Re: [libvirt] [PATCH 15/15] qemu: set CAP_COMPROMISE_KERNEL so that pci passthrough works

On 02/07/2013 02:37 PM, Laine Stump wrote: > Any system with CAP_COMPROMISE_KERNEL available in the kernel was not > able to perform PCI passthrough device assignment without 1) running > qemu as root *and* 2) setting "clear_emulator_capabilities=0" in > /etc/libvirt/qemu.conf. > > This patch is the final piece to make pci passthrough once again work > properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that > virCommand is properly setup to honor that request for non-root child > processes, it will actually do some good. > > It is still necessary to set the file capability for the qemu binary, > however (see the rules for determining effective caps of a process > running as non-root in "man 7 capabilities"). This can be done with: > > filecap $path-to-qemu-binary compromise_kernel Sounds like something that should be done by default at least for the Fedora packaging of qemu - that is, if the kernel folks don't honor our request to make CAP_COMPROMISE_KERNEL needed only on open() rather than all read()/write(). We may not need this patch, if the kernel folks are sensible.