[libvirt-users] VM's in a HA-configuration - synchronising vm config files
by Lentes, Bernd
Hi,
I'd like to establish a HA cluster with two nodes. My services will run inside VMs; the VMs are stored on a FC SAN, so every host has access to the VMs. But how can I keep the config files (XML files under /etc/libvirt/qemu) synchronised? Is there a possibility to store the config files somewhere else? E.g. a partition with ocfs2 on the SAN?
If not, what would you do? Otherwise I'm thinking of a cron job which synchronises the files each minute with rsync.
Bernd
--
Bernd Lentes
Systemadministration
institute of developmental genetics
Gebäude 35.34 - Raum 208
HelmholtzZentrum München
bernd.lentes(a)helmholtz-muenchen.de
phone: +49 (0)89 3187 1241
fax: +49 (0)89 3187 2294
Wer Visionen hat soll zum Hausarzt gehen
Helmut Schmidt
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrer: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen, Renate Schlusen (komm.)
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
8 years, 10 months
[libvirt-users] which is the config file for a vm ?
by Lentes, Bernd
Hi,
I have a weird problem. I have a VM (KVM) which seems to run fine. I believe the respective config file for this VM is /etc/libvirt/qemu/MausDB.xml. This is it:
=========================================================
<domain type='kvm'>
  <name>MausDB</name>
  <uuid>d4c7956c-b57f-967a-0454-99835a3a740b</uuid>
  <memory unit='KiB'>2353792</memory>
  <currentMemory unit='KiB'>2353792</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-1.4'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/kvm/images/MausDB/disk0.raw'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:37:92:03'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>
=============================================================
As you see, the VM has one NIC. Its MAC address is: '52:54:00:37:92:03'.
I also see that MAC when I edit the config via virsh.
But when I boot that VM, it has a NIC with another MAC: '52:54:00:37:92:B2' ??? lspci shows me just one NIC in the VM.
This MAC address is also visible in the Virtual Machine Manager.
Pictures you find here: https://hmgubox.helmholtz-muenchen.de:8001/d/51feb02c02/
I thought the XML file in /etc/libvirt/qemu is the only responsible one. It is the one which is configured when I issue an 'edit domain' in virsh. Or?
Where does the VMM store the configuration of the domains?
I found another XML: /var/run/libvirt/qemu/MausDB.xml. Inside it there is the MAC the booted VM has. What is the purpose of this XML?
Also ps on the host shows the MAC which is in the booted VM:
root 28237 4.8 2.4 2886084 2416116 ? Sl Feb29 55:16 /usr/bin/qemu-kvm -name MausDB -S -machine pc-i440fx-1.4,accel=kvm,usb=off -m 2299 -smp 2,sockets=2,cores=1,threads=1 -uuid d4c7956c-b57f-967a-0454-99835a3a740b -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/MausDB.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/kvm/images/MausDB/disk0.raw,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=22,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:37:92:b2,bus=pci.0,addr=0x3 -vnc 127.0.0.1:0 -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
Can anyone help sort this out?
Bernd
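An added check for the kind of mismatch described in the post above (example code written for this page, not from the original post or from libvirt): it compares the interface MACs of the persistent definition (the file under /etc/libvirt/qemu, which is what `virsh dumpxml --inactive` returns) with the live state (the file under /var/run/libvirt/qemu, which is what `virsh dumpxml` returns). The two XML documents are constructed samples standing in for those files, so the script runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a persistent definition and a live state whose only
# difference is the interface MAC, mirroring the situation in the post.
PERSISTENT_XML = """<domain type='kvm'>
  <name>MausDB</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:37:92:03'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>"""

LIVE_XML = """<domain type='kvm'>
  <name>MausDB</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:37:92:b2'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>"""


def interface_macs(domain_xml):
    """Return the MAC of every <interface> in a libvirt domain XML, lower-cased,
    in document order (libvirt keeps that order stable between the two files)."""
    root = ET.fromstring(domain_xml)
    return [mac.get("address", "").lower()
            for mac in root.findall("./devices/interface/mac")]


def config_drift(persistent_xml, live_xml):
    """Return (persistent_mac, live_mac) pairs that differ, compared by interface
    position; a missing interface on either side shows up as None."""
    p, l = interface_macs(persistent_xml), interface_macs(live_xml)
    drift = []
    for i in range(max(len(p), len(l))):
        pm = p[i] if i < len(p) else None
        lm = l[i] if i < len(l) else None
        if pm != lm:
            drift.append((pm, lm))
    return drift


if __name__ == "__main__":
    for pm, lm in config_drift(PERSISTENT_XML, LIVE_XML):
        print(f"interface MAC differs: persistent={pm} live={lm}")
```

To run it against a real host, replace the two constants with the output of `virsh dumpxml --inactive <domain>` and `virsh dumpxml <domain>`.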
8 years, 10 months
[libvirt-users] Insert iptables rules with network hook
by Dieter Späth
Hi,
I want to add iptables rules between existing rules and the rules created by libvirt (forward type=nat).
I did try the hooks
/etc/libvirt/hooks/network network_name start begin -
and
/etc/libvirt/hooks/network network_name started begin -
It seems like the libvirt iptables rules are already inserted when this hook is executed.
Simply using I instead of A does not work either, because the rules should be inserted between the existing ones and the libvirt rules. Also the custom rules should be deleted after the hook
/etc/libvirt/hooks/network network_name stopped end -
is executed.
Does a hook exist which is executed after the network is started but before the libvirt rules are inserted?
Is it possible to use a custom chain for the libvirt iptables rules instead of directly writing them into the INPUT chain?
I think of something like INPUT
VIRT_VIBR0 all -- * virbr0 0.0.0.0/0 0.0.0.0/0
VIRT_VIBR0 all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
and VIRT_VIBR0
ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
thanks & regards
dieter
8 years, 10 months
[libvirt-users] nwfilter : iptables rules not working
by jf grunt
Hi,
I am contacting you as I have difficulties using nwfilter on a KVM host.
I want to implement flow filtering between my Linux guests.
I created the following filter:
cat admin-dmz-internet.xml
<filter name='admin-dmz-internet'>
<!-- this zone is an SSH ingoing only zone -->
<!-- but SSH can go to an other SSH proxy -->
<filterref filter='clean-traffic' />
<!-- enable SSH (tcp port 22) to go inside the zone -->
<rule action='accept' direction='in'>
<tcp dstportstart='22'/>
</rule>
<!-- accept the SSH to the other out -->
<rule action='accept' direction='out'>
<tcp dstipaddr='192.168.150.50' dstportstart='22' />
</rule>
<!-- deny explicitly all other flows to go outside -->
<rule action='drop' direction='inout'>
<all/>
</rule>
</filter>
then I define it:
virsh nwfilter-define admin-dmz-internet.xml
Filtre réseau admin-dmz-internet défini depuis admin-dmz-internet.xml
The filters are defined:
virsh nwfilter-list
UUID Nom
------------------------------------------------------------------
4ae1f709-4767-4148-9b02-9065da3d8d8a admin-dmz-internet
7d32639b-5e6e-4dfe-b07b-e798bbd89adb allow-arp
I then assigned the filter to my VM:
<interface type='network'>
<mac address='52:54:00:36:7d:99'/>
<source network='adm-from-net'/>
<ip address='192.168.130.229' family='ipv4'/>
<model type='virtio'/>
<filterref filter='admin-dmz-internet'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
</interface>
and restarted libvirtd and started the VM:
systemctl restart libvirtd
virsh start externeSSH
However the filter doesn't work, I can do all the flows that I want.... :(
To debug I looked at the iptables rules. We see that no packet goes to the rules for the filter:
Chain FI-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN tcp -- * * 0.0.0.0/0 192.168.150.50 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FO-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 ACCEPT tcp -- * * 192.168.150.50 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain HI-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN tcp -- * * 0.0.0.0/0 192.168.150.50 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain libvirt-host-in (1 references)
pkts bytes target prot opt in out source destination
0 0 HI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Chain libvirt-in (1 references)
pkts bytes target prot opt in out source destination
0 0 FI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Chain libvirt-in-post (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
Chain libvirt-out (1 references)
pkts bytes target prot opt in out source destination
0 0 FO-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
How can I make the rules work?
I am on CentOS 7 and libvirt is as follows:
rpm -qa | grep libvirt
libvirt-daemon-kvm-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-network-1.2.17-13.el7_2.3.x86_64
libvirt-python-1.2.17-2.el7.x86_64
libvirt-client-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-network-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-secret-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-qemu-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-storage-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-interface-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-lxc-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-1.2.17-13.el7_2.3.x86_64
Thanks in advance for your help.
Regards,
JF
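The debugging step in the post above, reading the `iptables -nvL` counters, as an added example (written for this page, not from the original post or from libvirt): it parses the counter listing and, for each per-interface FI-/FO-/HI- chain, reports the packets counted inside the chain next to the packets counted on the libvirt dispatch rule that jumps to it, so a chain whose rules are never reached can be told apart from one that is reached but matches nothing. The listing below is a constructed sample in the standard `iptables -nvL` layout, not output from the poster's host.

```python
import re

# Constructed `iptables -nvL` sample modelled on the counters in the post above:
# FI-vnet0 and its dispatch rule read 0, while FO-vnet0 is seeing traffic.
IPTABLES_OUTPUT = """\
Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            192.168.150.50       tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  317 26544 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain libvirt-in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FI-vnet0   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto] PHYSDEV match --physdev-in vnet0
Chain libvirt-out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  317 26544 FO-vnet0   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s")


def parse_counters(text):
    """Map chain name -> list of (pkts, target) for every rule in `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None and (m := RULE_RE.match(line)):
            chains[current].append((int(m.group(1)), m.group(2)))
    return chains


def filter_chain_report(text, vif):
    """For the FI-/FO-/HI- chains of one vif: packets counted inside the chain versus
    packets counted on the rule(s) that jump to it. dispatched == 0 means the physdev
    dispatch rule never matched since the counters were last reset, so the nwfilter
    rules themselves were never consulted."""
    chains = parse_counters(text)
    report = {}
    for name in (f"FI-{vif}", f"FO-{vif}", f"HI-{vif}"):
        if name in chains:
            inside = sum(p for p, _ in chains[name])
            dispatched = sum(p for rules in chains.values() for p, t in rules if t == name)
            report[name] = {"inside": inside, "dispatched": dispatched}
    return report
```

On a live host, feed the script the output of `iptables -nvL` (note that the post's listing was line-wrapped by the mail client; the real output keeps each rule on one line).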
8 years, 10 months