On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:

Since we autogenerate path for QEMU guest agent into LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be able to access that socket no matter under what user/group it is running so you can set the user/group in qemu.conf.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886

%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/ %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/ %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/

I'm confused how this solves the problem.
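Review bot: the 0750 to 0751 change on the three %{_localstatedir}/lib/libvirt/qemu/ directory entries adds only the search (x) bit for other, not write, so a process running under a different user/group can reach an existing socket by path but still cannot create one in these directories; the commit message should say which of the two is intended. It also opens traversal to every local account, so anything below these directories is then protected only by its own mode and ownership, which deserves a comment in the spec file next to the existing 0711 nvram/ line.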
If I edit a guest and add

  <seclabel type='static' model='dac' relabel='yes'>
    <label>berrange:berrange</label>
  </seclabel>

And launch it, it fails to create the QEMU monitor socket

  error: Failed to start domain serial
  error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
  2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed

Because a process running berrange:berrange does not have write permission on the /var/lib/libvirt/qemu directory.
Yes. I'm still thinking about how to make this *just work* for various users on the same system. The only valid thing would seem to pass an fd for such sockets which I don't know whether QEMU supports.
Changing the mode to 0751 doesn't do anything to solve that. After setting the dir to mode 0751 qemu still gets the same permission denied when creating the monitor socket as it still lacks write permission.
I realized that a while after I sent it and I replied to John that this doesn't fix the problem. I was just in the middle of writing that mail when you replied (probably).
Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
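The permission point made in this thread, as an added example that is not part of the original mails or of libvirt: a small model of the POSIX owner/group/other check showing why mode 0751 lets another user traverse the directory but not bind a new socket in it. The numeric uid/gid values are constructed, and root's bypass of these checks is not modelled.

```python
# Constructed ids for illustration; the real values behind %{qemu_user},
# %{qemu_group} and the "berrange" account depend on the host.
QEMU_UID, QEMU_GID = 107, 107
USER_UID, USER_GID = 1000, 1000


def dac_bits(mode, dir_uid, dir_gid, uid, gids):
    """Return the rwx triplet (0-7) POSIX DAC applies to this process.

    Exactly one class is selected: owner, else group, else other.
    A process matching the owner never falls through to group/other.
    """
    if uid == dir_uid:
        return (mode >> 6) & 7
    if dir_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def dir_access(mode, dir_uid, dir_gid, uid, gids):
    """What a non-root process may do with a directory of this mode."""
    bits = dac_bits(mode, dir_uid, dir_gid, uid, gids)
    search = bool(bits & 1)
    write = bool(bits & 2)
    return {
        # x: may resolve a known name below the directory
        "traverse": search,
        # r: may list the names in the directory
        "list": bool(bits & 4),
        # bind() on a UNIX socket creates a directory entry: needs w and x
        "bind_new_socket": search and write,
    }


def compare(modes=(0o750, 0o751, 0o711)):
    """Evaluate each spec-file mode for the qemu owner and another user."""
    out = {}
    for m in modes:
        out[m] = {
            "qemu": dir_access(m, QEMU_UID, QEMU_GID, QEMU_UID, {QEMU_GID}),
            "other": dir_access(m, QEMU_UID, QEMU_GID, USER_UID, {USER_GID}),
        }
    return out


if __name__ == "__main__":
    for mode, who in compare().items():
        print(oct(mode), who)
```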