On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
If you've ever tried running a huge page backed guest under different user than root, you probably failed. Problem is even
It works fine - this functionality has existed for years and apps like OpenStack use it and certainly never run QEMU as root. In qemuStateInitialize we create $MOUNT/libvirt/qemu and chown it to the qemu:qemu user/group pair. That all said....
though we have corresponding APIs in the security drivers, there's no implementation and thus we don't relabel the huge page path. But even if we did, so far all of the domains share the same path:
/hugepageMount/libvirt/qemu
Our only option there would be to set 0777 mode on the qemu dir which is totally unsafe. Therefore, we can create dir on per-domain basis, i.e.:
/hugepageMount/libvirt/qemu/domainName
and chown domainName dir to the user that domain is configured to run under.
...I agree it is better to create a dir per QEMU, since that lets us run each QEMU as a distinct user or group ID. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|