From: Lucas Meneghel Rodrigues <lmr@redhat.com>
To: Eduardo Otubo <otubo@linux.vnet.ibm.com>, qemu-devel@nongnu.org
Cc: pmoore@redhat.com, anthony@codemonkey.ws
Subject: Re: [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in
Date: Mon, 09 Dec 2013 17:11:16 -0200 [thread overview]
Message-ID: <52A615D4.2070208@redhat.com> (raw)
In-Reply-To: <1386609652-7876-1-git-send-email-otubo@linux.vnet.ibm.com>
On 12/09/2013 03:20 PM, Eduardo Otubo wrote:
> This option was requested by virt-test team so they can run tests with
> Qemu and "-sandbox on" set without breaking whole test if host doesn't
> have support for seccomp in kernel. It covers two possibilities:
>
> 1) Host kernel support does not support seccomp, but user installed Qemu
> package with sandbox support: Libseccomp will fail -> qemu will fail
> nicely and won't stop execution.
>
> 2) Host kernel has support but Qemu package wasn't built with sandbox
> feature. Qemu will fail nicely and won't stop execution.
It seems there was a misunderstanding of what we wanted here. The
problem we had there happened on a -sandbox bug on Fedora 19 that got
one of our team members confused, since qemu did not give any sort of
useful output that would allow him to identify the bug was related to
-sandbox (qemu was accessing a syscall outside of the whitelist on
Fedora 19).
He took a while until he figured out -sandbox was the problem, due to
the lack of any clues of what was going on. I was not affected due to
the fact I was already on Fedora 20 by that time.
I assume Eduardo thought that we somehow wanted qemu to just carry on
when seccomp requirements could not be fulfilled, but that was not our
point. What I thought I'd commented with hum was that some more useful
message could be printed to stderr, and perhaps make the qemu process to
exit with rc != 0 on such errors, instead of just going dead silently.
I still couldn't quite grasp why that could not be done, but if it
can't, so be it. No big deal.
Lucas
prev parent reply other threads:[~2013-12-09 19:11 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-09 17:20 [Qemu-devel] [PATCH] seccomp: "-sandbox on" won't kill Qemu when option not built in Eduardo Otubo
2013-12-09 17:33 ` Daniel P. Berrange
2013-12-09 17:51 ` Eduardo Otubo
2013-12-09 18:16 ` Paul Moore
2013-12-10 3:20 ` Corey Bryant
2013-12-10 18:48 ` Lucas Meneghel Rodrigues
2013-12-10 19:31 ` Paul Moore
2013-12-10 20:13 ` Lucas Meneghel Rodrigues
2013-12-10 19:35 ` Eduardo Otubo
2013-12-09 19:11 ` Lucas Meneghel Rodrigues [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52A615D4.2070208@redhat.com \
--to=lmr@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=otubo@linux.vnet.ibm.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).