On 02/07/2013 02:37 PM, Laine Stump wrote:
> Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> able to perform PCI passthrough device assignment without 1) running
> qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> /etc/libvirt/qemu.conf.
>
> This patch is the final piece to make PCI passthrough once again work
> properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> virCommand is properly set up to honor that request for non-root child
> processes, it will actually do some good.
>
> It is still necessary to set the file capability for the qemu binary,
> however (see the rules for determining effective caps of a process
> running as non-root in "man 7 capabilities"). This can be done with:
>
>   filecap $path-to-qemu-binary compromise_kernel

Sounds like something that should be done by default at least for the
Fedora packaging of qemu - that is, if the kernel folks don't honor our
request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
all read()/write().

We may not need this patch, if the kernel folks are sensible.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
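
The quoted commit message points at the execve() rules in "man 7 capabilities" to explain why the qemu binary still needs a file capability. The following is an added example, not code from this thread or from libvirt: a small Python model of those rules in their pre-ambient form. The bit value for CAP_COMPROMISE_KERNEL, the names `launcher` and `bystander`, the UID 1000, and the premise that the parent leaves the capability in the child's inheritable set are assumptions made for illustration.

```python
"""Model of the execve() capability rules in capabilities(7), pre-ambient form."""
from dataclasses import dataclass

# Assumption: placeholder bit; the thread does not give the capability's number.
CAP_COMPROMISE_KERNEL = 1 << 0
ALL_CAPS = CAP_COMPROMISE_KERNEL  # the only capability tracked in this model

@dataclass(frozen=True)
class ProcCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0
    bounding: int = ALL_CAPS

@dataclass(frozen=True)
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective_flag: bool = False  # one bit on the file, not a set

def execve_caps(proc: ProcCaps, file: FileCaps, uid: int) -> ProcCaps:
    """Capabilities after exec; uid is both real and effective UID (assumed equal)."""
    f_perm, f_inh, f_eff = file.permitted, file.inheritable, file.effective_flag
    if uid == 0:
        # For root the kernel treats the file sets as full and the flag as set.
        f_perm = f_inh = ALL_CAPS
        f_eff = True
    permitted = (proc.inheritable & f_inh) | (f_perm & proc.bounding)
    effective = permitted if f_eff else 0
    return ProcCaps(permitted, proc.inheritable, effective, proc.bounding)

def scenarios() -> dict:
    """Constructed cases: who ends up with the capability effective after exec."""
    cap = CAP_COMPROMISE_KERNEL
    launcher = ProcCaps(inheritable=cap)   # assumed: parent kept the cap inheritable
    bystander = ProcCaps()                 # any other unprivileged process
    inh_file = FileCaps(inheritable=cap, effective_flag=True)
    perm_file = FileCaps(permitted=cap, effective_flag=True)
    has = lambda p, f, uid: bool(execve_caps(p, f, uid).effective & cap)
    return {
        "launcher, no file caps": has(launcher, FileCaps(), 1000),
        "launcher, file inheritable": has(launcher, inh_file, 1000),
        "bystander, file inheritable": has(bystander, inh_file, 1000),
        "bystander, file permitted": has(bystander, perm_file, 1000),
        "root, no file caps": has(bystander, FileCaps(), 0),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model a file-permitted bit gives the capability to every user who can execute the binary, while a file-inheritable bit gives it only to processes that already carry it as inheritable, so which set the packaging populates decides how widely the capability is exposed.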