Re: [Qemu-devel] [PATCH v3 for-1.7] rdma: rename 'x-rdma' => 'rdma'

[Daniel P. Berrange]

On Fri, Nov 15, 2013 at 12:25:30PM -0700, Eric Blake wrote:
> On 11/15/2013 10:40 AM, Michael R. Hines wrote:
> > 
> > This is unrelated to RDMA - accessing the /dev/infiniband
> > device nodes is already supported by libvirt my modifying
> > the configuration file in /etc and that works just fine.
> 
> http://wiki.qemu.org/Features/RDMALiveMigration states that you modify
> the .conf file to expose /dev/infiniband/rdma_cm and friends.  Are all
> of these devices read/write accessible to non-root?  Or is there going
> to be a problem if using user="qemu" group="qemu"?  (That is, merely
> exposing the devices through cgroup device ACL checking may be
> insufficient if you can't access the devices when not running root/root).
> 
> Libvirt can be patched so that the .conf file does not have to be edited
> (ie. change the defaults so that if cgroup_device_acl is not present in
> the conf file, the defaults could still let a domainaccess the
> /dev/infiniband devices).

There's also an SELinux question to deal with there. If multiple QEMUs
need concurrent access we can't do a selective grant of the device just
when migration is running - we would have to give all QEMU's access
all the time.  This would be a case where doing FD passing of the
pre-opened devices might be a better option. It depends on what the
downsides are to giving QEMU access to the devices unconditionally.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|