Running libvirt without dnsmasq
by procmem@riseup.net
Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?
1 week, 5 days
trustGuestRxFilters broken after upgrade to Debian 12
by Paul B. Henson
We've been running Debian 11 for a while, using sr-iov:
<network>
  <name>sr-iov-intel-10G-1</name>
  <uuid>6bdaa4c8-e720-4ea0-9a50-91cb7f2c83b1</uuid>
  <forward mode='hostdev' managed='yes'>
    <pf dev='eth2'/>
  </forward>
</network>
and allocating VFs from the pool:
<interface type='network' trustGuestRxFilters='yes'>
  <mac address='52:54:00:08:da:5b'/>
  <source network='sr-iov-intel-10G-1'/>
  <vlan>
    <tag id='50'/>
  </vlan>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
After upgrading to Debian 12, when I try to start any vm which uses the
trustGuestRxFilters option, it fails to start with the message:
error: internal error: unable to execute QEMU command 'query-rx-filter': invalid net client name: hostdev0
If I remove the option, it starts fine (but of course is broken
functionality-wise, as the option wasn't there just for fun :) ).
Any thoughts on what's going on here? The Debian 12 versions are:
libvirt-daemon/stable,now 9.0.0-4
qemu-system-x86/stable,now 1:7.2+dfsg-7+deb12u3
I see Debian 12 backports has version 8.1.2+ds-1~bpo12+1 of qemu, but no
newer versions of libvirt. I haven't tried the backports version to
see if that resolves the problem.
Thanks much...
1 month, 3 weeks
Reconfiguring a two-VM bridge to two VMs + the host with proper iface naming
by daggs
Greetings,
I have two VMs (vm1 and vm2) connected via a bridge named br1.
libvirt creates two taps, tap0 and tap1.
I'm trying to rename them to something more meaningful for a start.
I assume that I cannot use vnet-vm1 or vnet-vm2, so I decided to configure it like this:
vm1:
<interface type='bridge'>
  <source bridge='br1'/>
  <target dev='vnet1'/>
</interface>
vm2:
<interface type='bridge'>
  <source bridge='br1'/>
  <target dev='vnet2'/>
</interface>
But when I start the VMs, the iface names are still tap1 and tap2. Am I doing something wrong?
In addition, I want to add the host to br1, so I ran this after the bridge exists: ip link set dev tap3 master br1
I see it when I run brctl show br1, but I'm unable to get an IP. Am I doing something wrong here too?
Thanks,
Dagg.
1 month, 3 weeks
[FOSDEM] Call for participation: Virtualization and Cloud infrastructure Room at FOSDEM 2025
by Piotr Kliczewski
We are excited to announce that the call for proposals is now open for the
Virtualization and Cloud infrastructure devroom at the upcoming FOSDEM
2025, to be hosted on Sunday (Feb 2) 2025.
This devroom is a collaborative effort, and is organized by dedicated folks
from projects such as OpenStack, Xen Project, KubeVirt, QEMU, KVM, and
Foreman. We invite everyone involved in these fields to submit your
proposals by December 8th, 2024.
About the Devroom
The Virtualization & IaaS devroom will feature session topics such as open
source hypervisors or virtual machine managers such as Xen Project, KVM,
bhyve and VirtualBox as well as Infrastructure-as-a-Service projects such
as KubeVirt, Apache CloudStack, OpenStack, QEMU and OpenNebula.
This devroom will host presentations that focus on topics of shared
interest, such as KVM; libvirt; shared storage; virtualized networking;
cloud security; clustering and high availability; interfacing with multiple
hypervisors; hyperconverged deployments; and scaling across hundreds or
thousands of servers.
Presentations in this devroom will be aimed at developers working on these
platforms who are looking to collaborate and improve shared infrastructure
or solve common problems. We seek topics that encourage dialog between
projects and continued work post-FOSDEM.
Important Dates
Submission deadline: 8th December 2024
Acceptance notifications: 10th December 2024
Final schedule announcement: 15th December 2024
Devroom: 2nd February 2025
Submit Your Proposal
All submissions must be made via the Pretalx event planning site[1]. It is
a new submission system so you will need to create an account. If you
submitted proposals for FOSDEM in previous years, you won’t be able to use
your existing account.
During submission please make sure to select Virtualization and Cloud
infrastructure from the Track list. Please provide a meaningful abstract
and description of your proposed session.
Submission Guidelines
We expect more proposals than we can possibly accept, so it is vitally
important that you submit your proposal on or before the deadline. Late
submissions are unlikely to be considered.
All presentation slots are 30 minutes, with 20 minutes planned for
presentations, and 10 minutes for Q&A.
All presentations will be recorded and made available under Creative
Commons licenses. In the Submission notes field, please indicate that you
agree that your presentation will be licensed under the CC-By-SA-4.0 or
CC-By-4.0 license and that you agree to have your presentation recorded.
For example:
"If my presentation is accepted for FOSDEM, I hereby agree to license all
recordings, slides, and other associated materials under the Creative
Commons Attribution Share-Alike 4.0 International License.
Sincerely,
<NAME>."
In the Submission notes field, please also confirm that if your talk is
accepted, you will be able to attend FOSDEM and deliver your presentation.
We will not consider proposals from prospective speakers who are unsure
whether they will be able to secure funds for travel and lodging to attend
FOSDEM. (Sadly, we are not able to offer travel funding for prospective
speakers.)
Code of Conduct
Following the release of the updated code of conduct for FOSDEM[3], we'd
like to remind all speakers and attendees that all of the presentations and
discussions in our devroom are held under the guidelines set in the CoC and
we expect attendees, speakers, and volunteers to follow the CoC at all
times.
If you submit a proposal and it is accepted, you will be required to
confirm that you accept the FOSDEM CoC. If you have any questions about the
CoC or wish to have one of the devroom organizers review your presentation
slides or any other content for CoC compliance, please email us and we will
do our best to assist you.
Questions?
If you have any questions about this devroom, please send your questions to
our devroom mailing list. You can also subscribe to the list to receive
updates about important dates, session announcements, and to connect with
other attendees.
See you all at FOSDEM!
[1] https://pretalx.fosdem.org/fosdem-2025/cfp
[2] virtualization-devroom-manager at fosdem.org
[3] https://fosdem.org/2025/practical/conduct/
1 month, 3 weeks
SEV start VM help
by 435285706@qq.com
Hi, I'm new to libvirt. I recently tried to start a SEV VM with secret injection, and the documentation on this is very good. Could you provide me with the steps to start a VM with libvirt's SEV, or documentation on this? Thank you very much!
1 month, 3 weeks
SEV start VM
by 435285706@qq.com
Hi, I'm new to libvirt. I recently tried to start a SEV VM with secret injection, and the documentation on this is very good. Could you provide me with the steps to start a VM with libvirt's SEV, or documentation on this? Thank you very much!
1 month, 4 weeks
FreeBSD dhcp failing with UDP checksum errors
by Richard W.M. Jones
I recently reinstalled Fedora (host) and I'm trying to import a
previously working FreeBSD 13 guest. It boots fine, but fails to get
an address from DHCP. In the FreeBSD boot output it prints:
Starting dhclient.
DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 7
DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 9
DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 9
DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 10
DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 17
5 bad udp checksums in 5 packets
Indeed, tcpdumping the network on the host side shows that checksums
are wrong (note "bad udp cksum" in the reply message):
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 52:54:00:d4:07:ab (oui Unknown), length 300, xid 0xf9ee0d34, secs 53, Flags [none] (0x0000)
Client-Ethernet-Address 52:54:00:d4:07:ab (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Discover
Requested-IP (50), length 4: freebsd.home.annexia.org
Client-ID (61), length 7: ether 52:54:00:d4:07:ab
Hostname (12), length 7: "freebsd"
Parameter-Request (55), length 10:
Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
Unknown (119), MTU (26)
END (255), length 0
PAD (0), length 0, occurs 20
13:07:37.304083 IP (tos 0xc0, ttl 64, id 20207, offset 0, flags [none], proto UDP (17), length 328)
cash.bootps > 192.168.122.203.bootpc: [bad udp cksum 0x7763 -> 0x88a0!] BOOTP/DHCP, Reply, length 300, xid 0xf9ee0d34, secs 53, Flags [none] (0x0000)
Your-IP 192.168.122.203
Server-IP cash
Client-Ethernet-Address 52:54:00:d4:07:ab (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Offer
Server-ID (54), length 4: cash
Lease-Time (51), length 4: 3600
RN (58), length 4: 1800
RB (59), length 4: 3150
Subnet-Mask (1), length 4: 255.255.255.0
BR (28), length 4: 192.168.122.255
Default-Gateway (3), length 4: cash
Domain-Name-Server (6), length 4: cash
END (255), length 0
PAD (0), length 0, occurs 8
I guess this is something to do with checksum offloading. I can only
find ancient bugs related to this. How to fix? The host is:
libvirt-daemon-10.6.0-1.fc41.x86_64
dnsmasq-2.90-3.fc41.x86_64
Linux cash 6.11.0-0.rc5.20240830git20371ba12063.47.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 30 15:36:28 UTC 2024 x86_64 GNU/Linux
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit
2 months
AMD SEV-SNP encryption at rest
by me+libvirt@gsora.xyz
Hello folks,
I’m exploring the capabilities of the AMD SEV-SNP platform for a TEE implementation that will handle and store secret data.
This data should be tied to a single guest; that is, no other guest that boots with the same kernel/initrd/cmdline (in the form of a UKI) should be able to decrypt it.
I have a prototype that encrypts the boot disk with a key derived from the VCEK, but a different guest is able to derive the same key provided it boots the same UKI.
The key has been derived with the snpguest tool developed by the virtee project.
Does anybody have experience with encryption at rest with the AMD SEV SNP platform?
I understand that it’s possible to inject secrets into a SEV VM at creation time, but documentation is scarce on that front.
Thank you
2 months, 1 week
New application (library)
by Erik Huelsmann
Hi!
On https://libvirt.org/apps.html it says to send a mail to this mailing list
to get your app listed on the apps/libraries list.
Over the past months, I've been writing a set of Perl libraries,
culminating in Sys::Async::Virt (https://metacpan.org/pod/Sys::Async::Virt),
which is a library for developing libvirt client applications supporting
the asynchronous paradigm introduced by Future::AsyncAwait
(https://metacpan.org/pod/Future::AsyncAwait).
The library binds to the network protocol and instantiates Perl objects for
manipulating server-side resources. The API tries to stay close to the
Sys::Virt API, although I've been looking closely at the C API as well. At
the time of writing, the local and ssh transports are supported, but work
is ongoing for more.
Not all protocol messages are supported at the moment; 47 out of 448
messages are remaining. Effort to implement them is ongoing here too. The
list of unimplemented messages is published at the bottom of the
documentation page on MetaCPAN referenced above.
Let me know your feedback, or submit your bugs and ideas at
https://github.com/ehuelsmann/perl-sys-async-virt.
Thanks in advance for listing the library!
--
Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
2 months, 2 weeks
How to use UEFI_VARS.fd using virt-manager on Ubuntu 24.04...
by Mario Marietto
Hello.
On FreeBSD I've installed Windows 11 on the first partition of a 200 GB
disk and Android x86 on the second partition of a 200 GB image file called
"Android.img". This is how I boot Android:
/usr/sbin/./bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H -A \
  -s 0,hostbridge \
  -s 1,ahci-hd,/mnt/zroot-133/bhyve/img/Android/Android.img,bootindex=1 \
  -s 13,virtio-net,tap13 \
  -s 29,fbuf,tcp=0.0.0.0:5913,w=1600,h=950,wait \
  -s 30,xhci,tablet \
  -s 31,lpc \
  -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd,/usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd \
As you can see, to boot Android correctly I SHOULD use
"/usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd".
Now I'm using Ubuntu 24.04 and I want to boot Android from the same img
file. But what I don't know is how to add the parameter
"/usr/local/share/uefi-firmware/BHYVE_UEFI_VARS.fd" to virt-manager.
Without it Android will not boot, but only Windows is able to boot, ONLY from
the first partition....
--
Mario.
2 months, 3 weeks