[libvirt-dockerfiles PATCH 0/2] Update for MinGW changes
by Andrea Bolognani
Pushed under the Dockerfile refresh rule.
As usual, these patches cannot be applied to the git repository and
are posted to the list for humans' convenience only.
Andrea Bolognani (2):
Refresh after turning MinGW into a cross-building target
Add Dockerfiles for MinGW cross-compilation
buildenv-libosinfo-fedora-30-cross-mingw32.zip | Bin 0 -> 687 bytes
buildenv-libosinfo-fedora-30-cross-mingw64.zip | Bin 0 -> 689 bytes
buildenv-libosinfo-fedora-30.zip | Bin 605 -> 544 bytes
buildenv-libvirt-fedora-30-cross-mingw32.zip | Bin 0 -> 958 bytes
buildenv-libvirt-fedora-30-cross-mingw64.zip | Bin 0 -> 960 bytes
buildenv-libvirt-fedora-30.zip | Bin 897 -> 776 bytes
6 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 buildenv-libosinfo-fedora-30-cross-mingw32.zip
create mode 100644 buildenv-libosinfo-fedora-30-cross-mingw64.zip
create mode 100644 buildenv-libvirt-fedora-30-cross-mingw32.zip
create mode 100644 buildenv-libvirt-fedora-30-cross-mingw64.zip
--
2.24.1
4 years, 9 months
[dockerfiles PATCH] refresh: Drop MinGW hacks
by Andrea Bolognani
Up until now we have had to hardcode some information in our
refresh script, but with the recent improvements to lcitool that's
no longer necessary.
Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
This patch needs
https://www.redhat.com/archives/libvir-list/2020-February/msg00409.html
to be merged into libvirt-jenkins-ci.
refresh | 37 ++++++++++++-------------------------
1 file changed, 12 insertions(+), 25 deletions(-)
diff --git a/refresh b/refresh
index 5f3f5e3..6b644de 100755
--- a/refresh
+++ b/refresh
@@ -31,22 +31,19 @@ class Dockerfile:
CROSS = "-cross-"
SUFFIX = ".zip"
- # PROJECTS is a dictionary of dictionaries.
+ # PROJECTS is a dictionary of lists.
# The key is the project name, as present in the Dockerfile name and
- # the value is a dictionary containing the subprojects which the
- # dependencies should be installed together as the key and their value
- # being whether they support mingw builds or not.
- # This hack is needed till the moment libvirt-jenkins-ci treats mingw
- # builds in the very same way as cross-builds are treated.
+ # the value is a list containing the subprojects which the
+ # dependencies should be installed together as.
PROJECTS = {
- "libvirt" : {
- "libvirt" : True
- },
- "libosinfo" : {
- "libosinfo" : True,
- "osinfo-db" : False,
- "osinfo-db-tools" : True
- },
+ "libvirt" : [
+ "libvirt"
+ ],
+ "libosinfo" : [
+ "libosinfo",
+ "osinfo-db",
+ "osinfo-db-tools",
+ ],
}
def __init__(self, path):
@@ -91,17 +88,7 @@ class Dockerfile:
self.os = stem
self.cross_arch = None
- self.projects = []
-
- for project in Dockerfile.PROJECTS[project_name]:
- self.projects += [project]
- # Fedora 30 is special in that we use it to perform MinGW
- # builds, so we need to add the corresponding projects as well.
- # If a specific project needs to have the MinGW variant included,
- # the corresponding value in the dictionary will be True
- if (self.os == "fedora-30" and
- Dockerfile.PROJECTS[project_name][project]):
- self.projects += [project + "+mingw*"]
+ self.projects = Dockerfile.PROJECTS[project_name]
def refresh(self, lcitool):
--
2.24.1
4 years, 9 months
[libvirt PATCH 00/11] qemu: introduce a per-VM event loop thread
by Daniel P. Berrangé
This series changes the way we manage the QEMU monitor and
QEMU agent, such that all I/O is processed by a dedicated
event loop thread.
Many times in the past years people are reported issues
where long running monitor event callbacks block the main
libvirtd event loop for an unacceptably long period of
time. In the best case, this delays other work being
completed, but in bad cases it leads to mgmt app failures
when keepalive times trigger a client disconnect.
With this series, when we spawn QEMU, we also spawn a
dedicated thread running a GMainLoop instance. Then QEMU
monitor and QEMU agent UNIX sockets are switched to use
GMainContext for events instead of the traditional libvirt
event loop APIs. We kill off the event thread when we see
EOF on the QEMU monitor during shutdown.
The cost of this approach is one extra thread per VM,
which incurs a new OS process and a new stack allocation.
The QEMU driver already delegates some QMP event handling
to a thread pool for certain types of event. This was a
previous hack to mitigate the impact on the main event
loop. It is likely that we can remove this thread pool
from the QEMU driver & rely on the per-VM event threads
to do all the work. This will, however, require careful
analysis of each handler we pushed into the thread pool
to make sure its work doesn't have a dependency on the
event loop running in parallel.
This should also eliminate the need to have the libvirt
event loop registered when using the embedded QEMU driver.
This has not yet been validated, however, so it is left
for a future patch to relax the constraint.
Daniel P. Berrangé (11):
qemu: drop support for agent connections on PTYs
qemu: drop ability to open monitor from FD
src: set the OS level thread name
src: improve thread naming with human targetted names
src: introduce an abstraction for running event loops
qemu: start/stop an event loop thread for domains
qemu: start/stop an event thread for QMP probing
tests: start/stop an event thread for QEMU monitor/agent tests
qemu: convert monitor to use the per-VM event loop
qemu: fix variable naming in agent code
qemu: convert agent to use the per-VM event loop
po/POTFILES.in | 1 +
src/libvirt_private.syms | 6 +
src/libxl/libxl_domain.c | 10 +-
src/libxl/libxl_migration.c | 23 +-
src/lxc/lxc_fuse.c | 4 +-
src/node_device/node_device_udev.c | 7 +-
src/nwfilter/nwfilter_dhcpsnoop.c | 11 +-
src/nwfilter/nwfilter_learnipaddr.c | 10 +-
src/qemu/qemu_agent.c | 634 ++++++++++++++--------------
src/qemu/qemu_agent.h | 1 +
src/qemu/qemu_domain.c | 33 ++
src/qemu/qemu_domain.h | 6 +
src/qemu/qemu_driver.c | 3 +-
src/qemu/qemu_migration.c | 8 +-
src/qemu/qemu_monitor.c | 155 +++----
src/qemu/qemu_monitor.h | 8 +-
src/qemu/qemu_process.c | 61 ++-
src/qemu/qemu_process.h | 2 +
src/remote/remote_daemon.c | 9 +-
src/rpc/virnetserver.c | 9 +-
src/storage/storage_backend_scsi.c | 4 +-
src/storage/storage_driver.c | 4 +-
src/util/Makefile.inc.am | 2 +
src/util/vircommand.c | 5 +-
src/util/vireventthread.c | 175 ++++++++
src/util/vireventthread.h | 31 ++
src/util/virfdstream.c | 10 +-
src/util/virnodesuspend.c | 8 +-
src/util/virthread.c | 44 +-
src/util/virthread.h | 4 +-
src/util/virthreadpool.c | 14 +-
src/util/virthreadpool.h | 2 +-
tests/qemumonitortestutils.c | 15 +
33 files changed, 832 insertions(+), 487 deletions(-)
create mode 100644 src/util/vireventthread.c
create mode 100644 src/util/vireventthread.h
--
2.24.1
4 years, 9 months
[libvirt PATCH] vz: Fix return value in error path
by Rikard Falkeborn
If PrlVmDev_GetType(), PrlVmDev_GetIndex() or PrlVmCfg_GetBootDevCount()
fails, return false to indicate error. Returning -1 would be interpreted
as true when used in an if-statement.
Fixes: 8c9252aa6d95247537da0939b54fdd2f31695e32
Signed-off-by: Rikard Falkeborn <rikard.falkeborn(a)gmail.com>
---
src/vz/vz_sdk.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/vz/vz_sdk.c b/src/vz/vz_sdk.c
index 877692aeba..2c68c7cb27 100644
--- a/src/vz/vz_sdk.c
+++ b/src/vz/vz_sdk.c
@@ -1609,13 +1609,13 @@ prlsdkInBootList(PRL_HANDLE sdkdom,
size_t i;
pret = PrlVmDev_GetType(sdktargetdev, &targetType);
- prlsdkCheckRetExit(pret, -1);
+ prlsdkCheckRetExit(pret, false);
pret = PrlVmDev_GetIndex(sdktargetdev, &targetIndex);
- prlsdkCheckRetExit(pret, -1);
+ prlsdkCheckRetExit(pret, false);
pret = PrlVmCfg_GetBootDevCount(sdkdom, &bootNum);
- prlsdkCheckRetExit(pret, -1);
+ prlsdkCheckRetExit(pret, false);
for (i = 0; i < bootNum; ++i) {
pret = PrlVmCfg_GetBootDev(sdkdom, i, &bootDev);
--
2.25.1
4 years, 9 months
[libvirt PATCH] esx: Same order of arguments in definition and declaration
by Rikard Falkeborn
The order of arguments were not the same in the definition and
declaration. All callers use the same order as the definition, so there
is no bug, but change the function declaration to match the
implementation to avoid confusion.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn(a)gmail.com>
---
src/esx/esx_vi.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/esx/esx_vi.h b/src/esx/esx_vi.h
index 5c60fd58f4..b960c0900a 100644
--- a/src/esx/esx_vi.h
+++ b/src/esx/esx_vi.h
@@ -204,8 +204,8 @@ struct _esxVI_Context {
int esxVI_Context_Alloc(esxVI_Context **ctx);
void esxVI_Context_Free(esxVI_Context **ctx);
-int esxVI_Context_Connect(esxVI_Context *ctx, const char *ipAddress,
- const char *url, const char *username,
+int esxVI_Context_Connect(esxVI_Context *ctx, const char *url,
+ const char *ipAddress, const char *username,
const char *password, esxUtil_ParsedUri *parsedUri);
int esxVI_Context_LookupManagedObjects(esxVI_Context *ctx);
int esxVI_Context_LookupManagedObjectsByPath(esxVI_Context *ctx, const char *path);
--
2.25.1
4 years, 9 months
Requesting Guidance
by Ritish kr singh
Hello, Sir
My name is Ritish Singh. I am currently pursuing my Bachelor of Technology
in Computer Science.
After going through a lot of GSoC Projects I found Libvirt project to be
quite interesting and challenging for me and I want to contribute to this
project this summer in GSoC. I want to contribute to
Test driver API coverage.
I would be grateful to you if you could guide me in the project and help me
to get started on the project.
Thanks
4 years, 9 months
[PATCH 00/16] Bhyve driver improvements
by Ryan Moeller
Ryan Moeller (16):
Fix build errors on FreeBSD
Simplify bhyve driver caps helpers
Remove redundant parameter to virBhyveProcessStart()
Fix indentation
Eliminate rc variable
Factor out conn
Don't bother seeking to the end of a file opened O_APPEND
Make bhyveMonitor a virClass
Refactor bhyve monitor register/unregister
Add hooks for bhyve backend
Add reboot support for bhyve backend
Refactor virBhyveProcessBuildBhyveCmd a bit
Reorder slot,bus,func -> bus,slot,func in parsers
Add hostdev handling for bhyve
Enable booting from hostdevs with bhyve
Allow PCI functions up to 255 for PCI ARI
docs/schemas/basictypes.rng | 10 +-
docs/schemas/domaincommon.rng | 30 ++
src/bhyve/bhyve_capabilities.c | 14 +
src/bhyve/bhyve_capabilities.h | 1 +
src/bhyve/bhyve_command.c | 285 +++++++++++++-----
src/bhyve/bhyve_command.h | 4 +-
src/bhyve/bhyve_driver.c | 67 ++--
src/bhyve/bhyve_driver.h | 4 +-
src/bhyve/bhyve_monitor.c | 165 ++++++----
src/bhyve/bhyve_monitor.h | 2 +
src/bhyve/bhyve_parse_command.c | 124 ++++++--
src/bhyve/bhyve_process.c | 107 +++++--
src/bhyve/bhyve_process.h | 4 +-
src/conf/domain_audit.c | 5 +
src/conf/domain_conf.c | 131 ++++++++
src/conf/domain_conf.h | 29 +-
src/conf/virconftypes.h | 3 +
src/conf/virnetworkobj.c | 5 +-
src/qemu/qemu_command.c | 2 +
src/qemu/qemu_domain.c | 5 +
src/qemu/qemu_hostdev.c | 1 +
src/qemu/qemu_hotplug.c | 2 +
src/qemu/qemu_migration.c | 1 +
src/security/security_apparmor.c | 1 +
src/security/security_dac.c | 28 ++
src/security/security_selinux.c | 8 +
src/util/virhook.c | 15 +
src/util/virhook.h | 11 +
src/util/virpci.c | 4 +-
.../bhyveargv2xml-passthru.args | 8 +
.../bhyveargv2xml-passthru.xml | 26 ++
.../bhyveargv2xml-virtio-scsi.args | 9 +
.../bhyveargv2xml-virtio-scsi.xml | 20 ++
tests/bhyveargv2xmltest.c | 2 +
.../bhyvexml2argv-passthru.args | 11 +
.../bhyvexml2argv-passthru.ldargs | 1 +
.../bhyvexml2argv-passthru.xml | 22 ++
.../bhyvexml2argv-virtio-scsi.args | 9 +
.../bhyvexml2argv-virtio-scsi.ldargs | 1 +
.../bhyvexml2argv-virtio-scsi.xml | 21 ++
tests/bhyvexml2argvtest.c | 8 +-
.../bhyvexml2xmlout-passthru.xml | 29 ++
.../bhyvexml2xmlout-virtio-scsi.xml | 23 ++
tests/bhyvexml2xmltest.c | 2 +
44 files changed, 1041 insertions(+), 219 deletions(-)
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-passthru.args
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-passthru.xml
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-virtio-scsi.args
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-virtio-scsi.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-passthru.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-passthru.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-passthru.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-virtio-scsi.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-virtio-scsi.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-virtio-scsi.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-passthru.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-virtio-scsi.xml
--
2.24.1
4 years, 9 months
[PATCH v3 0/5] lxc: Add VCPU features for LXC
by Julio Faracco
This series cover a lots of functionalities to LXC VCPUs. It enables
sharing some timer devices between host and LXC guest using `timer`
settings. It still has other improvements related to VCPU and LXC such
as virtual cpuinfo content based on VCPU settings and some better
resource limits. Each patch has the description of the problem and what
it is trying to fix.
v1-v2: Add Daniel's comments and some cleanups.
v2-v3: Remove dependency from patch 4 and 5.
Julio Faracco (5):
lxc: Add Real Time Clock device into allowed devices
lxc: Add HPET device into allowed devices
lxc: Replacing default strings definitions by g_autofree statement.
lxc: Implement virtual /proc/cpuinfo via LXC fuse
lxc: Count max VCPUs based on cpuset.cpus in native config.
docs/formatdomain.html.in | 4 +-
src/lxc/lxc_cgroup.c | 91 ++++++++-
src/lxc/lxc_container.c | 62 ++++--
src/lxc/lxc_container.h | 2 +
src/lxc/lxc_controller.c | 187 ++++++++++++------
src/lxc/lxc_fuse.c | 107 ++++++++--
src/lxc/lxc_native.c | 24 ++-
.../lxcconf2xml-cpusettune.xml | 2 +-
8 files changed, 368 insertions(+), 111 deletions(-)
--
2.20.1
4 years, 9 months
[PATCH v2 0/5] lxc: Add VCPU features for LXC
by Julio Faracco
This series cover a lots of functionalities to LXC VCPUs. It enables
sharing some timer devices between host and LXC guest using `timer`
settings. It still has other improvements related to VCPU and LXC such
as virtual cpuinfo content based on VCPU settings and some better
resource limits. Each patch has the description of the problem and what
it is trying to fix.
v1-v2: Add Daniel's comments and some cleanups.
Julio Faracco (5):
lxc: Add Real Time Clock device into allowed devices
lxc: Add HPET device into allowed devices
lxc: Replacing default strings definitions by g_autofree statement.
lxc: Implement virtual /proc/cpuinfo via LXC fuse
lxc: Count max VCPUs based on cpuset.cpus in native config.
docs/formatdomain.html.in | 4 +-
src/lxc/lxc_cgroup.c | 91 ++++++++-
src/lxc/lxc_container.c | 60 ++++--
src/lxc/lxc_container.h | 2 +
src/lxc/lxc_controller.c | 187 ++++++++++++------
src/lxc/lxc_fuse.c | 107 ++++++++--
src/lxc/lxc_native.c | 24 ++-
.../lxcconf2xml-cpusettune.xml | 2 +-
8 files changed, 367 insertions(+), 110 deletions(-)
--
2.20.1
4 years, 9 months
[libvirt PATCH] docs: add a kbase explaining security protections for QEMU passthrough
by Daniel P. Berrangé
When using command line passthrough users will often trip up over the
security protections like SELinux, DAC, namespaces, etc which will
deny access to files they are passing. This document explains the
various protections and how to deal with their policy, and/or how
to disable them.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/kbase.html.in | 4 +
docs/kbase/qemu-passthrough-security.rst | 157 +++++++++++++++++++++++
2 files changed, 161 insertions(+)
create mode 100644 docs/kbase/qemu-passthrough-security.rst
diff --git a/docs/kbase.html.in b/docs/kbase.html.in
index c156414c41..db84b95b60 100644
--- a/docs/kbase.html.in
+++ b/docs/kbase.html.in
@@ -29,6 +29,10 @@
<dt><a href="kbase/backing_chains.html">Backing chain management</a></dt>
<dd>Explanation of how disk backing chain specification impacts libvirt's
behaviour and basic troubleshooting steps of disk problems.</dd>
+
+ <dt><a href="kbase/qemu-passthrough-security.html">Security with QEMU passthrough</a></dt>
+ <dd>Examination of the security protections used for QEMU and how they need
+ configuring to allow use of QEMU passthrough with host files/devices.</dd>
</dl>
</div>
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
new file mode 100644
index 0000000000..7fb1f6fbdd
--- /dev/null
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -0,0 +1,157 @@
+=============================
+QEMU command line passthrough
+=============================
+
+.. contents::
+
+Libvirt aims to provide explicit modelling of virtualization features in
+the domain XML document schema. QEMU has a very broad range of features
+and not all of these can be mapped to elements in the domain XML. Libvirt
+would like to reduce the gap to QEMU, however, with finite resources there
+will always be cases which aren't covered by the domain XML schema.
+
+
+XML document additions
+======================
+
+To deal with the problem, libvirt introduced support for command line
+passthrough of QEMU arguments. This is achieved by supporting a custom
+XML namespace, under which some QEMU driver specific elements are defined.
+
+The canonical place to declare the namespace is on the top level ``<domain>``
+element. At the very end of the document, arbitrary command line arguments
+can now be added, using the namespace prefix ``qemu:``
+
+::
+
+ <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ ...
+ <qemu:commandline>
+ <qemu:arg value='-newarg'/>
+ <qemu:arg value='parameter'/>
+ <qemu:env name='ID' value='wibble'/>
+ <qemu:env name='BAR'/>
+ </qemu:commandline>
+ </domain>
+
+Note that when an argument takes a value eg ``-newarg parameter``, the argument
+and the value must be passed as separate ``<qemu:arg>`` entries.
+
+Instead of declaring the XML namespace on the top level ``<domain>`` it is also
+possible to declare it at time of use, which is more convenient for humans
+writing the XML documents manually. So the following example is functionally
+identical:
+
+::
+
+ <domain type='kvm'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ ...
+ <commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
+ <arg value='-newarg'/>
+ <arg value='parameter'/>
+ <env name='ID' value='wibble'/>
+ <env name='BAR'/>
+ </commandline>
+ </domain>
+
+Note that when querying the XML from libvirt, it will have been translated into
+the canonical syntax once more with the namespace on the top level element.
+
+Security confinement / sandboxing
+=================================
+
+When libvirt launches a QEMU process it makes use of a number of security
+technologies to confine QEMU and thus protect the host from malicious VM
+breakouts.
+
+When configuring security protection, however, libvirt generally needs to know
+exactly which host resources the VM is permitted to access. It gets this
+information from the domain XML document. This only works for elements in the
+regular schema, the arguments used with command line passthrough are completely
+opaque to libvirt.
+
+As a result, if command line passthrough is used to expose a file on the host
+to QEMU, the security protections will activate and either kill QEMU or deny it
+access.
+
+There are two strategies for dealing with this problem, either figure out what
+steps are needed to grant QEMU access to the device, or disable the security
+protections. The former is harder, but more secure, while the latter is simple.
+
+Granting access per VM
+----------------------
+
+* SELinux - the file on the host needs an SELinux label that will grant access
+ to QEMU's ``svirt_t`` policy.
+
+ - Read only access - use the ``virt_content_t`` label
+ - Shared, write access - use the ``svirt_image_t:s0`` label (ie no MCS
+ category appended)
+ - Exclusive, write access - use the ``svirt_image_t:s0:MCS`` label for the VM.
+ The MCS is auto-generatd at boot time, so this may require re-configuring
+ the VM to have a fixed MCS label
+
+* DAC - the file on the host needs to be readable/writable to the ``qemu``
+ user or ``qemu`` group. This can be done by changing the file ownership to
+ ``qemu``, or relaxing the permissions to allow world read, or adding file
+ ACLs to allow access to ``qemu``.
+
+* Namespaces - a private ``mount`` namespace is used for QEMU by default
+ which populates a new ``/dev`` with only the device nodes needed by QEMU.
+ There is no way to augment the set of device nodes ahead of time.
+
+* Seccomp - libvirt launches QEMU with its built-in seccomp policy enabled with
+ ``obsolete=deny``, ``elevateprivileges=deny``, ``spawn=deny`` and
+ ``resourcecontrol=deny`` settings active. There is no way to change this
+ policy on a per VM basis
+
+* Cgroups - a custom cgroup is created per VM and this will either use the
+ ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+ There is no way to change this policy on a per VM basis.
+
+Disabling security protection per VM
+------------------------------------
+
+Some of the security protections can be disabled per-VM:
+
+* SELinux - in the domain XML the ``<seclabel>`` model can be changed to
+ ``none`` instead of ``selinux``, which will make the VM run unconfined.
+
+* DAC - in the domain XML an ``<seclabel>`` element with the ``dac`` model can
+ be added, configured with a user / group account of ``root`` to make QEMU run
+ with full privileges
+
+* Namespaces - there is no way to disable this per VM
+
+* Seccomp - there is no way to disable this per VM
+
+* Cgroups - there is no way to disable this per VM
+
+Disabling security protection host-wide
+---------------------------------------
+
+As a last resort it is possible to disable security protection host wide which
+will affect all virtual machines. These settings are all made in
+``/etc/libvirt/qemu.conf``
+
+* SELinux - set ``security_default_confied = 0`` to make QEMU run unconfined by
+ default, while still allowing explicit opt-in to SELinux for VMs.
+
+* DAC - set ``user = root`` and ``group = root`` to make QEMU run as the root
+ account
+
+* SELinux, DAC - set ``security_driver = []`` to entirely disable both the
+ SELinux and DAC security drivers.
+
+* Namespaces - set ``namespaces = []`` to disable use of the ``mount``
+ namespaces, causing QEMU to see the normal fully popualated ``dev``
+
+* Seccomp - set ``seccomp_sandbox = 0`` to disable use of the Seccomp sandboxing
+ in QEMU
+
+* Cgroups - set ``cgroup_device_acl`` to include the desired device node, or
+ ``cgroup_controllers = [...]`` to exclude the ``devices`` controller.
--
2.24.1
4 years, 9 months
