Create a bhyve vm that uses pci-passthrough inside a jail.
Details
- Reviewers
- None
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Passed - Unit
No Test Coverage - Build Status
Buildable 34743 Build 31799: arc lint + arc unit
Event Timeline
I don't think this will go anywhere. There was an attempt to do this a while ago, with a new jail parameter allow.kmem (default not allowed) to not let it happen accidentally. Even with that, it fell flat - see commits r261266 and r261326. While I'm not against it myself, I don't wear a security hat, and I defer to those that do.
Now maybe bhyve in a jail will be considered more important than an X server in a jail, especially given that it was a listed release feature. But it'll definitely take some security buy-in first.
Thanks jamie,
Do we need to include a security dev in this revision or they will pick
this up for review eventually ?
So we could get some insight on how to make this change better.
Bests
It looks like you can just include "security" which will get the security team's attention. But first, I suggest you need to at least put in what r216266 had (the allow.kmem privilege).
I was wrong about bhyve in jails being mentioned in a release - I was thinking of the mention of Linux emulation in jails noted in the 12.2 release (something that already existed before but presumably is brought up to date and/or improved). Turns out is was in your own bug report that I read it. I imagine you'll want to make a case for bhyve inside a jail being worth what has already been turned down as a security problem.
Also, you may want to reach out to Alexander Leidinger <netchild@>, who fought this battle last time around.