When a domain needs an access to some device (be it a disk, RNG,
chardev, whatever), we have to allow it in the devices CGroup (if
it is available), because by default we disallow all the devices.
But some of the functions that are responsible for setting up
devices CGroup are lacking check whether there is any CGroup
available. Thus users might be unable to hotplug some devices:
virsh # attach-device fedora rng.xml
error: Failed to attach device from rng.xml
error: internal error: Controller 'devices' is not mounted
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f0729743a..42a47a798 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -176,6 +176,9 @@ qemuSetupChrSourceCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
return 0;
@@ -197,6 +200,9 @@ qemuTeardownChrSourceCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
return 0;
@@ -247,6 +253,9 @@ qemuSetupInputCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret = 0;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
switch (dev->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
@@ -270,6 +279,9 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
size_t i, npaths = 0;
int rv, ret = -1;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (qemuDomainGetHostdevPath(NULL, dev, false, &npaths, &path, &perms) < 0)
goto cleanup;
@@ -344,6 +356,9 @@ qemuSetupGraphicsCgroup(virDomainObjPtr vm,
const char *rendernode = gfx->data.spice.rendernode;
int ret;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (gfx->type != VIR_DOMAIN_GRAPHICS_TYPE_SPICE ||
gfx->data.spice.gl != VIR_TRISTATE_BOOL_YES ||
!rendernode)
@@ -481,6 +496,9 @@ qemuSetupRNGCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
int rv;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
VIR_DEBUG("Setting Cgroup ACL for RNG device");
rv = virCgroupAllowDevicePath(priv->cgroup,
@@ -505,6 +523,9 @@ qemuTeardownRNGCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
int rv;
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
VIR_DEBUG("Tearing down Cgroup ACL for RNG device");
rv = virCgroupDenyDevicePath(priv->cgroup,
--
2.11.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Wed, Feb 22, 2017 at 04:38:59PM +0100, Michal Privoznik wrote: >When a domain needs an access to some device (be it a disk, RNG, >chardev, whatever), we have to allow it in the devices CGroup (if >it is available), because by default we disallow all the devices. >But some of the functions that are responsible for setting up >devices CGroup are lacking check whether there is any CGroup >available. Thus users might be unable to hotplug some devices: > > virsh # attach-device fedora rng.xml > error: Failed to attach device from rng.xml > error: internal error: Controller 'devices' is not mounted > >Signed-off-by: Michal Privoznik <mprivozn@redhat.com> >--- > src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > ACK Jan -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2024 Red Hat, Inc.