[libvirt-users] X11 apps on lxc
by Jesus
Hi
How can I run X11 apps on the local X11 using libvirt lxc?
I already had this running on centos 7 but I upgraded to centos 8 (I rebuilt libvirt) and the socket is not in the /tmp/.X11-unix/ folder of the vm any more.
Can somebody help with this?
Thanks!!
5 years, 2 months
[libvirt-users] [libvirt]Some questions about live migration
by Luyao Zhong
Hi libvirt experts,
I have some questions about live migration.
* If a live migration fails during migration, will the domain exist on the
destination host?
* Does the flag VIR_MIGRATE_PAUSED make sense for live migration? It's a little
confusing for me. Does that indicate that if I set this flag, the domain on
the destination will not disappear even if the migration fails, and it will
be in 'paused' status? If this flag is not set, what will it be? It may be similar
to the question above.
I filed a bug https://bugzilla.redhat.com/show_bug.cgi?id=1762703 about this flag,
since its description is not very clear.
Thanks in advance, looking forward to your reply.
Regards,
Luyao
5 years, 2 months
[libvirt-users] Transient permission denied errors when sending audit logs
by Roman Mohr
Hi,
In kubevirt we are running into a strange permission problem on
libvirt-5.0. We see transient "Permission Denied" errors when "virAuditSend"
wants to send an audit log. [1] shows the logs of one of these containers.
Here is an example:
{"component":"virt-launcher","level":"warning","msg":"Failed to send audit message virt=kvm vm=\"kubevirt-test-default_testvmit2pqrkrlrwbhptcjcs4n67jn6pjqvmtd7pkrpdmkrl5sldzs4rxr9zdg8m45jxz\" uuid=56a33283-f6d7-4002-b188-1fed83186545 vm-ctx=+107:+107 img-ctx=+107:+107 model=dac: Permission denied","pos":"virAuditSend:141","subcomponent":"libvirt","thread":"30","timestamp":"2019-10-08T23:58:40.651000Z"}
We recently switched in kubevirt to a dedicated selinux policy and removed
the general "privileged" flag from the containers where we run libvirt.
This is very likely related to it, but we can't make sense out of it,
because:
* It randomly affects one out of a few hundred containers which we start
* It is not bound to a specific node
* It is only transient on that container. After a few denials libvirt can
just continue.
* Sometimes it is accompanied with a transient "Permission denied" on
/dev/null from our code in that container (so not from something which
libvirt tries to do).
Has someone seen something like this before in different environments?
Best Regards,
Roman
[1]
https://storage.googleapis.com/kubevirt-prow/pr-logs/pull/kubevirt_kubevi...
5 years, 2 months
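As an added example (not part of the post and not kubevirt or libvirt code): a small triage script that parses virt-launcher JSON log lines of the shape quoted above, extracts the audit fields, and reports per VM how many virAuditSend denials occurred and over what time span, which is one way to confirm that the denials are transient. The sample lines, VM names, UUIDs and the `someOtherFunc` position are constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_audit_failure(line):
    """Return the audit fields of one virAuditSend failure line, else None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or not str(rec.get("pos", "")).startswith("virAuditSend"):
        return None
    # The errno text follows the last ": "; the key=value pairs precede it.
    body, _, error = str(rec.get("msg", "")).rpartition(": ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    if "uuid" not in fields or "timestamp" not in rec:
        return None
    fields.update(error=error, when=datetime.strptime(rec["timestamp"], TS_FORMAT))
    return fields

def summarize_bursts(log_text):
    """Map VM uuid -> (denial count, seconds between first and last denial)."""
    per_vm = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_audit_failure(line)
        if hit and hit["error"] == "Permission denied":
            per_vm[hit["uuid"]].append(hit["when"])
    return {u: (len(t), (max(t) - min(t)).total_seconds()) for u, t in per_vm.items()}

def _sample(vm, uuid, ts, pos="virAuditSend:141"):
    # Constructed line in the shape of the entry quoted in the post.
    msg = (f'Failed to send audit message virt=kvm vm="{vm}" uuid={uuid} '
           "vm-ctx=+107:+107 img-ctx=+107:+107 model=dac: Permission denied")
    return json.dumps({"component": "virt-launcher", "level": "warning", "msg": msg,
                       "pos": pos, "subcomponent": "libvirt", "timestamp": ts})

UUID_A = "00000000-0000-4000-8000-00000000000a"  # constructed, not from the post
UUID_B = "00000000-0000-4000-8000-00000000000b"  # constructed, not from the post
SAMPLE_LOG = "\n".join([
    _sample("default_vm-a", UUID_A, "2019-10-08T23:58:40.651000Z"),
    _sample("default_vm-a", UUID_A, "2019-10-08T23:58:40.902000Z"),
    _sample("default_vm-a", UUID_A, "2019-10-08T23:58:41.151000Z"),
    _sample("default_vm-b", UUID_B, "2019-10-09T00:10:02.000000Z"),
    _sample("default_vm-b", UUID_B, "2019-10-09T00:10:03.000000Z", pos="someOtherFunc:1"),
])
```

Calling `summarize_bursts()` on the concatenated logs of many containers gives one row per affected VM, which can then be lined up against SELinux AVC denials for the same time window.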
[libvirt-users] create virtual network fails with virt-manager
by Marko Horn
hello list,
creating a virtual network via virt-manager fails.
gentoo linux vanilla-sources 5.3.1
virt-manager 2.2.1
qemu 4.0
libvirt 5.5.0
the error output of
Error creating virtual network: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 472, in _async_net_create
    netobj.create()
  File "/usr/lib64/python3.6/site-packages/libvirt.py", line 2993, in create
    if ret == -1: raise libvirtError ('virNetworkCreate() failed', net=self)
libvirt.libvirtError: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.
/sbin/iptables exists
any ideas?
kind regards
m@rko
5 years, 2 months
[libvirt-users] hidden state='on' not working
by Michael Lipp
Hi,
I have set
<kvm>
  <hidden state='on'/>
</kvm>
in my configuration file. But looking at the command line, I see
-cpu ...,hypervisor=on,...
Should the setting result in hypervisor=off (or -hypervisor)?
- Michael
5 years, 2 months
[libvirt-users] Emulated TPM doesn't work on Debian Buster
by procmem@riseup.net
Hi. I am very interested in the security properties a totally open TPM
can give our users - its use as a universal smartcard to protect all
types of keys. When adding the virtual 1.2 or 2.0 TPM I get the vague
error below. OS is Debian stable with standard packages.
Error starting domain: Unable to find 'swtpm' binary in $PATH: No such file or directory
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: Unable to find 'swtpm' binary in $PATH: No such file or directory
5 years, 2 months
[libvirt-users] Error validating install location: Distro 'rhel8' does not exist in our dictionary
by Kaushal Shriyan
Hi,
I am running the below command to spawn CentOS8 based Virtual Machines
using KVM based technology
virt-install --name=centos8 \
  --file=/linuxkvmguestosdisk/var/lib/libvirt/images/centos8 --file-size=100 \
  --nonsparse --vcpus=2 --ram=8096 --network=bridge:br0 --os-type=linux \
  --os-variant=rhel8 --graphics none \
  --location=/linuxkvmguestosdisk/var/lib/libvirt/isos/CentOS-8-x86_64-1905-dvd1.iso \
  --extra-args="console=ttyS0"
ERROR Error validating install location: Distro 'rhel8' does not exist in our dictionary
Any clue? I look forward to hearing from you. Thanks in advance.
Best Regards,
5 years, 2 months
Re: [libvirt-users] Internal error reported by libvirt while creating a VM
by Andrea Bolognani
Re-added the list. Please *do not* drop the libvirt-users mailing
list from the recipients again!
On Thu, 2019-10-03 at 16:42 -0400, Ajay Kumar wrote:
> Hi Andrea,
>
> Thank you for your help,
>
> The above issues are addressed while reinstalling libvirt 4.0.0. Currently, I could create VMs on libvirt.
>
> I have another issue while configuring/editing win10.xml file.
> After edit or insert of few lines in win10.XML file using virsh i.e at /etc/libvirt/qem$ virsh edit win10
Saying that you changed "few lines" is not at all useful: if you
hope to get any help from the list, you'll have to share the *exact*
changes you made each time and the full XML configuration that
resulted from them.
> I am getting the below error.
> @ubuntu-kvm3:/etc/libvirt/qemu$ virsh edit win10
> error: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /usr/local/bin/qemu-system-x86_64 -help) unexpected exit status 126: libvirt: error : cannot execute binary /usr/local/bin/qemu-system-x86_64: Permission denied
>
> I understand that this could be a problem with the AppArmor security feature: it doesn't allow a new binary such as (qemu-system-x86_64) to execute.
>
> Later I have followed the below link to address
> [ https://www.reddit.com/r/VFIO/comments/9pi2cd/how_to_set_up_qemu_30_on_ub...
> 6. Create AppArmor rules so libvirt can use the binary ]
>
> Here I have added a few lines in 2 files as per the procedure. Later, when I restarted apparmor, I got the below error
Again, saying that you added "few lines" is not helpful because we
have no idea what those lines look like, so it's simply impossible
for anyone to figure out the root cause of the error message you're
seeing. Please share the *exact* changes you made.
--
Andrea Bolognani / Red Hat / Virtualization
5 years, 2 months
[libvirt-users] network namespace for multiple overlapping nat networks?
by Fred Clift
I have noticed that you can't have multiple separate NAT style libvirt
networks defined with the same private IP blocks.
For example I have this default network:
<network>
  <name>default</name>
  <uuid>13baf167-02ff-4312-928c-b82ed4df5785</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:9c:8f:7c'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.25'/>
    </dhcp>
  </ip>
</network>
I can't define another nat network that uses the same IP address range. I
assume this is an implementation limit because of how the iptables rules
are written/work for doing the NAT.
I'd like to have 10 networks with the same default IP address, attached to
10 vms that all run off the same read-only image. I know that I could use
different ranges and then have my vms use dhcp, and/or a few other similar
ways. I'm limited by the virtual image I want to run (closed source OS,
licensed-and-IP-locked software - I have plenty of licences for
instances).
I'd love to replace my 10 instances all with their own IPs on a public
bridge with 10 NAT'd instances all using the same IP each on their own
little network world - so I'd make a separate bridge for each, but of
course it doesn't work.
I have a proof-of-concept setup where I use a routed private network + nat
with the application vm and a small linux vm in pairs. The linux vms have
a public IP, and a private bridge with a fixed ip to be the default route
of the app vm. Then the app vm can have a fixed ip, route to a fixed
default route, and get natted to whatever its buddy router vm's public IP
is. This works - but then I have 20 vms instead of 10. They are small and
don't use much cpu, but they use ram... which is somewhat constraining. And
I have to maintain a router image. I'm going to settle for this setup if I
have to, but I'd rather not.
So I had the bright idea of somehow routing/natting each vm through a
network namespace. I could perhaps avoid having to have a whole separate
linux instance just to get a copy of the network stack to do nat with. I'm
kind of struggling to see how I could have each libvirt vm run in its
own namespace. I don't think it is possible actually. But perhaps I could
use an extra set of IPs and an extra bridge/veth-pair to work some kind of
magic.
Anyone out there doing something like this? Can you help me wrap my head
around how to mix libvirt kvm VMs and network namespaces?
Is there some other simpler way to achieve what I want?
Thanks.
Fred Clift
fred(a)clift.org
5 years, 2 months