Commit Graph

5 Commits

Author SHA1 Message Date
Foster Snowhill
419ad1ab49 docs: fix typo in qemu-passthrough-security
Signed-off-by: Foster Snowhill <2486761-ForstPenguin@users.noreply.gitlab.com>
2024-01-03 16:05:03 +00:00
Michal Privoznik
0377177c78 qemu_process.c: Propagate hugetlbfs mounts on reconnect
When reconnecting to a running QEMU process, we construct the
per-domain path in all hugetlbfs mounts. This is a relict from
the past (v3.4.0-100-g5b24d25062) where we switched to a
per-domain path and we want to create those paths when libvirtd
restarts on upgrade.

And with namespaces enabled there is one corner case where the
path is not created. In fact an error is reported and the
reconnect fails. Ideally, all mount events are propagated into
the QEMU's namespace. And they probably are, except when the
target path does not exist inside the namespace. Now, it's pretty
common for users to mount hugetlbfs under /dev (e.g.
/dev/hugepages), but if domain is started without hugepages (or
more specifically - private hugetlbfs path wasn't created on
domain startup), then the reconnect code tries to create it.
But it fails to do so, well, it fails to set seclabels on the
path because, because the path does not exist in the private
namespace. And it doesn't exist because we specifically create
only a subset of all possible /dev nodes. Therefore, the mount
event, whilst propagated, is not successful and hence the
filesystem is not mounted. We have to do it ourselves.

If hugetlbfs is mount anywhere else there's no problem and this
is effectively a dead code.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2022-09-23 16:33:48 +02:00
Michal Privoznik
d3397885d5 kbase: Document QEMU private mount NS limitations
There are two points I've taken for granted:

  1) the mount points are set before starting a guest,
  2) the / and its submounts are marked as shared, so that mount
     events propagate into child namespaces when assumption 1) is
     not held.

But what's obvious to me might not be obvious to our users.
Document these known limitations.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2022-09-12 12:05:07 +02:00
Daniel P. Berrangé
60e4d9d04e docs: remove use of the term 'whitelist' from cgroup docs
The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-06-26 15:38:34 +01:00
Daniel P. Berrangé
958d6ebe53 docs: add a kbase explaining security protections for QEMU passthrough
When using command line passthrough users will often trip up over the
security protections like SELinux, DAC, namespaces, etc which will
deny access to files they are passing. This document explains the
various protections and how to deal with their policy, and/or how
to disable them.

Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-02-24 12:52:24 +00:00