qemu: Allow nvdimm in devices CGroups

Some users might want to pass a blockdev or a chardev as a backend for NVDIMM. In fact, this is expected to be the mostly used configuration. Therefore libvirt should allow the device in devices CGroup then. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>

qemu: Allow nvdimm in devices CGroups
Some users might want to pass a blockdev or a chardev as a backend for NVDIMM. In fact, this is expected to be the mostly used configuration. Therefore libvirt should allow the device in devices CGroup then. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>
6e95abb4 · Michal Privoznik · 78612aa5 · 6e95abb4 · 6e95abb4 · 6e95abb4
隐藏空白更改
内联并排

Showing with 63 addition and 0 deletion

src/qemu/qemu_cgroup.c src/qemu/qemu_cgroup.c +49 -0

src/qemu/qemu_cgroup.h src/qemu/qemu_cgroup.h +4 -0

src/qemu/qemu_hotplug.c src/qemu/qemu_hotplug.c +10 -0

未找到文件。
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -348,6 +348,50 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm,
 }


+int
+qemuSetupMemoryDevicesCgroup(virDomainObjPtr vm,
+                             virDomainMemoryDefPtr mem)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int rv;
+
+    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM)
+        return 0;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    VIR_DEBUG("Setting devices Cgroup for NVDIMM device: %s", mem->nvdimmPath);
+    rv = virCgroupAllowDevicePath(priv->cgroup, mem->nvdimmPath,
+                                  VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
+                             mem->nvdimmPath, "rw", rv == 0);
+
+    return rv;
+}
+
+
+int
+qemuTeardownMemoryDevicesCgroup(virDomainObjPtr vm,
+                                virDomainMemoryDefPtr mem)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int rv;
+
+    if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM)
+        return 0;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    rv = virCgroupDenyDevicePath(priv->cgroup, mem->nvdimmPath,
+                                 VIR_CGROUP_DEVICE_RWM, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup,
+                             "deny", mem->nvdimmPath, "rwm", rv == 0);
+    return rv;
+}
+
+
 static int
 qemuSetupGraphicsCgroup(virDomainObjPtr vm,
                        virDomainGraphicsDefPtr gfx)
@@ -647,6 +691,11 @@ qemuSetupDevicesCgroup(virQEMUDriverPtr driver,
            goto cleanup;
    }

+    for (i = 0; i < vm->def->nmems; i++) {
+        if (qemuSetupMemoryDevicesCgroup(vm, vm->def->mems[i]) < 0)
+            goto cleanup;
+    }
+
    for (i = 0; i < vm->def->ngraphics; i++) {
        if (qemuSetupGraphicsCgroup(vm, vm->def->graphics[i]) < 0)
            goto cleanup;

--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -43,6 +43,10 @@ int qemuSetupHostdevCgroup(virDomainObjPtr vm,
 int qemuTeardownHostdevCgroup(virDomainObjPtr vm,
                              virDomainHostdevDefPtr dev)
   ATTRIBUTE_RETURN_CHECK;
+int qemuSetupMemoryDevicesCgroup(virDomainObjPtr vm,
+                                 virDomainMemoryDefPtr mem);
+int qemuTeardownMemoryDevicesCgroup(virDomainObjPtr vm,
+                                    virDomainMemoryDefPtr mem);
 int qemuSetupRNGCgroup(virDomainObjPtr vm,
                       virDomainRNGDefPtr rng);
 int qemuTeardownRNGCgroup(virDomainObjPtr vm,

--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -2216,6 +2216,7 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
    const char *backendType;
    bool objAdded = false;
    bool teardownlabel = false;
+    bool teardowncgroup = false;
    virJSONValuePtr props = NULL;
    virObjectEventPtr event;
    int id;
@@ -2245,6 +2246,10 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
                                  priv->qemuCaps, vm->def, mem, NULL, true) < 0)
        goto cleanup;

+    if (qemuSetupMemoryDevicesCgroup(vm, mem) < 0)
+        goto cleanup;
+    teardowncgroup = true;
+
    if (qemuSecuritySetMemoryLabel(driver, vm, mem) < 0)
        goto cleanup;
    teardownlabel = true;
@@ -2290,6 +2295,8 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
    virDomainAuditMemory(vm, oldmem, newmem, "update", ret == 0);
 cleanup:
    if (mem && ret < 0) {
+        if (teardowncgroup && qemuTeardownMemoryDevicesCgroup(vm, mem) < 0)
+            VIR_WARN("Unable to remove memory device cgroup ACL on hotplug fail");
        if (teardownlabel && qemuSecurityRestoreMemoryLabel(driver, vm, mem) < 0)
            VIR_WARN("Unable to restore security label on memdev");
    }
@@ -3758,6 +3765,9 @@ qemuDomainRemoveMemoryDevice(virQEMUDriverPtr driver,
    if (qemuSecurityRestoreMemoryLabel(driver, vm, mem) < 0)
        VIR_WARN("Unable to restore security label on memdev");

+    if (qemuTeardownMemoryDevicesCgroup(vm, mem) < 0)
+        VIR_WARN("Unable to remove memory device cgroup ACL");
+
    virDomainMemoryDefFree(mem);

    /* fix the balloon size */