Hi, we are trying to document a way for our users to run libvirt without dnsmasq to reduce attack surface on the host. We are aware that the default network uses it but plan to disable that and use our own custom configured networks instead. Uninstalling dnsmasq causes libvirt to refuse to start even if the default network is no longer running. Is this possible or is this something that needs code changes upstream?

On Wed, Jun 19, 2024 at 7:30 PM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: > > On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem(a)riseup.net wrote: > > Hi, we are trying to document a way for our users to run libvirt without ... > > The virtual network driver validates existance of dnsmasq at startup, > but nothing requires you to actually run the virtual network driver, > if you're intending to do your own thing with network setup. ... > If you're using the new modular daemons, then even if installed, the > virtnetworkd daemon won't get launched unless some guest is configured > to use it. So if you're intending to setup network bridges yourself, > virtnetworkd shouldn't run. Just checking my understanding here. I set up a home lab with a load of RHEL software. I already had DHCP and DNS and didn't want dnsmasq to run. I defined a bridge, told libvirt about it, and also ran all the modular daemons (I didn't really understand them and copied the systemctl commands to start libvirt modular daemons. How useful is virtnetworkd in this situation? Shall I just leave it off?

Hi all, I am using libvirt for more than 10 years, and I have installed it on lot of servers, with dozens of VMs. Network performances from VMs to host have always been at top. But first time I am in front of this problem: Replacing an old platform made of 2 servers Fedora (36 upgraded to) 37 by 2 servers (H/W stronger) with Fedora 39, same .qcow2 diskimages for VMs, I found out that response times are 2,5 times higher on the new platform than the old one. I have check H/W, new are better. I have check standard network configuration, identical, virtio is best (same as older) like I saw in my google searches. Then I checked network performances: On old platform, from VM1 to guest: iperf3 [ ID] Interval           Transfer     Bitrate         Retr [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec    0             sender [  5]   0.00-10.00  sec  27.7 GBytes  23.8 Gbits/sec                  receiver On new platform: [ ID] Interval           Transfer     Bitrate         Retr [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec   17             sender [  5]   0.00-10.00  sec  2.67 GBytes  2.29 Gbits/sec                  receiver So intrinsic network performances are ten times better on old platform. All VMs network definitions are identical: <interface type='network'>      <mac address='52:54:xx:yy:zz:53'/>      <source network='default'/>      <model type='virtio'/>      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>    </interface> On the host: <network>  <name>default</name>  <uuid>cfcfeeb6-3aa2-4732-9ca4-caf5b6554f2a</uuid>  <forward mode='nat'/>  <bridge name='virbr0' stp='on' delay='0'/>  <mac address='52:54:00:82:33:0c'/>  <ip address='10.0.10.1' netmask='255.255.255.0'>    <dhcp>        <range start='10.0.10.170' end='10.0.10.195'/>    </dhcp>  </ip> </network> chatGPT has no clue too. May I have some help? Thx Patrick

On 6/19/24 18:30, Daniel P. Berrangé wrote: > On Wed, Jun 19, 2024 at 06:21:29PM -0000, procmem(a)riseup.net wrote: > > Hi, we are trying to document a way for our users to run libvirt without > > dnsmasq to reduce attack surface on the host. We are aware that the > > default network uses it but plan to disable that and use our own custom > > configured networks instead. Uninstalling dnsmasq causes libvirt to > > refuse to start even if the default network is no longer running. > > Is this possible or is this something that needs code changes upstream? > > The virtual network driver validates existance of dnsmasq at startup, > but nothing requires you to actually run the virtual network driver, > if you're intending to do your own thing with network setup. > > It sounds like you're using the old monolithic 'libvirtd' daemon. We > always build libvirt with modules support, so all drivers are dlopen'd > on startup. > How to check that? > Thus if you're not intending to use the libvirt virtual network feature, > simply don't install its modyle, and then libvirtd will see the module > doesn't exist, and skip the dlopen. > That sounds like something people would do who compile from source code? We're using libvirtd (9.0.0-4) from Debian package sources. [1]

> If you're using the new modular daemons, then even if installed, the > virtnetworkd daemon won't get launched unless some guest is configured > to use it. So if you're intending to setup network bridges yourself, > virtnetworkd shouldn't run. > That is libvirtd 9.x or 10.x? Is there a chance that something is wrong with the libvirtd compilation settings by Debian's packaging? [1] packages.debian.org/bookworm/libvirt-daemon