[libvirt] [PATCH 15/15] qemu: set CAP_COMPROMISE_KERNEL so that pci passthrough works
Daniel P. Berrange
berrange at redhat.com
Fri Feb 8 19:12:54 UTC 2013
On Fri, Feb 08, 2013 at 12:07:16PM -0700, Eric Blake wrote:
> On 02/07/2013 02:37 PM, Laine Stump wrote:
> > Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> > able to perform PCI passthrough device assignment without 1) running
> > qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> > /etc/libvirt/qemu.conf.
> >
> > This patch is the final piece to make pci passthrough once again work
> > properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> > virCommand is properly setup to honor that request for non-root child
> > processes, it will actually do some good.
> >
> > It is still necessary to set the file capability for the qemu binary,
> > however (see the rules for determining effective caps of a process
> > running as non-root in "man 7 capabilities"). This can be done with:
> >
> > filecap $path-to-qemu-binary compromise_kernel
>
> Sounds like something that should be done by default at least for the
> Fedora packaging of qemu - that is, if the kernel folks don't honor our
> request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
> all read()/write().
>
> We may not need this patch, if the kernel folks are sensible.
Yes, I want to push this back onto the kernel developers. IMHO this is
a userspace ABI change they've made here. The secureboot stuff should
be a complete no-op if the kernel is not booted in secureboot mode,
but the current kernel patch does not satisfy that. I don't think it
should be libvirt or KVM's job to fix this kernel breakage.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list