Stonecraft's questions

I am trying to configure re-encryption on a backend, so that traffic between nginx and the upstream app is encrypted separately from traffic between the user and nginx. For the purpose of a test example, I am using this: https://github.com/jlengstorf/tutorial-deploy-nodejs-ssl-digitalocean-app.git. I have read many threads, but I always end up getting Error 502: Bad Gateway. Also, I am not sure how paranoid it is to even bother with this. Everything is on one host, but I will be running several services and my reasoning is that any one of them might have exploits and that risk could be mitigated by each app communicating with nginx under a different certificate. To keep the example simple, I just used one key for Everything. Obviously if I were doing this for real I would make a new certificate for each instance of re-encryption. I'm new to web hosting and thinking about security, so please let me know if I said anything cringy above.

mydomain.conf

# HTTP — redirect all traffic to HTTPS
server {
    listen 443 ssl;
    server_name 127.0.0.1:5000;
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    root /var/www/html;
    index test_index.html;
    return 301 https://$host$request_uri;
}


# HTTPS — proxy all requests to the Node app
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mydomain.com;
    root /var/www/html;
    index test_index.html;
    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;
    location /app {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://localhost:5000/;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
        proxy_ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

The corresponding error from /var/nginx/error.log:

2020/10/22 16:17:13 [error] 11311#11311: *1 SSL_do_handshake() failed
(SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
) while SSL handshaking to upstream, client: xx.xxx.xx.xx, server: the
3guys.com, request: "GET /app HTTP/1.1", upstream: "https://127.0.0.1:
5000/", host: "mydomain.com"

In ssl-params.conf snippet included in the nginx site conf, I set to use all versions of TLS that I am aware of:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

I got extremely confused and decided to re-write the question from scratch, so if some of the comments do not make sense, that is why. Apoplogies to anyone whose time I wasted.

I am having a problem with my entire system freezing when using KVM virtual machines (both with PCI passthrough). The host is Ubuntu 20.04, and this is running on a Threadripper 1950X with an ASRock x399 Taichi motherboard.

It seems that there are a lot of ways to trigger it, but one of the most reliable is to use my Kubuntu VM while playing audio in my Windows VM. It rarely if ever happens when using just the Kubuntu VM. When using the Windows VM alone, it usually happens more slowly, but happens eventually.

Probably not important, but, this entire problem started while watching a video in my Windows VM last night. The guest froze, so I forced it off, and then subsequently the guest brought down the whole system.

In any case, my strategy is to insert descriptions of what I am doing into journalctl, flagged as "###Admin note:" by using

 echo '###Admin note: test' | systemd-cat

The output as viewed with journalctl -b -1 after reboot: https://pastebin.com/fi1iR8Zx

The last message I sent to journalctl does not seem to have been saved, but did appear in the terminal:

And the output of journalctl -k -b -1 https://pastebin.com/1t38WsWh

Are there any other logs I should look in? What additional information would be helpful? I was thinking to post info about my PCI devices and my virsh XML file, but I don't want to over-clutter this post with irrelevant stuff.

Edit: I notice that I have a high temperature on something called SMBUSMASTER. So far I have found only speculation about what exactly that is. If the maximum safe temperature is the same as for CPUTIN (68C), then I guess I have a problem.

Also, other than PCI passthrough of GPUs, one unusual feature of my system is that Windows' USB devices are all connected to a PCI USB-C card, which is passed through. I don't see anything to implicate it in the log, but seemed worth mentioning.

Possible solution?

I think I may have figuered it out.

In looking over my logs, I noticed many entries like this:

Jul 10 23:43:20 virtland kernel: [Firmware Bug]: ACPI MWAIT C-state 0x0 not supported by HW (0x0)

Googling that led me to this Ryzen bug: https://bugzilla.kernel.org/show_bug.cgi?id=196683

which led me to this thread: http://forum.asrock.com/forum_posts.asp?TID=11690&title=x370-taichi-c-states

Now I could have sworn I turned off suspend to memory long ago, but sure enough it was set to auto. In any case, I turned it off and now I am listening to music from Windows and working in Kubuntu.

Perhaps the setting got changed back to default when I did a firmware update before I set up the host, but I still don't get why it would be a problem. Could it be related to power? We are having a heatwave, and the lights sometimes flicker. I am behind an APC UPS for exactly this reason, but it has been making a lot of clicking noises when I have my air conditioning is on. I certainly was not trying to suspend to RAM at any point, but could a power fluctuation that the UPS did not correct fast enough have somehow triggered something related to this.

In any case, I won't be confident that this is fixed until I have gone a couple days without it, but this is very promising.

Indeed I did speak too soon, here are the logs from that session. I was using Windows and Kubuntu for a few hours without issue, which was a record. The MWAIT errors are still there:

journalctl -b -1 : https://pastebin.com/1feLq19U

Edit: I noticed that the last log seems to cut off well before the crash actually happens, so I reproduced the crash one more time. The output of journalctl -b -1 after rebooting cuts off more than ten minutes before the crash. Fortunately, I was running `journalctl -f, and that actually captured everything until my last comment (the crash happened less than a minute later). Unfortunately, I don't see any errors right at the time of the crash.

I am puzzled as to why the journalctl as saved to the system logs and viewable later cut off ten minutes before the output as sent to a file live. A few seconds I can understand, but ten minutes?

Anyway, for comparison, here are the logs plus my picture of the crashed screen.

1. Output of journalctl -b -1 : Cuts off 10 minutes early, but included for comparison. https://pastebin.com/mKu4bBzL

2. Text saved from journalctl -f > file.txt, which is complete: https://pastebin.com/kSXDRkBp

3. Picture of the screen

Edit: Another detail that might matter is that the Windows VM was created with a previous host installation (it was created with Arch, but with an earlier version of QEMU, so that shouldn't be a problem, right?)

Edit: Disabled C-states on my motherboard, no luck

Edit: I set up Kernel Crash Dumps as described here: https://ubuntu.com/server/docs/kernel-crash-dump There is a lot there, but one thing that caught my eye is this:

[  463.983070] vfio-pci 0000:09:00.0: vfio_ecap_init: hiding ecap 0x1b@0x2d0
[  463.983308] vfio-pci 0000:09:00.0: vfio_ecap_init: hiding ecap 0x1e@0x370
[  465.131213] vfio-pci 0000:0a:00.0: vfio_ecap_init: hiding ecap 0x19@0x280
...
[ 1047.680144] vfio-pci 0000:43:00.0: enabling device (0000 -> 0003)
[ 1047.680422] vfio-pci 0000:43:00.0: vfio_ecap_init: hiding ecap 0x19@0x900

Those are the PCI ids of all the cards I am passing through (43 is to Kubuntu, 09 and 0a to Windows). Googling hiding ecap did find threads about problems with similar hardware to mine (AMD CPU + AMD GPU passthrough): https://forums.gentoo.org/viewtopic-t-1070816-start-0.html https://forum.level1techs.com/t/rx-470-stuck-in-d3-single-gpu-passthrough/147401

I passed through my RX470 to Windows and was able to shut down or start again without issue for months. I gave up on trying to make it work with Linux long ago due to the AMD reset bug. Is it possible that this bug is showing itself again in a different form?

I have been having some problems with crashes on my KVM host (Lubuntu 20.04), and when troubleshooting, I noticed some time-related errors.

Upon further investigation, to my horror, I saw that time was not being synced. I am sure it was set up before, I have no clue how it became un-setup.

admin@virtland:~$ sudo timedatectl
[sudo] password for admin: 
               Local time: Fri 2020-07-10 09:14:14 EDT  
           Universal time: Fri 2020-07-10 13:14:14 UTC  
                 RTC time: Fri 2020-07-10 13:14:14      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: no                           
              NTP service: n/a                          
          RTC in local TZ: no                           
admin@virtland:~$ 

I found this thread and tried the top answer, but no no avail. https://askubuntu.com/questions/929805/timedatectl-ntp-sync-cannot-set-to-yes

admin@virtland:~$ sudo systemctl stop ntp
admin@virtland:~$ sudo ntpd -gq
10 Jul 09:17:57 ntpd[34358]: ntpd [email protected] (1): Starting
10 Jul 09:17:57 ntpd[34358]: Command line: ntpd -gq
10 Jul 09:17:57 ntpd[34358]: proto: precision = 0.070 usec (-24)
10 Jul 09:17:57 ntpd[34358]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
10 Jul 09:17:57 ntpd[34358]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2020-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
10 Jul 09:17:57 ntpd[34358]: Listen and drop on 0 v6wildcard [::]:123
10 Jul 09:17:57 ntpd[34358]: Listen and drop on 1 v4wildcard 0.0.0.0:123
10 Jul 09:17:57 ntpd[34358]: Listen normally on 2 lo 127.0.0.1:123
10 Jul 09:17:57 ntpd[34358]: Listen normally on 3 enp6s0 10.0.0.18:123
10 Jul 09:17:57 ntpd[34358]: Listen normally on 4 lo [::1]:123
10 Jul 09:17:57 ntpd[34358]: Listen normally on 5 enp6s0 [fe80::7285:c2ff:fe65:9f19%3]:123
10 Jul 09:17:57 ntpd[34358]: Listening on routing socket on fd #22 for interface updates
10 Jul 09:17:58 ntpd[34358]: Soliciting pool server 209.50.63.74
10 Jul 09:17:59 ntpd[34358]: Soliciting pool server 4.53.160.75
10 Jul 09:18:00 ntpd[34358]: Soliciting pool server 69.89.207.199
10 Jul 09:18:00 ntpd[34358]: Soliciting pool server 72.30.35.88
10 Jul 09:18:01 ntpd[34358]: Soliciting pool server 173.0.48.220
10 Jul 09:18:01 ntpd[34358]: Soliciting pool server 162.159.200.1
10 Jul 09:18:01 ntpd[34358]: Soliciting pool server 108.61.73.243
10 Jul 09:18:02 ntpd[34358]: Soliciting pool server 208.79.89.249
10 Jul 09:18:02 ntpd[34358]: Soliciting pool server 208.67.75.242
10 Jul 09:18:02 ntpd[34358]: Soliciting pool server 91.189.94.4
10 Jul 09:18:03 ntpd[34358]: Soliciting pool server 91.189.89.198
10 Jul 09:18:03 ntpd[34358]: Soliciting pool server 67.217.112.181
10 Jul 09:18:04 ntpd[34358]: Soliciting pool server 91.189.89.199
10 Jul 09:18:04 ntpd[34358]: Soliciting pool server 64.225.34.103             
10 Jul 09:18:05 ntpd[34358]: Soliciting pool server 91.189.91.157             
10 Jul 09:18:06 ntpd[34358]: Soliciting pool server 2001:67c:1560:8003::c8    
10 Jul 09:18:06 ntpd[34358]: ntpd: time slew +0.001834 s                      
ntpd: time slew +0.001834s                                                    
admin@virtland:~$ sudo service ntp start                                       
admin@virtland:~$ sudo timedatectl                             
               Local time: Fri 2020-07-10 09:18:21 EDT                        
           Universal time: Fri 2020-07-10 13:18:21 UTC                        
                 RTC time: Fri 2020-07-10 13:18:21                            
                Time zone: America/New_York (EDT, -0400)                      
System clock synchronized: no                                                 
              NTP service: n/a                                                
          RTC in local TZ: no                                                 
admin@virtland:~$                  

I thought maybe I needed to use some more up-to-date instructions, so I tried this: https://linuxconfig.org/how-to-sync-time-on-ubuntu-20-04-focal-fossa-linux

admin@virtland:~$ timedatectl set-ntp off
Failed to set ntp: NTP not supported                                          
admin@virtland:~$ timedatectl set-ntp on
Failed to set ntp: NTP not supported                                          

Then I tried this, from a different thread:

admin@virtland:~$ sudo systemctl status systemd-timesyncd.service
[sudo] password for admin: 
● systemd-timesyncd.service
     Loaded: masked (Reason: Unit systemd-timesyncd.service is masked.)
     Active: inactive (dead)

I have never touched timesyncd.conf, but it is entirely commented out anyway:

cat /etc/systemd/timesyncd.conf                         
#  This file is part of systemd.                                              
#                                                                             
#  systemd is free software; you can redistribute it and/or modify it         
#  under the terms of the GNU Lesser General Public License as published by   
#  the Free Software Foundation; either version 2.1 of the License, or        
#  (at your option) any later version.                                        
#                                                                             
# Entries in this file show the compile time defaults.                        
# You can change settings by editing this file.                               
# Defaults can be restored by simply deleting this file.                      
#                                                                             
# See timesyncd.conf(5) for details.                                          
                                                                              
[Time]                                                                        
#NTP=                                                                         
#FallbackNTP=ntp.ubuntu.com                                                   
#RootDistanceMaxSec=5                                                         
#PollIntervalMinSec=32                                                        
#PollIntervalMaxSec=2048 

I checked timedatectl again, and now it is on, but still not using NTP. I understand that NTP is more precise, and that can be important in some situations. Not sure if virtualization with pci passthrough needs extremely precise time or not.

From other stuff I was reading, I thought maybe NTP was conflicting with timesyncd. So remove ntp for the time being:

sudo systemctl stop ntp
sudo apt-get purge ntp

But after purging ntp, NTP showed as active!

admin@virtland:~$ timedatectl
               Local time: Fri 2020-07-10 09:34:52 EDT  
           Universal time: Fri 2020-07-10 13:34:52 UTC  
                 RTC time: Fri 2020-07-10 13:34:52      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: yes                          
              NTP service: active                       
          RTC in local TZ: no     

Am I going crazy? Is NTP still here somehow? Nope.

admin@virtland:~$ sudo systemctl start ntp
Failed to start ntp.service: Unit ntp.service not found.

Apologies for not asking a more focused question, but what the heck is going on here?

I am well and truly lost. Also, I will edit this post later and make a not as to whether removing NTP (and thus activating it?!) fixed the stability problems that led me down this rabbit hole.

Edit: The next thing I did was disable ntp on timesyncd and (re)install NTP as described here. https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04

That resulted in:

admin@virtland:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.us.pool.ntp.o .POOL.          16 p    -   64    0    0.000    0.000   0.000
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64    0    0.000    0.000   0.000
admin@virtland:~$ timedatectl
               Local time: Fri 2020-07-10 10:35:39 EDT  
           Universal time: Fri 2020-07-10 14:35:39 UTC  
                 RTC time: Fri 2020-07-10 14:35:40      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: no                                                 
              NTP service: n/a                                                
          RTC in local TZ: no                                                 
admin@virtland:~$ systemctl status systemd-timesyncd 
● systemd-timesyncd.service                                                   
     Loaded: masked (Reason: Unit systemd-timesyncd.service is masked.)       
     Active: inactive (dead)                                                  
admin@virtland:~$ nano /etc/ntp.conf
admin@virtland:~$ systemctl status systemd-timesyncd                           
● systemd-timesyncd.service                                                   
     Loaded: masked (Reason: Unit systemd-timesyncd.service is masked.)       
     Active: inactive (dead)                                                  
admin@virtland:~$ ntpstat
unsynchronised                                                                
   polling server every 8 s 

I reversed those changes as recommended my Michael Hampton: Does this mean it's working?

boss@virtland:~$ sudo systemctl stop ntp
Failed to stop ntp.service: Unit ntp.service not loaded.
boss@virtland:~$ sudo timedatectl set-ntp yes
boss@virtland:~$ sudo timedatectl set-ntp on
boss@virtland:~$ ntpq -p
bash: /usr/bin/ntpq: No such file or directory
boss@virtland:~$ systemctl status systemd-timesyncd 
● systemd-timesyncd.service - Network Time Synchronization
     Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; >
     Active: active (running) since Fri 2020-07-10 10:49:18 EDT; 50s ago
       Docs: man:systemd-timesyncd.service(8)
   Main PID: 108365 (systemd-timesyn)
     Status: "Initial synchronization to time server 91.189.94.4:123 (ntp.ubu>
      Tasks: 2 (limit: 154317)
     Memory: 1.8M
     CGroup: /system.slice/systemd-timesyncd.service
             └─108365 /lib/systemd/systemd-timesyncd

Jul 10 10:49:17 virtland systemd[1]: Starting Network Time Synchronization...
Jul 10 10:49:18 virtland systemd[1]: Started Network Time Synchronization.
Jul 10 10:49:18 virtland systemd-timesyncd[108365]: Initial synchronization t>
lines 1-14/14 (END)

 timedatectl
               Local time: Fri 2020-07-10 10:52:56 EDT  
           Universal time: Fri 2020-07-10 14:52:56 UTC  
                 RTC time: Fri 2020-07-10 14:52:56      
                Time zone: America/New_York (EDT, -0400)
System clock synchronized: yes                          
              NTP service: active                       
          RTC in local TZ: no            

So I guess it is working. Since the crashes that took me down this path are still happening, I guess the time wasn't the issue.

With a ZFS root install, which partitions need to be canmount=noauto and why?

I am looking at a fresh installation of Ubuntu 20.04 with ZFS on root. I am using these instructions on the openzfs site, but there is one thing that I don't get which is bugging me.

from the guide:

3.2 Create filesystem datasets for the root and boot filesystems:

zfs create -o canmount=noauto -o mountpoint=/ rpool/ROOT/ubuntu
zfs mount rpool/ROOT/ubuntu

zfs create -o canmount=noauto -o mountpoint=/boot bpool/BOOT/ubuntu
zfs mount bpool/BOOT/ubuntu

With ZFS, it is not normally necessary to use a mount command (either mount or zfs mount). This situation is an exception because of canmount=noauto.

I understand that the noauto means that fstab or a mount command is needed to mount the volumes. but I don't get why it is necessary/recommended for some datasets but not others. Can someone help me understand that?

I am having a problem where virt-install gets stuck in the very early stages and cant be killed (after saying "starting installation", but before the VM is visible in virt-manager).

Ctrl-C does not work to cancel virt-install, and systemctl restart libvirtd just hangs. I have to hard restart the machine. Even kill $libvirtPID just hangs. If I restart, restart hangs with a message of kvm: exiting hardware virtualization, and I have to hard restart.

For the moment, I am not asking for help with the cause of the hang, but rather I want to know whether there is a better/safer way to cancel a frozen virt-install.

I recently installed the latest version (3.1.0) of QEMU, and I have been having trouble getting virt-manager to work correctly, presumably because it isn't connected to the right dependencies. Some of my other troubles are described in this thread.

I run the following command:

~$ virt-install \
> --name myWINVM \
> --boot uefi \
> --ram 32768 \
> --graphics vnc,listen=0.0.0.0 \
> --machine pc \
> --features kvm_hidden=on \
> --hostdev 9:00.0,address.type=pci,address.multifunction=on \
> --hostdev 9:00.1,address.type=pci \
> --hostdev 0a:00.0,address.type=pci,address.multifunction=on \
> --machine pc \
> --vcpus 4 \
> --os-type windows \
> --os-variant win10 \
> --network bridge=virbr0 \
> --console pty,target_type=serial \
> --disk /home/boss/Downloads/Win10_1809Oct_English_x64.iso,device=cdrom \
> --disk /home/boss/Downloads/virtio-win-0.1.164.iso,device=cdrom \
> --disk path=/home/boss/testVM/WINVM.img,bus=virtio,size=120

and my output is this:

Starting install...
Allocating 'WINVM.img'                                      | 120 GB  00:04     
ERROR    internal error: process exited while connecting to monitor: 2019-02-21T01:58:56.827372Z qemu-system-x86_64: -enable-kvm: unsupported machine type 'pc-i440fx-3.1'
Use -machine help to list supported machines
Removing disk 'WINVM.img'                                   |    0 B  00:00     
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start myWINVM
otherwise, please restart your installation.

In addition to trying the git version of qemu, I also tried building the current SPICE server from the SPICE website:

Note: if I specify q35, I get the exact same error:

~$ virt-install \
> --name myWINVM \
> --boot uefi \
> --ram 32768 \
> --graphics vnc,listen=0.0.0.0 \
> --machine q35 \
> --features kvm_hidden=on \
> --hostdev 9:00.0,address.type=pci,address.multifunction=on \
> --hostdev 9:00.1,address.type=pci \
> --hostdev 0a:00.0,address.type=pci,address.multifunction=on \
> --machine pc \
> --vcpus 4 \
> --os-type windows \
> --os-variant win10 \
> --network bridge=virbr0 \
> --console pty,target_type=serial \
> --disk /home/boss/Downloads/Win10_1809Oct_English_x64.iso,device=cdrom \
> --disk /home/boss/Downloads/virtio-win-0.1.164.iso,device=cdrom \
> --disk path=/home/boss/testVM/WINVM.img,bus=virtio,size=120

Starting install...
Allocating 'WINVM.img'                                      | 120 GB  00:04     
ERROR    internal error: process exited while connecting to monitor: 2019-02-21T04:08:50.597025Z qemu-system-x86_64: -enable-kvm: unsupported machine type 'pc-i440fx-3.1'
Use -machine help to list supported machines
Removing disk 'WINVM.img'                                   |    0 B  00:00     
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start myWINVM
otherwise, please restart your installation.

Edit: I think the issue must be with virt-manager, because I was able to create a qemu system and view it with VNC using the following:

sudo qemu-system-x86_64 \
> -name WINVM,process=WINVM \
> -machine type=q35,accel=kvm \
> -smp 4,sockets=1,cores=2,threads=2 \
> -m 16G \
> -rtc clock=host,base=localtime \
> -serial none \
> -vga qxl \
> -parallel none \
> -boot order=dc \
> -drive file=/home/boss/Downloads/virtio-win-0.1.164.iso,index=1,media=cdrom \
> -drive file=/home/boss/Downloads/virtio-win-0.1.164.iso,index=2,media=cdrom
qemu-system-x86_64: This family of AMD CPU doesn't support hyperthreading(2). Please configure -smp options properly or try enabling topoext feature.
VNC server running on ::1:5900

Edit: My next step will to be to start from scratch from a new host system, and manually build and install all the latest software components before. So that would be QEMU, libvirt, virt-manager, and spice-server.. Am I forgetting anything? Is there anything I should do to make sure the packages I am building find each other?

Anyway, if that fails I'll probably admit defeat and go back to the repository version, even if it has some issues.

Update: I was not able to get the manually compiled qemu, libvirtd, and virt-manager to all work together, and decided to admit defeat (for the moment). If the reset bug that started this whole thing gets too annoying, maybe I will throw caution to the wind and try Arch.

In setting up a domain with virsh, I had always assumed that the "slot" of a PCI card referred to which slot on the motherboard it was in. However, that seems not two be the case, cards in two different physical slots are assigned to the same "slot" by virsh. The first two devices are part of a GTX 1070, the third is a Sonnet PCI usb card.

Also, what are these two different bus IDs? Is the bus ID of the first one 67 or 43?

~$ virsh nodedev-dumpxml pci_0000_43_00_0
<device>
  <name>pci_0000_43_00_0</name>
  <path>/sys/devices/pci0000:40/0000:40:01.3/0000:43:00.0</path>
  <parent>pci_0000_40_01_3</parent>
  <driver>
    <name>nouveau</name>
  </driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>67</bus>
    <slot>0</slot>
    <function>0</function>
    <product id='0x1b81'>GP104 [GeForce GTX 1070]</product>
    <vendor id='0x10de'>NVIDIA Corporation</vendor>
    <iommuGroup number='39'>
      <address domain='0x0000' bus='0x43' slot='0x00' function='0x0'/>
      <address domain='0x0000' bus='0x43' slot='0x00' function='0x1'/>
    </iommuGroup>
    <pci-express>
      <link validity='cap' port='0' speed='8' width='16'/>
      <link validity='sta' speed='2.5' width='8'/>
    </pci-express>
  </capability>
</device>

~$ virsh nodedev-dumpxml pci_0000_43_00_1
<device>
  <name>pci_0000_43_00_1</name>
  <path>/sys/devices/pci0000:40/0000:40:01.3/0000:43:00.1</path>
  <parent>pci_0000_40_01_3</parent>
  <driver>
    <name>snd_hda_intel</name>
  </driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>67</bus>
    <slot>0</slot>
    <function>1</function>
    <product id='0x10f0'>GP104 High Definition Audio Controller</product>
    <vendor id='0x10de'>NVIDIA Corporation</vendor>
    <iommuGroup number='39'>
      <address domain='0x0000' bus='0x43' slot='0x00' function='0x0'/>
      <address domain='0x0000' bus='0x43' slot='0x00' function='0x1'/>
    </iommuGroup>
    <pci-express>
      <link validity='cap' port='0' speed='8' width='16'/>
      <link validity='sta' speed='2.5' width='8'/>
    </pci-express>
  </capability>
</device>

~$ virsh nodedev-dumpxml pci_0000_0a_00_0
<device>
  <name>pci_0000_0a_00_0</name>
  <path>/sys/devices/pci0000:00/0000:00:03.1/0000:0a:00.0</path>
  <parent>pci_0000_00_03_1</parent>
  <driver>
    <name>xhci_hcd</name>
  </driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>10</bus>
    <slot>0</slot>
    <function>0</function>
    <product id='0x1242'>ASM1142 USB 3.1 Host Controller</product>
    <vendor id='0x1b21'>ASMedia Technology Inc.</vendor>
    <iommuGroup number='18'>
      <address domain='0x0000' bus='0x0a' slot='0x00' function='0x0'/>
    </iommuGroup>
    <numa node='0'/>
    <pci-express>
      <link validity='cap' port='1' speed='5' width='2'/>
      <link validity='sta' speed='5' width='2'/>
    </pci-express>
  </capability>
</device>

I want to use the latest kernel (currently 4.19) with Ubuntu Server 18.04, and I also want to use ZFS.

Although ZFS appears to install correctly, it apparently does not get installed into the right kernel. Is there something additional I need to do to get kernel module like ZFS to install into the right kernel? Or do I need to build it specially for my kernel until a backport is provided?

Also, I did install the new kernel before installing ZFS. Previously I had tried upgrading the kernel after installing ZFS, which broke ZFS and gave me a "no installation candidate" message when I tried to reinstall it from that version.

~$ zpool list
The ZFS modules are not loaded.
Try running '/sbin/modprobe zfs' as root to load them.
~$ sudo /sbin/modprobe zfs
modprobe: FATAL: Module zfs not found in directory /lib/modules/4.19.6-041906-generic
~$ sudo apt install -y zfsutils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'zfsutils-linux' instead of 'zfsutils'
zfsutils-linux is already the newest version (0.7.5-1ubuntu16.4).
0 upgraded, 0 newly installed, 0 to remove and 127 not upgraded.
~$ sudo apt install zfs-initramfs 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
zfs-initramfs is already the newest version (0.7.5-1ubuntu16.4).
0 upgraded, 0 newly installed, 0 to remove and 127 not upgraded.

~$ ls /lib/modules/4.15.0-29-generic/kernel
arch   crypto   fs      lib  net    ubuntu  zfs
block  drivers  kernel  mm   sound  virt
~$ ls /lib/modules/4.19.6-041906-generic/kernel
arch  block  crypto  drivers  fs  kernel  lib  mm  net  sound  virt

I am attempting to set up iSCSI with a virtual machine as the initiator and the host as the target. I was looking at these instructions, among others: https://www.tecmint.com/setup-iscsi-target-and-initiator-on-debian-9/ and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/sect-virtualization-storage_pools-creating-iscsi-adding_target_virt-manager

I suspect that my LUN is not set up correctly, because tgt doesn't seem to know where the backing storage is:

$ sudo tgtadm --mode target --op show
Target 1: iqn.2018-11.ubuntu:ssdShare
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
            SCSI ID: IET     00010000
            SCSI SN: beaf10
            Size: 0 MB, Block size: 1
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            SWP: No
            Thin-provisioning: No
            Backing store type: null
            Backing store path: None
            Backing store flags: 
    Account information:
    ACL information:
        ALL

But as far as I can tell, the configuration file is set up correctly:

$ nano /etc/tgt/targets.conf

include /etc/tgt/conf.d/*.conf
<target iqn.2018-11.ubuntu:ssdShare>
 backing-store /dev/nvme2n1p1
 backing-store /dev/nvme1n11
</target>

and according to the webmin panel I set up, it looks OK as far as I know:

I am suspect that this is why I can't provision a virtual machine with the drive I am sharing via iscsi:

So my questions are:

1. Does the lack of a device path in the output of tgtadm explain my inability to provision the VM?

2. If so, what else do I need to configure to make that happen?

3. If not, where else should I look to figure out what's wrong?

Edit: Also, what is backing-store /dev/nvme1n11? It's not a device that exists on my machine or ever has, and I did not add it. In any case, deleting that line did not help, but I am confused as to how a non-existent device path ended up there.

I am confused about how ZFS snapshots and rollback are supposed to work. I have a zpool containing a couple zvols (each made from partitions of a mirrorvdev). I make a snapshot like this:

~$ sudo zfs snapshot nvme-tank@roll_test

Then I boot a VM located on one of the zvols in the zpool and create a test file

~$ echo "This is a test of the rollback system" > rbtest.txt

Then I shut down the VM and do the rollback. As I understand the concept, the rollback should revert everything in nvme-tank to the state it was when I took the snapshot, before making rbtest.txt.

~$ sudo zfs rollback nvme-tank@roll_test

I then reboot the vm, check for rbtest.txt, and there it is, still there!

The snapshot is there:

~$ zfs list -t all -r nvme-tank
NAME                  USED  AVAIL  REFER  MOUNTPOINT
nvme-tank             887G  12.1G    24K  /media/nvme-tank
nvme-tank@nov82018      0B      -    24K  -
nvme-tank@roll_test     0B      -    24K  -
nvme-tank/ext4-zvol   474G   449G  37.8G  -
nvme-tank/ntfs-zvol   413G  23.9G   401G  -

So, am I misunderstanding what snapshots are supposed to do, using them incorrectly, or is something broken with my zfs?

First, I create a clear linux vm with virt-install

virt-install \
--name CLEAR \
--ram 65536 \
--disk path=/guest_images/Linux_main/CLEAR.img,bus=virtio,size=450 \
--vcpus 8 \
--os-type linux \
--os-variant generic \
--network bridge=virbr0 \
--graphics vnc  \
--console pty,target_type=serial \
--cdrom /media/big-tank-8TB/OSISOS/clear-25720-installer.iso

The installer starts up and I choose the only available device "vda", which I assume must be the CLEAR.img file, so I choose to create a parition there and install (also, not sure why no partitions show, this img is on a zvol that I had previously formatted to ext4)

The installer apparently completes successfully.

But after rebooting, I am stuck in Seabios "booting from the hard disk"

I tried changing the drive interface from virtio to ide, but it did not help. Not sure what to try next.

I also tried these instructions from the Clear Linux website with which I was able to start up, but ran into problems connecting via vnc, and more relevant to my question, when I tried to virt-install start the provided .img file, I got the same seabios "booting from hard disk" forever that I got after installing via the .iso. I suspect the problem might be that I need to provide a UEFI file like in the Clear Linux instructions, but I am not sure how to do this when using virsh and and existing VM.

I am trying to figure out the optimal way to share storage with multiple VMs on the same box. I am aware of a range of options: NFS, iSCSI, fibrechannel, bridged, etc, but I am unclear how they fit together or are mutually exclusive.

Here are a few statments of what I understand to be true based on what I have read so far, but an not certain of. If someone could either affirm or correct my understanding, that would be great. At this time I am thinking about using Proxmox (KVM+ZFS), but if other hypervisors have important differences with respect to these statements, please do explain.

True or False?:

1. For sharing storage devices between VMs on the same host, I can used bridged networking to maximize speed.

2. With bridged networking, no physical network hardware is being used, instead the CPU is acting as a virtual NIC, which is faster because the limit is the speed of the system bus, rather than of ethernet/fibrechannel etc.

3. For the reason stated above, there is no benefit to using something fancy like fibrechannel to share storage with VMs, except the elimination of a small amount of CPU overhead. Using a fibrechannel card would be needlessly creating an extra step for VM interaction with the hosted storage.

4. The speed and complexity of setup of iSCSI vs NFS is something that varies a lot between hypervisors, so this choice should be made once I have everything else decided.

What are the performance and stability implications of running resource intensive services in a hypervisor vs guest OS?

I want to set up a workstation with both Linux and Windows, hosted by (probably) KVM. Both will use some of the same services: For example, the VMs will be stored on zvols and share a zpool devoted to file storage.

I am hung up on deciding which services to run in the hypervisor OS, and which to run in a VM. If I put services like ZFS in a VM, I am worried that they might be slower (as they will have to work via the hypervisor) or more error prone, as they will depend on controller pass-through (one more thing to have problems with).

On the other hand, I am worried that burdening the hypervisor with too many extra tasks will cause problems, and I am also worried about how much memory ZFS will consume if I don’t put it in a virtual machine with defined limits (I’m thinking to devote 32 Gb to whichever OS is running ZFS. And I’m worried that having too much stuff installed in the hypervisor will make conflicts which affect the whole system more likely (as those conflicts would occur inside the hypervisor).

I am planning to build a multi-OS workstation overseen by (probably) KVM, on which I will do a variety of tasks. Some of these tasks lend themselves to multithreading better than others, so I want to maximize clock speed as much as possible. To this end, I am considering the pros and cons of a dual socket setup so that I can get more clock speed with the same number of cores. However, it is my understanding that the usefulness of dual socket builds is limited by slow communication between the CPUs. So my thought is that if I allot resources intelligently, dual socket might work well, but if not it could be a disaster.

So here are a few things that I'd like to understand:

1. If the host OS is exclusively using one socket and the actively used guest exclusively using the other socket, how much will those two sockets need to communicate?

2. How much does the hypervisor benefit from having access to more cores?

3. How smart is KVM (or other hypervisors) in terms of alloting resources between CPU sockets vs CPU cores? Are there some things I should set manually and others I should let be decided by the hypervisor?

An important consideration is that at any given time, only one or at most two VMs will be needing lots of resources, the other two or three should be pretty light at all times.