Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

On 09/24/2015 01:59 PM, C.L. Martinez wrote:

> I will do some tests using openvswitch bridges to my KVM machines. One
> of these tests is to add a wlan0 adapter from the command line but only when
> this wlan0 is associated with an SSID, without assigning an IP.
>
> Is this possible?

Usually it's not.

When you connect as a station to the infrastructure (AP) - e.g. without
WDS or proprietary extensions enabled - every frame transmitted in
between has three addresses: your station MAC, BSSID (AP MAC for
simplicity), destination MAC.


WPA(2) PSK encryption is using your station MAC. So if you try to 
transmit a packet with MAC address other than yours, it won't be 
decrypted thus no transmission.


To cut the long story short AFAIK you can't bridge on WiFi client side 
with WPA(2) PSK encryption. But you can using WEP (or no encryption at 
all). Beware - WEP is as insecure as no encryption - it's cracked 
literally in minutes.


You could run WDS in AP-AP mode with the help of hostap suite or have a 
proprietary solution (WNIC and/or driver).


Otherwise you can NAT/route it.

Best regards,
Dmitry Mikhailov
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

Followup

On 09/24/2015 01:59 PM, C.L. Martinez wrote:

https://wiki.debian.org/BridgeNetworkConnections#Bridging_with_a_wireless_NIC?

They are doing an interesting Ethernet NAT with the following idea:

Your wireless station has MAC "A" and IP "X"
The virtual machine on the wireless station has MAC "B" and IP "Y"

1) To the outside world both your wireless station and virtual machine 
IPs would share the same MAC:

Arp:
IP "X": MAC "A"
IP "Y": MAC "A" (translated from "B")

2) Every ingress packet coming to your wireless station with the VM's IP
"Y" would have its MAC changed back


This scheme could provide you connectivity but it's hacky and it 
requires you to know the MAC and IP address combination of VM. So IMHO 
it's not really everyday mess-free usable.


I'd prefer to have a real routing set up. Simple, fast and reliable.
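
The MAC translation described in the message above, written out as ebtables rules (an added example, not part of the original post): the script only prints the rules, it applies nothing. The interface name, MAC addresses and IP addresses are constructed, and the IP=MAC argument format is an assumption of this sketch.

```shell
#!/bin/sh
# Dry-run generator for the scheme above: prints ebtables rules, applies none.
# The MACs and IPs in the sample call are constructed values.

is_mac()  { printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# $1 wireless interface   $2 station MAC ("A")
# $3... one "IP=MAC" pair per guest ("Y=B"); this pair format is hypothetical
plan_mac_nat() {
    wif=$1 sta_mac=$2
    [ $# -ge 3 ] || { echo "usage: plan_mac_nat IFACE STATION_MAC IP=MAC..." >&2; return 1; }
    shift 2
    is_mac "$sta_mac" || { echo "bad station MAC: $sta_mac" >&2; return 1; }
    # Validate every pair before printing anything, so a typo never yields a
    # half-built rule set that rewrites egress but not ingress.
    for pair in "$@"; do
        if ! is_ipv4 "${pair%%=*}" || ! is_mac "${pair#*=}"; then
            echo "bad guest pair (want IP=MAC): $pair" >&2
            return 1
        fi
    done
    # 1) Egress: every frame leaving over wifi, ARP payload included, carries
    #    the station MAC, so the outside world sees IP "Y" at MAC "A".
    echo "ebtables -t nat -A POSTROUTING -o $wif -j snat --to-src $sta_mac --snat-arp --snat-target ACCEPT"
    # 2) Ingress: frames addressed to a guest IP get the guest MAC back.
    for pair in "$@"; do
        ip=${pair%%=*} mac=${pair#*=}
        echo "ebtables -t nat -A PREROUTING -p IPv4 -i $wif --ip-dst $ip -j dnat --to-dst $mac --dnat-target ACCEPT"
        echo "ebtables -t nat -A PREROUTING -p ARP -i $wif --arp-ip-dst $ip -j dnat --to-dst $mac --dnat-target ACCEPT"
    done
}

# Constructed sample: station MAC "A", one guest with IP "Y" and MAC "B".
plan_mac_nat wlan0 02:00:00:00:00:0a 192.0.2.20=02:00:00:00:00:0b
```

Every guest needs its own IP=MAC pair, which is the maintenance cost the message points out.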


Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

On 09/24/2015 03:21 PM, C. L. Martinez wrote:

> Thanks Dimitry, but I use wlan0 or eth0 to connect my laptop to
> different networks. I use a vm as fw and I would like to have all vms
> and laptop behind this fw vm guest.
>
> Another option is to assign an IP to these interfaces and natting all
> to this fw vm ... but I don't like this option


It isn't going to be safe, simple and reliable. You won't have anything 
like 'NetworkManager' on the laptop host OS. It either should be heavily 
scripted or not done at all.


You could write some fancy ebtables rules to do one-to-one MAC mapping 
between the fw VM interface and host interface and run DHCP client on 
the fw VM.


On the host you'd have static route to another fw VM interface.

But I can't imagine all the hotplug event scripting. How could fw VM
find out if it's time to (re-)run DHCP client? How would you configure
WPA keys on the host? How would you find out if WiFi is disconnected, cable
is connected and it's time to redo MAC mapping with another MAC address?


Without some real effort it's going to be fully (partly?) manual config
with wpa_supplicant, ebtables and ssh'ing to fw VM involved. I doubt I
would like to change from NetworkManager to this stuff instead.


That's why they do https://www.anonabox.com/
Otherwise you can get some OpenWRT on a commodity router to run some VPN 
or T#r or some other funny stuff




Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

On 09/24/2015 04:47 PM, Alvin Starr wrote:

> Actually I do a similar thing.

Do you?

> I use a VM as my home/office firewall.

If your laptop/server/smth is permanently wired to the internet, there's
no problem to bridge this interface to the VM.


But the topic starter wants to connect to the cable or wifi and still 
have a firewall VM. WiFi client connection with WPA(2) PSK encryption 
does allow only the station's MAC in the air.


Thus topic starter needs some hotplug event scripting, wpa_supplicant
being started manually, fancy ebtables rules to make it work, some way
to notify the fw VM that network config changed so it would rerun
dhclient. Yea, and he should have some GUI/TUI to have it managed. No
NetworkManager GUI here.




> It works quite well and I would argue it is as secure as your standard
> firewall based on something like openWRT running on dedicated hardware.

As aforementioned, it's a bit complicated setup. And if you're thinking
security-wise, imagine you need T#r or some fancy VPN to get your job
done AND due to some minuscule scripting glitch a SINGLE packet would
fly out of your real IP address - you're busted.

To be self-assured during such an intimate workout, you'd want to have a
physical cable to the physical router that's performing the encryption
job. No VPN/T#r/smth - no juice. Simple, bulletproof.



> I also run a wireless AP in bridged mode to allow local network access
> on an appliance.

Do you connect to the AP wirelessly as the client to have a firewall VM
running over that WiFi?


Or have you connected the AP via cable to the server/router with fw VM 
to provide connectivity to other clients?



> There should be no reason that you could not put both on the same
> physical hardware.

You could. But it's hard to use in everyday life of typical usage. If
the user is a sysadm/hacker who doesn't mind issuing several commands
from the console upon every successful wifi/wired connection - then welcome!



> As for the openvswitch original question.
> Openvswitch has an API that you can access to manage your traffic along
> with supporting Openflow.
> If you can get events from your wireless interface then you could write
> some programs to connect to the switch API.

I do want to see a neat solution please. Maybe I'm just too lazy.



Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

On 09/24/2015 08:31 PM, C. L. Martinez wrote:

> Simple, Windows 2012 creates a virtual bridge with the same MAC
> address as wlan has.

Ok. Windows does just the same. Thanks for the ARP table. [For ML
readers - it was sent directly]. Now we know what the money is paid for :)

> But, I think it could not be possible to bridge
> wlan interfaces with brctl or openvswitch according to what I am seeing
> and reading

Quite possible with the invaluable help of Nux:
Parprouted + NetworkManager scripting should do the trick.


> Ok, I will try a different approach. I can see two possible solutions:
>
> a) Pass wlan via PCI-Passthrough to fw vm

Would work even better but I don't think the laptop would suspend.

> b) Using iptables+iproute2 rules in laptop and redirect/nat all
> traffic from/to fw vm.
>
> I will try b) option first. I know what type of iptables I need to use
> and what type of config I need to do so that iproute2 works as I need.
>
> But I see one problem: I need to redirect ALL traffic from outside to
> inside: ip, ipv6, tcp, tcp6, igmp, etc ... and I don't know what type
> of iptables I need to configure.
>
> Any tip??

Try the aforementioned unnumbered option first. Can't say anything about
IPv6 - sadly not proficient. For IPv4 you won't need iptables, only iproute:

1) save and delete the current wireless default gateway IP
2) create a source-based policy routing rule so traffic from the fw VM IP
address would have the earlier saved IP as a gateway IP
3) set the default gateway IP to the IP address of another interface
(it's a requirement) of the fw VM.
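
The three iproute2 steps from the message above, written out as a dry-run planner (an added example, not part of the original post): it prints the commands instead of running them. The addresses, the interface name virbr1 and routing table id 100 are assumptions.

```shell
#!/bin/sh
# Dry-run planner: prints the iproute2 commands for the three steps above and
# runs none of them. All addresses and interface names are constructed.

# Print "<gateway> <device>" parsed from one `ip -4 route show default` line.
parse_default_route() {
    p_gw="" p_dev="" prev=""
    for word in $1; do              # unquoted on purpose: split into words
        case "$prev" in
            via) p_gw=$word ;;
            dev) p_dev=$word ;;
        esac
        prev=$word
    done
    [ -n "$p_gw" ] && [ -n "$p_dev" ] || return 1
    printf '%s %s\n' "$p_gw" "$p_dev"
}

# $1 default-route line   $2 fw VM IP whose traffic goes out over wifi
# $3 fw VM IP on its other interface   $4 host interface towards $3
# $5 routing table id (assumed unused; default 100)
plan_fw_routing() {
    parsed=$(parse_default_route "$1") || {
        echo "no 'via ... dev ...' default route in: $1" >&2
        return 1
    }
    gw=${parsed% *} wan_dev=${parsed#* }
    fw_out=$2 fw_in=$3 in_dev=$4 table=${5:-100}
    # The message states this as a requirement: the host's new default
    # gateway is the fw VM's other interface, not the policy-routed one.
    if [ "$fw_in" = "$fw_out" ]; then
        echo "fw VM gateway IP must be on another interface than $fw_out" >&2
        return 1
    fi
    # Step 1: save the wifi gateway in a private table, then delete it.
    echo "ip route add default via $gw dev $wan_dev table $table"
    echo "ip route del default via $gw dev $wan_dev"
    # Until step 3 the main table has no default route, so the host's own
    # traffic fails closed instead of bypassing the firewall VM.
    # Step 2: only packets sourced from the fw VM may use the saved gateway.
    echo "ip rule add from $fw_out lookup $table"
    # Step 3: everything else on the host leaves through the fw VM.
    echo "ip route add default via $fw_in dev $in_dev"
}

# Constructed sample, shaped like `ip -4 route show default` output.
plan_fw_routing "default via 192.0.2.1 dev wlan0 proto dhcp metric 600" \
    192.0.2.50 198.51.100.1 virbr1
```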





Re: [CentOS-virt] OT: adding a wifi adapter to openvswitch

2015-09-24 Thread Dmitry E. Mikhailov

On 09/24/2015 08:22 PM, Nux! wrote:

> I know people used Parprouted to help with bridging wired with wireless. Have a
> look at it.

Somebody already automated the ARP mangling. Brilliant.

I wonder if there's a way to run a script upon every NetworkManager 
connection event.


Topic starter wrote me that he bridged wired and wireless on Windows 
Server 2012 and it works for Hyper-V VM OOTB.


Still hoping to get the ARP table I asked to confirm.



Re: [CentOS-virt] Using STP in kvm bridges

2015-09-16 Thread Dmitry E. Mikhailov

On 09/16/2015 03:27 PM, Dennis Jacobfeuerborn wrote:

> You should always enable STP on a bridge unless you have a very specific
> reason not to.

It's a question in the area of network administration.

STP is slow by today's standards - 50 seconds to wait until it 
rearranges the topology is too much. And RSTP isn't supported without a 
special daemon.


Next, if you want some physical link level redundancy you'd better go 
LACP - anyway almost every managed switch that has STP also has LACP 
today. And you can also get speed improvement.


Next, I doubt anyone would create two vNICs on a VM that connect to the 
same physical network. I see no point. The chances are they're going to 
be VLANs on a physical network. So you need VSTP. Does your switch do 
VSTP and are you up to configure it?


Thus personally I don't see a point in carelessly enabling STP on a 
hardware node.




Re: [CentOS-virt] Using STP in kvm bridges

2015-09-16 Thread Dmitry E. Mikhailov

On 09/16/2015 03:18 PM, C.L. Martinez wrote:

> Thanks Dmitry... Uhmm, but my case is: "b) you provide more than one
> network interface to the virtual machine". I have several kvm guests
> with 3 or more network interfaces ... In this case, do you recommend to
> enable STP??

If you are the one who manages the VM's and you're not masochistic to
intentionally bridge vNICs inside some VM, you don't need it.




Re: [CentOS-virt] Using STP in kvm bridges

2015-09-16 Thread Dmitry E. Mikhailov

On 09/16/2015 03:27 PM, Dennis Jacobfeuerborn wrote:

> You should always enable STP on a bridge unless you have a very specific
> reason not to.

And what's the reason if you're not a hosting provider or an enterprise
with heavy and complicated infrastructure?



[CentOS-virt] KVM virtio block layer - is TRIM/DISCARD supported?

2013-02-02 Thread Dmitry E. Mikhailov
Hi,

One question please:

If I use SSD as a storage on a host machine, does KVM's virtio I/O layer
pass the TRIM/DISCARD commands to the SSD?

I guess the question would be twofold:
1) is TRIM supported/forwarded if only one LVM'ed partition of SSD is
forwarded?
2) is TRIM supported/forwarded if full SSD is forwarded (i.e. /dev/sdX)

-- 
Best regards,
Dmitry Mikhailov



Re: [CentOS-virt] Time

2013-01-02 Thread Dmitry E. Mikhailov
On Wed, 2013-01-02 at 00:53 -0800, Robert Dinse wrote:
> Friday, I moved our servers to a new co-lo facility and ran into an
> interesting problem with virtual machines.
>
> I did an orderly shutdown of the CentOS 6.3 host, and it in turn suspends
> all the guests.  It took about an hour and a half to move and fire up the
> host.
>
> The guests, being suspended, were then an hour and a half behind and it
> seems ntpd does not want to correct more than 1000 seconds of error so it
> would not automatically adjust the clocks.
>
> I tried the -g argument which is supposed to override the 1000 second
> limit

It is not supposed to:
from 'man ntpd':
QUOTE
The -g option overrides this check and the clock will be set to the server
time regardless of the chip time. However, and to protect against broken
hardware, such as when the CMOS battery fails or the clock counter becomes
defective, once the clock has been set, an error greater than 1000s will
cause ntpd to exit anyway.
/QUOTE

So after initial time set ntpd would enforce its 1000s limit anyway.

Moreover, it would take too much time for ntpd to synchronize an hour
difference.

> but it did not.  I ended up having to manually set the clocks close
> enough for ntpd to correct.
>
> Since there is no hardware clock for the virtual machines to use when
> they boot, it seems that shutdown and reboot of the virtual machines
> probably would not have avoided this.

IMHO it would help. There is some emulated hardware clock for a virtual
machine but Linux doesn't use it except for bootup. Otherwise virtual
machine won't get correct time at all. There's the 'hwclock' application
mentioned in init scripts which synchronizes Linux clock to hardware
(hwclock --hctosys) on bootup and does reverse on shutdown (hwclock
--systohc). Obviously in the virtual environment the last command would
be ignored :-).

> Any suggestions for addressing this particular scenario other than having
> to manually set a bunch of clocks?

Reboot. Or manually stop ntpd and do 'ntpdate'. Or you could manually
try hwclock --hctosys. I'd like to know if it would succeed.

-- 
Best regards,
Dmitry Mikhailov



Re: [CentOS-virt] (no subject)

2012-12-09 Thread Dmitry E. Mikhailov
On Sat, 2012-12-08 at 14:17 -0500, Steve Thompson wrote:
> On Sat, 8 Dec 2012, SilverTip257 wrote:
>
> > I have a WinXP Pro 32bit VM with virtio drivers and it runs just fine.
> > I don't watch the load on it, so I don't know if its CPU goes idle.  I'll
> > have to take a peek at it next week.
>
> I have XP, 2003 and Win7 with virtio drivers, and the CPU does go idle on
> all of them when Windows is doing nothing.

Are we talking about virtual machine's CPU that goes idle or host cpu
that goes idle (i.e. host OS load decreasing) when virtual machine does
nothing?

> However, Windows is often not
> doing nothing; make sure that you have volume indexing, for example,
> turned off.
>
> Steve


Re: [CentOS-virt] (no subject)

2012-12-08 Thread Dmitry E. Mikhailov
On Sat, 2012-12-08 at 06:48 +0100, Zoltan Frombach wrote:
> I've also heard that older versions of Windows don't put the CPU to
> idle mode even when there is nothing to do. It is a known problem with
> older Windows kernels.

Windows is installed without ACPI, this way the CPU does not get IDLE 
instructions and Windows uses all vCPU time it can get.
I don't know why ACPI is deactivated by default - some say performance
without ACPI is higher, some say because of compatibility - anyway you
have to choose between high load of host machine's CPU at ALL time or
the best performance of Windows virtual machine when under load.

My choice is to enable ACPI on windows virtual machines and the problem
is solved.

# virsh edit WinXP

  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>


You should have <acpi/> in <features>. If you don't - add it.

Another way to add it is to open virtual machine manager (virt-manager),
open virtual machine there, go to 'details' (button with blue 'i' on
it), look in 'overview' screen, open 'Machine Settings', mark 'enable
ACPI' there.

Best regards,
Dmitry Mikhailov.



 Anyway, try to install the latest virtio drivers for Windows if you 
 don't already have.
 
 On 12/7/2012 9:18 PM, Robert Dinse wrote:
About the only thing you can do is not run Windows, or at least that
  version, XP does the same thing, continuously spins the CPU when there 
  aren't
  any user processes using time.  I've heard this is resolved in Windows-7 but
  haven't tried it personally.
 
 
  On Fri, 7 Dec 2012, Shawn Everett wrote:
 
  Date: Fri, 7 Dec 2012 12:02:14 -0800
  From: Shawn Everett sh...@tandac.com
  Reply-To: Discussion about the virtualization on CentOS
   centos-virt@centos.org
  To: centos-virt@centos.org
  Subject: [CentOS-virt] (no subject)
 
  Hi All,
 
  I have recently installed CentOS 6.3 with QEMU+KVM for Virtualization.
 
  I have successfully created a Windows 2003 VM with 4GB of RAM.  The host
  server is an HP ML350 G8 with 24GB RAM and 24 cores.  Details of one of
  the cores is shown below:
 
  processor   : 23
  vendor_id   : GenuineIntel
  cpu family  : 6
  model   : 45
  model name  : Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz
  stepping: 7
  cpu MHz : 1200.000
  cache size  : 15360 KB
  physical id : 1
  siblings: 12
  core id : 5
  cpu cores   : 6
  apicid  : 43
  initial apicid  : 43
  fpu : yes
  fpu_exception   : yes
  cpuid level : 13
  wp  : yes
  flags   : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca
  cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
  pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology
  nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2
  ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm
  ida arat epb xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid
  bogomips: 3989.86
  clflush size: 64
  cache_alignment : 64
  address sizes   : 46 bits physical, 48 bits virtual
  power management:
 
  On an otherwise completely idle system I've noticed the load to be 1.0 to
  1.5 range.  Running top shows the culprit to be: qemu-kvm.
 
  Is this normal behavior?  I would have expected the load to be pretty 
  light.
 
  Stopping the VM restores the load to normal once again.
 
  Is there anything I can do to reduce the load?
 
  Shawn
 


Re: [CentOS-virt] Accessing NTFS on host from XP/Win7 VM

2012-08-14 Thread Dmitry E. Mikhailov
> I have installed XP as a guest under Centos.
>
> Now I want to install, say firefox, whose setup file is in the second
> NTFS partition of host from the XP guest.
>
> How to make the partition visible to the guest?

Add a full physical disk to the VM:

<disk type='block' device='disk'>
  <driver name='qemu' type='raw' cache='none' io='native'/>
  <source dev='/dev/sda'/>
  <target dev='hda' bus='ide'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

*** WARNING *** WARNING *** WARNING ***
Don't never ever try to boot Linux again from that disk in a virtual
machine OR even write anything onto Linux partitions. Trying to
mount/write already mounted partitions = big shit happens.



Re: [CentOS-virt] (no subject)

2011-07-27 Thread Dmitry E. Mikhailov
On Wednesday 27 July 2011 14:37, Grant McWilliams wrote:
 http://nichejunky.com/google.php
ban this spammer please