start qemu fail : qemu-system-x86_64: -sandbox on,obsolete=deny, elevateprivileges=deny,spawn=deny,resourcecontrol=deny: seccomp support is disabled libvirt version : 4.3 qemu version : 2.12 reproducer : recompile qemu with ./configure --disable-seccomp, or remove libseccomp package. with default seccompSandbox -1, libvirt try to get config from qemu cmdline. if qemu disables seccomp (or misses seccomp package), qemu still reports sandbox help message. libvirt mistakens about qemu real capability. set default seccompSandbox as 0 in code, and still get user conf from qemu.conf. if user wants to enable seccomp, he should check qemu firstly, then use the right qemu.conf. Signed-off-by: zhenwei pi <zhenwei.pi@xxxxxxxxxxxxxxx> --- src/qemu/qemu_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 277ab83..d17b4b1 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -313,7 +313,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged) cfg->keepAliveInterval = 5; cfg->keepAliveCount = 5; - cfg->seccompSandbox = -1; + cfg->seccompSandbox = 0; cfg->logTimestamp = true; cfg->glusterDebugLevel = 4; -- 2.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
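Review bot: In virQEMUDriverConfigNew, changing the default `cfg->seccompSandbox` from -1 to 0 drops the sandbox for every host that has not set it in qemu.conf, including hosts whose QEMU was built with seccomp and where the auto-detected default works today. The commit message puts the fault in detection (QEMU still prints the sandbox help text when seccomp is disabled), so the narrower fix is to keep -1 here and make the capability probe reflect whether `-sandbox on` is actually usable, so that only the broken builds lose the option. If the default does change, the hunk should come with a matching update to the qemu.conf documentation for this setting, since guests would otherwise start without the seccomp filter and with no indication to the administrator.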