Skip to content

CA-393417: Drop device controller of cgroup v1 and fix USB passthrough for XS9 #6572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 8, 2025
Merged

CA-393417: Drop device controller of cgroup v1 and fix USB passthrough for XS9 #6572

merged 3 commits into from
Jul 8, 2025

Conversation

@liulinC
Copy link
Collaborator

@liulinC liulinC commented Jul 4, 2025
edited
Loading

The approach work for both XS8 and XS9

  • 4357061 for xs9
  • 4357062 for xs8
Date:   Fri Jul 4 15:40:00 2025 +0800

    CA-393417: Bind mount /proc/<pid> into chroot
    
    From strace/gdb, XS9 qemu requires /proc/self/fd/<fd> to work well
    This is due to systemd/libudev update.
    
    Just bind mount /proc/self/ to the chroot to permit qemu access
    
    ```
    1047 openat(AT_FDCWD, "/proc/self/fd/46", O_RDONLY|O_NOCTTY|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory)
    1048 openat(AT_FDCWD, "/proc/", O_RDONLY|O_NOCTTY|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory)
    
        ../sysdeps/unix/sysv/linux/fstatfs64.c:30
        out>, dir_fd=<optimized out>) at ../src/basic/stat-util.c:566
        magic_value=1650812274) at ../src/basic/stat-util.c:369
        fd=<optimized out>) at ../src/basic/stat-util.h:66
        verify=<optimized out>) at
    ../src/libsystemd/sd-device/sd-device.c:221
        (ret=0x7ffc67ebba20, syspath=0x7ffc67ebb950
    "/sys/bus/usb/devices/usb1", strict=true)
        at ../src/libsystemd/sd-device/sd-device.c:271
        (syspath=0x7ffc67ebb950 "/sys/bus/usb/devices/usb1",
    ret=0x7ffc67ebba20)
        at ../src/libsystemd/sd-device/sd-device.c:280
    ```
    
    Signed-off-by: Lin Liu <[email protected]>

commit fc5f98b80badd2c9bb952b9a6ee7d7367bcb4f70
Author: Lin Liu <[email protected]>
Date:   Tue Jul 1 15:56:18 2025 +0800

    CA-393417: Drop device controller of cgroup v1
    
    For deprivileged qemu, following ops are performed
    - bind mount /dev/ to qemu chroot, so qemu can access it
    - cgroup controller deny all devices, except the target usb device
    
    However, new XS updated to cgroup v2 and the devices controller
    available anymore.
    
    Instead of bind mount all /dev folder, only the permitted usb
    devices are created into the chroot. Thus, the cgroup controller
    is no longer necessary.
    
    Besides, there are following updates accordingly
    - qemu pid is no longer necessary as command line args, as cgroup
    is dropped.
    - save and restore system /etc/ devices file ownership is no longer
    necessary. New file is cloned into chroot instead of bind mount system
    device file, so only need to set ownership of chroot file directly
    ```

liulinC added 2 commits July 2, 2025 10:58
@liulinC
CA-393417: Drop device controller of cgroup v1
fc5f98b 
For deprivileged qemu, following ops are performed
- bind mount /dev/ to qemu chroot, so qemu can access it
- cgroup controller deny all devices, except the target usb device

However, new XS updated to cgroup v2 and the devices controller
available anymore.

Instead of bind mount all /dev folder, only the permitted usb
devices are created into the chroot. Thus, the cgroup controller
is no longer necessary.

Besides, there are following updates accordingly
- qemu pid is no longer necessary as command line args, as cgroup
is dropped.
- save and restore system /etc/ devices file ownership is no longer
necessary. New file is cloned into chroot instead of bind mount system
device file, so only need to set ownership of chroot file directly

Signed-off-by: Lin Liu <[email protected]>
@liulinC
CA-393417: Bind mount /proc/<pid> into chroot
0fd510f 
From strace/gdb, XS9 qemu requires /proc/self/fd/<fd> to work well
This is due to systemd/libudev update.

Just bind mount /proc/self/ to the chroot to permit qemu access

```
1047 openat(AT_FDCWD, "/proc/self/fd/46", O_RDONLY|O_NOCTTY|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory)
1048 openat(AT_FDCWD, "/proc/", O_RDONLY|O_NOCTTY|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory)

    ../sysdeps/unix/sysv/linux/fstatfs64.c:30
    out>, dir_fd=<optimized out>) at ../src/basic/stat-util.c:566
    magic_value=1650812274) at ../src/basic/stat-util.c:369
    fd=<optimized out>) at ../src/basic/stat-util.h:66
    verify=<optimized out>) at
../src/libsystemd/sd-device/sd-device.c:221
    (ret=0x7ffc67ebba20, syspath=0x7ffc67ebb950
"/sys/bus/usb/devices/usb1", strict=true)
    at ../src/libsystemd/sd-device/sd-device.c:271
    (syspath=0x7ffc67ebb950 "/sys/bus/usb/devices/usb1",
ret=0x7ffc67ebba20)
    at ../src/libsystemd/sd-device/sd-device.c:280
```

Signed-off-by: Lin Liu <[email protected]>
psafont
psafont reviewed Jul 4, 2025
View reviewed changes
changlei-li
changlei-li approved these changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@changlei-li changlei-li left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems you need add a new blank line at the end of the file to pass CI.

@liulinC liulinC force-pushed the private/linl/usb branch from 569e69b to f3d0e5d Compare July 7, 2025 02:57
@liulinC
Copy link
Collaborator Author

liulinC commented Jul 7, 2025

Seems you need add a new blank line at the end of the file to pass CI.

The CI failed due to coverage rate 😞 , Fixed now.

@liulinC liulinC force-pushed the private/linl/usb branch from f3d0e5d to 1d8a256 Compare July 7, 2025 03:26
psafont
psafont reviewed Jul 7, 2025
View reviewed changes
@liulinC liulinC force-pushed the private/linl/usb branch 3 times, most recently from 7bf4565 to 9c45887 Compare July 7, 2025 09:50
psafont
psafont approved these changes Jul 7, 2025
View reviewed changes
Copy link
Member

@psafont psafont left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised all the dance around /dev was needed before, since the vastly simpler approach seems to work

@liulinC
Copy link
Collaborator Author

liulinC commented Jul 8, 2025
edited
Loading

I'm surprised all the dance around /dev was needed before, since the vastly simpler approach seems to work

Yes, this is because previously, whole /dev is mounted into chroot, and then control which device qemu process can access by cgroup(device controller), thus, it needs to

  • set/unset the devices qemu can access by cgroup
  • set/restore the mounted device owner.

Now we mount the target device (USB) into chroot only, thus we can drop above ops.

@liulinC liulinC force-pushed the private/linl/usb branch from 9c45887 to 5416081 Compare July 8, 2025 01:33
@liulinC liulinC enabled auto-merge July 8, 2025 01:34
@liulinC liulinC added this pull request to the merge queue Jul 8, 2025
@liulinC
CA-393417: Fix CI failure
bd3b75e 
- Add unitest for usb_reset for coverage
- Move mock to unittest.mock as python3 only now
- exit -> sys.exit

Signed-off-by: Lin Liu <[email protected]>
@liulinC liulinC force-pushed the private/linl/usb branch from 5416081 to bd3b75e Compare July 8, 2025 01:47
Merged via the queue into xapi-project:master with commit 5a4e109 Jul 8, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@psafont psafont psafont approved these changes

@changlei-li changlei-li changlei-li approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@liulinC @psafont @changlei-li