Ubuntu Server Guide Changes, errors and bugs
Huge page usage in libvirt
With the above in place libvirt can map guest memory to huge pages. In a guest definition add the most simple form of

That will allocate the huge pages using the default huge page size from an autodetected mountpoint. For more control, e.g. how memory is spread over NUMA nodes or which page size to use, check out the details at the libvirt doc.

Apparmor isolation

By default libvirt will spawn qemu guests using apparmor isolation for enhanced security. The apparmor rules for a guest will consist of multiple elements:
• a static part that all guests share => /etc/apparmor.d/abstractions/libvirt-qemu
• a dynamic part created at guest start time and modified on hotplug/unplug => /etc/apparmor.d/libvirt/libvirt-f9533e35-6b63-45f5-96be-7cccc9696d5e.files

Of the above, the former is provided and updated by the libvirt-daemon package and the latter is generated on guest start. Neither of the two should be manually edited. They will by default cover the vast majority of use cases and work fine. But there are certain cases where users either want to:
• further lock down the guest (e.g. by explicitly denying access that usually would be allowed)
• open up the guest isolation (most of the time this is needed if the setup on the local machine does not follow the commonly used paths)

To do so there are two files. Both are local overrides which allow you to modify them without getting them clobbered or conffile prompts on package upgrades.
• /etc/apparmor.d/local/abstractions/libvirt-qemu: this will be applied to every guest. Therefore it is rather powerful, but also a rather blunt tool. It is a quite useful place though to add additional deny rules.
• /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper: the above mentioned dynamic part that is individual per guest is generated by a tool called libvirt.virt-aa-helper. That is under apparmor isolation as well. This is most commonly used if you want to use uncommon paths, as it allows you to have those uncommon paths in the guest XML (see virsh edit) and have those paths rendered to the per-guest dynamic rules.
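The two local override files described above, filled in by a small shell helper. This is an added example, not part of the guide; /srv/backups and /srv/vm-images are constructed sample paths, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotently place rules in the two local AppArmor
# override files. The paths /srv/backups and /srv/vm-images are constructed.

# Append one rule line to an override file unless that exact line exists.
add_local_rule() {
    file=$1
    rule=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    # -x: whole-line match, -F: fixed string, so AppArmor globs are not
    # interpreted as a regular expression.
    if ! grep -qxF -- "$rule" "$file"; then
        printf '%s\n' "$rule" >> "$file"
    fi
}

# $1 = AppArmor configuration root (/etc/apparmor.d on a real host).
apply_overrides() {
    root=$1

    # Lock down: this file is shared by every guest, so a deny rule here
    # removes access for all of them.
    add_local_rule "$root/local/abstractions/libvirt-qemu" \
        'deny /srv/backups/** rw,'

    # Open up: let the helper read disk images under an uncommon path so
    # that paths from the guest XML can be rendered into per-guest rules.
    add_local_rule "$root/local/usr.lib.libvirt.virt-aa-helper" \
        '/srv/vm-images/ r,'
    add_local_rule "$root/local/usr.lib.libvirt.virt-aa-helper" \
        '/srv/vm-images/** r,'
}

# On a real host, as root:
#   apply_overrides /etc/apparmor.d
#   apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
# The per-guest part is generated on guest start, so start the guest again
# afterwards to pick up the changed rules.
```

Because each rule is only appended when missing, the helper can be rerun from configuration management without duplicating lines.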