I did some history on this as we had that in the past.
We had it for bug 1678322
But then in a discussion around upstreaming dropped it https://www.redhat.com/archives/libvir-list/2017-December/msg00714.html
What we missed back then is this:
A) system has hostdev in initial guest, virt-aa-helper adds /dev/vfio/vfio and all works
B) as A, but later one does hotplug with such a device - still works
C) the initial system has no hostdev, so virt-aa-helper adds no rule
But if on (C) later hotplug is done it will break as it will need to access /dev/vfio/vfio before it knows anything.
The actual per device rule is added to the guest which is all the isolation we want.
Now one could try to find the spot BEFORE the guest needs /dev/vfio/vfio and add it to the guest profile then. But I haven't found it, and until one can spend more time on this we need to bring the static rule back.
After all /dev/vfio/vfio is safe to be shared.
So I don't mind if someone codes up a long term dynamic vfio access, but for now add the line to un-break case (C).