Re: [libvirt] [PATCH 1/2] qemu: Create hugepage path on per domain basis
On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
If you've ever tried running a huge page backed guest under
different user than root, you probably failed. Problem is even
It works fine - this functionality has existed for years and apps
like OpenStack use it and certainly never run QEMU as root.
In qemuStateInitialize we create $MOUNT/libvirt/qemu and
chown it to the qemu:qemu user/group pair.
That all said....
though we have corresponding APIs in the security drivers,
there's no implementation and thus we don't relabel the huge page
path. But even if we did, so far all of the domains share the
same path:
/hugepageMount/libvirt/qemu
Our only option there would be to set 0777 mode on the qemu dir
which is totally unsafe. Therefore, we can create dir on
per-domain basis, i.e.:
/hugepageMount/libvirt/qemu/domainName
and chown domainName dir to the user that domain is configured to
run under.
...I agree it is better to create a dir per QEMU, since that
lets us run each QEMU as a distinct user or group ID.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|