From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Libvirt on IPFire
Date: Sat, 19 Mar 2016 14:57:59 +0000
Message-ID: <1458399479.17935.40.camel@ipfire.org>
In-Reply-To: <1458398686.2003.3@smtp.gmail.com>

Hi,

On Sat, 2016-03-19 at 15:44 +0100, Jonatan Schlag wrote:
> Hi,
> thank you for your response.
>
> On Sat, 19 Mar 2016 at 2:16, Michael Tremer wrote:
> > Hi,
> >
> > thanks for getting in touch.
> >
> > On Sat, 2016-03-19 at 09:42 +0100, Jonatan Schlag wrote:
> > > Hi list,
> > > in October 2014 I began to build libvirt for IPFire. This failed the
> > > first time and second but now I tried it the third time with a lot more
> > > knowledge and it works well.
> >
> > This is indeed something I would personally like to see in IPFire.
> > Although I have many reasons why this is a bad idea...
> >
> > > So I have a running libvirt daemon on my IPFire (Arch is x86_64 works
> > > very well by the way) and want to ask if the project is interested that
> > > the libvirt package becomes an official addon.
> >
> > It must be an add-on so that users do not have to install it if they
> > don't wish to do so and to reduce attack surface.
> I absolutely agree everybody should have the possibility to decide if he
> wants libvirt or not. Although this should be only interesting for home
> users. I would never recommend a libvirt addon to a company. So if libvirt
> is an addon like qemu or something similar it should be ok or did I
> misunderstand you?

No, please send patches. +1 from me.
>
> > > It could save a lot of work because everybody has the chance to install
> > > what he wants in a virtual machine. Also, I think it is safer to put my
> > > owncloud into a virtual machine than to put it directly on my IPFire.
> > > Also, it could save energy because a home user has to run only one real
> > > computer.
> >
> > It is probably not more secure to run a KVM machine. Breaking out of that
> > is easy enough. However, I would also like to see some things installed
> > on a different system instead of on IPFire itself. Just because I think
> > that there are better distributions out there to host owncloud and
> > similar things. It will also allow to migrate this functionality from a
> > physical machine to IPFire or from IPFire to a physical machine later.
> That is true. There are better distributions for owncloud and so on, that
> was also my motivation to build libvirt for IPFire. IPFire is a very good
> firewall distribution, but it is not a good distribution for web hosting.
> But that is not a fault because IPFire is not developed for that, and this
> is perfect. My thought was to use a virtual machine on my IPFire to serve
> all other things I need because why should I compile 20 libraries when I
> have to compile 10 and then I could install everything in a virtual machine
> that I want.
>
> > > Otherwise, libvirt is one more security risk and it is possible to
> > > break out of a virtual machine and attack the host.
> > > So these are some security aspects, but at the moment, I think there
> > > are more benefits than disadvantages.
> > > But I would like to hear your opinions on this topic.
> > >
> > > So what are the dependencies for libvirt and what has to be done on
> > > existing packages.
> > >
> > > Hard dependencies
> > >
> > > util-macros
> > > libpciaccess
> > > libyajl
> > >
> > > nice to have (increase the usability)
> > >
> > > opus
> > > python-six
> > > python-pyparsing
> > > spice-protocol
> > > spice
> > >
> > > These packages provide a protocol similar to vnc
> > > (http://www.spice-space.org/)
> >
> > These look okay. Basically anything that is free software and actively
> > maintained upstream should be okay. Please consider to reduce size as
> > best as you can. It does not have to fit into a megabyte all together,
> > but avoid adding things that are not useful.
>
> Thanks. I will have a look at spice and if we really need it otherwise this
> is the technology which is actively developed and is in comparison to vnc
> very fast. I try it with vnc but it is horrible to install a server when
> your monitor shows only 5 pictures per second. So I will have a look on
> that, but I do not see a real chance to reduce the amount of packages.

I think spice should be included. I assume that most people will run something
like Windows in this to have a machine on a remote network to connect to and do
debugging. In that case, a good remote screen protocol like spice is necessary.

> > > optional (create errors on start up but nothing more)
> > >
> > > pm-utils
> > > dmidecode
> >
> > Add these too.
> I will drop this.

I was rather saying that you should build these packages. I would like to add
dmidecode to the core system anyway.

> > > what has to be done on existing addons
> > >
> > > nmap: update to the latest version
> > > (to have a ncat version which supports the -U options, this is required
> > > to communicate over a normal ssh session)
> >
> > Please send updates as individual patches up front.
> Ok, I will send patches for everything that I listed in this part.
>
> > > ebtables: create some links
> > > (libvirt searches in the wrong directory for the binaries)
> >
> > Where?
> Libvirt looks in the /sbin directory for the binaries
> These are the 3 symlinks
>
>  ln -s /usr/local/sbin/ebtables-save /sbin/ebtables-save
>  ln -s /usr/local/sbin/ebtables /sbin/ebtables
>  ln -s /usr/local/sbin/ebtables-restore /sbin/ebtables-restore

We should probably move it to /usr/sbin then and libvirt should be able to find
it there. Would you be up to send a patch for that, too?

> > > dnsmasq
> > > enable
> > > HAVE_DHCP
> > > HAVE_SCRIPT
> > > HAVE_TFTP
> > > but I have to check this again on i686 HAVE_SCRIPT is enough, at the
> > > moment I have not the time to test where the problem is, but I will do
> > > this in the next weeks.
> >
> > This will probably be a bigger issue. We are using dnsmasq just as a DNS
> > proxy and do not use the DHCP component. If that should be used we either
> > have to disable this in our other configuration or ship a second copy. I
> > would like to avoid the latter.
> I guessed that this would be a big problem. Libvirt starts its own dnsmasq
> daemons so the second copy is maybe an alternative, but you are right this
> is not a good solution.
> The problem is that libvirt requires the DHCP option otherwise, the whole
> network configuration does not work. That is a big problem and makes the
> whole thing around dnsmasq more complicated.
> I am sad to say this but at the moment, I have no real idea what we could do.

We will figure this out. Start building the rest and we will have a look at this
when we arrive at this point.

> > > So that is it.
> > > Now I am waiting for your opinion and what you think about this :-).
> >
> > Do you have code for this already? Do you have a git repository or do you
> > need one? We could host things if needed.
> I have a local git repository with all changes. But I have no online git
> repository. It would be very cool and helpful if you could host one for
> me. :-).
> A big thanks for the offer that you could host the things.

No worries :) I will send you another email about this.

>
> > > Regards Jonatan
> > >
> > > Ps. I would maintain these packages if they become official packages.
> >
> > That is a huge requirement. We just don't have the man power to do this
> > ourselves. Although we are keen to support you whenever needed.
> Thanks for the help. I will maintain these packages if libvirt becomes an
> official addon
>
> qemu and its dependencies. (When I maintain libvirt I think it makes sense
> to maintain qemu, because libvirt is nothing without qemu.)
>
> libvirt
> util-macros
> libpciaccess
> libyajl
>
> spice
> spice-protocol
> python-pyparsing
> python-six
> opus
>
> I know that the project has not the power to maintain all these packages,
> so for me it is logical to say if I want libvirt in IPFire, I have to
> maintain libvirt.
> Nevertheless, a big thanks that you want to support me if there are
> problems.

We have a development Jabber channel in case you need help with the build
system. Someone should usually be around.

>
> > > PSS. I use a new e-mail address because my old one is currently blocked
> > > by this server.
> >
> > Which one is that? Could you maybe email me details about that in private?
> >
> > Best,
> > -Michael
> I will write you a second E-Mail on this topic.
>
> Thanks to all for the opinions on that topic.
>
> Regards Jonatan
>

-Michael