
On Mon, Nov 12, 2018 at 01:30 PM +0100, Pavel Hrdina <phrdina@redhat.com> wrote:
> On Mon, Nov 12, 2018 at 12:50:41PM +0100, Marc Hartmayer wrote:
>> On Thu, Nov 01, 2018 at 09:31 AM +0100, Martin Kletzander <mkletzan@redhat.com> wrote:
>> [...]
>> How can you run a machine/QEMU VM under a different user:group other than changing the user:group in qemu.conf and restarting/reloading libvirtd?
>>
>> As soon as a VM is running we don't have to verify /dev/kvm access, no? (so there should be no problem when libvirtd tries to “reconnect” to already running VMs).
>
> You can add this into your domain XML:
>
>     <seclabel type='static' model='dac' relabel='yes'>
>       <label>phrdina:phrdina</label>
>     </seclabel>
>
> And it will run the qemu process under that user.

Interesting :) Actually, if we consider this then the QEMU caps caching is broken anyway since 'virQEMUCapsNewData' is calling 'virQEMUCapsNewForBinaryInternal(…, priv->runUid, priv->runGid, …)'. And 'priv->runUid/runGid' is only set once in virQEMUCapsCacheNew. Maybe I missed something.

> Pavel

--
Kind regards / Beste Grüße
   Marc Hartmayer

IBM Deutschland Research & Development GmbH
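
Added example (not part of the thread and not libvirt code): a small audit helper that finds domains using the static DAC seclabel shown above and reports whether they run QEMU under a user:group other than the daemon-wide one, which is the case the caching question in the last reply is about. The function names, the sample domain and the "qemu:qemu" default are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <seclabel> from the thread inside a minimal <domain>.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>demo</name>
  <seclabel type='static' model='dac' relabel='yes'>
    <label>phrdina:phrdina</label>
  </seclabel>
</domain>
"""


def static_dac_labels(domain_xml):
    """Return a (user, group) tuple for each domain-level static DAC seclabel."""
    root = ET.fromstring(domain_xml)
    found = []
    for sec in root.findall("seclabel"):
        # Other models (selinux, apparmor) and dynamic labels are not relevant here.
        if sec.get("model") != "dac" or sec.get("type") != "static":
            continue
        label = (sec.findtext("label") or "").strip()
        user, sep, group = label.partition(":")
        # Assumption: a usable label has the user:group form shown in the thread.
        if not sep or not user or not group:
            raise ValueError(f"malformed DAC label: {label!r}")
        found.append((user, group))
    return found


def overrides_default(domain_xml, default_user, default_group):
    """True if the domain asks for a user:group other than the given default.

    The comparison is textual: names and numeric ids are not resolved, so
    'qemu' and its numeric uid would be reported as different.
    """
    return any((user, group) != (default_user, default_group)
               for user, group in static_dac_labels(domain_xml))


if __name__ == "__main__":
    # "qemu", "qemu" stands in for the user/group configured in qemu.conf.
    print(static_dac_labels(SAMPLE_DOMAIN))
    print(overrides_default(SAMPLE_DOMAIN, "qemu", "qemu"))
```
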