On 03/25/2013 16:21, Eric Blake wrote:
> On 03/25/2013 03:09 AM, Benoit Friry wrote:
>> Hello,
>>
>> I test libvirt 0.9.12 on Debian.
>>
>> I am disappointed by changes made on my host without any notice.
>
> The whole point of libvirtd is to make changes on your host; I
> wouldn't go so far as to say that it was without notice, just that
> they are changes that you weren't aware that libvirtd was capable
> of exposing.

I would not say libvirt is just about making changes on the host. I
like the wrapping of the daemonization (instead of some "nohup kvm &")
and the normalization of the commands. And when I run virt-install, I
am not disappointed by the file creation.

>> Examples:
>> - editing interfaces with virsh or virt-manager
>>   modifies my /etc/network/interfaces. It's not clear at first
>>   glance that I can even cut myself from the host when editing
>>   remotely. The initial file is not even saved.
>
> The initial file _is_ saved if you properly use the 'virsh
> iface-begin' command before making any changes, then 'virsh
> iface-commit' if you are happy with the changes. 'virsh
> iface-rollback' will revert you to a previous saved state, and
> since we know that an improper change can cut off connectivity, we
> also set things up so that a host reboot will do an implicit 'virsh
> iface-rollback' on any uncommitted changes.

I did not understand the purpose of these commands. Unfortunately, they
are not available in virt-manager.

>> - starting default network (nat) adds rules in netfilter. I have
>>   not seen how to create another network nat conf without calling
>>   clean-traffic nwfilter (it is not explicit in network XML file).
>>   Is it hardcoded?
>
> What distro are you using? The clean-traffic nwfilter is not
> installed by default on Fedora, so I'm wondering if you are hitting
> a distro-specific add-on, or something that is added by a higher
> layer of the virt stack than just libvirt. Libvirt's own NAT
> netfilter rules are required for out-of-the-box NAT to a guest, but
> no one says you are forced to use NAT; you can design your own
> bridge and take over the netfilter rules yourself if you don't want
> libvirt messing with iptables.

Debian wheezy, libvirt 0.9.12.
Debian patches are listed on
http://patch-tracker.debian.org/package/libvirt/0.9.12-11
I do not see anything modifying that part. I can be wrong.

>>
>> I think it would be nice:
>> - to be alerted before any host modification,
>
> What did you have in mind? Patches are welcome if you can come up
> with a proposal.

For a beginning, I think it may be valuable to list such behavior in
the README.
http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=README;hb=HEAD
On Debian, and maybe in upstream, clean-traffic nwfilter is activated
for every nat network... But without being listed in the network XML
configuration.

>> - to be able to change the templates, for instance:
>>   - not including any nwfilter when creating a network,
>>   - script called when adding a file in a dir pool,
>>   - and so on.

Another example: what if I want to use BIND9 instead of dnsmasq? BIND9
has a dns64 capability, dnsmasq has not.
dnsmasq, radvd, brctl are hardcoded. Don't you think it would be
better to call a helper script, that can be tweaked by admins?
Thanks & HAND,
benoit
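
The 'virsh iface-begin' / 'virsh iface-commit' / 'virsh iface-rollback' sequence described in the quoted reply above, wrapped around one interface change with a connectivity check, as an added example that is not part of the original message or of libvirt. The function name, the VIRSH override variable, the interface name, the XML file and the check command are assumptions of this example; it is meant to run locally on the host being changed.

```shell
#!/bin/sh
# Added example: wrap a host interface change in libvirt's iface transaction.
# VIRSH is overridable so the logic can be exercised without touching a host.
VIRSH=${VIRSH:-virsh}

# safe_iface_change NAME XML_FILE CHECK_CMD [ARGS...]
# NAME, XML_FILE and CHECK_CMD are supplied by the caller (hypothetical here).
# Returns 0 = committed, 1 = rolled back, 2 = transaction could not be opened.
safe_iface_change() {
    name=$1
    xml=$2
    shift 2

    # Snapshot the current host network configuration.
    $VIRSH iface-begin >/dev/null || return 2

    # Install the new definition and restart the interface so it takes effect.
    if $VIRSH iface-define "$xml" >/dev/null; then
        $VIRSH iface-destroy "$name" >/dev/null 2>&1 || true   # may be inactive
        if $VIRSH iface-start "$name" >/dev/null && "$@"; then
            # Connectivity check passed: make the change permanent.
            $VIRSH iface-commit >/dev/null && return 0
        fi
    fi

    # Anything failed: restore the snapshot and bring the old config back up.
    $VIRSH iface-rollback >/dev/null
    $VIRSH iface-destroy "$name" >/dev/null 2>&1 || true
    $VIRSH iface-start "$name" >/dev/null 2>&1 || true
    return 1
}

# Example call (constructed values):
#   safe_iface_change br0 ./br0.xml ping -c 3 -W 2 192.0.2.1
```

If the script itself dies before committing, the uncommitted change is still covered by the implicit rollback on host reboot mentioned in the reply.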