
On 03/25/2013 16:21, Eric Blake wrote:
> On 03/25/2013 03:09 AM, Benoit Friry wrote:
>> Hello,
>>
>> I am testing libvirt 0.9.12 on Debian.
>> I am disappointed by changes made on my host without any notice.
>
> The whole point of libvirtd is to make changes on your host; I wouldn't go so far as to say that it was without notice, just that they are changes that you weren't aware that libvirtd was capable of exposing.

I would not say libvirt is just about making changes on the host. I like the wrapping of the daemonization (instead of some "nohup kvm &") and the normalization of the commands. And when I run virt-install, I am not disappointed by the file creation.

>> Examples:
>> - editing interfaces with virsh or virt-manager modifies my /etc/network/interfaces. It's not clear at first glance that I can even cut myself off from the host when editing remotely. The initial file is not even saved.
>
> The initial file _is_ saved if you properly use the 'virsh iface-begin' command before making any changes, then 'virsh iface-commit' if you are happy with the changes. 'virsh iface-rollback' will revert you to a previous saved state, and since we know that an improper change can cut off connectivity, we also set things up so that a host reboot will do an implicit 'virsh iface-rollback' on any uncommitted changes.

I did not understand the purpose of these commands. Unfortunately, they are not available in virt-manager.

>> - starting the default network (nat) adds rules in netfilter. I have not seen how to create another NAT network conf without calling the clean-traffic nwfilter (it is not explicit in the network XML file). Is it hardcoded?
>
> What distro are you using? The clean-traffic nwfilter is not installed by default on Fedora, so I'm wondering if you are hitting a distro-specific add-on, or something that is added by a higher layer of the virt stack than just libvirt. Libvirt's own NAT netfilter rules are required for out-of-the-box NAT to a guest, but no one says you are forced to use NAT; you can design your own bridge and take over the netfilter rules yourself if you don't want libvirt messing with iptables.

Debian wheezy, libvirt 0.9.12. Debian patches are listed on
http://patch-tracker.debian.org/package/libvirt/0.9.12-11
I do not see anything modifying that part. I can be wrong.

>> I think it would be nice:
>> - to be alerted before any host modification,
>
> What did you have in mind? Patches are welcome if you can come up with a proposal.

For a beginning, I think it may be valuable to list such behavior in the README.
http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=README;hb=HEAD
On Debian, and maybe in upstream, the clean-traffic nwfilter is activated for every NAT network... but without being listed in the network XML configuration.

>> - to be able to change the templates, for instance:
>>   - not including any nwfilter when creating a network,
>>   - a script called when adding a file in a dir pool,
>>   - and so on.

Another example: what if I want to use BIND9 instead of dnsmasq? BIND9 has a dns64 capability, dnsmasq does not. dnsmasq, radvd, brctl are hardcoded. Don't you think it would be better to call a helper script that can be tweaked by admins?

Thanks & HAND,
benoit
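The iface-begin / iface-commit / iface-rollback transaction that Eric describes, as an added shell example that is not part of the thread or of libvirt itself: it assumes virsh is on PATH and talks to the local libvirtd, and it uses a placeholder PROBE_HOST address (192.0.2.1, from TEST-NET-1) that you would replace with your management gateway.

```sh
#!/bin/sh
# Added example: apply a host interface change under libvirt's interface
# transaction, so a change that cuts remote connectivity is rolled back
# instead of being left in place.
# Assumptions: 'virsh' on PATH (overridable via VIRSH for testing), and
# connectivity probed with iputils 'ping -W' against PROBE_HOST (placeholder).
VIRSH="${VIRSH:-virsh}"
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"   # placeholder; use your gateway

# Returns 0 when the host can still reach PROBE_HOST, 1 otherwise.
connectivity_ok() {
    ping -c 1 -W 3 "$PROBE_HOST" >/dev/null 2>&1
}

# safe_iface_change CMD [ARGS...]
# 1. 'virsh iface-begin' snapshots the current interface configuration.
# 2. CMD performs the change (e.g. "virsh iface-define new-bridge.xml").
# 3. Commit only if CMD succeeded AND the host is still reachable;
#    otherwise 'virsh iface-rollback' restores the snapshot.
# Exit status: 0 committed, 1 rolled back, 2 transaction could not start.
safe_iface_change() {
    "$VIRSH" iface-begin >/dev/null || return 2
    if "$@" && connectivity_ok; then
        "$VIRSH" iface-commit >/dev/null
        return 0
    fi
    "$VIRSH" iface-rollback >/dev/null
    return 1
}

# Direct use:  ./safe-iface.sh virsh iface-define new-bridge.xml
if [ "$#" -gt 0 ]; then
    safe_iface_change "$@"
fi
```

Uncommitted changes are also rolled back implicitly on the next host reboot, so a session lost mid-change is not fatal.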