michaelh
Anmeldungsdatum: 1. Dezember 2006
Beiträge: Zähle...
|
Hallo zusammen. Nach jahrelangen einwandfreien lauf, hat sich meine libvirt nun verabschiedet und ich bekomme keine meiner VM´s mehr zum laufen. Das ganze passierte beim Update von 14.04 auf 16.04. Hier die Fehlermeldung wenn ich VMM Starten will it libvirt konnte nicht verbunden werden.
Verify that:
- The 'libvirt-bin' package is installed
- The 'libvirtd' daemon has been started
- You are member of the 'libvirtd' group
Libvirt URI is: qemu:///system
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/connection.py", line 903, in _do_open
self._backend.open(self._do_creds_password)
File "/usr/share/virt-manager/virtinst/connection.py", line 148, in open
open_flags)
File "/usr/lib/python2.7/dist-packages/libvirt.py", line 105, in openAuth
if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: Socket-Erstellung zu '/var/run/libvirt/libvirt-sock' fehlgeschlagen: Datei oder Verzeichnis nicht gefunden Gut punkt eins mal überprüft:
Statusinformationen werden eingelesen.... Fertig
»libvirt-bin« ist bereits die neuste Version (1.3.1-1ubuntu10.2).
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Punkt 3 ebenfalls ok:
michael@server-1:~$ id
uid=1000(michael) gid=1000(michael) Gruppen=1000(michael),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),113(libvirtd),114(lpadmin)
Und jetzt wirds knifflig, wenn ich libvirtd eingebe kommt das:
michael@server-1:~$ libvirtd
2016-09-26 19:59:07.654+0000: 6808: info : libvirt version: 1.3.1, package: 1ubuntu10.2 (Ryan Harper <ryan.harper@canonical.com> Thu, 30 Jun 2016 10:09:45 -0500)
2016-09-26 19:59:07.654+0000: 6808: info : hostname: server-1.home
2016-09-26 19:59:07.654+0000: 6808: error : virAuditOpen:62 : audit layer kann nicht initialisiert werden: Keine Berechtigung
2016-09-26 19:59:07.661+0000: 6808: error : virNetlinkEventServiceStart:676 : kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
desweiteren kann ich in der init.d nur libvirt-bin und libvirt-guests finden. eine libvirtd ist da nicht angeführt
{ find /etc/init.d/ -perm /111 -type f -printf '%f\n'; for f in $(ls /etc/init/); do echo "${f%.conf}"; done } | sort -u
acpid
alsa-restore
alsa-state
alsa-store
alsa-utils
anacron
apparmor
apport
atd
avahi-cups-reload
avahi-daemon
bluetooth
bootmisc.sh
cgmanager
cgproxy
cgroup-lite
checkfs.sh
checkroot-bootclean.sh
checkroot.sh
console
console-font
console-setup
container-detect
control-alt-delete
cron
cups
cups-browsed
dbus
dmesg
dns-clean
ebtables
failsafe
flush-early-job-log
friendly-recovery
gpu-manager
grub-common
halt
hddtemp
hostname
hostname.sh
hwclock
hwclock-save
hwclock.sh
irqbalance
kerneloops
keyboard-setup
killprocs
kmod
libvirt-bin
libvirt-guests
lightdm
lm-sensors
lxdm
modemmanager
mountall
mountall-bootclean.sh
mountall-net
mountall-reboot
mountall.sh
mountall-shell
mountdevsubfs.sh
mounted-debugfs
mounted-dev
mounted-proc
mounted-run
mounted-tmp
mounted-var
mountkernfs.sh
mountnfs-bootclean.sh
mountnfs.sh
mtab.sh
networking
network-interface
network-interface-container
network-interface-security
network-manager
nmbd
ondemand
passwd
plymouth
plymouth-log
plymouth-ready
plymouth-shutdown
plymouth-splash
plymouth-stop
plymouth-upstart-bridge
pppd-dns
procps
procps-instance
pulseaudio
qemu-kvm
rc
rc.local
rcS
rc-sysinit
reboot
reload-smbd
resolvconf
rfkill-restore
rfkill-store
rsync
rsyslog
samba
samba-ad-dc
saned
screen-cleanup
sendsigs
setvtrgb
shutdown
single
smartmontools
smbd
ssh
thermald
tty1
tty2
tty3
tty4
tty5
tty6
udev
udevmonitor
udevtrigger
ufw
umountfs
umountnfs.sh
umountroot
unattended-upgrades
upstart-file-bridge
upstart-socket-bridge
upstart-udev-bridge
urandom
ureadahead
ureadahead-other
usb-modeswitch-upstart
uuidd
virtlockd
virtlogd
wait-for-state
winbind
x11-common
wäre sehr froh wenn mir hier wer helfen könnte. Mit freundlichen Grüssen
Michael Hietz
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Grübel, virt-host-validate
und sudo aa-logprof und systemctl status libvirt-bin libvirt-bin.socket libvirt-guests Ich muß hier ein bißchen rumraten, da ich libvirt nicht am Start habe. Gruß Taomon Edit Okay falsch geraten. Lt. hier gibt es keine Datei libvirtd im Paket libvirt-bin.
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
Danke für die rasche Antwort Momten nur per ssh Zugriff ich hab alles mal eingefügt.
Wie ersichtlich startet der deamon nicht, aber im packet dürfte er schon drinnen sein unter /bin hab ihn im link von dir gefunden.
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Sep 27 17:19:37 CEST 2016
System load: 0.08 Processes: 183
Usage of /home: 42.3% of 852.41GB Users logged in: 0
Memory usage: 3% IP address for br0: 10.0.0.50
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
0 Software-Pakete können aktualisiert werden.
0 Aktualisierungen sind Sicherheitsaktualisierungen.
Last login: Mon Sep 26 16:07:45 2016 from 213.162.68.236
michael@server-1:~$ virt-host-validate
QEMU: Überprüfung for hardware virtualization : BESTANDEN
QEMU: Überprüfung if device /dev/kvm exists : BESTANDEN
QEMU: Überprüfung if device /dev/kvm is accessible : VERFEHLT (Check /dev/kvm is world writable or you are in a group that is allowed to access it)
QEMU: Überprüfung if device /dev/vhost-net exists : BESTANDEN
QEMU: Überprüfung if device /dev/net/tun exists : BESTANDEN
QEMU: Überprüfung for cgroup 'memory' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'memory' controller mount-point : BESTANDEN
QEMU: Überprüfung for cgroup 'cpu' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'cpu' controller mount-point : BESTANDEN
QEMU: Überprüfung for cgroup 'cpuacct' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'cpuacct' controller mount-point : BESTANDEN
QEMU: Überprüfung for cgroup 'devices' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'devices' controller mount-point : BESTANDEN
QEMU: Überprüfung for cgroup 'net_cls' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'net_cls' controller mount-point : BESTANDEN
QEMU: Überprüfung for cgroup 'blkio' controller support : BESTANDEN
QEMU: Überprüfung for cgroup 'blkio' controller mount-point : BESTANDEN
QEMU: Überprüfung for device assignment IOMMU support : WARNUNG (No ACPI IVRS table found, IOMMU either disabled in BIOS or not supported by this hardware platform)
LXC: Überprüfung für Linux >= 2.6.26 : BESTANDEN
LXC: Überprüfung for namespace ipc : BESTANDEN
LXC: Überprüfung for namespace mnt : BESTANDEN
LXC: Überprüfung for namespace pid : BESTANDEN
LXC: Überprüfung for namespace uts : BESTANDEN
LXC: Überprüfung for namespace net : BESTANDEN
LXC: Überprüfung for namespace user : BESTANDEN
LXC: Überprüfung for cgroup 'memory' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'memory' controller mount-point : BESTANDEN
LXC: Überprüfung for cgroup 'cpu' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'cpu' controller mount-point : BESTANDEN
LXC: Überprüfung for cgroup 'cpuacct' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'cpuacct' controller mount-point : BESTANDEN
LXC: Überprüfung for cgroup 'devices' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'devices' controller mount-point : BESTANDEN
LXC: Überprüfung for cgroup 'net_cls' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'net_cls' controller mount-point : BESTANDEN
LXC: Überprüfung for cgroup 'freezer' controller support : BESTANDEN
LXC: Überprüfung for cgroup 'freezer' controller mount-point : BESTANDEN
michael@server-1:~$ sudo aa-logprof
[sudo] Passwort für michael:
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
michael@server-1:~$ systemctl status libvirt-bin libvirt-bin.socket libvirt-guests
● libvirt-bin.service - Virtualization daemon
Loaded: loaded (/lib/systemd/system/libvirt-bin.service; enabled; vendor p Active: inactive (dead) (Result: exit-code) since Die 2016-09-27 16:37:48 Docs: man:libvirtd(8)
http://libvirt.org
Process: 1733 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, sta Main PID: 1733 (code=exited, status=6)
Sep 27 16:37:48 server-1 systemd[1]: libvirt-bin.service: Main process exitedSep 27 16:37:48 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 16:37:48 server-1 systemd[1]: libvirt-bin.service: Unit entered failedSep 27 16:37:48 server-1 systemd[1]: libvirt-bin.service: Failed with result Sep 27 16:37:48 server-1 systemd[1]: libvirt-bin.service: Service hold-off tiSep 27 16:37:48 server-1 systemd[1]: Stopped Virtualization daemon.
Sep 27 16:37:48 server-1 systemd[1]: libvirt-bin.service: Start request repeaSep 27 16:37:48 server-1 systemd[1]: Failed to start Virtualization daemon.
● libvirt-bin.socket
Loaded: loaded (/lib/systemd/system/libvirt-bin.socket; static; vendor pre Active: inactive (dead)
Listen: /var/run/libvirt/libvirt-sock (Stream)
/var/run/libvirt/libvirt-sock-ro (Stream)
● libvirt-guests.service - Suspend Active Libvirt Guests
Loaded: loaded (/lib/systemd/system/libvirt-guests.service; enabled; vendo Active: active (exited) since Die 2016-09-27 16:37:46 CEST; 44min ago
Docs: man:libvirtd(8)
http://libvirt.org
Process: 1509 ExecStart=/usr/lib/libvirt/libvirt-guests.sh start (code=exit Main PID: 1509 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/libvirt-guests.service
Sep 27 16:37:46 server-1 systemd[1]: Starting Suspend Active Libvirt Guests..Sep 27 16:37:46 server-1 systemd[1]: Started Suspend Active Libvirt Guests.
michael@server-1:~$ Irgendwie eine idee wie ich den deamon starten kann, war ja früher upstart zuständig 😉 Mit freundlichen grüßen
Michael
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Hm, ls -al /dev/kvm
Versuch den Daemon zu starten. sudo systemctl start libvirt-bin und journactl -p err..alert Und rumsuch ls -al /lib/udev/rules.d | grep -i kvm
sowie cat /etc/group | grep -i kvm Gruß Taomon
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
So wieder am terminal hier die ausgaben (besser gruppiert) ls -al /dev/kvm michael@server-1:~$ ls -al /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Sep 27 17:35 /dev/kvm sudo systemctl start libvirt-bin michael@server-1:~$ sudo systemctl start libvirt-bin
[sudo] Passwort für michael:
Job for libvirt-bin.service failed because the control process exited with error code. See "systemctl status libvirt-bin.service" and "journalctl -xe" for details. systemctl status libvirt-bin.service michael@server-1:~$ systemctl status libvirt-bin.service
● libvirt-bin.service - Virtualization daemon
Loaded: loaded (/lib/systemd/system/libvirt-bin.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Die 2016-09-27 20:17:48 CEST; 43s ago
Docs: man:libvirtd(8)
http://libvirt.org
Process: 7207 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, status=6)
Main PID: 7207 (code=exited, status=6)
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Unit entered failed state.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Failed with result 'exit-code'.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Service hold-off time over, scheduli
Sep 27 20:17:48 server-1 systemd[1]: Stopped Virtualization daemon.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Start request repeated too quickly.
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon. journalctl -xe michael@server-1:~$ journalctl -xe
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit libvirt-bin.service has finished shutting down.
Sep 27 20:17:48 server-1 systemd[1]: Starting Virtualization daemon...
-- Subject: Unit libvirt-bin.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit libvirt-bin.service has begun starting up.
Sep 27 20:17:48 server-1 audit[7207]: AVC apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=7207 comm="li
Sep 27 20:17:48 server-1 kernel: audit: type=1400 audit(1475000268.593:37): apparmor="DENIED" operation="create" profile="/us
Sep 27 20:17:48 server-1 libvirtd[7207]: libvirt version: 1.3.1, package: 1ubuntu10.2 (Ryan Harper <ryan.harper@canonical.com
Sep 27 20:17:48 server-1 libvirtd[7207]: hostname: server-1.home
Sep 27 20:17:48 server-1 libvirtd[7207]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:48 server-1 kernel: audit: type=1400 audit(1475000268.601:38): apparmor="DENIED" operation="create" profile="/us
Sep 27 20:17:48 server-1 audit[7207]: AVC apparmor="DENIED" operation="create" profile="/usr/sbin/libvirtd" pid=7207 comm="li
Sep 27 20:17:48 server-1 libvirtd[7207]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
-- Subject: Unit libvirt-bin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit libvirt-bin.service has failed.
--
-- The result is failed.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Unit entered failed state.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Failed with result 'exit-code'.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Service hold-off time over, scheduling restart.
Sep 27 20:17:48 server-1 systemd[1]: Stopped Virtualization daemon.
-- Subject: Unit libvirt-bin.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit libvirt-bin.service has finished shutting down.
Sep 27 20:17:48 server-1 systemd[1]: libvirt-bin.service: Start request repeated too quickly.
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
-- Subject: Unit libvirt-bin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit libvirt-bin.service has failed.
--
-- The result is failed. journalctl -p err..alert michael@server-1:~$ journalctl -p err..alert
-- Logs begin at Die 2016-09-27 17:35:41 CEST, end at Die 2016-09-27 20:17:48 CEST. --
Sep 27 17:35:44 server-1 kernel: MPU-401 device not found or device busy
Sep 27 17:35:58 server-1 systemd[1]: Failed to start Automatically refresh installed snaps.
Sep 27 17:36:00 server-1 libvirtd[1360]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 17:36:00 server-1 libvirtd[1360]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 17:36:00 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:00 server-1 libvirtd[1464]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 17:36:01 server-1 lightdm[1486]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open share
Sep 27 17:36:01 server-1 libvirtd[1464]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 17:36:01 server-1 lightdm[1486]: PAM adding faulty module: pam_kwallet.so
Sep 27 17:36:01 server-1 lightdm[1486]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open sha
Sep 27 17:36:01 server-1 lightdm[1486]: PAM adding faulty module: pam_kwallet5.so
Sep 27 17:36:01 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:01 server-1 libvirtd[1501]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 17:36:01 server-1 libvirtd[1501]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 17:36:01 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:01 server-1 libvirtd[1542]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 17:36:01 server-1 libvirtd[1542]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 17:36:01 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:01 server-1 libvirtd[1583]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 17:36:01 server-1 libvirtd[1583]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 17:36:01 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:01 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 17:36:04 server-1 lightdm[1730]: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open share
Sep 27 17:36:04 server-1 lightdm[1730]: PAM adding faulty module: pam_kwallet.so
Sep 27 17:36:04 server-1 lightdm[1730]: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open sha
Sep 27 17:36:04 server-1 lightdm[1730]: PAM adding faulty module: pam_kwallet5.so
Sep 27 17:36:16 server-1 console-kit-daemon[1758]: GLib-CRITICAL: Source ID 13 was not found when attempting to remove it
Sep 27 17:36:29 server-1 pulseaudio[1702]: [pulseaudio] bluez5-util.c: GetManagedObjects() failed: org.freedesktop.DBus.Error
Sep 27 17:52:53 server-1 sshd[2249]: error: Received disconnect from 67.63.203.91 port 64925:3: com.jcraft.jsch.JSchException
Sep 27 17:52:57 server-1 sshd[2253]: error: Received disconnect from 67.63.203.91 port 65120:3: com.jcraft.jsch.JSchException
Sep 27 17:53:01 server-1 sshd[2257]: error: Received disconnect from 67.63.203.91 port 65319:3: com.jcraft.jsch.JSchException
Sep 27 17:53:05 server-1 sshd[2263]: error: Received disconnect from 67.63.203.91 port 49198:3: com.jcraft.jsch.JSchException
Sep 27 17:53:08 server-1 sshd[2267]: error: Received disconnect from 67.63.203.91 port 49397:3: com.jcraft.jsch.JSchException
Sep 27 17:53:12 server-1 sshd[2273]: error: Received disconnect from 67.63.203.91 port 49629:3: com.jcraft.jsch.JSchException
Sep 27 17:53:15 server-1 sshd[2277]: error: Received disconnect from 67.63.203.91 port 49857:3: com.jcraft.jsch.JSchException
Sep 27 17:53:19 server-1 sshd[2283]: error: Received disconnect from 67.63.203.91 port 50074:3: com.jcraft.jsch.JSchException
Sep 27 17:53:23 server-1 sshd[2287]: error: Received disconnect from 67.63.203.91 port 50299:3: com.jcraft.jsch.JSchException
Sep 27 17:53:26 server-1 sshd[2289]: error: Received disconnect from 67.63.203.91 port 50530:3: com.jcraft.jsch.JSchException
Sep 27 17:53:30 server-1 sshd[2295]: error: Received disconnect from 67.63.203.91 port 50747:3: com.jcraft.jsch.JSchException
Sep 27 17:53:34 server-1 sshd[2299]: error: Received disconnect from 67.63.203.91 port 50987:3: com.jcraft.jsch.JSchException
Sep 27 17:53:38 server-1 sshd[2305]: error: Received disconnect from 67.63.203.91 port 51223:3: com.jcraft.jsch.JSchException
Sep 27 17:53:41 server-1 sshd[2309]: error: Received disconnect from 67.63.203.91 port 51472:3: com.jcraft.jsch.JSchException
Sep 27 17:53:45 server-1 sshd[2313]: error: Received disconnect from 67.63.203.91 port 51675:3: com.jcraft.jsch.JSchException
Sep 27 17:53:48 server-1 sshd[2317]: error: Received disconnect from 67.63.203.91 port 51903:3: com.jcraft.jsch.JSchException
Sep 27 17:53:51 server-1 sshd[2319]: error: Received disconnect from 67.63.203.91 port 52125:3: com.jcraft.jsch.JSchException
Sep 27 17:53:55 server-1 sshd[2323]: error: Received disconnect from 67.63.203.91 port 52313:3: com.jcraft.jsch.JSchException
Sep 27 17:53:58 server-1 sshd[2325]: error: Received disconnect from 67.63.203.91 port 52521:3: com.jcraft.jsch.JSchException
Sep 27 17:54:02 server-1 sshd[2327]: error: Received disconnect from 67.63.203.91 port 52739:3: com.jcraft.jsch.JSchException
Sep 27 17:54:06 server-1 sshd[2331]: error: Received disconnect from 67.63.203.91 port 52941:3: com.jcraft.jsch.JSchException
Sep 27 17:54:10 server-1 sshd[2333]: error: Received disconnect from 67.63.203.91 port 53144:3: com.jcraft.jsch.JSchException
Sep 27 17:54:14 server-1 sshd[2337]: error: Received disconnect from 67.63.203.91 port 53358:3: com.jcraft.jsch.JSchException
Sep 27 17:54:17 server-1 sshd[2340]: error: Received disconnect from 67.63.203.91 port 53575:3: com.jcraft.jsch.JSchException
Sep 27 17:54:21 server-1 sshd[2342]: error: Received disconnect from 67.63.203.91 port 53772:3: com.jcraft.jsch.JSchException
Sep 27 17:54:25 server-1 sshd[2346]: error: Received disconnect from 67.63.203.91 port 53998:3: com.jcraft.jsch.JSchException
Sep 27 17:54:29 server-1 sshd[2348]: error: Received disconnect from 67.63.203.91 port 54169:3: com.jcraft.jsch.JSchException
Sep 27 17:54:33 server-1 sshd[2352]: error: Received disconnect from 67.63.203.91 port 54379:3: com.jcraft.jsch.JSchException
Sep 27 17:54:37 server-1 sshd[2354]: error: Received disconnect from 67.63.203.91 port 54582:3: com.jcraft.jsch.JSchException
Sep 27 17:54:41 server-1 sshd[2358]: error: Received disconnect from 67.63.203.91 port 54756:3: com.jcraft.jsch.JSchException
Sep 27 17:54:44 server-1 sshd[2360]: error: Received disconnect from 67.63.203.91 port 54941:3: com.jcraft.jsch.JSchException
Sep 27 17:54:48 server-1 sshd[2362]: error: Received disconnect from 67.63.203.91 port 55124:3: com.jcraft.jsch.JSchException
Sep 27 17:54:52 server-1 sshd[2366]: error: Received disconnect from 67.63.203.91 port 55323:3: com.jcraft.jsch.JSchException
Sep 27 17:54:56 server-1 sshd[2368]: error: Received disconnect from 67.63.203.91 port 55514:3: com.jcraft.jsch.JSchException
Sep 27 17:55:00 server-1 sshd[2372]: error: Received disconnect from 67.63.203.91 port 55698:3: com.jcraft.jsch.JSchException
Sep 27 17:55:04 server-1 sshd[2374]: error: Received disconnect from 67.63.203.91 port 55882:3: com.jcraft.jsch.JSchException
Sep 27 17:55:08 server-1 sshd[2379]: error: Received disconnect from 67.63.203.91 port 56109:3: com.jcraft.jsch.JSchException
Sep 27 17:55:11 server-1 sshd[2381]: error: Received disconnect from 67.63.203.91 port 56291:3: com.jcraft.jsch.JSchException
Sep 27 17:55:16 server-1 sshd[2383]: error: Received disconnect from 67.63.203.91 port 56461:3: com.jcraft.jsch.JSchException
Sep 27 17:55:19 server-1 sshd[2387]: error: Received disconnect from 67.63.203.91 port 56691:3: com.jcraft.jsch.JSchException
Sep 27 17:55:23 server-1 sshd[2389]: error: Received disconnect from 67.63.203.91 port 56895:3: com.jcraft.jsch.JSchException
Sep 27 17:55:27 server-1 sshd[2393]: error: Received disconnect from 67.63.203.91 port 57081:3: com.jcraft.jsch.JSchException
Sep 27 17:55:31 server-1 sshd[2395]: error: Received disconnect from 67.63.203.91 port 57293:3: com.jcraft.jsch.JSchException
Sep 27 17:55:35 server-1 sshd[2399]: error: Received disconnect from 67.63.203.91 port 57488:3: com.jcraft.jsch.JSchException
Sep 27 19:21:36 server-1 console-kit-daemon[1758]: GLib-CRITICAL: Source ID 38 was not found when attempting to remove it
Sep 27 19:21:36 server-1 console-kit-daemon[1758]: GLib-CRITICAL: Source ID 38 was not found when attempting to remove it
Sep 27 20:16:19 server-1 pulseaudio[6922]: [pulseaudio] bluez5-util.c: GetManagedObjects() failed: org.freedesktop.DBus.Error
Sep 27 20:17:47 server-1 libvirtd[7122]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:47 server-1 libvirtd[7122]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:47 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:47 server-1 libvirtd[7142]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:47 server-1 libvirtd[7142]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:47 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:48 server-1 libvirtd[7162]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:48 server-1 libvirtd[7162]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:48 server-1 libvirtd[7186]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:48 server-1 libvirtd[7186]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:48 server-1 libvirtd[7207]: audit layer kann nicht initialisiert werden: Keine Berechtigung
Sep 27 20:17:48 server-1 libvirtd[7207]: kann nicht auf netlink Socket verbinden mit Protokoll 0: Keine Berechtigung
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 20:17:48 server-1 systemd[1]: Failed to start Virtualization daemon. Und den rest zusammengefasst michael@server-1:~$ ls -al /lib/udev/rules.d | grep -i kvm
michael@server-1:~$ cat /etc/group | grep -i kvm
kvm:x:106:
michael@server-1:~$ Also dank deiner infos (die wirklich sehr hilfreich waren ... vielen Dank) habe ich apparmor als den Störenfried auswendig gemacht.
Habe mit
sudo service apparmor teardown
mal deaktiviert und siehe da die VMM laufen auf einmal alle wieder an (war schön das rattern der IMG Festplatte zu hören). michael@server-1:~$ systemctl status libvirt-bin.service
● libvirt-bin.service - Virtualization daemon
Loaded: loaded (/lib/systemd/system/libvirt-bin.service; enabled; vendor preset: enabled)
Active: active (running) since Die 2016-09-27 20:34:43 CEST; 10s ago
Docs: man:libvirtd(8)
http://libvirt.org
Main PID: 7337 (libvirtd)
CGroup: /system.slice/libvirt-bin.service
├─7337 /usr/sbin/libvirtd
├─7477 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/l
├─7478 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/l
└─7501 qemu-system-x86_64 -enable-kvm -name Windows-10-Server -S -machine pc-i440fx-trusty,accel=kvm,usb=off -m 55
Sep 27 20:34:46 server-1 dnsmasq[7477]: started, version 2.75 cachesize 150
Sep 27 20:34:46 server-1 dnsmasq[7477]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
Sep 27 20:34:46 server-1 dnsmasq-dhcp[7477]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Sep 27 20:34:46 server-1 dnsmasq-dhcp[7477]: DHCP, sockets bound exclusively to interface virbr0
Sep 27 20:34:46 server-1 dnsmasq[7477]: reading /etc/resolv.conf
Sep 27 20:34:46 server-1 dnsmasq[7477]: using nameserver 8.8.8.8#53
Sep 27 20:34:46 server-1 dnsmasq[7477]: using nameserver 8.8.4.4#53
Sep 27 20:34:46 server-1 dnsmasq[7477]: read /etc/hosts - 5 addresses
Sep 27 20:34:46 server-1 dnsmasq[7477]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Sep 27 20:34:46 server-1 dnsmasq-dhcp[7477]: read /var/lib/libvirt/dnsmasq/default.hostsfile Soweit so gut. Aber wie bekomme ich es hin ohne apparmor zu killen? Arbeite nun schon fast 10 Jahre mit ubuntu, aber hier stehe ich wohl oder übel an ☹ AppArmor klingt für mich wie ein Spansisches Dorf. Mit freundlichen Gruss
Michael
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Von apparmor habe ich keine Ahnung, da es nicht standartmäßig bei mir installiert ist.
Mal gucken wie das geht. Du bist mein Versuchskanninchen. 🤣
sudo aa-status --verbose Gruß Taomon
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
Ok dann knabbere ich mal an der Karotte, aber es ist schon ein Produktiv system 😬 Dieses mal wieder per SSH... Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Sep 27 21:59:26 CEST 2016
System load: 1.78 Processes: 201
Usage of /home: 42.5% of 852.41GB Users logged in: 1
Memory usage: 56% IP address for br0: 10.0.0.50
Swap usage: 0% IP address for virbr0: 192.168.122.1
Graph this data and manage this system at:
https://landscape.canonical.com/
0 Software-Pakete können aktualisiert werden.
0 Aktualisierungen sind Sicherheitsaktualisierungen.
Last login: Tue Sep 27 19:18:36 2016 from 10.0.0.112
michael@server-1:~$ sudo aa-status --verbose
[sudo] Passwort für michael:
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
michael@server-1:~$
Nunja ... er ist noch teardown ... und irgendwie weigert sich eine stimme in mir in wieder zu aktivieren 😉.
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Dazu sollte apparmor schon laufen. Du weißt ja wie du es wieder ausknipsen kannst. *Beruhigungsmöhrchen rüberschieb* 😉 Gruß Taomon
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
So hab es wieder aktiviert ... VMś sind sofort off gegangen. michael@server-1:~$ sudo aa-status --verbose
[sudo] Passwort für michael:
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/libvirt/virt-aa-helper
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/snapd/snap-confine
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ippusbxd
/usr/sbin/libvirtd
/usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
/usr/sbin/cups-browsed (1108)
/usr/sbin/cupsd (976)
/usr/sbin/cupsd (1198)
/usr/sbin/cupsd (1199)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
michael@server-1:~$
Sehe ich das richtig und hat dir libvirtd eine ausnahme? Dann müsste es ja eigentlich funktionieren...... und hier nochmal die bestätigung ... libvird kann nicht starten michael@server-1:~$ systemctl status libvirt-bin.service
● libvirt-bin.service - Virtualization daemon
Loaded: loaded (/lib/systemd/system/libvirt-bin.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Die 2016-09-27 22:14:43 CEST; 2min 52s ago
Docs: man:libvirtd(8)
http://libvirt.org
Process: 1574 ExecStart=/usr/sbin/libvirtd $libvirtd_opts (code=exited, status=6)
Main PID: 1574 (code=exited, status=6)
Sep 27 22:14:43 server-1 systemd[1]: Failed to start Virtualization daemon.
Sep 27 22:14:43 server-1 systemd[1]: libvirt-bin.service: Unit entered failed state.
Sep 27 22:14:43 server-1 systemd[1]: libvirt-bin.service: Failed with result 'exit-code'.
Sep 27 22:14:43 server-1 systemd[1]: libvirt-bin.service: Service hold-off time over, scheduling restart.
Sep 27 22:14:43 server-1 systemd[1]: Stopped Virtualization daemon.
Sep 27 22:14:43 server-1 systemd[1]: libvirt-bin.service: Start request repeated too quickly.
Sep 27 22:14:43 server-1 systemd[1]: Failed to start Virtualization daemon.
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Blöd, da gibt es anscheinend 2 Profile für libvirtd. cat /etc/apparmor.d/local/usr.sbin.libvirtd und cat /etc/apparmor.d/usr.sbin.libvirtd Gruß Taomon
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
Also mir sagen diese ausgaben gar nichts ... ich hoffe dir gehts da besser ... michael@server-1:~$ cat /etc/apparmor.d/local/usr.sbin.libvirtd
# Site-specific additions and overrides for usr.sbin.libvirtd.
# For more details, please see /etc/apparmor.d/local/README.
michael@server-1:~$ cat /etc/apparmor.d/usr.sbin.libvirtd
# Last Modified: Mon Jul 6 17:23:58 2009
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd {
#include <abstractions/base>
#include <abstractions/dbus>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.libvirtd>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability ipc_lock,
capability audit_write,
# Needed for vfio
capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network netlink,
dbus bus=system,
signal,
ptrace,
unix,
# for now, use a very lenient profile since we want to first focus on
# confining the guests
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/lib/xen-common/bin/xen-toolstack PUx,
/usr/lib/xen-*/bin/pygrub PUx,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# write and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
gruß michael
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
Nachtrag michael@server-1:~$ cat /etc/apparmor.d/local/README
# This directory is intended to contain profile additions and overrides for
# inclusion by distributed profiles to aid in packaging AppArmor for
# distributions.
#
# The shipped profiles in /etc/apparmor.d can still be modified by an
# administrator and people should modify the shipped profile when making
# large policy changes, rather than trying to make those adjustments here.
#
# For simple access additions or the occasional deny override, adjusting them
# here can prevent the package manager of the distribution from interfering
# with local modifications. As always, new policy should be reviewed to ensure
# it is appropriate for your site.
#
# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
# #include <local/usr.sbin.smbd>
#
# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
# contain any additional paths to be allowed, such as:
#
# /var/exports/** lrwk,
#
# Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
# be able to allow access to files that are explicitly denied by the shipped
# profile using this mechanism.
|
Taomon
Supporter
Anmeldungsdatum: 30. Januar 2011
Beiträge: 8430
Wohnort: Digiworld
|
Nachtrag nö. cat /etc/apparmor.d/usr.sbin.libvirtd Gruß Taomon Edit cat /etc/libvirt/qemu.conf
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
michael@server-1:~$ cat /etc/apparmor.d/usr.sbin.libvirtd
# Last Modified: Mon Jul 6 17:23:58 2009
#include <tunables/global>
@{LIBVIRT}="libvirt"
/usr/sbin/libvirtd {
#include <abstractions/base>
#include <abstractions/dbus>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.libvirtd>
capability kill,
capability net_admin,
capability net_raw,
capability setgid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_nice,
capability sys_chroot,
capability setuid,
capability dac_override,
capability dac_read_search,
capability fowner,
capability chown,
capability setpcap,
capability mknod,
capability fsetid,
capability ipc_lock,
capability audit_write,
# Needed for vfio
capability sys_resource,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
network packet dgram,
network netlink,
dbus bus=system,
signal,
ptrace,
unix,
# for now, use a very lenient profile since we want to first focus on
# confining the guests
/ r,
/** rwmkl,
/bin/* PUx,
/sbin/* PUx,
/usr/bin/* PUx,
/usr/sbin/* PUx,
/lib/udev/scsi_id PUx,
/usr/lib/xen-common/bin/xen-toolstack PUx,
/usr/lib/xen-*/bin/pygrub PUx,
/usr/lib/xen-*/bin/libxl-save-helper PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# write and run an ebtables script.
/var/lib/libvirt/virtd* ixr,
# force the use of virt-aa-helper
audit deny /sbin/apparmor_parser rwxl,
audit deny /etc/apparmor.d/libvirt/** wxl,
audit deny /sys/kernel/security/apparmor/features rwxl,
audit deny /sys/kernel/security/apparmor/matching rwxl,
audit deny /sys/kernel/security/apparmor/.* rwxl,
/sys/kernel/security/apparmor/profiles r,
/usr/lib/libvirt/* PUxr,
/etc/libvirt/hooks/** rmix,
/etc/xen/scripts/** rmix,
# allow changing to our UUID-based named profiles
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
michael@server-1:~$
Gruss michael Edit:
michael@server-1:~$ cat /etc/libvirt/qemu.conf
cat: /etc/libvirt/qemu.conf: Keine Berechtigung
michael@server-1:~$
|
michaelh
(Themenstarter)
Anmeldungsdatum: 1. Dezember 2006
Beiträge: 56
|
Nachtrag ... habs mit sudo probiert: michael@server-1:~$ sudo cat /etc/libvirt/qemu.conf
[sudo] Passwort für michael:
# Master configuration file for the QEMU driver.
# All settings described here are optional - if omitted, sensible
# defaults are used.
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
#
# NB, strong recommendation to enable TLS + x509 certificate
# verification when allowing public access
#
#vnc_listen = "0.0.0.0"
# Enable this option to have VNC served over an automatically created
# unix socket. This prevents unprivileged access from users on the
# host machine, though most VNC clients do not support it.
#
# This will only be enabled for VNC configurations that do not have
# a hardcoded 'listen' or 'socket' value. This setting takes preference
# over vnc_listen.
#
#vnc_auto_unix_socket = 1
# Enable use of TLS encryption on the VNC server. This requires
# a VNC client which supports the VeNCrypt protocol extension.
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
# itself. UltraVNC, RealVNC, TightVNC do not support this
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
#vnc_tls = 1
# Use of TLS requires that x509 certificates be issued. The
# default it to keep them in /etc/pki/libvirt-vnc. This directory
# must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# This option allows the certificate directory to be changed
#
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing a x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
#
#vnc_tls_x509_verify = 1
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
# access without passwords, leave this commented out. An empty
# string will still enable passwords, but be rejected by QEMU,
# effectively preventing any use of VNC. Obviously change this
# example here before you set this.
#
#vnc_password = "XYZ12345"
# Enable use of SASL encryption on the VNC server. This requires
# a VNC client which supports the SASL protocol extension.
# Examples include vinagre, virt-viewer and virt-manager
# itself. UltraVNC, RealVNC, TightVNC do not support this
#
# It is necessary to configure /etc/sasl2/qemu.conf to choose
# the desired SASL plugin (eg, GSSPI for Kerberos)
#
#vnc_sasl = 1
# The default SASL configuration file is located in /etc/sasl2/
# When running libvirtd unprivileged, it may be desirable to
# override the configs in this location. Set this parameter to
# point to the directory, and create a qemu.conf in that location
#
#vnc_sasl_dir = "/some/directory/sasl2"
# QEMU implements an extension for providing audio over a VNC connection,
# though if your VNC client does not support it, your only chance for getting
# sound output is through regular audio backends. By default, libvirt will
# disable all QEMU sound backends if using VNC, since they can cause
# permissions issues. Enabling this option will make libvirtd honor the
# QEMU_AUDIO_DRV environment variable when using VNC.
#
#vnc_allow_host_audio = 0
# SPICE is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
#
# NB, strong recommendation to enable TLS + x509 certificate
# verification when allowing public access
#
#spice_listen = "0.0.0.0"
# Enable use of TLS encryption on the SPICE server.
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
#spice_tls = 1
# Use of TLS requires that x509 certificates be issued. The
# default it to keep them in /etc/pki/libvirt-spice. This directory
# must contain
#
# ca-cert.pem - the CA master certificate
# server-cert.pem - the server certificate signed with ca-cert.pem
# server-key.pem - the server private key
#
# This option allows the certificate directory to be changed.
#
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
# The default SPICE password. This parameter is only used if the
# per-domain XML config does not already provide a password. To
# allow access without passwords, leave this commented out. An
# empty string will still enable passwords, but be rejected by
# QEMU, effectively preventing any use of SPICE. Obviously change
# this example here before you set this.
#
#spice_password = "XYZ12345"
# Enable use of SASL encryption on the SPICE server. This requires
# a SPICE client which supports the SASL protocol extension.
#
# It is necessary to configure /etc/sasl2/qemu.conf to choose
# the desired SASL plugin (eg, GSSPI for Kerberos)
#
#spice_sasl = 1
# The default SASL configuration file is located in /etc/sasl2/
# When running libvirtd unprivileged, it may be desirable to
# override the configs in this location. Set this parameter to
# point to the directory, and create a qemu.conf in that location
#
#spice_sasl_dir = "/some/directory/sasl2"
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
# environment variable when using nographics.
#
#nographics_allow_host_audio = 1
# Override the port for creating both VNC and SPICE sessions (min).
# This defaults to 5900 and increases for consecutive sessions
# or when ports are occupied, until it hits the maximum.
#
# Minimum must be greater than or equal to 5900 as lower number would
# result into negative vnc display number.
#
# Maximum must be less than 65536, because higher numbers do not make
# sense as a port number.
#
#remote_display_port_min = 5900
#remote_display_port_max = 65535
# VNC WebSocket port policies, same rules apply as with remote display
# ports. VNC WebSockets use similar display <-> port mappings, with
# the exception being that ports start from 5700 instead of 5900.
#
#remote_websocket_port_min = 5700
#remote_websocket_port_max = 65535
# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
# itself. If you wish to disable QEMU SELinux security driver while
# leaving SELinux enabled for the host in general, then set this
# to 'none' instead. It's also possible to use more than one security
# driver at the same time, for this use a list of names separated by
# comma and delimited by square brackets. For example:
#
# security_driver = [ "selinux", "apparmor" ]
#
# Notes: The DAC security driver is always enabled; as a result, the
# value of security_driver cannot contain "dac". The value "none" is
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
#
#security_driver = "selinux"
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
# will be unconfined by default. Defaults to 1.
#security_default_confined = 1
# If set to non-zero, then attempts to create unconfined
# guests will be blocked. Defaults to 0.
#security_require_confined = 1
# The user for QEMU processes run by the system instance. It can be
# specified as a user name or as a user id. The qemu driver will try to
# parse this value first as a name and then, if the name doesn't exist,
# as a user id.
#
# Since a sequence of digits is a valid user name, a leading plus sign
# can be used to ensure that a user id will not be interpreted as a user
# name.
#
# Some examples of valid values are:
#
# user = "qemu" # A user named "qemu"
# user = "+0" # Super user (uid=0)
# user = "100" # A user named "100" or a user with uid=100
#
#user = "root"
# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
# Whether libvirt should dynamically change file ownership
# to match the configured user/group above. Defaults to 1.
# Set to 0 to disable file ownership changes.
#dynamic_ownership = 1
# What cgroup controllers to make use of with QEMU guests
#
# - 'cpu' - use for schedular tunables
# - 'devices' - use for device whitelisting
# - 'memory' - use for memory tunables
# - 'blkio' - use for block devices I/O tunables
# - 'cpuset' - use for CPUs and memory nodes
# - 'cpuacct' - use for CPUs statistics.
#
# NB, even if configured here, they won't be used unless
# the administrator has mounted cgroups, e.g.:
#
# mkdir /dev/cgroup
# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
#
# They can be mounted anywhere, and different controllers
# can be mounted in different locations. libvirt will detect
# where they are located.
#
#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
# This is the basic set of devices allowed / required by
# all virtual machines.
#
# As well as this, any configured block backed disks,
# all sound device, and all PTY devices are allowed.
#
# This will only need setting if newer QEMU suddenly
# wants some device we don't already know about.
#
#cgroup_device_acl = [
# "/dev/null", "/dev/full", "/dev/zero",
# "/dev/random", "/dev/urandom",
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
# "/dev/rtc","/dev/hpet", "/dev/vfio/vfio"
#]
#
# RDMA migration requires the following extra files to be added to the list:
# "/dev/infiniband/rdma_cm",
# "/dev/infiniband/issm0",
# "/dev/infiniband/issm1",
# "/dev/infiniband/umad0",
# "/dev/infiniband/umad1",
# "/dev/infiniband/uverbs0"
# The default format for Qemu/KVM guest save images is raw; that is, the
# memory from the domain is dumped out directly to a file. If you have
# guests with a large amount of memory, however, this can take up quite
# a bit of space. If you would like to compress the images while they
# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
# for save_image_format. Note that this means you slow down the process of
# saving a domain in order to save disk space; the list above is in descending
# order by performance and ascending order by compression ratio.
#
# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
# at scheduled saving, and it is an error if the specified save_image_format
# is not valid, or the requested compression program can't be found.
#
# dump_image_format is used when you use 'virsh dump' at emergency
# crashdump, and if the specified dump_image_format is not valid, or
# the requested compression program can't be found, this falls
# back to "raw" compression.
#
# snapshot_image_format specifies the compression algorithm of the memory save
# image when an external snapshot of a domain is taken. This does not apply
# on disk image format. It is an error if the specified format isn't valid,
# or the requested compression program can't be found.
#
#save_image_format = "raw"
#dump_image_format = "raw"
#snapshot_image_format = "raw"
# When a domain is configured to be auto-dumped when libvirtd receives a
# watchdog event from qemu guest, libvirtd will save dump files in directory
# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
#
#auto_dump_path = "/var/lib/libvirt/qemu/dump"
# When a domain is configured to be auto-dumped, enabling this flag
# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
# virDomainCoreDump API. That is, the system will avoid using the
# file system cache while writing the dump file, but may cause
# slower operation.
#
#auto_dump_bypass_cache = 0
# When a domain is configured to be auto-started, enabling this flag
# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
# with the virDomainCreateWithFlags API. That is, the system will
# avoid using the file system cache when restoring any managed state
# file, but may cause slower operation.
#
#auto_start_bypass_cache = 0
# If provided by the host and a hugetlbfs mount point is configured,
# a guest may request huge page backing. When this mount point is
# unspecified here, determination of a host mount point in /proc/mounts
# will be attempted. Specifying an explicit mount overrides detection
# of the same in /proc/mounts. Setting the mount point to "" will
# disable guest hugepage backing. If desired, multiple mount points can
# be specified at once, separated by comma and enclosed in square
# brackets, for example:
#
# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
#
# The size of huge page served by specific mount point is determined by
# libvirt at the daemon startup.
#
# NB, within these mount points, guests will create memory backing
# files in a location of $MOUNTPOINT/libvirt/qemu
#
#hugetlbfs_mount = "/dev/hugepages"
# Path to the setuid helper for creating tap devices. This executable
# is used to create <source type='bridge'> interfaces when libvirtd is
# running unprivileged. libvirt invokes the helper directly, instead
# of using "-netdev bridge", for security reasons.
#bridge_helper = "/usr/libexec/qemu-bridge-helper"
# If clear_emulator_capabilities is enabled, libvirt will drop all
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
# default.
#
# Warning: Disabling this option means that a compromised guest can
# exploit the privileges and possibly do damage to the host.
#
#clear_emulator_capabilities = 1
# If enabled, libvirt will have QEMU set its process name to
# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
# process will appear as "qemu:VM_NAME" in process listings and
# other system monitoring tools. By default, QEMU does not set
# its process title, so the complete QEMU command (emulator and
# its arguments) appear in process listings.
#
#set_process_name = 1
# If max_processes is set to a positive integer, libvirt will use
# it to set the maximum number of processes that can be run by qemu
# user. This can be used to override default value set by host OS.
# The same applies to max_files which sets the limit on the maximum
# number of opened files.
#
#max_processes = 0
#max_files = 0
# mac_filter enables MAC addressed based filtering on bridge ports.
# This currently requires ebtables to be installed.
#
#mac_filter = 1
# By default, PCI devices below non-ACS switch are not allowed to be assigned
# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
# be assigned to guests.
#
#relaxed_acs_check = 1
# If allow_disk_format_probing is enabled, libvirt will probe disk
# images to attempt to identify their format, when not otherwise
# specified in the XML. This is disabled by default.
#
# WARNING: Enabling probing is a security hole in almost all
# deployments. It is strongly recommended that users update their
# guest XML <disk> elements to include <driver type='XXXX'/>
# elements instead of enabling this option.
#
#allow_disk_format_probing = 1
# In order to prevent accidentally starting two domains that
# share one writable disk, libvirt offers two approaches for
# locking files. The first one is sanlock, the other one,
# virtlockd, is then our own implementation. Accepted values
# are "sanlock" and "lockd".
#
#lock_manager = "lockd"
# Set limit of maximum APIs queued on one domain. All other APIs
# over this threshold will fail on acquiring job lock. Specially,
# setting to zero turns this feature off.
# Note, that job lock is per domain.
#
#max_queued = 0
###################################################################
# Keepalive protocol:
# This allows qemu driver to detect broken connections to remote
# libvirtd during peer-to-peer migration. A keepalive message is
# sent to the daemon after keepalive_interval seconds of inactivity
# to check if the daemon is still responding; keepalive_count is a
# maximum number of keepalive messages that are allowed to be sent
# to the daemon without getting any response before the connection
# is considered broken. In other words, the connection is
# automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the daemon. If keepalive_interval is set to
# -1, qemu driver will not send keepalive requests during
# peer-to-peer migration; however, the remote libvirtd can still
# send them and source libvirtd will send responses. When
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
# sending any keepalive messages.
#
#keepalive_interval = 5
#keepalive_count = 5
# Use seccomp syscall whitelisting in QEMU.
# 1 = on, 0 = off, -1 = use QEMU default
# Defaults to -1.
#
#seccomp_sandbox = 1
# Override the listen address for all incoming migrations. Defaults to
# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
#migration_address = "0.0.0.0"
# The default hostname or IP address which will be used by a migration
# source for transferring migration data to this host. The migration
# source has to be able to resolve this hostname and connect to it so
# setting "localhost" will not work. By default, the host's configured
# hostname is used.
#migration_host = "host.example.com"
# Override the port range used for incoming migrations.
#
# Minimum must be greater than 0, however when QEMU is not running as root,
# setting the minimum to be lower than 1024 will not work.
#
# Maximum must not be greater than 65535.
#
#migration_port_min = 49152
#migration_port_max = 49215
# Timestamp QEMU's log messages (if QEMU supports it)
#
# Defaults to 1.
#
#log_timestamp = 0
# Location of master nvram file
#
# When a domain is configured to use UEFI instead of standard
# BIOS it may use a separate storage for UEFI variables. If
# that's the case libvirt creates the variable store per domain
# using this master file as image. Each UEFI firmware can,
# however, have different variables store. Therefore the nvram is
# a list of strings when a single item is in form of:
# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
# Later, when libvirt creates per domain variable store, this list is
# searched for the master image. The UEFI firmware can be called
# differently for different guest architectures. For instance, it's OVMF
# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
# follows this scheme.
#nvram = [
# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd"
#]
# The backend to use for handling stdout/stderr output from
# QEMU processes.
#
# 'file': QEMU writes directly to a plain file. This is the
# historical default, but allows QEMU to inflict a
# denial of service attack on the host by exhausting
# filesystem space
#
# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
# This is the current default, providing protection
# against denial of service by performing log file
# rollover when a size limit is hit.
#
#stdio_handler = "logd"
michael@server-1:~$
|