Scientific Linux Forum.org




> Filesystem passthrough "virtio-9pfs" support in KVM in SL7x, 9pfs qemu-kvm guest sandboxing
helikaon
 Posted: Jul 9 2014, 11:55 AM
SLF Administrator
*******

Group: Admins
Posts: 836
Member No.: 4
Joined: 8-April 11









Hi guys,
I wonder ...

What I'd like to do:

- have a sandboxed, insecure SL 7 guest (facing the outside internet) with no access to its host network
- regularly back up some files from the guest to the host
- mount a filesystem from the host in the guest directly - no NFS, no Samba... simply no LAN networking on the guest
- provide a physical NIC from the SL 7 host to the guest and in doing so separate (sandbox) the guest network from the host LAN network

To achieve the above, I want to use the FS (filesystem) passthrough method, which needs 9pfs support in both the kernel and qemu-kvm.

Sadly, in Upstream Vendor OS version 7 there is seemingly even less support compared to 6.x - there is not even a kernel module mentioned ..

example

7.0:
cat /boot/config-3.10.0-123.el7.x86_64 | grep -i 9p
CONFIG_NET_9P is not set

while e.g.
6.x:
cat /boot/config-2.6.32-358.6.2.el6.x86_64 | grep -i 9p
CONFIG_NET_9P=m
CONFIG_NET_9P_VIRTIO=m
CONFIG_NET_9P_RDMA=m
CONFIG_NET_9P_DEBUG is not set
CONFIG_9P_FS is not set

so in the 6.x version you can recompile the kernel and turn on the function, while in 7.x you can't ...? or ..?

Anyone know anything - even rumors? :]

--------------------
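Added example (not part of the original post): a POSIX shell check that reads a kernel config file and reports whether the three options a 9p mount over virtio needs (CONFIG_NET_9P, CONFIG_NET_9P_VIRTIO, CONFIG_9P_FS) are enabled. The function names, the verdict words and the two sample configs (constructed from the grep output quoted in the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel config for virtio-9p mount support.
# Verdict words (absent / no-transport / no-fs / ready) are this example's own.

# Print y or m if option $2 is enabled in config file $1, otherwise n.
kconfig_value() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# A 9p mount with trans=virtio needs 9pnet, 9pnet_virtio and the 9p filesystem.
check_9p_config() {
    net=$(kconfig_value "$1" CONFIG_NET_9P)
    virtio=$(kconfig_value "$1" CONFIG_NET_9P_VIRTIO)
    fs=$(kconfig_value "$1" CONFIG_9P_FS)
    if [ "$net" = n ]; then echo absent            # no 9P protocol core
    elif [ "$virtio" = n ]; then echo no-transport # core only, no virtio transport
    elif [ "$fs" = n ]; then echo no-fs            # transport built, filesystem not
    else echo ready
    fi
}

# Constructed sample configs mirroring the grep output in the post.
sample_config() {
    case $1 in
    el6) cat <<'EOF'
CONFIG_NET_9P=m
CONFIG_NET_9P_VIRTIO=m
CONFIG_NET_9P_RDMA=m
# CONFIG_NET_9P_DEBUG is not set
# CONFIG_9P_FS is not set
EOF
        ;;
    el7) cat <<'EOF'
# CONFIG_NET_9P is not set
EOF
        ;;
    esac
}

for rel in el6 el7; do
    tmp=$(mktemp)
    sample_config "$rel" > "$tmp"
    echo "$rel: $(check_9p_config "$tmp")"
    rm -f "$tmp"
done
```

On a real system, pass the running kernel's config file (for example /boot/config-$(uname -r)) to check_9p_config instead of a sample.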
helikaon
 Posted: Jul 17 2014, 03:01 PM
FYI guys,

this is the reply I got at the official RH forum while asking about it there (quite interesting)
QUOTE

-----
Hi Karel,

RHEL only provides a subset of kernel modules and QEMU device models, that are well tested and that Red Hat will be able to support for the 10 years of product lifetime. Unfortunately, virtio-9pfs does not satisfy these requirements yet:

    it is not very well documented upstream, to the extent that it's hard to understand what works and what doesn't; the IBM team who worked on it moved to other tasks.

    it has a privileged (setuid) component that may require special care in order to support SELinux and sVirt; the component is also not very well documented, which makes this problem worse;

    it is not supported on Windows guests.

As of RHEL7, the recommended general-purpose file service is NFS; if it is not enough for your purpose, raising a ticket through your regular Red Hat support channels will make your needs known to the support, product management and development teams.

I don't know the reason why CONFIG_9P_FS was enabled in RHEL6 and disabled in RHEL7; this was done independent of the choice to disable virtio-9pfs, and I wasn't involved in that decision.
-----



and this is information from Rob Landley (who is on the 9pfs devs mailing lists as well as others regarding kernel stuff), who very kindly answered a few questions for me via email (shortened):
QUOTE

q:
For some reason, Red Hat developers completely removed the 9p modules in
RHEL 7.0 kernel, even though the qemu-kvm still support the 9p option.
Is the 9p 'dangerous' to overall OS security?

a:
Nah, Red Hat just doesn't want to support it.
9p is in use all over the place. You mentioned builtin kvm support. Cray is using it as an actual filesystem.

q:
is the 9p still in development, or is it just another 'closed' or 'closing' branch in the linux history about to be replaced ... with what?

a:
It works fine but you've got to disable IBM's stupid RDMA transport
because otherwise it overrides the autodetection code ..

q:
for some reason unknown to me, the RHEL 7 devs completely
removed (not just disabled, but removed) 9p support from its shipped
kernel - and I just can't find out why (no response on RHEL forums from
anyone) ..

a:
It's still there in vanilla. It's still used by lots of people. I have
no idea what's wrong with Red Hat.
Ping the CentOS guys? As far as I can tell, nobody actually uses RHEL,
they buy RHEL to make management happy and then use CentOS.



So, make up your own minds, guys. RH clearly doesn't want to commit resources to it, but as Rob says, lots of people use it. I'll definitely give it a go myself.
I'm just recompiling the 3.15.5 vanilla kernel with all the 9p modules and I'll try to add it to my testing RHEL 7 machine.

--------------------
helikaon
 Posted: Jul 22 2014, 12:48 PM
This project drives me crazy.
I can remember last time I failed so bad.
The need for the right combination / versions of kernel, libvirt and qemu is starting to have an effect on my psyche.
Can't remember the last time I've been recompiling so many things ..

--------------------
burakkucat
 Posted: Jul 22 2014, 02:44 PM
SLF Administrator
****

Group: Admins
Posts: 207
Member No.: 14
Joined: 10-April 11









Have you considered using the kernel-ml package, available from the ELRepo Project?

Testing is just a yum --enablerepo elrepo-kernel install kernel-ml and a reboot away.

--------------------
100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
helikaon
 Posted: Jul 23 2014, 09:40 AM
Hi,
thanks for the tip! :]

Unfortunately, the kernel is not the problem, I already have it recompiled with 9pfs modules. The problem is the *right* combination of qemu and libvirt - they need to support it too, or let's say, they need to be aware of the 9p filesystem options.
The thing is, all RHEL-based packages have 9p fs 'awareness' taken away from them.
I'm already on a good path to making it work (hopefully) though. I'll post later about it so that we can discuss details.

cheers,

--------------------
burakkucat
 Posted: Jul 23 2014, 04:29 PM
Thank you for the update.

I'm sure that your work, once completed, will be useful to others.

--------------------