On 22.11.2016 13:53, Daniel P. Berrange wrote:
> On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
>> If you've ever tried running a huge page backed guest under
>> different user than root, you probably failed. Problem is even
>
> It works fine - this functionality has existed for years and apps
> like OpenStack use it and certainly never run QEMU as root.
> In qemuStateInitialize we create $MOUNT/libvirt/qemu and
> chown it to the qemu:qemu user/group pair.

Well, this works as long as all the huge page enabled guests are run
under the same user. For instance, if your user/group from qemu.conf
is root:root and you have one domain with qemu:qemu (configured via
domain XML) it won't start.

> That all said....
>
>> though we have corresponding APIs in the security drivers,
>> there's no implementation and thus we don't relabel the huge page
>> path. But even if we did, so far all of the domains share the
>> same path:
>>
>> /hugepageMount/libvirt/qemu
>>
>> Our only option there would be to set 0777 mode on the qemu dir
>> which is totally unsafe. Therefore, we can create dir on
>> per-domain basis, i.e.:
>>
>> /hugepageMount/libvirt/qemu/domainName
>>
>> and chown domainName dir to the user that domain is configured to
>> run under.
>
> ...I agree it is better to create a dir per QEMU, since that
> lets us run each QEMU as a distinct user or group ID.

Exactly.
Michal
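
The per-domain layout agreed on in this thread, sketched as an added example that is not part of the original messages and is not libvirt's code: one 0700 directory per domain, owned by the user that domain runs as, instead of a shared 0777 directory. The function name `hugepage_domain_dir`, the domain-name validation and the `/tmp` base (a constructed stand-in for `/hugepageMount/libvirt/qemu`) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create <base>/<domain>, owned by uid:gid, mode 0700.
 * Writes the path to out. Returns 0 on success, -1 with errno set on error. */
int hugepage_domain_dir(const char *base, const char *domain,
                        uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int fd, rc;
    /* The domain name becomes a path component: refuse anything that could
     * escape the base directory. */
    if (!*domain || strchr(domain, '/') ||
        !strcmp(domain, ".") || !strcmp(domain, "..")) {
        errno = EINVAL;
        return -1;
    }
    if ((size_t)snprintf(out, outlen, "%s/%s", base, domain) >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(out, 0700) < 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW | O_DIRECTORY: a symlink or file planted at this path fails here. */
    fd = open(out, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Operate on the fd so owner and mode land on the directory we opened;
     * mkdir's mode is filtered by umask, so set 0700 explicitly. */
    rc = (fchown(fd, uid, gid) < 0 || fchmod(fd, 0700) < 0) ? -1 : 0;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed base directory; a real caller would pass the hugetlbfs path. */
    char base[] = "/tmp/hugepages-demo-XXXXXX", path[4096];
    if (!mkdtemp(base) ||
        hugepage_domain_dir(base, "guest1", getuid(), getgid(), path, sizeof(path)) < 0) {
        perror("hugepage_domain_dir");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

Changing the owner to a user other than the caller requires privilege, which matches the case discussed above where the daemon creates the directory and hands it to the domain's configured user.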