When we start a VM which has rawio = 'yes' settings without any file caps settings for qemu, the qemu process still cannot use this cap (CAP_SYS_RAWIO), and /proc/pidofqemu/status looks like this:

CapInh: 0000000000020000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000001fffffffff

This is because we do not set file caps for qemu (see man 7 capabilities). Although Laine has mentioned this in commit e11451, I think it will be good if we add this to the docs.

Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx>
---
 docs/formatdomain.html.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index fb0a0d1..2bcb59d 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1886,7 +1886,10 @@
 than that (per-process basis, affects all the domain disks).
 To confine the capability as much as possible for QEMU driver
 as this stage, <code>sgio</code> is recommended, it's more
- secure than <code>rawio</code>.
+ secure than <code>rawio</code>. If you really want use rawio
+ = 'yes', please also add file caps for qemu (like this
+ 'setcap "cap_sys_rawio+ie" /usr/libexec/qemu-kvm', for more details
+ please see capabilities(7)).
 </dd>
 <dt><code>sgio</code> attribute <span class="since">since 1.0.2</span></dt>
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
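Review bot: the setcap example in the added paragraph hard-codes /usr/libexec/qemu-kvm, which is the RHEL/Fedora package path; upstream documentation should point at whatever binary the domain's <emulator> element names (or state that the path is distribution-specific), otherwise readers on other distributions will run setcap against a file that does not exist. The paragraph also never says why the file capability is "cap_sys_rawio+ie" and not "+ep": with only the inheritable flag in the file capability set, qemu gains CAP_SYS_RAWIO solely when it is exec'd by a parent that already carries the capability in its inheritable set, which is exactly what the CapInh value 0000000000020000 (bit 17, CAP_SYS_RAWIO) in the commit message shows libvirt doing, so the binary is not made more powerful for every other caller; one sentence to that effect would keep users from "fixing" it to +ep. Two smaller points: "If you really want use rawio = 'yes'" is missing "to" ("want to use"), and rawio = 'yes' should be wrapped in <code> to match the surrounding <code>sgio</code>/<code>rawio</code> markup; and because the capability is an extended attribute on the file, it is lost whenever the package manager replaces the binary, which is worth noting right beside the setcap example.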