libxl: do not enable nested HVM unless global nested_hvm option enabled

Introduce global libxl option for enabling nested HVM feature, similar
to kvm module parameter. This will prevent enabling experimental feature
by mere presence of <cpu mode='host-passthrough'> element in domain
config, unless explicitly enabled. <cpu mode='host-passthrough'> element
may be used to configure other features, like NUMA, or CPUID.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>

diff --git a/src/libxl/libvirtd_libxl.aug b/src/libxl/libvirtd_libxl.aug
index b31cc078d05f709ebe366f10ebc8117d3cf19596..58b9af3707d4bb68e7d20877eaa2057809f9f560 100644 (file)
--- a/src/libxl/libvirtd_libxl.aug
+++ b/src/libxl/libvirtd_libxl.aug
@@ -28,12 +28,14 @@ module Libvirtd_libxl =
    let lock_entry = str_entry "lock_manager"
    let keepalive_interval_entry = int_entry "keepalive_interval"
    let keepalive_count_entry = int_entry "keepalive_count"
+   let nested_hvm_entry = bool_entry "nested_hvm"
 
    (* Each entry in the config is one of the following ... *)
    let entry = autoballoon_entry
              | lock_entry
              | keepalive_interval_entry
              | keepalive_count_entry
+             | nested_hvm_entry
 
    let comment = [ label "#comment" . del /#[ \t]*/ "# " .  store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
    let empty = [ label "#empty" . eol ]

diff --git a/src/libxl/libxl.conf b/src/libxl/libxl.conf
index 264af7cf9e193e7db50f48a2b39cadf9fbd98f15..72825a71c5ef7db0db5c03b1e9c563f7b38bd9bd 100644 (file)
--- a/src/libxl/libxl.conf
+++ b/src/libxl/libxl.conf
@@ -41,3 +41,11 @@
 #
 #keepalive_interval = 5
 #keepalive_count = 5
+
+# Nested HVM default control. In order to use nested HVM feature, this option
+# needs to be enabled, in addition to specifying <cpu mode='host-passthrough'>
+# in domain configuration. This can be overridden in domain configuration by
+# explicitly setting <feature policy='require' name='vmx'/> inside <cpu/>
+# element.
+# By default it is disabled.
+#nested_hvm = 0

diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index 2053ed332754ac1f7f801b83a44ca734e956407f..9ea37595a5c681f6243993272886bbb8055f0aaa 100644 (file)
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -395,10 +395,12 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
             bool hasHwVirt = false;
             bool svm = false, vmx = false;
 
+            /* enable nested HVM only if global nested_hvm option enable it and
+             * host support it*/
             if (ARCH_IS_X86(def->os.arch)) {
                 vmx = virCPUCheckFeature(caps->host.arch, caps->host.cpu, "vmx");
                 svm = virCPUCheckFeature(caps->host.arch, caps->host.cpu, "svm");
-                hasHwVirt = vmx | svm;
+                hasHwVirt = cfg->nested_hvm && (vmx | svm);
             }
 
             if (def->cpu->nfeatures) {
@@ -415,6 +417,11 @@ libxlMakeDomBuildInfo(virDomainDefPtr def,
 
                         case VIR_CPU_FEATURE_FORCE:
                         case VIR_CPU_FEATURE_REQUIRE:
+                            if ((vmx && STREQ(def->cpu->features[i].name, "vmx")) ||
+                                (svm && STREQ(def->cpu->features[i].name, "svm")))
+                                hasHwVirt = true;
+                            break;
+
                         case VIR_CPU_FEATURE_OPTIONAL:
                         case VIR_CPU_FEATURE_LAST:
                             break;
@@ -1758,6 +1765,9 @@ int libxlDriverConfigLoadFile(libxlDriverConfigPtr cfg,
     if (virConfGetValueUInt(conf, "keepalive_count", &cfg->keepAliveCount) < 0)
         goto cleanup;
 
+    if (virConfGetValueBool(conf, "nested_hvm", &cfg->nested_hvm) < 0)
+        goto cleanup;
+
     ret = 0;
 
  cleanup:

diff --git a/src/libxl/libxl_conf.h b/src/libxl/libxl_conf.h
index 633ebf5467fd6c492fa2308589bbef66bd1c59da..61f586f04856a07ecb9aaeda9b71ba0f06601197 100644 (file)
--- a/src/libxl/libxl_conf.h
+++ b/src/libxl/libxl_conf.h
@@ -88,6 +88,8 @@ struct _libxlDriverConfig {
     int keepAliveInterval;
     unsigned int keepAliveCount;
 
+    bool nested_hvm;
+
     /* Once created, caps are immutable */
     virCapsPtr caps;
 

diff --git a/src/libxl/test_libvirtd_libxl.aug.in b/src/libxl/test_libvirtd_libxl.aug.in
index 63558e508fe4574618be90c99beb7fc3770cba81..372a43f94ab5c5b9685d912a82d25fae1fea997a 100644 (file)
--- a/src/libxl/test_libvirtd_libxl.aug.in
+++ b/src/libxl/test_libvirtd_libxl.aug.in
@@ -6,3 +6,4 @@ module Test_libvirtd_libxl =
 { "lock_manager" = "lockd" }
 { "keepalive_interval" = "5" }
 { "keepalive_count" = "5" }
+{ "nested_hvm" = "0" }

diff --git a/tests/libxlxml2domconfigtest.c b/tests/libxlxml2domconfigtest.c
index 9d280e97d4f4ee0920aed64d27bfb54b03de3350..2210d58427f95e3d42715c4446716e45fe6918f7 100644 (file)
--- a/tests/libxlxml2domconfigtest.c
+++ b/tests/libxlxml2domconfigtest.c
@@ -76,6 +76,9 @@ testCompareXMLToDomConfig(const char *xmlfile,
     if (!(log = (xentoollog_logger *)xtl_createlogger_stdiostream(stderr, XTL_DEBUG, 0)))
         goto cleanup;
 
+    /* for testing nested HVM */
+    cfg->nested_hvm = true;
+
     /* replace logger with stderr one */
     libxl_ctx_free(cfg->ctx);