[PATCH 1/2] tools: start-vmm: output serial to VM directory
When we run the VMM as non-root, it shouldn't be able to create files directly under /run, so this needs to go somewhere else. Really this should probably be going through s6-log, but I think it makes sense to revisit that after we have persistent storage figured out, so that we can get lots out of RAM.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 release/checks/integration/networking.c | 2 +-
 release/checks/integration/portal.c | 2 +-
 tools/start-vmm/lib.rs | 2 +-
 tools/start-vmm/tests/vm_command-basic.rs | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/release/checks/integration/networking.c b/release/checks/integration/networking.c
index 078e31fc..c3d873f5 100644
--- a/release/checks/integration/networking.c
+++ b/release/checks/integration/networking.c
@@ -153,7 +153,7 @@ void test(struct config c)
 "s6-rc -bu change vmm-env && "
 "vm-import user /run/mnt/vms && "
 "vm-start \"$(basename \"$(readlink /run/vm/by-name/user.nc)\")\" && "
- "tail -Fc +0 /run/log/current /run/*.log &\n",
+ "tail -Fc +0 /run/log/current /run/vm/by-id/*/serial &\n",
 vm_console_writer(vm)) == EOF) {
 fputs("error writing to console\n", stderr);
 exit(EXIT_FAILURE);
diff --git a/release/checks/integration/portal.c b/release/checks/integration/portal.c
index 6ba5654a..9af225e5 100644
--- a/release/checks/integration/portal.c
+++ b/release/checks/integration/portal.c
@@ -17,7 +17,7 @@ void test(struct config c)
 "mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && "
 "s6-rc -bu change vmm-env && "
 "vm-import user /run/mnt/vms && "
- "(tail -Fc +0 /run/*.log &) && "
+ "(tail -Fc +0 /run/vm/by-id/*/serial &) && "
 "s6-svc -O /run/vm/by-name/user.portal/service && "
 "vm-start \"$(basename \"$(readlink /run/vm/by-name/user.portal)\")\" && "
 "s6-svwait -d /run/vm/by-name/user.portal/service\n",
diff --git a/tools/start-vmm/lib.rs b/tools/start-vmm/lib.rs
index dfbca8d8..a536f0f6 100644
--- a/tools/start-vmm/lib.rs
+++ b/tools/start-vmm/lib.rs
@@ -160,7 +160,7 @@ pub fn vm_config(vm_dir: &Path) -> Result<VmConfig, String> {
 },
 serial: ConsoleConfig {
 mode: "File",
- file: Some(format!("/run/{vm_name}.log")),
+ file: Some(format!("/run/vm/by-id/{vm_name}/serial")),
 },
 vsock: VsockConfig {
 cid: 3,
diff --git a/tools/start-vmm/tests/vm_command-basic.rs b/tools/start-vmm/tests/vm_command-basic.rs
index 95c43f86..2e9ad0c7 100644
--- a/tools/start-vmm/tests/vm_command-basic.rs
+++ b/tools/start-vmm/tests/vm_command-basic.rs
@@ -40,7 +40,7 @@ fn main() -> std::io::Result<()> {
 assert_eq!(config.memory.size, 0x40000000);
 assert!(config.memory.shared);
 assert_eq!(config.serial.mode, "File");
- assert_eq!(config.serial.file.unwrap(), "/run/testvm.log");
+ assert_eq!(config.serial.file.unwrap(), "/run/vm/by-id/testvm/serial");
 assert_eq!(config.vsock.cid, 3);
 assert_eq!(config.vsock.socket, "/run/vsock/testvm/vsock");
base-commit: 227a3ea149281b6dddb0c1ba70008fffb7404c1f
--
2.51.0
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/Makefile | 1 +
 .../etc/s6-linux-init/run-image/etc/group | 1 +
 .../template/data/service/spectrum-router/run | 3 ++
 .../template/data/service/vhost-user-fs/run | 3 ++
 .../template/data/service/vhost-user-gpu/run | 2 ++
 .../xdg-desktop-portal-spectrum-host/run | 2 +-
 host/rootfs/image/usr/bin/assign-devices | 29 +++++++++++++++++--
 host/rootfs/image/usr/bin/run-appimage | 3 ++
 host/rootfs/image/usr/bin/run-flatpak | 3 ++
 host/rootfs/image/usr/bin/run-vmm | 4 +++
 host/rootfs/image/usr/bin/vm-import | 3 ++
 11 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 00036ccd..4ee145d5 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -35,6 +35,7 @@ DIRS = \
 etc/s6-linux-init/run-image/user \
 etc/s6-linux-init/run-image/vm/by-id \
 etc/s6-linux-init/run-image/vm/by-name \
+ etc/s6-linux-init/run-image/vsock \
 home \
 media \
 proc \
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index 86243847..48c576da 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -15,4 +15,5 @@ tape:x:13:
 kvm:x:14:
 wayland:x:15:wayland
 router:x:16:router
+vmm:x:17:
 fs:x:1000:
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
index 2c6626e3..73959602 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
@@ -13,6 +13,9 @@ fdmove -c 4 0
 redirfd -r 0 /dev/null
+if { chown -- vmm-${VM} /run/vm/by-id/${VM}/router-driver.sock }
+if { chgrp -- vmm /run/router/${VM} }
+
 # Notify readiness.
 if { fdmove -c 5 1
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index aa2b8cc1..b6bbc2d6 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -4,6 +4,9 @@ s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock
+importas -i VM VM
+if { chown vmm-${VM} env/virtiofsd.sock }
+
 if { fdmove 1 3 echo }
 fdmove -c 3 0
 redirfd -r 0 /dev/null
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 1341691b..b1f9bac0 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -10,6 +10,8 @@ multisubstitute {
 importas -Si WAYLAND_DISPLAY
 }
+if { chown vmm-${VM} env/crosvm.sock }
+
 s6-envuidgid gpu-${VM}
 s6-applyuidgid -UzG 15 # wayland
 s6-ipcserverd -1c 1
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
index 42c29b3b..caa1ee7a 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
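Review bot: `if { chgrp -- vmm /run/router/${VM} }` grants this VM's router directory to the shared `vmm` group rather than to the VM's own VMM user, while every `vmm-${id}` created by the new `useradd ... -G tty,vmm` lines in run-appimage, run-flatpak and vm-import is a member of that group, so depending on the directory's group permission bits any VM's VMM could reach another VM's `/run/router/${VM}`. Because those `useradd -U` calls give each `vmm-${id}` a private group of the same name, `if { chgrp -- vmm-${VM} /run/router/${VM} }` would keep the grant per-VM, unless some other member of group `vmm` also needs this directory; the `chown -- vmm-${VM}` on the preceding added line is already per-user. Separately, this file uses `chown --` / `chgrp --` while the vhost-user-fs and vhost-user-gpu hunks call bare `chown vmm-${VM} ...`; the `--` form is the safer habit and worth applying consistently.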
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
@@ -6,8 +6,8 @@ importas -i VM VM
 export DBUS_SESSION_BUS_ADDRESS unix:path=/run/portal-bus/${VM}
-if { mkdir -p /run/vsock/${VM} }
 s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
+if { chown -- vmm-${VM}: /run/vsock/${VM}/vsock_219 }
 # Notify readiness.
 if { fdmove 1 3 echo }
diff --git a/host/rootfs/image/usr/bin/assign-devices b/host/rootfs/image/usr/bin/assign-devices
index 58dd3cc0..3dae3b35 100755
--- a/host/rootfs/image/usr/bin/assign-devices
+++ b/host/rootfs/image/usr/bin/assign-devices
@@ -2,12 +2,37 @@
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+backtick id {
+ backtick -E path { readlink -- /run/vm/by-name/sys.netvm }
+ basename -- $path
+}
+
 elglob -0 devices /sys/bus/pci/drivers/vfio-pci/????:??:??.?
-forx -pE device { $devices }
+forx -p device { $devices }
+
+if {
+ backtick iommu_group {
+ backtick -E iommu_group_path {
+ importas -Siu device
+ readlink -- ${device}/iommu_group
+ }
+ basename -- $iommu_group_path
+ }
+ multisubstitute {
+ importas -Siu id
+ importas -Siu iommu_group
+ }
+ chown -- vmm-${id} /dev/vfio/${iommu_group}
+}
+
+multisubstitute {
+ importas -Siu id
+ importas -Siu device
+}
 # This script is designed to be re-entrant and called multiple times.
 # This means we expect to sometimes get an error due to the device
 # already having been added. If there's a different error,
 # cloud-hypervisor will probably log it itself anyway.
 redirfd -w 2 /dev/null
-ch-remote --api-socket /run/vm/by-name/sys.netvm/vmm add-device path=${device}
+ch-remote --api-socket /run/vm/by-id/${id}/vmm add-device path=${device}
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index b9464f8b..a36d2c17 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
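Review bot: `backtick id { ... readlink -- /run/vm/by-name/sys.netvm ... }` and the inner `backtick iommu_group { ... }` in assign-devices are used without `-i`, so when the `sys.netvm` symlink or a device's `iommu_group` link is missing (the script is documented as re-entrant and called multiple times) the outcome depends on backtick's default handling of a failed child rather than on an explicit abort; `backtick -i id {` and `backtick -i iommu_group {` make the script stop before `chown -- vmm-${id} /dev/vfio/${iommu_group}` and the `ch-remote` call run with a possibly empty or partial value. The new `if { ... chown ... }` block is also where this script now delegates a privilege: owning `/dev/vfio/${iommu_group}` is what lets the unprivileged netvm VMM open that IOMMU group for passthrough, and a one-line comment above the block saying so would help the next reader. Resolving `id` once before `forx -p` rather than per iteration is the right place for it.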
@@ -11,7 +11,10 @@ if {
 importas -Siu id
 if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+ if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
 if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+ if { mkdir /run/vsock/${id} }
+ if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 if { install -do fs /run/configs/${id}/fs }
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index 2d3e7ea0..be715538 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -11,7 +11,10 @@ if {
 importas -Siu id
 if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+ if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
 if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+ if { mkdir /run/vsock/${id} }
+ if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 if { install -do fs /run/configs/${id}/fs }
diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm
index 7c2b9af5..a07a1271 100755
--- a/host/rootfs/image/usr/bin/run-vmm
+++ b/host/rootfs/image/usr/bin/run-vmm
@@ -54,6 +54,9 @@ redirfd -r 0 /dev/null
 s6-softlimit -H -l 18446744073709551615
 if { udevadm wait /dev/kvm }
+
+s6-envuidgid vmm-${1}
+s6-applyuidgid -Uz
 bwrap
 --unshare-all
 --unshare-user
@@ -84,4 +87,5 @@ bwrap
 --ro-bind /dev/null /proc/kallsyms
 --ro-bind /dev/null /proc/sysrq-trigger
 --
+
 cloud-hypervisor --api-socket fd=3
diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import
index 014eab87..22cfa376 100755
--- a/host/rootfs/image/usr/bin/vm-import
+++ b/host/rootfs/image/usr/bin/vm-import
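Review bot: `if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }` makes the unprivileged per-VM VMM user the owner of the whole VM directory, not only of the `serial` file and sockets it needs to create there, and the owner of a directory can unlink or replace any entry in it, including a `config` symlink such as the one vm-import creates with `ln -s -- ${2}/${name} /run/vm/by-id/${id}/config`. If start-vmm or any other component resolves that symlink with more privilege than the VMM itself, a compromised VMM could repoint it before its next start, so it may be tighter to leave `/run/vm/by-id/${id}` root-owned and pre-create and `chown` only the entries the VMM writes (or a vmm-owned subdirectory), provided cloud-hypervisor's `File` serial mode accepts an existing empty file. The same two added lines appear in the run-flatpak hunk below and in vm-import. The `-G tty,vmm` on the new `useradd` line is not explained anywhere in the hunk; a short comment above it stating why the VMM needs `tty` membership and what the shared `vmm` group is for would help. The enclosing `if {` block closes outside the hunk.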
@@ -12,7 +12,10 @@ backtick -E id { basename -- $dir }
 if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
 if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+if { mkdir /run/vsock/${id} }
+if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 if { ln -s -- /run/vm/by-id/${id} /run/vm/by-name/${1}.${name} }
 if { ln -s -- ${2}/${name} /run/vm/by-id/${id}/config }
--
2.51.0
This patch has been committed as 6138e44a6f530a8c98e8609518f39a60c58f9716, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=6138e44a6f530a8c98e8609518f3.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This patch has been committed as b75b13d8a97b39640e9b241705b095c2c03ff67c, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=b75b13d8a97b39640e9b241705b0.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>