[libvirt] [PATCH v3 0/5] introduce support for an embedded driver mode

Daniel P. Berrangé berrange at redhat.com
Thu Jan 9 13:15:05 UTC 2020 

On Wed, Jan 08, 2020 at 05:30:23PM +0100, Michal Privoznik wrote:
> On 12/20/19 3:16 PM, Daniel P. Berrangé wrote:
> > 
> 
> Hm.. maybe I'm doing something wrong, but the following doesn't work for me.
> Note, "fedora" is a VM with two disks:
> 
>     <disk type='file' device='disk'>
>       <driver name='qemu' type='qcow2' discard='unmap'/>
>       <source file='/var/lib/libvirt/images/fedora.qcow2'/>
>       <target dev='sda' bus='scsi'/>
>       <boot order='1'/>
>       <address type='drive' controller='0' bus='0' target='0' unit='0'/>
>     </disk>
>     <disk type='network' device='disk'>
>       <driver name='qemu' type='raw'/>
>       <source protocol='iscsi'
> name='iqn.2017-03.com.mprivozn:server-lun-0/0'>
>         <host name='iscsi-server.example.com' port='3260'/>
>         <initiator>
>           <iqn name='iqn.2017-03.com.mprivozn:client'/>
>         </initiator>
>         <auth username='mprivozn'>
>           <secret type='iscsi' usage='iscsi-secret-pool'/>
>         </auth>
>       </source>
>       <target dev='vda' bus='virtio'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
>     </disk>
> 
> 
> libvirt.git/_build # ./tools/virsh -c qemu:///embed?root=/tmp/embed/
> Welcome to virsh, the virtualization interactive terminal.
> 
> Type:  'help' for help with commands
>        'quit' to quit
> 
> virsh # list --all
>  Id   Name     State
> -------------------------
>  -    fedora   shut off
> 
> virsh # connect secret:///embed?root=/tmp/embed

Ok, you're opening the secret driver in embedded mode

If you *also* open the QEMU driver now, it will use
this embedded secret driver directly.

> 
> virsh # secret-list
>  UUID                                   Usage
> -----------------------------------------------------------------
>  4cf62bac-6a9f-4b9a-ba33-8c4d96b0e2e4   iscsi iscsi-secret-pool

I guess you created the XML file for this secrete previously ?


> virsh # connect qemu:///embed?root=/tmp/embed

Note that this now *closes* the existing connection, so the
embeded secret driver is now closed, and QEMU will speak to
libvirtd (or virtsecretd) for secrets now.

Basically virsh is not a suitable tool for using the
drivers in embedded mode since it is only capable of
opening a single driver connection at a time.

> virsh # start fedora
> 2020-01-08 15:37:57.294+0000: 44566: info : libvirt version: 6.0.0
> 2020-01-08 15:37:57.294+0000: 44566: info : hostname: moe
> 2020-01-08 15:37:57.294+0000: 44566: warning : qemuDomainDefValidate:5835 :
> CPU topology doesn't match numa CPU count; partial NUMA mapping is obsoleted
> and will be removed in future
> error: Failed to start domain fedora
> error: internal error: URI must be secret:///embed

Oh, that's odd - it seems to be trying to access the embedded
secret driver but failing a URI sanity check. This is probably
a result of you previously opening & then closing the embedded
secret driver. This is not really a supported use case anyway.


> However, running the domain (with the same disks) from regular URI is
> impossible either:
> 
> libvirt.git/_build # ./tools/virsh -c qemu:///system start fedora
> error: Failed to start domain fedora
> error: internal error: no internalFlags support
> 
> 
> This is because if the secret is private, then we don't want to allow
> clients getting its value. And if running the monolithic daemon, the
> conn->secretDrive is initialized to point right to the secret driver. But
> when using split daemons, then the connection points to the remote secret
> driver and virtqemud is then unable to obtain the secret value.
> Unfortunately, I don't see a way around this. I mean other than allow
> getting the value on RPC layer.

Basically we need to establish a trust relationship between
virtqemud and virtsecretd. I think we could relax this to mean a
trust relationship between virtsecretd and any client which is
running as the same user ID by default. A stronger trust relation
could be set using the fine grained polkit ACLs, with a ACL check
based on the API flag.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list