qemu_cgroup: Only try to allow devices if devices CGroup's available

When a domain needs an access to some device (be it a disk, RNG, chardev, whatever), we have to allow it in the devices CGroup (if it is available), because by default we disallow all the devices. But some of the functions that are responsible for setting up devices CGroup are lacking check whether there is any CGroup available. Thus users might be unable to hotplug some devices: virsh # attach-device fedora rng.xml error: Failed to attach device from rng.xml error: internal error: Controller 'devices' is not mounted Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>

qemu_cgroup: Only try to allow devices if devices CGroup's available
When a domain needs an access to some device (be it a disk, RNG, chardev, whatever), we have to allow it in the devices CGroup (if it is available), because by default we disallow all the devices. But some of the functions that are responsible for setting up devices CGroup are lacking check whether there is any CGroup available. Thus users might be unable to hotplug some devices: virsh # attach-device fedora rng.xml error: Failed to attach device from rng.xml error: internal error: Controller 'devices' is not mounted Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>
3cddd63a · Michal Privoznik · 5d84f596 · 3cddd63a
隐藏空白更改
内联并排

Showing with 21 addition and 0 deletion

src/qemu/qemu_cgroup.c src/qemu/qemu_cgroup.c +21 -0

未找到文件。
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -176,6 +176,9 @@ qemuSetupChrSourceCgroup(virDomainObjPtr vm,
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int ret;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
        return 0;
@@ -197,6 +200,9 @@ qemuTeardownChrSourceCgroup(virDomainObjPtr vm,
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int ret;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
        return 0;
@@ -247,6 +253,9 @@ qemuSetupInputCgroup(virDomainObjPtr vm,
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int ret = 0;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    switch (dev->type) {
    case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
        VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
@@ -270,6 +279,9 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
    size_t i, npaths = 0;
    int rv, ret = -1;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (qemuDomainGetHostdevPath(NULL, dev, false, &npaths, &path, &perms) < 0)
        goto cleanup;
@@ -344,6 +356,9 @@ qemuSetupGraphicsCgroup(virDomainObjPtr vm,
    const char *rendernode = gfx->data.spice.rendernode;
    int ret;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (gfx->type != VIR_DOMAIN_GRAPHICS_TYPE_SPICE ||
        gfx->data.spice.gl != VIR_TRISTATE_BOOL_YES ||
        !rendernode)
@@ -481,6 +496,9 @@ qemuSetupRNGCgroup(virDomainObjPtr vm,
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int rv;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
        VIR_DEBUG("Setting Cgroup ACL for RNG device");
        rv = virCgroupAllowDevicePath(priv->cgroup,
@@ -505,6 +523,9 @@ qemuTeardownRNGCgroup(virDomainObjPtr vm,
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int rv;
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
    if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) {
        VIR_DEBUG("Tearing down Cgroup ACL for RNG device");
        rv = virCgroupDenyDevicePath(priv->cgroup,