Thank you for your comment.

On Wed, 28 Dec 2011 10:44:50 +0800 Shu Ming <shuming@xxxxxxxxxxxxxxxxxx> wrote:
> On 2011-12-22 14:49, Taku Izumi wrote:
> > Hi Daniel-san and all,
> >
> > This patchset adds an option for KVM guests to retain arbitrary capabilities.
> > The first version is here:
> > http://www.redhat.com/archives/libvir-list/2011-December/msg00857.html
> >
> > According to Daniel-san's comment, I changed my patch like the following:
> >
> > v1 -> v2
> > - introduce "process" and "cap" elements in the capability XML
> > - change the XML element name of the domain XML likewise
> >
> > ; the process capabilities the host supports are found in the capability XML.
> > # virsh capabilities
> > <capabilities>
> >
> >   <host>
> >     <uuid>00000000-0000-0000-0000-00199914f1c5</uuid>
> >     ...
> >     <process>
> >       <cap name='chown'/>
> >       <cap name='dac_override'/>
> >       <cap name='dac_read_search'/>
> >       <cap name='fowner'/>
> >       ...
> >     </process>
> >   </host>
> >   ...
> >
> > ; the VM can retain the cap_sys_rawio capability
> > # virsh edit VM
> >   ...
> >   </features>
> >   <process>
> >     <cap name='sys_rawio'/>
> >   </process>
> >   <clock offset='utc'/>
> >   ...
> >
> > # virsh start VM
> > # cat /proc/<VM's PID>/status
> > ...
> > CapInh: 0000000000000000
> > CapPrm: fffffffc00020000
> > CapEff: fffffffc00020000
> > CapBnd: fffffffc00020000
> > ...
>
> Does this mean that if 'sys_rawio' is not set in the "features"
> list, there will be no "CapInh", "CapPrm"... in the proc status file?

By default libvirt executes qemu under a non-root user, and the qemu process has no capabilities. By specifying the user and group options in /etc/libvirt/qemu.conf, libvirt executes qemu under the specified user account. By specifying the user and group options as "root", libvirt executes qemu under the root user. However, in that case the qemu process still has no capabilities despite running as root, because libvirt clears all capabilities by default.
This patch adds an option for the qemu process to retain arbitrary capabilities instead of clearing all capabilities. This should be libvirt's option.

I hope you have a happy new year.

> I was just wondering whether it is more like a QEMU/KVM option instead of a
> libvirt option; it is more reasonable to make QEMU/KVM
> guard these options in the proc status file instead of the libvirt XML file.
>
> > *[PATCH v2 1/5] conf: add XML schema for capability XML
> > *[PATCH v2 2/5] conf: add XML schema for domain XML
> > *[PATCH v2 3/5] util: add functions to keep capabilities
> > *[PATCH v2 4/5] util: extend virExecWithHook()
> > *[PATCH v2 5/5] qemu: make qemu processes to retain capabilities
> >
> > Best regards,
> > Taku Izumi
> >
> > --
> > libvir-list mailing list
> > libvir-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/libvir-list
>
> --
> Shu Ming <shuming@xxxxxxxxxxxxxxxxxx>
> IBM China Systems and Technology Laboratory

--
Taku Izumi <izumi.taku@xxxxxxxxxxxxxx>
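A check a practitioner would want to run after `virsh start`: decode the Cap* lines of `/proc/<pid>/status` and compare them with the `<cap name=.../>` entries from the domain XML, so that any capability the qemu process holds beyond the configured list stands out. This is an added example, not code from the patch series or from libvirt. It assumes the current Linux capability bit table (bit 0 = chown ... bit 40 = checkpoint_restore); any set bit above that table is reported by number rather than guessed. The status texts below are constructed for the example; the first one reuses the CapEff value quoted in the thread, for which the checker reports sys_rawio as expected and flags bits 34 to 63 as not covered by the XML list.

```python
"""Compare a qemu process's capability sets with the libvirt <process><cap/> list."""
import re

# Linux capability bit numbers, spelled the way libvirt's capability XML
# spells them (lower case, without the CAP_ prefix). Assumed to match the
# current include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def mask_from_names(names):
    """Mask that CapPrm/CapEff should equal if exactly these caps are kept."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def names_from_mask(mask):
    """Decode a 64-bit Cap* value; bits above the table come back as 'bit<N>'."""
    out = []
    for bit in range(64):
        if (mask >> bit) & 1:
            out.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "bit%d" % bit)
    return out


def parse_status(text):
    """Extract the Cap* lines of /proc/<pid>/status as integers."""
    caps = {}
    pattern = r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$"
    for m in re.finditer(pattern, text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def check_caps(status_text, expected_names):
    """Compare CapEff with the XML list.

    Returns {'missing': caps listed in the XML but absent from CapEff,
             'unexpected': caps present in CapEff but not listed}.
    """
    eff = parse_status(status_text)["CapEff"]
    expected = mask_from_names(expected_names)
    return {
        "missing": names_from_mask(expected & ~eff),
        "unexpected": names_from_mask(eff & ~expected),
    }


def check_pid(pid, expected_names):
    """Same check against a live process (reads /proc/<pid>/status)."""
    with open("/proc/%d/status" % pid) as f:
        return check_caps(f.read(), expected_names)


# Constructed status excerpts (not captured from a real system).
# The first reuses the CapEff value shown in the thread for <cap name='sys_rawio'/>.
STATUS_FROM_THREAD = (
    "Name:\tqemu-kvm\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\tfffffffc00020000\n"
    "CapEff:\tfffffffc00020000\n"
    "CapBnd:\tfffffffc00020000\n"
)
# What a fully cleared process looks like (libvirt's default behaviour).
STATUS_CLEARED = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
)

if __name__ == "__main__":
    for label, text in (("thread", STATUS_FROM_THREAD), ("cleared", STATUS_CLEARED)):
        print(label, check_caps(text, ["sys_rawio"]))
```

The interesting output is the `unexpected` list: for the value quoted in the thread it contains the names the current kernel assigns to bits 34 to 40 and `bit41` through `bit63`, i.e. everything in the high word of `fffffffc00020000`, none of which appears in the domain XML. Whatever those bits mean on the kernel in question, an exact match between the XML list and CapPrm/CapEff/CapBnd is what a reviewer should expect from a "retain only these capabilities" option, and a non-empty `unexpected` list is the signal to look closer.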