[libvirt] [PATCH 7/7] qemu: Allow /dev/dri/render* for virgl domains

Michal Privoznik mprivozn at redhat.com
Mon Feb 20 06:42:42 UTC 2017


On 16.02.2017 13:47, Marc-André Lureau wrote:
> Hi
> 
> On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik <mprivozn at redhat.com>
> wrote:
> 
>> When enabling virgl, qemu opens /dev/dri/render*. So far, we are
>> not allowing that in devices cgroup nor creating the file in
>> domain's namespace and thus requiring users to set the paths in
>> qemu.conf. This, however, is suboptimal as it allows access to
>> ALL qemu processes even those which don't have virgl configured.
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>>
> 
> 
> Thanks, but that doesn't work :)
> 
> You should loop over the spice/gl graphics nodes (virtio accel3d is not
> actually using 3d, as of today, if the graphics configuration/layer doesn't
> provide it)
> 
> See also Ján Tomko "qemu_cgroup: allow access to /dev/dri/render*" patch,
> which used to work.
> 
> After my series "[PATCH 0/5] Add rendernode selection support", it will
> further have to narrow the path allowed to the specified rendernode. This
> can be done in my series or yours, depending on applied order.

Correct, I've pushed your patches on Friday so now I'll work on allowing
selected render node in cgroup. BTW: what about /dev/dri/card0 and
/dev/dri/controlD4 - do they need to be allowed in devices CGroup too?

BTW: I've merged patches 1-6/7 since you reviewed them.

Thanks!
Michal
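
The per-domain selection discussed in this thread, as an added example that is not libvirt code and not part of the original messages: it walks the spice graphics nodes of a domain XML and returns only the render node paths that domain needs, so a domain without spice GL gets no /dev/dri access. The function names, the sample domains and the fallback to the /dev/dri/render* glob when no rendernode is set are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: when <gl enable='yes'/> names no rendernode, fall back to the
# glob from the patch subject; with a rendernode, allow only that one path.
DEFAULT_GLOB = "/dev/dri/render*"


def render_nodes_for_domain(domain_xml):
    """Return the DRM render node paths a domain's devices cgroup would need."""
    root = ET.fromstring(domain_xml)
    allowed = set()
    # Walk the spice graphics nodes, not the video model: accel3d alone
    # does not mean the qemu process opens a render node.
    for gfx in root.findall("./devices/graphics"):
        if gfx.get("type") != "spice":
            continue
        gl = gfx.find("gl")
        if gl is None or gl.get("enable") != "yes":
            continue
        allowed.add(gl.get("rendernode") or DEFAULT_GLOB)
    return allowed


def make_domain(graphics_xml):
    """Build a constructed sample domain with a virtio accel3d video device."""
    return f"""<domain type='kvm'>
  <name>demo</name>
  <devices>
    {graphics_xml}
    <video><model type='virtio'><acceleration accel3d='yes'/></model></video>
  </devices>
</domain>"""


# Constructed sample inputs (not taken from the thread).
PINNED = make_domain("<graphics type='spice'><gl enable='yes' rendernode='/dev/dri/renderD128'/></graphics>")
UNPINNED = make_domain("<graphics type='spice'><gl enable='yes'/></graphics>")
GL_OFF = make_domain("<graphics type='spice'><gl enable='no'/></graphics>")
VNC_ONLY = make_domain("<graphics type='vnc' port='-1'/>")

if __name__ == "__main__":
    for name, xml in [("pinned", PINNED), ("unpinned", UNPINNED),
                      ("gl-off", GL_OFF), ("vnc-only", VNC_ONLY)]:
        print(f"{name:9} -> {sorted(render_nodes_for_domain(xml)) or 'no DRI access'}")
```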



