On 12.07.2012 00:38, Eric Blake wrote:
> This may be the result of a security fix in the new kernel. I know at least one older version of Intel chips has a bug where IOMMU can be exploited by a guest to take control over the host, so on those chips, newer kernels now require to explicitly enable a kernel module parameter to state that you are going to allow passthrough to the guest in spite of the security risk. That is, you may need to use:
>
>   modprobe kvm allow_unsafe_assigned_interrupts=1
>
> with your newer kernel. Unfortunately, I wasn't able to find a better URL to a page documenting this issue, so that implies we probably also need a patch to the libvirt documentation with regards to using device passthrough.

Hi Eric,

thanks for the info. Reading https://bugzilla.redhat.com/show_bug.cgi?id=715555 , it seems that 5.8 shouldn't be affected since the kvm on that version doesn't support interrupt remapping, if I understand correctly.

Additionally, if I run the script provided in the issue description, the check passes with "Interrupt remapping support available" and the error message differs: I don't get "Operation not permitted" but "Invalid argument". I also can't set the provided switch in /sys/module/kvm/parameters/allow_unsafe_assigned_interrupts, since the file isn't there on my box.

Are there any other circumstances where PCI passthrough could fail? Googling for the error message I get, I can't seem to find any case that matches mine. This makes me guess that I've rather accidentally introduced a misconfiguration than encountered a qemu-kvm/libvirt bug. I have attached the configuration file of that machine, maybe someone could have a look at the hostdev section?

Unfortunately, I am currently not able to switch back to the prior kernel, since the system is in production right now - I will test that later during the day.

Thanks & cheers,
Rouven

--
Blinkenlichten Open Source Solutions
Maass Sacha GbR | Weigandufer 45 | 12059 Berlin
tel: +493013896247 | fax: +493013896249 | mob: +491744220127
Web: http://www.blinkenlichten.de/
G+: http://gplus.to/blinkenlichten
Blinkenlichten Zarafa Hosted Tweets: http://twitter.com/zarafamail/

<domain type='kvm'>
  <name>ld-vm002-vectron</name>
  <uuid>79ea445c-3d14-3ae8-c90c-9ce79ddc7d77</uuid>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='i686' machine='rhel5.4.0'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <boot dev='fd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'>
    <timer name='pit' tickpolicy='delay'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <disk type='file' device='floppy'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/virtio-win-1.1.11-0.vfd'/>
      <target dev='fda' bus='fdc'/>
      <address type='drive' controller='0' bus='0' unit='0'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/Vectron.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <controller type='fdc' index='0'/>
    <controller type='ide' index='0'/>
    <interface type='bridge'>
      <mac address='52:54:00:2f:e1:02'/>
      <source bridge='br0.1'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:c3:0b:45'/>
      <source bridge='br0.3'/>
      <model type='virtio'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <serial type='dev'>
      <source path='/dev/ttyS0'/>
      <target port='1'/>
    </serial>
    <console type='pty'>
      <target port='0'/>
    </console>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x14' slot='0x00' function='0x2'/>
      </source>
    </hostdev>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='de'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
</domain>
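
Added example, not part of the original message and not libvirt's own code: a Python sketch that reads the PCI `<hostdev>` address from a domain XML like the attached one and reports the host-side facts the thread turns on (device present in sysfs, bound driver, and whether the `allow_unsafe_assigned_interrupts` parameter file exists). The function names, the `sysfs` argument and the trimmed sample XML are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: only the <hostdev> part of the attached domain XML.
SAMPLE_XML = """<domain type='kvm'><devices>
  <hostdev mode='subsystem' type='pci' managed='yes'>
    <source>
      <address domain='0x0000' bus='0x14' slot='0x00' function='0x2'/>
    </source>
  </hostdev>
</devices></domain>"""

KVM_PARAM = "module/kvm/parameters/allow_unsafe_assigned_interrupts"
LIMITS = {"domain": 0xFFFF, "bus": 0xFF, "slot": 0x1F, "function": 0x7}


def hostdev_pci_addresses(domain_xml):
    """Return sysfs-style addresses (DDDD:BB:SS.F) of all PCI <hostdev>s."""
    found = []
    for hd in ET.fromstring(domain_xml).findall("./devices/hostdev[@type='pci']"):
        addr = hd.find("./source/address")
        if addr is None:
            raise ValueError("PCI hostdev without <source><address>")
        vals = []
        for key, top in LIMITS.items():
            v = int(addr.get(key, "0"), 0)  # libvirt writes 0x-prefixed hex
            if not 0 <= v <= top:
                raise ValueError("%s=%#x out of range" % (key, v))
            vals.append(v)
        found.append("%04x:%02x:%02x.%x" % tuple(vals))
    return found


def host_state(pci_addr, sysfs="/sys"):
    """Host-side facts for one device; `sysfs` is overridable for testing."""
    dev = os.path.join(sysfs, "bus/pci/devices", pci_addr)
    drv = os.path.join(dev, "driver")
    param = os.path.join(sysfs, KVM_PARAM)
    state = {"device_present": os.path.isdir(dev), "driver": None,
             "unsafe_interrupts": None}  # None: parameter file absent
    if os.path.exists(drv):
        state["driver"] = os.path.basename(os.path.realpath(drv))
    if os.path.isfile(param):
        with open(param) as fh:
            state["unsafe_interrupts"] = fh.read().strip()
    return state


if __name__ == "__main__":
    for a in hostdev_pci_addresses(SAMPLE_XML):
        print(a, host_state(a))
```

A `None` for `unsafe_interrupts` corresponds to the case described in the reply, where the parameter file does not exist on the running kernel.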