mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-12 07:42:56 +00:00
qemu: Explicitly add/remove /dev/vfio/vfio to/from NS/CGroups
In near future, the decision what to do with /dev/vfio/vfio with respect to domain namespace and CGroup is going to be moved out of qemuDomainGetHostdevPath() because there will be some other types of devices than hostdevs that need access to VFIO. All functions that I'm changing (except qemuSetupHostdevCgroup()) assume that hostdev we are adding/removing to VM is not in the definition yet (because of how qemuDomainNeedsVFIO() is written). Fortunately, this assumption is true. For qemuSetupHostdevCgroup(), the worst thing that may happen is that we allow /dev/vfio/vfio which was already allowed. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
This commit is contained in:
parent
a9fdcb0b78
commit
6f43c505d9
@ -25,6 +25,7 @@
|
|||||||
#include "qemu_domain.h"
|
#include "qemu_domain.h"
|
||||||
#include "qemu_process.h"
|
#include "qemu_process.h"
|
||||||
#include "qemu_extdevice.h"
|
#include "qemu_extdevice.h"
|
||||||
|
#include "qemu_hostdev.h"
|
||||||
#include "virlog.h"
|
#include "virlog.h"
|
||||||
#include "viralloc.h"
|
#include "viralloc.h"
|
||||||
#include "virerror.h"
|
#include "virerror.h"
|
||||||
@ -359,6 +360,16 @@ qemuTeardownInputCgroup(virDomainObjPtr vm,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuSetupHostdevCgroup:
|
||||||
|
* vm: domain object
|
||||||
|
* @dev: device to allow
|
||||||
|
*
|
||||||
|
* For given host device @dev allow access to in Cgroups.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
qemuSetupHostdevCgroup(virDomainObjPtr vm,
|
qemuSetupHostdevCgroup(virDomainObjPtr vm,
|
||||||
virDomainHostdevDefPtr dev)
|
virDomainHostdevDefPtr dev)
|
||||||
@ -385,6 +396,16 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemuHostdevNeedsVFIO(dev)) {
|
||||||
|
VIR_DEBUG("Cgroup allow %s perms=%d", QEMU_DEV_VFIO, VIR_CGROUP_DEVICE_RW);
|
||||||
|
rv = virCgroupAllowDevicePath(priv->cgroup, QEMU_DEV_VFIO,
|
||||||
|
VIR_CGROUP_DEVICE_RW, false);
|
||||||
|
virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
|
||||||
|
QEMU_DEV_VFIO, "rw", rv);
|
||||||
|
if (rv < 0)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
@ -395,9 +416,21 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuTeardownHostdevCgroup:
|
||||||
|
* @vm: doamin object
|
||||||
|
* @dev: device to tear down
|
||||||
|
*
|
||||||
|
* For given host device @dev deny access to it in CGroups.
|
||||||
|
* Note, @dev must not be in @vm's definition.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
qemuTeardownHostdevCgroup(virDomainObjPtr vm,
|
qemuTeardownHostdevCgroup(virDomainObjPtr vm,
|
||||||
virDomainHostdevDefPtr dev)
|
virDomainHostdevDefPtr dev)
|
||||||
{
|
{
|
||||||
qemuDomainObjPrivatePtr priv = vm->privateData;
|
qemuDomainObjPrivatePtr priv = vm->privateData;
|
||||||
char **path = NULL;
|
char **path = NULL;
|
||||||
@ -421,6 +454,17 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemuHostdevNeedsVFIO(dev) &&
|
||||||
|
!qemuDomainNeedsVFIO(vm->def)) {
|
||||||
|
VIR_DEBUG("Cgroup deny " QEMU_DEV_VFIO);
|
||||||
|
rv = virCgroupDenyDevicePath(priv->cgroup, QEMU_DEV_VFIO,
|
||||||
|
VIR_CGROUP_DEVICE_RWM, false);
|
||||||
|
virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
|
||||||
|
QEMU_DEV_VFIO, "rwm", rv);
|
||||||
|
if (rv < 0)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
cleanup:
|
cleanup:
|
||||||
for (i = 0; i < npaths; i++)
|
for (i = 0; i < npaths; i++)
|
||||||
@ -803,6 +847,8 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
for (i = 0; i < vm->def->nhostdevs; i++) {
|
for (i = 0; i < vm->def->nhostdevs; i++) {
|
||||||
|
/* This may allow /dev/vfio/vfio multiple times, but that
|
||||||
|
* is not a problem. Kernel will have only one record. */
|
||||||
if (qemuSetupHostdevCgroup(vm, vm->def->hostdevs[i]) < 0)
|
if (qemuSetupHostdevCgroup(vm, vm->def->hostdevs[i]) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
@ -14503,6 +14503,10 @@ qemuDomainSetupHostdev(virQEMUDriverConfigPtr cfg G_GNUC_UNUSED,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (qemuHostdevNeedsVFIO(dev) &&
|
||||||
|
qemuDomainCreateDevice(QEMU_DEV_VFIO, data, false) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
cleanup:
|
cleanup:
|
||||||
for (i = 0; i < npaths; i++)
|
for (i = 0; i < npaths; i++)
|
||||||
@ -15526,6 +15530,17 @@ qemuDomainNamespaceTeardownDisk(virDomainObjPtr vm G_GNUC_UNUSED,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuDomainNamespaceSetupHostdev:
|
||||||
|
* @vm: domain object
|
||||||
|
* @hostdev: hostdev to create in @vm's namespace
|
||||||
|
*
|
||||||
|
* For given @hostdev, create its devfs representation (if it has one) in
|
||||||
|
* domain namespace. Note, @hostdev must not be in @vm's definition.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
qemuDomainNamespaceSetupHostdev(virDomainObjPtr vm,
|
qemuDomainNamespaceSetupHostdev(virDomainObjPtr vm,
|
||||||
virDomainHostdevDefPtr hostdev)
|
virDomainHostdevDefPtr hostdev)
|
||||||
@ -15540,6 +15555,11 @@ qemuDomainNamespaceSetupHostdev(virDomainObjPtr vm,
|
|||||||
if (qemuDomainNamespaceMknodPaths(vm, (const char **)paths, npaths) < 0)
|
if (qemuDomainNamespaceMknodPaths(vm, (const char **)paths, npaths) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
|
if (qemuHostdevNeedsVFIO(hostdev) &&
|
||||||
|
!qemuDomainNeedsVFIO(vm->def) &&
|
||||||
|
qemuDomainNamespaceMknodPath(vm, QEMU_DEV_VFIO) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
cleanup:
|
cleanup:
|
||||||
for (i = 0; i < npaths; i++)
|
for (i = 0; i < npaths; i++)
|
||||||
@ -15549,6 +15569,17 @@ qemuDomainNamespaceSetupHostdev(virDomainObjPtr vm,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuDomainNamespaceTeardownHostdev:
|
||||||
|
* @vm: domain object
|
||||||
|
* @hostdev: hostdev to remove in @vm's namespace
|
||||||
|
*
|
||||||
|
* For given @hostdev, remove its devfs representation (if it has one) in
|
||||||
|
* domain namespace. Note, @hostdev must not be in @vm's definition.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
int
|
int
|
||||||
qemuDomainNamespaceTeardownHostdev(virDomainObjPtr vm,
|
qemuDomainNamespaceTeardownHostdev(virDomainObjPtr vm,
|
||||||
virDomainHostdevDefPtr hostdev)
|
virDomainHostdevDefPtr hostdev)
|
||||||
@ -15564,6 +15595,11 @@ qemuDomainNamespaceTeardownHostdev(virDomainObjPtr vm,
|
|||||||
if (qemuDomainNamespaceUnlinkPaths(vm, (const char **)paths, npaths) < 0)
|
if (qemuDomainNamespaceUnlinkPaths(vm, (const char **)paths, npaths) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
|
if (qemuHostdevNeedsVFIO(hostdev) &&
|
||||||
|
!qemuDomainNeedsVFIO(vm->def) &&
|
||||||
|
qemuDomainNamespaceUnlinkPath(vm, QEMU_DEV_VFIO) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
cleanup:
|
cleanup:
|
||||||
for (i = 0; i < npaths; i++)
|
for (i = 0; i < npaths; i++)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user