virt-host-validate: fix detection with cgroups v2

Using virtCgroupNewSelf() is not correct with cgroups v2 because the
the virt-host-validate process is executed from from the same cgroup
context as the terminal and usually not all controllers are enabled
by default.

To do a proper check we need to use the root cgroup to see what
controllers are actually available. Libvirt or systemd ensures that
all controllers are available for VMs as well.

This still doesn't solve the devices controller with cgroups v2 where
there is no controller as it was replaced by eBPF. Currently libvirt
tries to query eBPF programs which usually works only for root as
regular users will get permission denied for that operation.

Fixes: https://gitlab.com/libvirt/libvirt/-/issues/94
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 1d98f01334666a888c0577852935c9c41adb2921..79a23f34cba2f7351c25724ddf43abf1f2ad6199 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1796,6 +1796,7 @@ virCgroupHasController;
 virCgroupHasEmptyTasks;
 virCgroupKillPainfully;
 virCgroupKillRecursive;
+virCgroupNew;
 virCgroupNewDetect;
 virCgroupNewDetectMachine;
 virCgroupNewDomainPartition;

diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index 78770f5d3bda1f811db2e2b76a351c1152eb0553..f7eed983ccea5c544dbb8caca4fceaa431d28c9b 100644 (file)
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -60,6 +60,10 @@ typedef enum {
 
 bool virCgroupAvailable(void);
 
+int virCgroupNew(const char *path,
+                 int controllers,
+                 virCgroupPtr *group);
+
 int virCgroupNewSelf(virCgroupPtr *group)
     ATTRIBUTE_NONNULL(1);
 

diff --git a/src/util/vircgrouppriv.h b/src/util/vircgrouppriv.h
index baa84550f4027f14060cd7d579befd7025583a88..85ba5393e02b828d52a3c5f93a80272da195126b 100644 (file)
--- a/src/util/vircgrouppriv.h
+++ b/src/util/vircgrouppriv.h
@@ -110,10 +110,6 @@ int virCgroupGetValueForBlkDev(const char *str,
                                const char *devPath,
                                char **value);
 
-int virCgroupNew(const char *path,
-                 int controllers,
-                 virCgroupPtr *group);
-
 int virCgroupNewPartition(const char *path,
                           bool create,
                           int controllers,

diff --git a/tools/virt-host-validate-common.c b/tools/virt-host-validate-common.c
index a10ac03293436e65d0831d94ecea9bdc1772d948..fc43b2ddc8da40e5bb9362781f15741d9304e34c 100644 (file)
--- a/tools/virt-host-validate-common.c
+++ b/tools/virt-host-validate-common.c
@@ -293,7 +293,7 @@ int virHostValidateCGroupControllers(const char *hvname,
     int ret = 0;
     size_t i;
 
-    if (virCgroupNewSelf(&group) < 0)
+    if (virCgroupNew("/", -1, &group) < 0)
         return -1;
 
     for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {