On 2011-02-15 05:01, Iain MacDonnell wrote:
> Hi All,
>
> I find that I am able to attach a disk device to a Xen domain, using
> virDomainAttachDevice(), running as a non-root user, but I am unable
> to use virDomainDetachDevice() - it results in an "unknown failure".
> Using "virsh [attach|detach]-device" exhibits this behaviour.
>
> $ virsh attach-device domu1 attach.xml
> Device attached successfully
> $ virsh detach-device domu1 attach.xml
> error: Failed to detach device from attach.xml
> error: Unknown failure
> $
>
> With some digging, I determined that the problem arises when libvirt
> tries to translate the device name to a number, using the XenStore API
> (xenStoreDomainGetDiskID()), which requires use of the "xenstored"
> UNIX socket, and that socket is only accessible by root. On making
> that socket accessible to the user (by group), virDomainAttachDevice()
> starts working, but I'm then unable to list domains, because
> xenStoreDoListDomains() waits to verify each domain using
> xenHypervisorHasDomain(), and that requires access to another socket -
> "/proc/xen/privcmd".
>
> My question, before going down the path of trying to hack permissions
> for these sockets permanently ..... is this how it's supposed to be,
> or could, perhaps, libvirtd, which runs as root, access these sockets
> on behalf of the user? It seems it should at least fail more
> gracefully....
I recall there was a discussion on problems like these before, but I can't
find the thread now. If I remember well, the conclusion was that libvirt
will need a more robust solution for non-root users' privileges.

And in my mind, Justin was involved in the discussion, so cc'ing him to
see if he could help. :-)
Regards
Osier