git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
virt-host-validate: Suggest different resolution for 'devices' and non-root user
author Michal Privoznik <mprivozn@redhat.com>
Thu, 23 Apr 2026 13:49:43 +0000 (15:49 +0200)
committer Michal Privoznik <mprivozn@redhat.com>
Mon, 4 May 2026 07:05:34 +0000 (09:05 +0200)
Here's the deal: the 'devices' controller as such does not exist
in CGroupsV2. The alternative is to load an eBPF program that mimics
the controller's behavior from CGroupsV1. But, only a privileged
user can load such a program. This means that virt-host-validate
(when run as a regular user) claims 'devices' controller missing
(rightfully so), and suggests enabling it in Kconfig. This last
bit might be misleading to users [1].

Now, to fix this ideally, all three conditions should be checked
(CGroupsV2, 'devices' controller and regular user), but our
virCgroup module deliberately hides the version of CGroups. So
check for the other two conditions.

1: https://lists.libvirt.org/archives/list/users@lists.libvirt.org/thread/USDFFRJK74GYHRGMXOE2FSAA4PQD23RE/
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <pavel@hrdina.info>
tools/virt-host-validate-common.c

index 6bca661ffc477ba0130c6db3b4788644bc2b64a0..a0373b03ce167f2b112bdd1901b0160e68069280 100644 (file)
@@ -218,9 +218,17 @@ int virHostValidateCGroupControllers(const char *hvname,
 
         if (!virCgroupHasController(group, i)) {
             ret = VIR_VALIDATE_FAILURE(level);
-            virValidateFail(level, "Enable '%s' in kernel Kconfig file or "
-                            "mount/enable cgroup controller in your system",
-                            cg_name);
+
+            /* Ideally we would also verify that @group is CGroupsV2, but
+             * our internal APIs hide that fact away, intentionally.  */
+            if (i == VIR_CGROUP_CONTROLLER_DEVICES && geteuid() != 0) {
+                virValidateFail(level, "Controller '%s' not available for unprivileged users",
+                                cg_name);
+            } else {
+                virValidateFail(level, "Enable '%s' in kernel Kconfig file or "
+                                "mount/enable cgroup controller in your system",
+                                cg_name);
+            }
         } else {
             virValidatePass();
         }
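Review bot: In the new `i == VIR_CGROUP_CONTROLLER_DEVICES && geteuid() != 0` branch the CGroups version is not checked, so a non-root run on a host where 'devices' is genuinely missing (the case the old Kconfig/mount hint covered) now only reports "not available for unprivileged users" and the actionable hint is lost. Since the version cannot be queried here, consider wording the message so it covers both cases, for example by telling the user to re-run as root to get a definitive result. That would also give the message an actual resolution, which the subject line promises but the current text does not state. The in-code comment could spell out that this ambiguity is the consequence of skipping the version check.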