Sent: Tuesday, July 02, 2024 at 5:25 PM
From: "Michal Prívozník" <mprivozn(a)redhat.com>
To: "daggs" <daggs(a)gmx.com>
Cc: users(a)lists.libvirt.org
Subject: Re: per user vm isolation with shared network
On 7/2/24 16:19, daggs wrote:
>>> thanks, seems like I'm past this part, the vm start fails because of
>>> insufficient permissions to detach/reattach the pci nodes, I assumed
>>> that there is no fast solution so
>>> I fixed it with a script that uses doas to perform the detach/reattach.
>>
>> No sysadmin wants to allow regular users to bind PCI devices to "random"
>> drivers, surely. PCI devices must be "detached" (i.e. bound to vfio
>> driver) by sysadmin (e.g. virsh -c qemu:///system nodedev-detach ...)
>> BEFORE qemu:///session domain wants to use the device.
> so I should call virsh -c qemu:///system nodedev-detach from within the
> libvirt hook? couldn't that cause a hangup?
> I did get that in some scenarios.
No, calling libvirt from hooks is strongly discouraged as deadlocks are
likely to occur. Just detach PCI devices before starting any
qemu:///session domain. Either right at startup (write an init service),
do that manually, doesn't matter really.
Michal
that seems more complicated as I want to be sure that all devs are reattached on
termination, so I cannot use autostart as I need to detach the devs prior to starting it
from the init script.
I can add a test to see if the vm was started via the init script, if not error.
I can use atd daemon to run the reattachment from the hook but depend on the
condition that virsh was terminated.
regarding the error I got, can you point me to the location in the code that performs it?
waiting for the distro's devs might take too long so I want to try and solve it by myself
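
The approach recommended in the quoted reply (detach with `virsh -c qemu:///system` before any qemu:///session domain starts, and never from a libvirt hook) can be sketched as an init-service helper. This is an added example, not code from the thread or from libvirt. It assumes the service account is allowed to use qemu:///system, that the default `vfio-pci` driver is the detach target, and the device names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: detach/reattach outside libvirt hooks.
# Assumption: invoked as "start"/"stop" by an init service whose account may
# use qemu:///system; the device names below are constructed placeholders.
SYSTEM_URI="qemu:///system"
DEVICES="${DEVICES:-pci_0000_01_00_0 pci_0000_01_00_1}"

# Print the kernel driver currently bound to a node device.
bound_driver() {
    virsh -c "$SYSTEM_URI" nodedev-dumpxml "$1" |
        sed -n '/<driver>/,/<\/driver>/s:.*<name>\(.*\)</name>.*:\1:p'
}

# Detach every device and confirm it really ended up on vfio-pci, so a
# qemu:///session domain never starts against a half-prepared host.
detach_all() {
    for dev in $DEVICES; do
        virsh -c "$SYSTEM_URI" nodedev-detach "$dev" || return 1
        if [ "$(bound_driver "$dev")" != "vfio-pci" ]; then
            echo "$dev is not bound to vfio-pci" >&2
            return 1
        fi
    done
}

# Hand every device back to its host driver; keep going on errors so one
# failure does not leave the remaining devices detached.
reattach_all() {
    rc=0
    for dev in $DEVICES; do
        virsh -c "$SYSTEM_URI" nodedev-reattach "$dev" || rc=1
    done
    return "$rc"
}

case "${1:-}" in
    start) detach_all ;;
    stop)  reattach_all ;;
esac
```

Wiring `start` and `stop` into the service's start and shutdown actions keeps the privileged step with the sysadmin, and the driver check fails the service early if a device did not end up on vfio-pci.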