On Wed, Mar 20, 2019 at 15:48:43 -0500, Eric Blake wrote:
> On 3/20/19 1:50 PM, Mircea Husz wrote:
>> I scripted the creation of snapshots and it works fine. Now I'd like to run the
>> script as non-root.
>>
>> virsh snapshot-create-as --domain hq-live-v01 \
>> --name snappy \
>> --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
>> --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
>> --disk-only --quiesce --atomic
>>
>> This fragment creates the snapshots, but they get created with mode 0600:
>> -rw------- 1 qemu qemu 393216 Mar 19 17:08 hq-live-storage.snappy
>> -rw------- 1 qemu qemu 1048576 Mar 19 17:08 hq-live-v01.snappy
>>
>> The user account is in the libvirt group and has permissions to do everything except
>> delete the files created by the snapshot; all I need is to get the snapshots created with
>> 0660 mode.
>>
>> This is on a CentOS 7.6 installation. What knobs do I need to turn to control the
>> umask?
>
> I'm not sure if you can force libvirt to create the files with a
> different mask, but perhaps a workaround would be to pre-create the
> files yourself with desired permissions, then tell virsh to
> --reuse-external (so that libvirt no longer has to try and create the
> files, and thus doesn't mess with permissions).

--reuse-external is good only for using a custom-formatted image.
Libvirt will chown the image to qemu:qemu if you don't disable
relabelling. This is possible to do via the <seclabel> even in a
snapshot <disk> definition.
Note that it's not documented yet and also does not conform to the
schema, but the parser happily parses it and the code uses the correct
<seclabel> then. I have a not-sufficiently-tested patch that adds the
schema (and IIRC also docs) which I planned to send after testing.