> Sent: Tuesday, July 02, 2024 at 5:25 PM
> From: "Michal Prívozník" <mprivozn@xxxxxxxxxx>
> To: "daggs" <daggs@xxxxxxx>
> Cc: users@xxxxxxxxxxxxxxxxx
> Subject: Re: per user vm isolation with shared network
>
> On 7/2/24 16:19, daggs wrote:
>
> >>> thanks, seems like I'm past this part, the vm start fails because of insufficient permissions to detach/reattach the pci nodes, I assumed that there is no fast solution so
> >>> I fixed it with a script that uses doas to perform the detach/reattach.
> >>
> >> No sysadmin wants to allow regular users to bind PCI devices to "random"
> >> drivers, surely. PCI devices must be "detached" (i.e. bound to vfio
> >> driver) by sysadmin (e.g. virsh -c qemu:///system nodedev-detach ...)
> >> BEFORE qemu:///session domain wants to use the device.
> > so I should call virsh -c qemu:///system nodedev-detach from within the libvirt hook? won't that cause a hangup?
> > I did get that in some scenarios.
>
> No, calling libvirt from hooks is strongly discouraged as deadlocks are
> likely to occur. Just detach PCI devices before starting any
> qemu:///session domain. Either right at startup (write an init service),
> do that manually, doesn't matter really.
>
> Michal
>

That seems more complicated, as I want to be sure that all devs are reattached on termination, so I cannot use autostart as I need to detach the devs prior to starting it from the init script. I can add a test to see if the vm was started via the init script, and if not, error. I can use the atd daemon to run the reattachment from the hook, but that depends on the condition that virsh was terminated.

Regarding the error I got, can you point me to the location in the code that performs it? Waiting for the distro's devs might take too long, so I want to try and solve it by myself.
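A wrapper in the shape Michal describes (privileged detach before the session domain starts, no libvirt calls from hooks, reattach on termination), added here as an illustration and not taken from the thread or from libvirt itself: it assumes libvirt nodedev names such as pci_0000_01_00_0, that SYSTEM_VIRSH runs with enough privilege (root, or a doas prefix), and that SESSION_VIRSH can reach the user's qemu:///session.

```shell
#!/bin/sh
# Detach PCI devices through the privileged connection, run a qemu:///session
# domain, and hand the devices back to their host drivers when it stops.
# Assumed (not from the thread): nodedev names in libvirt's pci_DDDD_BB_SS_F
# form, and SYSTEM_VIRSH being privileged (root or a doas/sudo prefix).
set -eu

SYSTEM_VIRSH=${SYSTEM_VIRSH:-"virsh -c qemu:///system"}
SESSION_VIRSH=${SESSION_VIRSH:-"virsh -c qemu:///session"}
DETACHED=""            # devices actually bound to vfio, newest first

# Bind each device to vfio; stop at the first failure so nothing is left
# half done, and remember what succeeded so the exit trap can undo it.
detach_all() {
    for dev in "$@"; do
        $SYSTEM_VIRSH nodedev-detach "$dev" || return 1
        DETACHED="$dev${DETACHED:+ $DETACHED}"
    done
}

# Return every detached device to its host driver; keep going on error so
# one stuck device does not leave the others bound to vfio.
reattach_all() {
    rc=0
    for dev in $DETACHED; do
        $SYSTEM_VIRSH nodedev-reattach "$dev" || rc=1
    done
    DETACHED=""
    return $rc
}

# Poll domstate instead of relying on a hook: no libvirt call from a hook,
# so no chance of the deadlock mentioned in the thread.
wait_for_shutdown() {
    while [ "$($SESSION_VIRSH domstate "$1" 2>/dev/null)" = "running" ]; do
        sleep 2
    done
}

main() {
    dom=$1; shift
    # Reattach on normal exit, on any error (set -e) and on SIGINT/SIGTERM.
    trap 'reattach_all' EXIT
    trap 'exit 130' INT TERM
    detach_all "$@"
    $SESSION_VIRSH start "$dom"
    wait_for_shutdown "$dom"
}

[ $# -gt 0 ] && main "$@"
```

Run as `./vm-wrap.sh <domain> <nodedev...>` from an init service; if a detach fails partway, only the devices that were actually detached are reattached.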