Michal, thanks.

I have another question which is related to kata-container.
When there is only one virtiofs device, how is it that in the guest there are 4 virtiofs mounts that have the same src and different targets?

# in guest
[root@kvm kata-containers]# docker exec efda32ca6a93 mount | grep kataShared
kataShared on / type virtiofs (rw,relatime)
kataShared on /etc/resolv.conf type virtiofs (rw,relatime)
kataShared on /etc/hostname type virtiofs (rw,relatime)
kataShared on /etc/hosts type virtiofs (rw,relatime)

# qemu-kvm
-chardev socket,id=char-c91f3c6a619cec75,path=/run/vc/vm/efda32ca6a93491ac173dc2ad8a38ac095abab3bd8147a1101851f2a0a8d9012/vhost-fs.sock -device vhost-user-fs-pci,chardev=char-c91f3c6a619cec75,tag=kataShared,romfile=

At 2021-01-27 21:31:49, "Michal Privoznik" <mprivozn@xxxxxxxxxx> wrote:
>On 1/26/21 2:13 PM, longguang.yue wrote:
>> Hi, all:
>>
>> There is no error when launching qemu-kvm from the CLI directly, but the VM fails to start via libvirtd.
>> I have tried to chmod 0666 /dev/vhost-vsock.
>>
>>
>> error: internal error: qemu unexpectedly closed the monitor: 2021-01-26T13:06:06.403097Z qemu-kvm: -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=4: vhost-vsock: failed to open vhost device: Unknown error -13
>
>Errno 13 is EACCES (Permission denied) which means that libvirt didn't
>set seclabel on something ...
>
>>
>>
>>
>> <qemu:commandline>
>>   <qemu:arg value='-device'/>
>>   <qemu:arg value='vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=4'/>
>> </qemu:commandline>
>
>.. and this explains why. Anything that's added via qemu commandline
>passthru is opaque to libvirt. Libvirt does not examine it, nor does it set
>any labels, nothing. If you use it, you're on your own. However, vsock
>was added to libvirt (almost 3 years ago) and instead of passing through
>a command line you can define vsock device:
>
>https://libvirt.org/formatdomain.html#vsock
>
>For instance like this:
>
>  <vsock model='virtio'>
>    <cid auto='no' address='3'/>
>  </vsock>
>
>Michal
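
An added example (not part of the thread and not libvirt code): a small Python check that lists every `-device` passed through `<qemu:commandline>`, which per the reply above libvirt neither examines nor labels, and for `vhost-vsock-pci` builds the equivalent native `<vsock>` element. The sample domain XML is constructed from the snippet in the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace libvirt uses for the <qemu:commandline> passthrough element.
QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"

# Constructed sample domain XML, reusing the passthrough from the thread.
SAMPLE_DOMAIN = """\
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>demo</name>
  <devices/>
  <qemu:commandline>
    <qemu:arg value='-device'/>
    <qemu:arg value='vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=4'/>
  </qemu:commandline>
</domain>
"""

def passthrough_devices(domain_xml):
    """Return the value following every '-device' in <qemu:commandline>."""
    root = ET.fromstring(domain_xml)
    args = [a.get("value", "") for a in root.iter(f"{{{QEMU_NS}}}arg")]
    return [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-device"]

def parse_device(spec):
    """Split 'driver,key=val,...' into (driver, {key: val})."""
    driver, _, rest = spec.partition(",")
    props = dict(p.split("=", 1) for p in rest.split(",") if "=" in p)
    return driver, props

def audit(domain_xml):
    """List passthrough devices; suggest native XML for vhost-vsock-pci."""
    findings = []
    for spec in passthrough_devices(domain_xml):
        driver, props = parse_device(spec)
        native = None
        if driver == "vhost-vsock-pci" and "guest-cid" in props:
            # Same shape as the <vsock> element shown in the reply.
            vsock = ET.Element("vsock", model="virtio")
            ET.SubElement(vsock, "cid", auto="no", address=props["guest-cid"])
            native = ET.tostring(vsock, encoding="unicode")
        findings.append({"driver": driver, "props": props, "native_xml": native})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_DOMAIN):
        print("passthrough device, not labelled by libvirt:", f["driver"], f["props"])
        if f["native_xml"]:
            print("  define instead:", f["native_xml"])
```
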