
On Fri, Feb 08, 2013 at 12:07:16PM -0700, Eric Blake wrote:
On 02/07/2013 02:37 PM, Laine Stump wrote:
Any system with CAP_COMPROMISE_KERNEL available in the kernel was not able to perform PCI passthrough device assignment without 1) running qemu as root *and* 2) setting "clear_emulator_capabilities=0" in /etc/libvirt/qemu.conf.
This patch is the final piece to make pci passthrough once again work properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that virCommand is properly setup to honor that request for non-root child processes, it will actually do some good.
It is still necessary to set the file capability for the qemu binary, however (see the rules for determining effective caps of a process running as non-root in "man 7 capabilities"). This can be done with:
filecap $path-to-qemu-binary compromise_kernel
Sounds like something that should be done by default at least for the Fedora packaging of qemu - that is, if the kernel folks don't honor our request to make CAP_COMPROMISE_KERNEL needed only on open() rather than all read()/write().
We may not need this patch, if the kernel folks are sensible.
Yes, I want to push this back onto the kernel developers. IMHO this is a userspace ABI change they've made here. The secureboot stuff should be a complete no-op if the kernel is not booted in secureboot mode, but the current kernel patch does not satisfy that. I don't think it should be libvirt or KVM's job to fix this kernel breakage. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|