[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Packaging libvirt files as debian package + unit test + CI


#1

We could package the libvirt files as a proper Debian package. What about moving the libvirt folder to packages/whonix-libvirt? The package (not the installation instructions on KVM wiki page) would could files to /usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml and so forth.

From user’s perspective nothing would change compared to now. (!)

That package wouldn’t be very useful for users. [As long as there is no Whonix Host Operating System (https://phabricator.whonix.org/T21) and perhaps never?]

Advantages:

  • We could add a unit test file /usr/share/whonix-libvirt/unit_test that would import and remove the VM’s to see if the xml’s are working as expected. Eventually it would also use the xml validation tool.
  • That unit test could be automatically run after each and every commit using CI (https://www.whonix.org/wiki/Dev/Continuous_Integration). Travis CI most likely. It’s Ubuntu based, but that is still somewhat comparable to Debian. It would detect things such as missing quotes.
  • Then we’d have some more confirmation, that the xml files are Debian compatible.
  • Getting the libvirt folder out of the main source code folder.
  • Would make it easier to add a version number to the xml files. Since at the moment, they don’t have version numbers. We could indicate, that the version number of the xml has been increased by using debian/changelog / make deb-chl-bumpup. We could have a unit test, that runs during the build process and breaks it when the version numbers of the xml files do not match debian/changelog’s version number.
  • Maybe some users would notice when that package gets updated, that libvirt files are now available in a higher version number.

What do you think?

One thing. whonix-libvirt might not be the best name for the package for trademark reasons (https://www.whonix.org/wiki/Dev/TPO_Trademark). Some are rather picky about it and I like to be one the very safe side to not have to rename it later. You know any good package name that does not include “libvirt” but at the same time doesn’t limit it to kvm [because there is also qemu, in future perhaps more]?


#2
What do you think?

Sounds great.

For names how about any of these?
whonix-virt-api
whonix-modes
whonix-multi


#3

Hm. Any package name not including “libvirt” seems like a mess.

For VirtualBox there is one package called “vbox-disable-timesync”. For libvirt, I don’t think that there is any meaningful comparable contraction.

I guess let’s use whonix-libvirt, then ask them if that is considered fair use. Could you relay a message please when the package has been created?


#4

Done:

Initial implementation:

TODO:

  • unit test
  • CI

#5

Done:

Dunno if it’s possible to fix this one on CI:
https://travis-ci.org/Whonix/whonix-libvirt/builds/44553778

[code]virsh -c qemu:///system net-define ./usr/share/whonix-libvirt/xml/Whonix_network.xml

error: Failed to connect socket to ‘/var/run/libvirt/libvirt-sock’: Permission denied

error: failed to connect to the hypervisor
[/code]

Deactivated for now.

Therefore set to only use virt-xml-validate for now.

https://travis-ci.org/Whonix/whonix-libvirt/builds/44554060

[code]+virt-xml-validate ./usr/share/whonix-libvirt/xml/Whonix_network.xml

./usr/share/whonix-libvirt/xml/Whonix_network.xml validates

+virt-xml-validate ./usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml

Relax-NG validity error : Extra element clock in interleave

./usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml:18: element clock: Relax-NG validity error : Element domain failed to validate content

./usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml fails to validate

The command “./usr/share/whonix-libvirt/unit_test” exited with 3.
[/code]

Could be because of their Ubuntu version. (http://docs.travis-ci.com/user/ci-environment/) (Ubuntu 12.04 LTS)

Maybe you got any idea about this or like to experiment with CI.


#6
Dunno if it's possible to fix this one on CI:

If there is an existing network on your system with the same name you will get errors like these. Thats what I saw in my experience.


#7
Could be because of their Ubuntu version. (http://docs.travis-ci.com/user/ci-environment/) (Ubuntu 12.04 LTS)

Ok 12.04 is old in libvirt terms and so things like hypervclock are till not recognized and will trigger errors like it has done.


#8

A reason for the error could be group permissions:

[code]virsh -c qemu:///system net-define ./usr/share/whonix-libvirt/xml/Whonix_network.xml

error: Failed to connect socket to ‘/var/run/libvirt/libvirt-sock’: Permission denied

error: failed to connect to the hypervisor[/code]

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Host_Configuration_and_Guest_Installation_Guide/Sect_Failed_to_connect_socket.html


#9

Ok 12.04 is old in libvirt terms and so things like hypervclock are till not recognized and will trigger errors like it has done.[/quote]
We might also be able to mix with versions from higher Ubuntu repositories. Just needs to be scripted.

[quote=“HulaHoop, post:8, topic:756”]A reason for the error could be group permissions:

[code]virsh -c qemu:///system net-define ./usr/share/whonix-libvirt/xml/Whonix_network.xml

error: Failed to connect socket to ‘/var/run/libvirt/libvirt-sock’: Permission denied

error: failed to connect to the hypervisor[/code]

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Host_Configuration_and_Guest_Installation_Guide/Sect_Failed_to_connect_socket.html[/quote]
One thing we cannot do, because unsupported by CI: reboot.

Testing workaround.


#10

Workaround works.

Using more recent versions from Ubuntu vivid now. (http://packages.ubuntu.com/vivid/qemu-kvm) Solved some issues. virsh define and virsh undefine is now functional! :slight_smile: Two more issues.

Log:
https://travis-ci.org/Whonix/whonix-libvirt/builds/44609513

net-start issue.

[code]virsh -c qemu:///system net-start Whonix

error: Failed to start network Whonix

error: Unable to create bridge virbr1: Package not installed[/code]

virt-xml-validate issue.

virt-xml-validate ./usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml

Relax-NG validity error : Extra element devices in interleave

./usr/share/whonix-libvirt/xml/Whonix-Gateway_kvm.xml:32: element devices: Relax-NG validity error : Element domain failed to validate content

Any idea how to solve these?

Can you try virt-xml-validate locally please?


#11

Apart from the remaining issues, the log looks quite useful already. :slight_smile:

https://travis-ci.org/Whonix/whonix-libvirt/builds/44612407


#12
error: Unable to create bridge virbr1: Package not installed

What I found about the error is its caused by the kernel lacking bridge support for some reason. Either they don’t have bridge-utils package installed or there is some other bug in that package:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542447
https://bugzilla.redhat.com/show_bug.cgi?id=524880


#13

I’m running libvirt 1.2.9 here and the files validate fine on my host.


#14

Ubuntu vivid contains 1.2.8. Debian jessie contains 1.2.9.

Same problem outside of CI on a Debian jessie system. (libvirt-bin 1.2.9-6)

virt-xml-validate Whonix-Gateway_qemu.xml Relax-NG validity error : Extra element devices in interleave Whonix-Gateway_qemu.xml:32: element devices: Relax-NG validity error : Element domain failed to validate content Whonix-Gateway_qemu.xml fails to validate

What I found about the error is its caused by the kernel lacking bridge support for some reason. Either they don't have bridge-utils package installed or there is some other bug in that package:
The bridge-utils package is installed as per build log (https://s3.amazonaws.com/archive.travis-ci.org/jobs/44612408/log.txt). The CI's kernel could be the issue. It's running in a OpenVZ VM, that comes with some limitations.

#15

I downloaded libvirt/kvm inside whonix from jessie repos and I can see what you describe. I started removing all the recent settings then eventually major parts of everything else, but the error keeps coming up. I think somehing is wrong with virt-xml-validate. I’ll be sure if the xml files allow a whonix guest to boot normally on a debian host. Can you please check if it does?


#16

Tested using QEMU inside a VBox VM with Debian Jessie, because I don’t have a host with Debian Jessie at the moment. Therefore I cannot test KVM.

virsh -c qemu:///system start Whonix-Gateway error: Failed to start domain Whonix-Gateway error: unsupported configuration: host doesn't support paravirtual spinlocks

After removing

VM was bootable.

So I guess it should be removed for all QEMU xml files for better compatibly.


#17

Added using “virsh domxml-to-native” to unit_test for debug output:

It works for QEMU, for example “virsh domxml-to-native qemu-argv ./usr/share/whonix-libvirt/xml/Whonix-Gateway_qemu.xml” works. But it fails for KVM.

Any idea? Does it work when you do that on your local disk?


#18
So I guess it should be removed for all QEMU xml files for better compatibly.

But pvspinlock is supported on the newer libvirt in Jessie. Debian stable is almost Jessie. I will remove it of course if the problem still persists on Jessie. Are you saying that its not compatible with the qemu xmls only? To be clear here when I say qemu I am talking about the pure emulator mode and not kvm.

converting xml to qemu arguments works with me.


This error is directly related to power management settings:

Try and see if removing this section in the xml makes it work. I know for a fact VirtualBox does not have suspend mode available inside it for the guest acpi. It could be libvirt is seeing this unsupported on its “host” (the inside of VirtualBox) and is failing the vml because it doesn’t have this “host” capability.

Hard to say without testing on Jessie baremetal.


#19

For the record, last CI build was broken:


#20

The errors complain that qemu-kvm cannot be installed on the CI server.

Unrelated. Can you please not merge and instead close all the recent pull requests to libvirt XML? I don’t think the changes are worth the extra maintenance.