From: Michal Privoznik <mprivozn@redhat.com> Here's the deal: the 'devices' controller as such does not exist in CGroupsV2. The alternative is to load eBPF program that mimics the controller's behavior from CGroupsV1. But, only privileged user can load such program. This means that virt-host-validate (when ran as a regular user) claims 'devices' controller missing (rightfully so), and suggests enabling it in Kconfig. This last bit might be misleading to users [1]. Now, to fix this ideally, all three conditions should be checked (CGroupsV2, 'devices' controller and regular user), but our virCgroup module deliberately hides the version of CGroups. So check for the other two conditions. 1: https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/USDFF... Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- tools/virt-host-validate-common.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c index 6bca661ffc..a0373b03ce 100644 --- a/tools/virt-host-validate-common.c +++ b/tools/virt-host-validate-common.c @@ -218,9 +218,17 @@ int virHostValidateCGroupControllers(const char *hvname, if (!virCgroupHasController(group, i)) { ret = VIR_VALIDATE_FAILURE(level); - virValidateFail(level, "Enable '%s' in kernel Kconfig file or " - "mount/enable cgroup controller in your system", - cg_name); + + /* Ideally we would also verify that @group is CGroupsV2, but + * our internal APIs hide that fact away, intentionally. */ + if (i == VIR_CGROUP_CONTROLLER_DEVICES && geteuid() != 0) { + virValidateFail(level, "Controller '%s' not available for unprivileged users", + cg_name); + } else { + virValidateFail(level, "Enable '%s' in kernel Kconfig file or " + "mount/enable cgroup controller in your system", + cg_name); + } } else { virValidatePass(); } -- 2.53.0
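Review bot: The new branch `if (i == VIR_CGROUP_CONTROLLER_DEVICES && geteuid() != 0)` also fires on a CGroupsV1 host where the 'devices' controller really is unmounted or disabled and the tool is run as a regular user. In that case the Kconfig/mount hint, which would be the correct advice, is now replaced by "not available for unprivileged users". Since the comment already concedes that the CGroups version cannot be checked here, consider wording the message so it covers both situations and gives the user a next step, for example by saying that the controller could not be verified as an unprivileged user and that the check should be re-run as root. Note also that `ret = VIR_VALIDATE_FAILURE(level);` stays unconditional, so the run still reports a failure for a condition the commit message describes as expected for unprivileged users. If that is intentional, a short comment saying so would help; if not, the result for this branch should be decided separately from the message text. Finally, `geteuid()` needs `<unistd.h>`; the hunk does not show the include list, so please confirm that it is already pulled in by this file.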