+++ This bug was initially created as a clone of Bug #1802592 +++

This is a libvirt counterpart to consume QEMU's work.

+++ This bug was initially created as a clone of Bug #1790899 +++

Description of problem:
We have a customer that is using Windows guests with libvirt (CNV) with virtio drivers loaded on the guest. Non-admin users are seeing the options to 'safely remove ...' the NIC, disks, etc. They'd like this functionality disabled.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install a Windows 10 guest with virtio drivers
2. Login as a non-admin user
3. Select 'Eject SAS Controller' from taskbar

Actual results:
Controller is removed

Expected results:
There should be an option to prevent non-admin users from such tasks.

Additional info:
1. Microsoft indicate that this has to be done in the driver, as opposed to registry changes to prevent it
2. In VMWare there is an option, devices.hotplug = “false”, that currently works for the customer

--- Additional comment from Michal Privoznik on 2020-02-13 14:33:28 CET ---

There was some upstream discussion:
https://www.redhat.com/archives/libvir-list/2020-February/msg00110.html

--- Additional comment from Fabian Deutsch on 2020-03-04 12:21:36 CET ---

The customer request is ultimately a boolean per guest.
Thus
P1: boolean per domain
P2: boolean per device if P1 is not possible, as this option would still allow us to implement the per-VM-boolean on the mgmt layer

--- Additional comment from Laine Stump on 2020-03-10 16:49:13 CET ---

I now have patches that add a hotplug='off' attribute to a pcie-root-port's XML, e.g.:

    <controller type='pci' model='pcie-root-port'>
      <target hotplug='off'/>
    </controller>

I've tested this with a qemu build that has Julia's patch described in Bug 1790899 (upstream commit 530a0963184e57e71a5b538e9161f115df533e96), and it has the desired effect - when all the pcie-root-ports have hotplug='off', a Windows guest will no longer show the option to "safely eject" all the PCI devices.

I haven't posted the patches yet because right now libvirt itself will still attempt to plug/unplug a device into controllers that have hotplug='off', and just rely on QEMU to fail, but libvirt itself should be prohibiting this. As soon as I've added a patch for that to the series, I will post it upstream.

Note that this new attribute is a necessary building block for the new API/library Daniel mentions in Comment 7, and it can also be used on its own in the short term.
--- Additional comment from Laine Stump on 2020-04-07 17:44:53 CEST ---

patches posted upstream:
https://www.redhat.com/archives/libvir-list/2020-April/msg00254.html

--- Additional comment from Laine Stump on 2020-04-13 22:35:56 CEST ---

pushed upstream, will be in libvirt-6.3.0:

commit cbd4ab4cc6945e610b0a3061fcf3517755d65dcf
Author: Laine Stump <laine>
Date:   Thu Feb 27 15:22:59 2020 -0500

    qemu: new capabilities flag pcie-root-port.hotplug

commit 78f4d5e6f188a9f0f8d6da6b1fe78b9f4172d9ad
Author: Laine Stump <laine>
Date:   Tue Mar 3 12:23:52 2020 -0500

    conf: new attribute "hotplug" for pci controllers

commit 2d3cf60328c138f7a8fd5905eb345d5f48227ff8
Author: Laine Stump <laine>
Date:   Tue Mar 3 22:22:14 2020 -0500

    qemu: hook up pcie-root-port hotplug='off' option

commit 389811d517c270c4f916fce4b3d64f90331244d7
Author: Laine Stump <laine>
Date:   Thu Mar 5 15:17:41 2020 -0500

    docs: mention hotplug='off' in news.xml

commit c296a846ad7de3066a17404f4f407d3e1b6d7935
Author: Laine Stump <laine>
Date:   Sun Mar 22 22:32:49 2020 -0400

    conf: add new PCI_CONNECT flag AUTOASSIGN

commit 7c98f5e3652e19e4eb015d290c1eed2f1b58ee72
Author: Laine Stump <laine>
Date:   Sun Apr 5 17:16:55 2020 -0400

    conf/qemu: s/VIR_PCI_CONNECT_HOTPLUGGABLE/VIR_PCI_CONNECT_AUTOASSIGN/g

commit fcdf87d3ef14de9dfb0acaf4b4445e1580dfc629
Author: Laine Stump <laine>
Date:   Sun Apr 5 18:01:43 2020 -0400

    conf: simplify logic when checking for AUTOASSIGN PCI addresses

commit aa15e9259f1f246e69fb9742581ced720c88695d
Author: Laine Stump <laine>
Date:   Sun Apr 5 22:40:37 2020 -0400

    qemu/conf: set HOTPLUGGABLE connect flag during PCI address set init

commit a283189f8c64882681ea99259ccfc8d1b8e524dd
Author: Laine Stump <laine>
Date:   Sun Apr 5 22:57:43 2020 -0400

    conf: check HOTPLUGGABLE connect flag when validating a PCI address

commit 7118bdee1550b6022e7362402ca8204add4cf80b
Author: Laine Stump <laine>
Date:   Sun Apr 5 23:44:16 2020 -0400

    conf: during PCI hotplug, require that the controller support hotplug
Can you please point us to public documentation of how to use this feature?
Sorry - since there was no needinfo set for the question in Comment 3, I didn't see it until I was randomly cleaning up messages in my mail client's "generic bugzilla comment" folder just now.

We've discussed it elsewhere already, but just for completeness - there isn't much to document. There is a paragraph in libvirt's domain XML documentation under https://libvirt.org/formatdomain.html#elementsControllers - search for "hotplug" and it will describe the attribute that needs to be added to the pcie-root-port controller for each device in the guest.

The way to make sure all devices are not hotpluggable is to pre-populate the config with at least as many pcie-root-ports as there are pcie devices, each with <target hotplug='off'/>. So, for example to make sure you could have up to 20 devices that couldn't be unplugged, you would add 20 copies of this device to the <devices> section of the initial XML:

    <controller type='pci' model='pcie-root-port'>
      <target hotplug='off'/>
    </controller>

Note that you can still have one or more empty root-ports that *do* allow future hotplugging of a device, by just adding one or more:

    <controller type='pci' model='pcie-root-port'/>

to the config *after* the controllers that have hotplug='off' - the initial devices will all be assigned to the lower-numbered controllers that have hotplug disabled, while any attempt to hotplug a new device after boot will skip any unused non-hotplug controllers, and use the ones that have hotplug enabled (which is the default).
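
An added example, not part of the original comment and not libvirt code: a Python check over "virsh dumpxml" output that reports which pcie-root-port controllers still allow hotplug and which guest devices are attached to them. The sample XML is constructed and the function names are hypothetical; it assumes libvirt has already filled in controller indexes and PCI addresses, and relies on a PCI address's bus number being the index of the controller the device is plugged into.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bug report): root ports 1 and 2 have
# hotplug disabled, root port 3 is left at the default (hotplug enabled).
SAMPLE_XML = """
<domain type='kvm'>
  <devices>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='pci' index='1' model='pcie-root-port'><target hotplug='off'/></controller>
    <controller type='pci' index='2' model='pcie-root-port'><target hotplug='off'/></controller>
    <controller type='pci' index='3' model='pcie-root-port'/>
    <interface type='network'>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <controller type='scsi' index='0' model='virtio-scsi'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <disk type='file' device='disk'>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </disk>
  </devices>
</domain>
"""

def root_port_hotplug(domain_xml):
    """Map pcie-root-port controller index -> True if hotplug is allowed."""
    ports = {}
    root = ET.fromstring(domain_xml)
    for ctrl in root.findall("./devices/controller[@type='pci']"):
        if ctrl.get("model") != "pcie-root-port" or ctrl.get("index") is None:
            continue
        target = ctrl.find("target")
        # A missing <target> or missing attribute means the default: hotplug on.
        setting = target.get("hotplug", "on") if target is not None else "on"
        ports[int(ctrl.get("index"))] = setting != "off"
    return ports

def ejectable_devices(domain_xml):
    """List (element tag, bus) for devices on root ports that allow hotplug."""
    ports = root_port_hotplug(domain_xml)
    found = []
    for dev in ET.fromstring(domain_xml).find("devices"):
        addr = dev.find("address[@type='pci']")
        # PCI controllers are the topology itself, not guest-visible endpoints.
        if addr is None or (dev.tag == "controller" and dev.get("type") == "pci"):
            continue
        bus = int(addr.get("bus"), 0)
        if ports.get(bus):
            found.append((dev.tag, bus))
    return found
```

An empty result from ejectable_devices() means every addressed device sits on a root port with hotplug='off'; any port left True in root_port_hotplug() is one that still accepts hotplug after boot.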
This feature is now tracked in https://issues.redhat.com/browse/CNV-4325