<div dir="ltr">Hi Jan,<div><br></div><div>I have shared the draft proposal link with libvirt on GSoC's system.</div><div>Could you please check and provide your feedback, if possible.</div><div><br></div><div>Thanks,</div><div>Prakhar</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 31, 2020 at 1:47 AM Jan Kiszka <<a href="mailto:jan.kiszka@web.de">jan.kiszka@web.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On 31.03.20 04:43, PRAKHAR BANSAL wrote:<br>
> Hi Jan,<br>
><br>
> Thanks for the confirmation to proceed on project proposal.<br>
><br>
> Also, I tried installing Jailhouse on my VM after enabling VT-x/EPT and<br>
> IOMMU for my VM(Guest OS- Ubuntu 18.04) on VMware fusion hypervisor with<br>
> MacOS on the host side.<br>
> However, Jailhouse hardware check was failed because of missing<br>
> *Preemption timer and Virtualize APIC access*, could you please suggest,<br>
> if this is hardware limitation? Is there any workaround here?<br>
<br>
You will need a hypervisor that supports both when nesting, but I have<br>
no idea if there is one for the Mac. What is known to work is KVM on<br>
Linux hosts.<br>
<br>
> My laptop's processor is Intel quad-core i7.<br>
><br>
> image.png<br>
><br>
> Also, could you please suggest, if I can talk to you through an IRC or<br>
> slack channel since it is a bit hard to communicate over email every time.<br>
<br>
I'll be listening on #jailhouse, <a href="http://irc.freenode.net" rel="noreferrer" target="_blank">irc.freenode.net</a>.<br>
<br>
Jan<br>
<br>
><br>
> Thanks,<br>
> Prakhar<br>
><br>
><br>
> On Mon, Mar 30, 2020 at 6:15 AM Jan Kiszka <<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a><br>
> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>>> wrote:<br>
><br>
> On 30.03.20 10:02, PRAKHAR BANSAL wrote:<br>
> > Hi Jan,<br>
> ><br>
> > On Sat, Mar 28, 2020 at 4:12 AM Jan Kiszka <<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a><br>
> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>><br>
> > <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>>>> wrote:<br>
> ><br>
> > On 28.03.20 08:47, PRAKHAR BANSAL wrote:<br>
> > > Hi Jan,<br>
> > ><br>
> > > Thanks for the reply!<br>
> > ><br>
> > > I was only considering the command-line tool "code" for<br>
> reference<br>
> > to the<br>
> > > Jailhouse kernel API(ioctl calls) because I didn't find a<br>
> > documentation<br>
> > > of the Jailhouse kernel APIs.<br>
> ><br>
> > Right, the IOCTL API is not documented so far. It is<br>
> currently only used<br>
> > inside the Jailhouse project. This needs to be formalized<br>
> when there<br>
> > shall be external users like a libvirt driver.<br>
> ><br>
> > That might be a nice small contribution task: Create some<br>
> > Documentation/driver-interfaces.md that describes the IOCTLs<br>
> along with<br>
> > their parameter structures and that also includes the current<br>
> > sysfs-entries.txt as a section. Then send this as patch here.<br>
> I'll help<br>
> > out when details are not clear from reading the code.<br>
> ><br>
> > Sure. I will do that.<br>
> ><br>
> > ><br>
> > > For the second part as you mentioned that Jailhouse can<br>
> only create<br>
> > > cells with the constraints defined in the root cell<br>
> configuration. I<br>
> > > have a few questions regarding that.<br>
> > ><br>
> > > 1. Is there a way to know if Jailhouse is enabled on the<br>
> host and get<br>
> > > the root cell configuration(s) from Jailhouse through an API?<br>
> > This can<br>
> > > be used while binding the libvirt to the Jailhouse hypervisor.<br>
> ><br>
> > Look at<br>
> ><br>
> <a href="https://github.com/siemens/jailhouse/blob/master/Documentation/sysfs-entries.txt" rel="noreferrer" target="_blank">https://github.com/siemens/jailhouse/blob/master/Documentation/sysfs-entries.txt</a><br>
> > for what is reported as runtime information. Full<br>
> configurations can't<br>
> > be read back at this point. This might be reconsidered in the<br>
> light of<br>
> > [1], but I wouldn't plat for that yet.<br>
> ><br>
> ><br>
> > Ok, sure. I am looking into it.<br>
> ><br>
> ><br>
> > ><br>
> > > 2. If Jailhouse is not enabled(again can we know this<br>
> using some API)<br>
> > > then, can libvirt enable/disable Jailhouse during the libvirt<br>
> > binding of<br>
> > > the Jailhouse driver with a given set of Jailhouse cell<br>
> > configurations<br>
> > > describing a complete partitioned system?<br>
> ><br>
> > With the API above and a given configuration set, yes. The<br>
> config set<br>
> > would have to be provided to the libvirt driver in some<br>
> to-be-defined<br>
> > way (e.g. /etc/libvirt/jailhouse.conf -><br>
> /etc/libvirt/jailhouse/*.cell).<br>
> ><br>
> > Cool, got it. Thanks!<br>
> ><br>
> > ><br>
> > > 3. I was wondering, as you mentioned that libvirt driver<br>
> should check<br>
> > > for mismatch of the cell configuration with the root cell<br>
> > configuration,<br>
> > > the question is, isn't that done by Jailhouse itself? If<br>
> yes, then<br>
> > > libvirt can just pass on the cell creation requests to<br>
> Jailhouse and<br>
> > > return the response to the user as it is, rather than driver<br>
> > doing any<br>
> > > such mismatch check.<br>
> ><br>
> > With matching I'm referring to a libvirt user request like<br>
> "create a<br>
> > domain with 2 CPUs", while there are no cells left that have<br>
> more than<br>
> > one CPU. Or "give the domain 1G RAM", and you need to find an<br>
> available<br>
> > cell with that much memory. Those are simple examples. A<br>
> request that<br>
> > states "connect the domain to the host network A" implies<br>
> that a cell<br>
> > has a shared-memory link to, say, the root cell that can be<br>
> configured<br>
> > to bridge this. But let's keep that for later and start as<br>
> simple as<br>
> > possible.<br>
> ><br>
> ><br>
> > Do I need to match the libvirt user-requested cell config with<br>
> only root<br>
> > cells or with all cells present at that time?<br>
><br>
> With all non-root cells - the root cell will be occupied already (it<br>
> runs libvirt e.g.).<br>
><br>
> ><br>
> > I wanted to request you for a favor for the proposal as the<br>
> deadline is<br>
> > approaching. Could I prepare a proposal for this project based on our<br>
> > discussion here and improve it later based on feedback comments after<br>
> > the deadline? I understand that I got late in starting on the project<br>
> > search and selection.<br>
><br>
> Sure, please go ahead.<br>
><br>
> Jan<br>
><br>
> ><br>
> > Thanks,<br>
> > Prakhar<br>
> ><br>
> ><br>
> > Jan<br>
> ><br>
> > [1]<br>
> ><br>
> <a href="https://groups.google.com/d/msgid/jailhouse-dev/CADiTV-1QiRhSWZnw%2BkHhJMO-BoA4sAcOmTkQE7ZWbHkGh3Jexw%40mail.gmail.com" rel="noreferrer" target="_blank">https://groups.google.com/d/msgid/jailhouse-dev/CADiTV-1QiRhSWZnw%2BkHhJMO-BoA4sAcOmTkQE7ZWbHkGh3Jexw%40mail.gmail.com</a><br>
> ><br>
> > ><br>
> > > -Prakhar<br>
> > ><br>
> > > On Thu, Mar 26, 2020 at 1:49 AM Jan Kiszka<br>
> <<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>><br>
> > <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>>><br>
> > > <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>><br>
> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a> <mailto:<a href="mailto:jan.kiszka@web.de" target="_blank">jan.kiszka@web.de</a>>>>> wrote:<br>
> > ><br>
> > > Hi Prakhar,<br>
> > ><br>
> > > On 25.03.20 05:36, PRAKHAR BANSAL wrote:<br>
> > > > Hi Jan,<br>
> > > ><br>
> > > > Thanks for the reply. I looked deeper into the<br>
> libvirt and<br>
> > Jailhouse<br>
> > > > source code and found following two things that seem<br>
> > relevant to the<br>
> > > > project I am interested in.<br>
> > > ><br>
> > > > - Libvirt driver interface at [libvirt.git]<br>
> > > ><br>
> <<a href="https://libvirt.org/git/?p=libvirt.git;a=tree;hb=HEAD" rel="noreferrer" target="_blank">https://libvirt.org/git/?p=libvirt.git;a=tree;hb=HEAD</a>> / src<br>
> > > ><br>
> > <<a href="https://libvirt.org/git/?p=libvirt.git;a=tree;f=src;hb=HEAD" rel="noreferrer" target="_blank">https://libvirt.org/git/?p=libvirt.git;a=tree;f=src;hb=HEAD</a>> /<br>
> > > driver.h<br>
> > > ><br>
> > ><br>
> ><br>
> <<a href="https://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=src/driver.h;hb=HEAD" rel="noreferrer" target="_blank">https://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=src/driver.h;hb=HEAD</a>><br>
> > > > - Jailhouse tool, which is using the ioctl API of the<br>
> > Jailhouse,<br>
> > > > available at<br>
> > > ><br>
> > <a href="https://github.com/siemens/jailhouse/blob/master/tools/jailhouse.c" rel="noreferrer" target="_blank">https://github.com/siemens/jailhouse/blob/master/tools/jailhouse.c</a>.<br>
> > > ><br>
> > > > With the help of the above two, it looks like, a<br>
> libvirt<br>
> > driver<br>
> > > for the<br>
> > > > Jailhouse can be implemented. Let me know if I am<br>
> moving<br>
> > in the right<br>
> > > > direction so far.<br>
> > ><br>
> > > From the Jailhouse perspective, it is important to not<br>
> > consider the<br>
> > > command line tool an interface anymore (like in the first<br>
> > prototype) but<br>
> > > build on top of the Linux driver API (ioctls, sysfs).<br>
> There<br>
> > is already a<br>
> > > Python library which started to abstract this<br>
> interface for<br>
> > > Jailhouse-internal use cases. However, I strongly suspect<br>
> > libvirt will<br>
> > > rather want a native binding.<br>
> > ><br>
> > > ><br>
> > > > I have been looking at the other libvirt driver<br>
> > implementations for<br>
> > > > hypervisors like HyperV and VMware to understand their<br>
> > implementation<br>
> > > > and learn from there.<br>
> > ><br>
> > > As Jailhouse is a static partitioning hypervisor without<br>
> > abstraction of<br>
> > > the underlying hardware, your starting point for the<br>
> libvirt<br>
> > binding<br>
> > > should be a given set of Jailhouse cell configurations<br>
> > describing a<br>
> > > complete partitioned system. So rather than<br>
> instantiating on<br>
> > demand a<br>
> > > domain (Jailhouse cell) with, say, a network adapter, the<br>
> > driver should<br>
> > > match a user request for a domain against the<br>
> configuration<br>
> > set and use<br>
> > > what is there - or report the mismatch. What it could<br>
> > organize, though,<br>
> > > is interconnecting cells that have a (preconfigured)<br>
> virtual<br>
> > network<br>
> > > link to the root cell.<br>
> > ><br>
> > > Due to this different concept, there will be no 1:1<br>
> mapping for<br>
> > > commodity hypervisor drivers to the Jailhouse scenario.<br>
> > Still, studying<br>
> > > what they do is useful and needed in order to<br>
> understand what<br>
> > "normally"<br>
> > > happens and find a reasonable translation. This is<br>
> probably<br>
> > the most<br>
> > > challenging part of the project.<br>
> > ><br>
> > > Jan<br>
> > ><br>
> ><br>
><br>
<br>
</blockquote></div>