[libvirt-users] [virtual interface] detach interface during boot succeed with no changes
by Yalan Zhang
Hi guys,
When I detach an interface from a VM during boot (VM boot not finished), it
always fails. I'm not sure if there is an existing bug. I have
confirmed with someone that for disks there is similar behavior; is
this also acceptable?
# virsh destroy rhel7.2; virsh start rhel7.2 ;sleep 2; virsh
detach-interface rhel7.2 network 52:54:00:98:c4:a0; sleep 2; virsh
dumpxml rhel7.2 |grep /interface -B9
Domain rhel7.2 destroyed
Domain rhel7.2 started
Interface detached successfully
<address type='pci' domain='0x0000' bus='0x00' slot='0x06'
function='0x0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:98:c4:a0'/>
<source network='default' bridge='virbr0'/>
<target dev='vnet0'/>
<model type='rtl8139'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
</interface>
When I detach after the VM has booted (expanding the sleep time to 10), it succeeds.
# virsh destroy rhel7.2; virsh start rhel7.2 ;sleep 10; virsh
detach-interface rhel7.2 network 52:54:00:98:c4:a0; sleep 2; virsh
dumpxml rhel7.2 |grep /interface -B9
Domain rhel7.2 destroyed
Domain rhel7.2 started
Interface detached successfully
-------
Best Regards,
Yalan Zhang
IRC: yalzhang
Internal phone: 8389413
2 years, 3 months
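The check a practitioner wants after a hot-unplug is the one the post does by hand: re-read the live domain XML and confirm the interface is really gone, rather than trusting "Interface detached successfully" or a fixed sleep. The following is an added example, not code from the post or from libvirt; virsh is reached through an injectable callable so the logic runs offline against constructed XML, and the domain name and MAC address are placeholders.

```python
"""Added example (not from the original post): poll `virsh dumpxml` until an
<interface> with a given MAC has disappeared, with a timeout.
Assumptions: domain name and MAC are placeholders; `virsh` is on PATH when
the real backend is used."""
import subprocess
import time
import xml.etree.ElementTree as ET
from typing import Callable


def interface_present(domain_xml: str, mac: str) -> bool:
    """True if <devices>/<interface>/<mac address=...> matches `mac` (case-insensitive)."""
    root = ET.fromstring(domain_xml)
    wanted = mac.lower()
    for iface in root.iterfind("./devices/interface"):
        mac_el = iface.find("mac")
        if mac_el is not None and mac_el.get("address", "").lower() == wanted:
            return True
    return False


def virsh_dumpxml(domain: str) -> str:
    """Real backend: the live configuration of a running domain."""
    return subprocess.run(["virsh", "dumpxml", domain],
                          check=True, capture_output=True, text=True).stdout


def wait_for_detach(domain: str, mac: str,
                    dumpxml: Callable[[str], str] = virsh_dumpxml,
                    timeout: float = 30.0, interval: float = 1.0,
                    sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll the domain XML until the interface is gone; return False on timeout."""
    deadline = time.monotonic() + timeout
    while True:
        if not interface_present(dumpxml(domain), mac):
            return True
        if time.monotonic() >= deadline:
            return False
        sleep(interval)


# Constructed sample XML standing in for two successive `virsh dumpxml` outputs.
SAMPLE_WITH_NIC = """<domain type='kvm'><name>rhel7.2</name><devices>
  <interface type='network'>
    <mac address='52:54:00:98:c4:a0'/>
    <source network='default' bridge='virbr0'/>
    <model type='rtl8139'/>
  </interface>
</devices></domain>"""
SAMPLE_WITHOUT_NIC = "<domain type='kvm'><name>rhel7.2</name><devices/></domain>"


def fake_dumpxml(outputs):
    """Offline stand-in: yield each output in turn, then repeat the last one."""
    remaining = list(outputs)

    def _dump(_domain: str) -> str:
        if len(remaining) > 1:
            return remaining.pop(0)
        return remaining[0]
    return _dump


if __name__ == "__main__":
    # Guest still unplugging on the first two polls, gone on the third.
    dump = fake_dumpxml([SAMPLE_WITH_NIC, SAMPLE_WITH_NIC, SAMPLE_WITHOUT_NIC])
    print(wait_for_detach("rhel7.2", "52:54:00:98:c4:a0",
                          dumpxml=dump, sleep=lambda s: None))
```

Pass `dumpxml=virsh_dumpxml` (the default) to run it against a real host; the fake is only there so the polling logic can be exercised without a hypervisor.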
[libvirt-users] Question about disabling UFO on guest
by Bao Nguyen
Hello everyone,
I would like to ask a question about disabling UFO of a virtio vNIC in
my guest. I have read the document at https://libvirt.org/formatdomain.html
*host*
The csum, gso, tso4, tso6, ecn and ufo attributes with possible
values on and off can be used to turn off host offloading options. By
default, the supported offloads are enabled by QEMU. *Since 1.2.9 (QEMU
only)* The mrg_rxbuf attribute can be used to control mergeable rx buffers
on the host side. Possible values are on (default) and off. *Since 1.2.13
(QEMU only)*
*guest*
The csum, tso4, tso6, ecn and ufo attributes with possible
values on and off can be used to turn off guest offloading options. By
default, the supported offloads are enabled by QEMU.
*Since 1.2.9 (QEMU only)*
Then I disabled UFO on my vNIC in the guest with the following configuration:
<devices>
<interface type='network'>
<source network='default'/>
<target dev='vnet1'/>
<model type='virtio'/>
<driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off'
queues='5' rx_queue_size='256' tx_queue_size='256'>
<host gso='off' ufo='off' />
<guest ufo='off'/>
</driver>
</interface>
</devices>
Then I rebooted my node for the change to take effect, and it works. However, can I
disable UFO without touching the host OS, or does it always have to be disabled
on both host and guest like that?
Thanks,
Brs,
Natsu
4 years, 4 months
[libvirt-users] Libvirt access control drivers
by Anastasiya Ruzhanskaya
Hello!
According to the documentation, access control drivers are not really in
"good condition". There is polkit, but it can distinguish users only
according to the PID. However, I have come across some articles about more
fine-grained control and about SELinux drivers for libvirt. So, what is the
status now? Should I implement something myself if I want access based
on login? Are there instructions on how to write these drivers, or is there
something already?
6 years, 1 month
[libvirt-users] ceph rbd pool and libvirt manageability (virt-install)
by Jelle de Jong
Hello everybody,
I created an rbd pool and activated it, but I can't seem to create
volumes in it with virsh or virt-install.
# virsh pool-dumpxml myrbdpool
<pool type='rbd'>
<name>myrbdpool</name>
<uuid>2d786f7a-2df3-4d79-ae60-1535bcf1c6b5</uuid>
<capacity unit='bytes'>6997998301184</capacity>
<allocation unit='bytes'>10309227031</allocation>
<available unit='bytes'>6977204658176</available>
<source>
<host name='ceph01.powercraft.nl' port='6789'/>
<host name='ceph02.powercraft.nl' port='6789'/>
<host name='ceph03.powercraft.nl' port='6789'/>
<name>libvirt-pool</name>
<auth type='ceph' username='libvirt'>
<secret uuid='029a334e-ed57-4293-bb99-ffafa8867122'/>
</auth>
</source>
</pool>
# virt-install --version
1.0.1
# virsh --version
1.2.9
I ended up using virsh edit ceph-test.powercraft.nl and creating
the disk manually.
<disk type='network' device='disk'>
<auth username='libvirt'>
<secret type='ceph' uuid='029a334e-ed57-4293-bb99-ffafa8867122'/>
</auth>
<source protocol='rbd' name='libvirt-pool/kvm01-storage'>
<host name='ceph01.powercraft.nl' port='6789'/>
<host name='ceph02.powercraft.nl' port='6789'/>
<host name='ceph03.powercraft.nl' port='6789'/>
</source>
<target dev='vdc' bus='virtio'/>
</disk>
I use virt-install a lot to define, import and undefine domains; how
can I use virt-install to manage my rbd disks?
Kind regards,
Jelle de Jong
6 years, 3 months
[libvirt-users] East-west traffic network filter
by Ales Musil
Hello,
I would like to make a filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic, but I was not able to get it working
with that reference. I have come up with a modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with a reference to
clean-traffic?
Thank you.
Best wishes,
Ales Musil
[1]
<filter name='clean-traffic-gateway'>
<!-- An example of a traffic filter enforcing clean traffic from a VM by
- preventing MAC spoofing -->
<filterref filter='no-mac-spoofing'/>
<!-- preventing IP spoofing on outgoing -->
<filterref filter='no-ip-spoofing'/>
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action='accept' direction='inout' priority='-500'>
<mac protocolid='arp'/>
</rule>
<!-- accept traffic only from specified MAC address -->
<rule action='accept' direction='in'>
<mac match='yes' srcmacaddr='$GATEWAY_MAC'
srcmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- allow traffic only to specified MAC address -->
<rule action='accept' direction='out'>
<mac match='yes' dstmacaddr='$GATEWAY_MAC'
dstmacmask='$GATEWAY_MAC_MASK' />
</rule>
<!-- preventing any other traffic than between specified MACs and ARP -->
<filterref filter='no-other-l2-traffic'/>
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
</filter>
--
ALES MUSIL
INTERN - rhv network
Red Hat EMEA <https://www.redhat.com/>
amusil(a)redhat.com IM: amusil
<https://red.ht/sig>
6 years, 5 months
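The filter in [1] only works once the interface that uses it supplies values for `$GATEWAY_MAC` and `$GATEWAY_MAC_MASK` through `<parameter>` elements in its `<filterref>`. The following is an added example, not code from the post or from libvirt: it extracts every `$VARIABLE` a filter references, reports which ones a given parameter set leaves unsupplied, lists the filters it pulls in (which must exist on the host), and renders the `<filterref>` for the interface. The filter XML embedded below is an abbreviated copy of the one in the post; the MAC and mask values are placeholders.

```python
"""Added example (not from the original post): pre-flight checks for a
parametrised nwfilter before it is applied to an interface.
Assumptions: variable names GATEWAY_MAC / GATEWAY_MAC_MASK as in the post;
the MAC and mask values below are placeholders."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

# nwfilter variables are written as $NAME inside rule attributes.
VARIABLE_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Abbreviated copy of the filter from the post (constructed for this example).
FILTER_XML = """<filter name='clean-traffic-gateway'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='accept' direction='in'>
    <mac match='yes' srcmacaddr='$GATEWAY_MAC' srcmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <rule action='accept' direction='out'>
    <mac match='yes' dstmacaddr='$GATEWAY_MAC' dstmacmask='$GATEWAY_MAC_MASK'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>"""


def referenced_variables(filter_xml: str) -> Set[str]:
    """Collect every $NAME used in any attribute of the filter."""
    root = ET.fromstring(filter_xml)
    found: Set[str] = set()
    for el in root.iter():
        for value in el.attrib.values():
            found.update(VARIABLE_RE.findall(value))
    return found


def missing_parameters(filter_xml: str, params: Dict[str, Iterable[str]]) -> Set[str]:
    """Variables the filter references that the <filterref> would not supply."""
    return referenced_variables(filter_xml) - set(params)


def referenced_filters(filter_xml: str) -> List[str]:
    """Names of the filters this one includes; each must exist on the host."""
    root = ET.fromstring(filter_xml)
    return [ref.get("filter") for ref in root.iterfind("filterref")]


def build_filterref(filter_name: str, params: Dict[str, Iterable[str]]) -> str:
    """Render the <filterref> for an <interface>, one <parameter> per value."""
    ref = ET.Element("filterref", filter=filter_name)
    for name in sorted(params):
        for value in params[name]:
            ET.SubElement(ref, "parameter", name=name, value=value)
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    params = {"GATEWAY_MAC": ["52:54:00:aa:bb:cc"],          # placeholder
              "GATEWAY_MAC_MASK": ["ff:ff:ff:ff:ff:ff"]}     # exact-match mask
    print("missing:", missing_parameters(FILTER_XML, params))
    print("includes:", referenced_filters(FILTER_XML))
    print(build_filterref("clean-traffic-gateway", params))
```

Run the rendered `<filterref>` into the interface definition only when `missing_parameters` is empty; a mask of all `ff` bytes restricts the rule to exactly the given peer, while a shorter mask widens it to a whole MAC range, which is rarely what an east-west allow-list intends.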
[libvirt-users] Reintroduce "allocate entire disk" checkbox on virt-manager
by Gionatan Danti
Hi list,
on older virt-manager versions (i.e. what shipped with RHEL 6), a
checkbox called "allocate entire disk" was selectable when configuring a
new virtual machine. When checked, it meant that the RAW disk image file
was entirely allocated, generally by issuing a fallocate() call. When
unchecked, the disk image was a sparse file, with on-demand space
allocation.
On new virt-manager versions (i.e. what ships with RHEL 7), the checkbox
is gone. This means that for creating a sparse allocated file from
within the "new vm" wizard, one is forced to use a Qcow2 file
(selectable in the global preferences). No sparse RAW images can be
created within such a wizard.
As a heavy consumer of RAW disk files, I would really like to have the
checkbox back, especially in RHEL/CentOS 7.x.
Do you plan to reintroduce it? For RHEL/CentOS, should I open a Bugzilla
ticket?
Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti(a)assyoma.it - info(a)assyoma.it
GPG public key ID: FF5F32A8
6 years, 5 months
[libvirt-users] Virtio-net drivers immune to Nethammer?
by procmem
Hi, I'm a privacy distro maintainer investigating the implications of the
newly published Nethammer attack [0] on KVM guests, particularly the
virtio-net drivers. The summary of the paper is that Rowhammer can be
remotely triggered by feeding a susceptible* network driver crafted
traffic. This attack can do all kinds of nasty things such as modifying
SSL certs on the victim system.
* Susceptible drivers are those relying on Intel CAT, uncached memory or
the clflush instruction.
My question is, do virtio-net drivers do any of these things?
***
[0] https://arxiv.org/abs/1805.04956
6 years, 6 months
[libvirt-users] virsh error: domain is already quiesced
by Jérôme
Hi all.
I'm having issues while creating snapshots.
I posted on Stack Exchange [1], but figured I might get more success
here.
My VM backup script fails while creating the snapshot.
virsh snapshot-create-as --domain machine_1 snap --diskspec
vda,file=/srv/test/test-snap.qcow2 --disk-only --atomic --no-metadata
--quiesce
error: Requested operation is not valid: domain is already quiesced
Even after a VM reboot, the system is still quiesced and I get the same
error.
I thought quiesce means FS freeze, but this makes no sense since I can
still write to the FS when logged in the faulty VMs. And this would not
survive a reboot, right?
Could it be a communication issue that makes the host think the GA says
the machine is quiesced while it is not?
In any case, is there a command to enquire the quiesce state (apart from
attempting a snapshot and see if I get an error)?
Assuming the faulty VMs went quiesced after an unreproducible error, I
could fix that by exiting the quiesced state, whatever that means. Is there
a virsh command to unquiesce the VM?
The whole backup procedure used to work and now it fails on 2 VMs but
still works on 2 others and I can't think of any relevant difference
between them.
Software versions:
- Host is Debian Jessie with qemu-kvm 2.8+dfsg-3~bop8+1 from backports.
- Guests are Debian Stretch with qemu-guest-agent 2.8+dfsg-6+deb9u4.
(For the record, the backup script is on GitHub [2]. Basically, what it
does is 1/ create snapshot, 2/ copy, 3/ commit snapshot.)
If I remove the `quiesce` option from the snapshot command line, things
work smoothly. But obviously, this is not ideal.
Thanks for any hint.
[1]
https://serverfault.com/questions/917247/virsh-error-domain-is-already-qu...
[2] https://github.com/Nobatek/vmbackup/blob/master/vmbackup
--
Jérôme
6 years, 6 months
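A backup script can handle this state instead of aborting. The following is an added example, not code from the post, from the vmbackup project or from libvirt. It assumes a libvirt with `virsh domfsthaw` (present since 1.2.5) and relies on the behaviour of libvirt's QEMU driver as I understand it: "domain is already quiesced" comes from a per-domain quiesced flag that `domfsthaw` clears. The snapshot step below thaws once and retries once; commands go through an injectable `run` callable so the flow can be exercised offline, and the domain name, snapshot name and paths are placeholders taken from the post.

```python
"""Added example (not from the original post): a quiesced disk-only snapshot
step that recovers from "domain is already quiesced" by thawing once.
Assumptions: `virsh domfsthaw` is available (libvirt 1.2.5+); the guest
agent is reachable; domain/snapshot names and paths are placeholders."""
import subprocess
from typing import Callable, List, Sequence, Tuple

# A runner takes argv and returns (exit code, stderr text).
Runner = Callable[[Sequence[str]], Tuple[int, str]]


def real_run(argv: Sequence[str]) -> Tuple[int, str]:
    """Execute the command on the host."""
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    return proc.returncode, proc.stderr


def snapshot_cmd(domain: str, name: str, disk: str, path: str) -> List[str]:
    """The snapshot command from the post, as an argv list."""
    return ["virsh", "snapshot-create-as", "--domain", domain, name,
            "--diskspec", f"{disk},file={path}", "--disk-only", "--atomic",
            "--no-metadata", "--quiesce"]


def create_quiesced_snapshot(domain: str, name: str, disk: str, path: str,
                             run: Runner = real_run) -> List[str]:
    """Take the snapshot; on a stale quiesce, thaw and retry once.

    Returns the commands issued (for the backup log); raises RuntimeError
    on any other failure so the caller does not proceed to copy a disk
    that was never snapshotted.
    """
    issued: List[str] = []
    cmd = snapshot_cmd(domain, name, disk, path)
    issued.append(" ".join(cmd))
    rc, err = run(cmd)
    if rc == 0:
        return issued
    if "already quiesced" not in err:
        raise RuntimeError(f"snapshot failed: {err.strip()}")
    # Stale freeze flag left behind by an earlier --quiesce attempt: clear it.
    thaw = ["virsh", "domfsthaw", domain]
    issued.append(" ".join(thaw))
    rc, err = run(thaw)
    if rc != 0:
        raise RuntimeError(f"domfsthaw failed: {err.strip()}")
    issued.append(" ".join(cmd))
    rc, err = run(cmd)
    if rc != 0:
        raise RuntimeError(f"snapshot failed after thaw: {err.strip()}")
    return issued


def scripted_runner(responses: Sequence[Tuple[int, str]]) -> Runner:
    """Offline stand-in: hand out the scripted (rc, stderr) pairs in order."""
    queue = list(responses)

    def _run(_argv: Sequence[str]) -> Tuple[int, str]:
        return queue.pop(0)
    return _run


if __name__ == "__main__":
    # Constructed responses: first snapshot hits the stale quiesce, thaw and retry succeed.
    runner = scripted_runner([
        (1, "error: Requested operation is not valid: domain is already quiesced\n"),
        (0, ""),
        (0, ""),
    ])
    for line in create_quiesced_snapshot("machine_1", "snap", "vda",
                                         "/srv/test/test-snap.qcow2", run=runner):
        print(line)
```

The retry is deliberately limited to one thaw: if the error persists after `domfsthaw`, the cause is not a stale flag and the script should stop rather than loop.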
[libvirt-users] How libvirt interacts with dhcpd?
by Daniel.
Hi everybody,
I'm using libvirt together with xCAT, on the same host, for testing
purposes. xCAT installs and manages dhcpd. How does libvirt interact with
dhcpd? And if it doesn't, how does libvirt's DHCP server work, and
where can I find information on how to troubleshoot it?
Regards,
--
“If you're going to try, go all the way. Otherwise, don't even start. ..."
Charles Bukowski
6 years, 6 months