Re: [PATCH 15/15] qemu: set CAP_COMPROMISE_KERNEL so that pci passthrough works

On 02/07/2013 02:37 PM, Laine Stump wrote:
> Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> able to perform PCI passthrough device assignment without 1) running
> qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> /etc/libvirt/qemu.conf.
> 
> This patch is the final piece to make pci passthrough once again work
> properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> virCommand is properly set up to honor that request for non-root child
> processes, it will actually do some good.
> 
> It is still necessary to set the file capability for the qemu binary,
> however (see the rules for determining effective caps of a process
> running as non-root in "man 7 capabilities"). This can be done with:
> 
>   filecap $path-to-qemu-binary compromise_kernel

Sounds like something that should be done by default at least for the
Fedora packaging of qemu - that is, if the kernel folks don't honor our
request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
all read()/write().

We may not need this patch, if the kernel folks are sensible.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
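
The capabilities(7) exec rules that the quoted commit message points to, modelled as an added example (not part of the original thread and not libvirt code). It covers only a non-root process and leaves out ambient capabilities; the bit values are placeholders and the child's pre-exec capability sets are an assumption.

```python
from dataclasses import dataclass

# Placeholder bit positions constructed for this example (not kernel values).
CAP_COMPROMISE_KERNEL = 1 << 0
CAP_NET_ADMIN = 1 << 1
ALL_CAPS = CAP_COMPROMISE_KERNEL | CAP_NET_ADMIN


@dataclass(frozen=True)
class ProcCaps:
    permitted: int
    inheritable: int
    effective: int
    bounding: int = ALL_CAPS


@dataclass(frozen=True)
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False  # the file's single "effective" flag


def execve_caps(p: ProcCaps, f: FileCaps) -> ProcCaps:
    """Capability sets of a non-root process after execve() of a file with caps f."""
    new_permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding)
    new_effective = new_permitted if f.effective else 0
    return ProcCaps(new_permitted, p.inheritable, new_effective, p.bounding)


def has_cap(p: ProcCaps, cap: int) -> bool:
    """True if cap is in the effective set, i.e. actually usable."""
    return bool(p.effective & cap)


# Assumed child state just before exec: capability raised in all three sets.
child = ProcCaps(permitted=CAP_COMPROMISE_KERNEL,
                 inheritable=CAP_COMPROMISE_KERNEL,
                 effective=CAP_COMPROMISE_KERNEL)

# Binary without file capabilities: everything is lost across exec.
no_filecap = execve_caps(child, FileCaps())
# Binary with the capability in its inheritable or permitted file set: it survives.
inh_filecap = execve_caps(child, FileCaps(inheritable=CAP_COMPROMISE_KERNEL, effective=True))
perm_filecap = execve_caps(child, FileCaps(permitted=CAP_COMPROMISE_KERNEL, effective=True))
# A bounding set that excludes the capability masks the file's permitted set.
bounded = execve_caps(ProcCaps(0, 0, 0, bounding=CAP_NET_ADMIN),
                      FileCaps(permitted=CAP_COMPROMISE_KERNEL, effective=True))
```

The `no_filecap` case is the reason the commit message says the file capability is still necessary: raising the capability in the child alone does not carry it across exec for a non-root user.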
