03-31-2010, 02:41 PM
Dustin Kirkland

qemu-kvm vde networking

On Wed, 2010-03-31 at 10:32 +0200, Christian Rößner wrote:
> excuse me please that I contact you directly. Before I go building my
> own kvm package with vde support I want to ask you, if you could give
> me detailed arguments, why vde is not in main repo and why you
> consider it not secure (enough; you said _more secure than_).
>
> I wait from release to release always missing the vde support and I
> can not understand why you do not include it. Where are the reasons?
> And why is vde not in main?
>
> I have really good experiences with vde and kvm for years now. I use
> KVM for several minor internet service providers here in Germany and
> all the servers use vde, cause it is ingenious.
>
> Separating local guest communication from outside. And!!!: You do not
> need bridging network, which makes firewalling so much easier. And you
> still can reach the host operating system from the guests, which gives
> you a real intranet.
>
> So there are so many arguments FOR vde. Any other solution is really a
> pain. And I tested them all! I am not a newbie.
>
> So if security is an argument, then I would say ok.

Hi Christian, thanks for the kind, detailed email. I hope you don't
mind that I'm CC'ing this response to the ubuntu-server@ and
ubuntu-devel@ mailing lists, as this has come up a few times, and I'd
like to collate a single response here...

Okay, let me eat my words on the security aspect of VDE... I can't say
that VDE is more or less secure than the other recommended networking
models at:
* https://help.ubuntu.com/community/KVM/Networking

What I can say is that:

a) Per discussions with upstream QEMU, tap is the 'official',
'supported', 'recommended' networking mechanism for QEMU and KVM
* Upstream also says that VDE performance is poor because it doesn't
support offloading, tap networking should suffice for vast majority of
users, VDE security is mostly untested for things like mac flooding and
ip spoofing, and upstream does virtually no testing of VDE before they
release

b) The required library, libvdeplug2-dev and its source package, vde2
are in Ubuntu Universe, while qemu-kvm is in Ubuntu Main (Main packages
cannot build against libraries in Universe)

c) Canonical-long-term-supported KVM in Ubuntu's Lucid Main repository
will not differ from Upstream's recommendation on this point

d) The other networking models (ie, through KVM/Libvirt) are *far* more
heavily tested over the last 2 years of Ubuntu Hypervisor development,
through Hardy->Intrepid->Jaunty->Karmic->Lucid.

What we can offer is this:

1) A qemu-kvm package in a PPA managed by ~ubuntu-virt in Launchpad
that does build against libvdeplug2-dev
* We can try to keep this package "in sync" with what goes into Lucid
(ie, upload at the same time and just enable vde in the PPA build)
* But any problems or issues caused by or related to VDE will be
supported on a best-effort, wishlist-priority basis (as are most PPA
builds)

2) If someone who has interest in, and experience with VDE will write
the Main Inclusion Report (MIR) for vde2, we can propose vde2 for
inclusion in Main for Lucid+1, and I'll enable VDE in the qemu-kvm
builds for Lucid+1 if the MIR is approved. See:
* https://wiki.ubuntu.com/MainInclusionProcess
I have marked your bug a duplicate of another one, marked wont-fix
against Lucid, but marked it triaged/high for Lucid+1, at:
* https://bugs.edge.launchpad.net/ubuntu/+source/vde2/+bug/253230

> But please include it. It is an LTS version, so big chance to make
> this pain an end ;-)

I understand your concern. But this is the precise reason why we cannot
just enable VDE networking at this time. We're at a Beta2 freeze for
our LTS release. I appreciate your confidence in VDE -- that will
support the MIR process for Lucid+1. But the vast majority of testing
and stabilization of Ubuntu's Hypervisor stack has been intensely
focused on the KVM+Libvirt networking model. Slipping VDE networking
into Ubuntu 10.04 LTS at Beta2, and then committing to supporting that
code for 5 years is simply not something we can do, I'm sorry.

> As you read, I am from Germany. Sometimes my English may sound a
> little bit rough, but I do not mean it like this.

No problem ;-)

Cheers,
--
:-Dustin

Dustin Kirkland
Canonical, LTD
kirkland@canonical.com
GPG: 1024D/83A61194
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
03-31-2010, 04:15 PM
Christian Rößner

qemu-kvm vde networking

Hi,

first of all: Thank you very much for the time you take to answer.

Putting KVM into PPA would really be something that I would like. I already tried to build it, but at the moment lucid is broken on my server ;-) (mdadm/lvm bug).

I am going to write the MIR. But first I got arp-tools and want to test arp-flooding on the switch. Also checking performance from 2 client pairs concurrently on the switch with netcat. Afterwards I will do it.

Thanks very, very much and I hope vde will find its way to main and kvm into PPA ;-)

Regards
Christian


---
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 641 93118939
USt-IdNr.: DE225643613
http://www.roessner-net.com


 
03-31-2010, 04:42 PM
Dustin Kirkland

qemu-kvm vde networking

On Wed, Mar 31, 2010 at 7:41 AM, Dustin Kirkland <kirkland@canonical.com> wrote:
> 1) A qemu-kvm package in a PPA managed by ~ubuntu-virt in Launchpad
> that does build against libvdeplug2-dev
> * We can try to keep this package "in sync" with what goes into Lucid
> (ie, upload at the same time and just enable vde in the PPA build)
> * But any problems or issues caused by or related to VDE will be
> supported on a best-effort, wishlist-priority basis (as are most PPA
> builds)

FYI, I have uploaded such a package to:
* https://launchpad.net/~ubuntu-virt/+archive/vde

I'll try to keep this package up-to-date with whatever goes into
10.04, but as stated above, it's minimally-supported.

If you're happy with VDE networking as is, you're welcome to use this PPA.

Cheers,
:-Dustin

 
03-31-2010, 04:56 PM
Christian Rößner

qemu-kvm vde networking

Hi,

finished tests.

4 clients 2<->2 netcat /dev/zero to /dev/null makes about 100MBit/s each connection using UDP.
arpoison does not have success on the switch.

Gonna write the MIR later today

Bye

Christian


 
