Re: [libvirt] [PATCH 2/4] virt-host-validate: distinguish exists vs accessible for devices
On Thu, Oct 08, 2015 at 05:06:29PM -0400, Laine Stump wrote:
On 10/07/2015 12:50 PM, Daniel P. Berrange wrote:
>Currently we just check that various devices are accessible.
>This leads to inaccurate errors reported for /dev/kvm and
>/dev/vhost-net if they exist but an unprivileged user lacks
>access. Switch existing checks to look for file existance,
>and add a separate check for accessibility of /dev/kvm
>since some distros don't grant users access by default.
One problem with this is that the people with those distros probably won't
be running virt-host-validate under the same uid as used by libvirt when
running qemu, so the results won't necessarily tell you what you need - if
you run it as root it will say that /dev/kvm is accessible, even though it
may not be for the case of the "qemu user", and if you run it as some
unprivileged user, if may say that /dev/kvm *isn't* accessible, even though
it is in the case of the qemu user.
Yep, this is not an exact science. Generally I was working on the assumption
that virt-host-validate be run as the same user as libvirtd itself runs as.
eg if you run it unprivileged, then its results should refect what an instance
of qemu:///session is able todo. If you run it as root, then it should check
what qemu:///system can do. Of course in some cases that would not work as
we'd be checking for root, rather than qemu. We could parse the qemu.conf
to find the user we should use as root, but I figure that can be a later
enhancement.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|