[libvirt] [PATCH 15/15] qemu: set CAP_COMPROMISE_KERNEL so that pci passthrough works

Daniel P. Berrange berrange at redhat.com
Fri Feb 8 19:12:54 UTC 2013


On Fri, Feb 08, 2013 at 12:07:16PM -0700, Eric Blake wrote:
> On 02/07/2013 02:37 PM, Laine Stump wrote:
> > Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> > able to perform PCI passthrough device assignment without 1) running
> > qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> > /etc/libvirt/qemu.conf.
> > 
> > This patch is the final piece to make pci passthrough once again work
> > properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> > virCommand is properly setup to honor that request for non-root child
> > processes, it will actually do some good.
> > 
> > It is still necessary to set the file capability for the qemu binary,
> > however (see the rules for determining effective caps of a process
> > running as non-root in "man 7 capabilities"). This can be done with:
> > 
> >   filecap $path-to-qemu-binary compromise_kernel
> 
> Sounds like something that should be done by default at least for the
> Fedora packaging of qemu - that is, if the kernel folks don't honor our
> request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
> all read()/write().
> 
> We may not need this patch, if the kernel folks are sensible.

Yes, I want to push this back onto the kernel developers. IMHO this is
a userspace ABI change they've made here. The secureboot stuff should
be a complete no-op if the kernel is not booted in secureboot mode,
but the current kernel patch does not satisfy that. I don't think it
should be libvirt or KVM's job to fix this kernel breakage.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list