
[QEMU] Generic object creation (1)

2022-07-28 16:03  Author: -小白之家-
  • -object typename[,prop1=value1,...]

  • Create a new object of type typename, setting properties in the order they are specified. Note that the "id" property must be set. These objects are placed in the "/objects" path.

    • -object memory-backend-file,id=id,size=size,mem-path=dir,share=on|off,discard-data=on|off,merge=on|off,dump=on|off,prealloc=on|off,host-nodes=host-nodes,policy=default|preferred|bind|interleave,align=align,pmem=on|off,readonly=on|off

    • Creates a memory file backend object, which can be used to back the guest RAM with huge pages.

      The id parameter is a unique ID that will be used to reference this memory region in other parameters, e.g. -numa, -device nvdimm, etc.

      The size option provides the size of the memory region, and accepts common suffixes, e.g. 500M.

      The mem-path provides the path to either a shared memory or huge page filesystem mount.

      The share boolean option determines whether the memory region is marked as private to QEMU, or shared. The latter allows a co-operating external process to access the QEMU memory region; with share=on the guest's RAM is therefore readable by any host process that can open the backing file, so the mem-path directory must be restricted to the user running QEMU.

      Setting share=on is also required for pvrdma devices due to limitations in the RDMA API provided by Linux.

      Setting share=on might affect the ability to configure NUMA bindings for the memory backend under some circumstances; see Documentation/vm/numa_memory_policy.txt in the Linux kernel source tree for additional details.

      Setting the discard-data boolean option to on indicates that file contents can be destroyed when QEMU exits, to avoid unnecessarily flushing data to the backing file. Note that discard-data is only an optimization, and QEMU might not discard file contents if it aborts unexpectedly or is terminated using SIGKILL.

      The merge boolean option enables memory merge, also known as MADV_MERGEABLE, so that Kernel Samepage Merging will consider the pages for memory deduplication.

      Setting the dump boolean option to off excludes the memory from core dumps. This feature is also known as MADV_DONTDUMP.

      The prealloc boolean option enables memory preallocation.

      The host-nodes option binds the memory range to a list of NUMA host nodes.

      The policy option sets the NUMA policy to one of the following values:

      • default: default host policy

      • preferred: prefer the given host node list for allocation

      • bind: restrict memory allocation to the given host node list

      • interleave: interleave memory allocations across the given host node list

      The align option specifies the base address alignment when QEMU mmap(2)s mem-path, and accepts common suffixes, e.g. 2M. Some backing stores specified by mem-path require an alignment different from the default one used by QEMU, e.g. the device DAX /dev/dax0.0 requires 2M alignment rather than 4K. In such cases, users can specify the required alignment via this option.

      The pmem option specifies whether the backing file specified by mem-path is in host persistent memory that can be accessed using the SNIA NVM programming model (e.g. Intel NVDIMM). If pmem is set to 'on', QEMU will take the necessary steps to guarantee the persistence of its own writes to mem-path (e.g. in vNVDIMM label emulation and live migration). In addition, the backing file is mapped with the MAP_SYNC flag, which ensures the file metadata is in sync for mem-path in case of a host crash or a power failure. MAP_SYNC requires support from both the host kernel (since Linux kernel 4.15) and the filesystem of mem-path, which must be mounted with the DAX option.

      The readonly option specifies whether the backing file is opened read-only or read-write (default).

    • -object memory-backend-ram,id=id,merge=on|off,dump=on|off,share=on|off,prealloc=on|off,size=size,host-nodes=host-nodes,policy=default|preferred|bind|interleave

    • Creates a memory backend object, which can be used to back the guest RAM. Memory backend objects offer more control than the -m option that is traditionally used to define guest RAM. Please refer to memory-backend-file for a description of the options.

    • -object memory-backend-memfd,id=id,merge=on|off,dump=on|off,share=on|off,prealloc=on|off,size=size,host-nodes=host-nodes,policy=default|preferred|bind|interleave,seal=on|off,hugetlb=on|off,hugetlbsize=size

    • Creates an anonymous memory file backend object, which allows QEMU to share the memory with an external process (e.g. when using vhost-user). The memory is allocated with memfd and optional sealing. (Linux only)

      The seal option creates a sealed file, which will block further resizing of the memory ('on' by default).

      The hugetlb option specifies that the file to be created resides in the hugetlbfs filesystem (since Linux 4.14). Used in conjunction with the hugetlb option, the hugetlbsize option specifies the hugetlb page size on systems that support multiple hugetlb page sizes (it must be a power of 2 value supported by the system).

      In some versions of Linux, the hugetlb option is incompatible with the seal option (requires at least Linux 4.16).

      Please refer to memory-backend-file for a description of the other options.

      The share boolean option is on by default with memfd.
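The memory-backend-file and memory-backend-memfd options above are easy to get subtly wrong: a non-power-of-two align, or share=on on a mem-path that other host users can read. The script below is an added example, not code from the QEMU project or from this page. It builds the two -object strings and applies those checks before QEMU is started; the hugetlbfs path /dev/hugepages/vm1, the choice of prealloc=on and discard-data=on, and the function names are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the QEMU documentation: assemble and sanity-check
# memory-backend-file / memory-backend-memfd object strings before starting a
# guest.  Nothing here runs QEMU; the functions only print the -object values.

# Convert a size with an optional K/M/G suffix (as QEMU accepts) to bytes.
to_bytes() {
    n=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# align= must be a power of two (e.g. 2M for a device-DAX mem-path).
is_pow2() {
    v=$(to_bytes "$1")
    [ "$v" -gt 0 ] && [ $((v & (v - 1))) -eq 0 ]
}

# True if DIR is a hugetlbfs mount point.  Reads /proc/mounts by default
# (Linux only); a different mounts file can be passed for testing.
is_hugetlbfs_mount() {
    awk -v d="$1" '$2 == d && $3 == "hugetlbfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}" 2>/dev/null
}

# True if nobody but the owner can enter DIR (group/other bits all clear).
dir_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# memory-backend-file: with share=on the guest's RAM is a readable file on the
# host, so refuse a mem-path that other users can reach.  prealloc=on makes
# allocation failures show up at startup rather than when the guest touches
# the page, and discard-data=on keeps QEMU from flushing guest memory to the
# file on exit (drop it for pmem backends, where the contents must persist).
mem_backend_file_args() {   # id size mem-path [share] [align]
    id=$1 size=$2 dir=$3 share=${4:-off} align=$5
    [ -d "$dir" ] || { echo "mem-path $dir is not a directory" >&2; return 1; }
    if [ "$share" = on ] && ! dir_is_private "$dir"; then
        echo "refusing share=on: $dir is accessible to other users" >&2
        return 1
    fi
    args="memory-backend-file,id=$id,size=$size,mem-path=$dir,share=$share,prealloc=on,discard-data=on"
    if [ -n "$align" ]; then
        is_pow2 "$align" || { echo "align=$align is not a power of two" >&2; return 1; }
        args="$args,align=$align"
    fi
    printf '%s\n' "$args"
}

# memory-backend-memfd: share=on is the default; seal=on (also the default) is
# written out because a vhost-user peer must not be able to resize the region
# underneath QEMU.
mem_backend_memfd_args() {   # id size [hugetlb]
    id=$1 size=$2 hugetlb=${3:-off}
    args="memory-backend-memfd,id=$id,size=$size,share=on,seal=on"
    [ "$hugetlb" = on ] && args="$args,hugetlb=on"
    printf '%s\n' "$args"
}

# Usage: print the object strings for a 4G guest.  /dev/hugepages/vm1 is an
# assumed, operator-created directory (mode 0700) on the hugetlbfs mount.
mem_backend_memfd_args shm0 4G
if is_hugetlbfs_mount /dev/hugepages && [ -d /dev/hugepages/vm1 ]; then
    mem_backend_file_args ram0 4G /dev/hugepages/vm1 on 2M
fi
```

The permission check uses the directory mode only; on hosts with ACLs or SELinux, check those as well before exposing guest memory through a shared file.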

    • -object rng-builtin,id=id

    • Creates a random number generator backend which obtains entropy from QEMU builtin functions. The id parameter is a unique ID that will be used to reference this entropy backend from the virtio-rng device. By default, the virtio-rng device uses this RNG backend.

    • -object rng-random,id=id,filename=/dev/random

    • Creates a random number generator backend which obtains entropy from a device on the host. The id parameter is a unique ID that will be used to reference this entropy backend from the virtio-rng device. The filename parameter specifies which file to obtain entropy from and if omitted defaults to /dev/urandom.

    • -object rng-egd,id=id,chardev=chardevid

    • Creates a random number generator backend which obtains entropy from an external daemon running on the host. The id parameter is a unique ID that will be used to reference this entropy backend from the virtio-rng device. The chardev parameter is the unique ID of a character device backend that provides the connection to the RNG daemon.
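The rng-random backend above takes whatever file it is pointed at, so a practitioner wants to confirm the source is really a character device before the guest starts depending on it. The script below is an added example, not code from QEMU or this page: it validates the source and prints the backend plus virtio-rng device arguments. The max-bytes/period rate limit is a property of the virtio-rng device rather than of the backend and is not described on this page; the IDs and the 4096-bytes-per-second figure are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the QEMU documentation: pick and check a host
# entropy source for a rng-random backend, and wire it to a virtio-rng device.

# A usable source must be a character device the QEMU process can read.
# A regular file would be read to EOF and then leave the guest starved.
rng_source_ok() {
    [ -c "$1" ] && [ -r "$1" ]
}

# Print the backend and device arguments.  rng-random already defaults to
# /dev/urandom when filename is omitted; it is passed explicitly here so the
# choice is visible in the VM definition and in ps output.  Optional
# MAX_BYTES per PERIOD milliseconds caps how fast one guest can drain the
# host pool; a few KiB/s is plenty for seeding the guest's own CSPRNG.
rng_args() {   # id [source] [max_bytes] [period_ms]
    id=$1 src=${2:-/dev/urandom} max_bytes=$3 period=$4
    rng_source_ok "$src" || { echo "$src is not a readable character device" >&2; return 1; }
    dev="virtio-rng-pci,rng=$id"
    if [ -n "$max_bytes" ] && [ -n "$period" ]; then
        dev="$dev,max-bytes=$max_bytes,period=$period"
    fi
    printf '%s\n' "-object rng-random,id=$id,filename=$src -device $dev"
}

# Usage: the kernel CSPRNG, limited to 4 KiB per second for this guest.
rng_args rng0 /dev/urandom 4096 1000
```

Raw hardware RNG devices (such as /dev/hwrng on Linux) pass the check too, but their output has not been through the host kernel's conditioning; /dev/urandom remains the safer default for guests.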

    • -object tls-creds-anon,id=id,endpoint=endpoint,dir=/path/to/cred/dir,verify-peer=on|off

    • Creates a TLS anonymous credentials object, which can be used to provide TLS support on network backends. The id parameter is a unique ID which network backends will use to access the credentials. The endpoint is either server or client depending on whether the QEMU network backend that uses the credentials will be acting as a client or as a server. If verify-peer is enabled (the default) then once the handshake is completed, the peer credentials will be verified, though this is a no-op for anonymous credentials. Anonymous credentials encrypt the connection but authenticate neither side, so they give no protection against an active attacker on the network path; use tls-creds-psk or tls-creds-x509 wherever the peer must be authenticated.

      The dir parameter tells QEMU where to find the credential files. For server endpoints, this directory may contain a file dh-params.pem providing Diffie-Hellman parameters to use for the TLS server. If the file is missing, QEMU will generate a set of DH parameters at startup. This is a computationally expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated upfront and saved.

    • -object tls-creds-psk,id=id,endpoint=endpoint,dir=/path/to/keys/dir[,username=username]

    • Creates a TLS Pre-Shared Keys (PSK) credentials object, which can be used to provide TLS support on network backends. The id parameter is a unique ID which network backends will use to access the credentials. The endpoint is either server or client depending on whether the QEMU network backend that uses the credentials will be acting as a client or as a server. For clients only, username is the username which will be sent to the server. If omitted it defaults to "qemu".

      The dir parameter tells QEMU where to find the keys file. It is called "dir/keys.psk" and contains "username:key" pairs. This file can most easily be created using the GnuTLS psktool program.

      For server endpoints, dir may also contain a file dh-params.pem providing Diffie-Hellman parameters to use for the TLS server. If the file is missing, QEMU will generate a set of DH parameters at startup. This is a computationally expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated up front and saved.

    • -object tls-creds-x509,id=id,endpoint=endpoint,dir=/path/to/cred/dir,priority=priority,verify-peer=on|off,passwordid=id

    • Creates a TLS x509 credentials object, which can be used to provide TLS support on network backends. The id parameter is a unique ID which network backends will use to access the credentials. The endpoint is either server or client depending on whether the QEMU network backend that uses the credentials will be acting as a client or as a server. If verify-peer is enabled (the default) then once the handshake is completed, the peer credentials will be verified. With x509 certificates, this implies that the clients must be provided with valid client certificates too.

      The dir parameter tells QEMU where to find the credential files. For server endpoints, this directory may contain a file dh-params.pem providing Diffie-Hellman parameters to use for the TLS server. If the file is missing, QEMU will generate a set of DH parameters at startup. This is a computationally expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated upfront and saved.

      For x509 certificate credentials the directory will contain further files providing the x509 certificates. The certificates must be stored in PEM format, in filenames ca-cert.pem, ca-crl.pem (optional), server-cert.pem (only servers), server-key.pem (only servers), client-cert.pem (only clients), and client-key.pem (only clients).

      For the server-key.pem and client-key.pem files which contain sensitive private keys, it is possible to use an encrypted version by providing the passwordid parameter. This provides the ID of a previously created secret object containing the password for decryption.

      The priority parameter allows overriding the global default priority used by gnutls. This can be useful if the system administrator needs to use a weaker set of crypto priorities for QEMU without potentially forcing the weakness onto all applications. Or conversely if one wants a stronger default for QEMU than for all other applications, they can do this through this parameter. Its format is a gnutls priority string as described at https://gnutls.org/manual/html_node/Priority-Strings.html.
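The file layout above (ca-cert.pem, server-/client-cert.pem and -key.pem, dh-params.pem) is the whole contract between the operator and tls-creds-x509, so it is worth scripting. The script below is an added example, not code from QEMU or this page: it generates a private CA, server and client certificates and persistent DH parameters with openssl, then checks that every file an endpoint needs is present and that no private key is readable by other users before emitting the -object argument. openssl in PATH, the /etc/pki/qemu path, the hostname vmhost.example and the object IDs are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the QEMU documentation: create the directory
# layout that tls-creds-x509 expects, check it, and build the -object value.
# Nothing here starts QEMU.

# Generate a private CA, a server certificate and a client certificate with
# the file names QEMU looks for, plus persistent dh-params.pem so QEMU does
# not burn entropy regenerating DH parameters at every start.  The CA key is
# left in DIR only for convenience; move it off the host once the certificates
# are issued.  Add a subjectAltName to the server certificate if clients are
# going to verify the server's hostname.
make_x509_dir() {   # dir [server-hostname]
    dir=$1 host=${2:-localhost}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        umask 077
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
            -subj "/CN=qemu-private-ca" -keyout ca-key.pem -out ca-cert.pem 2>/dev/null || exit 1
        for role in server client; do
            [ "$role" = server ] && cn=$host || cn="qemu-client"
            openssl req -newkey rsa:3072 -nodes -subj "/CN=$cn" \
                -keyout "$role-key.pem" -out "$role.csr" 2>/dev/null || exit 1
            openssl x509 -req -in "$role.csr" -CA ca-cert.pem -CAkey ca-key.pem \
                -CAcreateserial -days 365 -out "$role-cert.pem" 2>/dev/null || exit 1
            rm -f "$role.csr"
        done
        openssl dhparam -out dh-params.pem 2048 2>/dev/null
    )
}

# Files QEMU requires for each endpoint (ca-crl.pem is optional on both).
x509_required() {   # server|client
    case "$1" in
        server) echo "ca-cert.pem server-cert.pem server-key.pem" ;;
        client) echo "ca-cert.pem client-cert.pem client-key.pem" ;;
        *) return 1 ;;
    esac
}

# Fail if a required file is missing or any private key is readable by
# group/other: a world-readable server-key.pem lets any local user impersonate
# the QEMU server.
x509_dir_ok() {   # dir server|client
    dir=$1 ep=$2
    files=$(x509_required "$ep") || { echo "bad endpoint $ep" >&2; return 1; }
    for f in $files; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    for k in "$dir"/*-key.pem; do
        [ -e "$k" ] || continue
        perms=$(ls -l "$k" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "$k is readable by group/other" >&2; return 1; }
    done
}

# Build the -object value; priority and passwordid are passed through when set.
tls_x509_args() {   # id server|client dir [priority] [passwordid]
    id=$1 ep=$2 dir=$3 prio=$4 pwid=$5
    x509_dir_ok "$dir" "$ep" || return 1
    args="tls-creds-x509,id=$id,endpoint=$ep,dir=$dir,verify-peer=on"
    [ -n "$prio" ] && args="$args,priority=$prio"
    [ -n "$pwid" ] && args="$args,passwordid=$pwid"
    printf '%s\n' "$args"
}

# Usage (assumed paths): create the directory once with
#   make_x509_dir /etc/pki/qemu vmhost.example
# then validate and build the argument for whichever role this host plays:
for ep in server client; do
    [ -d /etc/pki/qemu ] && tls_x509_args "tls-$ep" "$ep" /etc/pki/qemu
done
```

verify-peer=on is written out even though it is the default, so that a later copy-paste cannot silently lose mutual authentication.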

    • -object tls-cipher-suites,id=id,priority=priority

    • Creates a TLS cipher suites object, which can be used to control the TLS cipher/protocol algorithms that applications are permitted to use.

      The id parameter is a unique ID which frontends will use to access the ordered list of permitted TLS cipher suites from the host.

      The priority parameter allows overriding the global default priority used by gnutls. This can be useful if the system administrator needs to use a weaker set of crypto priorities for QEMU without potentially forcing the weakness onto all applications. Or conversely if one wants a stronger default for QEMU than for all other applications, they can do this through this parameter. Its format is a gnutls priority string as described at https://gnutls.org/manual/html_node/Priority-Strings.html.

      An example of use of this object is to control UEFI HTTPS Boot. The tls-cipher-suites object exposes the ordered list of permitted TLS cipher suites from the host side to the guest firmware, via fw_cfg. The list is represented as an array of IANA_TLS_CIPHER objects. The firmware uses the IANA_TLS_CIPHER array for configuring guest-side TLS.

      In the following example, the priority at which the host-side policy is retrieved is given by the priority property. Given that QEMU uses GNUTLS, priority=@SYSTEM may be used to refer to /etc/crypto-policies/back-ends/gnutls.config.

      # qemu-system-x86_64 \
          -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
          -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0

    • -object filter-buffer,id=id,netdev=netdevid,interval=t[,queue=all|rx|tx][,status=on|off][,position=head|tail|id=<id>][,insert=behind|before]

    • Interval t can't be 0; this filter batches the packet delivery: all packets arriving in a given interval on netdev netdevid are delayed until the end of the interval. Interval is in microseconds. status is optional and indicates whether the netfilter is on (enabled) or off (disabled); the default status for a netfilter is 'on'.

      queue all|rx|tx is an option that can be applied to any netfilter.

      all: the filter is attached both to the receive and the transmit queue of the netdev (default).

      rx: the filter is attached to the receive queue of the netdev, where it will receive packets sent to the netdev.

      tx: the filter is attached to the transmit queue of the netdev, where it will receive packets sent by the netdev.

      position head|tail|id=<id> is an option to specify where the filter should be inserted in the filter list. It can be applied to any netfilter.

      head: the filter is inserted at the head of the filter list, before any existing filters.

      tail: the filter is inserted at the tail of the filter list, behind any existing filters (default).

      id=<id>: the filter is inserted before or behind the filter specified by <id>, see the insert option below.

      insert behind|before is an option to specify where to insert the new filter relative to the one specified with position=id=<id>. It can be applied to any netfilter.

      before: insert before the specified filter.

      behind: insert behind the specified filter (default).

    • -object filter-mirror,id=id,netdev=netdevid,outdev=chardevid,queue=all|rx|tx[,vnet_hdr_support][,position=head|tail|id=<id>][,insert=behind|before]

    • filter-mirror on netdev netdevid mirrors net packets to chardev chardevid; if it has the vnet_hdr_support flag, filter-mirror will mirror packets with vnet_hdr_len.

    • -object filter-redirector,id=id,netdev=netdevid,indev=chardevid,outdev=chardevid,queue=all|rx|tx[,vnet_hdr_support][,position=head|tail|id=<id>][,insert=behind|before]

    • filter-redirector on netdev netdevid redirects the filter's net packets to chardev chardevid, and redirects indev's packets to the filter. If it has the vnet_hdr_support flag, filter-redirector will redirect packets with vnet_hdr_len. When creating a filter-redirector the outdev id must differ from the indev id; they cannot be the same. Either indev or outdev alone may be used, but at least one of them must be specified.

    • -object filter-rewriter,id=id,netdev=netdevid,queue=all|rx|tx[,vnet_hdr_support][,position=head|tail|id=<id>][,insert=behind|before]

    • Filter-rewriter is a part of the COLO project. It rewrites TCP packets going from the primary to the secondary to keep the secondary's TCP connection alive, and rewrites TCP packets going from the secondary to the primary so that they can be handled by the client. If it has the vnet_hdr_support flag, it can parse packets with a vnet header.

      usage, colo secondary:
      -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
      -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
      -object filter-rewriter,id=rew0,netdev=hn0,queue=all

    • -object filter-dump,id=id,netdev=dev[,file=filename][,maxlen=len][,position=head|tail|id=<id>][,insert=behind|before]

    • Dump the network traffic on netdev dev to the file specified by filename. At most len bytes (64k by default) per packet are stored. The file format is libpcap, so it can be analyzed with tools such as tcpdump or Wireshark.
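The filter options above carry a few rules that QEMU only enforces at startup: queue must be all, rx or tx; a filter-redirector needs at least one of indev/outdev and they must differ; position=id=<id> is paired with insert=. The script below is an added example, not code from QEMU or this page: it encodes those rules so a bad chain fails before QEMU is launched, and places a filter-dump at the head of the chain so the capture records traffic before any later filter delays or rewrites it. The netdev and filter IDs and the pcap path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the QEMU documentation: build netfilter -object
# values with the ordering and indev/outdev rules from the text checked up
# front.  The functions only print the object strings; nothing runs QEMU.

# filter-dump at position=head sees packets before any other filter touches
# them, which is what you want for an incident-response capture.  maxlen is
# the per-packet byte limit (QEMU's default is 64k).
filter_dump_args() {   # id netdev file [maxlen]
    id=$1 nd=$2 file=$3 maxlen=${4:-65536}
    printf '%s\n' "filter-dump,id=$id,netdev=$nd,file=$file,maxlen=$maxlen,position=head"
}

# filter-redirector: queue must be valid, at least one of indev/outdev must be
# given, and they must not be the same chardev.
filter_redirector_args() {   # id netdev queue indev outdev
    id=$1 nd=$2 q=$3 indev=$4 outdev=$5
    case "$q" in all|rx|tx) ;; *) echo "queue must be all, rx or tx" >&2; return 1 ;; esac
    [ -n "$indev$outdev" ] || { echo "need indev or outdev" >&2; return 1; }
    [ "$indev" != "$outdev" ] || { echo "indev and outdev must differ" >&2; return 1; }
    args="filter-redirector,id=$id,netdev=$nd,queue=$q"
    [ -n "$indev" ] && args="$args,indev=$indev"
    [ -n "$outdev" ] && args="$args,outdev=$outdev"
    printf '%s\n' "$args"
}

# position=head|tail stands alone; a filter id needs insert= (behind is the
# default) to say which side of that filter the new one goes on.
filter_position_args() {   # head|tail|<filter id> [behind|before]
    case "$1" in
        head|tail) printf '%s\n' "position=$1" ;;
        *) printf '%s\n' "position=id=$1,insert=${2:-behind}" ;;
    esac
}

# Usage: capture everything on hn0 to a pcap (read it later with
# `tcpdump -nr /var/log/qemu/vm1.pcap`), hand rx traffic to an external
# chardev, and show the position string for a filter placed behind dump0.
filter_dump_args dump0 hn0 /var/log/qemu/vm1.pcap
filter_redirector_args redir0 hn0 rx "" compare0
filter_position_args dump0 behind
```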

    • -object colo-compare,id=id,primary_in=chardevid,secondary_in=chardevid,outdev=chardevid,iothread=id[,vnet_hdr_support][,notify_dev=id][,compare_timeout=ms][,expired_scan_cycle=ms][,max_queue_size=size]

    • Colo-compare gets packets from primary_in chardevid and secondary_in, then compares whether the payload of the primary packet and the secondary packet are the same. If they are the same, it outputs the primary packet to outdev; otherwise it notifies the COLO framework to do a checkpoint and sends the primary packet to outdev. To improve efficiency, the comparison work is placed in a separate iothread. If it has the vnet_hdr_support flag, colo-compare will send/receive packets with vnet_hdr_len. compare_timeout=ms sets the maximum time colo-compare holds a packet. expired_scan_cycle=ms sets the period for scanning for expired primary-node network packets. max_queue_size=size sets the maximum compare queue size, depending on the user's environment. Users of Xen COLO need to add notify_dev to notify the Xen COLO framework to do a checkpoint.

      COLO-compare must be used with the help of filter-mirror, filter-redirector and filter-rewriter.

      KVM COLO

      primary:
      -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
      -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
      -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server=on,wait=off
      -chardev socket,id=compare1,host=3.3.3.3,port=9004,server=on,wait=off
      -chardev socket,id=compare0,host=3.3.3.3,port=9001,server=on,wait=off
      -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
      -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server=on,wait=off
      -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
      -object iothread,id=iothread1
      -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
      -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
      -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
      -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,iothread=iothread1

      secondary:
      -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
      -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
      -chardev socket,id=red0,host=3.3.3.3,port=9003
      -chardev socket,id=red1,host=3.3.3.3,port=9004
      -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
      -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1

      Xen COLO

      primary:
      -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
      -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
      -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server=on,wait=off
      -chardev socket,id=compare1,host=3.3.3.3,port=9004,server=on,wait=off
      -chardev socket,id=compare0,host=3.3.3.3,port=9001,server=on,wait=off
      -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
      -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server=on,wait=off
      -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
      -chardev socket,id=notify_way,host=3.3.3.3,port=9009,server=on,wait=off
      -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
      -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
      -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
      -object iothread,id=iothread1
      -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,notify_dev=notify_way,iothread=iothread1

      secondary:
      -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
      -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
      -chardev socket,id=red0,host=3.3.3.3,port=9003
      -chardev socket,id=red1,host=3.3.3.3,port=9004
      -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
      -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1

      If you want to know the details of the above command lines, you can read the colo-compare git log.

    • -object cryptodev-backend-builtin,id=id[,queues=queues]

    • Creates a cryptodev backend which executes crypto operations from the QEMU cipher APIs. The id parameter is a unique ID that will be used to reference this cryptodev backend from the virtio-crypto device. The queues parameter is optional and specifies the number of queues of the cryptodev backend; the default is 1.

      # qemu-system-x86_64 \
          [...] \
          -object cryptodev-backend-builtin,id=cryptodev0 \
          -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
          [...]

