Demi Marie Obenour writes: > It only needs access to a small number of resources. Unfortunately, it > needs access to /dev/vfio right now. This should be fixed by using file > descriptor passing instead. > > Furthermore, Cloud Hypervisor needs to be able to lock memory. Running > in a user namespace prevents it from having CAP_IPC_LOCK. Therefore, it > is necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor. > > Signed-off-by: Demi Marie Obenour > --- > .../image/etc/udev/rules.d/99-spectrum.rules | 3 ++ > host/rootfs/image/usr/bin/run-vmm | 33 +++++++++++++++++++++- > 2 files changed, 35 insertions(+), 1 deletion(-) > > diff --git a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules > index 337bbe47dbbc6f3828722d8244f2689a39f3090f..de0f682aa40f8481dc3c25a90c695e2326536316 100644 > --- a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules > +++ b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules > @@ -3,3 +3,6 @@ > > # systemd-udevd unsets PATH, so fix that. > ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/usr/bin/env PATH=/usr/bin /usr/libexec/net-add" > + > +# make /dev/kvm world-accessible > +KERNEL=="kvm", MODE="0666" > diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm > index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2941141486d33fd6 100755 > --- a/host/rootfs/image/usr/bin/run-vmm > +++ b/host/rootfs/image/usr/bin/run-vmm > @@ -52,5 +52,36 @@ unexport ! > fdmove -c 3 0 > redirfd -r 0 /dev/null > > +s6-softlimit -H -l 18446744073709551615 The s6-softlimit documentation says that hard limits should generally only be set once, at boot, and that's what we now do for PipeWire in img/app. Is the idea here that it would be undesirable to incraese the hard limit for all processes, so only do it for Cloud Hypervisor? > if { udevadm wait /dev/kvm } > -cloud-hypervisor --api-socket fd=3 > +bwrap > + --unshare-all > + --unshare-user > + --dev /dev > + --dev-bind /dev/kvm /dev/kvm > + --dev-bind /dev/vfio /dev/vfio > + --tmpfs /dev/shm > + --tmpfs /tmp > + --tmpfs /var/tmp > + --ro-bind /etc /etc > + --ro-bind /lib /lib > + --ro-bind /nix /nix > + --ro-bind /usr /usr > + --ro-bind /sys /sys > + --bind /run /run > + --proc /proc > + --ro-bind /proc/sys /proc/sys > + --tmpfs /proc/scsi > + --remount-ro /proc/scsi > + --tmpfs /proc/acpi > + --remount-ro /proc/acpi > + --tmpfs /proc/fs > + --remount-ro /proc/fs > + --tmpfs /proc/irq > + --remount-ro /proc/irq > + --ro-bind /dev/null /proc/timer_list > + --ro-bind /dev/null /proc/kcore > + --ro-bind /dev/null /proc/kallsyms > + --ro-bind /dev/null /proc/sysrq-trigger > + -- > + cloud-hypervisor --api-socket fd=3 > > -- > 2.52.0