On 12/6/25 12:46, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/4/25 09:35, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
It only needs access to a small number of resources. Unfortunately, it needs access to /dev/vfio right now. This should be fixed by using file descriptor passing instead.
Furthermore, Cloud Hypervisor needs to be able to lock memory. Running in a user namespace prevents it from having CAP_IPC_LOCK. Therefore, it is necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- .../image/etc/udev/rules.d/99-spectrum.rules | 3 ++ host/rootfs/image/usr/bin/run-vmm | 33 +++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules index 337bbe47dbbc6f3828722d8244f2689a39f3090f..de0f682aa40f8481dc3c25a90c695e2326536316 100644 --- a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules +++ b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules @@ -3,3 +3,6 @@
# systemd-udevd unsets PATH, so fix that. ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/usr/bin/env PATH=/usr/bin /usr/libexec/net-add" + +# make /dev/kvm world-accessible +KERNEL=="kvm", MODE="0666" diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2941141486d33fd6 100755 --- a/host/rootfs/image/usr/bin/run-vmm +++ b/host/rootfs/image/usr/bin/run-vmm @@ -52,5 +52,36 @@ unexport ! fdmove -c 3 0 redirfd -r 0 /dev/null
+s6-softlimit -H -l 18446744073709551615
The s6-softlimit documentation says that hard limits should generally only be set once, at boot, and that's what we now do for PipeWire in img/app. Is the idea here that it would be undesirable to incraese the hard limit for all processes, so only do it for Cloud Hypervisor?
s6-softlimit -H also increases the soft limit. Allowing every process on the system to lock an unlimited amount of memory doesn't seem ideal. For interactive logins, soft limits will be set via PAM, but Spectrum doesn't use PAM yet. This keeps the change localized, rather than having to bump the hard limit everywhere and then undo the change elsewhere.
I wonder why the documentation says that, then. I suppose that's something I should take up with skarnet rather than you?
I think so. I suspect it's subjective but am not sure. -- Sincerely, Demi Marie Obenour (she/her/hers)