From 332386ae7bc02618d1860f726065448324a6734a Mon Sep 17 00:00:00 2001
Message-Id: <332386ae7bc02618d1860f726065448324a6734a@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Mon, 5 Sep 2022 12:37:16 +0200
Subject: [PATCH] kbase: Document QEMU private mount NS limitations
|
There are two points I've taken for granted:
|
1) the mount points are set before starting a guest,
2) the / and its submounts are marked as shared, so that mount
events propagate into child namespaces when assumption 1) is
not held.
|
But what's obvious to me might not be obvious to our users.
Document these known limitations.
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit d3397885d589c25b8962ae221fd0a71ced5597cb)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
docs/kbase/qemu-passthrough-security.rst | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
|
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
index 4381d9f3a6..106c3cc5b9 100644
--- a/docs/kbase/qemu-passthrough-security.rst
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -156,3 +156,25 @@ will affect all virtual machines. These settings are all made in
|
* Cgroups - set ``cgroup_device_acl`` to include the desired device node, or
``cgroup_controllers = [...]`` to exclude the ``devices`` controller.
+
+Private monunt namespace
+----------------------------
+
+As mentioned above, libvirt launches each QEMU process in its own ``mount``
+namespace. It's recommended that all mount points are set up prior starting any
+guest. For cases when that can't be assured, mount points in the namespace are
+marked as slave so that mount events happening in the parent namespace are
+propagated into this child namespace. But this may require an additional step:
+mounts in the parent namespace need to be marked as shared (if the distribution
+doesn't do that by default). This can be achieved by running the following
+command before any guest is started:
+
+::
+
+ # mount --make-rshared /
+
+Another requirement for dynamic mount point propagation is to not place
+``hugetlbfs`` mount points under ``/dev`` because these won't be propagated as
+corresponding directories do not exist in the private namespace. Or just use
+``memfd`` memory backend instead which does not require ``hugetlbfs`` mount
+points.
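Review bot: the new section heading `+Private monunt namespace` misspells "mount"; the 28-dash underline is long enough that RST still renders it, but the typo goes straight into the published kbase page, so please fix it to `Private mount namespace`. Two smaller wording points in the same hunk: "prior starting any guest" should read "prior to starting any guest", and since the text already says the `mount --make-rshared /` step is only needed when the distribution does not mark `/` shared by default, it would help admins to state how to check that first, e.g. `findmnt -o TARGET,PROPAGATION /` showing `shared` means the step can be skipped. Finally, the sentence "these won't be propagated as corresponding directories do not exist in the private namespace" would be clearer if it said explicitly that libvirt populates its own `/dev` in the private namespace, which is why a ``hugetlbfs`` mount under `/dev` in the parent has no mount point to land on there.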
--
2.39.0