October 2019 - Users - libvirt List Archives

[libvirt-users] X11 apps on lxc
by Jesus 21 Oct '19

21 Oct '19

Hi How can I run X11 apps on the local X11 using libvirt lxc? I already had this runing on centos 7 but I upgraded to centos 8 (I rebuild libvirt) and the socket is not in the /tmp/.X11-unix/ folder of the vm any more. Can somebody help with this? Thanks!!

2 1

[libvirt-users] [libvirt]Some questions about live migration
by Luyao Zhong 18 Oct '19

18 Oct '19

Hi libvirt experts, I have some questions about live migration. * If a live migration failed during migrating, will the domain exist on the destination host? * Is the flag VIR_MIGRATE_PAUSED make sense to live migration? It's a little confusing for me. Does that indicate if I set this flag, then the domain on the destination will not disappear even if the migration is failed, and it will in 'paused' status? If not setting this flag, what will it be? It may be similar to the question above. I filed a bug https://bugzilla.redhat.com/show_bug.cgi?id=1762703 about this flag, since its description is not very clear. Thanks in advance, looking forward to your reply. Regards, Luyao -- 2.7.4

2 1

[libvirt-users] Transient permission denied errors when sending audit logs
by Roman Mohr 17 Oct '19

17 Oct '19

Hi, In kubevirt we are running into a strange permission problem on libvirt-5.0. We see transient "Permission Denied" errors when "virAuditSend" wants to send an audit log. [1] shows the logs of one of these containers. Here an example: {"component":"virt-launcher","level":"warning","msg":"Failed to send audit message virt=kvm vm=\"kubevirt-test-default_testvmit2pqrkrlrwbhptcjcs4n67jn6pjqvmtd7pkrpdmkrl5sldzs4rxr9zdg8m45jxz\" uuid=56a33283-f6d7-4002-b188-1fed83186545 vm-ctx=+107:+107 img-ctx=+107:+107 model=dac: Permission denied","pos":"virAuditSend:141","subcomponent":"libvirt","thread":"30","timestamp":"2019-10-08T23:58:40.651000Z"} We recently switched in kubevirt to a dedicated selinux policy and remove the general "privileged" flag from the containers where we run libvirt in. This is very likely related to it, but we can't make sense out of it, because: * It randomly affects one out of a few hundred containers which we start * It is not bound to a specific node * It is only transient on that container. After a few denials libvirt can just continue. * Sometimes it is accompanied with a transient "Permission denied" on /dev/null from our code in that container (so not from something which libvirt tries to do). Has someone seen something like this before in different environments? Best Regards, Roman [1] https://storage.googleapis.com/kubevirt-prow/pr-logs/pull/kubevirt_kubevirt…

2 2

[libvirt-users] create virtual network fails with virt-manager
by Marko Horn 16 Oct '19

16 Oct '19

hello list, creatig a virtual network via virt-manager fails. gentoo linux vanilla-sources 5.3.1 virt-manager 2.2.1 qemu 4.0 libvirt 5.5.0 the error output of Error creating virtual network: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name. Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/createnet.py", line 472, in _async_net_create netobj.create() File "/usr/lib64/python3.6/site-packages/libvirt.py", line 2993, in create if ret == -1: raise libvirtError ('virNetworkCreate() failed', net=self) libvirt.libvirtError: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name. /sbin/iptables exists any ideas? kind regards m@rko -- zbfmail - Mittendrin statt nur Datei! Datei sein ist alles!

2 2

[libvirt-users] Fwd: Libvirt-QEMU : Multiplex the output from qemu's serial port to a pty as well as a file (basically redirect console to file as well as pty device)
by gokul cg 11 Oct '19

11 Oct '19

Hi Folks , As per https://libvirt.org/formatdomain.html#elementsConsole Regardless of the type, character devices can have an optional log file associated with them. Whether the lgging functionality is same as mapping device to file ? Whether libvirt xml syntax below both 1 and 2 are same ? 1) <serial type='pty'> <log file='/var/lib/nova/instances/7151c8b7-1ea5-4701-bb79-b482d9e253b8/console.log' append='off'/> <target port='0'/> </serial> 2) <serial type='pty'> <source path='/tmp/serial.log'/> <target port='0'/> </serial> is it possible to multiplex the output from qemu's serial port to a pty as well as a file (basically redirect console to file as well as pty device)? Regards Gokul

1 2

[libvirt-users] hidden state='on' not working
by Michael Lipp 09 Oct '19

09 Oct '19

Hi, I have set <kvm> <hidden state='on'/> </kvm> in my configuration file. But looking at the command line, I see -cpu ...,hypervisor=on,... Should the setting result in hypervisor=off (or -hypervisor) - Michael

2 2

[libvirt-users] Emulated TPM doesn't work on Debian Buster
by procmem＠riseup.net 07 Oct '19

07 Oct '19

Hi. I am very interested in the security properties a totally open TPM can give our users - its use as a universal smartcard to protect all types of keys. When adding the virtual 1.2 or 2.0 TPM I get the vague error below. OS is Debian stable with standard packages. Error starting domain: Unable to find 'swtpm' binary in $PATH: No such file or directory Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup self._backend.create() File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirt.libvirtError: Unable to find 'swtpm' binary in $PATH: No such file or directory

3 5

[libvirt-users] Error validating install location: Distro 'rhel8' does not exist in our dictionary
by Kaushal Shriyan 07 Oct '19

07 Oct '19

Hi, I am running the below command to spawn CentOS8 based Virtual Machines using KVM based technology virt-install --name=centos8 > --file=/linuxkvmguestosdisk/var/lib/libvirt/images/centos8 --file-size=100 > --nonsparse --vcpus=2 --ram=8096 --network=bridge:br0 --os-type=linux > --os-variant=rhel8 --graphics none > --location=/linuxkvmguestosdisk/var/lib/libvirt/isos/CentOS-8-x86_64-1905-dvd1.iso > --extra-args="console=ttyS0" > ERROR Error validating install location: Distro 'rhel8' does not exist > in our dictionary Any clue and i look forward to hearing from you. Thanks in advance. Best Regards,

4 4

Re: [libvirt-users] Internal error reported by libvirt while creating a VM
by Andrea Bolognani 04 Oct '19

04 Oct '19

Re-added the list. Please *do not* drop the libvirt-users mailing list from the recipients again! On Thu, 2019-10-03 at 16:42 -0400, Ajay Kumar wrote: > Hi Andrea, > > Thank you for your help, > > The above issues are addressed while reinstalling libvirt 4.0.0. Currently, I could create a VMs on libvirt. > > I have another issue while configuring/editing win10.xml file. > After edit or insert of few lines in win10.XML file using virsh i.e at /etc/libvirt/qem$ virsh edit win10 Saying that you changed "few lines" is not at all useful: if you hope to get any help from the list, you'll have to share the *exact* changes you made each time and the full XML configuration that resulted from them. > I am getting a below error. > @ubuntu-kvm3:/etc/libvirt/qemu$ virsh edit win10 > error: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /usr/local/bin/qemu-system-x86_64 -help) unexpected exit status 126: libvirt: error : cannot execute binary /usr/local/bin/qemu-system-x86_64: Permission denied > > I understand that this could be the problem of AppArmor security feature it doesn't allow new binary such as (qemu-system-x86_64) to execute > > Later I have followed the below link to address > [ https://www.reddit.com/r/VFIO/comments/9pi2cd/how_to_set_up_qemu_30_on_ubun… > 6. Create AppArmor rules so libvirt can use the binary ] > > here i have added few lines in 2 files as per the procedure. later when i restart apparmor I got the below error Again, saying that you added "few lines" is not helpful because we have no idea what those lines look like, so it's simply impossible for anyone to figure out the root cause of the error message you're seeing. Please share the *exact* changes you made. -- Andrea Bolognani / Red Hat / Virtualization

1 0

[libvirt-users] network namespace for multiple overlapping nat networks?
by Fred Clift 04 Oct '19

04 Oct '19

I have noticed that you can't have multiple separate NAT style libvirt networks defined with the same private IP blocks. For example I have this default network: <network> <name>default</name> <uuid>13baf167-02ff-4312-928c-b82ed4df5785</uuid> <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> <bridge name='virbr1' stp='on' delay='0'/> <mac address='52:54:00:9c:8f:7c'/> <ip address='192.168.122.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.122.2' end='192.168.122.25'/> </dhcp> </ip> </network> I can't define another nat network that uses the same IP address range. I assume this is an implementation limit because of how the iptables rules are written/work for doing the NAT. I'd like to have 10 networks with the same default IP address, attached to 10 vms that all run off the same read-only image. I know that I could use different ranges and then have my vms use dhcp, and or a few other similar ways. I'm limited by the virtual image I want to run (close source OS, licensed-and-IP-locked software - I have plenty of licences for instances). I'd love to replace my 10 instances all with their own IPs on a public bridge with 10 NAT'd instances all using the same IP each on their own little network world - so I'd make a separate bridge for each, but of course it doesn't work. I have a proof-of-concept setup where I use a routed private network + nat with the application vm and a small linux vm in pairs. The linux vms have a public IP, and a private bridge with a fixed ip to be the default route of the app vm. Then the app vm can have a fixed ip, route to a fixed default route, and get natted to whatever it's buddy router vm's public IP is. This works - but then I have 20 vms instead of 10. They are small and dont use much cpu, but they use ram... which is somewhat constraining. And I have to maintain a router image. I'm going to settle for this setup If I have to, but I'd rather not. So I had the bright idea of somehow routing/natting each vm through a network namespace. I could perhaps avoid having to have a whole separate linux instance just to get a copy of the network stack to do nat with. I'm kind of struggling to see how I'd could have each libvirt vm run in it's own namespace. I don't think it is possible actually. But perhaps I could use an extra set of IPs and an extra bridge/veth-pair to work some kind of magic. Anyone out there doing something like this? Can you help me wrap my head around how to mix libvirt kvm VMs and network namespaces? Is there some other simpler way to achieve what I want? Thanks. Fred Clift fred(a)clift.org

1 0