On 03/25/2013 16:21, Eric Blake wrote:
> On 03/25/2013 03:09 AM, Benoit Friry wrote:
>> Hello,
>>
>> I test libvirt 0.9.12 on Debian.
>>
>> I am disappointed by changes made on my host without any notice.
>
> The whole point of libvirtd is to make changes on your host; I
> wouldn't go so far as to say that it was without notice, just that
> they are changes that you weren't aware that libvirtd was capable
> of exposing.

I would not say libvirt is just about making changes on the host. I like the wrapping of the daemonization (instead of some "nohup kvm &") and the normalization of the commands. And when I run virt-install, I am not disappointed by the file creation.

>> Examples:
>> - editing interfaces with virsh or virt-manager
>> modifies my /etc/network/interfaces. It's not clear at first
>> glance that I can even cut myself from the host when editing
>> remotely. The initial file is not even saved.
>
> The initial file _is_ saved if you properly use the 'virsh
> iface-begin' command before making any changes, then 'virsh
> iface-commit' if you are happy with the changes. 'virsh
> iface-rollback' will revert you to a previous saved state, and
> since we know that an improper change can cut off connectivity, we
> also set things up so that a host reboot will do an implicit 'virsh
> iface-rollback' on any uncommitted changes.

I did not understand the purpose of these commands. Unfortunately, they are not available in virt-manager.

>> - starting default network (nat) adds rules in netfilter. I have
>> not seen how to create another network nat conf without calling
>> clean-traffic nwfilter (it is not explicit in network XML file).
>> Is it hardcoded?
>
> What distro are you using? The clean-traffic nwfilter is not
> installed by default on Fedora, so I'm wondering if you are hitting
> a distro-specific add-on, or something that is added by a higher
> layer of the virt stack than just libvirt.
> Libvirt's own NAT
> netfilter rules are required for out-of-the-box NAT to a guest, but
> no one says you are forced to use NAT; you can design your own
> bridge and take over the netfilter rules yourself if you don't want
> libvirt messing with iptables.

Debian wheezy, libvirt 0.9.12. Debian patches are listed on
http://patch-tracker.debian.org/package/libvirt/0.9.12-11
I do not see anything modifying that part. I can be wrong.

>>
>> I think it would be nice:
>> - to be alerted before any host
>> modification,
>
> What did you have in mind? Patches are welcome if you can come up
> with a proposal.

For a beginning, I think it may be valuable to list such behavior in the README.
http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=README;hb=HEAD

On Debian, and maybe in upstream, clean-traffic nwfilter is activated for every nat network... But without being listed in the network XML configuration.

>> - to be able to change the templates, for instance:
>> - not including any nwfilter when creating a network,
>> - script called when adding a file in a dir pool,
>> - and so on.

Another example: what if I want to use BIND9 instead of dnsmasq? BIND9 has a dns64 capability, dnsmasq has not. dnsmasq, radvd, brctl are hardcoded. Don't you think it would be better to call a helper script, that can be tweaked by admins?

Thanks & HAND,
benoit