[PATCH v2 6/6] tpm: Add swtpm to emulator cgroup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add the external swtpm to the emulator cgroup so that upper limits of CPU
usage can be enforced on the emulated TPM.

To enable this we need to have the swtpm write its process id (pid) into a
file. We then read it from the file to configure the emulator cgroup.

The PID file is created in /var/run/libvirt/qemu/swtpm:

[root@localhost swtpm]# ls -lZ /var/run/libvirt/qemu/swtpm/
total 4
-rw-r--r--. 1 tss  tss  system_u:object_r:qemu_var_run_t:s0          5 Apr 10 12:26 testvm-swtpm.pid
srw-rw----. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c597,c632 0 Apr 10 12:26 testvm-swtpm.sock

The swtpm command line now looks as follows:

root@localhost testvm]# ps auxZ | grep swtpm | grep socket | grep -v grep
system_u:system_r:virtd_t:s0:c597,c632 tss 18697 0.0  0.0 28172 3892 ?       Ss   16:46   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log --pid file=/var/run/libvirt/qemu/swtpm/testvm-swtpm.pid

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
 src/conf/domain_conf.c    |  1 +
 src/conf/domain_conf.h    |  1 +
 src/libvirt_private.syms  |  1 +
 src/qemu/qemu_cgroup.c    | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_cgroup.h    |  1 +
 src/qemu/qemu_extdevice.c | 19 +++++++++++++++++
 src/qemu/qemu_process.c   |  4 ++++
 src/util/vircgroup.c      | 42 +++++++++++++++++++++++++++++++++++++
 src/util/vircgroup.h      |  1 +
 src/util/virtpm.c         | 33 +++++++++++++++++++++++++++++
 10 files changed, 156 insertions(+)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 0bbb547..e19f7dc 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -2620,6 +2620,7 @@ void virDomainTPMDefFree(virDomainTPMDefPtr def)
         VIR_FREE(def->data.emulator.source.data.nix.path);
         VIR_FREE(def->data.emulator.storagepath);
         VIR_FREE(def->data.emulator.logfile);
+        VIR_FREE(def->data.emulator.pidfile);
         break;
     case VIR_DOMAIN_TPM_TYPE_LAST:
         break;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 80f599c..34bd4a2 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1309,6 +1309,7 @@ struct _virDomainTPMDef {
             virDomainChrSourceDef source;
             char *storagepath;
             char *logfile;
+            char *pidfile;
         } emulator;
     } data;
 };
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index af9163f..00cb294 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1467,6 +1467,7 @@ virBufferVasprintf;
 
 # util/vircgroup.h
 virCgroupAddMachineTask;
+virCgroupAddProc;
 virCgroupAddTask;
 virCgroupAddTaskController;
 virCgroupAllowAllDevices;
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index bd4859c..859ed55 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -37,6 +37,7 @@
 #include "virtypedparam.h"
 #include "virnuma.h"
 #include "virsystemd.h"
+#include "virpidfile.h"
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
@@ -1106,6 +1107,58 @@ qemuSetupCgroupCpusetCpus(virCgroupPtr cgroup,
 
 
 int
+qemuSetupCgroupForExtDevices(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    virDomainTPMDefPtr tpm = vm->def->tpm;
+    virCgroupPtr cgroup_temp = NULL;
+    pid_t pid;
+    int ret = -1;
+
+    if (priv->cgroup == NULL)
+        return 0; /* Not supported, so claim success */
+
+    /*
+     * If CPU cgroup controller is not initialized here, then we need
+     * neither period nor quota settings.  And if CPUSET controller is
+     * not initialized either, then there's nothing to do anyway.
+     */
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPU) &&
+        !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
+        return 0;
+
+    if (virCgroupNewThread(priv->cgroup, VIR_CGROUP_THREAD_EMULATOR, 0,
+                           false, &cgroup_temp) < 0)
+        goto cleanup;
+
+    if (tpm) {
+        switch (tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            if (virPidFileReadPath(tpm->data.emulator.pidfile, &pid) < 0) {
+                virReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("Could not read swtpm's pidfile %s"),
+                               tpm->data.emulator.pidfile);
+                goto cleanup;
+            }
+            if (virCgroupAddProc(cgroup_temp, pid) < 0)
+                goto cleanup;
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
+    ret = 0;
+
+cleanup:
+    virCgroupFree(&cgroup_temp);
+
+    return ret;
+}
+
+
+int
 qemuSetupGlobalCpuCgroup(virDomainObjPtr vm)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
index 3b8ff60..478bf7e 100644
--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -69,6 +69,7 @@ int qemuSetupCgroupVcpuBW(virCgroupPtr cgroup,
                           long long quota);
 int qemuSetupCgroupCpusetCpus(virCgroupPtr cgroup, virBitmapPtr cpumask);
 int qemuSetupGlobalCpuCgroup(virDomainObjPtr vm);
+int qemuSetupCgroupForExtDevices(virDomainObjPtr vm);
 int qemuRemoveCgroup(virDomainObjPtr vm);
 
 typedef struct _qemuCgroupEmulatorAllNodesData qemuCgroupEmulatorAllNodesData;
diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c
index ee327ca..23ec310 100644
--- a/src/qemu/qemu_extdevice.c
+++ b/src/qemu/qemu_extdevice.c
@@ -128,6 +128,9 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
     char *errbuf = NULL;
     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
     virDomainTPMDefPtr tpm = def->tpm;
+    char *pidfiledata = NULL;
+    int timeout;
+    int len;
 
     /* stop any left-over TPM emulator for this VM */
     virTPMEmulatorStop(cfg->swtpmStateDir, def->name);
@@ -170,6 +173,22 @@ qemuExtTPMStartEmulator(virQEMUDriverPtr driver,
         goto error;
     }
 
+    /* check that the swtpm has written its pid into the file */
+    timeout = 1000; /* ms */
+    while  ((len = virFileReadHeaderQuiet(tpm->data.emulator.pidfile,
+                                          10, &pidfiledata)) <= 0) {
+        if (len == 0 && timeout > 0) {
+            timeout -= 50;
+            usleep(50 * 1000);
+            continue;
+        }
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("swtpm did not write pidfile '%s'"),
+                       tpm->data.emulator.pidfile);
+        goto error;
+    }
+    VIR_FREE(pidfiledata);
+
     ret = 0;
 
  cleanup:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7bf90a4..4877c49 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6072,6 +6072,10 @@ qemuProcessLaunch(virConnectPtr conn,
     if (qemuProcessSetupEmulator(vm) < 0)
         goto cleanup;
 
+    VIR_DEBUG("Setting cgroup for external devices (if required)");
+    if (qemuSetupCgroupForExtDevices(vm) < 0)
+        goto cleanup;
+
     VIR_DEBUG("Setting up resctrl");
     if (qemuProcessResctrlCreate(driver, vm) < 0)
         goto cleanup;
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index 0a31947..4809f12 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1245,6 +1245,38 @@ virCgroupAddMachineTask(virCgroupPtr group, pid_t pid)
     return virCgroupAddTaskInternal(group, pid, true);
 }
 
+/**
+ * virCgroupAddProc:
+ *
+ * @group: The cgroup to add a process to
+ * @pid: The pid of the process to add
+ *
+ * Returns: 0 on success, -1 on error
+ */
+int
+virCgroupAddProc(virCgroupPtr group, pid_t pid)
+{
+    int ret = -1;
+    size_t i;
+
+    for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {
+        /* Skip over controllers not mounted */
+        if (!group->controllers[i].mountPoint)
+            continue;
+
+        /* We must never add tasks in systemd's hierarchy */
+        if (i == VIR_CGROUP_CONTROLLER_SYSTEMD)
+            continue;
+
+        if (virCgroupSetValueU64(group, i, "cgroup.procs", pid) < 0)
+            goto cleanup;
+    }
+
+    ret = 0;
+ cleanup:
+    return ret;
+}
+
 
 /**
  * virCgroupAddTaskController:
@@ -4298,6 +4330,16 @@ virCgroupAddMachineTask(virCgroupPtr group ATTRIBUTE_UNUSED,
 
 
 int
+virCgroupAddProc(virCgroupPtr group ATTRIBUTE_UNUSED,
+                 pid_t pid ATTRIBUTE_UNUSED)
+{
+    virReportSystemError(ENXIO, "%s",
+                         _("Control groups not supported on this platform"));
+    return -1;
+}
+
+
+int
 virCgroupAddTaskController(virCgroupPtr group ATTRIBUTE_UNUSED,
                            pid_t pid ATTRIBUTE_UNUSED,
                            int controller ATTRIBUTE_UNUSED)
diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index d833927..82b3964 100644
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -132,6 +132,7 @@ int virCgroupPathOfController(virCgroupPtr group,
 
 int virCgroupAddTask(virCgroupPtr group, pid_t pid);
 int virCgroupAddMachineTask(virCgroupPtr group, pid_t pid);
+int virCgroupAddProc(virCgroupPtr group, pid_t pid);
 
 int virCgroupAddTaskController(virCgroupPtr group,
                                pid_t pid,
diff --git a/src/util/virtpm.c b/src/util/virtpm.c
index 3bb911e..af2e1d2 100644
--- a/src/util/virtpm.c
+++ b/src/util/virtpm.c
@@ -39,6 +39,7 @@
 #include "virlog.h"
 #include "virtpm.h"
 #include "virutil.h"
+#include "virpidfile.h"
 #include "configmake.h"
 
 #define VIR_FROM_THIS VIR_FROM_NONE
@@ -370,6 +371,25 @@ int virTPMEmulatorInitPaths(virDomainTPMDefPtr tpm,
 }
 
 /*
+ * virTPMCreatePidfileName
+ */
+static char *virTPMCreatePidfileName(const char *swtpmStateDir,
+                                     const char *vmname)
+{
+    char *pidfile = NULL;
+    char *devname = NULL;
+
+    if (virAsprintf(&devname, "%s-swtpm", vmname) < 0)
+        return NULL;
+
+    pidfile = virPidFileBuildPath(swtpmStateDir, devname);
+
+    VIR_FREE(devname);
+
+    return pidfile;
+}
+
+/*
  * virTPMEmulatorPrepareHost:
  *
  * @tpm: tpm definition
@@ -427,6 +447,10 @@ int virTPMEmulatorPrepareHost(virDomainTPMDefPtr tpm,
         goto cleanup;
     tpm->data.emulator.source.type = VIR_DOMAIN_CHR_TYPE_UNIX;
 
+    if (!(tpm->data.emulator.pidfile =
+           virTPMCreatePidfileName(swtpmStateDir, vmname)))
+        goto cleanup;
+
     ret = 0;
 
  cleanup:
@@ -577,6 +601,9 @@ virTPMEmulatorBuildCommand(virDomainTPMDefPtr tpm, const char *vmname,
         break;
     }
 
+    virCommandAddArg(cmd, "--pid");
+    virCommandAddArgFormat(cmd, "file=%s", tpm->data.emulator.pidfile);
+
     return cmd;
 
  error:
@@ -604,6 +631,7 @@ virTPMEmulatorStop(const char *swtpmStateDir, const char *vmname)
     virCommandPtr cmd;
     char *pathname;
     char *errbuf = NULL;
+    char *pidfile;
 
     if (virTPMEmulatorInit() < 0)
         return;
@@ -632,6 +660,11 @@ virTPMEmulatorStop(const char *swtpmStateDir, const char *vmname)
     unlink(pathname);
 
  cleanup:
+    /* clean up the PID file */
+    if ((pidfile = virTPMCreatePidfileName(swtpmStateDir, vmname))) {
+        unlink(pidfile);
+        VIR_FREE(pidfile);
+    }
     VIR_FREE(pathname);
     VIR_FREE(errbuf);
 }
-- 
2.5.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux