On Fri, Nov 15, 2013 at 12:25:30PM -0700, Eric Blake wrote:
> On 11/15/2013 10:40 AM, Michael R. Hines wrote:
> >
> > This is unrelated to RDMA - accessing the /dev/infiniband
> > device nodes is already supported by libvirt by modifying
> > the configuration file in /etc and that works just fine.
>
> http://wiki.qemu.org/Features/RDMALiveMigration states that you modify
> the .conf file to expose /dev/infiniband/rdma_cm and friends. Are all
> of these devices read/write accessible to non-root? Or is there going
> to be a problem if using user="qemu" group="qemu"? (That is, merely
> exposing the devices through cgroup device ACL checking may be
> insufficient if you can't access the devices when not running root/root).
>
> Libvirt can be patched so that the .conf file does not have to be edited
> (ie. change the defaults so that if cgroup_device_acl is not present in
> the conf file, the defaults could still let a domain access the
> /dev/infiniband devices).

There's also an SELinux question to deal with there. If multiple QEMUs
need concurrent access we can't do a selective grant of the device just
when migration is running - we would have to give all QEMUs access all
the time. This would be a case where doing FD passing of the pre-opened
devices might be a better option. It depends on what the downsides are
to giving QEMU access to the devices unconditionally.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|