Re: [libvirt] [PATCHv3 0/4] util: fix libvirtd startup failure due to netlink error
On Fri, 2012-05-04 at 14:51 -0400, Laine Stump wrote:
> As before, I'm unable to fully test this myself, so I won't push unless/until I get verification it works.

We tried various test scenarios, and libvirtd->lldpad and lldpad->libvirtd communication appeared to be functional and stable.

--
Best regards,
Gerhard Stenzel,
---
IBM Deutschland Research & Development GmbH
Chairwoman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCHv2] util: fix libvirtd startup failure due to netlink error
On Thu, 2012-05-03 at 11:10 -0400, Laine Stump wrote:
> Even with ACK, I will wait to push this until I have verification that it does not break lldpad<-->libvirtd communication (if it does, I may need to use the nl_handle allocated during virNetlinkStartup() for virNetlinkEventServiceStart()).

libvirtd->lldpad communication is still working, but lldpad->libvirtd is not anymore (CONNECTION_REFUSED).

--
Best regards,
Gerhard Stenzel
Re: [libvirt] [PATCH 3/4] virnetdevvportprofile: Changes to support portprofiles for hostdevs
On Fri, 2012-03-02 at 15:45 -0500, Laine Stump wrote:
> Okay, then in the end these patches will support 802.1Qbh setting, as well as setting the MAC address (but only for SRIOV-capable devices). And any future support for 802.1Qbg would require both some extra support outside libvirt, as well as specifying the vlanid in the config, and requiring the guest to setup VLAN tagging. Did I get it right now?

Not sure we need anything else for Qbg in addition to some changes in libvirt and vlan tagging in the guest. But I think we are converging that the Qbh part looks okay and the Qbg part can be added later, if necessary.

Best regards,
Gerhard Stenzel, Hybrid Technologies, LTC
Re: [libvirt] [PATCH 3/4] virnetdevvportprofile: Changes to support portprofiles for hostdevs
On Fri, 2012-03-02 at 14:27 -0500, Laine Stump wrote:
> So, at the end of this, is there *any* 802.1QbX mode that can work using PCI passthrough without at least one of the following things:
>
> 1) a macvtap interface on the host. (what about my idea of attaching a macvtap interface to the PF? does that have any hint of practicality?)
>
> 2) extending the protocol for talking with lldpad to support using a raw PCI device rather than a macvtap device.
>
> 3) the guest doing vlan tagging
>
> 4) the guest doing the full 802.1QbX associate/de-associate protocol exchange itself?
>
> Nobody has said it explicitly yet (I think), but I have the impression that this problem unfortunately can't be solved by libvirt alone. If that's the case, we should state that as soon as possible so that we can table the part of these patches for the short term, and separate the mac address part to get it pushed upstream (along with the new low-level PCI utility functions), as that is very useful on its own.

I am not sure I can follow the conclusion that this can not be solved in libvirt alone.

Qbg: For the macvtap case, the macvtap device is "attached" to the underlying physical interface and this is where the association request is sent to, via lldpad. For the PCI passthrough case, the same must be possible, assuming the physical interface can be concluded from the PCI device and the VLAN information is provided. Or do I miss something?

Best regards,
Gerhard Stenzel, Hybrid Technologies, LTC
Re: [libvirt] [PATCH 3/4] virnetdevvportprofile: Changes to support portprofiles for hostdevs
On Fri, 2012-03-02 at 10:52 -0500, Laine Stump wrote:
> 1) Currently it requires a PCI address (although I plan to add the ability to accept a netdev name and automatically convert it to a PCI address):
>
> > This means the XML fragment look more like this for Qbh: and for Qbg:
>
> 2) I guess I have been misunderestimating the level of symbiosis between macvtap and 802.1QbX. I had thought that the private vs. vepa thing was related to whether or not macvtap could (or couldn't) share the physical device and (when sharing was allowed) whether or not it allowed multiple macvtap devices connected to the same physical to see traffic from each other. This assumption led me to believe that in the case of a PCI passthrough device, where there is obviously no sharing (or macvtap device), these different modes were irrelevant, and all that was needed was the information in .
>
> What I *think* I'm understanding from this discussion is that 1) in order for a virtual port association to happen, a macvtap interface must exist, and the association is done wrt that macvtap device *not* the physical device, or even the VF, and 2) knowing the information in (along with knowing that the physical device is not being shared) is not enough information to properly perform an associate operation.
>
> Is this correct?

If I understand above correctly, your first assumption seems correct and my XML examples have been misleading you.

> If that's the case, then there are some basic assumptions made here that are incorrect, and we will need to either change the lower level code to somehow accomplish a port associate without a macvtap interface, or we will need to pull some kind of trickery, possibly adding a macvtap interface to the PF to be used as a proxy to do the ASSOCIATE for the VF (will that even work? In particular, will it work if multiple VFs need to operate in one of the "exclusive" modes where no sharing of physical device is permitted?)

I do not know for Qbh, but for Qbg: The switch knows nothing about macvtap devices or virtual functions; what matters is the combination of (managerid, typeid, typeidversion, instanceid, vlanid) to make an association.

Best regards,
Gerhard Stenzel, Hybrid Technologies, LTC
Re: [libvirt] [PATCH 3/4] virnetdevvportprofile: Changes to support portprofiles for hostdevs
On Fri, 2012-03-02 at 10:52 -0500, Laine Stump wrote:
> Again, my knowledge is insufficient to understand - why was a vlanid not necessary before when we were dealing with a hostside macvtap tied to a guest-side emulated netdev, and why is it necessary now that we want to just passthrough the PCI device to the guest?
>
> > Note the additional vlanid attribute. The semantic would be that the host establishes a Qbg association for (managerid, typeid, typeidversion, instanceid, vlanid) and that the VM would need to add the correct VLAN tag in order to be able to communicate.
>
> So adding the VLAN tag has in the past been done by the macvtap interface? Where did it learn the vlanid from?

(Many questions for which I will need some time ..) Let me answer the simple ones first:

If you look here http://libvirt.org/formatdomain.html:

... ...

In this example, the macvtap interface will be created on top of the VLAN interface 2 on top of eth0. The Qbg switch needs this information: (managerid, typeid, typeidversion, instanceid, vlanid). macvtap/VEPA does not need the VLAN to work, but Qbg does. So for PCI passthrough, if the host does the association, it has to know which VLANID to associate, but the guest has to add the VLAN tags.

> Definitely if the packets need to leave the host with a VLAN tag, in PCI passthrough mode that will need to be done by the guest OS, since the host will be unable to get its hands on the packets. Once that's the case, does it maybe make more sense to just leave *everything* up to the guest OS - do a PCI passthrough of the device (maybe setting the MAC address) and let the guest do the port associate etc. too? (Another way of saying this - at this point, shouldn't we just admit that transparent hostside support of VEPA (or any other protocol that requires data packets to be modified) using PCI passthrough by definition is not possible, and therefore isn't supported?)

Letting the guest do the association is an option, which should work already (even if probably no one has tested it yet), but the question is really how much control the host should have vs the guest. There are definitely scenarios thinkable where the host should do the association.

Best regards,
Gerhard Stenzel, Hybrid Technologies, LTC
Re: [libvirt] [PATCH 3/4] virnetdevvportprofile: Changes to support portprofiles for hostdevs
On Thu, 2012-03-01 at 13:02 -0500, Laine Stump wrote:
> In the case of hostdev though, there is not necessarily any netdev driver at all in the host (and thus no "linkdev" to attach a macvtap to), certainly not after it's attached to the guest - control of the PCI device is given over to the guest.
>
> So is the problem here that 802.1QbX stuff can only work if there's an associated macvtap device? Although it might be possible to temporarily create a macvtap device and attach it to the PCI device's netdev driver prior to passing it through, that would only work if a netdev driver was bound to the PCI device (which isn't always the case, especially for SRIOV VFs), yet that netdev driver would then immediately need to be unbound prior to assigning the device to the guest, and most likely that would kill the macvtap device; even if the setup done using that macvtap device wasn't undone in the process, would it be possible to undo it later when the guest terminates (or the device is detached from the guest)?

I wondered how the complete XML fragment for Qbh would look and came up with the following:

Can someone confirm?

For Qbg, we would need then something like this:

to be of any use. Note the additional vlanid attribute. The semantic would be that the host establishes a Qbg association for (managerid, typeid, typeidversion, instanceid, vlanid) and that the VM would need to add the correct VLAN tag in order to be able to communicate. Does that make sense?

Best regards,
Gerhard Stenzel, Hybrid Technologies, LTC
Re: [libvirt] FW: macvtap not working on rhel 6.1 x86 machine
On Thu, 2011-12-15 at 15:54 +0530, Amit Tewari wrote:
> hi,
>
> i want the kvm guest machine to connect to network using macvtap.. I tried this vepa mode it is also not working.

Where is your DHCP server? On the network or on your host?

> eth0 has same mac address as that of macvtap0 that is 52:54:00:55:AE:B5

This is correct. The MAC address of eth0 in the guest is the same as that of the macvtap device of the host.

> due to this guest is not able to get dhcp address nor static ip address is working.

It works for me. I am on 6.2 now, but this worked on 6.1 as well.

--
Best regards,
Gerhard Stenzel
Re: [libvirt] FW: macvtap not working on rhel 6.1 x86 machine
On Thu, 2011-12-15 at 15:20 +0530, Amit Tewari wrote:
> Hi all,
>
> My test environment
> Host os=rhel6.1 x86 machine
> Guest os = rhel6.1
> Libvirt=0.8.7
> Kvm hypervisor

Hi,

maybe it would help if you try to explain first what you are trying to achieve and what your setup looks like (including your DHCP setup and switch infrastructure).

Here (http://libvirt.org/formatdomain.html) you will find the following xml sample, which works:

... ...

This will connect your VM directly to the same network as eth0. Please be aware that, depending on your switch configuration (supports hairpin mode or not), your host might not be able to talk to your VM and vice versa.

--
Best regards,
Gerhard Stenzel
Re: [libvirt] RFC: managing "pci passthrough" usage of sriov VFs via a new network forward type
On Mon, 2011-08-22 at 05:17 -0400, Laine Stump wrote:
> For some reason beyond my comprehension, the designers of SRIOV ethernet cards decided that the virtual functions (VF) of the card (each VF corresponds to an ethernet device, e.g. "eth10") should each be given a new+different+random MAC address each time the hardware is rebooted.

I read this is to avoid wasting MAC addresses from the vendor's pool which might never be used.

> Normally, udev keeps a persistent table that associates each known MAC address with an ethernet device name - any time an ethernet device with a previously-unknown MAC address is found, a new device name is allocated ("eth11", etc) and the newly found MAC address is associated with that device name. When an ethernet device is an SRIOV VF, though, udev doesn't persist the MAC address, so at each boot a device is found with a new MAC address, but the device name from the previous boot is "unused" so magically the device ends up with the same name even though the MAC address has changed.

RHEL 6.1 seems to use the PCI id to manage the interface name in /etc/udev/rules.d/70-persistent-net.rules:

# PCI device 0x8086:0x10ed (ixgbevf)
SUBSYSTEM=="net", ACTION=="add", ATTR{dev_id}=="0x0", KERNELS==":15:10.0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth8"

> When this device is assigned to a guest via PCI passthrough, though, the guest doesn't have the necessary information to realize that it's actually an SRIOV VF, so the guest's udev persists the MAC address - on the first boot of host+guest, the guest will see it has, e.g., mac address 11:22:33:44:55:66 and udev will add an entry to its persistent table remembering that 11:22:33:44:55:66="eth0". If the host reboots, though, the VF will get a new MAC address, and when the guest boots, it will see a new MAC address (e.g. "66:55:44:33:22:11") and think that there's a different card, so it will create a new device (and a new udev entry - 66:55:44:33:22:11="eth1"). This will repeat each time the host reboots, with the obvious undesired consequences.
>
> This makes using SRIOV VFs via PCI passthrough very unpalatable. The problem can be solved by setting the MAC address of the ethernet device prior to assigning it to the guest, but of course the element used to assign PCI devices to guests has no place to specify a MAC address (and I'm not sure it would be appropriate to add something that function-specific to ). Dave Allan and I have discussed a different possible method of eliminating this problem (using a new forward type for libvirt networks) that I've outlined below. Please let me know what you think - is this reasonable in general? If so, what about the details? If not, any counter-proposals to solve the problem?
>
> Providing Predictable/Configurable MAC Addresses for SRIOV VFs used via PCI Passthrough:
>
> 1) will have a new forward type='hardware'. When forward type='hardware', a pool of ethernet interfaces can be specified, just as for the forward types "bridge", "vepa", "private", and "passthrough". At this point, that's the only thing that I've determined is needed in the network definition.

type='hostdev'?

> 2) In a domain's definition, when type='network', if the network has a forward type='hardware', the domain code will request an unused ethernet device from the network driver, then do the following:
>
> 3) save the ethernet device name in interface/actual so that it can be easily retrieved if libvirtd is restarted
>
> 4) Set the MAC address of the given ethernet device according to the domain config.
>
> 5) Use the NodeDevice API to learn all the necessary PCI domain/slot/bus/function and add a (non-persisting) element to the guest's config before starting it up.
>
> 6) When the guest is eventually destroyed, the ethernet device will be free'd back to the network pool for use by another guest.
>
> One problem this doesn't solve is that when a guest is migrated, the PCI info for the allocated ethernet device on the destination host will almost surely be different. Is there any provision for dealing with this in the device passthrough code? If not, then migration will still not be possible.
>
> Although I realize that many people are predisposed to not like the idea of PCI passthrough of ethernet devices (including me), it seems that it's going to be used, so we may as well provide the management tools to do it in a sane manner.

If I understand this correctly, this outlines an "implicit" pci passthrough and there is no need to provide an explicit element in the domain xml. Guest configs using an explicit element would still expose the problem outlined above, correct? Any plans for those?
Re: [libvirt] libvirt-0.9.3 week freeze, RC1 version to test
On Mon, 2011-06-27 at 13:01 +0800, Daniel Veillard wrote:
> So we are entering the week freeze for the new version 0.9.3
> I have made an rc1 tarball available at:
> ftp://libvirt.org/libvirt/libvirt-0.9.3-rc1.tar.gz
> along with rpms for those interested
> We pushed a lot of patches in the last few days, we know there are at least some cleanup issues, but I tried it locally and basic operations seem to work fine,
>
> please give it a try too and report issues,
>
> thanks !
>
> Daniel

sanlock-devel seems to be in rawhide, not f15:

$ make rpm
...
make[1]: Leaving directory `/home/stenzel/projects/libvirt-0.9.3'
error: Failed build dependencies:
        sanlock-devel is needed by libvirt-0.9.3-0rc1.fc15.x86_64
make: *** [rpm] Error 1
$ cat /etc/redhat-release
Fedora release 15 (Lovelock)

libvirt.spec assumes f15 and higher:

# Enable sanlock library for lock management with QEMU
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 6
%define with_sanlock 0%{!?_without_sanlock:%{server_drivers}}
%endif

--
Best regards,
Gerhard Stenzel
Re: [libvirt] [PATCH]: set and get the MAC of an interface
On Wed, 2011-06-22 at 16:30 +0800, Daniel Veillard wrote:
> ACK,

Actually, this is not needed anymore, now that the functions are in interface.c

--
Best regards,
Gerhard Stenzel
[libvirt] [PATCH v4]: set and restore MAC address of a NIC when using PASSTHROUGH mode
Next try .. The following patch addresses the problem that when a PASSTHROUGH mode DIRECT NIC connection is made the MAC address of the NIC is not automatically set and reset to the configured VM MAC and back again. The attached patch fixes this problem by setting and resetting the MAC while remembering the previous setting while the VM is running. This also works if libvirtd is restarted while the VM is running. the patch passes make syntax-check Signed-off-by: Dirk Herrendoerfer Signed-off-by: Gerhard Stenzel --- Index: libvirt/src/qemu/qemu_command.c === --- libvirt.orig/src/qemu/qemu_command.c +++ libvirt/src/qemu/qemu_command.c @@ -128,7 +128,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def rc = openMacvtapTap(net->ifname, net->mac, net->data.direct.linkdev, net->data.direct.mode, vnet_hdr, def->uuid, &net->data.direct.virtPortProfile, &res_ifname, -vmop); +vmop, driver->stateDir); if (rc >= 0) { qemuAuditNetDevice(def, net, res_ifname, true); VIR_FREE(net->ifname); @@ -149,7 +149,9 @@ qemuPhysIfaceConnect(virDomainDefPtr def if (err) { VIR_FORCE_CLOSE(rc); delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, + &net->data.direct.virtPortProfile, + driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/qemu/qemu_process.c === --- libvirt.orig/src/qemu/qemu_process.c +++ libvirt/src/qemu/qemu_process.c @@ -2876,7 +2876,8 @@ void qemuProcessStop(struct qemud_driver virDomainNetDefPtr net = def->nets[i]; if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) { delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, + &net->data.direct.virtPortProfile, driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/util/macvtap.c === --- libvirt.orig/src/util/macvtap.c +++ libvirt/src/util/macvtap.c 
@@ -545,6 +545,104 @@ configMacvtapTap(int tapfd, int vnet_hdr return 0; } +/** + * replaceMacAdress: + * @macaddress: new MAC address for interface + * @linkdev: name of interface + * @stateDir: directory to store old MAC address + * + * Returns 0 on success, -1 in case of fatal error, error code otherwise. + * + */ +static int +replaceMacAdress(const unsigned char *macaddress, + const char *linkdev, + char *stateDir) +{ +unsigned char oldmac[6]; +int rc; + +rc = ifaceGetMacaddr(linkdev, oldmac); + +if (rc) { +virReportSystemError(rc, + _("Getting MAC address from '%s' " + "to '%02x:%02x:%02x:%02x:%02x:%02x' failed."), + linkdev, + oldmac[0], oldmac[1], oldmac[2], + oldmac[3], oldmac[4], oldmac[5]); +} else { +char *path = NULL; +char macstr[VIR_MAC_STRING_BUFLEN]; + +if (virAsprintf(&path, "%s/%s", +stateDir, +linkdev) < 0) { +virReportOOMError(); +return errno; +} +virFormatMacAddr(oldmac, macstr); +if (virFileWriteStr(path, macstr, O_CREAT|O_TRUNC|O_WRONLY) < 0) { +virReportSystemError(errno, _("Unable to preserve mac for %s"), + linkdev); +return errno; +} +} + +rc = ifaceSetMacaddr(linkdev, macaddress); +if (rc) { +virReportSystemError(errno, + _("Setting MAC address on '%s' to " + "'%02x:%02x:%02x:%02x:%02x:%02x' failed."), + linkdev, + macaddress[0], macaddress[1], macaddress[2], + macaddress[3], macaddress[4], macaddress[5]); +} +return rc; +} + +/** + * restoreMacAddress: + * @linkdev: name of interface + * @stateDir: directory containing old MAC address + * + * Returns 0 on success, -1 in case of fatal error, error code otherwise. + * + */ +static int +restoreMacAddress(const char *linkdev, + char *stateDir) +{ +int ret; +char *oldmacname = NULL
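Review bot: in replaceMacAdress, when ifaceGetMacaddr() fails the error is reported but execution falls through to ifaceSetMacaddr() anyway, so the interface's MAC is overwritten without the original ever being written to stateDir and restoreMacAddress() later has nothing to put back; return rc right after the virReportSystemError() instead. That same message formats the bytes of oldmac, which are uninitialised when the get failed, and reads "Getting MAC address from '%s' to '...' failed" although no target address is involved in a get. In the else branch, path is allocated by virAsprintf() and never freed on either the error return or the success path; a single cleanup label that frees it would fix both. Also check what virFileWriteStr() expects as its third argument: the call passes open(2) flags (O_CREAT|O_TRUNC|O_WRONLY), and if that parameter is a permission mode the state file ends up with unintended permissions. Finally, the function name is misspelled (replaceMacAdress), and the hunk is cut off at char *oldmacname = NULL, so the restore side could not be reviewed from this copy.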
[libvirt] [PATCH v3]: set and restore MAC address of a NIC when using PASSTHROUGH mode
This is another rework of the patch from Dirk addressing all comments received so far. The following patch addresses the problem that when a PASSTHROUGH mode DIRECT NIC connection is made the MAC address of the NIC is not automatically set and reset to the configured VM MAC and back again. The attached patch fixes this problem by setting and resetting the MAC while remembering the previous setting while the VM is running. This also works if libvirtd is restarted while the VM is running. the patch passes make syntax-check Signed-off-by: Dirk Herrendoerfer Signed-off-by: Gerhard Stenzel --- Index: libvirt/src/qemu/qemu_command.c === --- libvirt.orig/src/qemu/qemu_command.c +++ libvirt/src/qemu/qemu_command.c @@ -128,7 +128,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def rc = openMacvtapTap(net->ifname, net->mac, net->data.direct.linkdev, net->data.direct.mode, vnet_hdr, def->uuid, &net->data.direct.virtPortProfile, &res_ifname, -vmop); +vmop, driver->stateDir); if (rc >= 0) { qemuAuditNetDevice(def, net, res_ifname, true); VIR_FREE(net->ifname); @@ -149,7 +149,9 @@ qemuPhysIfaceConnect(virDomainDefPtr def if (err) { VIR_FORCE_CLOSE(rc); delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, + &net->data.direct.virtPortProfile, + driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/qemu/qemu_process.c === --- libvirt.orig/src/qemu/qemu_process.c +++ libvirt/src/qemu/qemu_process.c @@ -2876,7 +2876,8 @@ void qemuProcessStop(struct qemud_driver virDomainNetDefPtr net = def->nets[i]; if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) { delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, + &net->data.direct.virtPortProfile, driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/util/macvtap.c === --- libvirt.orig/src/util/macvtap.c +++ libvirt/src/util/macvtap.c 
@@ -545,6 +545,106 @@ configMacvtapTap(int tapfd, int vnet_hdr return 0; } +/** + * replaceMacAdress: + * @macaddress: new MAC address for interface + * @linkdev: name of interface + * @stateDir: directory to store old MAC address + * + * Returns 0 on success, -1 in case of fatal error, error code otherwise. + * + */ +static int +replaceMacAdress(const unsigned char *macaddress, + const char *linkdev, + char *stateDir) +{ +unsigned char oldmac[6]; +int rc; + +rc = ifaceGetMacaddr(linkdev, oldmac); + +if (rc) { +virReportSystemError(rc, + _("Getting MAC address from '%s' " + "to '%02x:%02x:%02x:%02x:%02x:%02x' failed."), + linkdev, + oldmac[0], oldmac[1], oldmac[2], + oldmac[3], oldmac[4], oldmac[5]); +} else { +char *path = NULL; + +char macstr[VIR_MAC_STRING_BUFLEN]; +if (virAsprintf(&path, "%s/%s", +stateDir, +linkdev) < 0) { +virReportOOMError(); +return errno; +} +virFormatMacAddr(oldmac, macstr); +if (virFileWriteStr(path, macstr, O_CREAT|O_TRUNC|O_WRONLY) < 0) { +virReportSystemError(errno, _("Unable to preserve mac for %s"), + linkdev); +return errno; +} +} + +rc = ifaceSetMacaddr(linkdev, macaddress); +if (rc) { +virReportSystemError(errno, + _("Setting MAC address on '%s' to " + "'%02x:%02x:%02x:%02x:%02x:%02x' failed."), + linkdev, + macaddress[0], macaddress[1], macaddress[2], + macaddress[3], macaddress[4], macaddress[5]); +} +return rc; +} + +/** + * restoreMacAddress: + * @linkdev: name of interface + * @stateDir: directory containing old MAC address + * + * Returns 0 on success, -1 in case of fatal error, error code otherwise. + * + */ +static int +restoreMacAddress(cons
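Review bot: the documented contract "Returns 0 on success, -1 in case of fatal error, error code otherwise" does not match the body of replaceMacAdress, which returns errno after virReportOOMError() and after a failed virFileWriteStr() while returning rc from ifaceSetMacaddr() otherwise; callers cannot tell a fatal error from an errno value, so pick one convention and document it. stateDir is only read here and in restoreMacAddress and should be const char *. The path from virAsprintf() is leaked on every exit of the else branch, and the state file is written only in that branch while the following ifaceSetMacaddr() runs unconditionally, so a failed read of the old MAC still changes the interface with no record to restore from. The hunk ends mid-signature at restoreMacAddress(cons, so the restore side could not be reviewed from this copy.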
[libvirt] [PATCH]: set and get the MAC of an interface
The following patch renames the function to set the MAC of an interface from ifSetInterfaceMac() to brSetInterfaceMac() and makes it available to other components. It also adds brGetInterfaceMac() to retrieve the MAC. Signed-off-by: Gerhard Stenzel Index: libvirt/src/util/bridge.c === --- libvirt.orig/src/util/bridge.c +++ libvirt/src/util/bridge.c @@ -286,8 +286,41 @@ brDeleteInterface(brControl *ctl ATTRIBU } # endif + +/** + * brGetInterfaceMac: + * @ctl: bridge control pointer + * @ifname: interface name to set MTU for + * @macaddr: MAC address (VIR_MAC_BUFLEN in size) + * + * This function gets the @macaddr for a given interface @ifname. + * + * Returns 0 in case of success or an errno code in case of failure. + */ +int brGetInterfaceMac(brControl *ctl, const char *ifname, + unsigned char *macaddr) +{ +struct ifreq ifr; + +if (!ctl || !ifname) +return EINVAL; + +memset(&ifr, 0, sizeof(struct ifreq)); +if (virStrcpyStatic(ifr.ifr_name, ifname) == NULL) +return EINVAL; + +if(ioctl(ctl->fd, SIOCGIFHWADDR, (char *)&ifr) != 0){ +return errno; +} + +memcpy(macaddr, ifr.ifr_ifru.ifru_hwaddr.sa_data, VIR_MAC_BUFLEN); + +return 0; +} + + /** - * ifSetInterfaceMac: + * brSetInterfaceMac: * @ctl: bridge control pointer * @ifname: interface name to set MTU for * @macaddr: MAC address (VIR_MAC_BUFLEN in size) @@ -297,7 +330,7 @@ brDeleteInterface(brControl *ctl ATTRIBU * * Returns 0 in case of success or an errno code in case of failure. */ -static int ifSetInterfaceMac(brControl *ctl, const char *ifname, +int brSetInterfaceMac(brControl *ctl, const char *ifname, const unsigned char *macaddr) { struct ifreq ifr; 
@@ -521,7 +554,7 @@ brAddTap(brControl *ctl, * seeing the kernel allocate random MAC for the TAP * device before we set our static MAC. */ -if ((errno = ifSetInterfaceMac(ctl, ifr.ifr_name, macaddr))) +if ((errno = brSetInterfaceMac(ctl, ifr.ifr_name, macaddr))) goto error; /* We need to set the interface MTU before adding it * to the bridge, because the bridge will have its Index: libvirt/src/util/bridge.h === --- libvirt.orig/src/util/bridge.h +++ libvirt/src/util/bridge.h @@ -106,6 +106,14 @@ int brGetEnableSTP (brContr const char *bridge, int *enable); +int brSetInterfaceMac (brControl *ctl, + const char *ifname, + const unsigned char *macaddr); + +int brGetInterfaceMac (brControl *ctl, + const char *ifname, + unsigned char *macaddr); + # endif /* WITH_BRIDGE */ #endif /* __QEMUD_BRIDGE_H__ */ === Best regards, Gerhard Stenzel - IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschaeftsfuehrung: Dirk Wittkopp Sitz der Gesellschaft: Boeblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
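Review bot: the doc comment for the new brGetInterfaceMac says "@ifname: interface name to set MTU for", copied from the MTU helper, and the renamed brSetInterfaceMac keeps the same stale line; both should describe the interface whose MAC address is read or set. brGetInterfaceMac checks ctl and ifname for NULL but not macaddr before the memcpy() into it; extend the guard to `if (!ctl || !ifname || !macaddr) return EINVAL;`. The line `if(ioctl(ctl->fd, SIOCGIFHWADDR, (char *)&ifr) != 0){` lacks the spaces around `if` and before `{` that the rest of bridge.c uses. Since the point of the patch is to make brSetInterfaceMac "available to other components", note that the bridge.h hunk only declares it; if the util symbols are exported through a .syms file (as the macvtap ones are elsewhere in this series), the two functions need entries there as well.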
[libvirt] [PATCH v3]: set and restore MAC address of a NIC when using PASSTHROUGH mode
This is a another rework of the patch Dirk sent out last week taking into account most propsosed changes The following patch addresses the problem that when a PASSTHROUGH mode DIRECT NIC connection is made the MAC address of the NIC is not automatically set and reset to the configured VM MAC and back again. The attached patch fixes this problem by setting and resetting the MAC while remembering the previous setting while the VM is running. This also works if libvirtd is restarted while the VM is running. the patch passes make syntax-check Signed-off-by: Dirk Herrendoerfer Signed-off-by: Gerhard Stenzel --- Index: libvirt/src/libvirt_macvtap.syms === --- libvirt.orig/src/libvirt_macvtap.syms +++ libvirt/src/libvirt_macvtap.syms @@ -5,6 +5,8 @@ # macvtap.h delMacvtap; +getMacaddr; openMacvtapTap; +setMacaddr; vpAssociatePortProfileId; vpDisassociatePortProfileId; Index: libvirt/src/qemu/qemu_command.c === --- libvirt.orig/src/qemu/qemu_command.c +++ libvirt/src/qemu/qemu_command.c @@ -128,7 +128,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def rc = openMacvtapTap(net->ifname, net->mac, net->data.direct.linkdev, net->data.direct.mode, vnet_hdr, def->uuid, &net->data.direct.virtPortProfile, &res_ifname, -vmop); +vmop, driver->stateDir); if (rc >= 0) { qemuAuditNetDevice(def, net, res_ifname, true); VIR_FREE(net->ifname); @@ -149,7 +149,7 @@ qemuPhysIfaceConnect(virDomainDefPtr def if (err) { VIR_FORCE_CLOSE(rc); delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, &net->data.direct.virtPortProfile, driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/qemu/qemu_process.c === --- libvirt.orig/src/qemu/qemu_process.c +++ libvirt/src/qemu/qemu_process.c 
@@ -2707,7 +2707,8 @@ void qemuProcessStop(struct qemud_driver virDomainNetDefPtr net = def->nets[i]; if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) { delMacvtap(net->ifname, net->mac, net->data.direct.linkdev, - &net->data.direct.virtPortProfile); + net->data.direct.mode, + &net->data.direct.virtPortProfile, driver->stateDir); VIR_FREE(net->ifname); } } Index: libvirt/src/util/macvtap.c === --- libvirt.orig/src/util/macvtap.c +++ libvirt/src/util/macvtap.c @@ -87,6 +87,7 @@ # define LLDPAD_PID_FILE "/var/run/lldpad.pid" +#define MACADDRSIZE 6 enum virVirtualPortOp { ASSOCIATE = 0x1, 
@@ -191,6 +192,149 @@ err_exit: # if WITH_MACVTAP +/** + * getMacaddr: + * Get the MAC address of a network device + * + * @macaddress: Pointer where the MAC address will be stored + * @srcdev: The interface name of the NIC to get the MAC from + * + * Returns zero in case of success, + * negative value otherwise with error reported. + * + */ +int +getMacaddr(const unsigned char *macaddress, const char *srcdev ) +{ +int sockfd; +int io; +struct ifreq ifr; + +strcpy(ifr.ifr_name, srcdev); + +sockfd = socket(AF_INET, SOCK_STREAM, 0); +if(sockfd < 0){ +return -1; +} + +io = ioctl(sockfd, SIOCGIFHWADDR, (char *)&ifr); +if(io < 0){ +return -1; +} + +memcpy(macaddress, ifr.ifr_ifru.ifru_hwaddr.sa_data, MACADDRSIZE); + +return 0; +} + +/** + * setMacaddr: + * Set the MAC address of a network device + * + * @macaddress: MAC address to assign to the NIC + * @srcdev: The interface name of the NIC + * + * Returns zero in case of success, + * negative value otherwise with error reported. + * + */ +int +setMacaddr(const unsigned char *macaddress, const char *srcdev ) +{ +int rc = 0; +struct nlmsghdr *resp; +struct nlmsgerr *err; +struct ifinfomsg ifinfo = { .ifi_family = AF_UNSPEC }; +int ifindex; +unsigned char *recvbuf = NULL; +unsigned int recvbuflen; +struct nl_msg *nl_msg; + +if (ifaceGetIndex(true, srcdev, &ifindex) != 0) +return -1; + +nl_msg = nlmsg_alloc_simple(RTM_SETLINK, NLM_F_REQUEST); + +if (!nl_msg) { +virReportOOMError(); +return -1; +} + +if (nlmsg_append(nl_msg, &ifinfo, sizeof(ifinfo), NLMSG_ALIGNTO) < 0) +goto buffer_too_small; + +if (nla_put_u32(nl_msg, IFLA_LINK, ifindex) < 0) +goto buffer_too_small; + +if (nla_put(nl_msg, IFLA_ADDR
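Review bot: getMacaddr() declares its output as `const unsigned char *macaddress` and then writes through it with `memcpy(macaddress, ifr.ifr_ifru.ifru_hwaddr.sa_data, MACADDRSIZE)`; drop the const. In the same function `strcpy(ifr.ifr_name, srcdev)` copies an unbounded name into the IFNAMSIZ buffer of an uninitialised ifreq, and sockfd is never closed, neither on the ioctl failure path nor on success; check the length (virStrcpyStatic), memset the struct and VIR_FORCE_CLOSE the socket before returning. The doc comment promises "negative value otherwise with error reported", but neither -1 return calls virReportSystemError().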
Re: [libvirt] [PATCH v2]: set and restore MAC address of a NIC when using PASSTHROUGH mode
On Thu, 2011-06-16 at 19:16 +0100, Daniel P. Berrange wrote:
> There are already (static) functions in src/util/bridge.c, which are
> able to get and set the MAC address on network devices. So I think we
> should just make them non-static and call them instead of duplicating
> it here.

I just sent out another version of the patch addressing all remarks except this last one. I had some difficulties with this and there is also only a function to set the MAC address. I will have another look into this next week, but would appreciate some feedback on the other changes in the meantime.

Best regards, Gerhard Stenzel
Re: [libvirt] Network device abstraction aka virtual switch - V3
On Sun, 2011-06-12 at 20:29 -0400, Laine Stump wrote:
> > > red-network

If this example describes a scenario with an SR-IOV card, where eth10 is the physical function and eth11-eth17 are the virtual functions and libvirt can attach a VM to any of the VFs, then I would not list eth10 in the interface pool for passthrough devices.

Best regards, Gerhard Stenzel
Re: [libvirt] Network device abstraction aka virtual switch - V3
On Sun, 2011-06-12 at 20:29 -0400, Laine Stump wrote:
...
> II. Changes to definition
> ===
> ...
> He also suggested adding a new "layer='network|link'" attribute to
> . I'm not convinced that item is necessary (it seems
> redundant), but am including it here for sake of discussion.
>
> The current modes are:
>
> (in addition to not listing any mode, which equates to "isolated")
>
> Here are suggested new modes:
>
> mode='bridge-brctl|vepa|private|passthrough|bridge-macvtap'/>

On the "layer='network|link'" question, would "layer='IP|MAC'" not be clearer?

Regarding the mode attribute: "mode='bridge|vepa|private|passthrough'" seems sufficient to me; bridge-brctl or bridge-macvtap can be concluded from the "dev" attribute, right?
...

Best regards, Gerhard Stenzel
Re: [libvirt] [PATCH] Added capability to set and restore the MAC address of a NIC when using PASSTHROUGH mode with DIRECT type NICs. This is required to support SRIOV capable NICs with firmware imple
On Mon, 2011-06-13 at 12:34 -0600, Eric Blake wrote:
> On 06/10/2011 05:40 AM, Dirk Herrendoerfer wrote:
> > ---
> .
> I ran out of time to review the rest of this; the overall idea has
> merit, but there are a lot of changes needed in v2 before anything can
> be applied.

Thanks for the review and the comments. I am temporarily taking over from Dirk and just sent out a V2 patch which should address most of the comments.

Best regards, Gerhard Stenzel
[libvirt] [PATCH v2]: set and restore MAC address of a NIC when using PASSTHROUGH mode
This is a rework of the patch Dirk sent out last week. The attached patch addresses the problem that when a PASSTHROUGH mode DIRECT NIC connection is made the MAC address of the NIC is not automatically set and reset to the configured VM MAC and back again. The patch fixes this problem by setting and resetting the MAC while remembering the previous setting while the VM is running. This also works if libvirtd is restarted while the VM is running. The patch passes make syntax-check Signed-off-by: Dirk Herrendoerfer Signed-off-by: Gerhard Stenzel --- src/libvirt_macvtap.syms |2 + src/qemu/qemu_command.c | 48 +++ src/qemu/qemu_process.c | 45 ++ src/util/macvtap.c | 149 ++ src/util/macvtap.h |6 ++ 5 files changed, 250 insertions(+), 0 deletions(-) Index: libvirt/src/libvirt_macvtap.syms === --- libvirt.orig/src/libvirt_macvtap.syms +++ libvirt/src/libvirt_macvtap.syms @@ -5,6 +5,8 @@ # macvtap.h delMacvtap; +getMacaddr; openMacvtapTap; +setMacaddr; vpAssociatePortProfileId; vpDisassociatePortProfileId; Index: libvirt/src/qemu/qemu_command.c === --- libvirt.orig/src/qemu/qemu_command.c +++ libvirt/src/qemu/qemu_command.c 
@@ -125,6 +125,77 @@ qemuPhysIfaceConnect(virDomainDefPtr def net->model && STREQ(net->model, "virtio")) vnet_hdr = 1; +/** Note: When using PASSTHROUGH mode with MACVTAP devices the link + * device's MAC address must be set to the VMs MAC address. In + * order to not confuse the first switch or bridge in line this MAC + * address must be reset when the VM is shut down. + * This is especially important when using SRIOV capable cards that + * emulate their switch in firmware. + */ +if (net->data.direct.mode == VIR_DOMAIN_NETDEV_MACVTAP_MODE_PASSTHRU) { +unsigned char oldmac[6]; +rc = getMacaddr(&oldmac, net->data.direct.linkdev); +if (rc) { +virReportSystemError(rc, + _("Getting MAC address from '%s' " + "to '%02x:%02x:%02x:%02x:%02x:%02x' failed."), + net->data.direct.linkdev, + oldmac[0], oldmac[1], oldmac[2], + oldmac[3], oldmac[4], oldmac[5]); +} else { +char *oldmacpath = NULL; +char *oldmacname = NULL; +char *newmacname = NULL; +char *basedir = "/var/run/libvirt/network"; + +if (virAsprintf(&oldmacname,"%02x:%02x:%02x:%02x:%02x:%02x", +oldmac[0], oldmac[1], oldmac[2], +oldmac[3], oldmac[4], oldmac[5]) < 0) { +virReportOOMError(); +} +if (virAsprintf(&oldmacpath,"%s/%s", basedir, oldmacname) < 0) { +virReportOOMError(); +} + +if (virAsprintf(&newmacname, "%s/%s@%02x:%02x:%02x:%02x:%02x:%02x", +basedir, +net->data.direct.linkdev, +net->mac[0],net->mac[1],net->mac[2], +net->mac[3],net->mac[4],net->mac[5]) < 0) { +virReportOOMError(); +} + +rc = symlink (oldmacname, newmacname); +if (rc) { +virReportSystemError(errno, + _("MAC link file creation failed for %s."), + net->data.direct.linkdev); +} +rc = creat(oldmacpath, S_IWUSR); +if (rc) { +virReportSystemError(errno, + _("MAC link file creation failed for %s."), + oldmacpath); +} +rc = VIR_CLOSE(rc); +if (rc) { +virReportSystemError(errno, + _("MAC link file closing failed for %s."), + oldmacpath); +} +} + +rc = setMacaddr(net->mac, net->data.direct.linkdev); +if (rc) { +virReportSystemError(errno, + _("Setting 
MAC address on '%s' to " + "'%02x:%02x:%02x:%02x:%02x:%02x' failed."), + net->data.direct.linkdev, + net->mac[0], net->mac[1], net->mac[2], + net->mac[3], net->mac[4], net->mac[5]); +}
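Review bot: `rc = creat(oldmacpath, S_IWUSR); if (rc) { virReportSystemError(errno, ...` treats the returned descriptor as an error code: creat() returns a non-negative fd on success (almost always > 0), so the "MAC link file creation failed" error is reported on success, and on real failure -1 is handed to VIR_CLOSE(). Test for `rc < 0` and close only on success. In the same hunk, `getMacaddr(&oldmac, net->data.direct.linkdev)` passes `unsigned char (*)[6]` where the function takes a byte pointer (use `oldmac`), the failure message prints oldmac although nothing filled it in, and each of the three virAsprintf() failures reports OOM but falls through to symlink()/creat() with NULL paths; jump to an error label instead. The hard-coded `basedir = "/var/run/libvirt/network"` should come from the driver's state directory.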
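The bookkeeping both cover letters (this v2 and the v3 above) describe, keeping the link device's original MAC on disk so it can be put back after a libvirtd restart, as an added C example that is neither the patch's nor libvirt's code. It assumes a state-file layout of its own, "<statedir>/<linkdev>@<guest-mac>" holding the original MAC, modelled on the patch's symlink scheme, and uses constructed values (eth2, 52:54:00:11:11:11, 00:1b:21:aa:bb:cc); the O_EXCL create, the 0600 mode, the interface-name check and the strict parser are the guards a reviewer would ask for around state that is later applied to a host NIC:

```c
/* Added example, not libvirt code: remember a link device's original MAC
 * before macvtap PASSTHROUGH overwrites it with the guest MAC, so it can be
 * restored even from a restarted daemon.  The state-file layout
 * "<statedir>/<linkdev>@<guest-mac>" (holding the original MAC) is this
 * example's own choice, modelled on the patch's symlink scheme. */
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>

#define MACADDRSIZE 6
#define MACSTRLEN 18                     /* "aa:bb:cc:dd:ee:ff" + NUL */

/* Render six raw bytes as colon-separated lowercase hex. */
void mac_format(const unsigned char *mac, char out[MACSTRLEN])
{
    snprintf(out, MACSTRLEN, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* Strict inverse of mac_format: a damaged or tampered state file is rejected. */
int mac_parse(const char *s, unsigned char *mac)
{
    int i;
    if (strlen(s) != MACSTRLEN - 1)
        return -1;
    for (i = 0; i < MACSTRLEN - 1; i++)
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return -1;
    for (i = 0; i < MACADDRSIZE; i++)
        mac[i] = (unsigned char)strtoul(s + 3 * i, NULL, 16);
    return 0;
}

/* "<statedir>/<linkdev>@<guest-mac>"; the ifname is validated before it becomes a path. */
static int state_path(const char *statedir, const char *linkdev,
                      const unsigned char *vmmac, char *path, size_t len)
{
    char vmstr[MACSTRLEN];
    if (strlen(linkdev) >= IF_NAMESIZE || strchr(linkdev, '/'))
        return -1;
    mac_format(vmmac, vmstr);
    return snprintf(path, len, "%s/%s@%s", statedir, linkdev, vmstr) < (int)len ? 0 : -1;
}

/* Record the original MAC: 0600 (daemon-private), O_EXCL so a live guest's record is kept. */
int mac_state_save(const char *statedir, const char *linkdev,
                   const unsigned char *vmmac, const unsigned char *oldmac)
{
    char path[512], oldstr[MACSTRLEN];
    int fd, rc;
    if (state_path(statedir, linkdev, vmmac, path, sizeof(path)) < 0)
        return -1;
    mac_format(oldmac, oldstr);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    rc = write(fd, oldstr, MACSTRLEN - 1) == MACSTRLEN - 1 ? 0 : -1;
    close(fd);
    return rc;
}

/* Look the original MAC up again, e.g. at guest shutdown after a daemon restart. */
int mac_state_load(const char *statedir, const char *linkdev,
                   const unsigned char *vmmac, unsigned char *oldmac)
{
    char path[512], buf[MACSTRLEN] = "";
    int fd; ssize_t n;
    if (state_path(statedir, linkdev, vmmac, path, sizeof(path)) < 0 ||
        (fd = open(path, O_RDONLY)) < 0)
        return -1;
    n = read(fd, buf, MACSTRLEN - 1);
    close(fd);
    return n == MACSTRLEN - 1 ? mac_parse(buf, oldmac) : -1;
}

/* Drop the record once the MAC has been put back. */
int mac_state_remove(const char *statedir, const char *linkdev,
                     const unsigned char *vmmac)
{
    char path[512];
    return state_path(statedir, linkdev, vmmac, path, sizeof(path)) < 0 ? -1 : unlink(path);
}

/* Save/load/remove cycle with constructed MACs in a fresh temp directory;
 * returns 1 when the loaded MAC equals the saved one and every guard holds. */
int mac_state_selftest(void)
{
    const unsigned char vmmac[MACADDRSIZE] = {0x52, 0x54, 0x00, 0x11, 0x11, 0x11};
    const unsigned char oldmac[MACADDRSIZE] = {0x00, 0x1b, 0x21, 0xaa, 0xbb, 0xcc};
    unsigned char back[MACADDRSIZE] = {0};
    char dir[] = "/tmp/macstateXXXXXX"; int ok;
    if (!mkdtemp(dir)) return 0;
    ok = mac_state_save(dir, "eth2", vmmac, oldmac) == 0 &&
         mac_state_save(dir, "eth2", vmmac, oldmac) != 0 &&        /* O_EXCL */
         mac_state_load(dir, "eth2", vmmac, back) == 0 &&
         memcmp(back, oldmac, MACADDRSIZE) == 0 &&
         mac_state_remove(dir, "eth2", vmmac) == 0 &&
         mac_state_load(dir, "eth2", vmmac, back) != 0 &&
         mac_state_save(dir, "../x", vmmac, oldmac) != 0 &&       /* bad ifname */
         mac_parse("52:54:00:11:11:1g", back) != 0;                /* bad file content */
    return rmdir(dir) == 0 && ok;
}
```

In a daemon the order is the one the cover letter gives: mac_state_save() runs before the link device's MAC is changed, and mac_state_load() followed by the restore and mac_state_remove() runs at guest shutdown, whether or not the daemon that started the guest is the one stopping it.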
Re: [libvirt] [RFC PATCH] Set and reset MAC for PASSTHROUGH mode
On Mon, 2011-06-13 at 12:09 -0600, Eric Blake wrote:
> /tmp is probably not the best place; we already have a hierarchy under
> /var/run/libvirt/ and this information should live somewhere in that
> hierarchy.

How about "/var/run/libvirt/network"?

Best regards, Gerhard Stenzel
Re: [libvirt] [PATCH] fix missing VLAN id for Qbg example
On Mon, 2011-05-02 at 12:07 -0400, Laine Stump wrote:
> Just so I understand correctly - the 802.1Qbg standard requires using a
> VLAN, but the vepa implementation doesn't have that restriction, so it
> is still okay for someone using a vepa switch to not use a VLAN.
> Correct?

Yes.

Best regards, Gerhard Stenzel
[libvirt] [PATCH] fix missing VLAN id for Qbg example
For IEEE 802.1Qbg, it is necessary to use a VLAN interface. vepa itself does not require a VLAN interface. Signed-off-by: Gerhard Stenzel === --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -1440,6 +1440,10 @@ the Virtual Station Interface (VSI) represents the virtual interface of a virtual machine. + + Please note, that IEEE 802.1Qbg requires a non-zero value for the + VLAN ID. + managerid The VSI Manager ID identifies the database containing the VSI type @@ -1466,7 +1470,7 @@ <interface type='direct'/> ... <interface type='direct'> - <source dev='eth0' mode='vepa'/> + <source dev='eth0.2' mode='vepa'/> <virtualport type="802.1Qbg"> <parameters managerid="11" typeid="1193047" typeidversion="2" instanceid="09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f"/> </virtualport> === Best regards, Gerhard Stenzel - IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschaeftsfuehrung: Dirk Wittkopp Sitz der Gesellschaft: Boeblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
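Review bot: the added documentation sentence says 802.1Qbg requires a non-zero VLAN ID, but the example only changes `<source dev='eth0' mode='vepa'/>` to `<source dev='eth0.2' mode='vepa'/>` without saying that the VLAN ID is taken from the VLAN interface the source dev names; a half sentence such as "e.g. eth0.2 for VLAN 2" ties the two together. Also "Please note, that IEEE 802.1Qbg requires" should lose the comma.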
Re: [libvirt] documenting the 802.1Qbg parameters of a 'direct' interface
On Fri, 2011-03-11 at 10:11 -0700, Eric Blake wrote:
> Indeed, and I just pushed the trivial fix.

Thanks for pushing, and for all the corrections as well.

Best regards, Gerhard Stenzel
[libvirt] documenting the 802.1Qbg parameters of a 'direct' interface
This patch adds documentation about the 802.1Qbg related parameters of the virtualport element in a 'direct' interface definition.

Signed-off-by: Gerhard Stenzel

Patch attached to avoid line wrapping.

Best regards, Gerhard Stenzel

Index: libvirt/docs/formatdomain.html.in === --- libvirt.orig/docs/formatdomain.html.in +++ libvirt/docs/formatdomain.html.in
@@ -1296,6 +1296,52 @@ </devices> ... + + The network access of direct attached virtual machines can be + managed by the hardware switch to which the physical interface + of the host machine is connected to. + + The interface can have additional parameters as shown below, + if the switch is conforming to the IEEE 802.1Qbg standard. + The parameters of the virtualport element are documented in more detail + in the IEEE 802.1Qbg standard. The values are network specific and + should be provided by the network administrator. In 802.1Qbg terms, + the Virtual Station Interface (VSI) represents the virtual inferface + of a virtual machine. + + + managerid + The VSI Manager ID identifies the database containing the VSI type +and instance definitions. This is an integer value and the +value 0 is reserved. + typeid + The VSI Type ID identifies a VSI type characterizing the network +access. VSI types are typically managed by network administrator. +This is an integer value. + + typeidversion + The VSI Type Version allows multiple versions of a VSI Type. +This is an integer value. + + instanceid + The VSI Instance ID Identifier is generated when a VSI instance +(i.e. a virtual interface of a virtual machine) is created. +This is a globally unique identifier. + + + + ... + <devices> +<interface type='direct'/> +... +<interface type='direct'> + <source dev='eth0' mode='vepa'/> + <virtualport type="802.1Qbg"> +<parameters managerid="11" typeid="1193047" typeidversion="2" instanceid="09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f"/> + </virtualport> +</interface> + </devices> + ... Multicast tunnel -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
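Review bot: typos and grammar in the added documentation text: "the virtual inferface of a virtual machine" should read "interface"; "the hardware switch to which the physical interface of the host machine is connected to" has a doubled "to"; "managed by network administrator" needs "the". The instanceid in the example (`instanceid="09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f"`) is described only as "a globally unique identifier"; saying that it is a UUID tells readers how to generate one.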
Re: [libvirt] [RFC] cgroups net_cls controller implementation
On Thu, 2010-12-02 at 14:47 +0100, D. Herrendoerfer wrote:
> This is a basic implementation to support the net_cls feature of
> cgroups. It adds the setting of a net_cls.classid value to the
> existing cgroups setup in the qemu driver.
> The classid is specified in the qemu.conf file.
>
> This enables the use of the tc utility to manage traffic from/to
> virtual machines based on the setting combination of classid and
> network interface.
>
> Signed-off-by: D.Herrendoerfer [dot] name

I verified that the patch works as intended. Are there any objections or comments regarding the patch or the approach it implements? We would very much appreciate it if this would make it into 0.8.7.

Best regards, Gerhard Stenzel
Re: [libvirt] [PATCH] 802.1Qbg: use pre-associate state at beginning of incoming migration
On Thu, 2010-11-18 at 10:31 -0500, Stefan Berger wrote:
> Gerhard successfully tested the patch with a recent blade network
> 802.1Qbg-compliant switch.

To actually verify this patch, one needs additional lldpad patches, which are currently being prepared for the e1000-eedc mailing list.

Best regards, Gerhard Stenzel
Re: [libvirt] [libvirt-tck] [RFC] 802.1Qbg test scripts
On Thu, 2010-10-07 at 13:23 +0100, Daniel P. Berrange wrote:
> Since most systems won't yet have lldptool present, you should
> surround the entire test from here onwards in a big 'SKIP : {}'
> block. eg

Cool, V3 attached.

Best regards, Gerhard Stenzel

Index: libvirt-tck/scripts/nwfilter/300-vsitype.t === --- /dev/null +++ libvirt-tck/scripts/nwfilter/300-vsitype.t
@@ -0,0 +1,74 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +nwfilter/300-vsitype.t - verify VSI informatio + +=head1 DESCRIPTION + +The test case validates that the corrrect VSI is set in the adjacent switch + +=cut + +use strict; +use warnings; + +use Test::More tests => 3; + +use Sys::Virt::TCK; +use Sys::Virt::TCK::NetworkHelpers; +use Test::Exception; +use Net::SSH::Perl; +use File::Spec::Functions qw(catfile catdir rootdir); + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { +$tck->cleanup if $tck; +} + +SKIP: { + skip "lldptool not present", 3 unless -e "/usr/sbin/lldptool"; + +# creating domain + my $dom1; + my $dom_name ="tck8021Qbgtest"; + +# speficy mode="vepa" for a direct interface + $dom1 = prepare_test_disk_and_vm($tck, $conn, $dom_name, "vepa"); + $dom1->create(); + + ok($dom1->get_id() > 0, "running domain has an ID > 0"); + my $xml = $dom1->get_xml_description; + diag $xml; + my $mac1 = get_first_macaddress($dom1); + diag "mac is $mac1"; + + sleep(30); + +# check vsi information + diag "Verifying VSI information using lldptool"; + my $lldptool = `/usr/sbin/lldptool -t -i eth2 -V vdp mode`; + diag $lldptool; +# check if instance is listed + ok($lldptool =~ "instance", "check instance"); + ok($lldptool =~ $mac1, "check mac as well"); + + shutdown_vm_gracefully($dom1); + exit 0; + +}; -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
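Review bot: `skip "lldptool not present", 3 unless -e "/usr/sbin/lldptool";` hard-codes the tool path that the later backtick call repeats, and `-i eth2` hard-codes the physical interface, so the test silently depends on one host layout; take both from the TCK configuration, or at least from a single variable at the top of the script. `ok($lldptool =~ "instance", ...)` and `ok($lldptool =~ $mac1, ...)` use plain strings as regexes; `index()` or `qr/\Q$mac1\E/` states the intent and cannot misfire on metacharacters. `use Net::SSH::Perl;` is not used anywhere in the script.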
Re: [libvirt] [libvirt-tck] [RFC] 802.1Qbg test scripts
On Wed, 2010-10-06 at 12:52 +0100, Daniel P. Berrange wrote:
> I don't like this approach. JUst add an optional parameter
> to the build_domain methods
>
> my $mode = @_ ? shift : "bridge";
>
> eg so it default to traditional bridging, but you can pass
> in 'vepa' if you desire to change it. Or something like
> that.

Thanks for the feedback. The changes are in the attached new versions of the patches. It would be great if you could push at least modify_library_functions.patch to the git.

Best regards, Gerhard Stenzel

Index: libvirt-tck/scripts/nwfilter/300-vsitype.t === --- /dev/null +++ libvirt-tck/scripts/nwfilter/300-vsitype.t
@@ -0,0 +1,71 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +nwfilter/300-vsitype.t - verify VSI informatio + +=head1 DESCRIPTION + +The test case validates that the corrrect VSI is set in the adjacent switch + +=cut + +use strict; +use warnings; + +use Test::More tests => 3; + +use Sys::Virt::TCK; +use Sys::Virt::TCK::NetworkHelpers; +use Test::Exception; +use Net::SSH::Perl; +use File::Spec::Functions qw(catfile catdir rootdir); + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { +$tck->cleanup if $tck; +} + +# creating domain +my $dom1; +my $dom_name ="tck8021Qbgtest"; + +# speficy mode="vepa" for a direct interface +$dom1 = prepare_test_disk_and_vm($tck, $conn, $dom_name, "vepa"); +$dom1->create(); + +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $xml = $dom1->get_xml_description; +diag $xml; +my $mac1 = get_first_macaddress($dom1); +diag "mac is $mac1"; + +sleep(30); + +# check vsi information +diag "Verifying VSI information using lldptool"; +my $lldptool = `/usr/sbin/lldptool -t -i eth2 -V vdp mode`; +diag $lldptool; +# check if instance is listed +ok($lldptool =~ "instance", "check instance"); +ok($lldptool =~ $mac1, "check mac as well"); + + +shutdown_vm_gracefully($dom1); + +exit 0; Index: libvirt-tck/lib/Sys/Virt/TCK/DomainBuilder.pm === --- libvirt-tck.orig/lib/Sys/Virt/TCK/DomainBuilder.pm +++ libvirt-tck/lib/Sys/Virt/TCK/DomainBuilder.pm 
@@ -410,8 +410,25 @@ sub as_xml { $w->emptyTag("mac", address => $interface->{mac}); - $w->emptyTag("source", - network => $interface->{source}); + + if( $interface->{dev}) { + $w->emptyTag("source", + dev => $interface->{dev}, + mode => $interface->{mode}); + } else { + $w->emptyTag("source", + network => $interface->{source}); + } + if( $interface->{virtualport}) { + $w->startTag("virtualport", + type => $interface->{virtualport}); + $w->emptyTag("parameters", + managerid => '1', + typeid => '2', + typeidversion => '3', + instanceid => '4000----'); + $w->endTag("virtualport"); + } $w->emptyTag("model", type => $interface->{model}); if( $interface->{filterref}) { Index: libvirt-tck/lib/Sys/Virt/TCK/NetworkHelpers.pm === --- libvirt-tck.orig/lib/Sys/Virt/TCK/NetworkHelpers.pm +++ libvirt-tck/lib/Sys/Virt/TCK/NetworkHelpers.pm @@ -42,6 +42,7 @@ sub build_cdrom_ks_image { sub build_domain{ my $tck = shift; my $domain_name = shift; +my $mode = @_ ? shift : "bridge"; my $guest; my $mac = "52:54:00:11:11:11"; @@ -50,10 +51,19 @@ sub build_domain{ my $filterref = "clean-traffic"; my $network = "network"; my $source = "default"; +my $dev = "eth2"; +my $virtualport; my ($cdrom, $ksurl) = build_cdrom_ks_image($tck); my $guest = $tck->generic_domain($domain_name); + +# change the type of network connection for 8
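Review bot: the DomainBuilder hunk emits fixed `managerid => '1', typeid => '2', typeidversion => '3', instanceid => '4000----'` for every virtualport; the instanceid is not a well-formed UUID, and a test that checks the switch's VSI table (300-vsitype.t) needs values that match the real VSI database, so these should come from the interface hash (`$interface->{managerid}` and friends) with the constants only as defaults. In NetworkHelpers, `my $mode = @_ ? shift : "bridge";` matches the optional parameter that was asked for, but `my $dev = "eth2";` next to it is still hard-coded.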
[libvirt] [libvirt-tck] [RFC] 802.1Qbg test scripts
Hi Daniel, I am currently looking into TCK test cases to verify setting 802.1Qbg functionality from libvirt. My current approach requires changes to some library functions in lib/Sys/Virt/TCK/. I would appreciate your feedback about these changes before continuing much further. I also attach the test case. Thanks in advance. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 Index: libvirt-tck/lib/Sys/Virt/TCK/DomainBuilder.pm === --- libvirt-tck.orig/lib/Sys/Virt/TCK/DomainBuilder.pm +++ libvirt-tck/lib/Sys/Virt/TCK/DomainBuilder.pm @@ -410,8 +410,25 @@ sub as_xml { $w->emptyTag("mac", address => $interface->{mac}); - $w->emptyTag("source", - network => $interface->{source}); + + if( $interface->{dev}) { + $w->emptyTag("source", + dev => $interface->{dev}, + mode => $interface->{mode}); + } else { + $w->emptyTag("source", + network => $interface->{source}); + } + if( $interface->{virtualport}) { + $w->startTag("virtualport", + type => $interface->{virtualport}); + $w->emptyTag("parameters", + managerid => '1', + typeid => '2', + typeidversion => '3', + instanceid => '4000----'); + $w->endTag("virtualport"); + } $w->emptyTag("model", type => $interface->{model}); if( $interface->{filterref}) { Index: libvirt-tck/lib/Sys/Virt/TCK/NetworkHelpers.pm === --- libvirt-tck.orig/lib/Sys/Virt/TCK/NetworkHelpers.pm +++ libvirt-tck/lib/Sys/Virt/TCK/NetworkHelpers.pm 
@@ -50,10 +50,21 @@ sub build_domain{ my $filterref = "clean-traffic"; my $network = "network"; my $source = "default"; +my $dev = "eth2"; +my $mode; +my $virtualport; my ($cdrom, $ksurl) = build_cdrom_ks_image($tck); my $guest = $tck->generic_domain($domain_name); + +# change the type of network connection for 802.1Qbg tests +if ($domain_name =~ "8021Qbg") { + $mode = "vepa"; + $network ="direct"; + $virtualport = "802.1Qbg"; + } + # We want a bigger disk than normal $guest->rmdisk(); my $diskpath = $tck->create_sparse_disk("nwfilter", "main.img", 2048); @@ -79,12 +90,23 @@ sub build_domain{ } else { diag "Do normal boot"; $guest->clear_kernel_initrd_cmdline(); - $guest->interface(type => $network, - source => $source, - model => $model, - mac => $mac, - filterref => $filterref); + if ($domain_name =~ "8021Qbg") { + $guest->interface(type => $network, + source => $source, + model => $model, + mac => $mac, + dev => $dev, + mode => $mode, + virtualport => $virtualport); + } else { + $guest->interface(type => $network, + source => $source, + model => $model, + mac => $mac, + filterref => $filterref); + } } + # common configuration $guest->maxmem("524288"); $guest->memory("524288"); Index: libvirt-tck/scripts/nwfilter/300-vsitype.t === --- /dev/null +++ libvirt-tck/scripts/nwfilter/300-vsitype.t 
@@ -0,0 +1,70 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +nwfilter/300-vsitype.t - verify VSI informatio + +=head1 DESCRIPTION + +The test case validates that the corrrect VSI is set in the adjacent switch + +=cut + +use strict; +use warnings; + +use Test::More tests => 3; + +use Sys::Virt::TCK; +use Sys::Virt::TCK::NetworkHelpers; +use Test::Exception; +use Net::SSH::Perl; +use File::Spec::Functions qw(catfile catdir rootdir); + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { +$tck->cleanup if $tck; +} + +# creating domain with 8021Qbg in the name. thi
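Review bot: in the second NetworkHelpers hunk the 8021Qbg branch of `$guest->interface(...)` drops `filterref => $filterref`, so the clean-traffic filter is not applied to the direct interface while the bridge branch keeps it; if that is intentional for vepa, a comment should say so. Keying the behaviour on `if ($domain_name =~ "8021Qbg")` couples the helper to a naming convention; an explicit mode argument to build_domain is clearer and avoids the duplicated interface() call.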
Re: [libvirt] [PATCH 0/3] test cases for spoofing prevention
On Tue, 2010-09-14 at 14:10 +0100, Daniel P. Berrange wrote:
> This is bizarre - I don't see any characters in the $cmdfile
> string that are above ASCII-7 range, so should be identical
> whether its utf8 encoded or not !?!? Do you know why this
> makes it work correctly ?

The presence of ${mac1} in $cmdfile causes the problem. Eliminating $mac1 makes the problem go away. $mac1 is initialized like this:

my $mac1 = get_first_macaddress($dom1);

I guess reading from the XML causes some sort of encoding problem. I googled for the error message and found similar problems which were fixed by using utf8::encode.

Best regards, Gerhard Stenzel
Re: [libvirt] [PATCH 0/3] test cases for spoofing prevention
On Fri, 2010-09-10 at 16:02 +0200, Gerhard Stenzel wrote:
> Sounds good and I will give it a try ...

All my tests worked except scripts/nwfilter/210-no-mac-spoofing.t, which failed on Fedora 13 with:

... # ' > /test.sh input must be 8 bytes long at /usr/lib64/perl5/Crypt/DES.pm line 57. # Looks like you planned 4 tests but ran 3. ...

Here is the patch that fixes the problem for me:

diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index df47fd7..2906e1f 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -25,6 +25,7 @@ The test case validates that MAC spoofing is prevented use strict; use warnings; +use utf8; use Test::More tests => 4; @@ -94,6 +95,7 @@ my $cmdfile = "echo '" . "/sbin/ifconfig eth0 up\n". "/sbin/ifconfig eth0\n". "' > /test.sh"; +utf8::encode ($cmdfile); diag $cmdfile; my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); diag $stdout;

Best regards, Gerhard Stenzel
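Review bot: `+use utf8;` only declares that the source file itself is UTF-8 encoded; it does not change how $cmdfile is represented at run time, so the effective fix is the `+utf8::encode ($cmdfile);` line alone, which turns the string (wide after the MAC was read from the domain XML) into bytes before it reaches the SSH layer and its Crypt::DES block cipher. Either drop `use utf8;` or add a comment explaining why both are needed, so the next reader does not assume the pragma is what fixed the "input must be 8 bytes long" failure.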
Re: [libvirt] [PATCH 0/3] test cases for spoofing prevention
On Fri, 2010-09-10 at 10:45 +0100, Daniel P. Berrange wrote:
> Thanks, this one worked fine for me. I've committed your patches to
> the GIT repository, and added a couple of follow on changes. I made
> it use virtio instead of scsi for the disk, since RHEL6 doesn't ship
> with SCSI enabled. I also use mkisofs to put the kickstart file into
> a tiny ISO image and then boot with ks=cdrom:/ks.cfg so we can avoid
> needing a web service in the host to provision it. I also changed the
> filter name from 'no-spoofing' to 'clean-traffic' since libvirt does
> not have any 'no-spoofing' filter by default & IIUC 'clean-traffic'
> should be suitable for your tests.

Sounds good and I will give it a try ... In the meantime, I think your spec(.PL) file misses something like the following:

diff --git a/perl-Sys-Virt-TCK.spec.PL b/perl-Sys-Virt-TCK.spec.PL index aaca325..ecc979c 100644 --- a/perl-Sys-Virt-TCK.spec.PL +++ b/perl-Sys-Virt-TCK.spec.PL @@ -118,6 +118,7 @@ rm -rf $RPM_BUILD_ROOT %{perlvendorlib}/Sys/Virt/TCK.pm %{perlvendorlib}/Sys/Virt/TCK/ %dir %{_localstatedir}/cache/libvirt-tck +/etc/libvirt-tck/ks.cfg %changelog * Fri Mar 24 2006 - 0.0.1-1

Best regards, Gerhard Stenzel
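Review bot: `+/etc/libvirt-tck/ks.cfg` lists a kickstart file under /etc as a plain file; mark it `%config(noreplace)` so that local edits survive package upgrades, and spell the directory as `%{_sysconfdir}/libvirt-tck/ks.cfg` for consistency with the `%{_localstatedir}` macro on the line above it.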
Re: [libvirt] [PATCH 0/3] test cases for spoofing prevention
On Thu, 2010-09-09 at 14:48 +0100, Daniel P. Berrange wrote:
> On Wed, Jun 16, 2010 at 04:08:00PM +0200, gsten...@linux.vnet.ibm.com wrote:
> > The following patches add a set of test cases to verify that several
> > spoofing attacks are prevented by the nwfilter subsystem.
> >
> > In order to have a well defined test machine a virtual disk is installed
> > from scratch over the network.
> > I am currently trying to find a suitable location for the kickstart file.
>
> Do you have the suitable 'ks.cfg' you used with these test scripts ? The
> test files look good to me and I'm going to commit them all now. We just
> need the ks.cfg so we can make it work - I'll make it pull it off a floppy
> disk image
>
> Regards,
> Daniel

Here is the one I used. I could update it to a newer Fedora version, if necessary:

#version=F12
install
text
url --url=http://ftp-stud.hs-esslingen.de/Mirrors/fedora.redhat.com/linux/releases/12/Fedora/i386/os/
lang en_US.UTF-8
keyboard de-latin1-nodeadkeys
network --device eth0 --bootproto dhcp
rootpw --iscrypted $6$AHEMvpa2rx3n/DON$toWNA/ainpreIRC1g2L9yuil7bS.2hIf8DomTluFGulQtN3KstPeVrmwFMhkwhsW7ud7DANsWycGEL5ZOU50e.
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
selinux --enforcing
timezone --utc Europe/Berlin
bootloader --location=mbr --driveorder=sda --append=" LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --drives=sda --initlabel
part /boot --fstype=ext4 --size=200
part swap --grow --maxsize=256 --asprimary --size=1
part / --fstype=ext3 --grow --size=200
poweroff

%packages
@admin-tools
@base
@core
#@editors
#@fonts
@hardware-support
#@input-methods
#@online-docs
#@text-internet
#gpgme
#gnupg2
#hdparm
#m17n-db-tamil
#m17n-db-gujarati
#m17n-db-kannada
#m17n-db-hindi
#m17n-db-oriya
#m17n-db-bengali
#m17n-contrib-sinhala
#m17n-db-assamese
#m17n-db-punjabi
#iok
#m17n-db-telugu
#tm17n-db-malayalam

-- 
Best regards,
Gerhard Stenzel
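The kickstart above is what makes the test guest reproducible, and the directives that matter for a guest you will deliberately attack from are the security ones: a SHA-512 crypt hash for rootpw, SELinux enforcing, a firewall that opens only ssh, and sha512 as the password algorithm. The following Python script is an added example (not libvirt-tck code and not part of this thread) that parses the command section of a kickstart file and flags weak settings of exactly that kind. The kickstart texts, the placeholder hash and the finding strings are constructed for the demonstration.

```python
"""Lint the command section of an anaconda kickstart file for weak security settings.

Added example, not libvirt-tck code. The kickstart texts and the placeholder hash
below are constructed for this demonstration.
"""
import re
import shlex

# SHA-512 crypt(3) format, the default that 'authconfig --passalgo=sha512' selects:
# $6$<salt, up to 16 chars>$<86-char hash>
SHA512_CRYPT_RE = re.compile(r'^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$')


def parse_kickstart(text):
    """Return [(command, [args...])] for the command section, stopping at the first %section."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('%'):          # %packages / %post: the command section is over
            break
        parts = shlex.split(line)        # honours the quoted value of bootloader --append
        commands.append((parts[0], parts[1:]))
    return commands


def _has_flag(args, name):
    return any(a == name or a.startswith(name + '=') for a in args)


def _value(args, name):
    """Value of '--name value' or '--name=value', or None if absent."""
    for i, arg in enumerate(args):
        if arg == name and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(name + '='):
            return arg.split('=', 1)[1]
    return None


def audit_kickstart(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    seen = dict(parse_kickstart(text))    # anaconda keeps the last occurrence of a command

    rootpw = seen.get('rootpw')
    if rootpw is None:
        findings.append('rootpw: not set')
    elif not _has_flag(rootpw, '--iscrypted'):
        findings.append('rootpw: plaintext password in kickstart')
    else:
        values = [a for a in rootpw if not a.startswith('--')]
        if not values or not SHA512_CRYPT_RE.match(values[-1]):
            findings.append('rootpw: --iscrypted value is not a SHA-512 crypt hash ($6$...)')

    selinux = seen.get('selinux')         # absent means the installer default, enforcing
    if selinux is not None and not _has_flag(selinux, '--enforcing'):
        findings.append('selinux: not enforcing (%s)' % ' '.join(selinux))

    firewall = seen.get('firewall')
    if firewall is not None and _has_flag(firewall, '--disabled'):
        findings.append('firewall: disabled')
    elif firewall is not None:
        services = _value(firewall, '--service') or ''
        extra = set(filter(None, services.split(','))) - {'ssh'}
        if extra:
            findings.append('firewall: services beyond ssh opened: %s' % ','.join(sorted(extra)))
        if _value(firewall, '--port'):
            findings.append('firewall: extra ports opened: %s' % _value(firewall, '--port'))

    authconfig = seen.get('authconfig')
    algo = _value(authconfig, '--passalgo') if authconfig is not None else None
    if algo not in (None, 'sha512'):
        findings.append('authconfig: weak --passalgo=%s' % algo)

    return findings


CONSTRUCTED_HASH = '$6$AHEMvpa2rx3n/DON$' + 'x' * 86   # placeholder, not a real password hash

HARDENED_KS = """\
#version=F12
install
text
network --device eth0 --bootproto dhcp
rootpw --iscrypted {hash}
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512 --enablefingerprint
selinux --enforcing
bootloader --location=mbr --driveorder=sda --append=" rhgb quiet"
%packages
@core
""".format(hash=CONSTRUCTED_HASH)

WEAK_KS = """\
install
rootpw secret
selinux --disabled
firewall --disabled
authconfig --enableshadow --passalgo=md5
%packages
@core
"""

if __name__ == '__main__':
    for name, ks in (('hardened', HARDENED_KS), ('weak', WEAK_KS)):
        print(name, audit_kickstart(ks) or ['ok'])
```

Run against the kickstart posted above (with its real hash), the linter reports nothing; run against the constructed weak variant it reports the plaintext root password, the disabled SELinux and firewall, and the md5 password algorithm. The check stops at the first `%` section on purpose, since `%post` scripts need a different kind of review.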
[libvirt] [PATCH] fix handling of PORT_PROFILE_RESPONSE_INPROGRESS netlink message
During function test of the 802.1Qbg implementation in lldpad we came across a small problem in the handling of the netlink message corresponding to PORT_PROFILE_RESPONSE_INPROGRESS. This should not result in returning the default rc=1. Signed-off-by: Gerhard Stenzel diff --git a/src/util/macvtap.c b/src/util/macvtap.c index 635458d..a6d9a57 100644 --- a/src/util/macvtap.c +++ b/src/util/macvtap.c @@ -1025,6 +1025,7 @@ getPortProfileStatus(struct nlattr **tb, int32_t vf, if (is8021Qbg) { /* no in-progress here; may be missing */ *status = PORT_PROFILE_RESPONSE_INPROGRESS; +rc = 0; } else { msg = _("no IFLA_PORT_RESPONSE found in netlink message"); goto err_exit; -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
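Review bot: with `rc = 0` added in the `is8021Qbg` branch, a netlink reply that lacks IFLA_PORT_RESPONSE is now reported as success with `*status = PORT_PROFILE_RESPONSE_INPROGRESS`, so callers that poll getPortProfileStatus() must treat `rc == 0` together with `*status == PORT_PROFILE_RESPONSE_INPROGRESS` as "not finished yet" rather than as a completed association. The comment `/* no in-progress here; may be missing */` should say explicitly that for 802.1Qbg a missing response attribute means the association is still pending, and the commit message should name the caller that was failing on the default rc=1 so the change can be verified.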
Re: [libvirt] [PATCH 0/3] test cases for spoofing prevention
On Fri, 2010-06-18 at 18:29 +0100, Daniel P. Berrange wrote:
> On Wed, Jun 16, 2010 at 04:08:00PM +0200, gsten...@linux.vnet.ibm.com wrote:
> > The following patches add a set of test cases to verify that several
> > spoofing attacks are prevented by the nwfilter subsystem.
> >
> > In order to have a well defined test machine a virtual disk is installed
> > from scratch over the network.
> > I am currently trying to find a suitable location for the kickstart file.
>
> I've just remembered that actually anaconda can load a kickstart file from
> all sorts of interesting places, including a file on a disk in the
> machine. So you could create a floppy disk image, containing the kickstart
> file, add it to the guest XML and boot with "ks=file:fd0/ks.cfg" thus
> avoiding any need to load it over the network
>
> I found this tip here:
>
> http://www.redhat.com/magazine/024oct06/features/kickstart/
>
> I'm just trying to get my machines working again so I can actually try
> out your test cases myself...then I give any more feedback...

Thanks, please find attached my ks.cfg

> Regards,
> Daniel

-- 
Best regards,
Gerhard Stenzel

[Attachment: ks.cfg]
Re: [libvirt] [PATCH v2] vepa: parsing for 802.1Qb{g|h} XML
On Wed, 2010-05-12 at 21:08 +0200, Gerhard Stenzel wrote: > On Wed, 2010-05-12 at 13:21 -0400, Stefan Berger wrote: > > I am wondering whether it would not be 'more general' to have lldpad > > determine > > the root interface and handling bonding interfaces on the way > rather > > than libvirt trying to determine that here. So we would just pass > the > > linkdev or the even the macvtap to lldptool. The same would be true > > for finding the VLAN ID. For both the code I posted here on libvirt > > mailing list could be used in lldpad. For now I won't check it in. > > If that is the preferred way ... fine with me. Just in case, here is a version taking care of that: Here is a RFC patch, which demonstrates how libvirt could communicate with lldpad via the lldptool for the 802.1Qbg case. Please note, that there is currently no public available version of lldptool which accepts this command line. This is also work in progress. Signed-off-by: Gerhard Stenzel Index: libvirt/src/util/macvtap.c === --- libvirt.orig/src/util/macvtap.c +++ libvirt/src/util/macvtap.c 
@@ -750,6 +750,92 @@ configMacvtapTap(int tapfd, int vnet_hdr return 0; } +# define ASSOCIATE 0x02 +# define DEASSOCIATE0x03 +# define LLDPTOOL_NAME "lldptool" + +static int +setPortProfileId(const char *linkdev, + const unsigned char *mac, + int mode, + const virVSIProfileDefPtr vsi) +{ +char macaddr[VIR_MAC_STRING_BUFLEN]; +char uuidstr[VIR_UUID_STRING_BUFLEN]; +static char *lldptool; +char *modestr = NULL; +int rc; +int status = 0; +# define NUM_PARAMS 8 +const char *argv[NUM_PARAMS] = {NULL, }; +int argc = 0; + +virFormatMacAddr(mac, macaddr); + +if (lldptool == NULL) { +lldptool = virFindFileInPath(LLDPTOOL_NAME); +if (lldptool == NULL) { +macvtapError(VIR_ERR_INTERNAL_ERROR, + _("unable to find %s"), LLDPTOOL_NAME); +return -1; +} +} + +virFormatMacAddr(mac, macaddr); +virUUIDFormat(vsi->u.vsi8021Qbg.instanceID, uuidstr); + +VIR_DEBUG("setting typeid '%d' with mode '%d' on link '%s' mac '% s'\n", + vsi->u.vsi8021Qbg.typeID, mode, linkdev, macaddr); + +/* example syntax: + * lldptool -T -i eth2 -V vdp \ + * mode= + */ + +if ((virAsprintf(&modestr, "mode=%d,%d,%d,%d,%s,%s", mode, + vsi->u.vsi8021Qbg.managerID, + vsi->u.vsi8021Qbg.typeID, + vsi->u.vsi8021Qbg.typeIDVersion, + uuidstr, + macaddr) < 0 )) { +rc = -1; +goto err_exit; +} + +argv[argc++] = lldptool; +argv[argc++] = "-T"; +argv[argc++] = "-i"; +argv[argc++] = linkdev; +argv[argc++] = "-V"; +argv[argc++] = "vdp"; +argv[argc++] = modestr; +argv[argc ] = NULL; + +VIR_DEBUG("argc = %d\n", argc); +if (argc >= NUM_PARAMS) { +macvtapError(VIR_ERR_INTERNAL_ERROR, "%s", + _("too many parameters in array")); +rc = 1; +goto err_exit; +} +# undef NUM_PARAMS + +rc = virRun(argv, &status); +status >>= 8; + +VIR_DEBUG("Result from running %s: rc = %d, status = %d\n", + lldptool, rc, status); + +err_exit: +VIR_FREE(modestr); + +if (rc) +return rc; + +return status; + +} + /** * associatePortProfile 
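Review bot: in setPortProfileId() the `argc >= NUM_PARAMS` check runs after all seven `argv[argc++] = ...` stores and the terminating `argv[argc] = NULL`, so it cannot prevent an overflow of the 8-entry array, only report one after the fact; size `argv` from the number of arguments at compile time or check before each store. Two smaller points in the same hunk: `virFormatMacAddr(mac, macaddr)` is called twice (once before the lldptool lookup and once after), and `status >>= 8` assumes the raw wait-status layout; use `WIFEXITED()`/`WEXITSTATUS()` on the value virRun() fills in so a signalled lldptool is not mistaken for an exit code. The VIR_DEBUG format strings also end in `\n`, which the logging layer adds itself.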
@@ -791,7 +877,10 @@ associatePortProfileId(const char *linkd break; case VIR_VSI_8021QBG: -rc = -1; +rc = setPortProfileId(linkdev, +mac, +ASSOCIATE, +vsi); break; case VIR_VSI_8021QBH: @@ -829,7 +918,10 @@ disassociatePortProfileId(const char *li break; case VIR_VSI_8021QBG: -rc = -1; +rc = setPortProfileId(linkdev, +mac, +DEASSOCIATE, +vsi); break; case VIR_VSI_8021QBH: -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
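Review bot: replacing `rc = -1` with the return value of setPortProfileId() in both associatePortProfileId() and disassociatePortProfileId() changes the error convention: setPortProfileId() returns -1 on virAsprintf failure, 1 from the argv check, and otherwise lldptool's exit status, so a positive value now reaches callers that previously only saw 0 or -1. Normalise to 0/-1 here (or inside setPortProfileId()) and report a non-zero lldptool status through macvtapError so the failure is visible in the log; for the DEASSOCIATE path decide whether an lldptool failure should abort interface teardown or only be logged.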
Re: [libvirt] [PATCH v2] vepa: parsing for 802.1Qb{g|h} XML
On Wed, 2010-05-12 at 13:21 -0400, Stefan Berger wrote: > I am wondering whether it would not be 'more general' to have lldpad > determine > the root interface and handling bonding interfaces on the way rather > than libvirt trying to determine that here. So we would just pass the > linkdev or the even the macvtap to lldptool. The same would be true > for finding the VLAN ID. For both the code I posted here on libvirt > mailing list could be used in lldpad. For now I won't check it in. If that is the preferred way ... fine with me. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2] vepa: parsing for 802.1Qb{g|h} XML
On Wed, 2010-05-12 at 12:13 -0400, Stefan Berger wrote: > I'd suggest to use this patch as a base for triggering the setup > protocol with the 802.1Qb{g|h} switch. Here is a RFC patch, which demonstrates how libvirt could communicate with lldpad via the lldptool for the 802.1Qbg case. Please note, that there is currently no public available version of lldptool which accepts this command line. This is also work in progress. This applies on top of the patch Stefan just posted. Signed-off-by: Gerhard Stenzel Index: libvirt/src/util/macvtap.c === --- libvirt.orig/src/util/macvtap.c +++ libvirt/src/util/macvtap.c 
@@ -750,6 +750,107 @@ configMacvtapTap(int tapfd, int vnet_hdr return 0; } +# define ASSOCIATE 0x02 +# define DEASSOCIATE0x03 +# define LLDPTOOL_NAME "lldptool" + +static int +setPortProfileId(const char *linkdev, + const unsigned char *mac, + int mode, + const virVSIProfileDefPtr vsi) +{ +char macaddr[VIR_MAC_STRING_BUFLEN]; +char uuidstr[VIR_UUID_STRING_BUFLEN]; +char rootifname[IFNAMSIZ]; +static char *lldptool; +char *modestr = NULL; +int vlanid = 0; +int rc; +int status = 0; +# define NUM_PARAMS 8 +const char *argv[NUM_PARAMS] = {NULL, }; +int argc = 0; + +virFormatMacAddr(mac, macaddr); + + rc = ifaceGetRootIface(-1, linkdev, rootifname); + if (rc != 0) { +macvtapError(VIR_ERR_INTERNAL_ERROR, + _("cannot get root interface for %s"), + linkdev); + return rc; + } +VIR_DEBUG("root iface of %s is %s\n", linkdev, rootifname); + +ifaceGetVlanID(linkdev, &vlanid); +VIR_DEBUG("vlan id of %s is %d\n", linkdev, vlanid); + +if (lldptool == NULL) { +lldptool = virFindFileInPath(LLDPTOOL_NAME); +if (lldptool == NULL) { +macvtapError(VIR_ERR_INTERNAL_ERROR, + _("unable to find %s"), LLDPTOOL_NAME); +return -1; +} +} + +virFormatMacAddr(mac, macaddr); +virUUIDFormat(vsi->u.vsi8021Qbg.instanceID, uuidstr); + +VIR_DEBUG("setting port profile id '%p' with mode %d on physical device '%s' mac '%s' vlan '%d'\n", + vsi, mode, rootifname, macaddr, vlanid); + +/* example syntax: + * lldptool -T -i eth2 -V vdp \ + * mode= + */ + +if ((virAsprintf(&modestr, "mode=%d,%d,%d,%d,%s,%s,%d", mode, + vsi->u.vsi8021Qbg.managerID, + vsi->u.vsi8021Qbg.typeID, + vsi->u.vsi8021Qbg.typeIDVersion, + uuidstr, + macaddr, + vlanid) < 0 )) { +rc = -1; +goto err_exit; +} + +argv[argc++] = lldptool; +argv[argc++] = "-T"; +argv[argc++] = "-i"; +argv[argc++] = rootifname; +argv[argc++] = "-V"; +argv[argc++] = "vdp"; +argv[argc++] = modestr; +argv[argc ] = NULL; + +VIR_DEBUG("argc = %d\n", argc); +if (argc >= NUM_PARAMS) { +macvtapError(VIR_ERR_INTERNAL_ERROR, "%s", + _("too many parameters in array")); +rc 
= 1; +goto err_exit; +} +# undef NUM_PARAMS + +rc = virRun(argv, &status); +status >>= 8; + +VIR_DEBUG("Result from running %s: rc = %d, status = %d\n", + lldptool, rc, status); + +err_exit: +VIR_FREE(modestr); + +if (rc) +return rc; + +return status; + +} + /** * associatePortProfile @@ -791,7 +892,10 @@ associatePortProfileId(const char *linkd break; case VIR_VSI_8021QBG: -rc = -1; +rc = setPortProfileId(linkdev, +mac, +ASSOCIATE, +vsi); break; case VIR_VSI_8021QBH: @@ -829,7 +933,10 @@ disassociatePortProfileId(const char *li break; case VIR_VSI_8021QBG: - rc = -1; +rc = setPortProfileId(linkdev, +mac, +DEASSOCIATE, +vsi); break; case VIR_VSI_8021QBH: -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
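Review bot: in the setPortProfileId() hunk the return value of `ifaceGetVlanID(linkdev, &vlanid)` is ignored, so on failure `vlanid` stays 0 and is passed to lldptool as a real VLAN id; check it the way `ifaceGetRootIface()` is checked just above it. The debug line prints `'%p'` with `vsi`, i.e. the address of the struct rather than the profile id it announces; print `vsi->u.vsi8021Qbg.typeID` instead. The early `return rc` after ifaceGetRootIface() fails hands that helper's code straight to the caller while the lldptool lookup failure returns -1; pick one convention. The `argv` array is also filled before the `argc >= NUM_PARAMS` check, so the check cannot protect it, and `status >>= 8` should be `WIFEXITED()`/`WEXITSTATUS()`; both apply equally to the v2 posting of this function.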
Re: [libvirt] [libvirt PATCH] Port-profile ID support using IFLA_VF_PORT_PROFILE netlink msg
On Sat, 2010-05-08 at 00:05 -0700, Scott Feldman wrote:
> From: Scott Feldman
>
> This fleshes out the port profile ID proof-of-concept patch posted earlier
> by David Allan, referenced here:
>
> https://www.redhat.com/archives/libvir-list/2010-March/msg01401.html
>
> It uses the new IFLA_VF_PORT_PROFILE netlink msg to set/unset the port-
> profile for the virtual switch port backing the VM device. The new netlink
> msg is being discussed on the netdev kernel mailing list here:
>
> http://marc.info/?l=linux-netdev&m=127312092712543&w=2
> http://marc.info/?l=linux-netdev&m=127312093412556&w=2
>
> IFLA_VF_PORT_PROFILE is sent using RTM_SETLINK, and retrieved using
> RTM_GETLINK. IFLA_VF_PORT_PROFILE is sent using netlink multicast send
> with RTNLGRP_LINK so the receiver of the msg can be in user-space or
> kernel-space.

I tried the latest libvirt (from git) to compile with this patch:

util/macvtap.c:618: warning: 'struct ifla_vf_port_profile' declared inside parameter list
util/macvtap.c:618: warning: its scope is only this definition or declaration, which is probably not what you want
util/macvtap.c: In function 'sendPortProfileMulticastMsg':
util/macvtap.c:648: error: 'IFLA_VF_PORT_PROFILE' undeclared (first use in this function)
util/macvtap.c:648: error: (Each undeclared identifier is reported only once
util/macvtap.c:648: error: for each function it appears in.)
util/macvtap.c:649: error: dereferencing pointer to incomplete type
util/macvtap.c: In function 'unsetPortProfileId':
util/macvtap.c:709: error: storage size of 'ivp' isn't known
util/macvtap.c:711: error: invalid application of 'sizeof' to incomplete type 'struct ifla_vf_port_profile'
util/macvtap.c:709: warning: unused variable 'ivp' [-Wunused-variable]
util/macvtap.c: In function 'setPortProfileId':
util/macvtap.c:733: error: storage size of 'ivp' isn't known
util/macvtap.c:734: error: 'IFLA_VF_UUID_MAX' undeclared (first use in this function)
util/macvtap.c:739: error: invalid application of 'sizeof' to incomplete type 'struct ifla_vf_port_profile'
util/macvtap.c:734: warning: unused variable 'host_uuid' [-Wunused-variable]
util/macvtap.c:733: warning: unused variable 'ivp' [-Wunused-variable]
make[3]: *** [libvirt_util_la-macvtap.lo] Error 1

As of 2.6.34-rc7, 'IFLA_VF_PORT_PROFILE' is not yet in the kernel. Any estimate when this might change?

-- 
Best regards,
Gerhard Stenzel
Re: [libvirt] [PATCH 1/1] Initial POC of port profile id support
On Fri, 2010-04-02 at 11:42 -0400, Dave Allan wrote:
> Agreed with both; an updated patch is attached. I also added a test for
> the new element.
>
> Dave

Hi, unless I am missing something, you changed only the XML (), but not the source code (profileid = virXMLPropString(cur, "profileid");).

I also get some weird characters, which I don't understand:

13:13:05.475: debug : virDomainNetDefParseXML:2057 : profileid=a
13:13:19.668: debug : virDomainNetDefFormat:5153 : profileid=з�

I added a few debug lines in domain_conf.c to produce the above output. The first line is when libvirtd starts up and reads all domain files. The second line is when I tried to edit the domain xml via "virsh edit".

-- 
Best regards,
Gerhard Stenzel
Re: [libvirt] [RFC] libvirt-TCK scripts to verify spoofing prevention
Daniel, thanks for the comments .. most of them are integrated, but I have a problem with changing MAC addresses, because the domain xml is regenerated every time, so I cannot rely on the interface name being "eth0" as fedora during boot creates a new ethX for each new MAC address .. any good advice? On Thu, 2010-04-15 at 15:27 +0100, Daniel P. Berrange wrote: > On Thu, Apr 15, 2010 at 02:35:41PM +0200, Gerhard Stenzel wrote: > > The following patch mainly adds a set of test case to verify that > > several spoofing attacks are prevented by the nwfilter subsystem. > > > > In order to have a well defined test machine, the patch also includes > > test scripts to network install a virtual disk from scratch, to boot the > > virtual test machine prior to running the actual test scripts and to > > shut it down afterwards. > > > > While I have tried to remove as much dependency on my local setup as > > possible there is still some left, so I am currently more interested in > > feedback about the general approach, not necessarily actual inclusion > > into the libvirt-TCK git. > > Your actual test cases look good, so I'll just put comments about > the setup/teardown stuff inline. ok .. sounds good > > > > > For example, I am currently trying to find a suitable location for the > > kickstart file, and also a suitable place for the common_functions.pl. > > The 'lib' directory contains modules which provide common functions & > code for the test scripts. In this case I'd suggest creating a file > > lib/Sys/Virt/TCK/NetworkHelpers.pm (use Sys::Virt::TCK::NetworkHelpers) ok .. done > > > Index: libvirt-tck/scripts/network/README > > === > > --- /dev/null > > +++ libvirt-tck/scripts/network/README 
> > @@ -0,0 +1,14 @@ > > + > > +Test cases: > > + > > +000-install-image.tcreates and install a 2GB fedora > > virtual disk via > > kickstart file from the network > > +001-boot-image.t defines and boots a VM which uses the fedora > > virtual > > disk > > +100-ping-still-working.t verifies the VM is pingable > > +210-no-mac-spoofing.t verifies mac spoofing is prevented > > +220-no-ip-spoofing.t verifies ip spoofing is prevented > > +230-no-mac-broadcast.t verifies mac broadcasting is prevented > > +240-no-arp-spoofing.t verifies arp spoofing is prevented > > +999-shutdown-image.t shuts the VM down > > One thing about the TCK test cases is that each one should be > self-contained, doing all setup & teardown it requires, not > reliant on any of the other tests cases or ordering of tests. > > So instead of having the 000-install-image.t & 0001-boot-image.t > scripts that do setup, you'd want to create some library code > that can be used to install + boot the guest, and just call that > from each test case. I am currently trying this .. however, what I am struggling with is that the MAC address is different for every boot. > > > Index: libvirt-tck/scripts/network/000-install-image.t > > === > > --- /dev/null > > +++ libvirt-tck/scripts/network/000-install-image.t 
> > @@ -0,0 +1,181 @@ > > +# -*- perl -*- > > +# > > +# Copyright (C) 2010 IBM Corp. > > +# > > +# This program is free software; You can redistribute it and/or modify > > +# it under the GNU General Public License as published by the Free > > +# Software Foundation; either version 2, or (at your option) any > > +# later version > > +# > > +# The file "LICENSE" distributed along with this file provides full > > +# details of the terms and conditions > > +# > > + > > +=pod > > + > > +=head1 NAME > > + > > +network/000-install-image.t - install network test image > > + > > +=head1 DESCRIPTION > > + > > +The test case creates and install a 2GB fedora virtual > > +disk via kickstart file from the network. > > + > > +=cut > > + > > +use strict; > > +use warnings; > > + > > +use Test::More tests => 1; > > + > > +use Sys::Virt::TCK; > > + > > +my $tck = Sys::Virt::TCK->new(); > > +my $conn = eval { $tck->setup(); }; > > +BAIL_OUT "failed to setup test harness: $@" if $@; > > +END { $tck->cleanup if $tck; } > > + > > +# variables which may need to be adapted > > +my $domain_name ="f12nwtest"; > > +my $disk_na
[libvirt] [RFC] libvirt-TCK scripts to verify spoofing prevention
68.122.1\n". +"/sbin/ifconfig eth0 down\n". +"/sbin/ifconfig eth0 ${guestip1} netmask 255.255.255.0 up\n". +"/sbin/ifconfig eth0 \n". +"/bin/sleep 1\n". + "' > /test.sh"; +diag $cmdfile; +my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +diag "running ip spoof"; +($stdout, $stderr, $exit) = $ssh->cmd("/test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +diag "checking result"; +ok($stdout =~ "100% packet loss", "packet loss expected"); + +exit 0; Index: libvirt-tck/scripts/network/999-shutdown-image.t === --- /dev/null +++ libvirt-tck/scripts/network/999-shutdown-image.t 
@@ -0,0 +1,59 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/240-no-arp-spoofing.t - verify ARP spoofing is prevented + +=head1 DESCRIPTION + +The test case validates that ARP spoofing is prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 2; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; + + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { +$tck->cleanup if $tck; +} + +# find domain +my $domain_name = "f12nwtest"; +diag "Trying domain lookup by name"; +my $dom; +ok_domain { $dom = $conn->get_domain_by_name($domain_name) } "the running domain object"; +ok($dom->get_id() > 0, "running domain has an ID > 0"); + +# cleanup guest +diag "cleaning up"; +$dom->shutdown(); +while($dom->is_active()) { + sleep(1); + diag ".. waiting for virtual machine ${domain_name} to shutdown.. "; +} +#$dom->undefine(); + +exit 0; Index: libvirt-tck/scripts/network/common_functions.pl === --- /dev/null +++ libvirt-tck/scripts/network/common_functions.pl 
@@ -0,0 +1,35 @@ +use utf8; +#no utf8; + +sub get_macaddress { +my $xmldesc = shift; + +my $mac; +my $parser = XML::LibXML->new(); + +my $doc = $parser->parse_string($xmldesc); + +my $rootel = $doc -> getDocumentElement(); + +my @devices = $rootel->getChildrenByTagName("devices"); +foreach my $device(@devices) { + my @interfaces = $device->getChildrenByTagName("interface"); + foreach my $interface(@interfaces) { + my @targets = $interface->getChildrenByTagName("mac"); + foreach my $target(@targets) { + $mac = $target->getAttribute("address"); + } + } +} +utf8::decode($mac); +return $mac; +} + +sub get_ip_from_leases{ +my $mac = shift; +my $tmp = `grep $mac /var/lib/dnsmasq/dnsmasq.leases`; +my @fields = split(/ /, $tmp); +my $ip = $fields[2]; +return $ip; +} +1; -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
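Review bot: in the tail of 220-no-ip-spoofing.t the only assertion is `ok($stdout =~ "100% packet loss", "packet loss expected")`, which also passes when the spoofed ping fails for an unrelated reason (guest network down, wrong gateway, ping missing in the image); add a control step that pings from the guest's legitimate address first and expects 0% loss, and assert on `$exit` from the `$ssh->cmd` calls instead of only passing it to `diag`. The `255.255.255.0` netmask and the `${guestip1}` address are hard-coded to the default libvirt network; take them from the lease file or the network XML so the test does not silently pass on a differently numbered host.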
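Review bot: the POD in 999-shutdown-image.t still reads `network/240-no-arp-spoofing.t - verify ARP spoofing is prevented` and `The test case validates that ARP spoofing is prevented`, copied from the previous test; fix NAME and DESCRIPTION. The `while($dom->is_active()) { sleep(1); ... }` loop has no upper bound, so a guest that ignores the ACPI shutdown request hangs the whole TCK run; bound the wait and fall back to `$dom->destroy()`. `Test::Exception` and `Net::SSH::Perl` are imported but not used in this file.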
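Review bot: get_ip_from_leases() in common_functions.pl interpolates `$mac` into a backtick shell command (`grep $mac /var/lib/dnsmasq/dnsmasq.leases`) without validation; the value comes from the domain XML, so it is not hostile in this harness, but opening the file in Perl and comparing the second field exactly avoids both the shell and substring matches. The path assumes a system-wide dnsmasq, whereas the dnsmasq instance libvirt starts for its networks keeps its lease file under /var/lib/libvirt/dnsmasq/, and a stale lease from an earlier boot can precede the current one, so select the entry with the latest expiry rather than the first grep hit. The `utf8::decode($mac)` call is unnecessary for an ASCII attribute value.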
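As an added example (not libvirt-tck code and not part of this thread), here is how the two helpers in common_functions.pl, together with the get_ifname() lookup that the event watcher script later on this page relies on, can be done in Python without shelling out: the MAC is validated against a strict pattern before it is used anywhere, the dnsmasq lease file is matched field by field with the newest lease winning, and the interface's target device comes from the same XML walk. The domain XML and the lease lines are constructed sample input.

```python
"""Resolve a libvirt guest's MAC, tap device and DHCP lease without shelling out.

Added example, not libvirt-tck code; the domain XML and lease lines below are
constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r'^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$')


def get_interfaces(domain_xml):
    """Return one dict per <interface> under <devices>: type, mac (lowercased), target dev.

    The MAC is validated before it is returned, so callers can use it in file lookups
    or command lines safely; the original Perl helper interpolated it into a shell line.
    """
    root = ET.fromstring(domain_xml)
    interfaces = []
    for iface in root.findall('./devices/interface'):
        mac_el = iface.find('mac')
        target_el = iface.find('target')
        mac = mac_el.get('address', '').lower() if mac_el is not None else None
        if mac is not None and not MAC_RE.match(mac):
            raise ValueError('malformed MAC address in domain XML: %r' % mac)
        interfaces.append({
            'type': iface.get('type'),
            'mac': mac,
            'dev': target_el.get('dev') if target_el is not None else None,
        })
    return interfaces


def get_ip_from_leases(mac, leases_text):
    """Return the IP of the newest dnsmasq lease for mac, or None.

    dnsmasq lease lines are '<expiry> <mac> <ip> <hostname> <client-id>'. Comparing
    the whole MAC field (not a substring grep) and preferring the latest expiry avoids
    picking up a stale lease left by an earlier boot of the same guest.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError('malformed MAC address: %r' % mac)
    best = None
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1].lower() != mac:
            continue
        try:
            expiry = int(fields[0])
        except ValueError:
            continue
        if best is None or expiry > best[0]:
            best = (expiry, fields[2])
    return best[1] if best else None


# Constructed sample input, shaped like a libvirt domain and a dnsmasq lease file.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>f12nwtest</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:AA:BB:CC'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:11:22:33'/>
      <source dev='eth1' mode='vepa'/>
      <target dev='macvtap0'/>
    </interface>
  </devices>
</domain>
"""

SAMPLE_LEASES = """\
1275000000 52:54:00:aa:bb:cc 192.168.122.50 f12nwtest 01:52:54:00:aa:bb:cc
1275003600 52:54:00:aa:bb:cc 192.168.122.51 f12nwtest 01:52:54:00:aa:bb:cc
1275003600 52:54:00:de:ad:00 192.168.122.99 other *
"""

if __name__ == '__main__':
    for iface in get_interfaces(SAMPLE_DOMAIN_XML):
        print(iface['dev'], iface['mac'], get_ip_from_leases(iface['mac'], SAMPLE_LEASES))
```

On a real host you would read the lease file of the libvirt network the guest is attached to and pass its text to get_ip_from_leases(); the macvtap interface in the sample has no lease in the file, which is the normal case for a 'direct' interface served by an external DHCP server.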
Re: [libvirt] question about libvirt-tck/libivrt-perl
On Mon, 2010-04-12 at 15:21 +0100, Daniel P. Berrange wrote:
> It is a subtle issue crossing several layers. libvirt internally caches
> virDomainPtr instances based on name. You created an object in the perl
> layer '$dom' with the name, and then you create a new instance with the
> same name, but assign to a different perl object '$newdom'. This means
> that the old virDomainPtr associated with $dom still exists. If you
> explicitly set '$dom = undef' before creating the second domain you
> should release the old handle & make it all work as expected

Thanks for the explanation .. my script now works as expected.

BTW, additional test cases for libvirt-TCK should be sent as patches to this list, correct?

-- 
Best regards,
Gerhard Stenzel
[libvirt] question about libvirt-tck/libivrt-perl
Hi, I have a small libvirt-TCK script, which fails in a way that is unexpected to me:

##
use strict;
use warnings;
use Term::ReadKey;
use Test::More tests => 4;
use Sys::Virt::TCK;

my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }

# first domain
my $xml = $tck->generic_domain("tck")->as_xml;
my $dom;
ok_domain(sub { $dom = $conn->create_domain($xml) }, "defined domain config");
my $uuid = $dom->get_uuid_string();
diag $uuid;
$xml = $dom->get_xml_description;
diag "Starting inactive domain config";
ok($dom->get_id() > 0, "running domain has an ID > 0");
$dom->destroy;

# new domain
my $newxml = $tck->generic_domain("tck")->as_xml;
my $newdom;
ok_domain(sub { $newdom = $conn->create_domain($newxml) }, "defined domain config");
my $newuuid = $newdom->get_uuid_string();
diag $newuuid;
$newxml = $newdom->get_xml_description();
ok($newdom->get_id() > 0, "running domain has an ID > 0");
$newdom->destroy;
##

scripts/network/001-prepare-image.t ..
1..4
ok 1 - defined domain config
# 4317db52-00bb-3cac-5639-91cdce05a717
# Starting inactive domain config
ok 2 - running domain has an ID > 0
ok 3 - defined domain config
# 4317db52-00bb-3cac-5639-91cdce05a717
libvirt error code: 42, message: Domain not found: no domain with matching uuid '4317db52-00bb-3cac-5639-91cdce05a717'
# Looks like you planned 4 tests but ran 3.
# Looks like your test exited with 255 just after 3.
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 1/4 subtests

Test Summary Report
-------------------
scripts/network/001-prepare-image.t (Wstat: 65280 Tests: 3 Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan. You planned 4 tests but ran 3.
Files=1, Tests=3, 1 wallclock secs ( 0.02 usr 0.01 sys + 0.19 cusr 0.04 csys = 0.26 CPU)
Result: FAIL
##

If I change

my $newxml = $tck->generic_domain("tck")->as_xml;

to

my $newxml = $tck->generic_domain("tck2")->as_xml;

the script works as expected.

I am wondering if this is a problem in the libvirt-perl wrapper or working as designed and my expectation is simply wrong? Thanks in advance...

-- 
Best regards,
Gerhard Stenzel
Re: [libvirt] [PATCH v2]
On Thu, 2010-04-08 at 14:07 +0100, Daniel P. Berrange wrote: > So I think what we'd want todo is to write a > kickstart file that installs a bare minimum Fedora guest OS, with a > pre-set root password, ssh daemon active & known IP address. Then use > that with Rich Jones' febootstrap script to create the guest image > at runtime. We'd cache the guest image between runs of the TCK, so the > overhead of febootstrap will only be seen the first time. > febootstrap seems like a good way to prepare a guest with the necessary files in it, but I have not found anything in febootstrap about kickstart support or installation in a disk image. Have I overlooked something? So. my understanding of your proposal is: - create a image file with qemu-img - loop back mount that image file - use febootstrap to install a fedora file system into image file I still have some problems setting the root password via febootstrap-run. Message is: passwd: Can not identity you Would the call to febootstrap be part of a libvirt-TCK script? An alternative could be use in the domain xml to pass the kickstart file to the basic Fedora anaconda install kernel+initrd and do the installation from the guest itself. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2]
On Thu, 2010-04-08 at 07:16 -0400, Stefan Berger wrote: > Ok, I'll adapt it for the TCK project. Some time ago, I started with some libvirt-tck scripts - 210-no-mac-spoofing.t - 220-no-ip-spoofing.t - 230-no-mac-broadcast.t - 240-no-arp-spoofing.t which try to perform an action (like mac spoofing etc) and verify that the filter is working. Since the test scripts need to log in to the guest/domain to perform that action, they have certain requirements on the guest/domain like root password, installed utilities etc. Of course, I have a local guest which satisfies those requirements, but what is the best way to solve this in a libvirt-tck way? -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] Patch for Vepa support in brctl
On Wed, 2010-03-31 at 13:18 +0530, Kumar L Srikanth-B22348 wrote: > Hi Daniel, > Can you please provide a valid patch for 'brctl' utility, to support > 'vepa' mode. Maybe you are looking for this ? http://lkml.org/lkml/2009/6/15/417 > > > Regards, > Srikanth. > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH] fix filter referencing element info
This patch changes the original element info for referencing a filter from " to ", as it is currently implemented. Signed-off-by: Gerhard Stenzel Index: libvirt/docs/schemas/domain.rng === --- libvirt.orig/docs/schemas/domain.rng +++ libvirt/docs/schemas/domain.rng @@ -806,8 +806,8 @@ - - + + -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC] events scripts support
On Tue, 2010-03-23 at 12:12 +, Daniel P. Berrange wrote:
> I think it would be useful to have a libvirt-events daemon that listened
> for these async events via our public API & invoked scripts upon certain
> scenarios. This is obviously separate from the synchronous hooks.

FWIW, a few days ago I wrote a small event watcher perl script based on one of the test scripts in libvirt-perl to print out machine start and stop events and the used interface name. The main program looks like this:

##
my $ev = Sys::Virt::Event::Simple->new();
my $conn = Sys::Virt->new(uri => $URI);
my @events;

$conn->domain_event_register(
    sub {
        my $con = shift;
        my $dom = shift;
        my $event = shift;
        my $detail = shift;
        printf("event handler: " . $con->get_uri() . ", " . $dom->get_name() . ", $event, $detail\n");
        push @events, [$con, $dom, $event, $detail];
    });

while (1) {
    my $no_of_ev = int(@events);
    $ev->run_once();
    printf("no of ev : $no_of_ev \n");
    printf("uri : " . $events[$no_of_ev]->[0]->get_uri());
    printf("\n");
    printf("name : " . $events[$no_of_ev]->[1]->get_name());
    printf("\n");
    my $xmldesc = $events[$no_of_ev]->[1]->get_xml_description();
    my $ifname = get_ifname($xmldesc);
    print "ifname = $ifname\n";
    printf("\n");
}

$conn->domain_event_deregister;
$conn = undef;
##

Current output looks like this:

##
event handler: qemu:///system, f12a, 2, 0
no of ev : 0
uri : qemu:///system
name : f12a
ifname = macvtap0

event handler: qemu:///system, f12, 5, 0
no of ev : 1
uri : qemu:///system
name : f12
ifname = macvtap1
##

Having an architected events daemon in libvirt would certainly be a good idea in my opinion.

-- 
Best regards,
Gerhard Stenzel
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
The predefined no-other-l2-traffic filter drops all layer 2 packets which did not match other rules.

Example 1.10. XML definition to drop all other layer 2 traffic.

Example 1.11. XML definition to allow arp traffic.

Example 1.12. XML definition to allow IPv4 traffic.

------------
-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 0/5] macvtap support for Qemu/KVM VMs via libvirt
On Mon, 2010-02-15 at 18:24 +0100, Daniel Veillard wrote:
> On Thu, Feb 11, 2010 at 09:48:07AM -0500, Stefan Berger wrote:
> > Hello!
> >
> > This is a re-post of previously posted patches following Daniel
> > Berrange's request for changes along with other fixes PLUS a rebase
> > to the latest code where the conn parameter is missing along with
> > changes requested by Daniel Veillard.
>
> Okay, I have applied and pushed the 5 patch set, but I had to do a bit
> of surgery. First the detection code in configure was always setting
> WITH_MACVTAP, so of course this didn't compile on my system. I also had
> to reorganize the patch order to have each patch compiling. And I also
> had to fix various things popping up when running "make syntax-check"
> after each patch got applied.
>
> But basically that's in and with the new version of [3/5] !
>
> thanks !
>
> Daniel
>

The attached patch adds a macvtap usage example to the Network Interface chapter of the Libvirt Application Development Guide.

-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294

Index: libvirt-appdev-guide/en-US/Network_Interfaces.xml === --- libvirt-appdev-guide.orig/en-US/Network_Interfaces.xml +++ libvirt-appdev-guide/en-US/Network_Interfaces.xml 
@@ -134,8 +134,25 @@ ]]> + + XML definition of a macvtap interface associated with eth1 + + + + + The above XML indicates that eth1 is the Ethernet interface to link +the macvtap device to and communicate to the network. As a consequence, +libvirt will create an instance of a macvtap device, assign it the same +MAC address as the VM's interface has and open a file descriptor of the +associated character device /dev/tap%d and pass it via command line to +Qemu/kvm. In the above XML the mode can be chosen as 'vepa', 'private' +or 'bridge' and is by default set to 'vepa'(by the driver) if omitted. + - + Retrieving Information About Interfaces -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
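Review bot: the new paragraph names the three modes 'vepa', 'private' and 'bridge' and says 'vepa' is the driver default, but it does not say what the modes do or how they differ, which is what a reader choosing one needs; one sentence per mode would make the example usable. While at it, "assign it the same MAC address as the VM's interface has" reads better as "assign it the same MAC address as the VM's interface", and the example XML itself should be visible in the rendered guide, since the prose refers to "the above XML".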
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
On Mon, 2010-01-25 at 14:59 +, Daniel P. Berrange wrote:
> The sheer size of the ruleset inside the element is
> rather alarming to me. Imagine if you have a guest with more
> than one NIC. I'm inclined to suggest that the
> element in the domain XML description should only have a single
> rule
>
> and if apps wish to construct a filter, from multiple independent
> sub-filters, then that should be done against the filter object's
> config, rather than the domain object's config.

Daniel, we could achieve something similar with the following construct:

http://www.w3.org/2001/XInclude"/>

This would also have the advantage that the filter rules do not clutter up the domain xml, but the migration of the rules might be simpler to implement. What is your thinking about this approach?

-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] Libvirt guide draft published on libvirt.org
On Mon, 2010-01-18 at 20:00 -0500, David Jorm wrote: > I am a tech writer who recently joined the Red Hat team. I have been tasked > with assisting in the improvement of libvirt documentation where possible and > co-ordinating the development of the libvirt Application Development Guide. > The guide was previously in the hands of Dani Coulson, who has since left Red > Hat. She got it to a draft stage with a skeletal structure, but as far as I > can tell nothing ever reached a publishable state. I've picked up where she > left off and re-built the latest guide from the DocBook XML in git. It is now > up at: > > http://libvirt.org/guide/ > > If you look in the guide, you will notice an awful lot of "TBD" stubs. > Contributions to fill these would be greatly appreciated - please email them > to me directly. I will chase up with the people who were originally nominated > as the responsible parties to try and get some content to flesh out the guide. > > I don't have a lot of spare temporal bandwidth at the moment, but if there > are any docs-related BZs or libvirt issues, feel free to push them my way and > i'll do what I can. I think i've made every mistake possible so far in > submitting patches, so I know the process by virtue of what-not-to-do. > > Thanks > David > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list A few minor spelling problems which I noticed: diff --git a/en-US/Network_Interfaces.xml b/en-US/Network_Interfaces.xml index c307dc6..cc45cf0 100644 --- a/en-US/Network_Interfaces.xml +++ b/en-US/Network_Interfaces.xml 
@@ -14,7 +14,7 @@ The configuration of network interfaces on physical hosts can be examined and modified with functions in the virInterface API. This is - useful for setting up the host to share one physical interface bewteen + useful for setting up the host to share one physical interface between multiple guest domains you want connected directly to the network (briefly - enslave a physical interface to the bridge, then create a tap device for each VM you want to share the interface), as well as @@ -332,7 +332,7 @@ free(xml);]]> - Defining an inteface configuration + Defining an interface configuration The virInterfaceDefineXML function is used both for adding new interface configurations and modifying existing configurations. It either adds a new interface @@ -382,7 +382,7 @@ cleanup: - Undefining an inteface configuration + Undefining an interface configuration virInterfaceUndefine completely and permanently removes the configuration for the given interface from tho host's configuration @@ -442,7 +442,7 @@ if (!iface) { virInterfaceDestroy makes the given interface inactive ("down"). On success, it returns 0. If there is any problem making the interface - acrive, -1 is returned. + active, -1 is returned. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
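Review bot: the last hunk (around line 442) fixes the spelling of "acrive" but leaves the sentence contradicting itself: virInterfaceDestroy is described two lines earlier as making the interface inactive ("down"), yet the error case still reads "If there is any problem making the interface active, -1 is returned". Since the line is being touched anyway, make it "making the interface inactive, -1 is returned". The other three hunks (bewteen, inteface twice) are plain spelling fixes and fine as they are.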
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
On Tue, 2010-01-26 at 13:35 +, Daniel P. Berrange wrote: > There's no need for ipaddr there - the XML schema already allows > for a > > > > within the tag here. We already have MAC address as > a separate tag too. We could likely add VLAN in a similar way. agreed. We will start with the implementation and send a patch or rather a series once we have them. Thanks. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
On Mon, 2010-01-25 at 14:59 +, Daniel P. Berrange wrote:
> On Fri, Jan 22, 2010 at 01:29:16PM +0100, Gerhard Stenzel wrote:
> > On Wed, 2010-01-13 at 17:36 +, Daniel P. Berrange wrote:
...
> The sheer size of the ruleset inside the element is
> rather alarming to me. Imagine if you have a guest with more
> than one NIC. I'm inclined to suggest that the
> element in the domain XML description should only have a single
> rule
>
> and if apps wish to construct a filter, from multiple independent
> sub-filters, then that should be done against the filter object's
> config, rather than the domain object's config.
...
> What was the idea with the empty attributes here ? Are those
> implying that the attribute value is to be filled in with the
> value from the domain XML ? If so I'd probably make that more
> explicit using something like $IP and $MAC to represent the
> guest configured IP/MAC
...
> I don't think that '' is the top level object to be managed
> here. I would suggest that '' and '' elements are
> redundant, and that should be for the top level managed objects.
> The libvirt API would allow listing of existing filters, creating / deleting
> filters and updating the config. The element would allow some kind
> of element to allow a complex filter to be built out of multiple
> simpler filters.
>
> Regards,
> Daniel

Daniel, ok, trying to combine your suggestions:

- the guest contains a single filter reference per interface

guest.xml:
-- demo 256000 -

- complex filters include other filters and can contain rules

complex demofilter.xml:
---

- simple filters contain only rules

simple no-arp-spoofing.xml:
---

- $IP, $MAC represent the guest's configured IP and MAC values

If the above seems acceptable for the moment, I would suggest we verify that this is actually implementable or if we missed something.
-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
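The three-level model sketched in the message above (one filter reference per guest interface, complex filters that include other filters and may carry rules, simple filters with rules only, $IP and $MAC standing for the guest's configured values) has two places where an implementation can go wrong quietly: include cycles and references to variables the domain never supplied. The resolver below is an added example for this thread, not libvirt's nwfilter code. The element names <filter>, <filterref> and <rule> and the rule attributes are assumed, since the proposal's own XML did not survive on this page, and the three sample filters are constructed.

```python
"""Resolver for the filter model sketched in this thread: a guest interface
references one filter; a filter may include other filters and carry rules;
$IP and $MAC stand for the guest's configured values.
Added illustration, not libvirt's nwfilter code.  The element names
<filter>, <filterref>, <rule> and the rule attributes are assumed here,
since the proposal's own XML did not survive on this page."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

VAR = re.compile(r"\$([A-Z]+)")

# Constructed sample: one complex filter including two simple ones.
FILTER_XML = {
    "demofilter": """
<filter name='demofilter'>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-own-ip'/>
  <rule action='drop' direction='inout'/>
</filter>""",
    "no-arp-spoofing": """
<filter name='no-arp-spoofing'>
  <rule action='accept' direction='out' protocol='arp' srcmacaddr='$MAC'/>
  <rule action='drop' direction='out' protocol='arp'/>
</filter>""",
    "allow-own-ip": """
<filter name='allow-own-ip'>
  <rule action='accept' direction='out' protocol='ipv4'
        srcipaddr='$IP' srcmacaddr='$MAC'/>
</filter>""",
}


class FilterError(ValueError):
    """Malformed filter, unknown include, include cycle or unset variable."""


def load_filters(xml_by_name: Dict[str, str]) -> Dict[str, ET.Element]:
    filters: Dict[str, ET.Element] = {}
    for text in xml_by_name.values():
        root = ET.fromstring(text)
        if root.tag != "filter" or "name" not in root.attrib:
            raise FilterError("top-level element must be <filter name='...'>")
        filters[root.get("name")] = root
    return filters


def substitute(value: str, variables: Dict[str, str]) -> str:
    """Replace $IP / $MAC style references.  An unset variable is an error,
    not an empty string: an empty match would silently widen the rule."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise FilterError(f"undefined variable ${name}")
        return variables[name]
    return VAR.sub(repl, value)


def expand(name: str, filters: Dict[str, ET.Element], variables: Dict[str, str],
           stack: Tuple[str, ...] = ()) -> List[Dict[str, str]]:
    """Flatten a filter into its rule list, depth first in document order, so
    an included filter's rules land where the reference appeared."""
    if name in stack:
        raise FilterError("include cycle: " + " -> ".join(stack + (name,)))
    if name not in filters:
        raise FilterError(f"unknown filter '{name}'")
    rules: List[Dict[str, str]] = []
    for child in filters[name]:
        if child.tag == "filterref":
            rules.extend(expand(child.get("filter", ""), filters, variables,
                                stack + (name,)))
        elif child.tag == "rule":
            rules.append({k: substitute(v, variables) for k, v in child.attrib.items()})
        else:
            raise FilterError(f"unexpected <{child.tag}> in filter '{name}'")
    return rules


def rules_for_interface(filter_name: str, xml_by_name: Dict[str, str],
                        ip: str, mac: str) -> List[Dict[str, str]]:
    """What the hypervisor driver would compute for one guest NIC."""
    return expand(filter_name, load_filters(xml_by_name), {"IP": ip, "MAC": mac})
```

rules_for_interface() is the step a driver would run when the guest starts; the flattened list is what would then be turned into ebtables or iptables rules, which this example stops short of. Both failure modes raise rather than degrade: a cycle between two complex filters is reported with the include path, and a filter that mentions $IP for a guest whose domain XML carries no IP address is rejected instead of producing a rule that matches every address.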
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
ttp://www.w3.org/2001/XMLSchema-datatypes";> -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] Libvirt guide draft published on libvirt.org
Hi,

I cloned the repository from git://libvirt.org/libvirt-appdev-guide

The file en-US/Book_Info.xml contains 0.7.3, whereas the documents at http://libvirt.org/guide/ show 0.7.5

Have I cloned the wrong repository?

-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] attach_device incompatibility between libvirt and qemu 0.12
Hi,

I have a small libvirt-tck test script, in which I create a domain without a NIC, then use attach_device to add a NIC. And then I do a ping test to the domain. This stopped working after updating to latest fedora and libvirt levels. After some hours, I now discovered that downgrading to qemu 0.11 fixes it. So there seems to be some incompatibility with qemu 0.12 and latest libvirt.

The expected output with qemu-system-x86-0.11.0-12.fc12.x86_64:

/usr/share/libvirt-tck/tests/scripts/network/100-ping-still-working.t ..
1..5
# Trying domain lookup by name
ok 1 - the running domain object
# Attaching the new interface d0:f:d0:f:2:1
ok 2 - interface has been attached
# xml contains mac address element (should be 1)
# 1
ok 3 - running domain has an ID > 0
# waiting for guests to boot
# PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
# 64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=2.17 ms
# 64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.554 ms
# 64 bytes from 192.168.1.101: icmp_seq=3 ttl=64 time=0.510 ms
# 64 bytes from 192.168.1.101: icmp_seq=4 ttl=64 time=0.508 ms
# 64 bytes from 192.168.1.101: icmp_seq=5 ttl=64 time=0.505 ms
# 64 bytes from 192.168.1.101: icmp_seq=6 ttl=64 time=0.673 ms
# 64 bytes from 192.168.1.101: icmp_seq=7 ttl=64 time=0.528 ms
# 64 bytes from 192.168.1.101: icmp_seq=8 ttl=64 time=0.522 ms
# 64 bytes from 192.168.1.101: icmp_seq=9 ttl=64 time=0.506 ms
# 64 bytes from 192.168.1.101: icmp_seq=10 ttl=64 time=0.546 ms
#
# --- 192.168.1.101 ping statistics ---
# 10 packets transmitted, 10 received, 0% packet loss, time 9002ms
# rtt min/avg/max/mdev = 0.505/0.703/2.178/0.493 ms
ok 4 - ping 192.168.1.101 test
# cleaning up
# Detaching the 1st interface d0:f:d0:f:2:1
ok 5 - interface has been detached
ok
All tests successful.
Files=1, Tests=5, 20 wallclock secs ( 0.02 usr 0.01 sys + 0.22 cusr 0.15 csys = 0.40 CPU)
Result: PASS

The failing output with qemu-system-x86-0.11.0-12.fc12.x86_64:

/usr/share/libvirt-tck/tests/scripts/network/100-ping-still-working.t ..
1..5
# Trying domain lookup by name
ok 1 - the running domain object
# Attaching the new interface d0:f:d0:f:2:1
ok 2 - interface has been attached
# xml contains mac address element (should be 1)
# 1
ok 3 - running domain has an ID > 0
# waiting for guests to boot
# PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
# From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=6 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=7 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=8 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=9 Destination Host Unreachable
# From 192.168.1.1 icmp_seq=10 Destination Host Unreachable
#
# --- 192.168.1.101 ping statistics ---
# 10 packets transmitted, 0 received, +8 errors, 100% packet loss, time 19000ms
# pipe 3
not ok 4 - ping 192.168.1.101 test
# Failed test 'ping 192.168.1.101 test'
# at /usr/share/libvirt-tck/tests/scripts/network/100-ping-still-working.t line 82.
# cleaning up
# Detaching the 1st interface d0:f:d0:f:2:1
ok 5 - interface has been detached
# Looks like you failed 1 test of 5.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/5 subtests

Test Summary Report
---
/usr/share/libvirt-tck/tests/scripts/network/100-ping-still-working.t (Wstat: 256 Tests: 5 Failed: 1)
  Failed test: 4
  Non-zero exit status: 1
Files=1, Tests=5, 30 wallclock secs ( 0.02 usr 0.02 sys + 0.24 cusr 0.13 csys = 0.41 CPU)
Result: FAIL

I see the following in the debug log:

...
qemuMonitorCommandWithHandler:216 : Send command 'getfd fd-tap.0' for write with FD 18
...

For the working qemu:

qemuMonitorCommandWithHandler:221 : Receive command reply ret=0 errno=0 0 bytes '(null)'

For the failing qemu:

qemuMonitorCommandWithHandler:221 : Receive command reply ret=0 errno=0 44 bytes 'No file descriptor supplied via SCM_RIGHTS^M '

Any ideas?

-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294

# -*- perl -*-
#
# Copyright (C) 2010 IBM Corp.
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#

=pod

=head1 NAME

domain/100-ping-still-working.t - verify machines can be pinged from
[libvirt] [PATCH] remove ebtables rules at qemud shutdown
This patch removes ebtables rules at qemud shutdown time Signed-off-by: Gerhard Stenzel Index: libvirt/src/qemu/qemu_bridge_filter.c === --- libvirt.orig/src/qemu/qemu_bridge_filter.c +++ libvirt/src/qemu/qemu_bridge_filter.c @@ -48,6 +48,35 @@ networkAddEbtablesRules(struct qemud_dri return 0; } +int +networkRemoveEbtablesRules(struct qemud_driver *driver) { +int err; + +/* Set forward policy to DROP */ +if ((err = ebtablesRemoveForwardPolicyReject(driver->ebtables))) { +virReportSystemError(NULL, err, + _("failed to remove ebtables rule to set default policy to drop on '%s'"), + __FILE__); +return err; +} + +return 0; +} + +int +networkEnableAllFrames(struct qemud_driver *driver) { +int err; + +/* add default rules */ +if ((err = networkRemoveEbtablesRules(driver))) { +virReportSystemError(NULL, err, + _("cannot remove filter on bridge '%s'"), + __FILE__); +return err; +} +return 0; +} + int networkDisableAllFrames(struct qemud_driver *driver) { Index: libvirt/src/util/ebtables.c === --- libvirt.orig/src/util/ebtables.c +++ libvirt/src/util/ebtables.c @@ -60,6 +60,7 @@ enum { ADD = 0, REMOVE, CREATE, +DELETE, POLICY, INSERT }; @@ -336,12 +337,28 @@ ebtablesForwardPolicyReject(ebtablesCont INSERT, "--insert", "FORWARD", "--jump", ctx->forward_filter->chain, NULL); -} - -return ebtablesAddRemoveRule(ctx->forward_filter, +return ebtablesAddRemoveRule(ctx->forward_filter, POLICY, "-P", ctx->forward_filter->chain, "DROP", NULL); +} +if (action == REMOVE) { +ebtablesAddRemoveRule(ctx->forward_filter, + POLICY, + "-P", ctx->forward_filter->chain, "ACCEPT", + NULL); + +ebtablesAddRemoveRule(ctx->forward_filter, + INSERT, + "--delete", "FORWARD", "--jump", + ctx->forward_filter->chain, NULL); + +return ebtablesAddRemoveRule(ctx->forward_filter, + DELETE, + "--delete-chain", ctx->forward_filter->chain, NULL, + NULL); +} + } /* Index: libvirt/src/libvirt_private.syms === --- libvirt.orig/src/libvirt_private.syms +++ libvirt/src/libvirt_private.syms 
@@ -179,6 +179,7 @@ virDomainEventQueueDispatch; # ebtables.h ebtablesAddForwardAllowIn; ebtablesAddForwardPolicyReject; +ebtablesRemoveForwardPolicyReject; ebtablesContextNew; ebtablesRemoveForwardAllowIn; Index: libvirt/src/qemu/qemu_driver.c === --- libvirt.orig/src/qemu/qemu_driver.c +++ libvirt/src/qemu/qemu_driver.c @@ -1081,6 +1081,14 @@ qemudShutdown(void) { virDomainObjListDeinit(&qemu_driver->domains); +if (qemu_driver->macFilter) { +if ((errno = networkEnableAllFrames(qemu_driver))) { +virReportSystemError(NULL, errno, + _("failed to add rule to allow all frames in '%s'"), + __FILE__); +} +} + VIR_FREE(qemu_driver->securityDriverName); VIR_FREE(qemu_driver->logDir); VIR_FREE(qemu_driver->configDir); -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
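Review bot: in the qemu_bridge_filter.c hunk the comments were copied from the add path and now say the opposite of what the code does: networkRemoveEbtablesRules is introduced with "/* Set forward policy to DROP */" and networkEnableAllFrames with "/* add default rules */", while both remove rules. The error strings in both functions also pass __FILE__ as the '%s' argument ("...to set default policy to drop on '%s'", "cannot remove filter on bridge '%s'"), so the message names the source file rather than a bridge or chain; pass the chain name or drop the '%s'.

Review bot: in the ebtables.c REMOVE branch the return values of the first two ebtablesAddRemoveRule calls (setting the chain policy back to ACCEPT, deleting the jump from FORWARD) are discarded, so if the jump cannot be removed the code still goes on to "--delete-chain", which cannot succeed while the chain is referenced, and the caller only learns about the last failure. Check each call and return on the first error. The DELETE enumerator is added, but the hunk does not show ebtablesAddRemoveRule learning about it; confirm it is handled like INSERT, and drop the extra NULL in the "--delete-chain" call, which already terminates the argument list with the NULL before it.

Review bot: libvirt_private.syms exports ebtablesRemoveForwardPolicyReject, but the patch contains no definition of that function in ebtables.c and no prototype in ebtables.h; only the REMOVE branch inside the internal ebtablesForwardPolicyReject is added. Add the public wrapper (mirroring ebtablesAddForwardPolicyReject) and its declaration, otherwise the symbol is listed without a definition.

Review bot: in the qemudShutdown hunk the return value of networkEnableAllFrames is assigned to errno before being handed to virReportSystemError; use a local int, since any library call in between can overwrite errno (the net-detach patch in this thread has the same pattern). The message "failed to add rule to allow all frames in '%s'" again uses __FILE__ as the '%s' argument and describes the operation as adding a rule when the function removes the DROP policy and the chain.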
Re: [libvirt] [PATCH] remove port filter on detachment of a network device
On Tue, 2009-11-10 at 13:28 +0100, Gerhard Stenzel wrote: > This patch removes the port filter if the network device is detached > via virDomainDetachDevice. > > Signed-off-by: Gerhard Stenzel > Index: libvirt/src/qemu/qemu_driver.c > === > --- libvirt.orig/src/qemu/qemu_driver.c > +++ libvirt/src/qemu/qemu_driver.c > @@ -4829,6 +4829,7 @@ qemudDomainDetachNetDevice(virConnectPtr > { > int i, ret = -1; > virDomainNetDefPtr detach = NULL; > +struct qemud_driver *driver = qemu_driver; > > for (i = 0 ; i < vm->def->nnets ; i++) { > virDomainNetDefPtr net = vm->def->nets[i]; > @@ -4863,6 +4864,15 @@ qemudDomainDetachNetDevice(virConnectPtr > if (qemuMonitorRemoveHostNetwork(vm, detach->vlan, > detach->hostnet_name) < 0) > goto cleanup; > > +if ((driver->macFilter) && (detach->ifname != NULL)) { > +if ((errno = networkDisallowMacOnPort(conn, driver, > detach->ifname, > + detach->mac))) { > +virReportSystemError(conn, errno, > + _("failed to remove ebtables rule on '%s'"), > + detach->ifname); > +} > +} > + > if (vm->def->nnets > 1) { > memmove(vm->def->nets + i, > vm->def->nets + i + 1, > This was probably overlooked. Resending for 0.7.5. This patch removes the port filter if the network device is detached via virDomainDetachDevice Signed-off-by: Gerhard Stenzel Index: libvirt/src/qemu/qemu_driver.c === --- libvirt.orig/src/qemu/qemu_driver.c +++ libvirt/src/qemu/qemu_driver.c 
@@ -5284,6 +5284,17 @@ qemudDomainDetachNetDevice(virConnectPtr } qemuDomainObjExitMonitorWithDriver(driver, vm); +if ((driver->macFilter) && (detach->ifname != NULL)) { +if ((errno = networkDisallowMacOnPort(conn, + driver, + detach->ifname, + detach->mac))) { +virReportSystemError(conn, errno, + _("failed to remove ebtables rule on '%s'"), + detach->ifname); +} +} + if (vm->def->nnets > 1) { memmove(vm->def->nets + i, vm->def->nets + i + 1, -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
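Review bot: the hunk assigns the result of networkDisallowMacOnPort to errno and then reports it via virReportSystemError; assigning to errno is fragile because any call between the assignment and the report can overwrite it, so capture the result in a local int. The error is reported but the detach continues, which is reasonable (the guest NIC is gone either way), but a one-line comment saying that a leftover ebtables rule is tolerated here would make that deliberate. Note also that the rule is only removed when detach->ifname is set, so a NIC whose tap name was never recorded keeps its allow rule on the port.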
Re: [libvirt] [PATCH 2/2] add MAC address based port filtering to qemu
On Wed, 2009-11-04 at 12:55 +, Daniel P. Berrange wrote: ... > > Mark pointed out to me offlist, that this filtering is a little too > restrictive because it also blocks multicast + broadcast packets. We > can fix that easily enough with an extra patch though, and a single > catch-all rule for multi/broad-cast packets. > > Daniel Hi, I have revisited this subject and was trying to find a scenario, where multi/broad-cast packets would be affected by this patch and failed so far. Since only the source mac address of a guest is filtered, I don't see how a multicast or broadcast destination mac address could be a problem. What am I missing? -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Prevent initializing ebtables if disabled in qemu.conf
Cole Robinson wrote on 11/11/2009 02:34:17 AM:

> Also, hijacking this patch a bit to point out a few small issues I noticed
> with the ebtables code (cc-ing Gerhard)

Apologies for any inconveniences...

> The mac_filter value in qemu.conf isn't documented and isn't commented out by
> default, unlike the other values in the conf file. I think it would be good to
> match existing convention.

ok. I will fix this with a separate patch.

> Even though we check for the ebtables binary in configure, we don't disable
> the driver if the binary doesn't exist (like it didn't on my rawhide box).
> This causes it to print lots of error messages on libvirtd startup. It would
> be nice to find a way to just VIR_DEBUG that the binary wasn't found and skip
> initializing the driver.

ok. I will look into this.

> Thanks,
> Cole

Best regards, Gerhard Stenzel, Linux on Cell/Hybrid Technologies, LTC --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter | Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen | Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH] disable mac_filter config switch by default
This patch disables the mac_filter config switch by default to match existing convention. Signed-off-by: Gerhard Stenzel Index: libvirt/src/qemu/qemu.conf === --- libvirt.orig/src/qemu/qemu.conf +++ libvirt/src/qemu/qemu.conf @@ -153,4 +153,7 @@ # hugetlbfs_mount = "/dev/hugepages" -mac_filter = 1 +# mac_filter enables MAC addressed based filtering on bridge ports. +# This currently requires ebtables to be installed. +# +# mac_filter = 1 -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
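Review bot: the new comment reads "MAC addressed based filtering"; it should be "MAC address based filtering". It would also help to state the default in the comment, since the commented-out line only shows the value that turns the filter on: say that filtering is off unless mac_filter = 1 is set, which is what the commit message describes.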
[libvirt] [PATCH] remove port filter on detachment of a network device
This patch removes the port filter if the network device is detached via virDomainDetachDevice. Signed-off-by: Gerhard Stenzel Index: libvirt/src/qemu/qemu_driver.c === --- libvirt.orig/src/qemu/qemu_driver.c +++ libvirt/src/qemu/qemu_driver.c @@ -4829,6 +4829,7 @@ qemudDomainDetachNetDevice(virConnectPtr { int i, ret = -1; virDomainNetDefPtr detach = NULL; +struct qemud_driver *driver = qemu_driver; for (i = 0 ; i < vm->def->nnets ; i++) { virDomainNetDefPtr net = vm->def->nets[i]; @@ -4863,6 +4864,15 @@ qemudDomainDetachNetDevice(virConnectPtr if (qemuMonitorRemoveHostNetwork(vm, detach->vlan, detach->hostnet_name) < 0) goto cleanup; +if ((driver->macFilter) && (detach->ifname != NULL)) { +if ((errno = networkDisallowMacOnPort(conn, driver, detach->ifname, + detach->mac))) { +virReportSystemError(conn, errno, + _("failed to remove ebtables rule on '%s'"), + detach->ifname); +} +} + if (vm->def->nnets > 1) { memmove(vm->def->nets + i, vm->def->nets + i + 1, -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
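Review bot: the hunk fetches the driver from the global qemu_driver ("struct qemud_driver *driver = qemu_driver;") although the function is handed a virConnectPtr conn; if the driver is reachable through the connection, as elsewhere in this file, use that rather than the global so the function has no hidden dependency. The result of networkDisallowMacOnPort is assigned to errno before virReportSystemError reads it back; store it in a local int instead. The failure does not abort the detach, which is acceptable, but say so in a comment.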
Re: [libvirt] [PATCH 1/2] add ebtables wrapper
On Tue, 2009-11-03 at 23:17 +0100, Daniel Veillard wrote: > On Tue, Oct 27, 2009 at 12:36:09PM +0100, Gerhard Stenzel wrote: > > This patch adds the files which implement the ebtables wrapper. > > > > Signed-off-by: Gerhard Stenzel ... > > +/** > > + * ebtablesSaveRules: > > + * @ctx: pointer to the EB table context > > + * > > + * Saves all the EB table rules associated with a context > > + * to disk so that if ebtables is restarted, the rules > > + * will automatically be reload. > > + */ > > +void > > +ebtablesSaveRules(ebtablesContext *ctx) > > +{ > > +ebtRulesSave(ctx->input_filter); > > +ebtRulesSave(ctx->forward_filter); > > +ebtRulesSave(ctx->nat_postrouting); > > +} > > Hum, and where ? Under /etc/libvirt/ebtables/ ? > > Are the table and chain names provided in ebtRulesNew() sufficient > to uniquely name the set ? I hope so otherwise we're gonna have trouble > with persistance. It would be good to have ebtRulesSave() documented if > not fully finished before next release. > > I'm gonna commit this, but I think we need to double-check that the > current APIs won't be a problem when we want to implement saving (didn't > checked the second patch yet). > > I also think the spec file should add a Requires to ebtables as this > is not installed systematically (it wasn't present on my workstation > by default). > > I will push this tonight, > > thanks ! > > Daniel > This patch removes the ebtablesSaveRules() function as it more confusing than useful at the moment. Signed-off-by: Gerhard Stenzel Index: libvirt/src/libvirt_private.syms === --- libvirt.orig/src/libvirt_private.syms +++ libvirt/src/libvirt_private.syms @@ -179,7 +179,6 @@ ebtablesAddForwardAllowIn; ebtablesAddForwardPolicyReject; ebtablesContextNew; ebtablesRemoveForwardAllowIn; -ebtablesSaveRules; # event.h Index: libvirt/src/qemu/qemu_bridge_filter.c === --- libvirt.orig/src/qemu/qemu_bridge_filter.c +++ libvirt/src/qemu/qemu_bridge_filter.c 
@@ -44,7 +44,6 @@ networkAddEbtablesRules(struct qemud_dri __FILE__); return err; } -ebtablesSaveRules(driver->ebtables); return 0; } Index: libvirt/src/util/ebtables.c === --- libvirt.orig/src/util/ebtables.c +++ libvirt/src/util/ebtables.c @@ -65,12 +65,6 @@ enum { }; static void -ebtRulesSave(ebtRules *rules) -{ -(void) rules; -} - -static void ebtRuleFree(ebtRule *rule) { VIR_FREE(rule->rule); @@ -315,22 +309,6 @@ ebtablesContextFree(ebtablesContext *ctx VIR_FREE(ctx); } -/** - * ebtablesSaveRules: - * @ctx: pointer to the EB table context - * - * Saves all the EB table rules associated with a context - * to disk so that if ebtables is restarted, the rules - * will automatically be reload. - */ -void -ebtablesSaveRules(ebtablesContext *ctx) -{ -ebtRulesSave(ctx->input_filter); -ebtRulesSave(ctx->forward_filter); -ebtRulesSave(ctx->nat_postrouting); -} - int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
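Review bot: the patch removes ebtablesSaveRules from libvirt_private.syms, its only caller in qemu_bridge_filter.c and its body in ebtables.c, but no hunk touches ebtables.h, where the function was declared when the wrapper was added (the series' diffstat lists src/util/ebtables.h); drop the prototype there too, otherwise a declaration without a definition survives. Removing the stub outright rather than keeping the empty ebtRulesSave is the right call, given that it saved nothing, as the review pointed out.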
Re: [libvirt] [PATCH 2/2] add MAC address based port filtering to qemu
On Wed, 2009-11-04 at 12:55 +, Daniel P. Berrange wrote: > On Tue, Nov 03, 2009 at 11:50:52PM +0100, Daniel Veillard wrote: ... > Mark pointed out to me offlist, that this filtering is a little too > restrictive because it also blocks multicast + broadcast packets. We > can fix that easily enough with an extra patch though, and a single > catch-all rule for multi/broad-cast packets. > > Daniel something like the following? ebtables -A libvirt_qemu_FORWARD -p ARP -j ACCEPT any other multi/broad-cast packets you/Mark had in mind? -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
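The exchange about multicast and broadcast above, and the "-p ARP -j ACCEPT" rule suggested here, turn on what the per-port source-MAC ruleset from this series actually does to a frame. The Python model below is an added example for this thread, not libvirt code: it reproduces ebtables chain semantics for the rules the posted wrapper issues (a libvirt_qemu_FORWARD chain with DROP policy hooked into FORWARD, one "-i tapN -s MAC -j ACCEPT" rule per guest NIC) and evaluates a few frames before and after the unconditional ARP rule. The chain name is the one in the patches; port names vnet0/vnet1, eth0 and all MAC addresses are constructed. The assumption that a chain created with ebtables -N starts with policy ACCEPT is stated in the docstring.

```python
"""Model of the ebtables per-port source-MAC filter used by this series.
Added illustration, not libvirt code.  Semantics follow ebtables: rules are
tried in order and the first match decides; a jump into a user chain comes
back only if that chain yields RETURN; an exhausted chain applies its policy.
A new chain is assumed to start with policy ACCEPT (what `ebtables -N` does),
which is why the wrapper sets DROP on the libvirt chain explicitly.
A rule whose target is itself RETURN is not modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    in_if: str            # bridge port the frame arrived on
    src: str              # source MAC
    dst: str              # destination MAC; no rule below looks at it
    proto: str = "IPv4"   # ethertype name as ebtables -p spells it

@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROP or a user chain name
    in_if: Optional[str] = None   # --in-interface
    src: Optional[str] = None     # --source
    proto: Optional[str] = None   # --protocol

    def matches(self, f: Frame) -> bool:
        checks = ((self.in_if, f.in_if), (self.src, f.src), (self.proto, f.proto))
        return all(want is None or want.lower() == got.lower() for want, got in checks)

    def command(self, chain: str, flag: str) -> str:
        """Equivalent ebtables invocation; flag is -A (append) or -I (insert)."""
        parts = ["ebtables", flag, chain]
        for opt, val in (("-i", self.in_if), ("-s", self.src), ("-p", self.proto)):
            if val:
                parts += [opt, val]
        return " ".join(parts + ["-j", self.target])

class Ebtables:
    """The filter table: built-in FORWARD chain plus user-defined chains."""
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"FORWARD": []}
        self.policy: Dict[str, str] = {"FORWARD": ACCEPT}
        self.log: List[str] = []   # the commands that would build this state

    def new_chain(self, name: str) -> None:
        self.chains[name], self.policy[name] = [], ACCEPT
        self.log.append(f"ebtables -N {name}")

    def set_policy(self, chain: str, policy: str) -> None:
        self.policy[chain] = policy
        self.log.append(f"ebtables -P {chain} {policy}")

    def insert(self, chain: str, rule: Rule) -> None:   # -I: head of the chain
        self.chains[chain].insert(0, rule)
        self.log.append(rule.command(chain, "-I"))

    def append(self, chain: str, rule: Rule) -> None:   # -A: tail of the chain
        self.chains[chain].append(rule)
        self.log.append(rule.command(chain, "-A"))

    def verdict(self, frame: Frame, chain: str = "FORWARD") -> str:
        for rule in self.chains[chain]:
            if not rule.matches(frame):
                continue
            if rule.target in self.chains:              # jump to a user chain
                v = self.verdict(frame, rule.target)
                if v != RETURN:
                    return v
            else:
                return rule.target
        return self.policy[chain]                        # rules exhausted

def libvirt_style_filter(ports: Dict[str, str]) -> Ebtables:
    """What the posted wrapper does: a chain with DROP policy hooked into
    FORWARD, then one allow rule per (tap interface, guest MAC); only the
    ingress port and the source MAC are checked."""
    eb = Ebtables()
    eb.new_chain("libvirt_qemu_FORWARD")
    eb.insert("FORWARD", Rule(target="libvirt_qemu_FORWARD"))
    eb.set_policy("libvirt_qemu_FORWARD", DROP)
    for ifname, mac in ports.items():
        eb.insert("libvirt_qemu_FORWARD", Rule(target=ACCEPT, in_if=ifname, src=mac))
    return eb

def demo() -> Dict[str, Tuple[str, str]]:
    """Verdicts before and after the unconditional ARP rule from the reply.
    Port names and MAC addresses are constructed for the example."""
    eb = libvirt_style_filter({"vnet0": "52:54:00:12:34:56",
                               "vnet1": "52:54:00:ab:cd:ef"})
    frames = {
        "legit unicast":   Frame("vnet0", "52:54:00:12:34:56", "52:54:00:ab:cd:ef"),
        "spoofed source":  Frame("vnet0", "52:54:00:ab:cd:ef", "52:54:00:12:34:56"),
        "guest broadcast": Frame("vnet0", "52:54:00:12:34:56", BROADCAST, "ARP"),
        "spoofed ARP":     Frame("vnet0", "52:54:00:ab:cd:ef", BROADCAST, "ARP"),
        "uplink ARP":      Frame("eth0", "00:1b:21:00:00:01", BROADCAST, "ARP"),
    }
    before = {name: eb.verdict(f) for name, f in frames.items()}
    # ebtables -A libvirt_qemu_FORWARD -p ARP -j ACCEPT, as proposed above
    eb.append("libvirt_qemu_FORWARD", Rule(target=ACCEPT, proto="ARP"))
    after = {name: eb.verdict(f) for name, f in frames.items()}
    return {name: (before[name], after[name]) for name in frames}
```

Two things the model makes visible. A broadcast sent by the guest with its own MAC passes the per-port rule like any other frame, since only the source is matched; what the DROP policy catches is every frame entering on a port without an allow rule, such as the ARP arriving on eth0. The unconditional "-p ARP -j ACCEPT" fixes that case, but it also admits ARP from vnet0 with a forged source MAC, which is exactly the spoofing the filter exists to stop; if an ARP exception is wanted, restricting it to the uplink port ("-i eth0") or keeping the "-s MAC" match on it would preserve the property. Ebtables.log holds the command lines the simulated state corresponds to, which is handy for comparing against what the wrapper runs.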
[libvirt] [PATCH 0/2] Add MAC filtering to qemu
The following series of patches is a prototype implementation of an ebtables based MAC address filter. I hope to have addressed all the previous comments. At the moment, some defaults are set when libvirtd starts and when a domain is started or destroyed. The plan is to extend this filter capability to the API level and virsh command level. The plan is also to add more filtering features like VLAN filtering and QoS filtering.

Thanks,
Gerhard

---

Gerhard Stenzel (2):
  add MAC address based port filtering to qemu
  add ebtables wrapper

 configure.in                  |    3
 po/POTFILES.in                |    1
 src/Makefile.am               |    5
 src/libvirt_private.syms      |    7 +
 src/qemu/qemu.conf            |    2
 src/qemu/qemu_bridge_filter.c |  108 ++
 src/qemu/qemu_bridge_filter.h |   39
 src/qemu/qemu_conf.c          |   25 ++
 src/qemu/qemu_conf.h          |    4
 src/qemu/qemu_driver.c        |   16 +
 src/util/ebtables.c           |  441 +
 src/util/ebtables.h           |   65 ++
 12 files changed, 715 insertions(+), 1 deletions(-)
 create mode 100644 src/qemu/qemu_bridge_filter.c
 create mode 100644 src/qemu/qemu_bridge_filter.h
 create mode 100644 src/util/ebtables.c
 create mode 100644 src/util/ebtables.h

-- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH 2/2] add MAC address based port filtering to qemu
This patch adds MAC address based port filtering to the qemu driver. Signed-off-by: Gerhard Stenzel --- po/POTFILES.in|1 src/Makefile.am |4 +- src/qemu/qemu.conf|2 + src/qemu/qemu_bridge_filter.c | 108 + src/qemu/qemu_bridge_filter.h | 39 +++ src/qemu/qemu_conf.c | 25 + src/qemu/qemu_conf.h |4 ++ src/qemu/qemu_driver.c| 16 ++ 8 files changed, 198 insertions(+), 1 deletions(-) create mode 100644 src/qemu/qemu_bridge_filter.c create mode 100644 src/qemu/qemu_bridge_filter.h diff --git a/po/POTFILES.in b/po/POTFILES.in index 1a12a39..e090f58 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -24,6 +24,7 @@ src/opennebula/one_driver.c src/openvz/openvz_conf.c src/openvz/openvz_driver.c src/phyp/phyp_driver.c +src/qemu/qemu_bridge_filter.c src/qemu/qemu_conf.c src/qemu/qemu_driver.c src/qemu/qemu_monitor_text.c diff --git a/src/Makefile.am b/src/Makefile.am index 055573a..8b02828 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -184,7 +184,9 @@ QEMU_DRIVER_SOURCES = \ qemu/qemu_conf.c qemu/qemu_conf.h \ qemu/qemu_monitor_text.c\ qemu/qemu_monitor_text.h\ - qemu/qemu_driver.c qemu/qemu_driver.h + qemu/qemu_driver.c qemu/qemu_driver.h \ + qemu/qemu_bridge_filter.c \ + qemu/qemu_bridge_filter.h UML_DRIVER_SOURCES = \ uml/uml_conf.c uml/uml_conf.h \ diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 6d6b86a..2af8ffe 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -152,3 +152,5 @@ # in a location of $MOUNTPOINT/libvirt/qemu # hugetlbfs_mount = "/dev/hugepages" + +mac_filter = 1 diff --git a/src/qemu/qemu_bridge_filter.c b/src/qemu/qemu_bridge_filter.c new file mode 100644 index 000..36dd01c --- /dev/null +++ b/src/qemu/qemu_bridge_filter.c 
@@ -0,0 +1,108 @@ +/* + * Copyright (C) 2009 IBM Corp. + * Copyright (C) 2007-2009 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Gerhard Stenzel + */ + +#include + +#include "ebtables.h" +#include "qemu_conf.h" +#include "qemu_driver.h" +#include "util.h" +#include "virterror_internal.h" +#include "logging.h" + +#include "qemu_bridge_filter.h" + +#define VIR_FROM_THIS VIR_FROM_QEMU + +int +networkAddEbtablesRules(struct qemud_driver *driver) { +int err; + +/* Set forward policy to DROP */ +if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) { +virReportSystemError(NULL, err, + _("failed to add ebtables rule to set default policy to drop on '%s'"), + __FILE__); +return err; +} +ebtablesSaveRules(driver->ebtables); + +return 0; +} + + +int +networkDisableAllFrames(struct qemud_driver *driver) { +int err; + +/* add default rules */ +if ((err = networkAddEbtablesRules(driver))) { +virReportSystemError(NULL, err, + _("cannot filter mac addresses on bridge '%s'"), + __FILE__); +return err; +} +return 0; +} + +int +networkAllowMacOnPort(virConnectPtr conn, + struct qemud_driver *driver, + const char * ifname, + const unsigned char * mac) { + +int err; + +/* allow this combination of macaddr and ifname */ +ebtablesContext * 
ebtablescontext = driver->ebtables; +if ((err = ebtablesAddForwardAllowIn(ebtablescontext, + ifname, + mac))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to allow routing to '%s'"), + ifname); +} + +return 0;
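Review bot: in the qemu.conf hunk, `mac_filter = 1` is appended as a live setting, while every other option in that file (see the `# hugetlbfs_mount = "/dev/hugepages"` context line) ships commented out, so installing this sample config switches the ebtables filter on for every existing deployment. Ship it as `# mac_filter = 1` with a short comment saying what the option does and what the default is, and have the code default to off when the key is absent.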
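Review bot: networkAllowMacOnPort() in the qemu_bridge_filter.c hunk reports a failure from ebtablesAddForwardAllowIn() and then returns 0 unconditionally, so a caller checking its result believes the MAC was allow-listed when no rule was added; return err (or -1) after virReportSystemError(). Two smaller points in the same hunk: the '%s' placeholders in networkAddEbtablesRules() ("... default policy to drop on '%s'") and networkDisableAllFrames() ("... on bridge '%s'") are worded as a bridge name but are filled with __FILE__, and networkDisableAllFrames() reports a second error for a failure networkAddEbtablesRules() has already reported, so one fault produces two log messages.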
[libvirt] [PATCH 1/2] add ebtables wrapper
This patch adds the files which implement the ebtables wrapper. Signed-off-by: Gerhard Stenzel --- configure.in |3 src/Makefile.am |1 src/libvirt_private.syms |7 + src/util/ebtables.c | 441 ++ src/util/ebtables.h | 65 +++ 5 files changed, 517 insertions(+), 0 deletions(-) create mode 100644 src/util/ebtables.c create mode 100644 src/util/ebtables.h diff --git a/configure.in b/configure.in index 2f9db72..d8abf9f 100644 --- a/configure.in +++ b/configure.in @@ -287,6 +287,9 @@ fi AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH]) AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary]) +AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/sbin:$PATH]) +AC_DEFINE_UNQUOTED([EBTABLES_PATH], "$EBTABLES_PATH", [path to ebtables binary]) + if test "$with_openvz" = "yes"; then AC_DEFINE_UNQUOTED([WITH_OPENVZ], 1, [whether OpenVZ driver is enabled]) fi diff --git a/src/Makefile.am b/src/Makefile.am index 8e27ea7..055573a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -51,6 +51,7 @@ UTIL_SOURCES = \ util/event.c util/event.h \ util/hash.c util/hash.h \ util/iptables.c util/iptables.h \ + util/ebtables.c util/ebtables.h \ util/logging.c util/logging.h \ util/memory.c util/memory.h \ util/pci.c util/pci.h \ diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 98ea7f8..42fb654 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -234,6 +234,13 @@ iptablesRemoveUdpInput; iptablesSaveRules; +# ebtables.h +ebtablesRemoveForwardAllowIn; +ebtablesAddForwardAllowIn; +ebtablesAddForwardPolicyReject; +ebtablesContextNew; +ebtablesSaveRules; + # libvirt_internal.h virStateInitialize; virStateCleanup; diff --git a/src/util/ebtables.c b/src/util/ebtables.c new file mode 100644 index 000..78f273a --- /dev/null +++ b/src/util/ebtables.c 
@@ -0,0 +1,441 @@ +/* + * Copyright (C) 2009 IBM Corp. + * Copyright (C) 2007-2009 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * based on iptables.c + * Authors: + * Gerhard Stenzel + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_SYS_WAIT_H +#include +#endif + +#ifdef HAVE_PATHS_H +#include +#endif + +#include "internal.h" +#include "ebtables.h" +#include "util.h" +#include "memory.h" +#include "virterror_internal.h" +#include "logging.h" + +struct _ebtablesContext +{ +ebtRules *input_filter; +ebtRules *forward_filter; +ebtRules *nat_postrouting; +}; + +enum { +ADD = 0, +REMOVE, +CREATE, +POLICY, +INSERT +}; + +static void +ebtRulesSave(ebtRules *rules) +{ +(void) rules; +} + +static void +ebtRuleFree(ebtRule *rule) +{ +VIR_FREE(rule->rule); + +if (rule->argv) { +int i = 0; +while (rule->argv[i]) +VIR_FREE(rule->argv[i++]); +VIR_FREE(rule->argv); +} +} + +static int +ebtRulesAppend(ebtRules *rules, + char *rule, + const char **argv, + int command_idx) +{ +if (VIR_REALLOC_N(rules->rules, rules->nrules+1) < 0) { +int i = 0; +while (argv[i]) +VIR_FREE(argv[i++]); +VIR_FREE(argv); +return ENOMEM; +} + +rules->rules[rules->nrules].rule= rule; 
+rules->rules[rules->nrules].argv= argv; +rules->rules[rules->nrules].command_idx = command_idx; + +rules->nrules++; + +return 0; +} + +static int +ebtRulesRemove(ebtRules *rules, + char *rule) +{ +int i; + +for (i = 0; i < rules->nrules; i++) +if (STREQ(rules->rules[i].rule, rule)) +break; +
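Review bot: ebtRulesSave() in the ebtables.c hunk is a no-op (`(void) rules;`), so unless ebtablesSaveRules(), exported in the libvirt_private.syms hunk and called right after the DROP policy is set in patch 2/2, persists rules some other way, the filter is lost on the next libvirtd restart or ebtables flush; either implement it like the iptables counterpart or leave ebtablesSaveRules() out until it does something. In the same hunk, the ENOMEM path of ebtRulesAppend() frees argv but not the `rule` string it was handed, which leaks on every failed append.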
[libvirt] [RFC PATCH 3/3] add MAC address based port filtering to qemu
This patch adds MAC address based port filtering to the qemu driver. Signed-off-by: Gerhard Stenzel --- src/qemu/qemu.conf |3 ++ src/qemu/qemu_conf.c | 85 src/qemu/qemu_conf.h |8 + src/qemu/qemu_driver.c | 44 + 4 files changed, 140 insertions(+), 0 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 6d6b86a..53c4522 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -152,3 +152,6 @@ # in a location of $MOUNTPOINT/libvirt/qemu # hugetlbfs_mount = "/dev/hugepages" + +mac_filter = 1 + diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index ac63570..606152c 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -318,6 +318,20 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, } } +p = virConfGetValue (conf, "mac_filter"); +CHECK_TYPE ("mac_filter", VIR_CONF_LONG); +if (p) { +driver->macFilter = p->l; +if (!(driver->ebtables = ebtablesContextNew("qemu"))) { + driver->macFilter = 0; // TODO: we need to report an error here +} + +if ((errno = networkDisableAllFrames(driver))) { +virReportSystemError(NULL, errno, + _("failed to add rule to drop all frames in '%s'"), __FILE__); +} +} + virConfFree (conf); return 0; } 
@@ -1119,6 +1133,69 @@ int qemudExtractVersion(virConnectPtr conn, int +networkAddEbtablesRules(struct qemud_driver *driver) { +int err; + +/* Set forward policy to DROP */ +if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) { +virReportSystemError(NULL, err, + _("failed to add ebtables rule to set default policy to drop on '%s'"), + __FILE__); +return err; +} +ebtablesSaveRules(driver->ebtables); + +return 0; +} + + +int +networkDisableAllFrames(struct qemud_driver *driver) { +int err; + +/* add default rules */ +if ((err = networkAddEbtablesRules(driver))) { +virReportSystemError(NULL, err, + _("cannot filter mac addresses on bridge '%s'"), + __FILE__); +return err; +} +return 0; +} + +static int +networkAllowMacOnPort(virConnectPtr conn, + struct qemud_driver *driver, + char * ifname, + unsigned char * mac) { + +int err; +char *macaddr; + +if (virAsprintf(&macaddr, +"%02x:%02x:%02x:%02x:%02x:%02x", +mac[0], mac[1], +mac[2], mac[3], +mac[4], mac[5]) < 0) { + virReportOOMError(conn); + return -1; +} +/* allow this combination of macaddr and ifname */ + +ebtablesContext * ebtablescontext = driver->ebtables; +if ((err = ebtablesAddForwardAllowIn(ebtablescontext, + ifname, + macaddr))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to allow routing to '%s'"), + ifname); +} + +return 0; +} + + +int qemudNetworkIfaceConnect(virConnectPtr conn, struct qemud_driver *driver, virDomainNetDefPtr net, @@ -1193,6 +1270,14 @@ qemudNetworkIfaceConnect(virConnectPtr conn, tapfd = -1; } +if (driver->macFilter) { +if ((err = networkAllowMacOnPort(conn, driver, net->ifname, net->mac))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to allow MAC address on '%s'"), + net->ifname); +} +} + cleanup: VIR_FREE(brname); diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index f9a970f..3074ad1 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h 
@@ -26,6 +26,7 @@ #include +#include "ebtables.h" #include "internal.h" #include "bridge.h" #include "capabilities.h" @@ -112,6 +113,9 @@ struct qemud_driver { char *hugetlbfs_mount; char *hugepage_path; +unsigned int macFilter : 1; +ebtablesContext *ebtables; + virCapsPtr caps; /* An array of callbacks */ @@ -205,4 +209,8 @@ virDomainDefPtr qemuParseCommandLineString(virConnectPtr conn, virCapsPtr caps, const char *args); + +int networkDisableAllFrames(struct qemud_driver *driver); +int networkAddEbtablesRules(struct qemud_driver *driver); + #endif /* __QEMUD_CONF_H */ diff --gi
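Review bot: in the qemudLoadDriverConfig() hunk, when ebtablesContextNew("qemu") fails the code clears driver->macFilter but falls through and still calls networkDisableAllFrames(driver), which hands the NULL driver->ebtables to ebtablesAddForwardPolicyReject(); the drop-all policy is also installed whenever the key is present, even for `mac_filter = 0`. Guard both with `if (driver->macFilter)`, report the allocation failure instead of leaving the `// TODO` (libvirt's syntax-check also rejects C++ comments), and keep the result in a local int rather than assigning to errno.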
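Review bot: networkAllowMacOnPort() in the second qemu_conf.c hunk never frees the macaddr string allocated by virAsprintf(), so every interface start leaks a small buffer, and it returns 0 after reporting an ebtables failure, which is why the `if ((err = networkAllowMacOnPort(conn, driver, net->ifname, net->mac)))` check in qemudNetworkIfaceConnect() can never fire. Add VIR_FREE(macaddr) on both paths and propagate err; the ifname and mac parameters can also be const, since nothing writes to them.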
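Review bot: the qemu_conf.h hunk declares networkDisableAllFrames() and networkAddEbtablesRules() with a network* prefix although they live in the QEMU driver and take a struct qemud_driver; a qemud*/qemu* prefix keeps them distinguishable from the bridge driver's network* functions in src/network/bridge_driver.c.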
[libvirt] [RFC PATCH 2/3] add build support for ebtables wrapper
This patch adds build support for the ebtables wrapper. Signed-off-by: Gerhard Stenzel --- configure.in |3 +++ src/Makefile.am |1 + src/libvirt_private.syms | 27 +++ 3 files changed, 31 insertions(+), 0 deletions(-) diff --git a/configure.in b/configure.in index 518859d..90c42cc 100644 --- a/configure.in +++ b/configure.in @@ -287,6 +287,9 @@ fi AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH]) AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary]) +AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/sbin:$PATH]) +AC_DEFINE_UNQUOTED([EBTABLES_PATH], "$EBTABLES_PATH", [path to ebtables binary]) + if test "$with_openvz" = "yes"; then AC_DEFINE_UNQUOTED([WITH_OPENVZ], 1, [whether OpenVZ driver is enabled]) fi diff --git a/src/Makefile.am b/src/Makefile.am index d0ef7d1..d9ed610 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -51,6 +51,7 @@ UTIL_SOURCES = \ util/event.c util/event.h \ util/hash.c util/hash.h \ util/iptables.c util/iptables.h \ + util/ebtables.c util/ebtables.h \ util/logging.c util/logging.h \ util/memory.c util/memory.h \ util/pci.c util/pci.h \ diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 37395ab..6db2a57 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms 
@@ -230,6 +230,33 @@ iptablesRemoveUdpInput; iptablesSaveRules; +# ebtables.h +ebtablesAddForwardAllowCross; +ebtablesAddForwardAllowIn; +ebtablesAddForwardAllowOut; +ebtablesAddForwardAllowRelatedIn; +ebtablesAddForwardMasquerade; +ebtablesAddForwardRejectIn; +ebtablesAddForwardRejectOut; +ebtablesAddTcpInput; +ebtablesAddUdpInput; +ebtablesContextFree; +ebtablesContextNew; +ebtablesReloadRules; +ebtablesRemoveForwardAllowCross; +ebtablesRemoveForwardAllowIn; +ebtablesRemoveForwardAllowOut; +ebtablesRemoveForwardAllowRelatedIn; +ebtablesRemoveForwardMasquerade; +ebtablesRemoveForwardRejectIn; +ebtablesRemoveForwardRejectOut; +ebtablesRemoveTcpInput; +ebtablesRemoveUdpInput; +ebtablesSaveRules; +ebtablesAddForwardPolicyReject; +ebtablesRemoveForwardPolicyReject; +ebtablesForwardPolicyReject; + # libvirt_internal.h virStateInitialize; virStateCleanup; -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
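Review bot: the libvirt_private.syms hunk exports a set of names mirrored from iptables.h (ebtablesAddTcpInput, ebtablesAddUdpInput, ebtablesAddForwardAllowRelatedIn, ebtablesAddForwardMasquerade and their Remove counterparts) that have no layer-2 meaning and that nothing in the qemu driver calls; export only what ebtables.c implements and is used, and keep the list sorted (the three ebtables*PolicyReject entries are appended after ebtablesSaveRules).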
[libvirt] [RFC PATCH 1/3] add ebtables wrapper
This patch adds the files which implement the ebtables wrapper. Signed-off-by: Gerhard Stenzel --- src/util/ebtables.c | 982 +++ src/util/ebtables.h | 134 +++ 2 files changed, 1116 insertions(+), 0 deletions(-) create mode 100644 src/util/ebtables.c create mode 100644 src/util/ebtables.h diff --git a/src/util/ebtables.c b/src/util/ebtables.c new file mode 100644 index 000..493b094 --- /dev/null +++ b/src/util/ebtables.c 
@@ -0,0 +1,982 @@ +/* + * Copyright (C) 2009 IBM Corp. + * Copyright (C) 2007-2009 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * based on iptables.c + * Authors: + * Gerhard Stenzel + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_SYS_WAIT_H +#include +#endif + +#ifdef HAVE_PATHS_H +#include +#endif + +#include "internal.h" +#include "ebtables.h" +#include "util.h" +#include "memory.h" +#include "virterror_internal.h" +#include "logging.h" + +enum { +ADD = 0, +REMOVE, +CREATE, +POLICY, +INSERT +}; + + +#ifdef ENABLE_EBTABLES_LOKKIT +static void +notifyRulesUpdated(const char *table, + const char *path) +{ +char arg[PATH_MAX]; +const char *argv[4]; + +snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path); + +argv[0] = (char *) LOKKIT_PATH; +argv[1] = (char *) "--nostart"; +argv[2] = arg; +argv[3] = NULL; + +char ebuf[1024]; +if (virRun(NULL, argv, NULL) < 0) +VIR_WARN(_("Failed to run '%s %s': %s"), + LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf)); +} + +static int +stripLine(char *str, int len, const char *line) +{ +char *s, *p; +int changed; + +changed = 0; +s = str; + +while ((p = strchr(s, '\n'))) { +if (p == s || STRNEQLEN(s, line, p - s)) { 
+s = ++p; +continue; +} + +++p; +memmove(s, p, len - (p - str) + 1); +len -= p - s; +changed = 1; +} + +if (STREQ(s, line)) { +*s = '\0'; +changed = 1; +} + +return changed; +} + +static void +notifyRulesRemoved(const char *table, + const char *path) +{ +/* 10 MB limit on config file size as a sanity check */ +#define MAX_FILE_LEN (1024*1024*10) + +char arg[PATH_MAX]; +char *content; +int len; +FILE *f = NULL; + +len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall", + MAX_FILE_LEN, &content); +if (len < 0) { +VIR_WARN("%s", _("Failed to read " SYSCONF_DIR + "/sysconfig/system-config-firewall")); +return; +} + +snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path); + +if (!stripLine(content, len, arg)) { +VIR_FREE(content); +return; +} + +if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w"))) +goto write_error; + +if (fputs(content, f) == EOF) +goto write_error; + +if (fclose(f) == EOF) { +f = NULL; +goto write_error; +} + +VIR_FREE(content); + +return; + + write_error:; +char ebuf[1024]; +VIR_WARN(_("Failed to write to " SYSCONF_DIR + "/sysconfig/system-config-firewall : %s"), + virStrerror(errno, ebuf, sizeof ebuf)); +if (f) +fclose(f); +VIR_FREE(content); + +#undef MAX_FILE_LEN +} + +static int +writeRules(const char *path, + const ebtRule *rules, + int nrules) +{ +char tmp[PATH_MAX]; +FILE *f; +int istmp; +int i; + +if (nrules == 0 && unlink(path) == 0) +return 0; + +if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX) +return EINVAL; + +istmp = 1; + +if (!(f = fopen(tmp, "w"))) { +istmp = 0; +if (!(f = fopen(path, "w"))) +return errno; +} + +for (i = 0; i < nrules; i++)
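Review bot: the `#ifdef ENABLE_EBTABLES_LOKKIT` block in the ebtables.c hunk is never compiled, because the configure.in hunk in patch 2/3 defines only EBTABLES_PATH and nothing defines ENABLE_EBTABLES_LOKKIT; and if it were enabled, notifyRulesUpdated() and notifyRulesRemoved() hand lokkit `--custom-rules=ipv4:...`, a rule type carried over from iptables.c that declares the file to be IPv4 iptables rules. Either add a configure option together with an ebtables-appropriate lokkit invocation, or drop the lokkit code from the ebtables wrapper.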
[libvirt] [RFC PATCH 0/3] Add MAC filtering to qemu
The following series of patches is a prototype implementation of an ebtables based MAC address filter.
I hope to have addressed all the previous comments and I am still interested to get more feedback/comments.

At the moment, some defaults are set when libvirtd starts and when a domain is started or destroyed.
The plan is to extend this filter capability to the API level and virsh command level.
The plan is also to add more filtering features like VLAN filtering and QoS filtering.

Thanks, Gerhard

---

Gerhard Stenzel (3):
      add MAC address based port filtering to qemu
      add build support for ebtables wrapper
      add ebtables wrapper

 configure.in             |    3 
 src/Makefile.am          |    1 
 src/libvirt_private.syms |   27 +
 src/qemu/qemu.conf       |    3 
 src/qemu/qemu_conf.c     |   85 
 src/qemu/qemu_conf.h     |    8 
 src/qemu/qemu_driver.c   |   44 ++
 src/util/ebtables.c      |  982 ++
 src/util/ebtables.h      |  134 ++
 9 files changed, 1287 insertions(+), 0 deletions(-)
 create mode 100644 src/util/ebtables.c
 create mode 100644 src/util/ebtables.h
Re: [libvirt] [RFC PATCH 5/6] add MAC address based port filtering to qemu
On Mon, 2009-10-05 at 13:19 +0100, Daniel P. Berrange wrote: > On Fri, Oct 02, 2009 at 03:48:36PM +0200, Gerhard Stenzel wrote: > > This patch adds MAC address based port filtering to the qemu driver. > > > > Signed-off-by: Gerhard Stenzel > > --- > > > > src/qemu/qemu.conf |3 +++ > > src/qemu/qemu_conf.c | 14 ++ > > src/qemu/qemu_conf.h |2 ++ > > src/qemu/qemu_driver.c | 23 +++ > > 4 files changed, 42 insertions(+), 0 deletions(-) > > > > @@ -1193,6 +1197,16 @@ qemudNetworkIfaceConnect(virConnectPtr conn, > > tapfd = -1; > > } > > > > +if (driver->macFilter) { > > +virNetworkPtr network = virNetworkLookupByName(conn, > > + > > net->data.network.name); > > +if ((err = virNetworkAllowMacOnPort(network, brname, net->ifname, > > net->mac))) { > > +virReportSystemError(conn, err, > > + _("failed to add ebtables rule to allow > > MAC address on '%s'"), > > + net->ifname); > > +} > > +} > > This will crash in a large number of scenarios, since it is > only valid to deference net->data.network fields once you > have verified net->type == VIR_DOMAIN_NET_TYPE_NETWORK. It > is also failing to check for virNetworkLookupByName() returning > NULL. > > This is why the MAC filtering should not be part of the > virNetwork API set. The QEMU driver should be directly > calling the ebtables APIs you added in patch 1, rather > then indirectly via virNetwork.. This would allow this > MAC filtering to work with bridged network modes too. > > > diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c > > index 155e4a3..a95c867 100644 > > --- a/src/qemu/qemu_driver.c > > +++ b/src/qemu/qemu_driver.c 
> > @@ -239,6 +239,14 @@ qemudAutostartConfigs(struct qemud_driver *driver) { > > } > > virDomainObjUnlock(vm); > > } > > +if (qemu_driver->macFilter) { > > +fprintf(stderr,"%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__, > > __LINE__, qemu_driver->macFilter); > > There's a VIR_DEBUG() macro available for logging. > > > > +if ((errno = virNetworkDisableAllFrames(conn))) { > > +virReportSystemError(conn, errno, > > + _("failed to add rule to drop all frames > > in '%s'"), __FILE__); > > +} > > +} > > + > > qemuDriverUnlock(driver); > > > > if (conn) > > @@ -2167,8 +2175,23 @@ cleanup: > > static void qemudShutdownVMDaemon(virConnectPtr conn, > >struct qemud_driver *driver, > >virDomainObjPtr vm) { > > + > > int ret; > > int retries = 0; > > +char *brname; > > + > > +virDomainNetDefPtr net = vm->def->nets[0]; > > This assumes the guest has exactly one NIC - it'll crash if there > are no NICs, and it'll miss cleanup steps if there are multiple NICs > > > +virNetworkPtr network = virNetworkLookupByName(conn, > > + net->data.network.name); > > +brname = virNetworkGetBridgeName(network); > > + > > +if (driver->macFilter) { > > +if ((errno = virNetworkDisallowMacOnPort(network, brname, > > net->ifname, net->mac))) { > > +virReportSystemError(conn, errno, > > + _("failed to add ebtables rule to allow > > MAC address on '%s'"), > > + net->ifname); > > +} > > +} > > Same comment as before about not using virNetwork for any of this > > Regards, > Daniel Thanks for the feedback so far. I know there is more to be done like handling multiple NICs and some more error checking, but is the following more in the direction you would like to have it? Index: libvirt/src/qemu/qemu_conf.c === --- libvirt.orig/src/qemu/qemu_conf.c +++ libvirt/src/qemu/qemu_conf.c @@ -37,6 +37,7 @@ #include #include +#include "ebtables.h" #include "c-ctype.h" #include "virterror_internal.h" #include "qemu_conf.h" @@ -318,6 +319,10 @@ int qemudLoadDriverConfig(struct qemud_d } } +p =
[libvirt] [RFC PATCH 6/6] remove currently unused parameter to pass make check test
This patch removes the currently unused "network" parameter to pass "make check" Signed-off-by: Gerhard Stenzel --- a/include/libvirt/libvirt.h.in +++ b/include/libvirt/libvirt.h.in @@ -890,12 +890,10 @@ int virNetworkSetAutostart (virNetworkPtr network, int virNetworkDisableAllFrames(virConnectPtr conn); int virNetworkAllowMacOnPort(virNetworkPtr network, - char * brname, char * ifname, unsigned char * mac); int virNetworkDisallowMacOnPort(virNetworkPtr network, -char * brname, char * ifname, unsigned char * mac); --- include/libvirt/libvirt.h.in |2 -- src/driver.h |2 -- src/libvirt.c|6 ++ src/network/bridge_driver.c |4 src/qemu/qemu_conf.c |2 +- src/qemu/qemu_driver.c |2 +- src/util/ebtables.c |7 ++- src/util/ebtables.h |2 -- 8 files changed, 6 insertions(+), 21 deletions(-) diff --git a/include/libvirt/libvirt.h.in b/include/libvirt/libvirt.h.in index 78e5cce..13f6586 100644 --- a/include/libvirt/libvirt.h.in +++ b/include/libvirt/libvirt.h.in @@ -890,12 +890,10 @@ int virNetworkSetAutostart (virNetworkPtr network, int virNetworkDisableAllFrames(virConnectPtr conn); int virNetworkAllowMacOnPort(virNetworkPtr network, - char * brname, char * ifname, unsigned char * mac); int virNetworkDisallowMacOnPort(virNetworkPtr network, -char * brname, char * ifname, unsigned char * mac); diff --git a/src/driver.h b/src/driver.h index fea6247..e3936ff 100644 --- a/src/driver.h +++ b/src/driver.h @@ -472,7 +472,6 @@ typedef int int autostart); typedef int (*virDrvNetworkAllowMacOnPort) (virConnectPtr conn, - char * brname, char * ifname, unsigned char * mac); typedef int @@ -480,7 +479,6 @@ typedef int typedef int (*virDrvNetworkDisallowMacOnPort) (virConnectPtr conn, - char * brname, char * ifname, unsigned char * mac); diff --git a/src/libvirt.c b/src/libvirt.c index ca65beb..76d55ee 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -5498,7 +5498,6 @@ error: int virNetworkDisallowMacOnPort(virNetworkPtr network, - char * brname, char * ifname, unsigned char * mac) { 
@@ -5516,7 +5515,7 @@ virNetworkDisallowMacOnPort(virNetworkPtr network, if (conn->networkDriver && conn->networkDriver->networkDisallowMacOnPort) { int ret; -ret = conn->networkDriver->networkDisallowMacOnPort (conn, brname, ifname, mac); +ret = conn->networkDriver->networkDisallowMacOnPort (conn, ifname, mac); if (ret < 0) goto error; return ret; @@ -5542,7 +5541,6 @@ error: int virNetworkAllowMacOnPort(virNetworkPtr network, - char * brname, char * ifname, unsigned char * mac) { @@ -5562,7 +5560,7 @@ virNetworkAllowMacOnPort(virNetworkPtr network, if (conn->networkDriver && conn->networkDriver->networkAllowMacOnPort) { int ret; -ret = conn->networkDriver->networkAllowMacOnPort (conn, brname, ifname, mac); +ret = conn->networkDriver->networkAllowMacOnPort (conn, ifname, mac); if (ret < 0) goto error; return ret; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index acd7afe..7d4cf2d 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -685,7 +685,6 @@ networkDisableAllFrames(virConnectPtr conn) { static int networkDisallowMacOnPort(virConnectPtr conn, - char * brname, char * ifname, unsigned char * mac) { @@ -705,7 +704,6 @@ networkDisallowMacOnPort(virConnectPtr conn, ebtablesContext * ebtablescontext = netdriver->ebtables; if ((err = ebtablesRemoveForwardAllowIn(ebtablescontext, -
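Review bot: the include/libvirt/libvirt.h.in hunk appears twice in this mail, once pasted directly after the Signed-off-by line and again in its proper place after the diffstat; the stray copy above the diffstat is likely to confuse `git am`, so regenerate the mail with git format-patch instead of hand-editing it. While these prototypes are being touched, make ifname `const char *` and mac `const unsigned char *`, since neither virNetworkAllowMacOnPort() nor virNetworkDisallowMacOnPort() modifies them.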
[libvirt] [RFC PATCH 5/6] add MAC address based port filtering to qemu
This patch adds MAC address based port filtering to the qemu driver. Signed-off-by: Gerhard Stenzel --- src/qemu/qemu.conf |3 +++ src/qemu/qemu_conf.c | 14 ++ src/qemu/qemu_conf.h |2 ++ src/qemu/qemu_driver.c | 23 +++ 4 files changed, 42 insertions(+), 0 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 6d6b86a..53c4522 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -152,3 +152,6 @@ # in a location of $MOUNTPOINT/libvirt/qemu # hugetlbfs_mount = "/dev/hugepages" + +mac_filter = 1 + diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index ac63570..7a3b1f1 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -318,6 +318,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, } } +p = virConfGetValue (conf, "mac_filter"); +CHECK_TYPE ("mac_filter", VIR_CONF_LONG); +if (p) driver->macFilter = p->l; + virConfFree (conf); return 0; } @@ -1193,6 +1197,16 @@ qemudNetworkIfaceConnect(virConnectPtr conn, tapfd = -1; } +if (driver->macFilter) { +virNetworkPtr network = virNetworkLookupByName(conn, + net->data.network.name); +if ((err = virNetworkAllowMacOnPort(network, brname, net->ifname, net->mac))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to allow MAC address on '%s'"), + net->ifname); +} +} + cleanup: VIR_FREE(brname); diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index f9a970f..ddcbd8a 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -112,6 +112,8 @@ struct qemud_driver { char *hugetlbfs_mount; char *hugepage_path; +unsigned int macFilter : 1; + virCapsPtr caps; /* An array of callbacks */ diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 155e4a3..a95c867 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
@@ -239,6 +239,14 @@ qemudAutostartConfigs(struct qemud_driver *driver) { } virDomainObjUnlock(vm); } +if (qemu_driver->macFilter) { +fprintf(stderr,"%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__, __LINE__, qemu_driver->macFilter); +if ((errno = virNetworkDisableAllFrames(conn))) { +virReportSystemError(conn, errno, + _("failed to add rule to drop all frames in '%s'"), __FILE__); +} +} + qemuDriverUnlock(driver); if (conn) @@ -2167,8 +2175,23 @@ cleanup: static void qemudShutdownVMDaemon(virConnectPtr conn, struct qemud_driver *driver, virDomainObjPtr vm) { + int ret; int retries = 0; +char *brname; + +virDomainNetDefPtr net = vm->def->nets[0]; +virNetworkPtr network = virNetworkLookupByName(conn, + net->data.network.name); +brname = virNetworkGetBridgeName(network); + +if (driver->macFilter) { +if ((errno = virNetworkDisallowMacOnPort(network, brname, net->ifname, net->mac))) { +virReportSystemError(conn, errno, + _("failed to add ebtables rule to allow MAC address on '%s'"), + net->ifname); +} +} if (!virDomainIsActive(vm)) return; -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
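Review bot: in the qemudAutostartConfigs() hunk the return value of virNetworkDisableAllFrames() is stored in errno and then passed to virReportSystemError(), which may itself clobber errno before it is read; use a local int for the result. The fprintf(stderr, ...) debug line should go (or become VIR_DEBUG) before this is resubmitted, as already noted in the thread.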
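Review bot: in the qemudShutdownVMDaemon() hunk, virNetworkLookupByName() and virNetworkGetBridgeName() run before the `if (driver->macFilter)` check and before the `if (!virDomainIsActive(vm)) return;` early exit, so every shutdown performs the lookup even with filtering disabled, and neither `network` (virNetworkFree) nor `brname` (VIR_FREE) is ever released. Move the lookup inside the macFilter block after the early exit, and free both on every path; the nets[0] and net->data.network problems are covered in the reply above.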
[libvirt] [RFC PATCH 4/6] add MAC address based port filtering to libvirt
This patch adds MAC address based port filtering support to libvirt. Signed-off-by: Gerhard Stenzel --- include/libvirt/libvirt.h.in | 16 ++ src/driver.h | 16 ++ src/libvirt.c| 121 ++ src/libvirt_public.syms |3 + src/test/test_driver.c |3 + 5 files changed, 159 insertions(+), 0 deletions(-) diff --git a/include/libvirt/libvirt.h.in b/include/libvirt/libvirt.h.in index 4e63e48..78e5cce 100644 --- a/include/libvirt/libvirt.h.in +++ b/include/libvirt/libvirt.h.in @@ -884,6 +884,22 @@ int virNetworkSetAutostart (virNetworkPtr network, int autostart); /* + * MAC address based filtering + */ + +int virNetworkDisableAllFrames(virConnectPtr conn); + +int virNetworkAllowMacOnPort(virNetworkPtr network, + char * brname, + char * ifname, + unsigned char * mac); + +int virNetworkDisallowMacOnPort(virNetworkPtr network, +char * brname, +char * ifname, +unsigned char * mac); + +/* * Physical host interface configuration API */ diff --git a/src/driver.h b/src/driver.h index 6a3dcc2..fea6247 100644 --- a/src/driver.h +++ b/src/driver.h @@ -470,6 +470,19 @@ typedef int typedef int (*virDrvNetworkSetAutostart) (virNetworkPtr network, int autostart); +typedef int +(*virDrvNetworkAllowMacOnPort) (virConnectPtr conn, + char * brname, + char * ifname, + unsigned char * mac); +typedef int +(*virDrvNetworkDisableAllFrames) (virConnectPtr conn); + +typedef int +(*virDrvNetworkDisallowMacOnPort) (virConnectPtr conn, + char * brname, + char * ifname, + unsigned char * mac); typedef struct _virNetworkDriver virNetworkDriver; @@ -504,6 +517,9 @@ struct _virNetworkDriver { virDrvNetworkGetBridgeName networkGetBridgeName; virDrvNetworkGetAutostart networkGetAutostart; virDrvNetworkSetAutostart networkSetAutostart; +virDrvNetworkAllowMacOnPortnetworkAllowMacOnPort; +virDrvNetworkDisallowMacOnPort networkDisallowMacOnPort; +virDrvNetworkDisableAllFrames networkDisableAllFrames; }; /*---*/ diff --git a/src/libvirt.c b/src/libvirt.c index 4cc19ec..ca65beb 100644 --- a/src/libvirt.c 
+++ b/src/libvirt.c @@ -5456,6 +5456,127 @@ error: } /** + * virNetworkDisableAllFrames: + * @network: a network object + * + * Provides a bridge interface name to which a domain may connect + * a network interface in order to join the network. + * + * Returns -1 in case of error, 0 in case of success + */ + +int +virNetworkDisableAllFrames(virConnectPtr conn) { + +virResetLastError(); + +if (conn->networkDriver && conn->networkDriver->networkDisableAllFrames) { +int ret; +ret = conn->networkDriver->networkDisableAllFrames(conn); +if (ret < 0) +goto error; +return ret; +} + +virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + +error: +/* Copy to connection error object for back compatability */ +return -1; +} + + +/** + * virNetworkDisallowMacOnPort: + * @network: a network object + * + * Provides a bridge interface name to which a domain may connect + * a network interface in order to join the network. + * + * Returns -1 in case of error, 0 in case of success + */ + +int +virNetworkDisallowMacOnPort(virNetworkPtr network, + char * brname, + char * ifname, + unsigned char * mac) { + +virConnectPtr conn; +DEBUG("network=%p", network); + +virResetLastError(); + +if (!VIR_IS_CONNECTED_NETWORK(network)) { +virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); +return (-1); +} + +conn = network->conn; + +if (conn->networkDriver && conn->networkDriver->networkDisallowMacOnPort) { +int ret; +ret = conn->networkDriver->networkDisallowMacOnPort (conn, brname, ifname, mac); +if (ret < 0) +goto error; +return ret; +} + +virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + +error: +/* Copy to connection error object for back compatability */ +virSetConnError(network->conn); +return -1; +} + +/** + * virNetworkAllo
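Review bot: the virNetworkDisableAllFrames() doc comment in the libvirt.c hunk lists `@network: a network object` although the function takes `virConnectPtr conn`, and its description, like that of virNetworkDisallowMacOnPort(), is copied from virNetworkGetBridgeName ("Provides a bridge interface name to which a domain may connect ..."); both should describe the filtering semantics and the meaning of the ifname and mac arguments. Also, virNetworkDisableAllFrames() dereferences conn without a VIR_IS_CONNECT(conn) check (virNetworkDisallowMacOnPort() below does validate its handle with VIR_IS_CONNECTED_NETWORK()), and its `error:` comment says it copies to the connection error object but the function does not call virSetConnError().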
[libvirt] [RFC PATCH 3/6] add the ebtables wrapper to network driver
This patch adds the ebtables wrapper to the network driver. Signed-off-by: Gerhard Stenzel --- src/conf/network_conf.h | 10 ++ src/libvirt_private.syms| 26 ++ src/network/bridge_driver.c | 179 +++ 3 files changed, 215 insertions(+), 0 deletions(-) diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index e983a01..2f7d536 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -55,6 +55,13 @@ struct _virNetworkDHCPHostDef { char *ip; }; +typedef struct _virNetworkBridgePortDef virNetworkBridgePortDef; +typedef virNetworkBridgePortDef *virNetworkBridgePortDefPtr; +struct _virNetworkBridgePortDef { +char *mac; +char *name; +}; + typedef struct _virNetworkDef virNetworkDef; typedef virNetworkDef *virNetworkDefPtr; struct _virNetworkDef { @@ -79,6 +86,9 @@ struct _virNetworkDef { unsigned int nhosts; /* Zero or more dhcp hosts */ virNetworkDHCPHostDefPtr hosts; +unsigned int nports; /* Zero or more filtered ports */ +virNetworkBridgePortDefPtr ports; + char *tftproot; char *bootfile; }; diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index b699fb2..f92f646 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms 
@@ -227,6 +227,32 @@ iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesSaveRules; +# ebtables.h +ebtablesAddForwardAllowCross; +ebtablesAddForwardAllowIn; +ebtablesAddForwardAllowOut; +ebtablesAddForwardAllowRelatedIn; +ebtablesAddForwardMasquerade; +ebtablesAddForwardRejectIn; +ebtablesAddForwardRejectOut; +ebtablesAddTcpInput; +ebtablesAddUdpInput; +ebtablesContextFree; +ebtablesContextNew; +ebtablesReloadRules; +ebtablesRemoveForwardAllowCross; +ebtablesRemoveForwardAllowIn; +ebtablesRemoveForwardAllowOut; +ebtablesRemoveForwardAllowRelatedIn; +ebtablesRemoveForwardMasquerade; +ebtablesRemoveForwardRejectIn; +ebtablesRemoveForwardRejectOut; +ebtablesRemoveTcpInput; +ebtablesRemoveUdpInput; +ebtablesSaveRules; +ebtablesAddForwardPolicyReject; +ebtablesRemoveForwardPolicyReject; +ebtablesForwardPolicyReject; # libvirt_internal.h virStateInitialize; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 95bc810..acd7afe 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -54,6 +54,7 @@ #include "util.h" #include "memory.h" #include "uuid.h" +#include "ebtables.h" #include "iptables.h" #include "bridge.h" #include "logging.h" @@ -70,6 +71,7 @@ struct network_driver { virNetworkObjList networks; iptablesContext *iptables; +ebtablesContext *ebtables; brControl *brctl; char *networkConfigDir; char *networkAutostartDir; @@ -245,6 +247,10 @@ networkStartup(int privileged) { goto out_of_memory; } +if (!(driverState->ebtables = ebtablesContextNew())) { +goto out_of_memory; +} + if (virNetworkLoadAllConfigs(NULL, &driverState->networks, @@ -293,6 +299,11 @@ networkReload(void) { iptablesReloadRules(driverState->iptables); } + if (driverState->ebtables) { +VIR_INFO0(_("Reloading ebtables rules\n")); +ebtablesReloadRules(driverState->ebtables); +} + networkAutostartConfigs(driverState); networkDriverUnlock(driverState); return 0; 
@@ -350,6 +361,9 @@ networkShutdown(void) { if (driverState->iptables) iptablesContextFree(driverState->iptables); +if (driverState->ebtables) +ebtablesContextFree(driverState->ebtables); + networkDriverUnlock(driverState); virMutexDestroy(&driverState->lock); @@ -573,6 +587,168 @@ cleanup: return ret; } + +static int +networkAddEbtablesRules(virConnectPtr conn, + struct network_driver *driver) { +int err; + +/* Catch all rules to block forwarding to/from bridges */ +/* +if ((err = ebtablesAddForwardRejectOut(driver->ebtables, network->def->bridge))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to block outbound traffic from '%s'"), + network->def->bridge); +goto err5; +} + +if ((err = ebtablesAddForwardRejectIn(driver->ebtables, network->def->bridge))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to block inbound traffic to '%s'"), + network->def->bridge); +goto err6; +} +*/ +/* Set forward policy to DROP */ +if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) { +virReportSystemError(conn, err, + _("failed to add ebtables rule to set default policy to dro
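Review bot: the network_conf.h hunk adds `virNetworkBridgePortDef` with heap-allocated `mac` and `name` strings and the `nports`/`ports` members of `virNetworkDef`, but nothing in this patch parses them from XML, formats them back, or frees them: the diffstat touches only `network_conf.h`, `libvirt_private.syms` and `bridge_driver.c`, and none of the `bridge_driver.c` hunks shown reads these fields. Either add the parse/format code and the matching cleanup in `virNetworkDefFree`, or leave the fields out until the ebtables rules are actually driven from the network definition.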
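Review bot: the `# ebtables.h` block in the libvirt_private.syms hunk is the iptables export list with the prefix renamed: `ebtablesAddForwardMasquerade`, `ebtablesAddForwardAllowRelatedIn`, `ebtablesAddTcpInput`, `ebtablesAddUdpInput` and their `Remove` counterparts are iptables concepts (MASQUERADE and the RELATED conntrack state have no ebtables equivalent), and the three `ebtables*ForwardPolicyReject` symbols are appended after `ebtablesSaveRules` instead of in the sorted position the file uses. Export only what `bridge_driver.c` calls and keep the block sorted.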
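Review bot: the `networkShutdown` hunk frees the ebtables context but no hunk in this patch undoes what `networkAddEbtablesRules` did to the FORWARD policy, so the DROP default outlives libvirtd while the per-guest ACCEPT rules (removed on domain destroy, per the cover letter) do not; after a shutdown every bridge on the host is left blocked. Restore the previous policy here, or avoid changing the global policy in the first place.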
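Review bot: in the `networkAddEbtablesRules` hunk the commented-out block refers to `network->def->bridge` and jumps to `err5`/`err6`, but the function's only parameters are `conn` and `driver` and neither label exists in it; delete the dead block rather than ship code that would not compile if uncommented. The live call `ebtablesAddForwardPolicyReject(driver->ebtables)` takes no bridge argument and, per the comment `Set forward policy to DROP` and the error text, changes the filter table's FORWARD policy host-wide at driver startup, so every bridge libvirt does not manage, and the physical uplink of the ones it does, stops forwarding until an ACCEPT rule is added for it. Name the helper for what it does (ebtables has no REJECT target, only DROP), and either scope the default with per-bridge `-i`/`-o` rules or gate it behind the qemu.conf switch suggested in the thread.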
[libvirt] [RFC PATCH 2/6] add build support for ebtables wrapper
This patch adds build support for the ebtables wrapper. Signed-off-by: Gerhard Stenzel --- configure.in|3 +++ src/Makefile.am |1 + 2 files changed, 4 insertions(+), 0 deletions(-) diff --git a/configure.in b/configure.in index cb5ce55..9e9aa3a 100644 --- a/configure.in +++ b/configure.in @@ -287,6 +287,9 @@ fi AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH]) AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary]) +AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/sbin:$PATH]) +AC_DEFINE_UNQUOTED([EBTABLES_PATH], "$EBTABLES_PATH", [path to ebtables binary]) + if test "$with_openvz" = "yes"; then AC_DEFINE_UNQUOTED([WITH_OPENVZ], 1, [whether OpenVZ driver is enabled]) fi diff --git a/src/Makefile.am b/src/Makefile.am index de7765c..4a6716c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -43,6 +43,7 @@ UTIL_SOURCES = \ util/event.c util/event.h \ util/hash.c util/hash.h \ util/iptables.c util/iptables.h \ + util/ebtables.c util/ebtables.h \ util/logging.c util/logging.h \ util/memory.c util/memory.h \ util/pci.c util/pci.h \ -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
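Review bot: `AC_PATH_PROG([EBTABLES_PATH], [ebtables], /sbin/ebtables, [/usr/sbin:$PATH])` in the configure.in hunk falls back to `/sbin/ebtables` when the binary is absent at configure time, so `EBTABLES_PATH` is always defined and the network driver will try to exec a missing tool on hosts without ebtables; because the wrapper changes the bridge FORWARD policy, a failed exec here is not harmless. Consider an `AC_ARG_WITH` option or conditional so the ebtables code is only built, or at least only invoked, when the tool is available. In the Makefile.am hunk, `util/ebtables.c util/ebtables.h` is inserted after `util/iptables.c`, but `UTIL_SOURCES` is kept alphabetical (`event.c`, `hash.c`, `iptables.c`, `logging.c`), so the line belongs before `util/event.c`.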
[libvirt] [RFC PATCH 1/6] add ebtables wrapper
This patch adds the files which implement the ebtables wrapper. Signed-off-by: Gerhard Stenzel --- src/util/ebtables.c | 964 +++ src/util/ebtables.h | 136 +++ 2 files changed, 1100 insertions(+), 0 deletions(-) create mode 100644 src/util/ebtables.c create mode 100644 src/util/ebtables.h diff --git a/src/util/ebtables.c b/src/util/ebtables.c new file mode 100644 index 000..930d046 --- /dev/null +++ b/src/util/ebtables.c 
@@ -0,0 +1,964 @@ +/* + * Copyright (C) 2009 IBM Corp. + * Copyright (C) 2007-2009 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * based on iptables.c + * Authors: + * Gerhard Stenzel + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_SYS_WAIT_H +#include +#endif + +#ifdef HAVE_PATHS_H +#include +#endif + +#include "internal.h" +#include "ebtables.h" +#include "util.h" +#include "memory.h" +#include "virterror_internal.h" +#include "logging.h" + +enum { +ADD = 0, +REMOVE +}; + + +#ifdef ENABLE_ebtabLES_LOKKIT +static void +notifyRulesUpdated(const char *table, + const char *path) +{ +char arg[PATH_MAX]; +const char *argv[4]; + +snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path); + +argv[0] = (char *) LOKKIT_PATH; +argv[1] = (char *) "--nostart"; +argv[2] = arg; +argv[3] = NULL; + +char ebuf[1024]; +if (virRun(NULL, argv, NULL) < 0) +VIR_WARN(_("Failed to run '%s %s': %s"), + LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf)); +} + +static int +stripLine(char *str, int len, const char *line) +{ +char *s, *p; +int changed; + +changed = 0; +s = str; + +while ((p = strchr(s, '\n'))) { +if (p == s || STRNEQLEN(s, line, p - s)) { +s = ++p; +continue; +} + 
+++p; +memmove(s, p, len - (p - str) + 1); +len -= p - s; +changed = 1; +} + +if (STREQ(s, line)) { +*s = '\0'; +changed = 1; +} + +return changed; +} + +static void +notifyRulesRemoved(const char *table, + const char *path) +{ +/* 10 MB limit on config file size as a sanity check */ +#define MAX_FILE_LEN (1024*1024*10) + +char arg[PATH_MAX]; +char *content; +int len; +FILE *f = NULL; + +len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall", + MAX_FILE_LEN, &content); +if (len < 0) { +VIR_WARN("%s", _("Failed to read " SYSCONF_DIR + "/sysconfig/system-config-firewall")); +return; +} + +snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path); + +if (!stripLine(content, len, arg)) { +VIR_FREE(content); +return; +} + +if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w"))) +goto write_error; + +if (fputs(content, f) == EOF) +goto write_error; + +if (fclose(f) == EOF) { +f = NULL; +goto write_error; +} + +VIR_FREE(content); + +return; + + write_error:; +char ebuf[1024]; +VIR_WARN(_("Failed to write to " SYSCONF_DIR + "/sysconfig/system-config-firewall : %s"), + virStrerror(errno, ebuf, sizeof ebuf)); +if (f) +fclose(f); +VIR_FREE(content); + +#undef MAX_FILE_LEN +} + +static int +writeRules(const char *path, + const ebtRule *rules, + int nrules) +{ +char tmp[PATH_MAX]; +FILE *f; +int istmp; +int i; + +if (nrules == 0 && unlink(path) == 0) +return 0; + +if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX) +return EINVAL; + +istmp = 1; + +if (!(f = fopen(tmp, "w"))) { +istmp = 0; +if (!(f = fopen(path, "w"))) +return errno; +} + +for (i = 0; i < nrules; i++) { +if (fputs(rules[i
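Review bot: `#ifdef ENABLE_ebtabLES_LOKKIT` in the ebtables.c hunk is a broken search-and-replace of `ENABLE_IPTABLES_LOKKIT`; no configure check defines a macro with that spelling, so `notifyRulesUpdated` and `notifyRulesRemoved` are dead code. Even with the name fixed, both functions hand lokkit `--custom-rules=ipv4:%s:%s` and rewrite `/etc/sysconfig/system-config-firewall`, which tells system-config-firewall about an IPv4 iptables table, not an ebtables rule file, so the integration would record the wrong thing. Either drop the lokkit path from the ebtables wrapper or add a real configure option together with a rule format the firewall tool understands.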
[libvirt] [RFC PATCH 0/6] Series short description
The following series of patches is a prototype implementation of an ebtables based MAC address filter. This is currently not intended for inclusion, but rather to get some feedback/comments about the approach and the implementation.

At the moment, some defaults are set when libvirtd starts and when a domain is started or destroyed. The plan is to extend this filter capability to the API level and virsh command level. The plan is also to add more filtering features like VLAN filtering and QoS filtering.

Thanks,
Gerhard

---

Gerhard Stenzel (6):
      remove currently unused parameter to pass make check test
      add MAC address based port filtering to qemu
      add MAC address based port filtering to libvirt
      add the ebtables wrapper to network driver
      add build support for ebtables wrapper
      add ebtables wrapper

 configure.in                 |    3
 include/libvirt/libvirt.h.in |   14 +
 src/Makefile.am              |    1
 src/conf/network_conf.h      |   10
 src/driver.h                 |   14 +
 src/libvirt.c                |  119 +
 src/libvirt_private.syms     |   26 +
 src/libvirt_public.syms      |    3
 src/network/bridge_driver.c  |  175
 src/qemu/qemu.conf           |    3
 src/qemu/qemu_conf.c         |   14 +
 src/qemu/qemu_conf.h         |    2
 src/qemu/qemu_driver.c       |   23 +
 src/test/test_driver.c       |    3
 src/util/ebtables.c          |  961 ++
 src/util/ebtables.h          |  134 ++
 16 files changed, 1505 insertions(+), 0 deletions(-)
 create mode 100644 src/util/ebtables.c
 create mode 100644 src/util/ebtables.h

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] Integrating MAC address based filtering into libvirt
On Wed, 2009-08-19 at 13:35 +0100, Daniel P. Berrange wrote:
> On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
...
> I think this extra XML element is probably redundant - we should always do
> MAC filtering at all times, on all bridges. Not simply those used in a
> virtual network, but also those connected to a real physical device too.
>
I used the extra XML element as a means to switch filtering on and off, I am not passionate about it.

> I could see having a QEMU driver level configuration option in
> /etc/libvirt/qemu.conf though, to turn filtering on/off for the
> host as a whole though.
>
Fine with me, if that is the preferred way.

> > The current prototype implementation is based on the existing iptables
> > wrapper in libvirt. I basically cloned the iptables wrapper to an
> > ebtables wrapper and did some ebtables specific adjustments. There are
> > currently four occasions when the ebtables wrapper is called:
> > - when creating the network
>
> What do you do to ebtables at this point ?
>
The "filter" element is evaluated at startup of libvirtd and a generic ebtables rule is generated to drop all frames. This could be changed to use the config option.

> > - when adding a guest to the network
> > - when removing a guest from the network
>
> Isn't it sufficient to only use ebtables in these two places ?
>
I think some generic settings should be done at libvirtd startup ...

> > - when destroying the network (currently not implemented)
>
... and some reasonable state should be restored at libvirtd shutdown, but that might be unnecessary.

> > These calls can be augmented to also do for example tagged vlan and
> > protocol filtering.
>
> We probably also want to be able to do IP address filtering too.
>
IP address filtering, VLAN tag filtering and similar are further down on my list.

> ie, if the guest XML has an element inside the
> then we should add rules to ensure only IP traffic matching that
> source/target address is allowed to pass out/in
>
>
> Daniel

--
Best regards,
Gerhard Stenzel,
---
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Management: Erich Baier
Registered office: Böblingen
Register court: Amtsgericht Stuttgart, HRB 243294
--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] Integrating MAC address based filtering into libvirt
Hello, I am currently investigating the possibility to implement MAC address based filtering in libvirt and was wondering if there is any related effort going on and what people in general would think about that. Here is a description of my current prototype implementation: I have a small setup of two guests and a network: Guest1: r...@stenzel-desktop:/etc/libvirt/qemu# cat build1.xml build1 ... ... Guest2: r...@stenzel-desktop:/etc/libvirt/qemu# cat build2.xml build2 ... ... and the network to which I added a new XML element "filter" with attribute "mac", which switches on the MAC address filtering: r...@stenzel-desktop:/etc/libvirt/qemu# cat networks/mynet.xml mynet 920debe0-c3ef-4395-8241-ee82d4b49c2d the "filter" element is evaluated at startup of libvirtd and a generic ebtables rules is generated (all frames are dropped): sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L Bridge table: filter ... Bridge chain: FORWARD, entries: 0, policy: DROP ... When starting up guest1, ... sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh start build1 Domain build1 started ... an ebtables rule is generated to allow its mac address on the its interface: sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L ... Bridge chain: FORWARD, entries: 1, policy: DROP -s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT ... the same happens when starting up the second guest: sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh start build2 Domain build2 started sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L ... Bridge chain: FORWARD, entries: 2, policy: DROP -s d0:f:d0:f:2:2 -i vnet1 -j ACCEPT -s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT ... so the two guests are allowed to communicate. After destroying the two guests, the corresponding ebtables rules are removed: sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh destroy build2 Domain build2 destroyed sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L ... 
Bridge chain: FORWARD, entries: 1, policy: DROP -s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT ... sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo virsh destroy build1 Domain build1 destroyed sten...@stenzel-desktop:~/projects/vsn/libvirt$ sudo ebtables -L ... Bridge chain: FORWARD, entries: 0, policy: DROP ... The current prototype implementation is based on the existing iptables wrapper in libvirt. I basically cloned the iptables wrapper to an ebtables wrapper and did some ebtables specific adjustments. There are currenlty four occasions when the ebtables wrapper is called: - when creating the network - when adding a guest to the network - when removing a guest from the network - when destroying the network (currently not implemented) These calls can be augmented to also do for example tagged vlan and protocol filtering. Configuring the filter rules via virsh is also an option. Comments are appreciated. -- Best regards, Gerhard Stenzel, --- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Erich Baier Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
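The FORWARD chain state from the listing above, modelled as an added example that is neither libvirt's code nor the poster's: it parses an `ebtables -L` style listing (the sample text is constructed from the post's output) and evaluates the chain the way the bridge does, first match wins and otherwise the policy applies, which shows that a guest sending with the other guest's MAC, or a frame arriving over the physical uplink, is dropped by the DROP default. `audit_forward` is an assumed helper name that flags a chain whose policy is not DROP or whose ACCEPT rules are not pinned to both a MAC and an input port.

```python
import re
from typing import Dict, List, NamedTuple, Optional

CHAIN_RE = re.compile(r"^Bridge chain: (\w+), entries: \d+, policy: (\w+)$")

# Constructed sample in `ebtables -L` format, from the FORWARD chain in the post
# (ebtables prints MAC octets without leading zeros, e.g. d0:f:d0:f:2:1).
SAMPLE_LISTING = """\
Bridge table: filter
Bridge chain: FORWARD, entries: 2, policy: DROP
-s d0:f:d0:f:2:2 -i vnet1 -j ACCEPT
-s d0:f:d0:f:2:1 -i vnet0 -j ACCEPT
"""

class Rule(NamedTuple):
    src_mac: Optional[str]   # canonical form; None when the rule does not match on it
    in_iface: Optional[str]  # input port (-i); None when the rule does not match on it
    target: str

class Chain(NamedTuple):
    policy: str
    rules: List[Rule]

def norm_mac(mac: str) -> str:
    """Canonicalise so 'd0:f:d0:f:2:1' and 'd0:0f:d0:0f:02:01' compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def parse_rule(line: str) -> Rule:
    """Parse the `-s MAC -i IFACE -j TARGET` option pairs ebtables prints."""
    toks = line.split()
    opts = dict(zip(toks[0::2], toks[1::2]))
    if len(toks) % 2 or "-j" not in opts:
        raise ValueError(f"malformed rule line: {line!r}")
    src = opts.get("-s")
    return Rule(norm_mac(src) if src else None, opts.get("-i"), opts["-j"])

def parse_listing(text: str) -> Dict[str, Chain]:
    """Group each rule line under the `Bridge chain:` header that precedes it."""
    chains, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := CHAIN_RE.match(line):
            current = chains[m.group(1)] = Chain(m.group(2), [])
        elif line.startswith("-") and current is not None:
            current.rules.append(parse_rule(line))
    return chains

def verdict(chain: Chain, src_mac: str, in_iface: str) -> str:
    """First matching rule wins; with no match the chain policy applies."""
    mac = norm_mac(src_mac)
    for r in chain.rules:
        if r.src_mac in (None, mac) and r.in_iface in (None, in_iface):
            return r.target
    return chain.policy

def audit_forward(chains: Dict[str, Chain]) -> List[str]:
    """Policy must be DROP and every ACCEPT must pin both a MAC and an input port."""
    fwd = chains.get("FORWARD")
    if fwd is None:
        return ["no FORWARD chain in listing"]
    findings = [] if fwd.policy == "DROP" else [f"FORWARD policy is {fwd.policy}"]
    for r in fwd.rules:
        if r.target == "ACCEPT" and None in (r.src_mac, r.in_iface):
            findings.append(f"ACCEPT not pinned to both MAC and port: {r}")
    return findings
```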