libvirt 1.2.9 KVM qemu AppArmor support

October 24, 2014October 24, 2014 Peter

If you want to use AppArmor support in libvirt 1.2.9, you will need to copy the following files over from the source:

cp libvirt-1.2.9/examples/apparmor/libvirt-lxc /etc/apparmor.d/abstractions
cp libvirt-1.2.9/examples/apparmor/TEMPLATE.lxc /etc/apparmor.d/libvirt
cp libvirt-1.2.9/examples/apparmor/TEMPLATE.qemu /etc/apparmor.d/libvirt
ln -s /etc/apparmor.d/libvirt/TEMPLATE.qemu /etc/apparmor.d/libvirt/TEMPLATE.kvm

This is due to the fact that libvirt looks for both TEMPLATE.lxc and TEMPLATE.qemu instead of just TEMPLATE to enable AppArmor support.

You may encounter the following error when trying to a KVM guest with AppArmor support enabled:

error: Failed to start domain test-domain
error: internal error: cannot load AppArmor profile 'libvirt-598505b5-1549-4164-97bd-d1d37fdd8995'

If you look at /var/log/libvirtd.log you may see the following error message:

2014-10-24 18:00:52.280+0000: 4468: error : virCommandWait:2533 : internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-598505b5-1549-4164-97bd-d1d37fdd8995) unexpected exit status 1: virt-aa-helper: error: template does not exist
virt-aa-helper: error: could not create profile

2014-10-24 18:00:52.280+0000: 4468: error : AppArmorGenSecurityLabel:468 : internal error: cannot load AppArmor profile 'libvirt-598505b5-1549-4164-97bd-d1d37fdd8995'

This is due to the fact there is a bug in libvirt 1.2.9 which looks for /etc/apparmor.d/libvirt/TEMPLATE.kvm instead of /etc/apparmor.d/libvirt/TEMPLATE.qemu. This has been fixed via a patch which has not been integrated in a release upstream as of this post. You may symlink TEMPLATE.kvm to TEMPLATE.qemu to resolve this issue until it is resolved upstream.

Linux 3.17 KVM, qemu 2.1, libvirt 1.2.9 experiences (and how to cleanly disable TCP checksum offload in libvirt)

October 20, 2014November 1, 2015 Peter 4 Comments

Update: This issue has been resolved in kernel 3.18.10 release. The below instructions are no longer required if your distribution has updated the kernel or backported the fix.

Due to latency issues that I was having with KVM and Windows 2008 R2 with Linux 3.10, I decided to update to Linux 3.17 series despite the TCP checksuming issue that I had been encountering (eg. virtio-net not working at all between guests due to the CHECKSUM_PARTIAL bug in 3.11 and above.)

I updated to Linux 3.17.1, and kept qemu at 2.0 (included in Ubuntu 14.04) and libvirt 1.2.2. Unfortunately, the TCP checksuming bug still exists. However, this resolved my Windows 2008 R2 latency issues. I am no longer seeing latency jumps to 1500ms or packet loss under load, this was using SRV-IO passthrough of a NIC.

Due to the issues I was experiencing with TCP checksuming, virtio-net and openvswitch I decided to update to libvirt 1.2.9 which includes new support for tuning guest network interfaces. This allows me to cleanly turn off TCP checksuming on an interface using the following interface definition (and thus allows all my guests to function properly):

<interface type='network'>
  <model type='virtio'/>
  <driver name='vhost'>
    <guest csum='off' tso4='off' tso6='off'/>
  </driver>
</interface>

Additionally, my Sophos UTM 9 guest (which is my firewall) no longer halts cleanly so I tried updating to qemu 2.1 – but this did not solve the issue. I have decided to leave the newer releases in place, as they have improved performance with the Windows guests as well.

For those interested, pre-built packages for Ubuntu 14.04 amd64 are available here.

Intel E1G42ET (82576 controller) SR-IOV with Windows 2008 R2 guest

July 22, 2014July 22, 2014 Peter

I've followed the Redhat Enterprise Linux 7 Using SR-IOV guide, with the following changes made for Ubuntu 14.04 and the fact that the Intel driver set (PROWinx64) doesn't install the drivers automatically.

Make sure to bring the network link state up before you start the virtual machine, or the network driver will report "Network cable unplugged" permanently. igbvf doesn't want to detach on Linux 3.10 on Ubuntu 14.04, so I have blacklisted the module.

/etc/modprobe.d/blacklist-igbvf.conf

blacklist igbvf

/etc/modprobe.d/igb.conf

options igb max_vfs=7

Download the latest Intel Virtual Function drivers from the Intel site, extract PROWinx64 with your favourite archival program. Then run the following command:

pnputil -a PRO1000\Winx64\NDIS62\v1q62x64.inf

Then you can either go to Device Manager and scan for New hardware changes or restart the virtual machine. Your guest networking should now be working.

Ansible: Package manager agnostic task

July 15, 2014July 15, 2014 Peter

Want to have install packages in an agnostic way (eg. apt, yum, etc.) if all the package names are the same – regardless of the system? There are two ways to do it.

Use an action, and iterate over each package

- action: "{{ansible_pkg_mgr}} name={{item}} state=latest"
  with_items:
   - ntp
   - acpid
   - haveged
   - irqbalance
   - nano
   - screen
   - wget
   - sysstat

Concatenate list and pass to package manager module

For the fast way, as all package manager modules support passing package names as a comma separated list (which will be executed in one go by the module – the faster way)

Site definition

  vars:
    default_packages:
     - ntp
     - acpid
     - haveged
     - irqbalance
     - nano
     - screen
     - wget
     - sysstat

Task

- action: "{{ansible_pkg_mgr}} name={{default_packages|join(\",\")}} state=latest"

Installing Docker on CentOS 7

July 7, 2014July 22, 2014 Peter

Install Docker via Yum

yum install docker docker-registry

Start and enable Docker service

systemctl start docker.service
systemctl enable docker.service

Disable firewall (conflicts with Docker)

systemctl stop firewalld.service
systemctl disable firewalld.service

Download images from Docker.io

docker pull ubuntu