[libvirt] QMP Capability Detection Issues with GIT version of QEMU
I ran into trouble today trying to use the GIT level of QEMU. In a nutshell: the capability detection with QMP is failing and the fallback using -help isn't working with the GIT level probably due to help text reformatting. The failure reason is that QEMU cannot bind to the QMP monitor socket in the /var/lib/libvirt/qemu directory. That's because the child process is stripped of all capabilities and this directory is chown'ed to qemu:qemu by the QEMU driver. Note that this is failing with the release QEMU as well, with the difference that the fallback is working there. I am willing to provide a patch, however I'd like to get feedback on the approach to use: 1. Add back Linux capabilities CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH to allow QEMU to bind to the monitor socket. This seems to be hacky/dodging the problem. 2. Use a separate directory for the QMP probing instance of QEMU. 3. Run the QMP QEMU under the configured qemu user. This would be my favorite. 4. Other ideas? -- Mit freundlichen Grüßen/Kind Regards Viktor Mihajlovski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On Thu, Nov 22, 2012 at 05:41:30PM +0100, Viktor Mihajlovski wrote:
I ran into trouble today trying to use the GIT level of QEMU.
In a nutshell: the capability detection with QMP is failing and the fallback using -help isn't working with the GIT level probably due to help text reformatting.
The failure reason is that QEMU cannot bind to the QMP monitor socket in the /var/lib/libvirt/qemu directory. That's because the child process is stripped of all capabilities and this directory is chown'ed to qemu:qemu by the QEMU driver.
Note that this is failing with the release QEMU as well, with the difference that the fallback is working there.
I am willing to provide a patch, however I'd like to get feedback on the approach to use:
1. Add back Linux capabilities CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH to allow QEMU to bind to the monitor socket. This seems to be hacky/dodging the problem.
2. Use a separate directory for the QMP probing instance of QEMU.
3. Run the QMP QEMU under the configured qemu user. This would be my favorite.
Yep, this seems like the right thing todo. /me tries to understand why I didn't see this problem myself. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
On 11/22/2012 05:50 PM, Daniel P. Berrange wrote:
3. Run the QMP QEMU under the configured qemu user. This would be my favorite.
Yep, this seems like the right thing todo.
OK, I'll go for it :-).
/me tries to understand why I didn't see this problem myself.
Daniel
This happens probably only for an RPM-installed libvirt (I build my own RPMs). With a default local configure/ make/install the QEMU user is root:root - which would not expose the issue. -- Mit freundlichen Grüßen/Kind Regards Viktor Mihajlovski IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294
On Thu, Nov 22, 2012 at 06:35:52PM +0100, Viktor Mihajlovski wrote:
On 11/22/2012 05:50 PM, Daniel P. Berrange wrote:
3. Run the QMP QEMU under the configured qemu user. This would be my favorite.
Yep, this seems like the right thing todo.
OK, I'll go for it :-).
/me tries to understand why I didn't see this problem myself.
Daniel
This happens probably only for an RPM-installed libvirt (I build my own RPMs). With a default local configure/ make/install the QEMU user is root:root - which would not expose the issue.
Yeah, but I usually have user="qemu" set in qemu.conf to deal with that. Oh well, at least we know now. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (2)
-
Daniel P. Berrange -
Viktor Mihajlovski