[PATCH v1 16/34] qemuDomainBuildNamespace: Populate basic /dev from daemon's namespace

Michal Prívozník mprivozn at redhat.com
Thu Sep 3 16:07:09 UTC 2020

On 9/3/20 4:42 PM, Daniel P. Berrangé wrote:
> On Thu, Sep 03, 2020 at 04:40:52PM +0200, Michal Prívozník wrote:
>> On 9/3/20 2:09 PM, Daniel P. Berrangé wrote:
>>> On Wed, Jul 22, 2020 at 11:40:10AM +0200, Michal Privoznik wrote:
>>>> As mentioned in previous commit, populating domain's namespace
>>>> from pre-exec() hook is dangerous. This commit moves population
>>>> of the namespace with basic /dev nodes (e.g. /dev/null, /dev/kvm,
>>>> etc.) into daemon's namespace.
>>>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>>>> ---
>>>>    src/qemu/qemu_domain_namespace.c | 23 +++++++++++------------
>>>>    src/qemu/qemu_domain_namespace.h |  3 ++-
>>>>    src/qemu/qemu_process.c          |  2 +-
>>>>    3 files changed, 14 insertions(+), 14 deletions(-)
>>> I don't understand why, but this commit has broken QEMU startup on
>>> hosts without KVM. It now always dies with
>>> error : qemuNamespaceMknodItemInit:1341 : Unable to access /dev/kvm: No such file or directory
>>> This was git bisect identified, but since theres no mention of kvm in
>>> this patch, I'm going to assume the actual bug is hiding dormant in
>>> a previous patch until this patch activates the bug.
>> Let me try to reproduce and write a fix. I assume unloading KVM module is
>> enough, isn't it?
> Yep, unloading, or even just rm /dev/kvm is enough

So I think I know what the problem is. When domain's /dev is being 
built, it's firstly populated with cfg->cgroupDeviceACL (which contains 
/dev/kvm by default). Previously, the code was ENOENT tolerant, now it 
is not. Let me post a patch for that.


More information about the libvir-list mailing list