#!/bin/bash
set -e

#################
# Configuration #
#################

# Name of the libvirt domain this script starts and waits on.
#VM_DOMAIN="local"
VM_DOMAIN='dlp-us-sv-win1'

#
# PCI devices handed to the VM (bound to the vfio-pci stub driver):
#
#   01:00.0 VGA compatible controller: NVIDIA Corporation GP104 [GeForce GTX 1070] (rev a1)
#   01:00.1 Audio device: NVIDIA Corporation GP104 High Definition Audio Controller (rev a1)
#   00:1f.3 Audio device: Intel Corporation 200 Series PCH HD Audio
#   00:14.0 USB device: Intel Corporation 200 Series/Z370 Chipset Family USB 3.0 xHCI Controller
#
# Passed through as well, but NOT forced onto the stub driver (so not listed below):
#   0b:00.0 Non-Volatile memory controller: Phison Electronics Corporation E12 NVMe Controller (rev 01)
#
PCI_DEVICEIDS='0000:01:00.0 0000:01:00.1 0000:00:1f.3 0000:00:14.0'

# Blacklisted services and modules: stopped/unloaded before the devices are
# passed through, started/loaded again once the VM has stopped.
BLACKLISTED_SERVICES='gdm bumblebeed'
BLACKLISTED_MODULES='nvidia_drm nvidia_modeset nvidia_uvm nvidia snd_hda_intel xhci_pci'
#BLACKLISTED_MODULES="nvidia_modeset nvidia"

# Ensured services and modules: started/loaded before the devices are passed
# through and left running after the devices are reattached.
ENSURE_SERVICES='libvirtd'
#ENSURE_MODULES="virtio virtio_net virtio_blk virtio_console virtio_balloon virtio_ring 9pnet_virtio virtio_crypto iptable_nat ip_conntrack_netbios_ns nf_nat nf_tables nft_masq_ipv4 nft_masq_ipv6 nft_chain_nat_ipv6 nft_chain_nat_ipv4"
ENSURE_MODULES='vfio-pci virtio virtio_net virtio_blk virtio_console virtio_balloon virtio_ring 9pnet_virtio virtio_crypto iptable_nat ip_conntrack_netbios_ns nf_nat nf_tables nft_masq nft_chain_nat'

# Start services and modules: started/loaded before the devices are passed
# through and stopped/unloaded after the devices are reattached.
# (winbind is intentionally left out of the list.)
START_SERVICES='nmb smb'
START_MODULES='virtio-pci'

# Number of 1 GiB HugePages to request; roughly the VM's memory allocation
# divided by 1 GiB.
HUGEPAGE_COUNT=16

# CPU isolation. The *_MASK values are hexadecimal bitmasks of the matching
# core list.
TOTAL_CORES='0-7'
TOTAL_CORES_MASK=FF   # cores 0-7 -> 0b11111111
HOST_CORES='0,4'      # cores kept for the host
HOST_CORES_MASK=11    # cores 0,4 -> 0b00010001
# Cores reserved for virtual machine(s): other processes are kept off them.
# This is not the same thing as the VM's own cpu list.
VIRT_CORES='1-3,5-7'
################
# DO NOT TOUCH #
################
# Every stage below writes to sysfs/procfs or drives systemctl, modprobe and
# virsh, so refuse to continue unless the effective UID is 0.
if (( EUID != 0 )); then
  echo "this script must be run as the super-user"
  exit 1
fi
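# Stage dispatcher.
#
# "$1" names the stage to begin at; an empty or missing argument means
# "start". Every stage ends in ';&', so execution falls through from the
# selected stage to the end of the list. Naming a later stage (for example
# "restore-devices") therefore resumes the sequence from that point.
#
# Stage order: start, prep-services, passthrough-devices, setup-hugepages,
# isolate-cores, start-vm, wait-vm, restore-settings, unisolate-cores,
# teardown-hugepages, restore-modules, restore-devices, restore-services.
#
# NOTE(review): there is no EXIT trap. When a command fails under 'set -e'
# part-way through, the host keeps whatever state had been reached (services
# stopped, devices on vfio-pci, cores restricted, watchdog off). Recover by
# re-running the script with the matching restore stage.
case "$1" in
  "" | start)
    echo "[INFO] Verifying Configuration"
    # An empty result (virsh itself failing, e.g. unknown domain) also ends up
    # in this branch, because the text "shut off" is then absent.
    if [[ ! $(virsh domstate "${VM_DOMAIN}") =~ "shut off" ]]; then
      echo "[ERROR] The virtual machine ${VM_DOMAIN} is already started"
      exit 1
    fi

    echo "[INFO] Rescanning PCI devices in case prior run failed"
    echo 1 > /sys/bus/pci/rescan
    sleep 0.5

    echo "[INFO] Verifying that devices exist"
    # The loop variable has to be 'dev'. With any other name the test below
    # expands ${dev} to nothing, checks the directory /sys/bus/pci/devices/
    # itself, and can never fail.
    for dev in ${PCI_DEVICEIDS}; do
      if [[ ! -e "/sys/bus/pci/devices/${dev}" ]]; then
        echo "[ERROR] Device ${dev} was not found"
        echo "[ERROR] /sys/bus/pci/devices/${dev} was not found"
        exit 1
      fi
    done

    echo "[INFO] Verifying that kernel modules exist"
    # -n: dry run. -a: treat every argument as a module name; without it
    # modprobe takes only the first word as the module and the remaining
    # words as its parameters, so only one module would be verified.
    modprobe -n -a ${ENSURE_MODULES} ${START_MODULES}
    echo "[INFO] Configuration Verified"
    ;&

  prep-services)
    echo "[INFO] Preparing services and drivers"
    # A leading '!' inverts the exit status, which also exempts the command
    # from 'set -e': these three steps are best effort.
    # NOTE(review): run as root, the two killall lines terminate every
    # process, of any user, whose command name contains "gnome" or "gdm-"
    # (plain substring match from grep).
    ! ps axco command | grep gnome | xargs killall 2>/dev/null
    ! ps axco command | grep gdm- | xargs killall 2>/dev/null
    ! virsh net-start default 2>/dev/null
    sleep 3

    for i in ${BLACKLISTED_SERVICES}; do
      echo "[INFO] -> Stopping service ${i}"
      if systemctl is-active --quiet "${i}"; then
        systemctl stop "${i}"
      fi
    done

    echo "[INFO] -> Unloading kernel module ${BLACKLISTED_MODULES}"
    # Intentionally unquoted: the list is split into one module per word.
    modprobe -r ${BLACKLISTED_MODULES}

    for i in ${ENSURE_SERVICES} ${START_SERVICES}; do
      echo "[INFO] -> Starting service ${i}"
      systemctl start "${i}"
    done

    for i in ${ENSURE_MODULES} ${START_MODULES}; do
      echo "[INFO] -> Loading kernel module ${i}"
      modprobe "${i}"
    done
    sleep 0.25
    ;&

  passthrough-devices)
    echo "[INFO] Passing through PCI devices"
    # Trying to unbind the GPU results in general protection faults, so each
    # device is hot-removed and rediscovered by a bus rescan instead.
    # NOTE(review): nothing here inspects IOMMU grouping; confirm that each
    # listed device's IOMMU group holds no device the host still needs.
    for dev in ${PCI_DEVICEIDS}; do
      # Up to five attempts per device.
      for it in {1..5}; do
        if [[ -e "/sys/bus/pci/drivers/vfio-pci/${dev}" ]]; then
          echo "[INFO] -> Device ${dev} is already attached to vfio-pci"
          break
        fi

        vendor=$(cat "/sys/bus/pci/devices/${dev}/vendor")
        device=$(cat "/sys/bus/pci/devices/${dev}/device")
        echo "[INFO] -> Passing through device ${dev} (${vendor} ${device}) Attempt ${it}"

        echo "[INFO] ----> Issuing PCI hotplug remove command"
        echo 1 > "/sys/bus/pci/devices/${dev}/remove"
        # NOTE(review): both waits are unbounded; a device that never
        # disappears or never comes back hangs the script here.
        while [[ -e "/sys/bus/pci/devices/${dev}" ]]; do sleep 0.1; done

        echo "[INFO] ----> Rescan PCI bus to rediscover device"
        echo 1 > /sys/bus/pci/rescan
        while [[ ! -e "/sys/bus/pci/devices/${dev}" ]]; do sleep 0.1; done

        echo "[INFO] ----> Adding device to vfio-pci id list"
        # Best effort ('!'). new_id matches on vendor/device id rather than
        # on the bus address, so another device sharing the id can be claimed
        # by vfio-pci as well.
        ! echo "${vendor} ${device}" > /sys/bus/pci/drivers/vfio-pci/new_id
        sleep 2

        echo "[INFO] ----> Verifying device is attached to vfio-pci stub driver"
        if [[ -e "/sys/bus/pci/drivers/vfio-pci/${dev}" ]]; then
          break
        fi
        if (( it == 5 )); then
          echo "[ERROR] ----> DEVICE IS NOT ATTACHED TO VFIO-PCI"
          exit 1
        fi
        echo "[WARN] ----> DEVICE IS NOT ATTACHED TO VFIO-PCI"
        sleep 5
      done
    done
    ;&

  setup-hugepages)
    echo "[INFO] Dropping kernel caches & compacting memory"
    echo 3 > /proc/sys/vm/drop_caches
    echo 1 > /proc/sys/vm/compact_memory
    sleep 3

    echo "[INFO] Attempting to allocate ${HUGEPAGE_COUNT} HugePages"
    echo "${HUGEPAGE_COUNT}" > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
    # Read the value back: the kernel may grant fewer pages than requested.
    ALLOC_PAGES=$(cat /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages)
    echo "[INFO] Tried to allocate hugepages. Got pages ${ALLOC_PAGES} / ${HUGEPAGE_COUNT}"
    if [[ "${ALLOC_PAGES}" -ne "${HUGEPAGE_COUNT}" ]]; then
      echo "[ERROR] Unable to allocate sufficient hugepages"
      # Give back the partial allocation through the same 1 GiB pool that was
      # written above. /proc/sys/vm/nr_hugepages addresses the default-size
      # pool, which is only this pool when the default size is 1 GiB.
      echo 0 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
      exit 1
    fi
    ;&

  isolate-cores)
    echo "[INFO] Reserving CPUs ${VIRT_CORES} for VM"
    # --runtime: the property change does not persist across a reboot.
    systemctl set-property --runtime -- user.slice "AllowedCPUs=${HOST_CORES}"
    systemctl set-property --runtime -- system.slice "AllowedCPUs=${HOST_CORES}"
    systemctl set-property --runtime -- init.scope "AllowedCPUs=${HOST_CORES}"
    # The kernel's dirty page writeback mechanism uses kthread workers. They
    # introduce massive arbitrary latencies when doing disk writes on the host
    # and aren't migrated by systemd. Restrict the writeback workqueue to the
    # host cores (HOST_CORES_MASK).
    echo "${HOST_CORES_MASK}" > /sys/bus/workqueue/devices/writeback/cpumask
    echo 0 > /sys/bus/workqueue/devices/writeback/numa
    ;&

  start-vm)
    echo "[INFO] Starting virtual machine (${VM_DOMAIN})"
    #ulimit -r 99
    #sysctl -w kernel.sched_rt_runtime_us=-1
    # The kernel watchdog stays disabled until the restore-settings stage.
    sysctl vm.stat_interval=120
    sysctl -w kernel.watchdog=0
    virsh start "${VM_DOMAIN}"
    sleep 15

    # Renice every thread id listed in each machine-qemu*.scope cgroup.
    for f in /sys/fs/cgroup/machine.slice/machine-qemu*.scope/cgroup.threads; do
      # Log the file path. '$($f)' would try to execute the cgroup file as a
      # command instead of naming it.
      echo "[INFO] libvirt-qemu nice: Setting ${f}'s nice level to -1"
      for pid in $(cat "$f"); do
        renice -n "-1" -p "$pid"
      done
    done
    ;&

  wait-vm)
    #read -p "[WAIT] Press enter when VM has completed"
    echo "[INFO] Waiting for virtual machine to exit"
    # Poll every 15 s until the domain state contains "shut off".
    until [[ $(virsh domstate "${VM_DOMAIN}") =~ "shut off" ]]; do
      sleep 15
    done
    ;&

  restore-settings)
    #ulimit -r 0
    #sysctl -w kernel.sched_rt_runtime_us=950000
    # NOTE(review): these are fixed values, not the values the host had
    # before start-vm changed them.
    sysctl vm.stat_interval=1
    sysctl -w kernel.watchdog=1
    ;&

  unisolate-cores)
    echo "[INFO] Unreserving CPUs ${VIRT_CORES}"
    systemctl set-property --runtime -- user.slice "AllowedCPUs=${TOTAL_CORES}"
    systemctl set-property --runtime -- system.slice "AllowedCPUs=${TOTAL_CORES}"
    systemctl set-property --runtime -- init.scope "AllowedCPUs=${TOTAL_CORES}"
    echo "${TOTAL_CORES_MASK}" > /sys/bus/workqueue/devices/writeback/cpumask
    echo 1 > /sys/bus/workqueue/devices/writeback/numa
    ;&

  teardown-hugepages)
    echo "[INFO] Attempting to deallocate ${HUGEPAGE_COUNT} HugePages"
    echo 0 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
    ;&

  restore-modules)
    # Both loops are best effort ('!'): a module that cannot be unloaded or
    # loaded yet must not abort the rest of the restore sequence.
    for i in ${START_MODULES}; do
      echo "[INFO] -> Unloading kernel module ${i}"
      ! modprobe -r "${i}" 2>/dev/null
    done
    for i in ${BLACKLISTED_MODULES}; do
      echo "[INFO] -> Trying to load kernel module ${i}"
      ! modprobe "${i}"
    done
    ;&

  restore-devices)
    for dev in ${PCI_DEVICEIDS}; do
      # Up to five attempts per device.
      for it in {1..5}; do
        if [[ ! -e "/sys/bus/pci/drivers/vfio-pci/${dev}" ]]; then
          echo "[INFO] -> Device ${dev} is not attached to vfio-pci"
          break
        fi

        vendor=$(cat "/sys/bus/pci/devices/${dev}/vendor")
        device=$(cat "/sys/bus/pci/devices/${dev}/device")
        echo "[INFO] -> Returning device ${dev} to host (${vendor} ${device}) Attempt ${it}"

        echo "[INFO] ----> Removing device from vfio-pci id list"
        ! echo "${vendor} ${device}" > /sys/bus/pci/drivers/vfio-pci/remove_id
        sleep 2

        echo "[INFO] ----> Issuing PCI hotplug remove command"
        echo 1 > "/sys/bus/pci/devices/${dev}/remove"
        # NOTE(review): unbounded waits, as in passthrough-devices.
        while [[ -e "/sys/bus/pci/devices/${dev}" ]]; do sleep 0.1; done

        echo "[INFO] ----> Rescan PCI bus to rediscover device"
        echo 1 > /sys/bus/pci/rescan
        while [[ ! -e "/sys/bus/pci/devices/${dev}" ]]; do sleep 0.1; done

        echo "[INFO] ----> Verifying device is no longer attached to vfio-pci stub driver"
        if [[ ! -e "/sys/bus/pci/drivers/vfio-pci/${dev}" ]]; then
          break
        fi
        if (( it == 5 )); then
          echo "[ERROR] ----> DEVICE IS STILL ATTACHED TO VFIO-PCI"
          echo "Run $0 restore-devices again"
          exit 1
        fi
        echo "[WARN] ----> DEVICE IS STILL ATTACHED TO VFIO-PCI"
        sleep 5
      done
    done

    # Try reloading modules again after hardware dependencies have loaded
    for i in ${BLACKLISTED_MODULES}; do
      echo "[INFO] -> Trying to load kernel module ${i}"
      ! modprobe "${i}"
    done
    ;&

  restore-services)
    echo "[INFO] Restoring services and drivers"
    for i in ${START_SERVICES}; do
      echo "[INFO] -> Stopping service ${i}"
      if systemctl is-active --quiet "${i}"; then
        systemctl stop "${i}"
      fi
    done
    for i in ${BLACKLISTED_SERVICES}; do
      echo "[INFO] -> Starting service ${i}"
      ! systemctl start "${i}"
    done
    sleep 0.25
    # The closing message lives in this arm: a second 'restore-services)'
    # label could never be selected by name and was reached by fall-through
    # only.
    echo "[INFO] Done!"
    ;;

  *)
    # A mistyped stage name used to match nothing and exit 0 silently.
    echo "[ERROR] Unknown stage '$1'" >&2
    exit 2
    ;;
esac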