On Tue, Jun 07, 2016 at 04:16:46PM +0100, Daniel P. Berrange wrote:
On Tue, Jun 07, 2016 at 05:15:54PM +0200, Peter Krempa wrote:
On Tue, Jun 07, 2016 at 15:50:38 +0100, Daniel Berrange wrote:
On Tue, Jun 07, 2016 at 08:24:14AM +0200, Peter Krempa wrote:
On Mon, Jun 06, 2016 at 14:25:23 -0500, Roy Keene wrote:
Patch to libvirt master to avoid failing when a user ID is specified, e.g. for <seclabel type='dac'>, that does not map to a user name.
This is useful if you want to run each VM as a separate user and not bother creating an /etc/passwd entry for each UID.
For this use case you shall prefix the name with a +. Please refer to the documentation on seclabels.
Empirically that does not currently work:
# virsh dumpxml serial | grep --after 2 '<seclabel' <seclabel type='static' model='dac' relabel='no'> <label>+21421:+12421421</label> </seclabel>
# virsh start serial error: Failed to start domain serial error: Cannot access storage file '/var/lib/libvirt/images/demo.qcow2' (as uid:21421, gid:12421421): Success
# ls -al /var/lib/libvirt/images/demo.qcow2 -rw-r--r--. 1 21421 12421421 197120 Apr 30 2015 /var/lib/libvirt/images/demo.qcow2
Looking at the libvirtd logs we see
2016-06-07 14:49:13.724+0000: 13490: debug : qemuDomainCheckDiskPresence:3954 : Checking for disk presence 2016-06-07 14:49:16.551+0000: 13490: error : virGetUserEnt:801 : Failed to find user record for uid '21421' 2016-06-07 14:49:16.551+0000: 13490: error : virStorageFileGetMetadataRecurse:3114 : Cannot access storage file '/var/lib/libvirt/images/demo.qcow2' (as uid:21421, gid:12421421): Success
So even though the QEMU driver has honoured the '+' syntax, some of the things QEMU is calling appears to be trying to resolve the UID back into a user password record and failing.
Indeed. This is caused by calling virFileAccessibleAs which calls virGetGroupList so that it can add all groups for the given UID which is very strange. The group list is then set after forking at attempting to check file presence. I hate root squashed NFS.
I guess we could just skip reporting the error if we can't get the group list in that case and just set the provided numerical UID/GID and try it that way.
Yep, if all we're doing is trying to get supplementary groups, then lack of an /etc/passwd or /etc/group entry really just semantically means zero supplementary groups are needed.
Roy, perhaps test if the following change makes it work for you: diff --git a/src/util/virutil.c b/src/util/virutil.c index d80d994..20a426d 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -1109,8 +1109,11 @@ virGetGroupList(uid_t uid, gid_t gid, gid_t **list) if (uid == (uid_t)-1) return 0; - if (virGetUserEnt(uid, &user, &primary, NULL) < 0) - return -1; + if (virGetUserEnt(uid, &user, &primary, NULL) < 0) { + VIR_INFO("No passwd entry for uid %llu, setting empty group list" + (unsigned long long)uid); + return 0; + } ret = mgetgroups(user, primary, list); if (ret < 0) { Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|