On Thu, Jul 16, 2009 at 01:37:49PM +0100, Daniel P. Berrange wrote:
> This patch makes it such that the privileged libvirtd daemon can
> run unprivileged QEMU guests. The default remains unchanged with
> QEMU running as root:root, but the package maintainer can request
> an alternative default user at build time, and the sysadmin can
> also override this at install time with /etc/libvirt/qemu.conf.
>
> As well as making QEMU setuid/gid to the non-root user, this
> patch takes care of chown'ing all resources it needs to access.
> This currently includes
>
>  - /dev/bus/usb/$BUS/$DEVICE for any assigned USB devices
>  - /sys/bus/pci/$ADDR/{config,resource*,rom} for PCI devs
>  - All disk paths
>
> Upon shutdown it will restore ownership to root for all of
> these, except shared/readonly disk images
>
> NB one minor problem is that USB devices attached based
> on vendor/product ID aren't handled. Need to figure out a
> way to deal with this....

Okay, we can expect some side effects, but the best is to get this out
in the next release and make sure our rawhide build activates this (spec
patch needs to be propagated).
I think somehow we should make a util function to change uid/gid
of a file or directory, with a flag to allow recursion, but there isn't
that much duplication,

ACK,

Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
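
A sketch of the utility function suggested in the reply above, as an added example that is not part of the original message or of libvirt's code. The names `set_ownership`, `chown_cb` and `demo` are hypothetical, and refusing to follow symlinks (so a privileged daemon never re-owns a link's target) is this example's own design choice.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not libvirt's API. nftw() has no user-data
 * pointer, so the target owner reaches the callback via statics
 * (which makes the recursive path non-reentrant). */
static uid_t want_uid;
static gid_t want_gid;

static int chown_cb(const char *p, const struct stat *sb, int type, struct FTW *f)
{
    (void)sb; (void)type; (void)f;
    /* lchown() changes a symlink itself, never the file it points to */
    return lchown(p, want_uid, want_gid) == 0 ? 0 : -1;
}

/* Returns 0 on success, -1 on the first failure (errno from the failing call). */
int set_ownership(const char *path, uid_t uid, gid_t gid, int recursive)
{
    if (!recursive)
        return lchown(path, uid, gid);
    want_uid = uid;
    want_gid = gid;
    /* FTW_PHYS: do not follow symlinks; FTW_MOUNT: stay on one filesystem */
    return nftw(path, chown_cb, 16, FTW_PHYS | FTW_MOUNT) == 0 ? 0 : -1;
}

/* Constructed demo: a temp directory holding a symlink to "/" is re-owned
 * recursively to the caller's own ids; "/" itself must keep its owner. */
int demo(void)
{
    char dir[] = "/tmp/ownXXXXXX", path[64];
    struct stat before, after;
    if (!mkdtemp(dir) || stat("/", &before))
        return -1;
    snprintf(path, sizeof path, "%s/link", dir);
    if (symlink("/", path))
        return -1;
    int rc = set_ownership(dir, getuid(), getgid(), 1);
    int st = stat("/", &after);
    unlink(path);
    rmdir(dir);
    return (rc == 0 && st == 0 && before.st_uid == after.st_uid) ? 0 : -1;
}
```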