[libvirt-users] Host modifications

Benoit Friry benoit at friry.net
Mon Mar 25 21:12:44 UTC 2013


On 03/25/2013 16:21, Eric Blake wrote:
> On 03/25/2013 03:09 AM, Benoit Friry wrote:
>> Hello,
>> 
>> I test libvirt 0.9.12 on Debian.
>> 
>> I am disappointed by changes made on my host without any notice.
> 
> The whole point of libvirtd is to make changes on your host; I
> wouldn't go so far as to say that it was without notice, just that
> they are changes that you weren't aware that libvirtd was capable
> of exposing.

I would not say libvirt is just about making changes on the host. I
like the wrapping of the daemonization (instead of some "nohup kvm &")
and the normalization of the commands. And when I run virt-install, I
am not disappointed by the file creation.

>> Examples: - editing interfaces with virsh or virt-manager
>> modifies my /etc/network/interfaces. It's not clear at first
>> glance that I can even cut myself off from the host when editing
>> remotely. The initial file is not even saved.
> 
> The initial file _is_ saved if you properly use the 'virsh
> iface-begin' command before making any changes, then 'virsh
> iface-commit' if you are happy with the changes.  'virsh
> iface-rollback' will revert you to a previous saved state, and
> since we know that an improper change can cut off connectivity, we
> also set things up so that a host reboot will do an implicit 'virsh
> iface-rollback' on any uncommitted changes.

I did not understand the purpose of these commands. Unfortunately, they
are not available in virt-manager.

>> - starting the default network (nat) adds rules in netfilter. I have
>> not seen how to create another nat network conf without calling
>> the clean-traffic nwfilter (it is not explicit in the network XML file).
>> Is it hardcoded?
> 
> What distro are you using?  The clean-traffic nwfilter is not
> installed by default on Fedora, so I'm wondering if you are hitting
> a distro-specific add-on, or something that is added by a higher
> layer of the virt stack than just libvirt.  Libvirt's own NAT
> netfilter rules are required for out-of-the-box NAT to a guest, but
> no one says you are forced to use NAT; you can design your own
> bridge and take over the netfilter rules yourself if you don't want
> libvirt messing with iptables.

Debian wheezy, libvirt 0.9.12.

Debian patches are listed on
http://patch-tracker.debian.org/package/libvirt/0.9.12-11

I do not see anything modifying that part. I can be wrong.

>> 
>> I think it would be nice: - to be alerted before any host
>> modification,
> 
> What did you have in mind?  Patches are welcome if you can come up
> with a proposal.

For a beginning, I think it may be valuable to list such behavior in
the README.

http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=README;hb=HEAD

On Debian, and maybe in upstream, clean-traffic nwfilter is activated
for every nat network... But without being listed in the network XML
configuration.

>> - to be able to change the templates, for instance: - not
>> including any nwfilter when creating a network, - script called
>> when adding a file in a dir pool, - and so on.

Another example: what if I want to use BIND9 instead of dnsmasq? BIND9
has a dns64 capability, dnsmasq has not.

dnsmasq, radvd, brctl are hardcoded. Don't you think it would be
better to call a helper script, that can be tweaked by admins?

Thanks & HAND,
benoit
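The clean-traffic question in this thread is easiest to settle by reading the XML libvirt actually holds, since the answer is not in the network definition. What follows is an added example, not code from the original message or from libvirt itself: it uses Python's standard library to parse a network definition and a domain definition and reports the forward mode (a `nat` mode is what makes libvirtd install its own iptables rules and run dnsmasq for the bridge) and any `<filterref>` on each guest interface, which is the element an nwfilter such as clean-traffic is attached to. The two XML documents below are constructed for the example; on a real host, feed the functions the output of `virsh net-dumpxml <name>` and `virsh dumpxml <guest>` instead.

```python
"""Inspect libvirt network and domain XML for host-side side effects.

Both XML documents below are constructed samples for this example, not
taken from a real host: a NAT network of the 'default' kind, and a
guest with two NICs of which only the first carries an nwfilter.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a NAT network definition like libvirt's 'default'.
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
"""

# Constructed sample: guest1 has one interface on 'default' with the
# clean-traffic nwfilter, and one on an admin-managed bridge with none.
DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:aa:bb:01'/>
      <source network='default'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>
"""


def network_summary(xml_text):
    """Return (name, forward_mode, bridge, has_dhcp) for a network definition.

    forward_mode is None for an isolated network (no <forward/> element);
    a <forward/> without a mode attribute defaults to 'nat' in libvirt.
    A 'nat' network is the case where libvirtd adds its own netfilter
    rules when the network is started, and a <dhcp> block is served by
    the dnsmasq instance libvirtd spawns for the bridge.
    """
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    bridge = root.find("bridge")
    return (
        root.findtext("name"),
        None if fwd is None else fwd.get("mode", "nat"),
        None if bridge is None else bridge.get("name"),
        root.find("./ip/dhcp") is not None,
    )


def interface_filters(xml_text):
    """List (mac, source, filter) for every <interface> in a domain.

    filter is None when no <filterref> is attached. nwfilter references
    such as clean-traffic live here, on the guest's interface, not in the
    network XML, so this is the place to look when unexpected ebtables or
    iptables chains show up for a guest.
    """
    root = ET.fromstring(xml_text)
    result = []
    for iface in root.iterfind("./devices/interface"):
        mac = iface.find("mac")
        src = iface.find("source")
        fref = iface.find("filterref")
        src_name = None
        if src is not None:
            src_name = src.get("network") or src.get("bridge") or src.get("dev")
        result.append((
            None if mac is None else mac.get("address"),
            src_name,
            None if fref is None else fref.get("filter"),
        ))
    return result


def unfiltered_interfaces(xml_text):
    """MAC addresses of guest interfaces that carry no nwfilter at all."""
    return [mac for mac, _, flt in interface_filters(xml_text) if flt is None]


if __name__ == "__main__":
    print("network:", network_summary(NETWORK_XML))
    for entry in interface_filters(DOMAIN_XML):
        print("interface:", entry)
    print("unfiltered:", unfiltered_interfaces(DOMAIN_XML))
```

Running it against a live host is a quick way to see whether clean-traffic was attached by whatever tool created the guest rather than by the network definition: if `interface_filters` shows the filterref on the guest, removing it from the domain XML (or creating the guest without it) is what stops the nwfilter rules, and a network without `<forward mode='nat'/>` is what stops libvirt's own NAT rules.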
