On Tue, Jul 09, 2019 at 02:03:15PM +0200, Stephan von Krawczynski wrote:
> On Tue, 9 Jul 2019 09:40:23 +0100
> Daniel P. Berrangé <berrange(a)redhat.com> wrote:
> > On Mon, Jul 08, 2019 at 09:47:24PM +0200, Stephan von Krawczynski wrote:
> > > Hello list,
> > >
> > > I came across a fundamental flaw in the libvirt user configuration lately
> > > and try to find a solution now. Here is the problem:
> > > I run several qemu instances on arch linux all configured via libvirt. The
> > > default config as user nobody:kvm was fine up to the day I tried to use a
> > > host filesystem via 9p. If you want to gain all user rights on the guest
> > > inside that fs you have to run qemu as root. So far so good. But if you
> > > have several qemus running and only one needs to be root, what to do? You
> > > can try to give a -runas by using <qemu:args>. But that does not work,
> > > qemu instantly crashes. I think this is because to have _one_ root qemu,
> > > you have to configure libvirt to use root user. This means all rights to
> > > fs and so on are set to root and this is what lets qemu probably go crazy
> > > if dropping root by -runas. The whole thing would be a lot easier and more
> > > transparent if the user in libvirt wouldn't be a global config, but
> > > instead be part of the domain xml. This way every qemu started could use a
> > > different user and have different rights.
> > > In my case all but one could be nobody:kvm, and one root:root.
> > > This should not be too complicated based on what's already there, is it?
> >
> > Libvirt needs to know about the user/group QEMU is running at in order to
> > ensure it gets given access to the various files it needs to use. If you
> > look at the XML of the running guest you should see a <seclabel> describing
> > the user/group it is running as currently.
> >
> > If no <seclabel> is in the offline config, libvirt adds the default
> > seclabel, but if you want a different user/group, you can add the
> > <seclabel> yourself.
> >
> > Regards,
> > Daniel
> Hello Daniel,
> well, tried that (as good as the docs are) by adding:
> <seclabel type='dynamic' model='dac'>
>   <label>nobody:kvm</label>
> </seclabel>
> This edit worked in virsh without giving errors.
> Starting the domain and then looking into the xml showed:
> <seclabel type='dynamic' model='dac' relabel='yes'/>
> Consequently qemu still runs as root. My user:group setting simply vanished.
> I think at least some better docs are needed with a striking example of how to
> change user and group ...
> I may be biased, but how to set user and group is probably the most basic
> example of how to use seclabel - and I cannot find one.
I agree that the documentation is not the best one.
To achieve that you need to use type='static' relabel='yes':
<seclabel type='static' model='dac' relabel='yes'>
  <label>nobody:kvm</label>
</seclabel>
In addition, if you would like to have only one VM as root:root you
should keep the default config as nobody:kvm and use the root:root for
that specific VM.
Pavel
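As an added example (not from this thread or from libvirt itself), a small Python check over a domain definition: it reports whether a DAC <seclabel> will actually be honored (only type='static' keeps the <label>; with type='dynamic' the label vanishes and the qemu.conf user/group applies, as observed above) and rewrites the definition into the static form Pavel describes. The domain XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the form Stephan tried, type='dynamic' plus an
# explicit <label>, which libvirt replaces with the qemu.conf default.
DOMAIN_XML = """<domain type='kvm'>
  <name>guest-a</name>
  <seclabel type='dynamic' model='dac'>
    <label>nobody:kvm</label>
  </seclabel>
</domain>"""


def dac_label_status(domain_xml):
    """Return (type, label) of the DAC seclabel, or None if there is none."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall('seclabel'):
        if sec.get('model') == 'dac':
            return sec.get('type'), sec.findtext('label')
    return None


def label_will_be_honored(domain_xml):
    """True only for a static DAC seclabel carrying a user:group label.
    A dynamic seclabel discards the label, so the qemu.conf user/group
    (nobody:kvm by default, or root if changed globally) wins."""
    status = dac_label_status(domain_xml)
    return status is not None and status[0] == 'static' and bool(status[1])


def set_static_dac_label(domain_xml, user_group):
    """Replace (or add) the DAC seclabel with the static, relabelling form
    for user_group, e.g. 'nobody:kvm' for most guests or 'root:root' for
    the single guest that needs the 9p host filesystem as root."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall('seclabel'):
        if sec.get('model') == 'dac':
            root.remove(sec)
    sec = ET.SubElement(root, 'seclabel',
                        {'type': 'static', 'model': 'dac', 'relabel': 'yes'})
    ET.SubElement(sec, 'label').text = user_group
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    print('honored as written:', label_will_be_honored(DOMAIN_XML))
    print(set_static_dac_label(DOMAIN_XML, 'root:root'))
```

Feed the rewritten XML back through `virsh define` and compare against `virsh dumpxml` of the running guest to confirm the label survived.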