Posted to dev@cloudstack.apache.org by Nathan Johnson <nj...@ena.com.INVALID> on 2019/03/13 14:29:29 UTC

Proposal for EFI firmware support on KVM

I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.

I've added the following properties to be configured in the agent.properties:

guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
guest.loader.image - this would be the path to the bios/efi image
guest.loader.nvram - this optionally points to an nvram image


Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:

1) the host has guest.loader.efi set to true in its agent.properties
2) the vm has the vm details parameter efi=true

At present there is no automatic way for the management server to know in advance which hosts have EFI enabled.  I suppose this could be approximated using tags.  It might be nice to make this more automatic, and have the resource planner aware of the efi toggle on the VM, but I'm not sure how best to implement that or if it's even worth it.

Thanks in advance!


Nathan Johnson
Senior R&D Engineer
Education Networks of America
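
An added sketch of the two-condition gate described in the proposal above; it is not code from the proposed patch or from CloudStack. The function names, the sample paths, the read-only pflash loader attributes and the use of guest.loader.nvram as a libvirt nvram template are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.properties content; the paths are illustrative only.
SAMPLE_AGENT_PROPERTIES = """\
# EFI settings proposed in this thread
guest.loader.efi=true
guest.loader.image=/usr/share/OVMF/OVMF_CODE.fd
guest.loader.nvram=/usr/share/OVMF/OVMF_VARS.fd
"""


def parse_properties(text):
    """Parse a minimal Java-style .properties file (key=value, # or ! comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(value):
    return str(value).strip().lower() == "true"


def build_os_element(agent_props, vm_details):
    """Build the <os> element of a domain XML.

    <loader>/<nvram> are injected only when BOTH the host property
    guest.loader.efi and the VM detail efi are true.
    """
    os_el = ET.Element("os")
    ET.SubElement(os_el, "type", arch="x86_64").text = "hvm"

    host_efi = is_true(agent_props.get("guest.loader.efi", "false"))
    vm_efi = is_true(vm_details.get("efi", "false"))
    if not (host_efi and vm_efi):
        return os_el  # BIOS guest: nothing is injected

    image = agent_props.get("guest.loader.image", "")
    if not image.startswith("/"):
        # Fail closed instead of emitting a <loader> with an empty or relative path.
        raise ValueError("guest.loader.efi is true but guest.loader.image "
                         "is not an absolute path")

    # Assumption: firmware code is mapped as read-only pflash so a guest
    # cannot modify the image shared by every EFI guest on the host.
    ET.SubElement(os_el, "loader", readonly="yes", type="pflash").text = image

    nvram = agent_props.get("guest.loader.nvram")
    if nvram:
        # Assumption: treated as a template so libvirt creates a separate
        # variable store per guest; the post does not say which form is used.
        ET.SubElement(os_el, "nvram", template=nvram)
    return os_el


def render(agent_text, vm_details):
    """Return the <os> fragment as a string for the given host and VM settings."""
    element = build_os_element(parse_properties(agent_text), vm_details)
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    print(render(SAMPLE_AGENT_PROPERTIES, {"efi": "true"}))   # EFI guest
    print(render(SAMPLE_AGENT_PROPERTIES, {}))                # BIOS guest
```
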




Re: Proposal for EFI firmware support on KVM

Posted by Nux! <nu...@li.nux.ro>.
Thanks!

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Sven Vogel" <sv...@qform.de>
> To: "dev" <de...@cloudstack.apache.org>
> Sent: Wednesday, 27 March, 2019 22:34:24
> Subject: Re: Proposal for EFI firmware support on KVM

> Hi Nux,
> 
> I think kvm is the same as VMware. Have a look here.
> 
> "Do I need a host with EFI firmware?
> 
> No.  The host's firmware is totally independent of the virtual machine's
> firmware, so BIOS hosts can run EFI virtual machines, and EFI hosts can run
> BIOS virtual machines."
> 
> https://communities.vmware.com/docs/DOC-28494
> 
> Von
> 
>> On 27.03.2019 at 13:06, Nux! <nu...@li.nux.ro> wrote:
>> 
>> Stupid question: does the hypervisor need to be running in EFI mode as well for
>> this to work properly?
>> 
>> I don't think that's a requirement at all, but just making sure. I am avoiding
>> EFI like the plague, but at some point I'll need to bite the bullet.
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
>> 
>> ----- Original Message -----
>>> From: "Nathan Johnson" <nj...@ena.com.INVALID>
>>> To: "dev" <de...@cloudstack.apache.org>
>>> Sent: Wednesday, 13 March, 2019 14:29:29
>>> Subject: Proposal for EFI firmware support on KVM
>> 
>>> I've put together an approach for EFI support that we would like to get some
>>> feedback on before I create a PR.  Constructive criticism would be appreciated.
>>> 
>>> I've added the following properties to be configured in the agent.properties:
>>> 
>>> guest.loader.efi - boolean to switch efi on.  This must be true before it will
>>> inject any <loader> entries into the domain xml
>>> guest.loader.image - this would be the path to the bios/efi image
>>> guest.loader.nvram - this optionally points to an nvram image
>>> 
>>> 
>>> Even when a host is configured so that it can use EFI, it will only actually
>>> create a virtual machine when both of the following conditions are met:
>>> 
>>> 1) the host has guest.loader.efi set to true in its agent.properties
>>> 2) the vm has the vm details parameter efi=true
>>> 
>>> At present there is no automatic way for the management server to know in
>>> advance which hosts have EFI enabled.  I suppose this could be approximated
>>> using tags.  It might be nice to make this more automatic, and have the
>>> resource planner aware of the efi toggle on the VM, but I'm not sure how best
>>> to implement that or if it's even worth it.
>>> 
>>> Thanks in advance!
>>> 
>>> 
>>> Nathan Johnson
>>> Senior R&D Engineer
>>> Education Networks of America

Re: Proposal for EFI firmware support on KVM

Posted by Sven Vogel <sv...@qform.de>.
Hi Nux,

I think kvm is the same as VMware. Have a look here.

"Do I need a host with EFI firmware?

No.  The host's firmware is totally independent of the virtual machine's firmware, so BIOS hosts can run EFI virtual machines, and EFI hosts can run BIOS virtual machines."

https://communities.vmware.com/docs/DOC-28494

Von

> On 27.03.2019 at 13:06, Nux! <nu...@li.nux.ro> wrote:
> 
> Stupid question: does the hypervisor need to be running in EFI mode as well for this to work properly?
> 
> I don't think that's a requirement at all, but just making sure. I am avoiding EFI like the plague, but at some point I'll need to bite the bullet.
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> ----- Original Message -----
>> From: "Nathan Johnson" <nj...@ena.com.INVALID>
>> To: "dev" <de...@cloudstack.apache.org>
>> Sent: Wednesday, 13 March, 2019 14:29:29
>> Subject: Proposal for EFI firmware support on KVM
> 
>> I've put together an approach for EFI support that we would like to get some
>> feedback on before I create a PR.  Constructive criticism would be appreciated.
>> 
>> I've added the following properties to be configured in the agent.properties:
>> 
>> guest.loader.efi - boolean to switch efi on.  This must be true before it will
>> inject any <loader> entries into the domain xml
>> guest.loader.image - this would be the path to the bios/efi image
>> guest.loader.nvram - this optionally points to an nvram image
>> 
>> 
>> Even when a host is configured so that it can use EFI, it will only actually
>> create a virtual machine when both of the following conditions are met:
>> 
>> 1) the host has guest.loader.efi set to true in its agent.properties
>> 2) the vm has the vm details parameter efi=true
>> 
>> At present there is no automatic way for the management server to know in
>> advance which hosts have EFI enabled.  I suppose this could be approximated
>> using tags.  It might be nice to make this more automatic, and have the
>> resource planner aware of the efi toggle on the VM, but I'm not sure how best
>> to implement that or if it's even worth it.
>> 
>> Thanks in advance!
>> 
>> 
>> Nathan Johnson
>> Senior R&D Engineer
>> Education Networks of America

Re: Proposal for EFI firmware support on KVM

Posted by Nux! <nu...@li.nux.ro>.
Stupid question: does the hypervisor need to be running in EFI mode as well for this to work properly?

I don't think that's a requirement at all, but just making sure. I am avoiding EFI like the plague, but at some point I'll need to bite the bullet.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nathan Johnson" <nj...@ena.com.INVALID>
> To: "dev" <de...@cloudstack.apache.org>
> Sent: Wednesday, 13 March, 2019 14:29:29
> Subject: Proposal for EFI firmware support on KVM

> I've put together an approach for EFI support that we would like to get some
> feedback on before I create a PR.  Constructive criticism would be appreciated.
> 
> I've added the following properties to be configured in the agent.properties:
> 
> guest.loader.efi - boolean to switch efi on.  This must be true before it will
> inject any <loader> entries into the domain xml
> guest.loader.image - this would be the path to the bios/efi image
> guest.loader.nvram - this optionally points to an nvram image
> 
> 
> Even when a host is configured so that it can use EFI, it will only actually
> create a virtual machine when both of the following conditions are met:
> 
> 1) the host has guest.loader.efi set to true in its agent.properties
> 2) the vm has the vm details parameter efi=true
> 
> At present there is no automatic way for the management server to know in
> advance which hosts have EFI enabled.  I suppose this could be approximated
> using tags.  It might be nice to make this more automatic, and have the
> resource planner aware of the efi toggle on the VM, but I'm not sure how best
> to implement that or if it's even worth it.
> 
> Thanks in advance!
> 
> 
> Nathan Johnson
> Senior R&D Engineer
> Education Networks of America

Re: Proposal for EFI firmware support on KVM

Posted by Nathan Johnson <nj...@ena.com.INVALID>.
Nathan Johnson
Senior R&D Engineer
Education Networks of America



> On Mar 14, 2019, at 9:14 AM, Wido den Hollander <wi...@widodh.nl> wrote:
> 
> 
> 
> On 3/13/19 3:29 PM, Nathan Johnson wrote:
>> I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.
>> 
>> I've added the following properties to be configured in the agent.properties:
>> 
>> guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
>> guest.loader.image - this would be the path to the bios/efi image
>> guest.loader.nvram - this optionally points to an nvram image
>> 
>> 
>> Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:
>> 
>> 1) the host has guest.loader.efi set to true in its agent.properties
> 
> Can't we detect if the host is EFI capable without the need of adding a
> new flag to the agent.properties?

There is no way that I'm aware of.  libvirt expects its EFI configuration to come from the domain xml.

> 
> It advertises the capability of EFI to the Mgmt server and only then can
> efi=true Instances be started on that host.
> 
>> 2) the vm has the vm details parameter efi=true
>> 
>> At present there is no automatic way for the management server to know
>> in advance which hosts have EFI enabled.  I suppose this could be
>> approximated using tags.  It might be nice to make this more automatic,
>> and have the resource planner aware of the efi toggle on the VM, but I'm
>> not sure how best to implement that or if it's even worth it.
>> 
> 
> As others already mentioned. The Agent/Host capabilities should be
> sufficient?

Technically any host with a sufficiently new version of qemu can support efi, but again the domain xml has to be modified so that it points to the EFI firmware image location on disk.  There really is no "host" level configuration, it's really per-domain.


Re: Proposal for EFI firmware support on KVM

Posted by Wido den Hollander <wi...@widodh.nl>.

On 3/13/19 3:29 PM, Nathan Johnson wrote:
> I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.
> 
> I've added the following properties to be configured in the agent.properties:
> 
> guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
> guest.loader.image - this would be the path to the bios/efi image
> guest.loader.nvram - this optionally points to an nvram image
> 
> 
> Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:
> 
> 1) the host has guest.loader.efi set to true in its agent.properties

Can't we detect if the host is EFI capable without the need of adding a
new flag to the agent.properties?

It advertises the capability of EFI to the Mgmt server and only then can
efi=true Instances be started on that host.

> 2) the vm has the vm details parameter efi=true
> 
> At present there is no automatic way for the management server to know
> in advance which hosts have EFI enabled.  I suppose this could be
> approximated using tags.  It might be nice to make this more automatic,
> and have the resource planner aware of the efi toggle on the VM, but I'm
> not sure how best to implement that or if it's even worth it.
> 

As others already mentioned. The Agent/Host capabilities should be
sufficient?

Wido

> Thanks in advance!
> 
> 
> Nathan Johnson
> Senior R&D Engineer
> Education Networks of America
> 
> 
> 

Re: Proposal for EFI firmware support on KVM

Posted by Nathan Johnson <nj...@ena.com.INVALID>.

> On Mar 13, 2019, at 10:56 AM, Nicolas Vazquez <Ni...@shapeblue.com> wrote:
> 
> Hi Nathan,
> 
> I propose an approach similar to the one taken to enable DPDK on guest VMs for KVM: https://github.com/apache/cloudstack/pull/2839. I think you can follow a similar approach here:
> 
> - Add a property to enable EFI on the KVM hosts 'agent.properties' file
> - Pass VM additional configurations (pieces of XML to include on the VM domain) on VM deployments or stopped VMs. These additional configurations are passed to the hypervisors only if setting 'enable.additional.vm.configuration' is enabled.
> 
> Regarding letting management server know which hosts are EFI enabled, I think you can use host capabilities. When agents connect to management server, they send the list of capabilities. A new capability for EFI can be sent to management server only when the property on agent.properties is set to true. Host tags is a good approach as well but capabilities will make it more robust in case host tags are not created.

I will look into this, thanks for the suggestion.  So I guess the deployment planner would then need to be aware of that specific VM detail at that point - "efi" in this case?

Thanks!

> 
> 
> Regards,
> 
> Nicolas Vazquez
> 
> ________________________________
> From: Sven Vogel <S....@ewerk.com>
> Sent: Wednesday, March 13, 2019 11:55 AM
> To: dev@cloudstack.apache.org
> Subject: Re: Proposal for EFI firmware support on KVM
> 
> Hi Nathan,
> 
> Sounds not bad. Yes we think it could be a good idea.
> 
> It point 2) is where can be found the efi=true?
> 
> And Second
> 
> How can we decide which machine will use efi or normal bios? efi=true flag?
> 
> The settings for the agent sound good.
> 
> After that it should be possible to use tianocore ovmf
> 
> https://github.com/tianocore/tianocore.github.io/wiki/OVMF
> 
> Greetings
> 
> Sven
> 
> 
> Sent from my iPhone
> 
> 
> __
> 
> Sven Vogel
> Teamlead Platform
> 
> EWERK RZ GmbH
> Brühl 24, D-04109 Leipzig
> P +49 341 42649 - 11
> F +49 341 42649 - 18
> S.Vogel@ewerk.com
> www.ewerk.com
> 
> Managing directors:
> Dr. Erik Wende, Hendrik Schubert, Frank Richter, Gerhard Hoyer
> Court of registration: Leipzig HRB 17023
> 
> Certified according to:
> ISO/IEC 27001:2013
> DIN EN ISO 9001:2015
> DIN ISO/IEC 20000-1:2011
> 
> 
> On 13.03.2019 at 15:30, Nathan Johnson <nj...@ena.com.invalid> wrote:
> 
> I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.
> 
> I've added the following properties to be configured in the agent.properties:
> 
> guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
> guest.loader.image - this would be the path to the bios/efi image
> guest.loader.nvram - this optionally points to an nvram image
> 
> 
> Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:
> 
> 1) the host has guest.loader.efi set to true in its agent.properties
> 2) the vm has the vm details parameter efi=true
> 
> At present there is no automatic way for the management server to know in advance which hosts have EFI enabled.  I suppose this could be approximated using tags.  It might be nice to make this more automatic, and have the resource planner aware of the efi toggle on the VM, but I'm not sure how best to implement that or if it's even worth it.
> 
> Thanks in advance!
> 
> 
> Nathan Johnson
> Senior R&D Engineer
> Education Networks of America
> 
> 
> 
> 
> Nicolas.Vazquez@shapeblue.com 
> www.shapeblue.com
> Amadeus House, Floral Street, London  WC2E 9DP UK
> @shapeblue
> 
> 
> 

Nathan Johnson
Senior R&D Engineer
Education Networks of America




Re: Proposal for EFI firmware support on KVM

Posted by Nicolas Vazquez <Ni...@shapeblue.com>.
Hi Nathan,

I propose an approach similar to the one taken to enable DPDK on guest VMs for KVM: https://github.com/apache/cloudstack/pull/2839. I think you can follow a similar approach here:

- Add a property to enable EFI on the KVM hosts 'agent.properties' file
- Pass VM additional configurations (pieces of XML to include on the VM domain) on VM deployments or stopped VMs. These additional configurations are passed to the hypervisors only if setting 'enable.additional.vm.configuration' is enabled.

Regarding letting management server know which hosts are EFI enabled, I think you can use host capabilities. When agents connect to management server, they send the list of capabilities. A new capability for EFI can be sent to management server only when the property on agent.properties is set to true. Host tags is a good approach as well but capabilities will make it more robust in case host tags are not created.


Regards,

Nicolas Vazquez

________________________________
From: Sven Vogel <S....@ewerk.com>
Sent: Wednesday, March 13, 2019 11:55 AM
To: dev@cloudstack.apache.org
Subject: Re: Proposal for EFI firmware support on KVM

Hi Nathan,

Sounds not bad. Yes we think it could be a good idea.

It point 2) is where can be found the efi=true?

And Second

How can we decide which machine will use efi or normal bios? efi=true flag?

The settings for the agent sound good.

After that it should be possible to use tianocore ovmf

https://github.com/tianocore/tianocore.github.io/wiki/OVMF

Greetings

Sven


Sent from my iPhone


__

Sven Vogel
Teamlead Platform

EWERK RZ GmbH
Brühl 24, D-04109 Leipzig
P +49 341 42649 - 11
F +49 341 42649 - 18
S.Vogel@ewerk.com
www.ewerk.com

Managing directors:
Dr. Erik Wende, Hendrik Schubert, Frank Richter, Gerhard Hoyer
Court of registration: Leipzig HRB 17023

Certified according to:
ISO/IEC 27001:2013
DIN EN ISO 9001:2015
DIN ISO/IEC 20000-1:2011


On 13.03.2019 at 15:30, Nathan Johnson <nj...@ena.com.invalid> wrote:

I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.

I've added the following properties to be configured in the agent.properties:

guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
guest.loader.image - this would be the path to the bios/efi image
guest.loader.nvram - this optionally points to an nvram image


Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:

1) the host has guest.loader.efi set to true in its agent.properties
2) the vm has the vm details parameter efi=true

At present there is no automatic way for the management server to know in advance which hosts have EFI enabled.  I suppose this could be approximated using tags.  It might be nice to make this more automatic, and have the resource planner aware of the efi toggle on the VM, but I'm not sure how best to implement that or if it's even worth it.

Thanks in advance!


Nathan Johnson
Senior R&D Engineer
Education Networks of America




Nicolas.Vazquez@shapeblue.com 
www.shapeblue.com
Amadeus House, Floral Street, London  WC2E 9DP UK
@shapeblue
  
 


Re: Proposal for EFI firmware support on KVM

Posted by Sven Vogel <S....@ewerk.com>.
Hi Nathan,

Sounds not bad. Yes we think it could be a good idea.

It point 2) is where can be found the efi=true?

And Second

How can we decide which machine will use efi or normal bios? efi=true flag?

The settings for the agent sound good.

After that it should be possible to use tianocore ovmf

https://github.com/tianocore/tianocore.github.io/wiki/OVMF

Greetings

Sven


Sent from my iPhone


__

Sven Vogel
Teamlead Platform

EWERK RZ GmbH
Brühl 24, D-04109 Leipzig
P +49 341 42649 - 11
F +49 341 42649 - 18
S.Vogel@ewerk.com
www.ewerk.com

Managing directors:
Dr. Erik Wende, Hendrik Schubert, Frank Richter, Gerhard Hoyer
Court of registration: Leipzig HRB 17023

Certified according to:
ISO/IEC 27001:2013
DIN EN ISO 9001:2015
DIN ISO/IEC 20000-1:2011


On 13.03.2019 at 15:30, Nathan Johnson <nj...@ena.com.invalid> wrote:

I've put together an approach for EFI support that we would like to get some feedback on before I create a PR.  Constructive criticism would be appreciated.

I've added the following properties to be configured in the agent.properties:

guest.loader.efi - boolean to switch efi on.  This must be true before it will inject any <loader> entries into the domain xml
guest.loader.image - this would be the path to the bios/efi image
guest.loader.nvram - this optionally points to an nvram image


Even when a host is configured so that it can use EFI, it will only actually create a virtual machine when both of the following conditions are met:

1) the host has guest.loader.efi set to true in its agent.properties
2) the vm has the vm details parameter efi=true

At present there is no automatic way for the management server to know in advance which hosts have EFI enabled.  I suppose this could be approximated using tags.  It might be nice to make this more automatic, and have the resource planner aware of the efi toggle on the VM, but I'm not sure how best to implement that or if it's even worth it.

Thanks in advance!


Nathan Johnson
Senior R&D Engineer
Education Networks of America