Re: [libvirt] Fwd: libvirtd failing on MacOS in setgroups
On Mon, Sep 30, 2019 at 02:06:07PM +0200, Bruno Haible wrote:
Daniel P. Berrangé wrote:
> > > FWIW I compiled libvirt without the setgroups code on Mac and it
> > > worked as expected. Not sure what the implications of that are though?
> >
> > OK, then the fix would be to not use setgroups on Mac, and nothing to do
> > in gnulib. Right?
>
> Not calling setgroups means the QEMU process doesn't run with any of
> the supplementary groups associated with its user account, so this is
> not really a working solution. It re-introduces the bug that the
> setgroups call was added to fix.
For what purpose is libvirt or QEMU using setgroups()? What goes wrong if
setgroups() fails?
QEMU potentially needs access to files owned by a supplementary group.
On Linux for example, /dev/kvm is often owned by 'kvm' group, but the
'qemu' user on Fedora has 'qemu' group as its primary group. So QEMU
would be unable to open /dev/kvm without the setgroups call to set up
supplementary groups.
The problem is that the Darwin kernel does not support setting more
than
NGROUPS_MAX (= 16) groups. So
- What happens when you have a user account which is in more than 16
groups? What do other processes do in this sitation?
Samba appears to use initgroups on Darwin, while clamping to 16 groups
only:
https://github.com/samba-team/samba/blob/v4-11-stable/source3/smbd/sec_ct...
- Is using the first 16 groups and ignoring the extra ones an
acceptable
solution?
Certainly that's better than just ignoring groups entirely, as it will
work for many more cases, even if not perfect.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|