qemu: Enable unprivileged userfaultfd for post-copy migration

Userfaultfd is by default allowed only for privileged processes. Since
libvirt runs QEMU unprivileged, we need to enable unprivileged access to
userfaultfd to enable post-copy migration.

https://bugzilla.redhat.com/show_bug.cgi?id=1945420

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

libvirt.spec.in

@@ -1859,6 +1859,7 @@ exit 0
 %files daemon-driver-qemu
 %config(noreplace) %{_sysconfdir}/sysconfig/virtqemud
 %config(noreplace) %{_sysconfdir}/libvirt/virtqemud.conf
+%config(noreplace) %{_prefix}/lib/sysctl.d/60-qemu-postcopy-migration.conf
 %{_datadir}/augeas/lenses/virtqemud.aug
 %{_datadir}/augeas/lenses/tests/test_virtqemud.aug
 %{_unitdir}/virtqemud.service

src/qemu/meson.build

@@ -170,6 +170,14 @@ if conf.has('WITH_QEMU')
     'file': files('virtqemud.sysconf'),
   }
 
+  if conf.has('WITH_SYSCTL')
+    install_data(
+      'postcopy-migration.sysctl',
+      install_dir: prefix / 'lib' / 'sysctl.d',
+      rename: [ '60-qemu-postcopy-migration.conf' ],
+    )
+  endif
+
   virt_install_dirs += [
     localstatedir / 'lib' / 'libvirt' / 'qemu',
     runstatedir / 'libvirt' / 'qemu',

src/qemu/postcopy-migration.sysctl

@@ -0,0 +1,6 @@
+# This is needed to support post-copy migration for QEMU run by libvirt,
+# i.e., unprivileged, as userfaultfd is by default only available to
+# privileged processes.
+# It can be safely overridden by a file in /etc/sysctl.d/ in case post-copy
+# migration is not used on the host.
+vm.unprivileged_userfaultfd = 1