Antonio Carlos Salzvedel Furtado Junior
2012-May-11 20:42 UTC
[libvirt-users] Permission issue with cgroups
Hello libvirt users,

I'm using the cgroup with QEMU guests. At /etc/libvirt/qemu.conf, I have
the following parameter:

cgroup_controllers = [ "cpu" ]

This controller is successfully mounted and libvirt is able to create
subgroups for each VM, it's really great the cgroups support in libvirt.
The problem is that I can only set the parameters of a given cgroup under
the cpu controller if I'm logged in as root. I want another user to have
that permission as well.

I tried to modify the file /etc/cgconfig.conf to change the permissions.
The file is exactly this:

group libvirt {
    perm {
        admin {
            uid = opennebula;
            gid = opennebula;
        }
        task {
            uid = root;
            gid = root;
        }
    }
    cpu {
        cpu.shares=512;
    }
}

This configuration above does not seem to modify any of the administration
permissions. Only the root can edit the parameters under libvirt.
The cpu entry was added just to check whether this configuration was read
by cgroups at all. The 'cpu.shares' does change in group libvirt.

I was careful to start libvirt only after the service cgconfig was
restarted.

Thanks in advance,
Antonio Carlos Furtado

On 05/11/2012 02:42 PM, Antonio Carlos Salzvedel Furtado Junior wrote:
> Hello libvirt users,
>
>
> I'm using the cgroup with QEMU guests. At /etc/libvirt/qemu.conf, I have
> the following parameter:
>
> cgroup_controllers = [ "cpu" ]

Libvirt would like to use a lot more cgroup controllers than just the
cpu controller. If you leave the line in qemu.conf commented out,
libvirt will use all possible cgroup controllers, rather than limiting
you to just one.

>
> This controller is successfully mounted and libvirt is able to create
> subgroups for each VM, it's really great the cgroups support in libvirt.
> The problem is that I can only set the parameters of a given cgroup under
> the cpu controller if I'm logged in as root. I want another user to have
> that permission as well.

Unfortunately, that is not possible. Libvirt MUST manage its own
cgroups; you cannot go behind libvirt's back to change the cgroup
settings, or you will confuse libvirt.

What you should really be doing is figuring out what particular reason
you have for modifying the cgroups, and then determining which libvirt
API will let you modify the domain XML in such a way as to get that
cgroup attribute automatically changed. Since non-root users can
connect to libvirtd to use libvirt's API in order to affect the cgroup
settings, then you do not need anyone other than libvirtd to access the
particular cgroups created for VMs managed by libvirt.

> This configuration above does not seem to modify any of the administration
> permissions. Only the root can edit the parameters under libvirt.
> The cpu entry was added just to check whether this configuration was read
> by cgroups at all. The 'cpu.shares' does change in group libvirt.

In particular, changes to cpu.shares are done via the libvirt API
virDomainSetSchedulerParameters, using the parameter name "cpu_shares";
and are reflected into the domain XML under the XPath notation of
/domain/cputune/shares.

http://libvirt.org/formatdomain.html#elementsCPUTuning

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
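
Added example (not part of the original thread and not libvirt project code): the reply's suggestion carried out with the libvirt Python bindings, setting "cpu_shares" through libvirtd and reading the result back from /domain/cputune/shares rather than from the cgroup filesystem. The domain name "demo-vm", the sample XML and the helper names are assumptions made for illustration, as is the caller being authorized to connect to qemu:///system.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML, trimmed to the element the reply refers to.
SAMPLE_XML = """<domain type='kvm'>
  <name>demo-vm</name>
  <cputune>
    <shares>512</shares>
  </cputune>
</domain>"""


def shares_from_xml(domain_xml):
    """Return /domain/cputune/shares as an int, or None if it is not set."""
    node = ET.fromstring(domain_xml).find("./cputune/shares")
    if node is None or not (node.text or "").strip():
        return None
    return int(node.text)


def set_cpu_shares(dom, shares, flags):
    """Set cpu_shares through libvirtd; return the value the domain XML then shows.

    dom is a libvirt.virDomain; flags is a VIR_DOMAIN_AFFECT_* value.
    """
    if isinstance(shares, bool) or not isinstance(shares, int) or shares <= 0:
        raise ValueError("cpu_shares must be a positive integer")
    # Python binding for virDomainSetSchedulerParametersFlags.
    dom.setSchedulerParametersFlags({"cpu_shares": shares}, flags)
    # libvirt mirrors the change into the XML, so no cgroup file is read here.
    return shares_from_xml(dom.XMLDesc(0))


if __name__ == "__main__":
    import libvirt  # libvirt-python bindings, imported only for the live run

    # Assumptions: the unprivileged caller is authorized to connect to the
    # system libvirtd, and a running guest named "demo-vm" (hypothetical) exists.
    conn = libvirt.open("qemu:///system")
    try:
        dom = conn.lookupByName("demo-vm")
        print("before:", shares_from_xml(dom.XMLDesc(0)))
        print("after: ", set_cpu_shares(dom, 1024, libvirt.VIR_DOMAIN_AFFECT_LIVE))
    finally:
        conn.close()
```

With this approach the cgroup directories stay owned by root and libvirtd; access is granted per user at the libvirtd connection instead of through the perm block in cgconfig.conf.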