
On Thu, Oct 10, 2019 at 11:29:17AM +0100, Richard W.M. Jones wrote:
On Wed, Oct 09, 2019 at 07:49:29PM -0400, Cole Robinson wrote:
In that bug, I see that rjones (cc'd) said that libvirt not remembering labels/uid causes issues for libguestfs that requires workarounds. Rich, do you have links to threads or bug reports where this is described in more detail?
I think there are two problems (which I often confuse) and they are possibly related. This one where libvirt doesn't restore permissions afterwards, and the other one where qemu:///session cannot be used as root which implies that when you run libguestfs as root it doesn't have access to things that root would normally have access to (bug 890291 / 1045069).
In answer to your question this is the only one I could find which is definitely related to this bug:
https://www.redhat.com/archives/libguestfs/2013-May/msg00115.html
Anything related to device nodes & permissions/ownership shouldn't be an issue any more. We switched to create a private mount namespace for each QEMU and set up a custom /dev populated with only the devices QEMU is allowed. Thus we should no longer be touching permissions/owners in the real /dev.
Here's another one, but I think this is related to the other bug:
https://bugs.launchpad.net/nova/+bug/1241659/comments/6
I suspect there are cases where openstack sets LIBGUESTFS_BACKEND=direct to work around one of these two bugs.
Is fixing the qemu:///session as root problem going to also solve this?
If we had a real qemu:///session mode running QEMU itself as root, then we would never change permissions/ownership. We would still need to be changing SELinux labels & so the label restore logic is needed there.

We should be able to use qemu:///system & the DAC driver to run QEMU as root though. There was previously a problem wrt monitor sockets that you hit when trying this with libguestfs, but I believe that should now be fixed:

https://bugzilla.redhat.com/show_bug.cgi?id=890291#c30

If using the DAC driver to request running as root, the only remaining difference in terms of permissions is that we clear CAP_DAC_OVERRIDE, so the root user will only be able to access files which explicitly grant root access. We could fix this limitation in the DAC driver I believe to allow capabilities to be retained.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
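An added illustration, not part of the original thread or of libvirt's code: a simplified Python model of the Linux DAC permission check, showing which files a uid 0 process can still open once CAP_DAC_OVERRIDE is cleared, as described in the last reply. The file names, the uid/gid values and the helper names are constructed for the example; POSIX ACLs, CAP_DAC_READ_SEARCH and SELinux are not modelled.

```python
import stat

R, W, X = 4, 2, 1  # requested access, encoded like one rwx triplet

def dac_allows(mode, owner_uid, owner_gid, uid, gids, want, cap_dac_override):
    """Simplified model of the kernel's DAC check for one file or directory."""
    if uid == owner_uid:
        granted = (mode >> 6) & 7      # owner triplet
    elif owner_gid in gids:
        granted = (mode >> 3) & 7      # group triplet
    else:
        granted = mode & 7             # other triplet
    if want & granted == want:
        return True                    # the mode bits grant it explicitly
    if not cap_dac_override:
        return False                   # uid 0 gets no special treatment here
    # CAP_DAC_OVERRIDE bypasses read/write checks; executing a regular
    # file still needs at least one x bit set somewhere in the mode.
    if want & X and not stat.S_ISDIR(mode) and not (mode & 0o111):
        return False
    return True

# Constructed samples: (st_mode, owner uid, owner gid).
# uid/gid 107 stands in for an unprivileged qemu account (assumption).
SAMPLES = {
    "guest.img": (stat.S_IFREG | 0o600, 107, 107),
    "root.img": (stat.S_IFREG | 0o600, 0, 0),
    "shared.img": (stat.S_IFREG | 0o644, 1000, 1000),
}

def root_access(want, cap_dac_override):
    """Return {name: allowed} for a process running as uid 0, gid 0."""
    return {name: dac_allows(m, u, g, 0, {0}, want, cap_dac_override)
            for name, (m, u, g) in SAMPLES.items()}

if __name__ == "__main__":
    for cap in (True, False):
        label = "with CAP_DAC_OVERRIDE" if cap else "without CAP_DAC_OVERRIDE"
        print(label, root_access(R | W, cap))
```

Without the capability, root can read and write only `root.img`, and can read but not write `shared.img`; an image owned by another user with mode 0600 is out of reach.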