Andre Goree
2018-Mar-30 20:29 UTC
Re: [libvirt-users] Possible to edit/apply nwfilter at runtime?
On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've not
>> come across a way to do so, but I thought I'd ask here before I chase my
>> tail around Google.
>
> Simply re-define the nwfilter in question using virsh nwfilter-define.
> Any VMs using that filter will automatically update.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

I've run into an issue here that I thought you might have some insight on.

I can't seem to "re-define" a nwfilter. I must first 'virsh nwfilter-undefine' then 'virsh nwfilter-define', or else use 'virsh nwfilter-edit'. The problem being, I cannot use nwfilter-edit from a script :/

My real problem is that if I want to add to and/or adjust a filter for a VM, I basically have to call 'virsh update-device ...' which unfortunately leaves the VM wide-open for a short period of time, which is very undesirable.

I wonder if there's a way to edit the nwfilter _without_ libvirt having to drop the filter for the VM before applying any changes.

--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
Laine Stump
2018-Apr-02 15:22 UTC
[libvirt-users] Possible to edit/apply nwfilter at runtime?
On 03/30/2018 04:29 PM, Andre Goree wrote:
> On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
>> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>>> the VM and have it work without rebooting the machine? Thus far, I've not
>>> come across a way to do so, but I thought I'd ask here before I chase my
>>> tail around Google.
>>
>> Simply re-define the nwfilter in question using virsh nwfilter-define.
>> Any VMs using that filter will automatically update.
>>
>> Regards,
>> Daniel
>> --
>> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
>> |: https://libvirt.org -o- https://fstop138.berrange.com :|
>> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
> I've run into an issue here that I thought you might have some insight on.
>
> I can't seem to "re-define" a nwfilter.

Why is that? The only thing (aside from a syntax error) that would cause nwfilter-define to fail when the filter already exists would be if you tried to define the filter with the same name but different (or non-existent) uuid, or vice versa. As long as the new definition has the same name and uuid, there should be no problem.

If you're relying on libvirt to provide the uuid when the filter is originally defined, just modify your "update" script to do virsh nwfilter-dumpxml to read the current text of the filter, modify that text, then send the result to virsh nwfilter-define (that's exactly what virsh nwfilter-edit does).

> I must first 'virsh nwfilter-undefine' then 'virsh nwfilter-define', or else
> use 'virsh nwfilter-edit'. The problem being, I cannot use nwfilter-edit from
> a script :/
>
> My real problem is that if I want to add to and/or adjust a filter for a
> VM, I basically have to call 'virsh update-device ...' which
> unfortunately leaves the VM wide-open for a short period of time, which
> is very undesirable.
>
> I wonder if there's a way to edit the nwfilter _without_ libvirt having
> to drop the filter for the VM before applying any changes.

If this really doesn't work when using the same name and uuid as the original nwfilter, please reply with the exact error message you receive, along with the output of virsh nwfilter-dumpxml prior to the attempt at redefinition, and the text you are sending that results in a failed nwfilter-define.
Andre Goree
2018-Apr-02 18:02 UTC
Re: [libvirt-users] Possible to edit/apply nwfilter at runtime?
On 2018/04/02 11:22 am, Laine Stump wrote:
>> I've run into an issue here that I thought you might have some insight on.
>>
>> I can't seem to "re-define" a nwfilter.
>
> Why is that? The only thing (aside from a syntax error) that would cause
> nwfilter-define to fail when the filter already exists would be if you
> tried to define the filter with the same name but different (or
> non-existent) uuid, or vice versa. As long as the new definition has the
> same name and uuid, there should be no problem.
>
> If you're relying on libvirt to provide the uuid when the filter is
> originally defined, just modify your "update" script to do virsh
> nwfilter-dumpxml to read the current text of the filter, modify that
> text, then send the result to virsh nwfilter-define (that's exactly what
> virsh nwfilter-edit does).
>
>> I must first 'virsh nwfilter-undefine' then 'virsh nwfilter-define', or else
>> use 'virsh nwfilter-edit'. The problem being, I cannot use nwfilter-edit from
>> a script :/
>>
>> My real problem is that if I want to add to and/or adjust a filter for a
>> VM, I basically have to call 'virsh update-device ...' which
>> unfortunately leaves the VM wide-open for a short period of time, which
>> is very undesirable.
>>
>> I wonder if there's a way to edit the nwfilter _without_ libvirt having
>> to drop the filter for the VM before applying any changes.
>
> If this really doesn't work when using the same name and uuid as the
> original nwfilter, please reply with the exact error message you
> receive, along with the output of virsh nwfilter-dumpxml prior to the
> attempt at redefinition, and the text you are sending that results in a
> failed nwfilter-define.

You're absolutely correct! It must've been bc I allowed libvirt to define the UUID, which I was not adding to my xml for the update. After dumping the live rule and making changes to that xml, then defining again, it worked as expected, thank you for checking me on that.

Also discovered that when I do it this way, the ebtables rules aren't actually dropped as I thought was the case. Thanks for your help!

--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
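
The dump, modify and redefine sequence from this thread, as an added example that is not part of the original messages: it copies the live filter's uuid into a script-generated definition that lacks one and refuses a name or uuid mismatch before calling virsh nwfilter-define. The function names carry_uuid and redefine and the sample filter XML are assumptions made for illustration.

```python
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of `virsh nwfilter-dumpxml` output (name, uuid, rule made up).
LIVE_XML = """<filter name='vm-web' chain='root'>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='22'/></rule>
</filter>"""

# Constructed sample of a script-generated update that omits <uuid>.
NEW_XML = """<filter name='vm-web' chain='root'>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='443'/></rule>
</filter>"""


def carry_uuid(live_xml, new_xml):
    """Return new_xml carrying the live filter's uuid; refuse name/uuid mismatches."""
    live, new = ET.fromstring(live_xml), ET.fromstring(new_xml)
    if live.get("name") != new.get("name"):
        raise ValueError("name differs from the live filter")
    live_uuid = (live.findtext("uuid") or "").strip()
    if not live_uuid:
        raise ValueError("live definition has no <uuid>")
    uuid_el = new.find("uuid")
    if uuid_el is None:
        # The update had no uuid: add the live one as the first child.
        uuid_el = ET.Element("uuid")
        uuid_el.tail = "\n  "
        new.insert(0, uuid_el)
    elif (uuid_el.text or "").strip() != live_uuid:
        raise ValueError("uuid differs from the live filter")
    uuid_el.text = live_uuid
    return ET.tostring(new, encoding="unicode")


def redefine(name, new_xml):
    """Hypothetical wrapper: dump the live filter, merge, then redefine in place."""
    live_xml = subprocess.run(["virsh", "nwfilter-dumpxml", name], check=True,
                              capture_output=True, text=True).stdout
    merged = carry_uuid(live_xml, new_xml)
    with tempfile.NamedTemporaryFile("w", suffix=".xml") as f:
        f.write(merged)
        f.flush()
        subprocess.run(["virsh", "nwfilter-define", f.name], check=True)


if __name__ == "__main__":
    print(carry_uuid(LIVE_XML, NEW_XML))
```
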