Verify Summary:
* the none rooted mode starting a high-privileges VM actually.
The configurations is source generated default value except tls disabled.
1. rooted
virsh define ./libvirt/vgpu-win10.xml
Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml
ubuntu@z-nuc-11:~/vgpu-meta/libvirt-stage$ virsh start vgpu-win10
2017-03-26 23:28:57.385+0000: 2886: info : libvirt version: 3.2.0
2017-03-26 23:28:57.385+0000: 2886: info : hostname: z-nuc-11.maas
2017-03-26 23:28:57.385+0000: 2886: warning : qemuDomainObjTaint:4155 :
Domain id=1 name='vgpu-win10' uuid=916c5c36-0437-11e7-a23d-830ed1295d00
is tainted: high-privileges
2017-03-26 23:28:58.010+0000: 2886: warning : virDomainAuditHostdev:456
: Unexpected hostdev type while encoding audit message: 4
Domain vgpu-win10 started
2. None rooted
virsh -c qemu:///session
Welcome to lt-virsh, the virtualization interactive terminal.
virsh # define ./libvirt/vgpu-win10.xml
Domain vgpu-win10 defined from ./libvirt/vgpu-win10.xml
virsh # start vgpu-win10
2017-03-26 23:38:11.220+0000: 2882: warning : qemuDomainObjTaint:4155 :
Domain id=4 name='vgpu-win10' uuid=916c5c36-0437-11e7-a23d-830ed1295d00
is tainted: high-privileges
2017-03-26 23:38:12.356+0000: 2882: warning : virDomainAuditHostdev:456
: Unexpected hostdev type while encoding audit message: 4
Domain vgpu-win10 started
Regards
Yongli He
since v1:
- new <hostdev> attribute model introduced which tells libvirt which device API
should be considered when auto-assigning guest address
- device_api is properly checked, thus taking the 'model' attribute only as a
hint to assign "some" address
- new address type 'mdev' is introduced rather than using plain <uuid>
element,
since the address element is more conveniently extendable.
- the emulated mtty driver now works as well out of the box, so no HW needed to
review this series --> let's try it :)
- fixed all the nits from v1
since v2:
- dropped the patch introducing new address type 'mdev' since I added by
mistake and only after that realized that the device address type enum is used
for guest addresses only
--> the mdevs are still identified by address element containing an 'uuid'
attribute, I just dropped the enum
- resolved the driver hostdev list race condition raised by Pavel in his review
--> the device API is now checked every time our internal mdev object is
created as opposed to the previous version where because of the model being
checked separately, the locking issues arose.
- rewrote the docs, reflecting the mdev address type drop change
- squashed all security related stuff into 1 patch, also added app-armor bits
- as Pavel suggested, moved most of the mdev-related functions out of
virhostdev.c to virmdev.c
- added a few more test cases
- created a new branch 'mdev-next' on my github (more suitable name than a
strict version number) on
https://github.com/eskultety/libvirt/commits/mdev-next
since v3:
- 'undo' an accidental squash of virmdev.{c,h} module introduction into patch
4/15 and made it a separate patch again
- squash 5/15 into 4/15 as Pavel suggested
- dropped the NEWS patch, as I've so far got at least 4 merge conflicts because
of it when rebasing...I'll add it before the series is ready to be
merged...or I'll forget about it like I usually do and add it later :/
Erik
Erik Skultety (14):
conf: hostdev: Enforce enum-in-switch compile-time checks
conf: hostdev: Introduce virDomainHostdevSubsysSCSIClear
conf: Introduce virDomainHostdevDefPostParse
util: Introduce new module virmdev
conf: Introduce new hostdev device type mdev
security: Enable labeling of vfio mediated devices
conf: Enable cold-plug of a mediated device
qemu: Assign PCI addresses for mediated devices as well
hostdev: Maintain a driver list of active mediated devices
qemu: cgroup: Adjust cgroups' logic to allow mediated devices
qemu: Bump the memory locking limit for mdevs as well
qemu: Format mdevs on qemu command line
test: Add some test cases for our test suite regarding the mdevs
docs: Document the new hostdev and address type 'mdev'
docs/formatdomain.html.in | 46 +-
docs/schemas/domaincommon.rng | 22 +
po/POTFILES.in | 1 +
src/Makefile.am | 1 +
src/conf/domain_conf.c | 225 ++++++++--
src/conf/domain_conf.h | 9 +
src/libvirt_private.syms | 25 ++
src/qemu/qemu_command.c | 45 ++
src/qemu/qemu_command.h | 5 +
src/qemu/qemu_domain.c | 24 +-
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_domain_address.c | 14 +-
src/qemu/qemu_hostdev.c | 56 +++
src/qemu/qemu_hostdev.h | 10 +
src/qemu/qemu_hotplug.c | 2 +
src/security/security_apparmor.c | 22 +
src/security/security_dac.c | 43 ++
src/security/security_selinux.c | 45 ++
src/util/virhostdev.c | 165 ++++++-
src/util/virhostdev.h | 23 +
src/util/virmdev.c | 487 +++++++++++++++++++++
src/util/virmdev.h | 123 ++++++
tests/domaincapsschemadata/full.xml | 1 +
...ml2argv-hostdev-mdev-invalid-target-address.xml | 33 ++
...muxml2argv-hostdev-mdev-src-address-invalid.xml | 35 ++
.../qemuxml2argv-hostdev-mdev-unmanaged.args | 25 ++
.../qemuxml2argv-hostdev-mdev-unmanaged.xml | 35 ++
tests/qemuxml2argvtest.c | 9 +
.../qemuxml2xmlout-hostdev-mdev-unmanaged.xml | 40 ++
tests/qemuxml2xmltest.c | 1 +
30 files changed, 1518 insertions(+), 55 deletions(-)
create mode 100644 src/util/virmdev.c
create mode 100644 src/util/virmdev.h
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-invalid-target-address.xml
create mode 100644
tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-src-address-invalid.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-hostdev-mdev-unmanaged.xml
create mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-hostdev-mdev-unmanaged.xml