[libvirt] [PATCH 0/1] Bug: Sandbox: libvirt breakdowns qemu guest
Christian Borntraeger
borntraeger at de.ibm.com
Mon May 7 12:12:27 UTC 2018
On 05/07/2018 02:02 PM, Ján Tomko wrote:
> On Mon, May 07, 2018 at 12:33:20PM +0200, Eduardo Otubo wrote:
>> On 07/05/2018 - 11:29:57, Christian Borntraeger wrote:
>>> On 05/07/2018 05:32 AM, Yi Min Zhao wrote:
>>> > 1. Problem Description
>>> > ======================
>>> > If QEMU is built without seccomp support, 'elevatorprivileges' remains compiled.
>>> > This option of sandbox is treated as an indication for seccomp blacklist support
>>> > in libvirt. This behavior is introduced by the libvirt commits 31ca6a5 and
>>> > 3527f9d. It would make libvirt build wrong QEMU cmdline, and then the guest
>>> > startup would fail.
>>>
>>> Adding libvirt list.
>>>
>>> This would still fail with older QEMUs, so the question is if we should also OR instead
>>> change something in libvirt.
>>
>> Perhaps I'm missing something here, but libvirt can differentiate between
>> different versions of QEMU, therefore not calling it with wrong or outdated
>> arguments.
>>
>
> The code introduced in libvirt commit 31ca6a5 specifically looks for
> 'elevateprivileges' in 'parameters' of the 'sandbox' option through
> query-command-line-options.
>
> Outdated QEMUs should not have this option there.
>
> However, libvirtd does add the option by default not knowing whether it
> can fail for other reasons, e.g. SECCOMP not being enabled in the
> running kernel. I wonder if that is worth addressing.
So you prefer the qemu patch (with cc stable) as the best solution?
More information about the libvir-list
mailing list