[libvirt] Can jobs suck like qemu-pr-helper does be transfered to libvirtd?

Tue Apr 2 07:11:31 UTC 2019

On Tue, Apr 02, 2019 at 06:44:13 +0000, Zhangbo (Oscar) wrote:
> >[...]
> >
> >> >>This does not play well with the fact that processes as the PR helper
> >> >>are always required.
> >> >>
> >> >>Merging them into libvirtd would make the VM stop until libvirtd is
> >> >>running again. Additionally if any of the operations require persistent
> >> >>kernel state as e.g. file descriptors, this would be impossible as
> >> >>stopping libvirtd process would close the FDs which may be then
> >> >>impossible to reopen properly e.g. due to state.
> >> >
> >> >Thanks! Besides these reasons above, will it weaken security if we let libvirtd
> >do
> >> >these jobs? For example,
> >> >Such sayings, like "libvirtd would become the focus from attacking forces",
> >make
> >> >sense?
> >>
> >> If there's no security concern, then, will it be OK to add a new KVM ioctl, which
> >allows
> >> qemu to ask kvm module to do the high prilidged jobs?
> >
> >Well there actually is security concern in qemu. Libvirt attempts to run
> >qemu with the least amount of privileges possible as the 'untrusted'
> >guest interacts directly with qemu.
> >
> >That is in the end the reason 'qemu-pr-helper' exists separately.
> 
> Then, suppose we have this scenario:
> 1 Inside the guest,  the user binds certain irqs to certain vcpus
> 2 qemu helps to bind the irqs to the pcpus

Binding virtual cpus to physical cpus is usually done via libvirt at
this point but it's not automatic. Any automatic pinning approach must
not override the pinning set on the host side.

> Besides letting another agent daemon(similar to pr-helper) to do the binding job, can
> we add a new KVM ioctl and let qemu call kvm module to do the binding job?

Your description of what you want to do is not very specific. At any
rate if the automatic setting approach has always better properties and
does not override limits configured on the host side it should be
considered as a good idea. Just don't forget that the gues OS is always
treated as untrusted so you should make sure that any input you consider
from the guest is treated as such.

Depending on "realtimeness" requirements of the operation you want to do
bud did not describe properly any of the approaches you describe may
make sense. One other, if the operation is not critical and thus can
wait is to implement it via a QMP event + query command where libvirt
can respond do that.

The situation really depends on what you are doing. In case of the
pr-helper it is not possible to wait for libvirt to do it as it has IO
implications.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20190402/411d11a0/attachment-0001.sig>