diff --git a/docs/api.html.in b/docs/api.html.in index e8bbeed718..384eb77305 100644 --- a/docs/api.html.in +++ b/docs/api.html.in @@ -4,7 +4,7 @@
This page describes the main principles and architecture choices - behind the definition of the libvirt API: + behind the definition of the libvirt API:
+ URI page for a full descriptions of the values allowed.
Once the application obtained a virConnectPtr
connection to the
hypervisor it can then use it to manage domains and related resources
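Review bot: the added line "URI page for a full descriptions of the values allowed." has a number mismatch; it should read "a full description of the values allowed". The line is already being rewritten in this hunk, so the wording can be fixed in the same change.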
@@ -61,7 +61,7 @@
defined
in which case they are inactive but there is
a permanent definition available in the system for them. Based on this
thay can be activated dynamically in order to be used.
Most kind of object can also be named in various ways:
+
Most kind of object can also be named in various ways:
name
, an user friendly identifier but
whose unicity cannot be garanteed between two nodes.For each first class object you will find apis for the following actions:
For more in-depth details of the storage related APIs see - the storage management page, + the storage management page. +
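Review bot: the unchanged context of the @@ -61,7 +61,7 @@ hunk in docs/api.html.in still carries spelling errors next to the touched paragraph: "thay can be activated dynamically" should be "they", and "whose unicity cannot be garanteed" should be "guaranteed" ("uniqueness" would also read better than "unicity"). "Most kind of object" in the re-added line should be "Most kinds of objects". Suggest fixing these in this patch, since the paragraph is being re-tagged anyway.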
diff --git a/docs/archnetwork.html.in b/docs/archnetwork.html.in index 57b8f3dbff..c7ca4cacd6 100644 --- a/docs/archnetwork.html.in +++ b/docs/archnetwork.html.in @@ -32,7 +32,7 @@
VLAN 2
. It has no direct connectivity
- to a physical LAN, relying on Guest B
to route traffic
+ to a physical LAN, relying on Guest B
to route traffic
on its behalf.
Extra parameters can be added to a URI as part of the query string
(the part following ?
). A single parameter is formed by a
@@ -308,7 +308,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
There are several specialties in the domain XML config for ESX domains.
There are some restrictions for some values of the domain XML config. The driver will complain if this restrictions are violated. @@ -328,7 +328,7 @@ error: invalid argument in libvirt was built without the 'esx' driver -
Storage is managed in datastores. VMware uses a special path format to reference files in a datastore. Basically, the datastore name is put @@ -347,7 +347,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
-
VMware has registered two MAC address prefixes for domains:
00:0c:29
and 00:50:56
. These prefixes are
@@ -408,7 +408,7 @@ ethernet0.checkMACAddress = "false"
-
VMware ESX supports different models of SCSI controllers and network cards. diff --git a/docs/drvvmware.html.in b/docs/drvvmware.html.in index 0ef6044d67..44814d3bca 100644 --- a/docs/drvvmware.html.in +++ b/docs/drvvmware.html.in @@ -8,7 +8,9 @@
This driver uses the "vmrun" utility which is distributed with the VMware VIX API. - You can download the VIX API from here. + You can download the VIX API + from here. +
Provides direct attachment of the virtual machine's NIC to the given
physial interface of the host.
- Since 0.7.7 (QEMU and KVM only)
+ Since 0.7.7 (QEMU and KVM only)
This setup requires the Linux macvtap
driver to be available. (Since Linux 2.6.34.)
One of the modes 'vepa'
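Review bot: "physial interface of the host." in the context line directly above the changed "Since 0.7.7 (QEMU and KVM only)" line is misspelled; it should be "physical interface". This hunk already edits the paragraph, so the typo can be corrected here rather than in a follow-up.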
@@ -1299,7 +1299,7 @@
originate from are directly delivered to the target macvtap device.
Both origin and destination devices need to be in bridge mode
for direct delivery. If either one of them is in vepa
mode,
- a VEPA capable bridge is required.
+ a VEPA capable bridge is required.
private
txmode
attribute specifies how to handle
transmission of packets when the transmit buffer is full. The
value can be either 'iothread' or 'timer'.
- Since 0.8.8 (QEMU and KVM only)keymap
attribute specifies the keymap
to use. It is possible to set a limit on the validity of the password
be giving an timestamp passwdValidTo='2010-04-09T15:51:00'
- assumed to be in UTC. NB, this may not be supported by all hypervisors.socket
attribute for listening on a unix domain socket path.
Since 0.8.8
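Review bot: the context sentence about password validity reads "be giving an timestamp passwdValidTo='2010-04-09T15:51:00'", which should be "by giving a timestamp". This sentence documents a credential expiry setting, so the wording should be unambiguous; suggest correcting it along with the markup change to the neighbouring "assumed to be in UTC" line.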
@@ -2103,7 +2103,7 @@ qemu-kvm -net nic,model=? /dev/null
Alternatively you can use telnet
instead of raw
TCP.
Since 0.8.5 you can also use telnets
(secure telnet) and tls
.
- +
... diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 8840856b00..eb3c72b7a9 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -25,18 +25,18 @@ cannot be circumvented from within the virtual machine, it makes them mandatory from the point of view of a virtual machine user. -
+
The network filter subsystem allows each virtual machine's network traffic filtering rules to be configured individually on a per interface basis. The rules are applied on the host when the virtual machine is started and can be modified while the virtual machine is running. The latter can be achieved by modifying the XML description of a network filter. -
+
Multiple virtual machines can make use of the same generic network filter. When such a filter is modified, the network traffic filtering rules of all running virtual machines that reference this filter are updated. -
+
Network filtering support is available since 0.8.1 (Qemu, KVM) @@ -79,7 +79,7 @@ other filters can be used, a tree of filters can be built. Theclean-traffic
filter can be viewed using the commandvirsh nwfilter-dumpxml clean-traffic
. -
+
As previously mentioned, a single network filter can be referenced by multiple virtual machines. Since interfaces will typically have individual parameters associated with their respective traffic @@ -108,7 +108,7 @@ 10.0.0.1 and enforce that the traffic from this interface will always be using 10.0.0.1 as the source IP address, which is one of the purposes of this particular filter. -
+
Usage of variables in filters
@@ -117,7 +117,7 @@ Two variables names have so far been reserved for usage by the network traffic filtering subsystem:MAC
andIP
. -
+
MAC
is the MAC address of the network interface. A filtering rule that references this variable will automatically be instantiated with the MAC address of the @@ -125,7 +125,7 @@ the MAC parameter. Even though it is possible to specify the MAC parameter similar to the IP parameter above, it is discouraged since libvirt knows what MAC address an interface will be using. -
+
The parameterIP
represents the IP address that the operating system inside the virtual machine is expected to use on the given interface. TheIP
parameter @@ -136,7 +136,7 @@ For current limitations on IP address detection, consult the section on limitations on how to use this feature and what to expect when using it. -
+
The following is the XML description of the network filerno-arp-spoofing
. It serves as an example for a network filter XML referencing theMAC
and @@ -205,7 +205,7 @@ filters may be referenced multiple times in a filter tree but references between filters must not introduce loops (directed acyclic graph). -
+
The following shows the XML of theclean-traffic
network filter referencing several other filters. @@ -226,7 +226,7 @@ needs to be provided inside afilter
node. This node must have the attributefilter
whose value contains the name of the filter to be referenced. -
+
New network filters can be defined at any time and may contain references to network filters that are not known to libvirt, yet. However, once a virtual machine @@ -282,7 +282,7 @@
ip
is also associated with the chain
'ipv4' then that filter's rules will be ordered relative to the priority
500 of the shown rule.
- ip
is to be
filtered.
@@ -325,7 +325,7 @@
-
+
Every attribute except for those of type IP_MASK or IPV6_MASK can
be negated using the match
attribute with value no
. Multiple negated attributes
@@ -349,14 +349,14 @@
the protocol property attribute1 does not match value1 AND
the protocol property attribute2 does not match value2 AND
the protocol property attribute3 matches value3.
-
+
Protocol ID: mac
-
+
Note: Rules of this type should go into the root
chain.
-
+
Protocol ID: icmp
-
+
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to root
.
-
+
Protocol ID: igmp
, esp
, ah
, udplite
, all
-
+
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to root
.
-
+
Protocol ID: tcp-ipv6
, udp-ipv6
, sctp-ipv6
-
+
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to root
.
-
+
Protocol ID: icmpv6
-
+
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to root
.
-
+
Protocol ID: igmp-ipv6
, esp-ipv6
, ah-ipv6
, udplite-ipv6
, all-ipv6
-
+
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to root
.
-
+
Note that the rule for the limit has to logically appear
- before the rule for accepting the traffic.
+ before the rule for accepting the traffic.
An additional rule for letting DNS traffic to port 22
go out the VM has been added to avoid ssh sessions not
getting established for reasons related to DNS lookup failures
by the ssh daemon. Leaving this rule out may otherwise lead to
fun-filled debugging joy (symptom: ssh client seems to hang
while trying to connect).
-
+
Lot of care must be taken with timeouts related
to tracking of traffic. An ICMP ping that
the user may have terminated inside the VM may have a long
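Review bot: the context paragraph following the changed "before the rule for accepting the traffic." line says the extra rule lets "DNS traffic to port 22 go out the VM", but DNS lookups go to port 53, and 22 is the ssh port that the rest of the paragraph is about. A reader copying the text into a filter would open the wrong port and hit exactly the hang the paragraph warns about. Suggest correcting the port in this sentence while the paragraph is being touched.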
@@ -1299,7 +1299,7 @@
sets the ICMP connection tracking timeout to 3 seconds. The
effect of this is that once one ping is terminated, another
- one can start after 3 seconds.
+ one can start after 3 seconds.
Further, we want to point out that a client that for whatever
reason has not properly closed a TCP connection may cause a
connection to be held open for a longer period of time,
@@ -1323,7 +1323,7 @@
with life-cycle support for network filters. All commands related
to the network filtering subsystem start with the prefix
nwfilter
. The following commands are available:
-
+
All other protocols over IPv4 are supported using iptables, those over
IPv6 are implemented using ip6tables.
-
+
On a Linux host, all traffic filtering instantiated by libvirt's network
filter subsystem first passes through the filtering support implemented
by ebtables and only then through iptables or ip6tables filters. If
a filter tree has rules with the protocols mac
,
arp
, rarp
, ip
, or ipv6
ebtables rules will automatically be instantiated.
-
+
The role of the chain
attribute in the network filter
XML is that internally a new user-defined ebtables table is created
that then for example receives all arp
traffic coming
@@ -1435,7 +1435,7 @@
placed into filters specifying this chain. This type of branching
into user-defined tables is only supported with filtering on the ebtables
layer.
-
+
As an example, it is
possible to filter on UDP traffic by source and destination ports using
the ip
protocol filter and specifying attributes for the
@@ -1467,7 +1467,7 @@
The requirement to prevent spoofing is fulfilled by the existing
clean-traffic
network filter, thus we will reference this
filter from our custom filter.
-
+
To enable traffic for TCP ports 22 and 80 we will add 2 rules to
enable this type of traffic. To allow the VM to send ping traffic
we will add a rule for ICMP traffic. For simplicity reasons
@@ -1523,7 +1523,7 @@
per-interface basis and the rules are evaluated based on the knowledge
about which (tap) interface has sent or will receive the packet rather
than what their source or destination IP address may be.
-
+
An XML fragment for a possible network interface description inside
the domain XML of the test
VM could then look like this:
The additional requirement of allowing an ftp server to be run inside
@@ -1577,7 +1577,7 @@
outgoing tcp connection originating from the VM's TCP port 20 back to
the ftp client (ftp active mode). There are several ways of how this
filter can be written and we present 2 solutions.
-
+
The 1st solution makes use of the state
attribute of
the TCP protocol that gives us a hook into the connection tracking
framework of the Linux host. For the VM-initiated ftp data connection
@@ -1752,13 +1752,13 @@
to be using.
Different IP addresses in use by multiple interfaces of a VM
(one IP address each) will be independently detected.
-
+
Once a VM's IP address has been detected, its IP network traffic
may be locked to that address, if for example IP address spoofing
is prevented by one of its filters. In that case the user of the VM
will not be able to change the IP address on the interface inside
the VM, which would be considered IP address spoofing.
-
+
In case a VM is resumed after suspension or migrated, IP address
detection will be restarted.
uuid
.
- +
<encryption type="default"/>
can be specified only
diff --git a/docs/internals.html.in b/docs/internals.html.in
index 6fa2de33ab..5689998d07 100644
--- a/docs/internals.html.in
+++ b/docs/internals.html.in
@@ -9,9 +9,9 @@
Similarly the daemon logging behaviour can be tuned using 3 config - variables, stored in the configuration file: + variables, stored in the configuration file:
Multiple filters can be defined in a single string, they just need to be
separated by spaces, e.g: "3:remote 4:event"
to only get
warning or errors from the remote layer and only errors from the event
- layer.
+ layer.
If you specify a log priority in a filter that is below the default log priority level, messages that match that filter will still be logged, while others will not. In order to see those messages, you must also have diff --git a/docs/windows.html.in b/docs/windows.html.in index 4011cc3e46..8e0af7c24b 100644 --- a/docs/windows.html.in +++ b/docs/windows.html.in @@ -30,7 +30,7 @@ and untested Python bindings.
-These are problems we know about, and need to be fixed in subsequent @@ -72,7 +72,7 @@
These connection types are known to work: @@ -114,7 +114,7 @@ be used in security sensitive environments.
-Details on the capabilities, certificates, and connection string @@ -124,7 +124,7 @@ http://libvirt.org/drvesx.html -
TLS certificates need to have been created and placed in the correct @@ -184,7 +184,7 @@
Feedback and suggestions on changes to make and what else to include
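Review bot: in docs/formatnwfilter.html.in, the context of the @@ -136,7 +136,7 @@ hunk reads "The following is the XML description of the network filer" ahead of no-arp-spoofing; "filer" should be "filter". The hunk only changes the paragraph markup above that sentence, so the typo would survive this cleanup unless it is fixed in the same pass.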