[libvirt] ceph rbd key

2015-03-30 Thread Raymond Durand
Is there a way that qemu takes the key of ceph rbd from a file rather than
reading it from the file cinder.conf?

Going from something like rbd_secret_uuid=UUID key
to something like rbd_secret_uuid=/path/to/key
(to restrict the access rights to the file and avoid the secret_uuid being
readable by anyone with a ps kind of command)

Regards,
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] direct device assignment

2015-03-05 Thread Raymond Durand
Ok, thanks.

So as soon as a device is directly assigned to a VM, setrlimit() or
prlimit() are applied to the qemu-kvm process to avoid paging at the host
level, right?
And if there is not enough physical RAM, is the device simply not connected
or is the VM halted?

And the VM itself can page in/page out with its own page file, this is not
a problem, right?

Regards,


2015-03-04 16:57 GMT+01:00 Laine Stump :

> On 03/04/2015 10:27 AM, Raymond Durand wrote:
> > I read this in the context of direct device assignment: "All of the
> > guest's memory must kept permanently in memory. This is because the
> > guest may program the device with any address in its address space and
> > the hypervisor has no way of handling a DMA page fault"
> >
> > is it still true?
> >
>
> Yes. libvirt takes care of this automatically (by calling setrlimit() or
> prlimit()) when you assign a device to a guest. It does mean that you'll
> need enough physical RAM on the machine to account for it, though.

Re: [libvirt] memory ballooning and nova

2015-03-05 Thread Raymond Durand
Ok thanks.

Regards,

2015-03-05 20:45 GMT+01:00 Daniel P. Berrange :

> On Wed, Feb 25, 2015 at 11:38:46AM +0100, Raymond Durand wrote:
> > Thanks.
> >
> > Is it possible to enable/disable which parameters are triggered by Nova on
> > Libvirt? i.e.
> > -device virtio-balloon
> > -pci-device isa-serial
>
> No, these are a standard part of Nova
>
> Regards,
> Daniel
> --
> |: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org  -o-  http://virt-manager.org :|
> |: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|
>

[libvirt] direct device assignment

2015-03-04 Thread Raymond Durand
I read this in the context of direct device assignment: "All of the guest's
memory must kept permanently in memory. This is because the guest may
program the device with any address in its address space and the hypervisor
has no way of handling a DMA page fault"

is it still true?

Thanks,
Regards,

Re: [libvirt] memory ballooning and nova

2015-02-25 Thread Raymond Durand
Thanks.

Is it possible to enable/disable which parameters are triggered by Nova on
Libvirt? i.e.
-device virtio-balloon
-pci-device isa-serial

Regards,

2015-02-25 11:30 GMT+01:00 Daniel P. Berrange :

> On Wed, Feb 25, 2015 at 11:27:23AM +0100, Raymond Durand wrote:
> > Is Libvirt memory ballooning managed by nova in OpenStack Juno?
> >
> > Is Libvirt memory ballooning independent of the OpenStack "RAM
> > allocation ratio", and does it allow a VM to expand (page out) even though
> > the overall RAM allocation ratio is already at its maximum?
>
> OpenStack doesn't do anything with ballooning. You get the allocated
> memory at boot and it never gets changed thereafter.
>
> Regards,
> Daniel
>

[libvirt] memory ballooning and nova

2015-02-25 Thread Raymond Durand
Is Libvirt memory ballooning managed by nova in OpenStack Juno?

Is Libvirt memory ballooning independent of the OpenStack "RAM
allocation ratio", and does it allow a VM to expand (page out) even though
the overall RAM allocation ratio is already at its maximum?

Thanks,
Regards,

Re: [libvirt] libseccomp and KVM

2014-12-12 Thread Raymond Durand
Thanks.


2014-12-12 16:32 GMT+01:00 Daniel P. Berrange :
>
> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
> > Thanks.
> >
> > How are the rules managed so as to fit the VM system calls?
> > Is tuning possible? recommended?
>
> QEMU has a built-in policy that adds rules for every conceivable
> function that QEMU might need to execute. Given that is quite
> broad, the security benefit from seccomp enablement is quite low
> IMHO
>
>
I see.
Is it something like each enabled QEMU device comes along with a
system-call list, i.e. the rules allowed?
Is this list of rules loaded each time QEMU/KVM starts?

> Regards,
> Daniel
>

Regards,

Re: [libvirt] libseccomp and KVM

2014-12-12 Thread Raymond Durand
Thanks.

2014-12-12 17:06 GMT+01:00 Stefan Berger :
>
> On 12/12/2014 10:32 AM, Daniel P. Berrange wrote:
>
>> On Fri, Dec 12, 2014 at 04:24:55PM +0100, Raymond Durand wrote:
>>
>>> Thanks.
>>>
>>> How are the rules managed so as to fit the VM system calls?
>>> Is tuning possible? recommended?
>>>
>> QEMU has a built-in policy that adds rules for every conceivable
>> function that QEMU might need to execute. Given that is quite
>> broad, the security benefit from seccomp enablement is quite low
>> IMHO
>>
>
> Base code and (active) devices would each have to report what syscalls
> they need so this list could be reduced to the minimum ...
>

"Could be reduced": how? Do you have in mind selecting the appropriate
active devices at initialization time?


>
> Stefan
>
>  Regards,
>> Daniel
>>
>
>

Regards,

[libvirt] exec-shield and KVM

2014-12-12 Thread Raymond Durand
Is exec-shield protection on the KVM host relevant for VM memory protection?

Regards,

Re: [libvirt] libseccomp and KVM

2014-12-12 Thread Raymond Durand
Thanks.

How are the rules managed so as to fit the VM system calls?
Is tuning possible? recommended?

Regards,

2014-12-09 17:32 GMT+01:00 Michal Privoznik :
>
> On 09.12.2014 15:24, Raymond Durand wrote:
>
>> How is libseccomp used/enabled/configured with KVM/QEMU Hypervisor?
>>
>
> You need to set seccomp_sandbox=1 in /etc/libvirt/qemu.conf and restart
> libvirtd. From now on, any qemu/kvm guest that libvirt starts will use
> seccomp or fail if the qemu binary doesn't support it.
>
> Michal
>
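As an added example (not code from the thread or from libvirt itself), a POSIX shell helper that applies the qemu.conf setting Michal describes and then verifies, from /proc/<pid>/status, that a running QEMU process really has a seccomp filter installed rather than trusting the config alone. The functions take file paths as parameters so they can be exercised on sample copies instead of the real /etc/libvirt/qemu.conf and /proc.

```shell
#!/bin/sh
# Added example: enable libvirt's QEMU seccomp sandbox and verify it took effect.
# Paths are parameters (an assumption for testability); in production pass
# /etc/libvirt/qemu.conf and /proc/<pid>/status.

# Set (or replace) seccomp_sandbox in a qemu.conf-style file.
# Any existing active or commented-out occurrence is dropped first so that
# exactly one effective line remains; libvirt accepts "seccomp_sandbox = 1".
set_seccomp_sandbox() {
    conf="$1"; value="$2"
    tmp="$conf.tmp.$$"
    grep -v '^[[:space:]]*#\{0,1\}[[:space:]]*seccomp_sandbox[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'seccomp_sandbox = %s\n' "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Read the effective setting back: prints its value, or "unset" when only a
# commented default (or nothing) is present, which means seccomp stays off.
get_seccomp_sandbox() {
    sed -n 's/^[[:space:]]*seccomp_sandbox[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" \
        | tail -n 1 | grep . || echo unset
}

# Kernel-side evidence: /proc/<pid>/status reports "Seccomp: 2" when a
# seccomp-bpf filter (what QEMU's sandbox installs) is active; 0 means none.
# Prints the mode number, or "unknown" if the kernel exposes no Seccomp line.
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "unknown" }' "$1"
}

# Walk every running qemu-kvm / qemu-system-* process on this host and report
# any that is not in filter mode; returns non-zero if at least one is found.
check_running_qemu() {
    rc=0
    for pid in $(pgrep -f 'qemu-(kvm|system-)' 2>/dev/null); do
        mode=$(seccomp_mode_from_status "/proc/$pid/status")
        if [ "$mode" != "2" ]; then
            echo "pid $pid: seccomp mode $mode (expected 2: filter installed)"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_running_qemu` after restarting libvirtd and starting a guest; a non-zero exit means a guest is running without the sandbox even though the setting is in place (for instance because that qemu binary lacks seccomp support).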

[libvirt] libseccomp and KVM

2014-12-09 Thread Raymond Durand
How is libseccomp used/enabled/configured with KVM/QEMU Hypervisor?

Does it need system call profiling per VM?

Regards,