From patchwork Fri Mar 26 16:34:21 2021
X-Patchwork-Submitter: Cole Robinson
X-Patchwork-Id: 409525
From: Cole Robinson
To: libvir-list@redhat.com
Subject: [PATCH] qemu: don't reject virtiofs for qemu:///session
Date: Fri, 26 Mar 2021 12:34:21 -0400
Message-Id: <632ce101c4a83a61a80ddbecb64e48d8e8d9d87c.1616776100.git.crobinso@redhat.com>
Cc: Cole Robinson
List-Id: Development discussions about the libvirt library & tools

Currently libvirt rejects attempts to use virtiofs with qemu:///session. Indeed virtiofs does not have a chance of working with typical session usage, because virtiofsd needs multiple Linux capabilities to perform its job. The only way to do this with out-of-the-box qemu packaging is to run virtiofsd as root, so libvirtd must run as root, so qemu:///system is required.

But it's possible that a custom environment could setuid or set file capabilities on the virtiofsd binary. In this case qemu:///session would work fine. This may be an option for kubevirt to help them transition to using qemu:///session everywhere.

Drop the two pieces that block virtiofs for qemu:///session.

Attempts to use virtiofs for stock qemu:///session will fail at qemu startup, though it's a bit opaque:

error: Failed to start domain 'f32'
error: internal error: qemu unexpectedly closed the monitor:
2021-03-26T16:26:12.459293Z qemu-system-x86_64: -device vhost-user-fs-pci,chardev=chr-vu-fs0,tag=/foovirtiofs,bus=pci.10,addr=0x0: Failed to write msg. Wrote -1 instead of 12.
2021-03-26T16:26:12.459317Z qemu-system-x86_64: -device vhost-user-fs-pci,chardev=chr-vu-fs0,tag=/foovirtiofs,bus=pci.10,addr=0x0: vhost_dev_init failed: Operation not permitted Signed-off-by: Cole Robinson --- The SetUID/SetGID bits don't seem to be necessary for qemu:///system usage AFAICT, but it's a bit tough to decode virSetUIDGIDWithCaps. virtiofsd is meticulous about managing its capability set though src/qemu/qemu_validate.c | 7 +------ src/qemu/qemu_virtiofs.c | 4 ---- 2 files changed, 1 insertion(+), 10 deletions(-) -- 2.30.2 diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index 6043f974ce..d4079f6b67 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -4053,7 +4053,7 @@ qemuValidateDomainDeviceDefGraphics(const virDomainGraphicsDef *graphics, static int qemuValidateDomainDeviceDefFS(virDomainFSDefPtr fs, const virDomainDef *def, - virQEMUDriverPtr driver, + virQEMUDriverPtr driver G_GNUC_UNUSED, virQEMUCapsPtr qemuCaps) { if (fs->type != VIR_DOMAIN_FS_TYPE_MOUNT) { @@ -4107,11 +4107,6 @@ qemuValidateDomainDeviceDefFS(virDomainFSDefPtr fs, _("virtiofs does not yet support read-only mode")); return -1; } - if (!driver->privileged) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("virtiofs is not yet supported in session mode")); - return -1; - } if (fs->accessmode != VIR_DOMAIN_FS_ACCESSMODE_PASSTHROUGH) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("virtiofs only supports passthrough accessmode")); diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 2e239cad66..0bb4e3c0d1 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -214,10 +214,6 @@ qemuVirtioFSStart(virLogManagerPtr logManager, if (!(cmd = qemuVirtioFSBuildCommandLine(cfg, fs, &fd))) goto cleanup; - /* so far only running as root is supported */ - virCommandSetUID(cmd, 0); - virCommandSetGID(cmd, 0); - virCommandSetPidFile(cmd, pidfile); virCommandSetOutputFD(cmd, &logfd); virCommandSetErrorFD(cmd, &logfd);
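
Review bot: In the second hunk of src/qemu/qemu_validate.c, dropping the `if (!driver->privileged)` block removes the only clear VIR_ERR_CONFIG_UNSUPPORTED diagnostic for session users, and the commit message itself shows that a stock qemu:///session now fails only at QEMU startup with "vhost_dev_init failed: Operation not permitted". Rather than deleting the check outright, consider replacing it with something that still points at the cause, for example a warning at validation time when the driver is unprivileged, or a clearer error when virtiofsd cannot do its job, and document that session use requires setuid or file capabilities on the virtiofsd binary. With the check gone nothing in the function reads `driver`, which is the only reason the first hunk has to add G_GNUC_UNUSED.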
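
Review bot: In src/qemu/qemu_virtiofs.c, the removal of `virCommandSetUID(cmd, 0);` and `virCommandSetGID(cmd, 0);` is unconditional, so it also changes how virtiofsd is launched under qemu:///system, and the note after the `---` marker says only that the calls "don't seem to be necessary" there. Please confirm that on a privileged daemon before merging, or keep the two calls for the privileged case and skip them only in session mode. The commit message or the virtiofs docs should also state that, once virtiofsd is installed setuid or with file capabilities, libvirt no longer blocks session users from starting it, so permissions on the binary itself become the access control.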