7:57 a.m.
Tuning NUMA or network interface parameters require root
privileges to manage cgroups, thus an attempt to set some of these
parameters in session mode on a running domain should be invalid
followed by an error.
As an example might be memory tuning which raises an error in such case.
Following behavior in session mode will be present after applying
this patch:
Tuning | SET | GET |
----------|---------------|--------|
NUMA | shut off only | always |
Memory | never | never |
Interface | never | always |
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1126762
---
src/qemu/qemu_command.c | 13 ++++++++++++-
src/qemu/qemu_driver.c | 35 +++++++++++++++++++++++++----------
2 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index eb72451..4c335dc 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7671,7 +7671,7 @@ qemuBuildCommandLine(virConnectPtr conn,
emulator = def->emulator;
if (!cfg->privileged) {
- /* If we have no cgroups than we can have no tunings that
+ /* If we have no cgroups then we can have no tunings that
* require them */
if (def->mem.hard_limit || def->mem.soft_limit ||
@@ -7694,6 +7694,17 @@ qemuBuildCommandLine(virConnectPtr conn,
_("CPU tuning is not available in session mode"));
goto error;
}
+
+ virDomainNetDefPtr *nets = def->nets;
+ virNetDevBandwidthPtr bandwidth = NULL;
+ size_t nnets = def->nnets;
+ for (i = 0; i < nnets; i++) {
+ if ((bandwidth = virDomainNetGetActualBandwidth(nets[i])) != NULL) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Network bandwidth tuning is not available in session
mode"));
+ goto error;
+ }
+ }
}
for (i = 0; i < def->ngraphics; ++i) {
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6606154..c64d272 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -8974,6 +8974,13 @@ qemuDomainSetNumaParameters(virDomainPtr dom,
&persistentDef) < 0)
goto cleanup;
+ if (!cfg->privileged &&
+ flags & VIR_DOMAIN_AFFECT_LIVE) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("NUMA tuning is not available in session mode"));
+ goto cleanup;
+ }
+
if (flags & VIR_DOMAIN_AFFECT_LIVE) {
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -9058,6 +9065,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
size_t i;
virDomainObjPtr vm = NULL;
virDomainDefPtr persistentDef = NULL;
+ virQEMUDriverConfigPtr cfg = NULL;
char *nodeset = NULL;
int ret = -1;
virCapsPtr caps = NULL;
@@ -9076,6 +9084,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
return -1;
priv = vm->privateData;
+ cfg = virQEMUDriverGetConfig(driver);
if (virDomainGetNumaParametersEnsureACL(dom->conn, vm->def) < 0)
goto cleanup;
@@ -9093,14 +9102,6 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
goto cleanup;
}
- if (flags & VIR_DOMAIN_AFFECT_LIVE) {
- if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) {
- virReportError(VIR_ERR_OPERATION_INVALID,
- "%s", _("cgroup memory controller is not
mounted"));
- goto cleanup;
- }
- }
-
for (i = 0; i < QEMU_NB_NUMA_PARAM && i < *nparams; i++) {
virMemoryParameterPtr param = ¶ms[i];
@@ -9123,9 +9124,16 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
if (!nodeset)
goto cleanup;
} else {
- if (virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0)
- goto cleanup;
+ if (!virCgroupHasController(priv->cgroup,
+ VIR_CGROUP_CONTROLLER_MEMORY) ||
+ virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0) {
+ nodeset = virDomainNumatuneFormatNodeset(vm->def->numatune,
+ NULL, -1);
+ if (!nodeset)
+ goto cleanup;
+ }
}
+
if (virTypedParameterAssign(param, VIR_DOMAIN_NUMA_NODESET,
VIR_TYPED_PARAM_STRING, nodeset) < 0)
goto cleanup;
@@ -9150,6 +9158,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
if (vm)
virObjectUnlock(vm);
virObjectUnref(caps);
+ virObjectUnref(cfg);
return ret;
}
@@ -10120,6 +10129,12 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom,
if (virDomainSetInterfaceParametersEnsureACL(dom->conn, vm->def, flags) <
0)
goto cleanup;
+ if (!cfg->privileged) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("Network bandwidth tuning is not available in session
mode"));
+ goto cleanup;
+ }
+
if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
goto cleanup;
--
1.9.3
2 p.m.
On 10/01/2014 08:57 AM, Erik Skultety wrote:
Tuning NUMA or network interface parameters require root
privileges to manage cgroups, thus an attempt to set some of these
parameters in session mode on a running domain should be invalid
followed by an error.
As an example might be memory tuning which raises an error in such case.
Following behavior in session mode will be present after applying
this patch:
Tuning | SET | GET |
----------|---------------|--------|
NUMA | shut off only | always |
Memory | never | never |
Interface | never | always |
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1126762
---
src/qemu/qemu_command.c | 13 ++++++++++++-
src/qemu/qemu_driver.c | 35 +++++++++++++++++++++++++----------
2 files changed, 37 insertions(+), 11 deletions(-)
I was going through some of my list backlog - it seems this was orphaned
:-)... Since v3 addressed Mark's comment, I rebased it to top of
tree... adjusted the title to be just:
"qemu: Disallow NUMA/network tuning for session mode"
adjusted the grammar of the commit message a bit, and pushed
John
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index eb72451..4c335dc 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7671,7 +7671,7 @@ qemuBuildCommandLine(virConnectPtr conn,
emulator = def->emulator;
if (!cfg->privileged) {
- /* If we have no cgroups than we can have no tunings that
+ /* If we have no cgroups then we can have no tunings that
* require them */
if (def->mem.hard_limit || def->mem.soft_limit ||
@@ -7694,6 +7694,17 @@ qemuBuildCommandLine(virConnectPtr conn,
_("CPU tuning is not available in session mode"));
goto error;
}
+
+ virDomainNetDefPtr *nets = def->nets;
+ virNetDevBandwidthPtr bandwidth = NULL;
+ size_t nnets = def->nnets;
+ for (i = 0; i < nnets; i++) {
+ if ((bandwidth = virDomainNetGetActualBandwidth(nets[i])) != NULL) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Network bandwidth tuning is not available in session
mode"));
+ goto error;
+ }
+ }
}
for (i = 0; i < def->ngraphics; ++i) {
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6606154..c64d272 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -8974,6 +8974,13 @@ qemuDomainSetNumaParameters(virDomainPtr dom,
&persistentDef) < 0)
goto cleanup;
+ if (!cfg->privileged &&
+ flags & VIR_DOMAIN_AFFECT_LIVE) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("NUMA tuning is not available in session mode"));
+ goto cleanup;
+ }
+
if (flags & VIR_DOMAIN_AFFECT_LIVE) {
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET)) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
@@ -9058,6 +9065,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
size_t i;
virDomainObjPtr vm = NULL;
virDomainDefPtr persistentDef = NULL;
+ virQEMUDriverConfigPtr cfg = NULL;
char *nodeset = NULL;
int ret = -1;
virCapsPtr caps = NULL;
@@ -9076,6 +9084,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
return -1;
priv = vm->privateData;
+ cfg = virQEMUDriverGetConfig(driver);
if (virDomainGetNumaParametersEnsureACL(dom->conn, vm->def) < 0)
goto cleanup;
@@ -9093,14 +9102,6 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
goto cleanup;
}
- if (flags & VIR_DOMAIN_AFFECT_LIVE) {
- if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY)) {
- virReportError(VIR_ERR_OPERATION_INVALID,
- "%s", _("cgroup memory controller is not
mounted"));
- goto cleanup;
- }
- }
-
for (i = 0; i < QEMU_NB_NUMA_PARAM && i < *nparams; i++) {
virMemoryParameterPtr param = ¶ms[i];
@@ -9123,9 +9124,16 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
if (!nodeset)
goto cleanup;
} else {
- if (virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0)
- goto cleanup;
+ if (!virCgroupHasController(priv->cgroup,
+ VIR_CGROUP_CONTROLLER_MEMORY) ||
+ virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0) {
+ nodeset = virDomainNumatuneFormatNodeset(vm->def->numatune,
+ NULL, -1);
+ if (!nodeset)
+ goto cleanup;
+ }
}
+
if (virTypedParameterAssign(param, VIR_DOMAIN_NUMA_NODESET,
VIR_TYPED_PARAM_STRING, nodeset) < 0)
goto cleanup;
@@ -9150,6 +9158,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
if (vm)
virObjectUnlock(vm);
virObjectUnref(caps);
+ virObjectUnref(cfg);
return ret;
}
@@ -10120,6 +10129,12 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom,
if (virDomainSetInterfaceParametersEnsureACL(dom->conn, vm->def, flags) <
0)
goto cleanup;
+ if (!cfg->privileged) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("Network bandwidth tuning is not available in session
mode"));
+ goto cleanup;
+ }
+
if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
goto cleanup;
2:05 a.m.
Splendid, thank you John :).
Erik
On 10/22/2014 09:00 PM, John Ferlan wrote:
On 10/01/2014 08:57 AM, Erik Skultety wrote:
> Tuning NUMA or network interface parameters require root
> privileges to manage cgroups, thus an attempt to set some of these
> parameters in session mode on a running domain should be invalid
> followed by an error.
> As an example might be memory tuning which raises an error in such case.
> Following behavior in session mode will be present after applying
> this patch:
>
> Tuning | SET | GET |
> ----------|---------------|--------|
> NUMA | shut off only | always |
> Memory | never | never |
> Interface | never | always |
>
> Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1126762
> ---
> src/qemu/qemu_command.c | 13 ++++++++++++-
> src/qemu/qemu_driver.c | 35 +++++++++++++++++++++++++----------
> 2 files changed, 37 insertions(+), 11 deletions(-)
>
I was going through some of my list backlog - it seems this was orphaned
:-)... Since v3 addressed Mark's comment, I rebased it to top of
tree... adjusted the title to be just:
"qemu: Disallow NUMA/network tuning for session mode"
adjusted the grammar of the commit message a bit, and pushed
John
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index eb72451..4c335dc 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -7671,7 +7671,7 @@ qemuBuildCommandLine(virConnectPtr conn,
> emulator = def->emulator;
>
> if (!cfg->privileged) {
> - /* If we have no cgroups than we can have no tunings that
> + /* If we have no cgroups then we can have no tunings that
> * require them */
>
> if (def->mem.hard_limit || def->mem.soft_limit ||
> @@ -7694,6 +7694,17 @@ qemuBuildCommandLine(virConnectPtr conn,
> _("CPU tuning is not available in session
mode"));
> goto error;
> }
> +
> + virDomainNetDefPtr *nets = def->nets;
> + virNetDevBandwidthPtr bandwidth = NULL;
> + size_t nnets = def->nnets;
> + for (i = 0; i < nnets; i++) {
> + if ((bandwidth = virDomainNetGetActualBandwidth(nets[i])) != NULL) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Network bandwidth tuning is not available in session
mode"));
> + goto error;
> + }
> + }
> }
>
> for (i = 0; i < def->ngraphics; ++i) {
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 6606154..c64d272 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -8974,6 +8974,13 @@ qemuDomainSetNumaParameters(virDomainPtr dom,
> &persistentDef) < 0)
> goto cleanup;
>
> + if (!cfg->privileged &&
> + flags & VIR_DOMAIN_AFFECT_LIVE) {
> + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> + _("NUMA tuning is not available in session
mode"));
> + goto cleanup;
> + }
> +
> if (flags & VIR_DOMAIN_AFFECT_LIVE) {
> if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
{
> virReportError(VIR_ERR_OPERATION_INVALID, "%s",
> @@ -9058,6 +9065,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
> size_t i;
> virDomainObjPtr vm = NULL;
> virDomainDefPtr persistentDef = NULL;
> + virQEMUDriverConfigPtr cfg = NULL;
> char *nodeset = NULL;
> int ret = -1;
> virCapsPtr caps = NULL;
> @@ -9076,6 +9084,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
> return -1;
>
> priv = vm->privateData;
> + cfg = virQEMUDriverGetConfig(driver);
>
> if (virDomainGetNumaParametersEnsureACL(dom->conn, vm->def) < 0)
> goto cleanup;
> @@ -9093,14 +9102,6 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
> goto cleanup;
> }
>
> - if (flags & VIR_DOMAIN_AFFECT_LIVE) {
> - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_MEMORY))
{
> - virReportError(VIR_ERR_OPERATION_INVALID,
> - "%s", _("cgroup memory controller is not
mounted"));
> - goto cleanup;
> - }
> - }
> -
> for (i = 0; i < QEMU_NB_NUMA_PARAM && i < *nparams; i++) {
> virMemoryParameterPtr param = ¶ms[i];
>
> @@ -9123,9 +9124,16 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
> if (!nodeset)
> goto cleanup;
> } else {
> - if (virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0)
> - goto cleanup;
> + if (!virCgroupHasController(priv->cgroup,
> + VIR_CGROUP_CONTROLLER_MEMORY) ||
> + virCgroupGetCpusetMems(priv->cgroup, &nodeset) < 0) {
> + nodeset =
virDomainNumatuneFormatNodeset(vm->def->numatune,
> + NULL, -1);
> + if (!nodeset)
> + goto cleanup;
> + }
> }
> +
> if (virTypedParameterAssign(param, VIR_DOMAIN_NUMA_NODESET,
> VIR_TYPED_PARAM_STRING, nodeset) < 0)
> goto cleanup;
> @@ -9150,6 +9158,7 @@ qemuDomainGetNumaParameters(virDomainPtr dom,
> if (vm)
> virObjectUnlock(vm);
> virObjectUnref(caps);
> + virObjectUnref(cfg);
> return ret;
> }
>
> @@ -10120,6 +10129,12 @@ qemuDomainSetInterfaceParameters(virDomainPtr dom,
> if (virDomainSetInterfaceParametersEnsureACL(dom->conn, vm->def, flags)
< 0)
> goto cleanup;
>
> + if (!cfg->privileged) {
> + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> + _("Network bandwidth tuning is not available in session
mode"));
> + goto cleanup;
> + }
> +
> if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
> goto cleanup;
>
>
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
11:48 a.m.
On 10/22/2014 03:00 PM, John Ferlan wrote:
On 10/01/2014 08:57 AM, Erik Skultety wrote:
> Tuning NUMA or network interface parameters require root
> privileges to manage cgroups, thus an attempt to set some of these
> parameters in session mode on a running domain should be invalid
> followed by an error.
> As an example might be memory tuning which raises an error in such case.
> Following behavior in session mode will be present after applying
> this patch:
>
> Tuning | SET | GET |
> ----------|---------------|--------|
> NUMA | shut off only | always |
> Memory | never | never |
> Interface | never | always |
>
> Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1126762
> ---
> src/qemu/qemu_command.c | 13 ++++++++++++-
> src/qemu/qemu_driver.c | 35 +++++++++++++++++++++++++----------
> 2 files changed, 37 insertions(+), 11 deletions(-)
>
I was going through some of my list backlog - it seems this was orphaned
:-)... Since v3 addressed Mark's comment, I rebased it to top of
tree... adjusted the title to be just:
"qemu: Disallow NUMA/network tuning for session mode"
adjusted the grammar of the commit message a bit, and pushed
John
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index eb72451..4c335dc 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -7671,7 +7671,7 @@ qemuBuildCommandLine(virConnectPtr conn,
> emulator = def->emulator;
>
> if (!cfg->privileged) {
> - /* If we have no cgroups than we can have no tunings that
> + /* If we have no cgroups then we can have no tunings that
> * require them */
>
> if (def->mem.hard_limit || def->mem.soft_limit ||
> @@ -7694,6 +7694,17 @@ qemuBuildCommandLine(virConnectPtr conn,
> _("CPU tuning is not available in session
mode"));
> goto error;
> }
> +
> + virDomainNetDefPtr *nets = def->nets;
> + virNetDevBandwidthPtr bandwidth = NULL;
> + size_t nnets = def->nnets;
> + for (i = 0; i < nnets; i++) {
> + if ((bandwidth = virDomainNetGetActualBandwidth(nets[i])) != NULL) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Network bandwidth tuning is not available in session
mode"));
> + goto error;
> + }
> + }
John's review mail popped this patch (which I had missed before) up in
my inbox, and I noticed this snippet.
I think this is the wrong place to do this check - all the other bits
being checked inside this if (!cfg->privileged) are, as the comment
suggests, related to cgroups, while bandwidth management isn't (at least
not directly - it's setup with the "tc" command). I think it would be
better to check for !privileged at the place where the bandwidth is
actually set (although it doesn't have access to cfg, so you would only
be able to look at getuid() - is that adequate?). Doing the check at
that location would assure that it's properly done for *all* situations
when someone tries to set bandwidth, e.g. for an interface hotplug, for
LXC, for virDomainSetInterfaceParameters()...
3717
days inactive
3740
days old
3 comments
3 participants
participants (3)
-
Erik Skultety -
John Ferlan -
Laine Stump