Re: [libvirt] Problem configuring selective dropping of root

On Tue, Jul 09, 2019 at 02:03:15PM +0200, Stephan von Krawczynski wrote: > On Tue, 9 Jul 2019 09:40:23 +0100 > Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: > > > On Mon, Jul 08, 2019 at 09:47:24PM +0200, Stephan von Krawczynski > > wrote: > > > Hello list, > > > > > > I came across a fundamental flaw in the libvirt user configuration > > > lately and try to find a solution now. Here is the problem: > > > I run several qemu instances on arch linux all configured via libvirt. > > > The default config as user nobody:kvm was fine up to the day I tried > > > to use a host filesystem via 9p. If you want to gain all user rights > > > on the guest inside that fs you have to run qemu as root. So far so > > > good. But if you have several qemus running and only one needs to be > > > root, what to do? You can try to give a -runas by using <qemu:args>. > > > But that does not work, qemu instantly crashes. I think this is > > > because to have _one_ root qemu, you have to configure libvirt to use > > > root user. This means all rights to fs and so on are set to root and > > > this is what lets qemu probably go crazy if dropping root by -runas. > > > The whole thing would be a lot easier and more transparent if the user > > > in libvirt wouldn't be a global config, but instead be part of the > > > domain xml. This way every qemu started could use a different user and > > > have different rights. In my case all but one could be nobody:kvm, and > > > one root:root. This should not be to complicated based on whats > > > already there, is it? > > > > Libvirt needs to know about the user/group QEMU is running at in order to > > ensure it gets given access to the various files it needs to use. If you > > look at the XML of the running guest you should see a <seclabel> > > describing the user/group it is running as currently. > > > > If no <seclabel> is in the offline config, libvirt adds the default > > seclabel, but if you want a different user/group, you can add the > > <seclabel> yourself. > > > > Regards, > > Daniel > > Hello Daniel, > > well, tried that (as good as the docs are) by adding: > > <seclabel type='dynamic' model='dac'> > <label>nobody:kvm</label> > </seclabel> > > This edit worked in virsh without giving errors. > Starting the domain and then looking into the xml showed: > > <seclabel type='dynamic' model='dac' relabel='yes'/> > > Consequently qemu runs still as root. My user:group setting simply > vanished. > > I think at least some better docs are needed with a striking example of > how to change user and group ... > I may be biased, but how to set user and group is probably the most basic > example of how to use seclabel - and I cannot find one. I agree that the documentation is not the best one. You need to use type='static' relabel='yes': <seclabel type='static' model='dac' relabel='yes'> <label>nobody:kvm</label> </seclabel> To achieve that. In addition if you would like to have only one VM as root:root you should keep the default config as nobody:kvm and use the root:root for that specific VM. Pavel