On Tue, Jul 09, 2019 at 02:03:15PM +0200, Stephan von Krawczynski wrote:
On Tue, 9 Jul 2019 09:40:23 +0100 Daniel P. Berrangé <berrange@redhat.com> wrote:
On Mon, Jul 08, 2019 at 09:47:24PM +0200, Stephan von Krawczynski wrote:
Hello list,
I came across a fundamental flaw in the libvirt user configuration lately and try to find a solution now. Here is the problem: I run several qemu instances on arch linux all configured via libvirt. The default config as user nobody:kvm was fine up to the day I tried to use a host filesystem via 9p. If you want to gain all user rights on the guest inside that fs you have to run qemu as root. So far so good. But if you have several qemus running and only one needs to be root, what to do? You can try to give a -runas by using <qemu:args>. But that does not work, qemu instantly crashes. I think this is because to have _one_ root qemu, you have to configure libvirt to use root user. This means all rights to fs and so on are set to root and this is what lets qemu probably go crazy if dropping root by -runas. The whole thing would be a lot easier and more transparent if the user in libvirt wouldn't be a global config, but instead be part of the domain xml. This way every qemu started could use a different user and have different rights. In my case all but one could be nobody:kvm, and one root:root. This should not be to complicated based on whats already there, is it?
Libvirt needs to know about the user/group QEMU is running at in order to ensure it gets given access to the various files it needs to use. If you look at the XML of the running guest you should see a <seclabel> describing the user/group it is running as currently.
If no <seclabel> is in the offline config, libvirt adds the default seclabel, but if you want a different user/group, you can add the <seclabel> yourself.
Regards, Daniel
Hello Daniel,
well, tried that (as good as the docs are) by adding:
<seclabel type='dynamic' model='dac'> <label>nobody:kvm</label> </seclabel>
This edit worked in virsh without giving errors. Starting the domain and then looking into the xml showed:
<seclabel type='dynamic' model='dac' relabel='yes'/>
Consequently qemu runs still as root. My user:group setting simply vanished.
I think at least some better docs are needed with a striking example of how to change user and group ... I may be biased, but how to set user and group is probably the most basic example of how to use seclabel - and I cannot find one.
I agree that the documentation is not the best one. You need to use type='static' relabel='yes': <seclabel type='static' model='dac' relabel='yes'> <label>nobody:kvm</label> </seclabel> To achieve that. In addition if you would like to have only one VM as root:root you should keep the default config as nobody:kvm and use the root:root for that specific VM. Pavel