On Thu, Feb 05, 2026 at 12:52:33PM +0100, Martin Wilck wrote:
> On Wed, 2026-02-04 at 13:32 -0500, Stefan Hajnoczi wrote:
> > On Wed, Feb 04, 2026 at 02:19:48PM +0100, Martin Wilck wrote:
> > > Hi Stefan,
> > > 
> > > So the ioctls will pass through qemu into the kernel, to be intercepted
> > > by the dm-mpath driver, which will use an upcall to have them handled
> > > by mpathpersistd (for the actual command) and multipathd (for the path
> > > registrations).
> > > 
> > > I don't fully understand the advantage, security and complexity-wise,
> > > of this concept, compared to intercepting them in qemu and using a
> > > socket to talk to mpathpersistd directly. If we did this, we could even
> > > support both generic and SCSI PR commands.
> > 
> > Hi Martin,
> > The simplification and security benefits are on the application side,
> > not on the DM-Multipath side, so I can see what you're getting at. From
> > the DM-Multipath perspective things get a little more complex.
> > 
> > From an application perspective, a single API that works across block
> > device types (SCSI, NVMe, DM-Multipath) and requires no privileges or
> > sockets (they are a pain in container environments) is the most
> > convenient. The <linux/pr.h> ioctl API offers exactly this.
> 
> I may be missing something, but AFAICS the PR ioctls require having a
> block device open for writing, which does either require root
> privileges, or some file descriptor previously opened with privileges
> and forwarded to another, less privileged process. No?

While QEMU is run unprivileged, libvirt will grant QEMU access to any block
devices that have been configured for the guest in question. On Linux,
libvirt will create a new /dev tmpfs populated with the allow-list of
device nodes the guest is permitted to access, with suitable file
permissions, ownership & SELinux labels set.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|