
Sent: Tuesday, July 02, 2024 at 5:25 PM From: "Michal Prívozník" <mprivozn@redhat.com> To: "daggs" <daggs@gmx.com> Cc: users@lists.libvirt.org Subject: Re: per user vm isolation with shared network
On 7/2/24 16:19, daggs wrote:
> thanks, seems like I'm past this part, the vm start fails because of insufficient permissions to detach/reattach the pci nodes, I assumed that there is no fast solution so I fixed it with a script that uses doas to perform the detach/reattach.
>> No sysadmin wants to allow regular users to bind PCI devices to "random" drivers, surely. PCI devices must be "detached" (i.e. bound to vfio driver) by sysadmin (e.g. virsh -c qemu:///system nodedev-detach ...) BEFORE qemu:///session domain wants to use the device.
> so I should call virsh -c qemu:///system nodedev-detach from within the libvirt hook? won't that cause a hangup? I did get that in some scenarios.

No, calling libvirt from hooks is strongly discouraged as deadlocks are likely to occur. Just detach PCI devices before starting any qemu:///session domain. Either right at startup (write an init service), do that manually, doesn't matter really.

Michal
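The advice above is to do the nodedev-detach through the privileged qemu:///system connection from an init service, before any qemu:///session guest starts, and never from a libvirt hook. The script below is an added example of such a service, not code from this thread or from libvirt. It assumes a fixed list of PCI addresses (PCI_DEVICES, constructed here), that it runs as root (or via doas/sudo), and that the SYSFS_ROOT override exists only so the driver check can be exercised offline. The nodedev names follow libvirt's pci_DDDD_BB_SS_F convention; after detaching it verifies via sysfs that each device is really bound to vfio-pci rather than trusting the virsh exit status alone.

```shell
#!/bin/sh
# Added example (not from the thread): privileged detach/reattach of PCI
# devices for a qemu:///session guest, run from an init service, not a hook.
set -eu

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"   # overridable so the check is testable offline
# Assumed device list for illustration; replace with the real passthrough devices.
PCI_DEVICES="${PCI_DEVICES:-0000:01:00.0 0000:01:00.1}"

# Map a PCI address "0000:01:00.0" to the libvirt node device name "pci_0000_01_00_0".
nodedev_name() {
    printf 'pci_%s\n' "$(printf '%s' "$1" | tr ':.' '__')"
}

# Print the kernel driver a PCI device is bound to (empty line if unbound).
current_driver() {
    link="$SYSFS_ROOT/bus/pci/devices/$1/driver"
    [ -L "$link" ] || { printf '\n'; return 0; }
    basename "$(readlink "$link")"
}

# Succeed only if every listed device is bound to vfio-pci; report the rest on stderr.
assert_detached() {
    rc=0
    for dev in $PCI_DEVICES; do
        drv="$(current_driver "$dev")"
        if [ "$drv" != "vfio-pci" ]; then
            printf '%s is bound to "%s", not vfio-pci\n' "$dev" "${drv:-nothing}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Detach via the system daemon, then confirm the binding instead of trusting virsh alone.
detach_all() {
    for dev in $PCI_DEVICES; do
        virsh -c qemu:///system nodedev-detach "$(nodedev_name "$dev")"
    done
    assert_detached
}

# Reattach on service stop; keep going even if one device was already reattached.
reattach_all() {
    for dev in $PCI_DEVICES; do
        virsh -c qemu:///system nodedev-reattach "$(nodedev_name "$dev")" || true
    done
}

case "${1:-}" in
    start) detach_all ;;
    stop)  reattach_all ;;
    check) assert_detached ;;
esac
```

The init service calls `start` before the session guest is launched and `stop` on shutdown; `check` is what a guest-launching wrapper can run first so it refuses to start the domain unless the devices are already on vfio-pci.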

that seems more complicated as I want to be sure that all devs are reattached on termination, so I cannot use autostart as I need to detach the devs prior to starting it from the init script. I can add a test to see if the vm was started via the init script, if not error. I can use the atd daemon to run the reattachment from the hook but depending on the condition that virsh was terminated. regarding the error I got, can you point me to the location in the code that performs it? waiting for the distro's devs might take too long so I want to try and solve it by myself