Hi, all! We use an interesting approach when starting/migrating/etc domain with usb hostdev with startupPolicy=optional. We add qemu usb-host device with missing hostaddr/hostbus parameters (dummy device). I guess there are 2 reasons why we do it. First without dummy device migration will fail as described in [1]. Second is an interesting property of dummy device that qemu starts to monitor for attaching of usb devices and binds the first attached to node to the dummy device. So one can start a domain with missing hostdev and attach it later or migrate a domain then detach hostdev on source and attach it on destination. But as qemu binds the first attached device this is not reliable, to say the least. And after all this does not work if domain uses distinct mount namespace which is default.

So I question does it make sense to use dummy device at all? In case of migration/resume from suspend/revert to snapshot we can either fix qemu to ignore incoming missing hostdev data or add dummy device temporarily. The latter solution is worse as it brings dummy device behaviour even for a short period of time. However having a temporary dummy device is neccessary step towards the time when all supported versions of qemu do the mentioned ignoring. As to handling attaching of missing hostdev device to node it should be done in libvirt which can do necessary mount namespace actions. (Actually I developing such patches right now but some peculiarities of dummy device bring me here).

On Fri, Aug 30, 2019 at 10:09:06AM +0100, Daniel P. Berrangé wrote: > On Fri, Aug 30, 2019 at 08:44:03AM +0000, Nikolay Shirokovskiy wrote: >> Hi, all! >> >> We use an interesting approach when starting/migrating/etc domain with usb >> hostdev with startupPolicy=optional. We add qemu usb-host device with >> missing hostaddr/hostbus parameters (dummy device). I guess there are >> 2 reasons why we do it. First without dummy device migration will fail as >> described in [1]. Second is an interesting property of dummy device that >> qemu starts to monitor for attaching of usb devices and binds the first >> attached to node to the dummy device. So one can start a domain with >> missing hostdev and attach it later or migrate a domain then detach >> hostdev on source and attach it on destination. But as qemu binds the >> first attached device this is not reliable, to say the least. And after >> all this does not work if domain uses distinct mount namespace which >> is default. > > Even without mount namespaces, it should fail as QEMU is running non-root > and libvirt won't have granted access to any host USB devices in /dev, and > also SELinux policy will forbid this. Right, but the case with mount namespaces is particularly problematic: if the device open fails due to missing device node, libusb removes the device from its internal device list. This results in the following scenario: - libvirt adds a dummy usb-host device to QEMU in place of a missing device - QEMU (via libusb) installs a watch for udev add events - the physical device is plugged into the host - QEMU detects the addition of the device and, since the dummy device matches everything, tries to open it - by this time libvirt may have not created a device node in QEMU's mount namespace, so the open fails due to missing device node, and libusb removes the device from its internal list - libvirt removes the dummy usb-host device and adds the actual usb-host device - QEMU fails to open it because it's no longer seen by libusb

On Fri, Aug 30, 2019 at 05:08:52PM +0200, Michal Privoznik wrote: > On 8/30/19 2:30 PM, Roman Kagan wrote: >> On Fri, Aug 30, 2019 at 10:09:06AM +0100, Daniel P. Berrangé wrote: >>> On Fri, Aug 30, 2019 at 08:44:03AM +0000, Nikolay Shirokovskiy wrote: >>>> Hi, all! >>>> >>>> We use an interesting approach when starting/migrating/etc domain with usb >>>> hostdev with startupPolicy=optional. We add qemu usb-host device with >>>> missing hostaddr/hostbus parameters (dummy device). I guess there are >>>> 2 reasons why we do it. First without dummy device migration will fail as >>>> described in [1]. Second is an interesting property of dummy device that >>>> qemu starts to monitor for attaching of usb devices and binds the first >>>> attached to node to the dummy device. So one can start a domain with >>>> missing hostdev and attach it later or migrate a domain then detach >>>> hostdev on source and attach it on destination. But as qemu binds the >>>> first attached device this is not reliable, to say the least. And after >>>> all this does not work if domain uses distinct mount namespace which >>>> is default. >>> >>> Even without mount namespaces, it should fail as QEMU is running non-root >>> and libvirt won't have granted access to any host USB devices in /dev, and >>> also SELinux policy will forbid this. >> >> Right, but the case with mount namespaces is particularly problematic: >> if the device open fails due to missing device node, libusb removes the >> device from its internal device list. This results in the following >> scenario: >> >> - libvirt adds a dummy usb-host device to QEMU in place of a missing >> device >> >> - QEMU (via libusb) installs a watch for udev add events >> >> - the physical device is plugged into the host >> >> - QEMU detects the addition of the device and, since the dummy device >> matches everything, tries to open it >> >> - by this time libvirt may have not created a device node in QEMU's >> mount namespace, so the open fails due to missing device node, and >> libusb removes the device from its internal list >> >> - libvirt removes the dummy usb-host device and adds the actual usb-host >> device >> >> - QEMU fails to open it because it's no longer seen by libusb > > There is a bug filed against libusb exactly for this: > > https://bugzilla.redhat.com/show_bug.cgi?id=1595525 > > BTW: you don't have to migrate, it's sufficient to start a domain with a > missing USB and startupPolicy='optional' and then physically plug it into > the host and then try to hotplug it into the domain. AFAIR, the startupPolicy=optional was never really intended to allow for the device to be dynamically added after startup. It was only trying drop the device if it didn't exist at startup.

On Fri, Aug 30, 2019 at 04:19:23PM +0100, Daniel P. Berrangé wrote: > On Fri, Aug 30, 2019 at 05:08:52PM +0200, Michal Privoznik wrote: > > On 8/30/19 2:30 PM, Roman Kagan wrote: > > > On Fri, Aug 30, 2019 at 10:09:06AM +0100, Daniel P. Berrangé wrote: > > > > On Fri, Aug 30, 2019 at 08:44:03AM +0000, Nikolay Shirokovskiy wrote: > > > > > Hi, all! > > > > > > > > > > We use an interesting approach when starting/migrating/etc domain with usb > > > > > hostdev with startupPolicy=optional. We add qemu usb-host device with > > > > > missing hostaddr/hostbus parameters (dummy device). I guess there are > > > > > 2 reasons why we do it. First without dummy device migration will fail as > > > > > described in [1]. Second is an interesting property of dummy device that > > > > > qemu starts to monitor for attaching of usb devices and binds the first > > > > > attached to node to the dummy device. So one can start a domain with > > > > > missing hostdev and attach it later or migrate a domain then detach > > > > > hostdev on source and attach it on destination. But as qemu binds the > > > > > first attached device this is not reliable, to say the least. And after > > > > > all this does not work if domain uses distinct mount namespace which > > > > > is default. > > > > > > > > Even without mount namespaces, it should fail as QEMU is running non-root > > > > and libvirt won't have granted access to any host USB devices in /dev, and > > > > also SELinux policy will forbid this. > > > > > > Right, but the case with mount namespaces is particularly problematic: > > > if the device open fails due to missing device node, libusb removes the > > > device from its internal device list. This results in the following > > > scenario: > > > > > > - libvirt adds a dummy usb-host device to QEMU in place of a missing > > > device > > > > > > - QEMU (via libusb) installs a watch for udev add events > > > > > > - the physical device is plugged into the host > > > > > > - QEMU detects the addition of the device and, since the dummy device > > > matches everything, tries to open it > > > > > > - by this time libvirt may have not created a device node in QEMU's > > > mount namespace, so the open fails due to missing device node, and > > > libusb removes the device from its internal list > > > > > > - libvirt removes the dummy usb-host device and adds the actual usb-host > > > device > > > > > > - QEMU fails to open it because it's no longer seen by libusb > > > > There is a bug filed against libusb exactly for this: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1595525 > > > > BTW: you don't have to migrate, it's sufficient to start a domain with a > > missing USB and startupPolicy='optional' and then physically plug it into > > the host and then try to hotplug it into the domain. > > AFAIR, the startupPolicy=optional was never really intended to allow > for the device to be dynamically added after startup. It was only > trying drop the device if it didn't exist at startup. > > If we do want a way to dynamically add after startup, then libvirt itself > would have to monitor the USB devices on the host, and then perform QMP > commands to hot-add to QEMU. This is actually what Nikolay was trying to achieve with his patchset (https://www.redhat.com/archives/libvir-list/2019-August/msg01413.html). Is this a NAK to it, with a suggestion that it's the upper layer's responsibility?