
On Wed, Jul 22, 2009 at 04:23:47PM +0100, Daniel P. Berrange wrote:
* qemud/libvirtd_qemu.aug, qemud/test_libvirtd_qemu.aug, src/qemu.conf: Add 'cgroups_controllers' and 'cgroups_device_acl' parameters
* src/qemu_conf.h, src/qemu_conf.c: Load & parse configuration params for cgroups
* src/qemu_driver.c: Only use cgroups controllers that are activated, and use configured device whitelist instead of default, if set.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- qemud/libvirtd_qemu.aug | 2 + qemud/test_libvirtd_qemu.aug | 21 +++++++- src/Makefile.am | 3 +- src/cgroup.c | 11 ---- src/cgroup.h | 12 +++++ src/qemu.conf | 34 +++++++++++++ src/qemu_conf.c | 61 ++++++++++++++++++++++++ src/qemu_conf.h | 3 + src/qemu_driver.c | 106 ++++++++++++++++++++++++------------------ [...] +++ b/src/qemu.conf @@ -95,3 +95,37 @@
# The group ID for QEMU processes run by the system instance #group = "root" + + +# What cgroup controllers to make use of with QEMU guests +# +# - 'cpu' - use for schedular tunables +# - 'devices' - use for device whitelisting +# +# NB, even if configured here, they won't be used unless +# the adminsitrator has mounted cgroups. eg +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu none /dev/cgroup +# +# They can be mounted anywhere, and different controlers +# can be mounted in different locations. libvirt will detect +# where they are located. +# +# cgroup_controllers = [ "cpu", "devices" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know a bout. +# +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", "/dev/kqemu", +# "/dev/rtc", "/dev/hpet", "/dev/net/tun", +#]
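Review bot: the comment above cgroup_device_acl should state that setting it replaces the built-in device list rather than adding to it. The commit message says the configured whitelist is used "instead of default, if set", so an administrator who lists only the one new device QEMU wants would presumably end up without /dev/null, /dev/kvm and the rest; a sentence such as "if set, this list is used in place of the default, so copy the entries below and append to them" would prevent that. The commit message also names the parameters 'cgroups_controllers' and 'cgroups_device_acl' while this file uses cgroup_controllers and cgroup_device_acl, so one of the two needs correcting, and the comment text has typos worth fixing ("schedular", "adminsitrator", "controlers", "a bout").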
great, but that doesn't really replace documentation :-)

[...]
- if (vm->def->nsounds) { - rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR); + rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR); if (rc != 0) { virReportSystemError(conn, -rc, "%s", - _("unable to allow /dev/snd/ devices")); + _("unable to allow /dev/pts/ devices")); goto cleanup;
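Review bot: it is not clear from these lines where the sound device rule ends up. The "if (vm->def->nsounds)" guard and the DEVICE_SND_MAJOR call are removed here and the same error path is reused for DEVICE_PTY_MAJOR, while the new qemu.conf comment still promises that all sound devices are allowed; please confirm the sound allow is kept elsewhere in the function and say whether it remains conditional on nsounds. Since virCgroupAllowDeviceMajor() with DEVICE_PTY_MAJOR opens the whole major to every guest, a short code comment explaining why the rule is per-major rather than per-device would help whoever audits the whitelist later.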
diff is really making the patch hard to read ...

ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/