<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Menlo;
panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0cm;
margin-bottom:.0001pt;
background:#FEF49C;
font-size:9.0pt;
font-family:Menlo;
color:black;}
span.s2
{mso-style-name:s2;
color:#BD311B;}
span.s1
{mso-style-name:s1;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Hey just a follow up on this ...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">FYI ... it does appear that when UEFI booting a VM, a per-instance copy of the
<span style="background:aqua;mso-highlight:aqua">OVMF_VARS.fd</span> is indeed created.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">See below:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">root</span><span class="apple-converted-space">
</span><span class="s1">97276</span><span class="apple-converted-space"> </span>
<span class="s1">1</span><span class="apple-converted-space"> </span><span class="s1">0 Oct05 ?</span><span class="apple-converted-space">
</span><span class="s1">00:01:41 /usr/libexec/qemu-kvm -c 0x00000000000000000000000000000001 -n 4 --proc-type=secondary --file-prefix=vs -- -enable-dpdk -name guest=instance-0000003a,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-instance-0000003a/master-key.aes
-machine pc-i440fx-rhel7.3.0,accel=kvm,usb=off,dump-guest-core=off -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on
<span style="background:aqua;mso-highlight:aqua">-drive file=/var/lib/libvirt/qemu/nvram/instance-0000003a_VARS.fd,if=pflash</span>,format=raw,unit=1 -m 512 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/mnt/huge-2048kB/libvirt/qemu/2-instance-0000003a,share=yes,size=536870912,host-nodes=0,policy=bind
-numa node,nodeid=0,cpus=0,memdev=ram-node0 -uuid 13c69f91-e91d-4162-aea5-d53aaa7053b0 -sm</span><span class="s2"><b>bios</b></span><span class="s1"> type=1,manufacturer=Fedora Project,product=OpenStack Nova,version=14.0.3-1.tis.243,serial=81f8fdfa-744c-4f60-bd39-edb5f0cfd39d,uuid=13c69f91-e91d-4162-aea5-d53aaa7053b0,family=Virtual
Machine -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-2-instance-0000003a/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay
-no-hpet -no-shutdown -boot reboot-timeout=5000,strict=on -global i440FX-pcihost.pci-hole64-size=67108864K -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/dev/disk/by-path/ip-192.168.205.6:3260-iscsi-iqn.2010-10.org.openstack:volume-4c1d2d08-5f13-42ee-8cd4-db950614e031-lun-0,format=raw,if=none,id=drive-ide0-0-0,readonly=on,serial=4c1d2d08-5f13-42ee-8cd4-db950614e031,cache=none,aio=native
-device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/dev/disk/by-path/ip-192.168.205.6:3260-iscsi-iqn.2010-10.org.openstack:volume-c2c57148-c7ca-4516-8f06-6ed205524057-lun-0,format=raw,if=none,id=drive-virtio-disk0,serial=c2c57148-c7ca-4516-8f06-6ed205524057,cache=none,aio=native
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -chardev socket,id=charnet0,path=/var/run/vswitch/usvhost-b3113aee-fc06-4277-8e65-c6f2c3b0415d -netdev vhost-user,chardev=charnet0,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:69:16:ec,bus=pci.0,addr=0x3
-add-fd set=0,fd=30 -chardev file,id=charserial0,path=/dev/fdset/0,append=on -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0,bus=usb.0,port=1 -vnc
0.0.0.0:0 -k en-us -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Greg.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
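<p class="MsoNormal">Added example, not part of the original message and not Nova or libvirt code: a small check of the property the process listing above shows, namely that the guest gets a read-only firmware code flash plus its own writable variable store, so that UEFI variable changes such as Secure Boot keys stay confined to one guest. The function names, the constructed sample command lines and the rule that the NVRAM file name contains the guest name are assumptions drawn from that single listing.</p>

```python
import shlex

TEMPLATE_DIR = "/usr/share/OVMF/"  # shared firmware images named in the thread

def parse_opts(value):
    """Split a QEMU 'k=v,k2=v2' option string into a dict."""
    return dict(part.partition("=")[::2] for part in value.split(","))

def pflash_drives(cmdline):
    """Return (guest_name, {unit: options}) for each if=pflash -drive."""
    argv = shlex.split(cmdline)
    guest, drives = None, {}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-name":
            guest = parse_opts(value).get("guest")
        elif flag == "-drive":
            opts = parse_opts(value)
            if opts.get("if") == "pflash":
                drives[int(opts.get("unit", "0"))] = opts
    return guest, drives

def audit(cmdline):
    """List isolation problems in a guest's firmware flash setup."""
    guest, drives = pflash_drives(cmdline)
    code, nvram = drives.get(0), drives.get(1)
    if code is None or nvram is None:
        return ["no CODE/VARS pflash pair found"]
    findings = []
    if code.get("readonly") != "on":
        findings.append("firmware code flash is writable")
    path = nvram.get("file", "")
    if path.startswith(TEMPLATE_DIR):
        findings.append("variable store is the shared template")
    if guest and guest not in path:
        findings.append("variable store is not named after the guest")
    return findings

# Constructed samples: GOOD is shortened from the listing above; BAD is a
# hypothetical guest whose unit 1 points at the template itself.
GOOD = ("/usr/libexec/qemu-kvm -name guest=instance-0000003a,debug-threads=on "
        "-drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on "
        "-drive file=/var/lib/libvirt/qemu/nvram/instance-0000003a_VARS.fd,"
        "if=pflash,format=raw,unit=1 -m 512")
BAD = GOOD.replace("/var/lib/libvirt/qemu/nvram/instance-0000003a_VARS.fd",
                   "/usr/share/OVMF/OVMF_VARS.fd")

if __name__ == "__main__":
    for name, line in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(line) or "ok")
```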
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Steve Gordon <sgordon@redhat.com><br>
<b>Reply-To: </b>"openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org><br>
<b>Date: </b>Thursday, September 28, 2017 at 2:50 PM<br>
<b>To: </b>"openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org><br>
<b>Subject: </b>Re: [openstack-dev] [nova] how does UEFI booting of VM manage per-instance copies of OVMF_VARS.fd ?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">----- Original Message -----<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #B5C4DF 4.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-right:0cm" id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE">
<div>
<p class="MsoNormal">From: "Jay Pipes" <<a href="mailto:jaypipes@gmail.com">jaypipes@gmail.com</a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">To: <a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Sent: Thursday, September 28, 2017 12:53:16 PM<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Subject: Re: [openstack-dev] [nova] how does UEFI booting of VM manage per-instance copies of OVMF_VARS.fd ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">On 09/27/2017 09:09 AM, Waines, Greg wrote:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> Hey there ... a question about UEFI booting of VMs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> i.e.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> glance image-create --file cloud-2730.qcow --disk-format qcow2<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> --container-format bare --property "hw-firmware-type=uefi" --name<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> clear-linux-image<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> in order to specify that you want to use UEFI (instead of BIOS) when<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> booting VMs with this image<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> i.e. /usr/share/OVMF/OVMF_CODE.fd<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> /usr/share/OVMF/OVMF_VARS.fd<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> and I believe you can boot into the UEFI Shell, i.e. to change UEFI<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> variables in NVRAM (OVMF_VARS.fd) by<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> booting VM with /usr/share/OVMF/UefiShell.iso in cd ...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> e.g. to change Secure Boot keys or something like that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> My QUESTION ...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> * how does NOVA manage a unique instance of OVMF_VARS.fd for each instance ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">>   - I believe OVMF_VARS.fd is supposed to just be used as a template, and<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> is supposed to be copied to make a unique instance for each VM that UEFI<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> boots<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">>   - how does NOVA manage this ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">>     - e.g. is the unique instance of OVMF_VARS.fd created in<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> /etc/nova/instances/<UUID>/ ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">>   - ... and does this get migrated to another compute if VM is migrated ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Hi Greg,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I think the following part of the code essentially sums up what you're<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">experiencing [1]:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">LOG.warning("uefi support is without some kind of "<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> "functional testing and therefore "<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> "considered experimental.")<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">[1]<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L4530-L4532">https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L4530-L4532</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> From what I can tell, the bootloader is hardcoded to<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">"/usr/share/OVMF/OVMF_CODE.fd" for x86_64:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L130">https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L130</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L4534-L4535">https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L4534-L4535</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">and I see no way to change it via a configuration variable...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Yet another half-baked, completely untested "feature" added to Nova. :(<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">-jay<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Pretty much, just enough to convince folks it could work without enough for it to actually...work. Kashyap was looking at this recently and has this WIP specification up for further discussion of how to best clean this up:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> <a href="https://review.openstack.org/#/c/506720/">https://review.openstack.org/#/c/506720/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It's not clear to me that this covers all of the above issues as yet. As noted the existing implementation will only work with a bootloader path that lines up perfectly with what is hardcoded, and even with the distro included ones that
is not necessarily the case.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Steve Gordon,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Principal Product Manager,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Red Hat OpenStack Platform<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>