[PATCH v2 9/9] qemu: Place helper processes into the same trusted group

Wed Jul 13 16:25:07 UTC 2022

On Mon, Jun 27, 2022 at 12:44:41PM +0200, Michal Privoznik wrote:
> Since the level of trust that QEMU has is the same level of trust
> that helper processes have there's no harm in placing all of them
> into the same group.
> 
> Unfortunately, since these processes are started before QEMU we
> can't use brand new virCommand*() APIs (those are used on hotplug
> though) and have to use the low level virProcess*() APIs.
> 
> Moreover, because there no (kernel) API that would copy cookie
> from one process to another WITHOUT modifying the cookie of the
> process that's doing the copy, we have to fork() and use
> available copy APIs.
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/qemu/qemu_extdevice.c | 120 ++++++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_extdevice.h |   3 +
>  src/qemu/qemu_process.c   |   4 ++
>  3 files changed, 127 insertions(+)
> 
> diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
> index b8e3c1000a..41368a9cea 100644
> --- a/src/qemu/qemu_extdevice.c
> +++ b/src/qemu/qemu_extdevice.c
> @@ -335,3 +335,123 @@ qemuExtDevicesSetupCgroup(virQEMUDriver *driver,
>  
>      return 0;
>  }
> +
> +
> +static int
> +qemuExtDevicesSetupSchedHelper(pid_t ppid G_GNUC_UNUSED,
> +                               void *opaque)
> +{
> +    GSList *pids = opaque;
> +    GSList *next;
> +    pid_t vmPid;
> +
> +    /* The first item on the list is special: it's the PID of the
> +     * QEMU that has the cookie we want to copy to the rest. */
> +    vmPid = GPOINTER_TO_INT(pids->data);
> +    if (virProcessSchedCoreShareFrom(vmPid) < 0) {
> +        virReportSystemError(errno,
> +                             _("Unable to get core group of: %lld"),
> +                             (long long) vmPid);
> +        return -1;
> +    }
> +
> +    VIR_DEBUG("SCHED_CORE: vmPid = %lld", (long long) vmPid);
> +
> +    for (next = pids->next; next; next = next->next) {
> +        pid_t pid = GPOINTER_TO_INT(next->data);
> +
> +        VIR_DEBUG("SCHED_CORE: share to %lld", (long long) pid);
> +        if (virProcessSchedCoreShareTo(pid) < 0) {
> +            virReportSystemError(errno,
> +                                 _("Unable to share core group to: %lld"),
> +                                 (long long) pid);
> +            return -1;
> +        }
> +    }

The helper processes can have many threads, but this virProcessSchedCoreShareTo
call only sets scheduling cookie for a single thread.

It would need to use SCOPE_THREAD_GROUP, except even that is not sufficient
as the helper may have fork+exec'd another helper by this point, and our
call will only affect the first process.

IOW, to set core scheduling cookies on the helpers, we need to set them
upfront at the time we spawn the helper.

IOW, during startup, IIUC, we need to fork  a dummy process solely to
call PR_SCHED_CORE_CREATE. Then when forking anything else, whether a
helper, or QEMU itself, we need to pull the cookie from that dummy
process, and then finally kill that dummy process.

If hotplugging a device, we won't need the dummy process, we can pull
the cookie from the running QEMU.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|