On Fri, Feb 08, 2013 at 12:07:16PM -0700, Eric Blake wrote:
> On 02/07/2013 02:37 PM, Laine Stump wrote:
> > Any system with CAP_COMPROMISE_KERNEL available in the kernel was not
> > able to perform PCI passthrough device assignment without 1) running
> > qemu as root *and* 2) setting "clear_emulator_capabilities=0" in
> > /etc/libvirt/qemu.conf.
> >
> > This patch is the final piece to make pci passthrough once again work
> > properly with a non-root qemu. It sets CAP_COMPROMISE_KERNEL; now that
> > virCommand is properly setup to honor that request for non-root child
> > processes, it will actually do some good.
> >
> > It is still necessary to set the file capability for the qemu binary,
> > however (see the rules for determining effective caps of a process
> > running as non-root in "man 7 capabilities"). This can be done with:
> >
> > filecap $path-to-qemu-binary compromise_kernel
>
> Sounds like something that should be done by default at least for the
> Fedora packaging of qemu - that is, if the kernel folks don't honor our
> request to make CAP_COMPROMISE_KERNEL needed only on open() rather than
> all read()/write().
>
> We may not need this patch, if the kernel folks are sensible.

Yes, I want to push this back onto the kernel developers. IMHO this is a
userspace ABI change they've made here. The secureboot stuff should be a
complete no-op if the kernel is not booted in secureboot mode, but the
current kernel patch does not satisfy that. I don't think it should be
libvirt or KVM's job to fix this kernel breakage.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
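Laine's point that a file capability on the qemu binary is still needed, even after virCommand keeps CAP_COMPROMISE_KERNEL for the non-root child, follows from the execve() transformation rules in capabilities(7). The model below is an added example, not code from this thread, from libvirt or from qemu: it implements those rules for a non-root exec and runs a few constructed scenarios. Capability names are plain strings; "compromise_kernel" is used as a placeholder name taken from the filecap command quoted above, not as a real kernel capability number, and the assumption that filecap writes a "+ep" (permitted plus effective) file capability is marked in the code.

```python
# Added example (not libvirt/qemu code): model of the execve() capability
# transformation from capabilities(7) for a non-root process, used to show
# why the qemu child gets no effective capability unless its binary carries
# a file capability.
from dataclasses import dataclass
from typing import FrozenSet, Optional

Caps = FrozenSet[str]
NONE: Caps = frozenset()


@dataclass(frozen=True)
class FileCaps:
    """Capability sets attached to an executable (what filecap/setcap write)."""
    permitted: Caps = NONE
    inheritable: Caps = NONE
    effective: bool = False   # single bit: copy new permitted into effective on exec


@dataclass(frozen=True)
class ProcCaps:
    """Thread capability sets of the process calling execve()."""
    permitted: Caps = NONE
    inheritable: Caps = NONE
    effective: Caps = NONE
    bounding: Caps = NONE
    ambient: Caps = NONE      # ambient set exists since Linux 4.3, after this thread


def execve_caps(proc: ProcCaps, fcaps: Optional[FileCaps]) -> ProcCaps:
    """Apply the non-root execve() rules from capabilities(7):
         P'(ambient)   = (file is privileged) ? 0 : P(ambient)
         P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bounding)) | P'(ambient)
         P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
       The inheritable and bounding sets are carried over unchanged."""
    f = fcaps if fcaps is not None else FileCaps()
    privileged = fcaps is not None and bool(f.permitted or f.inheritable)
    ambient = NONE if privileged else proc.ambient
    permitted = (proc.inheritable & f.inheritable) | (f.permitted & proc.bounding) | ambient
    effective = permitted if f.effective else ambient
    return ProcCaps(permitted=permitted, inheritable=proc.inheritable,
                    effective=effective, bounding=proc.bounding, ambient=ambient)


# Placeholder capability name, as in the thread's "filecap ... compromise_kernel".
CAP = "compromise_kernel"

# Constructed model of the libvirt side after virCommand has switched to the
# qemu uid: permitted/effective are gone, CAP survives in the inheritable set,
# and the bounding set still allows it (plus one unrelated capability).
LIBVIRT_CHILD = ProcCaps(inheritable=frozenset({CAP}),
                         bounding=frozenset({CAP, "net_admin"}))


def qemu_effective(fcaps: Optional[FileCaps], parent: ProcCaps = LIBVIRT_CHILD) -> Caps:
    """Effective set qemu starts with, given the file caps on its binary."""
    return execve_caps(parent, fcaps).effective


def demo() -> dict:
    """Constructed scenarios; 'file +ep' assumes filecap writes permitted+effective."""
    return {
        "no file caps": qemu_effective(None),
        "file +ep (filecap)": qemu_effective(
            FileCaps(permitted=frozenset({CAP}), effective=True)),
        "file +ei, parent has inh": qemu_effective(
            FileCaps(inheritable=frozenset({CAP}), effective=True)),
        "file +ei, parent lacks inh": qemu_effective(
            FileCaps(inheritable=frozenset({CAP}), effective=True),
            ProcCaps(bounding=frozenset({CAP}))),
        "file +p only (no e bit)": qemu_effective(
            FileCaps(permitted=frozenset({CAP}))),
    }


if __name__ == "__main__":
    for case, caps in demo().items():
        print(f"{case:28s} -> effective = {sorted(caps) or '{}'}")
```

The "no file caps" case is the situation the patch alone cannot fix: with nothing in the file's permitted or inheritable sets, both terms of P'(permitted) are empty regardless of what the parent kept in its inheritable set, so qemu starts with an empty effective set. The "+ei" pair shows the other half of the rule, where the file capability only takes effect if the parent's inheritable set also contains it, which is what the virCommand change provides; the bounding set caps anything a file capability could otherwise add.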