[libvirt-users] Permission issue with cgroups

Antonio Carlos Salzvedel Furtado Junior acsfj08 at inf.ufpr.br
Fri May 11 21:51:41 UTC 2012

Thanks for the prompt response, it cleared a lot of my doubts

Actually, I could enable the other controllers. It's just that I have a
strong reason to use the cpu controller.
I need to set a hard limit for CPU consumption. Maybe 'cpu.shares' was a
bad example.
I'm working especially with two parameters, "cpu.cfs_period_us" and
"cpu.cfs_quota_us". For instance, sometimes I need to limit my VM to 20% of
the CPU share, regardless of the CPU load. Then I set
"cpu.cfs_period_us=100000" and "cpu.cfs_quota_us=20000".
I'm using the libcgroup API to do that, but I agree that it would be better
to use the libvirt API.

Looking at the documentation, The parameters I'd need to change would be
the following:


Unfortunately, I think virsh does not have tools to change these
parameters, as libcgroup does ( cgget and cgset ). However I guess it won't
be a problem, I'll try to use the libvirt API.

On Fri, May 11, 2012 at 5:50 PM, Eric Blake <eblake at redhat.com> wrote:

> On 05/11/2012 02:42 PM, Antonio Carlos Salzvedel Furtado Junior wrote:
> > Hello libvirt users,
> >
> >
> > I'm using the cgroup with QEMU guests. At /etc/libvirt/qemu.conf, I have
> > the following parameter:
> >
> > cgroup_controllers = [ "cpu" ]
> Libvirt would like to use a lot more cgroup controllers than just the
> cpu controller.  If you leave the line in qemu.conf commented out,
> libvirt will use all possible cgroup controllers, rather than limiting
> you to just one.
> > This controller is successfully mounted and  libvirt is able to create
> > subgroups for each VM, it's really great the cgroups support in libvirt.
> > The problem is that I can only set the parameters of a given cgroup under
> > the cpu controller if I'm logged in as root. I want another user to have
> > that permission as well.
> Unfortunately, that is not possible.  Libvirt MUST manage its own
> cgroups; you cannot go behind libvirt's back to change the cgroup
> settings, or you will confuse libvirt.
> What you should really be doing is figuring out what particular reason
> you have for modifying the cgroups, and then determining which libvirt
> API will let you modify the domain XML in such a way as to get that
> cgroup attribute automatically changed.  Since non-root users can
> connect to libvirtd to use libvirt's API in order to affect the cgroup
> settings, then you do not need anyone other than libvirtd to access the
> particular cgroups created for VMs managed by libvirt.
> > This configuration above does not seem to modify any of the
> administration
> > permissions. Only the root can edit the parameters under libvirt.
> > The cpu entry was added just to check whether this configuration was read
> > by cgroups at all. The 'cpu.shares' does change in group libvirt.
> In particular, changes to cpu.shares are done via the libvirt API
> virDomainSetSchedulerParameters, using the parameter name "cpu_shares";
> and are reflected into the domain XML under the XPath notation of
> /domain/cputune/shares.
> http://libvirt.org/formatdomain.html#elementsCPUTuning
> --
> Eric Blake   eblake at redhat.com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20120511/7db01ce4/attachment.htm>

More information about the libvirt-users mailing list