[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH v2 0/5] RFC: grant KVM guests retain arbitrary capabilities



Thank you for your comment.

On Wed, 28 Dec 2011 10:44:50 +0800
Shu Ming <shuming linux vnet ibm com> wrote:

> On 2011-12-22 14:49, Taku Izumi wrote:
> > Hi Daniel-san and all,
> >
> > This patchset adds an option for KVM guests to retain arbitrary capabilities.
> > The first version is here:
> >    http://www.redhat.com/archives/libvir-list/2011-December/msg00857.html
> >
> > According to Daniel-san's comment, I changed my patch like the following:
> >
> > v1 ->  v2
> >   - introduce "process" and "cap" elements in the capability XML
> >   - change XML element name of domain XML likewise
> >
> > ; process capabilities host supports are found in the capability XML.
> > # virsh capabilities
> > <capabilities>
> >
> >    <host>
> >      <uuid>00000000-0000-0000-0000-00199914f1c5</uuid>
> >      ...
> >      <process>
> >        <cap name='chown'/>
> >        <cap name='dac_override'/>
> >        <cap name='dac_read_search'/>
> >        <cap name='fowner'/>
> >         ...
> >      </process>
> >    </host>
> >    ...
> >
> > ; VM can retain cap_sys_rawio capability
> > # virsh edit VM
> > ...
> >    </features>
> >    <process>
> >      <cap name='sys_rawio'/>
> >    </process>
> >    <clock offset='utc'/>
> > ...
> >
> > # virsh start VM
> > # cat /proc/<VM's PID>/status
> > ...
> > CapInh: 0000000000000000
> > CapPrm: fffffffc00020000
> > CapEff: fffffffc00020000
> > CapBnd: fffffffc00020000
> > ...
> 
> Does this mean that if the 'sys_rawio' is not set in the "features" 
> list, there will be no "CapInh", "CapPrm"... in the proc status file?

  By default libvirt executes qemu under non-root user, qemu process has
  no capability. By specifying user and group option in /etc/libvirt/qemu.conf,
  libvirt executes qemu under specified user account. By specifying user and
  group option as "root", libvirt executes qemu under root user.
  However in that case, qemu process has no capability despite running under
  root user, because libvirt clears all capability by default.
  This patch adds option for qemu process to retain arbitrary capabilities
  instead of clearing all capability. This should be libvirt's option.

  I hope you have a happy new year.

> I was just wondering it is more like a QEMU/KVM options instead of a 
> libvirt options, it is more reasonable to make QEMU/KVM
> to guard these options in proc status file instead of libvirt xml file.
> 
> >
> >    *[PATCH v2 1/5] conf: add XML schema for capability XML
> >    *[PATCH v2 2/5] conf: add XML schema for domain XML
> >    *[PATCH v2 3/5] util: add functions to keep capabilities
> >    *[PATCH v2 4/5] util: extend virExecWithHook()
> >    *[PATCH v2 5/5] qemu: make qemu processes to retain capabilities
> >
> >
> > Best regards,
> > Taku Izumi
> >
> > --
> > libvir-list mailing list
> > libvir-list redhat com
> > https://www.redhat.com/mailman/listinfo/libvir-list
> >
> 
> 
> -- 
> Shu Ming<shuming linux vnet ibm com>
> IBM China Systems and Technology Laboratory
> 
> 
> 


-- 
Taku Izumi <izumi taku jp fujitsu com>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]