Re: [libvirt] FYI: Updated QEMU driver docs on security model

On Wed, 2009-08-19 at 14:32 +0100, Daniel P. Berrange wrote: > FYI, I just pushed the following patch to the repo which adds documentation > to the website for all the security model related aspects of libvirt's > QEMU driver. It should appear here shortly > > http://libvirt.org/drvqemu.html Looks good, mostly just typos below ACK etc. > + <h3><a name="securitydac">POSIX DAC users/groups</a></h3> > + > + <p> > + In the "session" instance, the POSIX DAC model restricts QEMU virtual Should expand the acronym, it's pretty obscure

> + The directories <code>/var/run/libvirt/qemu/</code>, > + <code>/var/lib/libvirt/qemu/</code> and > + <code>/var/cache/libvirt/qemu/</code> must all have their > + ownership set to match the user / group ID that QEMU > + guests will be run as. If the vendor has set a non-root > + user/group for the QEMU driver at build time, the > + permissions should be set automatically at install time. > + If a host administrator customizes user/group in > + <code>/etc/libvirt/qemu.conf</code>, they will need to > + manually set the ownership on these directories. It's good to have this documented, but I'd much prefer us to handle it automatically e.g. libvirtd knows that if the permissions on the dir is wrong, the guest won't start So, it could warn the user, or create an alternative directory and chown it or ...