Hi, after migrating to libvirt/libxl according to:
https://wiki.centos.org/HowTos/Xen/Xen4QuickStart/Xen4Libvirt
I've noticed that my Xen PV domains are being launched by qemu-system-i386 running under root privileges.
I am wondering why is this? Previously no qemu process was used.
If qemu is needed for some reason, are there any guidelines for non-root operation?
Thanks -- Karel Hendrych
On Sun, Sep 06, 2015 at 09:08:50AM +0200, Karel Hendrych wrote:
> Hi, after migrating to libvirt/libxl according to:
Hi,
> https://wiki.centos.org/HowTos/Xen/Xen4QuickStart/Xen4Libvirt
> I've noticed that my Xen PV domains are being launched by qemu-system-i386 running under root privileges.
> I am wondering why is this? Previously no qemu process was used.
> If qemu is needed for some reason, are there any guidelines for non-root operation?
In general qemu is used for the following purposes:
- for certain domU disk backend types (image files), and/or if there's no blktap driver in dom0 kernel.
- domU graphical console (PVFB) VNC server, if it's enabled for the domU.
> -- Karel Hendrych
-- Pasi
Hi, spot on!
CentOS-virt mailing list CentOS-virt@centos.org https://lists.centos.org/mailman/listinfo/centos-virt
...
changing from: <driver name='file'/> to: <driver name='tap2'/> makes the domain start without QEMU.
However I see much better performance with QEMU (close to dom0, tested using simple dd writes) than with the tap2 driver. Is that expected?
What's the best practice for file-based storage on the latest CentOS6-xen (Kernel 3.18.17, Xen 4.4.2-7)?
Are there any guides around running QEMU on CentOS6-xen as a non-root user?
Cheers -- Karel
On Mon, Sep 07, 2015 at 05:47:39PM +0200, Karel Hendrych wrote:
> ...
> changing from: <driver name='file'/> to: <driver name='tap2'/> makes the domain start without QEMU.
> However I see much better performance with QEMU (close to dom0, tested using simple dd writes) than with the tap2 driver. Is that expected?
How did you measure it? Buffered or direct I/O?
-- Pasi
> What's the best practice for file-based storage on the latest CentOS6-xen (Kernel 3.18.17, Xen 4.4.2-7)?
> Are there any guides around running QEMU on CentOS6-xen as a non-root user?
> Cheers
> Karel
Comparing simple dd bs=1M count=10000 on dom0 vs domU. Qemu driver is achieving pretty much the same as dom0. Thanks -- Karel
On Sat, Sep 12, 2015 at 01:35:48AM +0200, Karel Hendrych wrote:
> Comparing simple dd bs=1M count=10000 on dom0 vs domU. Qemu driver is achieving pretty much the same as dom0.
So you're measuring buffered speed. Try measuring non-buffered (iflag=direct or oflag=direct, depending on whether you're reading or writing).
-- Pasi
> Thanks
> Karel
Good test, non-buffered dom0 dd write speed is similar with tap2.
I'll likely stay with the QEMU backend. Are there any best practices regarding security, at least if QEMU can operate under a non-root account?
Cheers -- Karel
On Mon, Sep 14, 2015 at 11:47 AM, Karel Hendrych <k+centosvirt@karlos.cz> wrote:
> Good test, non-buffered dom0 dd write speed is similar with tap2.
> I'll likely stay with the QEMU backend. Are there any best practices regarding security, at least if QEMU can operate under a non-root account?
Not at the moment. Fortunately the attack surface from guest -> qemu in this case is fairly small (just the PV block interface).
qemu deprivileging is on our short list of things to look at though. We've already had patches for deprivileging qemu when acting as a stub domain; those will probably make it for 4.7. I'll add qdisk to the list.
If you really want to get your hands dirty you could try to set up a storage driver domain; but that's really not as simple to set up as it should be.
Hope that helps.
-George
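Added example (not part of the original thread, and not libvirt or Xen project code): a Python check that applies the two causes named in the thread, a disk using `<driver name='file'/>` and a VNC graphical console, to a libvirt domain XML to show which guests will get a root-owned qemu process in dom0. The sample XML, guest name and image paths are constructed; treating `<graphics type='vnc'>` as the PVFB console and flagging image files with no driver set are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): one image-file disk on
# the 'file' driver, one on 'tap2', and a VNC graphics device.
SAMPLE_XML = """
<domain type='xen'>
  <name>pv-guest-example</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='file'/>
      <source file='/var/lib/xen/images/root.img'/>
      <target dev='xvda' bus='xen'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='tap2'/>
      <source file='/var/lib/xen/images/data.img'/>
      <target dev='xvdb' bus='xen'/>
    </disk>
    <graphics type='vnc' port='-1'/>
  </devices>
</domain>
"""

def qemu_reasons(domain_xml):
    """Return (domain name, reasons this domain is expected to start qemu)."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="(unnamed)")
    reasons = []
    for disk in root.iterfind("./devices/disk"):
        driver = disk.find("driver")
        target = disk.find("target")
        dev = target.get("dev", "?") if target is not None else "?"
        drv = driver.get("name") if driver is not None else None
        # Observation from the thread: 'file' starts qemu, 'tap2' does not.
        if drv == "file":
            reasons.append(f"disk {dev}: driver 'file' (qemu disk backend)")
        elif drv is None and disk.get("type") == "file":
            # Assumption: image file with no explicit driver; flag for review.
            reasons.append(f"disk {dev}: image file, no driver set (review)")
    for gfx in root.iterfind("./devices/graphics"):
        if gfx.get("type") == "vnc":
            reasons.append("graphics: VNC console (PVFB served by qemu)")
    return name, reasons

if __name__ == "__main__":
    name, reasons = qemu_reasons(SAMPLE_XML)
    print(name, "needs qemu" if reasons else "runs without qemu")
    for r in reasons:
        print("  -", r)
```

Feed it the output of `virsh dumpxml <domain>` for each guest to build an inventory of domains that depend on the qemu backend.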