[libvirt] [PATCH 15/15] qemu: set CAP_COMPROMISE_KERNEL so that pci passthrough works

Eric Blake eblake at redhat.com
Fri Feb 8 19:07:16 UTC 2013


On 02/07/2013 02:37 PM, Laine Stump wrote:
> Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> able to perform PCI passthrough device assignment without 1) running
> qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> /etc/libvirt/qemu.conf.
> 
> This patch is the final piece to make pci passthrough once again work
> properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> virCommand is properly setup to honor that request for non-root child
> processes, it will actually do some good.
> 
> It is still necessary to set the file capability for the qemu binary,
> however (see the rules for determining effective caps of a process
> running as non-root in "man 7 capabilities"). This can be done with:
> 
>   filecap $path-to-qemu-binary compromise_kernel

Sounds like something that should be done by default at least for the
Fedora packaging of qemu - that is, if the kernel folks don't honor our
request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
all read()/write().

We may not need this patch, if the kernel folks are sensible.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130208/99e5bd50/attachment-0001.sig>


More information about the libvir-list mailing list