10:41 a.m.
I ran into trouble today trying to use the GIT level of QEMU.
In a nutshell: the capability detection with QMP is failing
and the fallback using -help isn't working with the GIT level
probably due to help text reformatting.
The failure reason is that QEMU cannot bind to the
QMP monitor socket in the /var/lib/libvirt/qemu directory.
That's because the child process is stripped of all
capabilities and this directory is chown'ed to qemu:qemu
by the QEMU driver.
Note that this is failing with the release QEMU as well,
with the difference that the fallback is working there.
I am willing to provide a patch, however I'd like
to get feedback on the approach to use:
1. Add back Linux capabilities CAP_DAC_OVERRIDE,
CAP_DAC_READ_SEARCH to allow QEMU to bind to
the monitor socket.
This seems to be hacky/dodging the problem.
2. Use a separate directory for the QMP probing
instance of QEMU.
3. Run the QMP QEMU under the configured qemu
user. This would be my favorite.
4. Other ideas?
--
Mit freundlichen Grüßen/Kind Regards
Viktor Mihajlovski
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
10:50 a.m.
On Thu, Nov 22, 2012 at 05:41:30PM +0100, Viktor Mihajlovski wrote:
I ran into trouble today trying to use the GIT level of QEMU.
In a nutshell: the capability detection with QMP is failing
and the fallback using -help isn't working with the GIT level
probably due to help text reformatting.
The failure reason is that QEMU cannot bind to the
QMP monitor socket in the /var/lib/libvirt/qemu directory.
That's because the child process is stripped of all
capabilities and this directory is chown'ed to qemu:qemu
by the QEMU driver.
Note that this is failing with the release QEMU as well,
with the difference that the fallback is working there.
I am willing to provide a patch, however I'd like
to get feedback on the approach to use:
1. Add back Linux capabilities CAP_DAC_OVERRIDE,
CAP_DAC_READ_SEARCH to allow QEMU to bind to
the monitor socket.
This seems to be hacky/dodging the problem.
2. Use a separate directory for the QMP probing
instance of QEMU.
3. Run the QMP QEMU under the configured qemu
user. This would be my favorite.
Yep, this seems like the right thing todo.
/me tries to understand why I didn't see this problem myself.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
11:35 a.m.
On 11/22/2012 05:50 PM, Daniel P. Berrange wrote:
>
> 3. Run the QMP QEMU under the configured qemu
> user. This would be my favorite.
Yep, this seems like the right thing todo.
OK, I'll go for it :-).
/me tries to understand why I didn't see this problem myself.
Daniel
This happens probably only for an RPM-installed libvirt
(I build my own RPMs). With a default local configure/
make/install the QEMU user is root:root - which would
not expose the issue.
--
Mit freundlichen Grüßen/Kind Regards
Viktor Mihajlovski
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
2:57 a.m.
On Thu, Nov 22, 2012 at 06:35:52PM +0100, Viktor Mihajlovski wrote:
On 11/22/2012 05:50 PM, Daniel P. Berrange wrote:
>>
>>3. Run the QMP QEMU under the configured qemu
>> user. This would be my favorite.
>
>Yep, this seems like the right thing todo.
>
OK, I'll go for it :-).
>/me tries to understand why I didn't see this problem myself.
>
>Daniel
>
This happens probably only for an RPM-installed libvirt
(I build my own RPMs). With a default local configure/
make/install the QEMU user is root:root - which would
not expose the issue.
Yeah, but I usually have user="qemu" set in qemu.conf to
deal with that. Oh well, at least we know now.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4383
days inactive
4384
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Viktor Mihajlovski