On 16.02.2017 13:47, Marc-André Lureau wrote: > Hi > > On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik <mprivozn@xxxxxxxxxx> > wrote: > >> When enabling virgl, qemu opens /dev/dri/render*. So far, we are >> not allowing that in devices cgroup nor creating the file in >> domain's namespace and thus requiring users to set the paths in >> qemu.conf. This, however, is suboptimal as it allows access to >> ALL qemu processes even those which don't have virgl configured. >> >> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> >> > > > Thanks, but that doesn't work :) > > You should loop over the spice/gl graphics nodes (virtio accel3d is not > actually using 3d, as of today, if the graphics configuration/layer doesn't > provide it) > > See also Ján Tomko "qemu_cgroup: allow access to /dev/dri/render*" patch, > which use to work. > > After my series "[PATCH 0/5] Add rendernode selection support", it will > further have to narrow the path allowed to the specified rendernode. This > can be done in my series or yours, depending on applied order. Correct, I've pushed your patches on Friday so now I'll work on allowing selected render node in cgroup. BTW: what about /dev/dri/card0 and /dev/dri/controlD4 - do they need to be allowed in devices CGroup too? BTW: I've merged patches 1-6/7 since you reviewed them. Thanks! Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
