[libvirt] [PATCH] qemu_cgroup: Only try to allow devices if devices CGroup's available

Michal Privoznik posted 1 patch 4 years, 2 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/9adf876a35527f8798f129c3c3974027d91d87cb.1487777939.git.mprivozn@redhat.com
src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

[libvirt] [PATCH] qemu_cgroup: Only try to allow devices if devices CGroup's available

Posted by Michal Privoznik 4 years, 2 months ago
When a domain needs access to some device (be it a disk, RNG,
chardev, whatever), we have to allow it in the devices CGroup (if
it is available), because by default we disallow all the devices.
But some of the functions that are responsible for setting up
the devices CGroup lack a check for whether there is any CGroup
available. Thus users might be unable to hotplug some devices:

  virsh # attach-device fedora rng.xml
  error: Failed to attach device from rng.xml
  error: internal error: Controller 'devices' is not mounted

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f0729743a..42a47a798 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -176,6 +176,9 @@ qemuSetupChrSourceCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int ret;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
         return 0;
 
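Review bot: The new early `return 0` in qemuSetupChrSourceCgroup leaves no trace that the device ACL step was skipped, so in the logs a host running without the devices controller looks the same as one where the allow rule was applied. Since this ACL is what limits which host device nodes the domain may open, I would log the skip before returning, e.g. `VIR_DEBUG("devices cgroup controller not available, skipping device ACL");`. The same three-line guard is repeated in the other six hunks (qemuTeardownChrSourceCgroup, qemuSetupInputCgroup, qemuSetupHostdevCgroup, qemuSetupGraphicsCgroup, qemuSetupRNGCgroup, qemuTeardownRNGCgroup); a small static helper would keep the copies in step and give the message one home. The function body continues outside the hunk.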
@@ -197,6 +200,9 @@ qemuTeardownChrSourceCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int ret;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
         return 0;
 
@@ -247,6 +253,9 @@ qemuSetupInputCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int ret = 0;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     switch (dev->type) {
     case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
         VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
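Review bot: Only the setup side of the input path gets the guard here, and the diff shows no matching change to a teardown function for input devices; the same holds for the hostdev and graphics hunks, whereas chardev and RNG are patched on both sides. If those teardown counterparts exist and do not already check `virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)`, detaching such a device on a host without the devices controller would presumably fail with the same "Controller 'devices' is not mounted" error. This is worth confirming against the full file, since none of those functions are visible in this patch. The switch in qemuSetupInputCgroup continues outside the hunk.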
@@ -270,6 +279,9 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
     size_t i, npaths = 0;
     int rv, ret = -1;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (qemuDomainGetHostdevPath(NULL, dev, false, &npaths, &path, &perms) < 0)
         goto cleanup;
 
@@ -344,6 +356,9 @@ qemuSetupGraphicsCgroup(virDomainObjPtr vm,
     const char *rendernode = gfx->data.spice.rendernode;
     int ret;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (gfx->type != VIR_DOMAIN_GRAPHICS_TYPE_SPICE ||
         gfx->data.spice.gl != VIR_TRISTATE_BOOL_YES ||
         !rendernode)
@@ -481,6 +496,9 @@ qemuSetupRNGCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int rv;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
         VIR_DEBUG("Setting Cgroup ACL for RNG device");
         rv = virCgroupAllowDevicePath(priv->cgroup,
@@ -505,6 +523,9 @@ qemuTeardownRNGCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     int rv;
 
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
     if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
         VIR_DEBUG("Tearing down Cgroup ACL for RNG device");
         rv = virCgroupDenyDevicePath(priv->cgroup,
-- 
2.11.0


Re: [libvirt] [PATCH] qemu_cgroup: Only try to allow devices if devices CGroup's available

Posted by Ján Tomko 4 years, 2 months ago
On Wed, Feb 22, 2017 at 04:38:59PM +0100, Michal Privoznik wrote:
>When a domain needs an access to some device (be it a disk, RNG,
>chardev, whatever), we have to allow it in the devices CGroup (if
>it is available), because by default we disallow all the devices.
>But some of the functions that are responsible for setting up
>devices CGroup are lacking check whether there is any CGroup
>available. Thus users might be unable to hotplug some devices:
>
>  virsh # attach-device fedora rng.xml
>  error: Failed to attach device from rng.xml
>  error: internal error: Controller 'devices' is not mounted
>
>Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>---
> src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>

ACK

Jan