expected vnet3 device become available to my VM?
Thanks!
10 years, 6 months
[libvirt-users] problem with bond/team network interfaces
by Nerijus Baliunas
Hello,
I have a VM attached to bridge br0. The VM can see the network (ping works) when
the bridge has ethernet interfaces. But when I create a bond or team device
and attach it to a bridge instead of an eth interface, the VM does not ping
anymore. Any ideas why?
Thanks,
Nerijus
10 years, 7 months
[libvirt-users] How to build and install python-libvirt
by Qiang Guan
ubuntu@host-192-168-0-7:~/github$ git clone
git://libvirt.org/libvirt-python.git
ubuntu@host-192-168-0-7:~/github$ cd libvirt-python/
ubuntu@host-192-168-0-7:~/github/libvirt-python$ python setup.py build
Package libvirt was not found in the pkg-config search path.
Perhaps you should add the directory containing `libvirt.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libvirt' found
Package libvirt was not found in the pkg-config search path.
Perhaps you should add the directory containing `libvirt.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libvirt' found
running build
/usr/bin/pkg-config --print-errors --atleast-version=0.9.11 libvirt
Package libvirt was not found in the pkg-config search path.
Perhaps you should add the directory containing `libvirt.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libvirt' found
error: command '/usr/bin/pkg-config' failed with exit status 1
What's the problem?
--
------------
Jackie
Best Regards
10 years, 7 months
[libvirt-users] How to open virtual machine console using python libvirt.
by deepak@fluentsoft.com
Hi,
How to open virtual machine console using python libvirt.
I tried the openConsole function; it returns integer 0 and does not open any
console.
code
====
import libvirt
conn = libvirt.open('qemu+ssh://root@192.168.1.6/system')
vm=conn.lookupByName("vm1-1")
stream=conn.newStream(libvirt.VIR_STREAM_NONBLOCK)
vm.openConsole(None,stream, 0)
Regards,
Deepak S
-------------------------
Message sent via Atmail Open - http://atmail.org/
10 years, 7 months
[libvirt-users] [netcf] Why can netcf not rename an existing physical interface dynamically by itself?
by Jianwei Hu
Hi All,
I have a usage question about netcf. Why can netcf not rename an existing physical interface dynamically by itself? If you have any other method, please share it with me, or can we add support for it in netcf? You can see the following steps for details.
Version:
netcf-0.2.4-1.el6.x86_64
kernel-2.6.32-431.el6.x86_64
1. Select an existing NIC from the host, for example eth1.
[root@rhel6 ~]# ncftool list --all
eth0
eth1
lo
[root@rhel6 ~]# ncftool dumpxml eth1
<?xml version="1.0"?>
<interface type="ethernet" name="eth1">
<start mode="none"/>
<mac address="00:1B:21:27:4E:CE"/>
<protocol family="ipv4">
<dhcp/>
</protocol>
</interface>
[root@rhel6 ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:1B:21:27:4E:CE
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@rhel6 ~]# ncftool ifup eth1
Interface eth1 successfully brought up
2. Undefine eth1 from host
[root@rhel6 ~]# ncftool ifdown eth1
Interface eth1 successfully brought down
[root@rhel6 ~]# ncftool undefine eth1
eth1 undefined
[root@rhel6 ~]# ncftool list --all
eth0
lo
3. Prepare another xml with same MAC and a new name "jiahu"
[root@rhel6 ~]# cat jiahu.xml
<interface type="ethernet" name="jiahu">
<start mode="none"/>
<mac address="00:1B:21:27:4E:CE"/>
<protocol family="ipv4">
<dhcp/>
</protocol>
</interface>
4. Define the "jiahu", and start it.
[root@rhel6 ~]# ncftool define jiahu.xml
Defined interface jiahu
[root@rhel6 ~]# ncftool dumpxml jiahu
<?xml version="1.0"?>
<interface type="ethernet" name="jiahu">
<start mode="none"/>
<mac address="00:1B:21:27:4E:CE"/>
<protocol family="ipv4">
<dhcp/>
</protocol>
</interface>
[root@rhel6 ~]# ifconfig jiahu
jiahu: error fetching interface information: Device not found
[root@rhel6 ~]# cat /etc/sysconfig/network-scripts/ifcfg-jiahu
DEVICE=jiahu
HWADDR=00:1B:21:27:4E:CE
ONBOOT=no
BOOTPROTO=dhcp
[root@rhel6 ~]# ncftool ifup jiahu
Interface jiahu bring-up failed!
error: failed to execute external program
error: Running 'ifup jiahu' failed with exit code 1: Device jiahu does not seem to be present, delaying initialization.
[root@rhel6 ~]# ll /sys/class/net/
total 0
lrwxrwxrwx. 1 root root 0 May 23 11:32 eth0 -> ../../devices/pci0000:00/0000:00:19.0/net/eth0
lrwxrwxrwx. 1 root root 0 May 23 11:35 eth1 -> ../../devices/pci0000:00/0000:00:1e.0/0000:02:00.0/net/eth1
lrwxrwxrwx. 1 root root 0 May 23 11:32 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx. 1 root root 0 May 23 11:32 virbr0 -> ../../devices/virtual/net/virbr0
lrwxrwxrwx. 1 root root 0 May 23 11:32 virbr0-nic -> ../../devices/virtual/net/virbr0-nic
5. Reboot the host OS, the jiahu interface appeared.
[root@rhel6 ~]# ifconfig jiahu
jiahu Link encap:Ethernet HWaddr 00:1B:21:27:4E:CE
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
BR,
Jianwei
10 years, 7 months
[libvirt-users] - defining routing between guests
by Jacek Pielaszkiewicz
Hi,
On my host I have a few lxc containers. The containers are split
between, let's say, three virtual networks. My goal is to define custom
routing between networks. I can do that using for example iptables. Is
it possible to do that only in libvirt (in network/domains/network
filters configuration only)? I did some attempts with network filters,
but it doesn't work. I have managed to limit only inbound/outbound
traffic. I have found some examples that use libvirt hooks, but I would
like to avoid that.
I will be grateful for help and some examples.
Best Regards
Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielaszkie(a)samsung.com
10 years, 7 months
[libvirt-users] How can I calculate cpu utilization percentage for host using python libvirt API.
by deepak@fluentsoft.com
Hi,
How can I calculate cpu utilization percentage for the host using the python
libvirt API?
Which function can I use for calculating the cpu percentage of the host and
virtual machines?
1)Host cpu utilization
====================
I tried the getCPUStats() function; it gives the following output. Is there any
way to calculate the cpu percentage from the following output?
Is there any other function available for calculating cpu utilization
percentage?
output:{'kernel': 34870000000L, 'idle': 3522190000000L, 'user':
209930000000L, 'iowait': 132240000000L}
import libvirt
conn=libvirt.open('qemu+ssh://root@192.168.1.4/system')
conn.getCPUStats(-1,0)
Thanks and Regards,
Deepak S
10 years, 7 months
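One way to turn the cumulative counters quoted in the post above into percentages, as an added example that is not part of the original post: take two `getCPUStats()` samples and divide each counter's increase by the total increase. The `BEFORE` values are the output quoted in the post; the `AFTER` sample and the function names are constructed for illustration.

```python
import time

FIELDS = ("kernel", "user", "idle", "iowait")  # keys seen in the post's output

def cpu_percent(before, after):
    """Percent of CPU time per state between two getCPUStats() samples.

    The counters are cumulative nanoseconds since boot, so only the
    difference between two samples says anything about current load.
    """
    delta = {}
    for f in FIELDS:
        if f in before and f in after:
            d = after[f] - before[f]
            if d < 0:
                raise ValueError("counter %r went backwards" % f)
            delta[f] = d
    total = sum(delta.values())
    if total == 0:
        raise ValueError("samples are identical; wait longer between them")
    pct = {f: 100.0 * d / total for f, d in delta.items()}
    # Everything that is neither idle nor waiting on I/O counts as busy.
    pct["busy"] = 100.0 - pct.get("idle", 0.0) - pct.get("iowait", 0.0)
    return pct

def host_cpu_percent(conn, interval=1.0):
    """Sample a libvirt connection twice; cpuNum -1 means all CPUs combined."""
    first = conn.getCPUStats(-1, 0)
    time.sleep(interval)
    return cpu_percent(first, conn.getCPUStats(-1, 0))

# Output quoted in the post, and a constructed second sample taken later.
BEFORE = {"kernel": 34870000000, "idle": 3522190000000,
          "user": 209930000000, "iowait": 132240000000}
AFTER = {"kernel": 35070000000, "idle": 3525190000000,
         "user": 210530000000, "iowait": 132440000000}

if __name__ == "__main__":
    print(cpu_percent(BEFORE, AFTER))
```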