Running libvirt without dnsmasq

Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?

On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@riseup.net wrote:
Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?
The virtual network driver validates existence of dnsmasq at startup, but nothing requires you to actually run the virtual network driver, if you're intending to do your own thing with network setup.

It sounds like you're using the old monolithic 'libvirtd' daemon. We always build libvirt with modules support, so all drivers are dlopen'd on startup. Thus if you're not intending to use the libvirt virtual network feature, simply don't install its module, and then libvirtd will see the module doesn't exist, and skip the dlopen.

If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.

With regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
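The reply above raises two things a host owner has to establish before trusting that dnsmasq can go: whether the virtual-network connection driver module is on disk at all (for the monolithic libvirtd, its absence is what makes the dnsmasq check never run), and whether the host is on monolithic libvirtd or the split virt*d daemons. The script below is an added example, not code from the thread or from the libvirt project. The driver file name, the connection-driver directories and the systemd unit names are assumptions based on common Fedora/RHEL and Debian packaging; confirm them on your own host before relying on the result.

```shell
#!/bin/sh
# Added example (not from the libvirt project): answer "how do I check that?"
# for the two points in the reply above. Driver paths and unit names are
# assumptions drawn from common Fedora/RHEL and Debian packaging.

# Report whether the virtual-network connection driver module is present in
# the given directory. When it is absent, libvirtd skips the dlopen, so the
# dnsmasq validation inside that driver is never reached.
network_driver_state() {
    if [ -e "$1/libvirt_driver_network.so" ]; then
        echo present
    else
        echo absent
    fi
}

# Classify the daemon layout from systemd unit names read on stdin, one per
# line: monolithic (libvirtd), modular (the split virt*d daemons), both or
# none. virtlogd/virtlockd are ignored on purpose: both layouts ship them.
daemon_layout() {
    mono=0
    mod=0
    while IFS= read -r unit; do
        case "$unit" in
            libvirtd.service|libvirtd.socket|libvirtd-ro.socket|libvirtd-admin.socket)
                mono=1 ;;
            virtqemud*|virtnetworkd*|virtstoraged*|virtnodedevd*|virtinterfaced*|virtsecretd*|virtnwfilterd*|virtproxyd*)
                mod=1 ;;
        esac
    done
    if [ "$mono" = 1 ] && [ "$mod" = 1 ]; then
        echo both
    elif [ "$mono" = 1 ]; then
        echo monolithic
    elif [ "$mod" = 1 ]; then
        echo modular
    else
        echo none
    fi
}

# Live inspection only when invoked with --live, so the helpers above can be
# exercised on a machine without libvirt installed.
if [ "${1:-}" = "--live" ]; then
    # Assumed driver directories: Fedora/RHEL use /usr/lib64, Debian uses the
    # multiarch directory. The first one that exists is inspected.
    for d in /usr/lib64/libvirt/connection-driver \
             /usr/lib/x86_64-linux-gnu/libvirt/connection-driver \
             /usr/lib/libvirt/connection-driver; do
        [ -d "$d" ] || continue
        echo "network driver in $d: $(network_driver_state "$d")"
        break
    done
    echo "daemon layout: $(systemctl list-unit-files --type=service,socket --no-legend \
        | awk '{print $1}' | daemon_layout)"
    # Defence in depth once the layout is modular and every guest sits on your
    # own bridge: masking the units guarantees virtnetworkd (and with it
    # dnsmasq) cannot be socket-activated. A guest that still references a
    # libvirt virtual network will then fail to start, which is the signal
    # you want.
    echo "to pin it: systemctl mask virtnetworkd.service virtnetworkd.socket" \
         "virtnetworkd-ro.socket virtnetworkd-admin.socket"
fi
```

Run it as `sh check-libvirt-net.sh --live` on the host. On a Debian bookworm box the driver will report `present` regardless of what you want, because, as the later replies in this thread explain, the package bundles all connection drivers; there the daemon-layout result and the masking step are what you act on.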

On Wed, Jun 19, 2024 at 7:30 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@riseup.net wrote:
Hi, we are trying to document a way for our users to run libvirt without
...
The virtual network driver validates existence of dnsmasq at startup, but nothing requires you to actually run the virtual network driver, if you're intending to do your own thing with network setup.
...
If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.
Just checking my understanding here. I set up a home lab with a load of RHEL software. I already had DHCP and DNS and didn't want dnsmasq to run. I defined a bridge, told libvirt about it, and also ran all the modular daemons (I didn't really understand them and copied the systemctl commands to start libvirt modular daemons).

How useful is virtnetworkd in this situation? Shall I just leave it off?

reference
systemctl commands to start libvirt modular daemons
https://libvirt.org/daemons.html#switching-to-modular-daemons
network descriptions
https://wiki.libvirt.org/VirtualNetworking.html

my home lab code (all ansible playbooks, I'm afraid)
ansible to start modular daemons
https://github.com/nickhardiman/ansible-collection-aap2-refarch/blob/main/ro...
define a bridge
https://github.com/nickhardiman/ansible-collection-aap2-refarch/blob/main/ro...
tell libvirt about the bridge
https://github.com/nickhardiman/ansible-collection-aap2-refarch/blob/main/ro...

On Thu, Jun 20, 2024 at 09:18:30AM +0100, Nicholas Hardiman wrote:
On Wed, Jun 19, 2024 at 7:30 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@riseup.net wrote:
Hi, we are trying to document a way for our users to run libvirt without
...
The virtual network driver validates existence of dnsmasq at startup, but nothing requires you to actually run the virtual network driver, if you're intending to do your own thing with network setup.
...
If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.
Just checking my understanding here. I set up a home lab with a load of RHEL software. I already had DHCP and DNS and didn't want dnsmasq to run. I defined a bridge, told libvirt about it, and also ran all the modular daemons (I didn't really understand them and copied the systemctl commands to start libvirt modular daemons.
How useful is virtnetworkd in this situation? Shall I just leave it off?
virtnetworkd is primarily for providing the NAT based connectivity. If you're creating standalone bridges for your LAN, then you don't need virtnetworkd.

With regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
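The distinction in the reply above is visible in each guest's XML: an `<interface type='network'>` with `<source network='...'/>` is served by virtnetworkd (and, for a NAT network, by its dnsmasq), whereas `<interface type='bridge'>` with `<source bridge='br0'/>` plugs the guest straight into a host bridge and never involves that daemon. The script below is an added example, not code from the thread or from libvirt: it scans domain XML for interfaces that would pull virtnetworkd in, so you can see which guests still need converting before the daemon is masked or the driver removed. The `virsh` invocations in the `--live` branch are real commands; the matching is textual and assumes the usual single-element-per-tag output of `virsh dumpxml`, not a full XML parse.

```shell
#!/bin/sh
# Added example (not from the libvirt project): find guests whose interfaces
# reference a libvirt virtual network and therefore depend on virtnetworkd.

# Count <interface type='network'> elements in domain XML read on stdin.
# Tolerates either quote style and any attribute order inside the tag.
count_network_interfaces() {
    n=$(grep -o '<interface[^>]*>' | grep -Ec "type=['\"]network['\"]") || true
    echo "${n:-0}"
}

# Print the name of every virtual network referenced by a <source network=...>
# element in domain XML read on stdin, one per line. Tags are first split one
# per line so single-line XML (as pasted in mail) is handled too.
list_network_sources() {
    tr '>' '\n' | sed -n "s/.*<source network=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Live scan only when invoked with --live, so the helpers can be exercised on
# a machine without libvirt. Lists every defined guest that still has at
# least one interface on a libvirt virtual network.
if [ "${1:-}" = "--live" ]; then
    for dom in $(virsh list --all --name); do
        n=$(virsh dumpxml "$dom" | count_network_interfaces)
        if [ "$n" -gt 0 ]; then
            nets=$(virsh dumpxml "$dom" | list_network_sources | tr '\n' ' ')
            echo "$dom: $n interface(s) on virtual network(s): $nets"
        fi
    done
    echo "guests not listed above can run with virtnetworkd masked"
fi
```

A guest that shows up here is converted by replacing the interface's `type='network'` and `<source network='default'/>` with `type='bridge'` and `<source bridge='br0'/>` (your own bridge name) via `virsh edit`; once the list is empty, nothing will socket-activate virtnetworkd. Note that a libvirt network defined with `<forward mode='bridge'/>` is still owned by virtnetworkd; only the `type='bridge'` interface form bypasses it.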

Hi all,

I am using libvirt for more than 10 years, and I have installed it on lots of servers, with dozens of VMs. Network performance from VMs to host has always been at top.

But for the first time I am in front of this problem:

Replacing an old platform made of 2 servers Fedora (36 upgraded to) 37 by 2 servers (H/W stronger) with Fedora 39, same .qcow2 disk images for VMs, I found out that response times are 2.5 times higher on the new platform than on the old one.

I have checked H/W, new are better.

I have checked standard network configuration, identical, virtio is best (same as older) like I saw in my google searches.

Then I checked network performances:

On old platform, from VM1 to guest: iperf3

    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec    0             sender
    [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec                  receiver

On new platform:

    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec   17             sender
    [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec                  receiver

So intrinsic network performances are ten times better on old platform.

All VMs network definitions are identical:

    <interface type='network'>
      <mac address='52:54:xx:yy:zz:53'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </interface>

On the host:

    <network>
      <name>default</name>
      <uuid>cfcfeeb6-3aa2-4732-9ca4-caf5b6554f2a</uuid>
      <forward mode='nat'/>
      <bridge name='virbr0' stp='on' delay='0'/>
      <mac address='52:54:00:82:33:0c'/>
      <ip address='10.0.10.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='10.0.10.170' end='10.0.10.195'/>
        </dhcp>
      </ip>
    </network>

chatGPT has no clue either.

May I have some help?

Thx
Patrick

Hi,

Can anyone help?

Thanks
Patrick

On 21/06/2024 at 10:57 AM, Patrick Chemla wrote:
Hi all,
I am using libvirt for more than 10 years, and I have installed it on lots of servers, with dozens of VMs. Network performance from VMs to host has always been at top.
But for the first time I am in front of this problem:
Replacing an old platform made of 2 servers Fedora (36 upgraded to) 37 by 2 servers (H/W stronger) with Fedora 39, same .qcow2 disk images for VMs, I found out that response times are 2.5 times higher on the new platform than on the old one.
I have checked H/W, new are better.
I have checked standard network configuration, identical, virtio is best (same as older) like I saw in my google searches.
Then I checked network performances:
On old platform, from VM1 to guest: iperf3

    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec    0             sender
    [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec                  receiver

On new platform:

    [ ID] Interval           Transfer     Bitrate         Retr
    [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec   17             sender
    [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec                  receiver

So intrinsic network performances are ten times better on old platform.
All VMs network definitions are identical:

    <interface type='network'>
      <mac address='52:54:xx:yy:zz:53'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </interface>

On the host:

    <network>
      <name>default</name>
      <uuid>cfcfeeb6-3aa2-4732-9ca4-caf5b6554f2a</uuid>
      <forward mode='nat'/>
      <bridge name='virbr0' stp='on' delay='0'/>
      <mac address='52:54:00:82:33:0c'/>
      <ip address='10.0.10.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='10.0.10.170' end='10.0.10.195'/>
        </dhcp>
      </ip>
    </network>

chatGPT has no clue either.
May I have some help?
Thx
Patrick

On 6/19/24 18:30, Daniel P. Berrangé wrote:
On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@riseup.net wrote:
Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?
The virtual network driver validates existence of dnsmasq at startup, but nothing requires you to actually run the virtual network driver, if you're intending to do your own thing with network setup.
It sounds like you're using the old monolithic 'libvirtd' daemon. We always build libvirt with modules support, so all drivers are dlopen'd on startup.
How to check that?
Thus if you're not intending to use the libvirt virtual network feature, simply don't install its module, and then libvirtd will see the module doesn't exist, and skip the dlopen.
That sounds like something people would do who compile from source code? We're using libvirtd (9.0.0-4) from Debian package sources. [1]
If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.
That is libvirtd 9.x or 10.x?

Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging?

[1] packages.debian.org/bookworm/libvirt-daemon

On Sat, Jun 22, 2024 at 07:42:00PM +0000, procmem@riseup.net wrote:
On 6/19/24 18:30, Daniel P. Berrangé wrote:
On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem@riseup.net wrote:
Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?
The virtual network driver validates existence of dnsmasq at startup, but nothing requires you to actually run the virtual network driver, if you're intending to do your own thing with network setup.
It sounds like you're using the old monolithic 'libvirtd' daemon. We always build libvirt with modules support, so all drivers are dlopen'd on startup.
How to check that?
Thus if you're not intending to use the libvirt virtual network feature, simply don't install its module, and then libvirtd will see the module doesn't exist, and skip the dlopen.
That sounds like something people would do who compile from source code?
We're using libvirtd (9.0.0-4) from Debian package sources. [1]
This is possible on Fedora/RHEL with the RPM packages, but it seems Debian just bundle it all into one package :-( https://packages.debian.org/bookworm/amd64/libvirt-daemon/filelist
If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.
That is libvirtd 9.x or 10.x?
Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging?
[1] packages.debian.org/bookworm/libvirt-daemon
Yes, it seems Debian is intentionally not shipping them :-(

With regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Mon, Jun 24, 2024 at 11:42:46AM +0100, Daniel P. Berrangé wrote:
On Sat, Jun 22, 2024 at 07:42:00PM +0000, procmem@riseup.net wrote:
Thus if you're not intending to use the libvirt virtual network feature, simply don't install its module, and then libvirtd will see the module doesn't exist, and skip the dlopen.
That sounds like something people would do who compile from source code?
We're using libvirtd (9.0.0-4) from Debian package sources. [1]
This is possible on Fedora/RHEL with the RPM packages, but it seems Debian just bundle it all into one package :-(
https://packages.debian.org/bookworm/amd64/libvirt-daemon/filelist
FYI this has been possible in Debian unstable/testing for a few months now, specifically from version 10.6.0-2 forward. Unfortunately it's going to be a long while before those changes are included in a stable release.
If you're using the new modular daemons, then even if installed, the virtnetworkd daemon won't get launched unless some guest is configured to use it. So if you're intending to set up network bridges yourself, virtnetworkd shouldn't run.
That is libvirtd 9.x or 10.x?
Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging?
Yes, it seems Debian is intentionally not shipping them :-(
It's not a matter of intention as much as it is one of resources. I maintain the Debian package in my spare time and I just haven't gotten around to implementing this specific transition yet. It'll come eventually.

-- 
Andrea Bolognani / Red Hat / Virtualization
participants (5)
- Andrea Bolognani
- Daniel P. Berrangé
- Nicholas Hardiman
- Patrick Chemla
- procmem@riseup.net