On 11/10/2016 05:59 AM, Daniel P. Berrange wrote:
On Thu, Nov 10, 2016 at 10:35:46AM +0000, Marc-André Lureau wrote:
> Hi
>
> What's the status with this patch? If I understand the discussion, it is
> needed, but not enough. Now that SELinux has been fixed (both in f24/f25
> now), I can see only the ACL left: setfacl -m u:qemu:rw /dev/dri/renderD128
> + this patch allows me to setup a system VM with virgl. (though tbh, I
> would be fine restricting virgl to qemu:///session only)
This ties in with the discussion we've just been having around udev
and DAC/MAC labelling of device nodes. With my proposed solution of
using a new mount namespace + dedicated /dev per VM, then granting
DAC access to the DRI nodes is easy.
The DAC thing at least has an easy workaround like Marc-André pointed out. The
only workaround for the cgroup issue is a custom cgroup_device_acl in
qemu.conf, which sucks: if a user adds a custom list to their qemu.conf, and
then forgets about it, future libvirt updates might extend the default
cgroup_device_acl, the user misses these updates, possibly causing hard to
diagnose errors or bugs.
In the meantime we have people that are trying to make this work regardless of
workarounds (see libvirt-users thread, and comments on bug 1337290). So IMO
better to make the needed workarounds less intrusive. So I still vote for this
patch. But if it's still not acceptable, maybe we can add a new qemu.conf
option like cgroup_device_acl_append= which users can manually edit, which
avoids the upgrade issues of cgroup_device_acl=
- Cole