[libvirt] RFC: An "embedded" mode for QEMU/LXC drivers
Richard W.M. Jones
rjones at redhat.com
Thu Jan 3 04:55:21 UTC 2013

On Wed, Jan 02, 2013 at 03:36:54PM +0000, Daniel P. Berrange wrote:
> This is something I was thinking about a little over the Christmas
> break. I've no intention of implementing this in the immediate
> future, but wanted to post it while it was fresh in my mind.
>
> Historically we have had 2 ways of using the stateful drivers like
> QEMU/LXC/UML/etc.
>
> - "system mode" - privileged libvirtd, one per host, started at boot
> - "session mode" - unprivileged libvirtd, one per non-root user, autostarted
>
> Within context of each daemon, VM name uniqueness is enforced. Operating
> via the daemon means that all applications connected to libvirtd get the
> same world view. This single world view is exactly what you want when
> dealing with server / cloud / desktop virtualization, because it means
> tools like 'virt-top', 'virt-viewer', 'virsh' can see the same VMs as
> virt-manager / oVirt / OpenStack / Boxes / etc.
>
> Recently we've seen increasing importance of a new use case which I will
> refer to as "embedded" virtualization. The best example of this use case
> is libguestfs which has long run a dedicated QEMU instance, but just now
> switched to using libvirtd. The other use case is virt-sandbox which is
> doing application confinement using LXC/KVM.
>
> In both these cases, operating via libvirtd is sub-optimal. Users of
> so-called "embedded" virtualization explicitly don't want to have interaction
> with other libvirt applications. They likely don't even want to expose the
> concept of virtualization to their users. For them virtualization is intended
> to be just a hidden impl detail of their application.
>
> Some issues which arise when using embedded virtualization
>
> - Need to invent sensible unique names for each VM launched. This
> leads to pollution of logfiles for QEMU instances run.
>
> - User sees libguestfs / virt-sandbox VMs in virt-manager / oVirt
> which they may then try to "manage", breaking libguestfs / etc

I didn't realize this before, but yes this is bad.

> - Disassociated process context, so if 'virt-sandbox' is placed in
> a cgroup, the VMs it launches are in a different cgroup. Likewise
> if custom env variables are set, work is needed to propagate those
> to VMs.
>
> This leads me to wonder whether it is worth exploring the idea of a new
> type of libvirt connection.
>
> - "embed mode" - no libvirtd, driver runs in application context

Seems like an excellent idea.

> The idea here is to take libvirtd out of the equation and directly use
> the QEMU driver code in the libvirt.so client / application. Since
> libvirtd (mostly) uses the same APIs as the public libvirt.so clients,
> there isn't much required to make this work.
>
> - A way for the application to invoke virStateInit for the driver
> - Application must provide an event loop impl
> - A way to specify alternative dirs for logs/state/config/etc
>
> An application would access this mode using a different path for the
> driver, and specifying the path to use for logs/state/config etc.
> eg libguestfs might use
>
> qemu:///embed?statedir=/tmp/libguestfsXXXXX/
>
> to get an instance of the QEMU driver that is completely private
> to itself. One question is whether there should be a single embed
> instance per process, or whether an application should be allowed
> to open multiple completely isolated embed instances. The latter
> might require us to eliminate more static variables in our code.
>
> This kind of embedded mode is not without its downsides though
>
> - How to access virtual network / storage / node device APIs ?

libguestfs only uses (optionally) user networking. We also don't
access any storage or node APIs, and don't intend to AFAIK.

> - Extra SELinux policy work to allow each app to have the same
> kind of privileges that libvirtd has to let it start VMs

Right, this is important, and probably tricky. How about still
running libvirtd, but per connection/process? (I think you mentioned
before that this is in fact already possible). It costs 1 extra fork,
but in the libguestfs scheme of things this won't make much
difference.

> - How to troubleshoot - can't use things like
>
> 'virsh qemu-monitor-command'
>
> since the embedded instance is private to the application
> in question.

For libguestfs this last one isn't important.

> One answer to the latter question, might be to actually allow the
> application to expose the same RPC service as libvirtd does. So
> virsh could connect to libguestfs using
>
> qemu:///embed?socketdir=/tmp/libguestfsXXXXX/libvirt-sock
>
> For the question of network/storage/node device access, the long
> term answer is probably to split up the system libvirtd instance
> into separate pieces. eg a virtnodedeviced, virtnetworkd,
> virstoraged, virtqemud, virtlxcd, etc. Now a client app would
> connect to their embedded QEMU instances, but to the shared
> nodedevice/network/storage daemons.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top