docs/formatdomain.html.in | 46 +- docs/schemas/domaincommon.rng | 22 + po/POTFILES.in | 1 + src/Makefile.am | 1 + src/conf/domain_conf.c | 225 ++++++++-- src/conf/domain_conf.h | 9 + src/libvirt_private.syms | 25 ++ src/qemu/qemu_command.c | 45 ++ src/qemu/qemu_command.h | 5 + src/qemu/qemu_domain.c | 24 +- src/qemu/qemu_domain.h | 1 + src/qemu/qemu_domain_address.c | 14 +- src/qemu/qemu_hostdev.c | 56 +++ src/qemu/qemu_hostdev.h | 10 + src/qemu/qemu_hotplug.c | 2 + src/security/security_apparmor.c | 22 + src/security/security_dac.c | 43 ++ src/security/security_selinux.c | 45 ++ src/util/virhostdev.c | 165 ++++++- src/util/virhostdev.h | 23 + src/util/virmdev.c | 487 +++++++++++++++++++++ src/util/virmdev.h | 123 ++++++ tests/domaincapsschemadata/full.xml | 1 + ...ml2argv-hostdev-mdev-invalid-target-address.xml | 33 ++ ...muxml2argv-hostdev-mdev-src-address-invalid.xml | 35 ++ .../qemuxml2argv-hostdev-mdev-unmanaged.args | 25 ++ .../qemuxml2argv-hostdev-mdev-unmanaged.xml | 35 ++ tests/qemuxml2argvtest.c | 9 + .../qemuxml2xmlout-hostdev-mdev-unmanaged.xml | 40 ++ tests/qemuxml2xmltest.c | 1 + 30 files changed, 1518 insertions(+), 55 deletions(-) create mode 100644 src/util/virmdev.c create mode 100644 src/util/virmdev.h create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-invalid-target-address.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-src-address-invalid.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-hostdev-mdev-unmanaged.xml
since v1: - new <hostdev> attribute model introduced which tells libvirt which device API should be considered when auto-assigning guest address - device_api is properly checked, thus taking the 'model' attribute only as a hint to assign "some" address - new address type 'mdev' is introduced rather than using plain <uuid> element, since the address element is more conveniently extendable. - the emulated mtty driver now works as well out of the box, so no HW needed to review this series --> let's try it :) - fixed all the nits from v1 since v2: - dropped the patch introducing new address type 'mdev' since I added by mistake and only after that realized that the device address type enum is used for guest addresses only --> the mdevs are still identified by address element containing an 'uuid' attribute, I just dropped the enum - resolved the driver hostdev list race condition raised by Pavel in his review --> the device API is now checked every time our internal mdev object is created as opposed to the previous version where because of the model being checked separately, the locking issues arose. - rewrote the docs, reflecting the mdev address type drop change - squashed all security related stuff into 1 patch, also added app-armor bits - as Pavel suggested, moved most of the mdev-related functions out of virhostdev.c to virmdev.c - added a few more test cases - created a new branch 'mdev-next' on my github (more suitable name than a strict version number) on https://github.com/eskultety/libvirt/commits/mdev-next since v3: - 'undo' an accidental squash of virmdev.{c,h} module introduction into patch 4/15 and made it a separate patch again - squash 5/15 into 4/15 as Pavel suggested - dropped the NEWS patch, as I've so far got at least 4 merge conflicts because of it when rebasing...I'll add it before the series is ready to be merged...or I'll forget about it like I usually do and add it later :/ Erik Erik Skultety (14): conf: hostdev: Enforce enum-in-switch compile-time checks conf: hostdev: Introduce virDomainHostdevSubsysSCSIClear conf: Introduce virDomainHostdevDefPostParse util: Introduce new module virmdev conf: Introduce new hostdev device type mdev security: Enable labeling of vfio mediated devices conf: Enable cold-plug of a mediated device qemu: Assign PCI addresses for mediated devices as well hostdev: Maintain a driver list of active mediated devices qemu: cgroup: Adjust cgroups' logic to allow mediated devices qemu: Bump the memory locking limit for mdevs as well qemu: Format mdevs on qemu command line test: Add some test cases for our test suite regarding the mdevs docs: Document the new hostdev and address type 'mdev' docs/formatdomain.html.in | 46 +- docs/schemas/domaincommon.rng | 22 + po/POTFILES.in | 1 + src/Makefile.am | 1 + src/conf/domain_conf.c | 225 ++++++++-- src/conf/domain_conf.h | 9 + src/libvirt_private.syms | 25 ++ src/qemu/qemu_command.c | 45 ++ src/qemu/qemu_command.h | 5 + src/qemu/qemu_domain.c | 24 +- src/qemu/qemu_domain.h | 1 + src/qemu/qemu_domain_address.c | 14 +- src/qemu/qemu_hostdev.c | 56 +++ src/qemu/qemu_hostdev.h | 10 + src/qemu/qemu_hotplug.c | 2 + src/security/security_apparmor.c | 22 + src/security/security_dac.c | 43 ++ src/security/security_selinux.c | 45 ++ src/util/virhostdev.c | 165 ++++++- src/util/virhostdev.h | 23 + src/util/virmdev.c | 487 +++++++++++++++++++++ src/util/virmdev.h | 123 ++++++ tests/domaincapsschemadata/full.xml | 1 + ...ml2argv-hostdev-mdev-invalid-target-address.xml | 33 ++ ...muxml2argv-hostdev-mdev-src-address-invalid.xml | 35 ++ .../qemuxml2argv-hostdev-mdev-unmanaged.args | 25 ++ .../qemuxml2argv-hostdev-mdev-unmanaged.xml | 35 ++ tests/qemuxml2argvtest.c | 9 + .../qemuxml2xmlout-hostdev-mdev-unmanaged.xml | 40 ++ tests/qemuxml2xmltest.c | 1 + 30 files changed, 1518 insertions(+), 55 deletions(-) create mode 100644 src/util/virmdev.c create mode 100644 src/util/virmdev.h create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-invalid-target-address.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-src-address-invalid.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.xml create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-hostdev-mdev-unmanaged.xml -- 2.12.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Verify Summary: * the none rooted mode starting a high-privileges VM actually. The configurations is source generated default value except tls disabled. 1. rooted virsh define ./libvirt/vgpu-win10.xml Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml ubuntu@z-nuc-11:~/vgpu-meta/libvirt-stage$ virsh start vgpu-win10 2017-03-26 23:28:57.385+0000: 2886: info : libvirt version: 3.2.0 2017-03-26 23:28:57.385+0000: 2886: info : hostname: z-nuc-11.maas 2017-03-26 23:28:57.385+0000: 2886: warning : qemuDomainObjTaint:4155 : Domain id=1 name='vgpu-win10' uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges 2017-03-26 23:28:58.010+0000: 2886: warning : virDomainAuditHostdev:456 : Unexpected hostdev type while encoding audit message: 4 Domain vgpu-win10 started 2. None rooted virsh -c qemu:///session Welcome to lt-virsh, the virtualization interactive terminal. virsh # define ./libvirt/vgpu-win10.xml Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml virsh # start vgpu-win10 2017-03-26 23:38:11.220+0000: 2882: warning : qemuDomainObjTaint:4155 : Domain id=4 name='vgpu-win10' uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges 2017-03-26 23:38:12.356+0000: 2882: warning : virDomainAuditHostdev:456 : Unexpected hostdev type while encoding audit message: 4 Domain vgpu-win10 started Regards Yongli He > since v1: > - new <hostdev> attribute model introduced which tells libvirt which device API > should be considered when auto-assigning guest address > - device_api is properly checked, thus taking the 'model' attribute only as a > hint to assign "some" address > - new address type 'mdev' is introduced rather than using plain <uuid> element, > since the address element is more conveniently extendable. > - the emulated mtty driver now works as well out of the box, so no HW needed to > review this series --> let's try it :) > - fixed all the nits from v1 > > since v2: > - dropped the patch introducing new address type 'mdev' since I added by > mistake and only after that realized that the device address type enum is used > for guest addresses only > --> the mdevs are still identified by address element containing an 'uuid' > attribute, I just dropped the enum > - resolved the driver hostdev list race condition raised by Pavel in his review > --> the device API is now checked every time our internal mdev object is > created as opposed to the previous version where because of the model being > checked separately, the locking issues arose. > - rewrote the docs, reflecting the mdev address type drop change > - squashed all security related stuff into 1 patch, also added app-armor bits > - as Pavel suggested, moved most of the mdev-related functions out of > virhostdev.c to virmdev.c > - added a few more test cases > - created a new branch 'mdev-next' on my github (more suitable name than a > strict version number) on https://github.com/eskultety/libvirt/commits/mdev-next > > since v3: > - 'undo' an accidental squash of virmdev.{c,h} module introduction into patch > 4/15 and made it a separate patch again > - squash 5/15 into 4/15 as Pavel suggested > - dropped the NEWS patch, as I've so far got at least 4 merge conflicts because > of it when rebasing...I'll add it before the series is ready to be > merged...or I'll forget about it like I usually do and add it later :/ > > Erik > > Erik Skultety (14): > conf: hostdev: Enforce enum-in-switch compile-time checks > conf: hostdev: Introduce virDomainHostdevSubsysSCSIClear > conf: Introduce virDomainHostdevDefPostParse > util: Introduce new module virmdev > conf: Introduce new hostdev device type mdev > security: Enable labeling of vfio mediated devices > conf: Enable cold-plug of a mediated device > qemu: Assign PCI addresses for mediated devices as well > hostdev: Maintain a driver list of active mediated devices > qemu: cgroup: Adjust cgroups' logic to allow mediated devices > qemu: Bump the memory locking limit for mdevs as well > qemu: Format mdevs on qemu command line > test: Add some test cases for our test suite regarding the mdevs > docs: Document the new hostdev and address type 'mdev' > > docs/formatdomain.html.in | 46 +- > docs/schemas/domaincommon.rng | 22 + > po/POTFILES.in | 1 + > src/Makefile.am | 1 + > src/conf/domain_conf.c | 225 ++++++++-- > src/conf/domain_conf.h | 9 + > src/libvirt_private.syms | 25 ++ > src/qemu/qemu_command.c | 45 ++ > src/qemu/qemu_command.h | 5 + > src/qemu/qemu_domain.c | 24 +- > src/qemu/qemu_domain.h | 1 + > src/qemu/qemu_domain_address.c | 14 +- > src/qemu/qemu_hostdev.c | 56 +++ > src/qemu/qemu_hostdev.h | 10 + > src/qemu/qemu_hotplug.c | 2 + > src/security/security_apparmor.c | 22 + > src/security/security_dac.c | 43 ++ > src/security/security_selinux.c | 45 ++ > src/util/virhostdev.c | 165 ++++++- > src/util/virhostdev.h | 23 + > src/util/virmdev.c | 487 +++++++++++++++++++++ > src/util/virmdev.h | 123 ++++++ > tests/domaincapsschemadata/full.xml | 1 + > ...ml2argv-hostdev-mdev-invalid-target-address.xml | 33 ++ > ...muxml2argv-hostdev-mdev-src-address-invalid.xml | 35 ++ > .../qemuxml2argv-hostdev-mdev-unmanaged.args | 25 ++ > .../qemuxml2argv-hostdev-mdev-unmanaged.xml | 35 ++ > tests/qemuxml2argvtest.c | 9 + > .../qemuxml2xmlout-hostdev-mdev-unmanaged.xml | 40 ++ > tests/qemuxml2xmltest.c | 1 + > 30 files changed, 1518 insertions(+), 55 deletions(-) > create mode 100644 src/util/virmdev.c > create mode 100644 src/util/virmdev.h > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-invalid-target-address.xml > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-src-address-invalid.xml > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.args > create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.xml > create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-hostdev-mdev-unmanaged.xml > -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On 2017年03月27日 15:42, yonglihe wrote: > > Verify Summary: > * the none rooted mode starting a high-privileges VM actually. > > The configurations is source generated default value except tls disabled. > > > 1. rooted > > virsh define ./libvirt/vgpu-win10.xml > Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml > > ubuntu@z-nuc-11:~/vgpu-meta/libvirt-stage$ virsh start vgpu-win10 > 2017-03-26 23:28:57.385+0000: 2886: info : libvirt version: 3.2.0 > 2017-03-26 23:28:57.385+0000: 2886: info : hostname: z-nuc-11.maas > 2017-03-26 23:28:57.385+0000: 2886: warning : qemuDomainObjTaint:4155 > : Domain id=1 name='vgpu-win10' > uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges > 2017-03-26 23:28:58.010+0000: 2886: warning : > virDomainAuditHostdev:456 : Unexpected hostdev type while encoding > audit message: 4 > Domain vgpu-win10 started > > > 2. None rooted > virsh -c qemu:///session > Welcome to lt-virsh, the virtualization interactive terminal. > > virsh # define ./libvirt/vgpu-win10.xml > Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml > > virsh # start vgpu-win10 > 2017-03-26 23:38:11.220+0000: 2882: warning : qemuDomainObjTaint:4155 > : Domain id=4 name='vgpu-win10' > uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges > 2017-03-26 23:38:12.356+0000: 2882: warning : > virDomainAuditHostdev:456 : Unexpected hostdev type while encoding > audit message: 4 > Domain vgpu-win10 started Please ignore above none rooted testing result, my fault. the proper test given following result: to successfully starting a non rooted vm, the following operation needed: 1.change the ownership/access right of the mdev corresponding vfio sudo chown ubuntu:ubuntu /dev/vfio/0 2. set a correct ulimit -l for the vm sudo sh -c "ulimit -l 3074424832 && exec su $LOGNAME" otherwise, it running into the following error: virsh # start vgpu-win10 internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 3074424832: Operation not permitted my testing bed is Ubuntu 14.04, there is a similar bug ever reported: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719 I could not make sure if there is special requirements run virsh directly from the source tree using the ./run scripts. fix me. Yongli He > > > > Regards > Yongli He > >> since v1: >> - new <hostdev> attribute model introduced which tells libvirt which >> device API >> should be considered when auto-assigning guest address >> - device_api is properly checked, thus taking the 'model' attribute >> only as a >> hint to assign "some" address >> - new address type 'mdev' is introduced rather than using plain >> <uuid> element, >> since the address element is more conveniently extendable. >> - the emulated mtty driver now works as well out of the box, so no HW >> needed to >> review this series --> let's try it :) >> - fixed all the nits from v1 >> >> since v2: >> - dropped the patch introducing new address type 'mdev' since I added by >> mistake and only after that realized that the device address type >> enum is used >> for guest addresses only >> --> the mdevs are still identified by address element containing >> an 'uuid' >> attribute, I just dropped the enum >> - resolved the driver hostdev list race condition raised by Pavel in >> his review >> --> the device API is now checked every time our internal mdev >> object is >> created as opposed to the previous version where because of the >> model being >> checked separately, the locking issues arose. >> - rewrote the docs, reflecting the mdev address type drop change >> - squashed all security related stuff into 1 patch, also added >> app-armor bits >> - as Pavel suggested, moved most of the mdev-related functions out of >> virhostdev.c to virmdev.c >> - added a few more test cases >> - created a new branch 'mdev-next' on my github (more suitable name >> than a >> strict version number) on >> https://github.com/eskultety/libvirt/commits/mdev-next >> >> since v3: >> - 'undo' an accidental squash of virmdev.{c,h} module introduction >> into patch >> 4/15 and made it a separate patch again >> - squash 5/15 into 4/15 as Pavel suggested >> - dropped the NEWS patch, as I've so far got at least 4 merge >> conflicts because >> of it when rebasing...I'll add it before the series is ready to be >> merged...or I'll forget about it like I usually do and add it later :/ >> >> Erik >> >> Erik Skultety (14): >> conf: hostdev: Enforce enum-in-switch compile-time checks >> conf: hostdev: Introduce virDomainHostdevSubsysSCSIClear >> conf: Introduce virDomainHostdevDefPostParse >> util: Introduce new module virmdev >> conf: Introduce new hostdev device type mdev >> security: Enable labeling of vfio mediated devices >> conf: Enable cold-plug of a mediated device >> qemu: Assign PCI addresses for mediated devices as well >> hostdev: Maintain a driver list of active mediated devices >> qemu: cgroup: Adjust cgroups' logic to allow mediated devices >> qemu: Bump the memory locking limit for mdevs as well >> qemu: Format mdevs on qemu command line >> test: Add some test cases for our test suite regarding the mdevs >> docs: Document the new hostdev and address type 'mdev' >> >> docs/formatdomain.html.in | 46 +- >> docs/schemas/domaincommon.rng | 22 + >> po/POTFILES.in | 1 + >> src/Makefile.am | 1 + >> src/conf/domain_conf.c | 225 ++++++++-- >> src/conf/domain_conf.h | 9 + >> src/libvirt_private.syms | 25 ++ >> src/qemu/qemu_command.c | 45 ++ >> src/qemu/qemu_command.h | 5 + >> src/qemu/qemu_domain.c | 24 +- >> src/qemu/qemu_domain.h | 1 + >> src/qemu/qemu_domain_address.c | 14 +- >> src/qemu/qemu_hostdev.c | 56 +++ >> src/qemu/qemu_hostdev.h | 10 + >> src/qemu/qemu_hotplug.c | 2 + >> src/security/security_apparmor.c | 22 + >> src/security/security_dac.c | 43 ++ >> src/security/security_selinux.c | 45 ++ >> src/util/virhostdev.c | 165 ++++++- >> src/util/virhostdev.h | 23 + >> src/util/virmdev.c | 487 >> +++++++++++++++++++++ >> src/util/virmdev.h | 123 ++++++ >> tests/domaincapsschemadata/full.xml | 1 + >> ...ml2argv-hostdev-mdev-invalid-target-address.xml | 33 ++ >> ...muxml2argv-hostdev-mdev-src-address-invalid.xml | 35 ++ >> .../qemuxml2argv-hostdev-mdev-unmanaged.args | 25 ++ >> .../qemuxml2argv-hostdev-mdev-unmanaged.xml | 35 ++ >> tests/qemuxml2argvtest.c | 9 + >> .../qemuxml2xmlout-hostdev-mdev-unmanaged.xml | 40 ++ >> tests/qemuxml2xmltest.c | 1 + >> 30 files changed, 1518 insertions(+), 55 deletions(-) >> create mode 100644 src/util/virmdev.c >> create mode 100644 src/util/virmdev.h >> create mode 100644 >> tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-invalid-target-address.xml >> create mode 100644 >> tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-src-address-invalid.xml >> create mode 100644 >> tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.args >> create mode 100644 >> tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.xml >> create mode 100644 >> tests/qemuxml2xmloutdata/qemuxml2xmlout-hostdev-mdev-unmanaged.xml >> > > > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On 03/28/2017 10:05 PM, yonglihe wrote: > On 2017年03月27日 15:42, yonglihe wrote: >> >> Verify Summary: >> * the none rooted mode starting a high-privileges VM actually. >> >> The configurations is source generated default value except tls disabled. >> >> >> 1. rooted >> >> virsh define ./libvirt/vgpu-win10.xml >> Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml >> >> ubuntu@z-nuc-11:~/vgpu-meta/libvirt-stage$ virsh start vgpu-win10 >> 2017-03-26 23:28:57.385+0000: 2886: info : libvirt version: 3.2.0 >> 2017-03-26 23:28:57.385+0000: 2886: info : hostname: z-nuc-11.maas >> 2017-03-26 23:28:57.385+0000: 2886: warning : qemuDomainObjTaint:4155 >> : Domain id=1 name='vgpu-win10' >> uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges >> 2017-03-26 23:28:58.010+0000: 2886: warning : >> virDomainAuditHostdev:456 : Unexpected hostdev type while encoding >> audit message: 4 >> Domain vgpu-win10 started >> >> >> 2. None rooted >> virsh -c qemu:///session >> Welcome to lt-virsh, the virtualization interactive terminal. The above line makes me think that you're mixing up "unprivileged libvirtd" with "unprivileged qemu". When you connect to virsh with "virsh -c qemu:///session" you are using an unprivileged copy of libvirtd started for your specific uid, and that libvirtd will: 1) not do any of the uid/permission/selinux/apparmor changes to the files/devices that will be used by the qemu process. (because it can't) 2) try to modify the locked memory limit for the qemu process, but likely fail because it needs more than the user's default limit. (I see below that you ran into this). 3) run qemu as the same unprivileged user. When you connect to virsh with the default URL (qemu:///system) you will connect to the system instance of libvirtd, which is running as root. It will: 1) modify uid/permissions/selinux/apparmor settings of any files/devices according to the "user" setting in /etc/libvirt/qemu.conf. and after forking the qemu process: 2) modify the locked memory limit to accommodate the needs of any assigned devices and 3) change the uid of the qemu process to the "user" setting from qemu.conf and drop all privileges (in the case that the "user" in qemu.conf is set to root, then step 3 doesn't happen). It sounds like you are using an "unprivileged libvirtd" in your tests, which will create the need to chown the various device files and manually change the ulimit for the login session that is running "virsh -c qemu:///session" (and thus starting up the unprivileged libvirtd which gets started on demand). The more common scenario is to use virsh -c qemu:///system (or simply run virsh as root and not add the URL so that the default is used), and to leave the qemu user set to "qemu" (or in some distros I think it is set to "kvm" by default). >> >> virsh # define ./libvirt/vgpu-win10.xml >> Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml >> >> virsh # start vgpu-win10 >> 2017-03-26 23:38:11.220+0000: 2882: warning : qemuDomainObjTaint:4155 >> : Domain id=4 name='vgpu-win10' >> uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges >> 2017-03-26 23:38:12.356+0000: 2882: warning : >> virDomainAuditHostdev:456 : Unexpected hostdev type while encoding >> audit message: 4 >> Domain vgpu-win10 started > Please ignore above none rooted testing result, my fault. the proper > test given following result: > > to successfully starting a non rooted vm, the following operation needed: > 1.change the ownership/access right of the mdev corresponding vfio > sudo chown ubuntu:ubuntu /dev/vfio/0 > > 2. set a correct ulimit -l for the vm > sudo sh -c "ulimit -l 3074424832 && exec su $LOGNAME" > > otherwise, it running into the following error: > virsh # start vgpu-win10 > internal error: Process exited prior to exec: libvirt: error : cannot > limit locked memory to 3074424832: Operation not permitted This is to be expected - both of these extra steps are also needed if you try to assign a standard PCI device using VFIO using unprivileged libvirtd. This is the best that can be expected without any component having root privileges. If you run the same test using qemu:///system, both of these should be taken care of automatically. > > my testing bed is Ubuntu 14.04, there is a similar bug ever reported: > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719 The original report (filed 2.5 years ago, and resolved soon after) was due to apparmor not doing the right stuff to the necessary files in sysfs. Many later comments and error messages were from people who were using the tools incorrectly (e.g. using <qemu:commandline> to manually add "-device vfio-pci" args to the qemu process, making it impossible for libvirt to recognize that it must perform steps 2 & 3 listed above. > > I could not make sure if there is special requirements run virsh > directly from the source tree using the ./run scripts. fix me. I'm fairly certain the reason you're needing to perform those two extra steps are because you're using qemu:///session instead of qemu:///system. -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
> On 03/28/2017 10:05 PM, yonglihe wrote: >> On 2017年03月27日 15:42, yonglihe wrote: >>> Verify Summary: >>> * the none rooted mode starting a high-privileges VM actually. >>> >>> The configurations is source generated default value except tls disabled. >>> >>> >>> 1. rooted >>> >>> virsh define ./libvirt/vgpu-win10.xml >>> Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml >>> >>> ubuntu@z-nuc-11:~/vgpu-meta/libvirt-stage$ virsh start vgpu-win10 >>> 2017-03-26 23:28:57.385+0000: 2886: info : libvirt version: 3.2.0 >>> 2017-03-26 23:28:57.385+0000: 2886: info : hostname: z-nuc-11.maas >>> 2017-03-26 23:28:57.385+0000: 2886: warning : qemuDomainObjTaint:4155 >>> : Domain id=1 name='vgpu-win10' >>> uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges >>> 2017-03-26 23:28:58.010+0000: 2886: warning : >>> virDomainAuditHostdev:456 : Unexpected hostdev type while encoding >>> audit message: 4 >>> Domain vgpu-win10 started >>> >>> >>> 2. None rooted >>> virsh -c qemu:///session >>> Welcome to lt-virsh, the virtualization interactive terminal. > > The above line makes me think that you're mixing up "unprivileged > libvirtd" with "unprivileged qemu". > > When you connect to virsh with "virsh -c qemu:///session" you are using > an unprivileged copy of libvirtd started for your specific uid, and that > libvirtd will: > > 1) not do any of the uid/permission/selinux/apparmor changes to the > files/devices that will be used by the qemu process. (because it can't) > > 2) try to modify the locked memory limit for the qemu process, but > likely fail because it needs more than the user's default limit. (I see > below that you ran into this). > > 3) run qemu as the same unprivileged user. > > > When you connect to virsh with the default URL (qemu:///system) you will > connect to the system instance of libvirtd, which is running as root. It > will: > > 1) modify uid/permissions/selinux/apparmor settings of any files/devices > according to the "user" setting in /etc/libvirt/qemu.conf. > > and after forking the qemu process: > > 2) modify the locked memory limit to accommodate the needs of any > assigned devices and > > 3) change the uid of the qemu process to the "user" setting from > qemu.conf and drop all privileges > > (in the case that the "user" in qemu.conf is set to root, then step 3 > doesn't happen). > > It sounds like you are using an "unprivileged libvirtd" in your tests, > which will create the need to chown the various device files and > manually change the ulimit for the login session that is running "virsh > -c qemu:///session" (and thus starting up the unprivileged libvirtd > which gets started on demand). > > The more common scenario is to use virsh -c qemu:///system (or simply > run virsh as root and not add the URL so that the default is used), and > to leave the qemu user set to "qemu" (or in some distros I think it is > set to "kvm" by default). thanks explain all of these, this is so big help to better understanding the processes of libvirt and what problem i'm encounter, thanks, very much! Regards Yongli He > >>> virsh # define ./libvirt/vgpu-win10.xml >>> Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml >>> >>> virsh # start vgpu-win10 >>> 2017-03-26 23:38:11.220+0000: 2882: warning : qemuDomainObjTaint:4155 >>> : Domain id=4 name='vgpu-win10' >>> uuid=916c5c36-0437-11e7-a23d-830ed1295d00 is tainted: high-privileges >>> 2017-03-26 23:38:12.356+0000: 2882: warning : >>> virDomainAuditHostdev:456 : Unexpected hostdev type while encoding >>> audit message: 4 >>> Domain vgpu-win10 started >> Please ignore above none rooted testing result, my fault. the proper >> test given following result: >> >> to successfully starting a non rooted vm, the following operation needed: >> 1.change the ownership/access right of the mdev corresponding vfio >> sudo chown ubuntu:ubuntu /dev/vfio/0 >> >> 2. set a correct ulimit -l for the vm >> sudo sh -c "ulimit -l 3074424832 && exec su $LOGNAME" >> >> otherwise, it running into the following error: >> virsh # start vgpu-win10 >> internal error: Process exited prior to exec: libvirt: error : cannot >> limit locked memory to 3074424832: Operation not permitted > This is to be expected - both of these extra steps are also needed if > you try to assign a standard PCI device using VFIO using unprivileged > libvirtd. This is the best that can be expected without any component > having root privileges. > > If you run the same test using qemu:///system, both of these should be > taken care of automatically. > >> my testing bed is Ubuntu 14.04, there is a similar bug ever reported: >> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719 > The original report (filed 2.5 years ago, and resolved soon after) was > due to apparmor not doing the right stuff to the necessary files in > sysfs. Many later comments and error messages were from people who were > using the tools incorrectly (e.g. using <qemu:commandline> to manually > add "-device vfio-pci" args to the qemu process, making it impossible > for libvirt to recognize that it must perform steps 2 & 3 listed above. > >> I could not make sure if there is special requirements run virsh >> directly from the source tree using the ./run scripts. fix me. > I'm fairly certain the reason you're needing to perform those two extra > steps are because you're using qemu:///session instead of qemu:///system. > > > -- > libvir-list mailing list > libvir-list@redhat.com > https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2024 Red Hat, Inc.