On 12/09/2013 03:20 PM, Eduardo Otubo wrote:
This option was requested by virt-test team so they can run tests with Qemu and "-sandbox on" set without breaking whole test if host doesn't have support for seccomp in kernel. It covers two possibilities:1) Host kernel support does not support seccomp, but user installed Qemu package with sandbox support: Libseccomp will fail -> qemu will fail nicely and won't stop execution. 2) Host kernel has support but Qemu package wasn't built with sandbox feature. Qemu will fail nicely and won't stop execution.
It seems there was a misunderstanding of what we wanted here. The problem we had there happened on a -sandbox bug on Fedora 19 that got one of our team members confused, since qemu did not give any sort of useful output that would allow him to identify the bug was related to -sandbox (qemu was accessing a syscall outside of the whitelist on Fedora 19).
He took a while until he figured out -sandbox was the problem, due to the lack of any clues of what was going on. I was not affected due to the fact I was already on Fedora 20 by that time.
I assume Eduardo thought that we somehow wanted qemu to just carry on when seccomp requirements could not be fulfilled, but that was not our point. What I thought I'd commented with hum was that some more useful message could be printed to stderr, and perhaps make the qemu process to exit with rc != 0 on such errors, instead of just going dead silently.
I still couldn't quite grasp why that could not be done, but if it can't, so be it. No big deal.
Lucas
