- 25 Jul 2019, 1 commit

By Jim Fehlig

Some VM configurations may result in a large number of threads created by the associated qemu process which can exceed the system default limit. The maximum number of threads allowed per process is controlled by the pids cgroup controller and is set to 16k when creating VMs with systemd's machined service. The maximum number of threads per process is recorded in the pids.max file under the machine's pids controller cgroup hierarchy, e.g.

    $cgrp-mnt/pids/machine.slice/machine-qemu\x2d1\x2dtest.scope/pids.max

Maximum threads per process is controlled with the TasksMax property of the systemd scope for the machine.

This patch adds an option to qemu.conf which can be used to override the maximum number of threads allowed per qemu process. If the value of the option is greater than zero, it will be set in the TasksMax property of the machine's scope after creating the machine.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
- 03 Jul 2019, 1 commit

By Michal Privoznik

There are some paths (e.g. /dev/vfio/vfio or /dev/mapper/control) which are defined in qemu_domain.c and then in qemu_cgroup.c again. This is suboptimal. Let's move paths into qemu_domain.h and drop duplicate definitions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
- 18 Apr 2019, 1 commit

By Michal Privoznik

This function is not used anymore. Let's remove it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
- 19 Feb 2019, 1 commit

By Ján Tomko

We dropped support in commit 8e91a400 (November 2015), but some occurrences still remained, even in live code.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
- 01 Feb 2019, 2 commits

By Erik Skultety

SEV has a limit on the number of concurrent guests. From a security POV we should only expose resources (any resources for that matter) to domains that truly need them.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

By Erik Skultety

We should not give domains access to something they don't necessarily need by default. Remove it from the qemu driver docs too.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
- 31 Jan 2019, 1 commit

By Peter Krempa

Since the disk is necessary only to get the source, modify the functions to take the source directly and rename them to qemu[Setup|Teardown]ImageChainCgroup. Additionally drop a pointless comment containing the old function name.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
- 14 Dec 2018, 1 commit

By Daniel P. Berrangé

In many files there are header comments that contain an Author: statement, supposedly reflecting who originally wrote the code. In a large collaborative project like libvirt, any non-trivial file will have been modified by a large number of different contributors. IOW, the Author: comments are quickly out of date, omitting people who have made significant contributions.

In some places Author: lines have been added despite the person merely being responsible for creating the file by moving existing code out of another file. IOW, the Author: lines give an incorrect record of authorship.

With this all in mind, the comments are useless as a means to identify who to talk to about code in a particular file. Contributors will always be better off using 'git log' and 'git blame' if they need to find the author of a particular bit of code.

This commit thus deletes all Author: comments from the source and adds a rule to prevent them reappearing.

The Copyright headers are similarly misleading and inaccurate, however, we cannot delete these as they have legal meaning, despite being largely inaccurate. In addition only the copyright holder is permitted to change their respective copyright statement.

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
- 03 Dec 2018, 1 commit

By Erik Skultety

Just like for SPICE, we need to put the render node DRI device into the device cgroup list so that users don't need to add it manually via the qemu.conf file.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
- 30 Jul 2018, 1 commit

By Michal Privoznik

This reverts commit 0f80c718.

Turns out, our code relies on virCgroupFree(&var) setting var = NULL.

Conflicts:
    src/util/vircgroup.c: context because 94f1855f is not reverted.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
- 27 Jul 2018, 1 commit

By Sukrit Bhatnagar

Modify the virCgroupFree function signature to take a value of type virCgroupPtr instead of virCgroupPtr * as the parameter. Change the argument type in all calls to the virCgroupFree function from virCgroupPtr * to virCgroupPtr.

This is a step towards having consistent function signatures for Free helpers so that they can be used with the VIR_AUTOPTR cleanup macro.

Signed-off-by: Sukrit Bhatnagar <skrtbhtngr@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
- 13 Jul 2018, 1 commit

By Michal Privoznik

https://bugzilla.redhat.com/show_bug.cgi?id=1591732

On kernels without device mapper support there won't be /dev/mapper/control. Therefore it doesn't make much sense to put it into the devices CGroup.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
- 13 Jun 2018, 1 commit

By Anya Harter

And replace all calls with virObjectEventStateQueue such that:

    qemuDomainEventQueue(driver, event);

becomes:

    virObjectEventStateQueue(driver->domainEventState, event);

And remove NULL checking from all callers.

Signed-off-by: Anya Harter <aharter@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
- 12 Jun 2018, 1 commit

By Brijesh Singh

QEMU uses the /dev/sev device while creating the SEV guest; let's add /dev/sev to the list of devices allowed to be accessed by QEMU.

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
- 06 Jun 2018, 2 commits

By Stefan Berger

Add the external swtpm to the emulator cgroup so that upper limits of CPU usage can be enforced on the emulated TPM. To enable this we need to have the swtpm write its process id (pid) into a file. We then read it from the file to configure the emulator cgroup.

The PID file is created in /var/run/libvirt/qemu/swtpm:

    [root@localhost swtpm]# ls -lZ /var/run/libvirt/qemu/swtpm/
    total 4
    -rw-r--r--. 1 tss  tss  system_u:object_r:qemu_var_run_t:s0           5 Apr 10 12:26 1-testvm-swtpm.pid
    srw-rw----. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr 10 12:26 1-testvm-swtpm.sock

The swtpm command line now looks as follows:

    root@localhost testvm]# ps auxZ | grep swtpm | grep socket | grep -v grep
    system_u:system_r:virtd_t:s0:c597,c632 tss 18697 0.0 0.0 28172 3892 ? Ss 16:46 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/485d0004-a48f-436a-8457-8a3b73e28568/tpm1.2/ --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --pid file=/var/run/libvirt/qemu/swtpm/1-testvm-swtpm.pid

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

By Stefan Berger

This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows:

    <tpm model='tpm-tis'>
      <backend type='emulator'/>
    </tpm>

The XML will currently only define a TPM 1.2.

Extend the documentation.

Add a test case testing the XML parser and formatter.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
- 11 May 2018, 1 commit

By Michal Privoznik

Just like in the previous commit, qemu-pr-helper might want to open /dev/mapper/control under certain circumstances. Therefore we have to allow it in cgroups.

The change in virdevmapper.c might look spurious but it isn't. After 6dd84f68 any path that we're allowing in the devices CGroup is subject to virDevMapperGetTargets() inspection. And libdevmapper returns ENXIO for the path from the subject.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
- 05 Apr 2018, 1 commit

By Michal Privoznik

https://bugzilla.redhat.com/show_bug.cgi?id=1557769

The problem with device mapper targets is that there can be several other devices 'hidden' behind them. For instance, /dev/dm-1 can consist of /dev/sda, /dev/sdb and /dev/sdc. Therefore, when setting up the devices CGroup and namespaces we have to take this into account.

This bug was exposed after the Linux kernel was fixed. Initially, the kernel used different functions for getting the block device in open() and ioctl(). While CGroup permissions were checked in the former case, due to a bug in the kernel they were not checked in the latter case. This changed with the upstream commit of 519049afead4f7c3e6446028c41e99fde958cc04 (v4.16-rc5~11^2~4).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 31 Jan 2018, 1 commit

By Martin Kletzander

The virresctrl will use this as well and we need to have that info after restart to properly clean up /sys/fs/resctrl.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 04 Jan 2018, 1 commit

By Eduardo Habkost

All calls to virDomainAuditCgroupPath() were passing 'rc == 0' as argument, when it was supposed to pass the 'rc' value directly.

As a consequence, the audit events that were supposed to be logged (actual cgroup changes) were never being logged, and bogus audit events were logged when using regular files as disk images.

Fix all calls to use the return value of virCgroup{Allow,Deny}Device*() directly as the 'rc' argument.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 25 Nov 2017, 1 commit

By Ján Tomko

Export qemuSetupInputCgroup and introduce qemuTeardownInputCgroup for hot-unplug.
- 17 Oct 2017, 1 commit

By Peter Krempa

Add helpers that will simplify checking if a backing file is valid or whether it has a backing store.

The helper virStorageSourceIsBacking returns true if the given virStorageSource is a valid backing store member. virStorageSourceHasBacking returns true if the virStorageSource has a backing store child.

Adding these functions creates a central point for further refactors.
- 26 Jul 2017, 1 commit

By Martin Kletzander

Since commit 2e6ecba1, the pointer to the qemu driver is saved in the domain object's private data and hence does not have to be passed as yet another parameter if the domain object is already one of them.

This is a first (example) patch of this kind of clean up, others will hopefully follow.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 25 Jul 2017, 1 commit

By Martin Kletzander

It is more related to a domain as we might use it even when there is no systemd and it does not use any dbus/systemd functions. In order not to use code from conf/ in util/, pass machineName in the cgroups code as a parameter. That also fixes a leak of machineName in the lxc driver and cleans up and de-duplicates some code.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 15 Mar 2017, 1 commit

By Michal Privoznik

Some users might want to pass a blockdev or a chardev as a backend for NVDIMM. In fact, this is expected to be the most used configuration. Therefore libvirt should allow the device in the devices CGroup then.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 23 Feb 2017, 1 commit

By Michal Privoznik

When a domain needs access to some device (be it a disk, RNG, chardev, whatever), we have to allow it in the devices CGroup (if it is available), because by default we disallow all the devices. But some of the functions that are responsible for setting up the devices CGroup are lacking a check whether there is any CGroup available. Thus users might be unable to hotplug some devices:

    virsh # attach-device fedora rng.xml
    error: Failed to attach device from rng.xml
    error: internal error: Controller 'devices' is not mounted

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 20 Feb 2017, 7 commits

By Michal Privoznik

When enabling virgl, qemu opens /dev/dri/render*. So far, we are not allowing that in the devices CGroup nor creating the file in the domain's namespace and thus requiring users to set the paths in qemu.conf. This, however, is suboptimal as it allows access to ALL qemu processes, even those which don't have virgl configured. Now that we have a way to specify the render node that qemu will use we can be more cautious and enable just that.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

By Michal Privoznik

So far, qemuDomainGetHostdevPath has no knowledge of the reason it is called and thus reports /dev/vfio/vfio for every VFIO backed device. This is suboptimal, as we want it to:

a) report /dev/vfio/vfio on every addition or domain startup
b) report /dev/vfio/vfio only on the last VFIO device being unplugged

If a domain is being stopped then the namespace and CGroup die with it so no need to worry about that. I mean, even when a domain that's exiting has more than one VFIO device assigned to it, this function does not clean /dev/vfio/vfio in the CGroup nor in the namespace. But that doesn't matter.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

By Michal Privoznik

So far, we are allowing /dev/vfio/vfio in the devices cgroup unconditionally (and creating it in the namespace too). Even if the domain has no hostdev assignment configured. This is a potential security hole. Therefore, when starting the domain (or hotplugging a hostdev) create & allow /dev/vfio/vfio too (if needed).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

By Michal Privoznik

Since these two functions are nearly identical (with qemuSetupHostdevCgroup actually calling virCgroupAllowDevicePath) we can have one function call the other and thus de-duplicate some code.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

By Michal Privoznik

There's no need for this function. Currently it is passed as a callback to virSCSIVHostDeviceFileIterate(). However, SCSI host devices have just one file path. Therefore we can mimic the approach used in qemuDomainGetHostdevPath() to get the path and call virCgroupAllowDevicePath() directly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

By Michal Privoznik

There's no need for this function. Currently it is passed as a callback to virSCSIDeviceFileIterate(). However, SCSI devices have just one file path. Therefore we can mimic the approach used in qemuDomainGetHostdevPath() to get the path and call virCgroupAllowDevicePath() directly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

By Michal Privoznik

There's no need for this function. Currently it is passed as a callback to virUSBDeviceFileIterate(). However, USB devices have just one file path. Therefore we can mimic the approach used in qemuDomainGetHostdevPath() to get the path and call virCgroupAllowDevicePath() directly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
- 15 Dec 2016, 1 commit

By Michal Privoznik

This is a list of devices that qemu needs for its run (apart from what's configured for the domain). The devices on the list are enabled in the CGroups by default so they will be good candidates for the initial /dev for new qemu.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 25 Nov 2016, 3 commits

By Boris Fiuczynski

If libvirt is compiled without NUMACTL support, starting libvirtd reports a libvirt internal error "NUMA isn't available on this host" without checking if NUMA support is compiled into the libvirt binaries. This patch adds the missing NUMA support check to prevent the internal error. It also includes a check if the cgroup controller cpuset is available before using it.

The error was noticed when libvirtd was restarted with running domains and on libvirtd start the qemuConnectCgroup gets called during qemuProcessReconnect.

Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk@linux.vnet.ibm.com>

By Eric Farman

Open /dev/vhost-scsi, and record the resulting file descriptor, so that the guest has access to the host device outside of the libvirt daemon. Pass this information, along with data parsed from the XML file, to build a device string for the qemu command line. That device string will be for either a vhost-scsi-ccw device in the case of an s390 machine, or vhost-scsi-pci for any others.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>

By Eric Farman

We already have a "scsi" hostdev subsys type, which refers to a single LUN that is passed through to a guest. But what of things where multiple LUNs are passed through via a single SCSI HBA, such as with the vhost-scsi target? Create a new hostdev subsys type that will carry this.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
- 23 Nov 2016, 2 commits

By Michal Privoznik

Just like in the previous commit, we are not updating CGroups on chardev hot(un-)plug and thus leaving qemu unable to access any non-default device users are trying to hotplug.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

By Michal Privoznik

If users try to hotplug an RNG device with a backend different to /dev/random or /dev/urandom the whole operation fails as qemu is unable to access the device. The problem is we don't update the devices CGroup during the operation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 12 Nov 2016, 1 commit

By Eric Farman

As was suggested in an earlier review comment[1], we can catch some additional code points by cleaning up how we use the hostdev subsystem type in some switch statements.

[1] End of https://www.redhat.com/archives/libvir-list/2016-September/msg00399.html

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>