[libvirt] [PATCH] spec: Yet another permission fix for qemu dirs

Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- libvirt.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index 7f8be38..f300423 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1960,9 +1960,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ %{_datadir}/augeas/lenses/libvirtd_qemu.aug -- 2.3.0
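Review bot: raising the three %dir entries from 0750 to 0751 only grants search (x) permission to "others", but what a QEMU process needs in order to bind its UNIX sockets in %{_localstatedir}/lib/libvirt/qemu/ (the monitor socket) and channel/target/ (the guest agent socket) is write permission on that directory, since bind() creates a directory entry; a QEMU started under a user/group other than %{qemu_user}:%{qemu_group} (as configured in qemu.conf or via a DAC seclabel) therefore still fails with "Failed to bind socket: Permission denied" after this change. Either document that the configured user or group must match the packaged one and leave the modes alone, or give each guest its own subdirectory owned by the configured user:group with mode 0770 and place the sockets there. Note also that libvirt.spec.in carries another %dir entry for qemu/channel/target/ (in the driver subpackage section) that this hunk does not touch, so the two would diverge, and the commit message typo "co you can set" should read "so you can set".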

On 02/25/2015 03:50 AM, Martin Kletzander wrote:
Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf.
s/co/so
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- libvirt.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Hmm... I have a faint recollection... See https://bugzilla.redhat.com/show_bug.cgi?id=1044561

Does this fix that one too? I think for that one it was the "difference" between using the 'yum install...' means of installation vs. the '[sudo ]make install' method from a git tree build.

Although this seems reasonable and right, messing with libvirt.spec.in is not my specialty, but there's more than one entry for "qemu/channel/target" in the file. Is there a reason to not modify the other entry (in driver subpackages)?

John

FWIW: The channel subdir was added by commit id '297c99a5', with a fix by commit id '297c99a5' to resolve a make rpm failure. Also commit id '010065d70' made sure we got the channel as well as target...
diff --git a/libvirt.spec.in b/libvirt.spec.in index 7f8be38..f300423 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1960,9 +1960,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ %{_datadir}/augeas/lenses/libvirtd_qemu.aug

On Wed, Feb 25, 2015 at 08:00:45AM -0500, John Ferlan wrote:
On 02/25/2015 03:50 AM, Martin Kletzander wrote:
Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf.
s/co/so
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
Self-NACK, it doesn't even fix this one.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com> --- libvirt.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Hmm... I have a faint recollection... See
and this is the exact same one, just for Fedora.
Does this fix that one too? I think for that one it was the "difference" between using the 'yum install...' means of installation vs. the '[sudo ]make install' method from a git tree build.
One problem is this and I haven't messed with how to fix it for "make install" type installations. The real problem I've found out (why this doesn't help) is that the qemu needs to *write* to the channel/target in order to bind it. Anyway, I'll have a look at the difference to monitor socket and will see what we can do. Until then, this gets postponed.
Although this seems reasonable and right, messing with libvirt.spec.in is not my specialty, but there's more than one entry for "qemu/channel/target" in the file. Is there a reason to not modify the other entry (in driver subpackages)?
I'll have a look at that, too. Thanks for the response.
John
FWIW: The channel subdir was added by commit id '297c99a5', with a fix by commit id '297c99a5' to resolve a make rpm failure. Also commit id '010065d70' made sure we got the channel as well as target...
diff --git a/libvirt.spec.in b/libvirt.spec.in index 7f8be38..f300423 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1960,9 +1960,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/ %{_datadir}/augeas/lenses/libvirtd_qemu.aug

On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
I'm confused how this solves the problem. If I edit a guest and add

    <seclabel type='static' model='dac' relabel='yes'>
      <label>berrange:berrange</label>
    </seclabel>

And launch it, it fails to create the QEMU monitor socket

    error: Failed to start domain serial
    error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
    2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed

Because a process running berrange:berrange does not have write permission on the /var/lib/libvirt/qemu directory. Changing the mode to 0751 doesn't do anything to solve that. After setting the dir to mode 0751 qemu still gets the same permission denied when creating the monitor socket as it still lacks write permission.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
I'm confused how this solves the problem. If I edit a guest and add
    <seclabel type='static' model='dac' relabel='yes'>
      <label>berrange:berrange</label>
    </seclabel>
And launch it, it fails to create the QEMU monitor socket
    error: Failed to start domain serial
    error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
    2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed
Because a process running berrange:berrange does not have write permission on the /var/lib/libvirt/qemu directory.
Yes. I'm still thinking about how to make this *just work* for various users on the same system. The only valid thing would seem to pass an fd for such sockets which I don't know whether QEMU supports.
Changing the mode to 0751 doesn't do anything to solve that. After setting the dir to mode 0751 qemu still gets the same permission denied when creating the monitor socket as it still lacks write permission.
I realized that a while after I sent it and I replied to John that this doesn't fix the problem. I was just in the middle of writing that mail when you replied (probably).
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Wed, Feb 25, 2015 at 03:08:03PM +0100, Martin Kletzander wrote:
On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running co you can set the user/group in qemu.conf.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
I'm confused how this solves the problem. If I edit a guest and add
    <seclabel type='static' model='dac' relabel='yes'>
      <label>berrange:berrange</label>
    </seclabel>
And launch it, it fails to create the QEMU monitor socket
    error: Failed to start domain serial
    error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
    2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed
Because a process running berrange:berrange does not have write permission on the /var/lib/libvirt/qemu directory.
Yes. I'm still thinking about how to make this *just work* for various users on the same system. The only valid thing would seem to pass an fd for such sockets which I don't know whether QEMU supports.
We could argue it is just a documentation task. ie, you are free to choose any user you wish, but must always keep the standard qemu group. Or you are free to choose any group but must keep the standard qemu user. iow they're not allowed to change both.

If we want to make it just work though, I think we'd have to stop putting the sockets in /var/lib/libvirt/qemu directly and create one subdir per guest. So set

    /var/lib/libvirt/qemu  -  0751

and create a directory

    /var/lib/libvirt/qemu/$GUESTNAME  $user:group  0770

which is owned by the user+group of the QEMU process as per the XML and then put all the UNIX sockets in

    /var/lib/libvirt/qemu/$GUESTNAME/monitor.sock
    /var/lib/libvirt/qemu/$GUESTNAME/org.qemu.guest.agent.1.sock

etc

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
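The following is an added example, not libvirt or QEMU code and not something any participant posted. It works through the failure Daniel describes (a QEMU running as a user/group other than the packaged qemu user cannot bind its monitor or guest-agent socket, regardless of the 0750 vs 0751 change) and the per-guest 0770 directory layout he proposes, by evaluating the POSIX DAC check for each layout and then reproducing it on a real filesystem. The uid/gid values 107 and 1000 are constructed stand-ins for qemu_user:qemu_group and for a user set in qemu.conf or via <seclabel model='dac'>; the directory names are illustrative only. chown to a different uid needs root and is not performed, so the filesystem part models "not writable for this process" with mode 0551 on a directory the process owns.

```python
"""Added example (not libvirt or QEMU code): why bumping the socket directories
from 0750 to 0751 does not let a non-default QEMU user bind its UNIX sockets,
and what a per-guest 0770 directory owned by that user changes."""
import os
import socket
import stat
import tempfile

QEMU_UID, QEMU_GID = 107, 107      # assumed ids for qemu_user:qemu_group
OTHER_UID, OTHER_GID = 1000, 1000  # assumed ids for a user configured in qemu.conf


def unix_dac_allows(mode, dir_uid, dir_gid, proc_uid, proc_gid, want):
    """POSIX DAC check for one permission ('r', 'w' or 'x') on a directory:
    owner class if the uids match, else group class if the gids match, else
    'others'. CAP_DAC_OVERRIDE (root) is deliberately not modelled."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if proc_uid == dir_uid:
        cls = (mode >> 6) & 7
    elif proc_gid == dir_gid:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


def can_bind_socket_in(mode, dir_uid, dir_gid, proc_uid, proc_gid):
    """bind() on an AF_UNIX path creates a directory entry, so the caller needs
    write *and* search permission on the parent directory. 0751 only adds
    search for 'others', which is why the EACCES in the thread persists."""
    return (unix_dac_allows(mode, dir_uid, dir_gid, proc_uid, proc_gid, "w")
            and unix_dac_allows(mode, dir_uid, dir_gid, proc_uid, proc_gid, "x"))


def compare_layouts():
    """Evaluate the layouts discussed in the thread for a QEMU process that runs
    as OTHER_UID:OTHER_GID instead of the packaged qemu user."""
    return {
        # current spec: /var/lib/libvirt/qemu is 0750 qemu:qemu
        "0750 qemu:qemu": can_bind_socket_in(0o750, QEMU_UID, QEMU_GID, OTHER_UID, OTHER_GID),
        # the patch: same ownership, mode 0751
        "0751 qemu:qemu": can_bind_socket_in(0o751, QEMU_UID, QEMU_GID, OTHER_UID, OTHER_GID),
        # keeping only the qemu group helps solely if the directory is group-writable
        "0751 qemu:qemu, qemu group kept": can_bind_socket_in(0o751, QEMU_UID, QEMU_GID, OTHER_UID, QEMU_GID),
        # proposal: per-guest subdirectory 0770 owned by the guest's user:group
        "0770 other:other per-guest dir": can_bind_socket_in(0o770, OTHER_UID, OTHER_GID, OTHER_UID, OTHER_GID),
    }


def bind_monitor_socket(guest_dir):
    """Bind a 'monitor.sock' inside guest_dir. True if a socket inode now
    exists, False if the kernel refused with EACCES (QEMU's
    'Failed to bind socket: Permission denied')."""
    path = os.path.join(guest_dir, "monitor.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)
    except PermissionError:
        return False
    finally:
        s.close()
    return stat.S_ISSOCK(os.stat(path).st_mode)


def run_demo():
    """Recreate the two layouts on a real filesystem. The base directory stands
    in for /var/lib/libvirt/qemu; since we own it, 'searchable but not writable
    for this process' is modelled with mode 0551 rather than a chown."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o551)
        # root bypasses DAC, so the negative case is only meaningful unprivileged
        results["base_not_writable"] = None if os.geteuid() == 0 else bind_monitor_socket(base)
        os.chmod(base, 0o751)  # owner write back, as libvirtd (root) would have
        guest = os.path.join(base, "guest1")
        os.mkdir(guest)
        os.chmod(guest, 0o770)  # explicit: mkdir's mode argument is masked by umask
        results["per_guest_0770"] = bind_monitor_socket(guest)
    return results


if __name__ == "__main__":
    for layout, ok in compare_layouts().items():
        print(f"{layout:40s} bind allowed: {ok}")
    print(run_demo())
```

The DAC table is the core of the thread's point: for a process whose uid and gid both differ from the directory owner, 0750 and 0751 evaluate to the "others" class, where neither mode carries the write bit, while a 0770 directory owned by the guest's own user:group passes. The filesystem part is what a packager can run unprivileged to confirm that bind() really fails with EACCES in a directory it cannot write to and succeeds once the socket lives in a directory it owns.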
participants (3)
- Daniel P. Berrange
- John Ferlan
- Martin Kletzander