On 11/10/2016 05:59 AM, Daniel P. Berrange wrote:
> On Thu, Nov 10, 2016 at 10:35:46AM +0000, Marc-André Lureau wrote:
>> Hi
>>
>> What's the status with this patch? If I understand the discussion, it is
>> needed, but not enough. Now that SELinux has been fixed (both in f24/f25
>> now), I can see only the ACL left: setfacl -m u:qemu:rw /dev/dri/renderD128
>> + this patch allows me to set up a system VM with virgl. (though tbh, I
>> would be fine restricting virgl to qemu:///session only)
>
> This ties in with the discussion we've just been having around udev
> and DAC/MAC labelling of device nodes. With my proposed solution of
> using a new mount namespace + dedicated /dev per VM, then granting
> DAC access to the DRI nodes is easy.

The DAC thing at least has an easy workaround, like Marc-André pointed out.
The only workaround for the cgroup issue is a custom cgroup_device_acl in
qemu.conf, which sucks: if a user adds a custom list to their qemu.conf and
then forgets about it, future libvirt updates might extend the default
cgroup_device_acl; the user misses these updates, possibly causing
hard-to-diagnose errors or bugs.

In the meantime we have people that are trying to make this work regardless
of workarounds (see the libvirt-users thread, and comments on bug 1337290).
So IMO better to make the needed workarounds less intrusive. So I still vote
for this patch. But if it's still not acceptable, maybe we can add a new
qemu.conf option like cgroup_device_acl_append= which users can manually
edit, which avoids the upgrade issues of cgroup_device_acl=

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
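The upgrade hazard Cole describes (a hand-edited cgroup_device_acl silently overriding whatever a newer libvirt adds to the default list) can be worked around outside libvirt by regenerating the setting from the commented-out default block that qemu.conf ships, plus the extra devices you need. The script below is an added example and is not libvirt code or anything proposed in the thread; it assumes the installed qemu.conf carries the default list as a commented block starting with "#cgroup_device_acl = [" and ending with "#]" (true of libvirt's qemu.conf; the embedded sample reproduces the 2016-era default list and is a constructed input, so check it against your own /etc/libvirt/qemu.conf). The function names default_device_acl, merged_device_acl and render_node_has_qemu_acl are the example's own.

```shell
#!/bin/sh
# Added example (not libvirt code): rebuild cgroup_device_acl from the
# commented default block in qemu.conf plus extra device nodes, so a libvirt
# upgrade that extends the default list is picked up on the next run instead
# of being masked by a stale hand-edited list.

# Constructed sample of the default block as shipped in qemu.conf
# (assumption: matches the 2016-era default; verify against the real file).
SAMPLE_CONF='# This is the basic set of devices allowed / required by
# all virtual machines.
#
#cgroup_device_acl = [
#    "/dev/null", "/dev/full", "/dev/zero",
#    "/dev/random", "/dev/urandom",
#    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
#    "/dev/rtc","/dev/hpet", "/dev/vfio/vfio"
#]
#
#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
'

# default_device_acl FILE
# Print the device paths from the commented default block, one per line.
default_device_acl() {
    sed -n '/^#cgroup_device_acl = \[/,/^#\]/p' "$1" \
      | grep -o '"[^"]*"' | tr -d '"'
}

# merged_device_acl FILE DEVICE...
# Print an uncommented cgroup_device_acl = [ ... ] setting holding the
# defaults followed by the extra devices, deduplicated, order preserved.
merged_device_acl() {
    conf=$1; shift
    { default_device_acl "$conf"; printf '%s\n' "$@"; } \
      | awk '!seen[$0]++ { printf "%s\"%s\"", (n++ ? ", " : ""), $0 } END { print "" }' \
      | sed 's/^/cgroup_device_acl = [ /; s/$/ ]/'
}

# render_node_has_qemu_acl NODE
# The DAC half of the workaround: after "setfacl -m u:qemu:rw NODE" the
# render node must carry a user:qemu:rw- ACL entry. Needs a real node and
# the acl tools, so it is not exercised by the demo below.
render_node_has_qemu_acl() {
    getfacl -p "$1" 2>/dev/null | grep -q '^user:qemu:rw'
}

# Demo on the constructed sample: emit the line to paste into qemu.conf.
demo_conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo_conf"
merged_device_acl "$demo_conf" /dev/dri/renderD128
rm -f "$demo_conf"
```

Re-running merged_device_acl after every libvirt update (for instance from a package hook) and pasting its output into qemu.conf gives the effect of the cgroup_device_acl_append= option Cole suggests, without carrying a frozen copy of the default list.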