On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
> If you've ever tried running a huge page backed guest under a
> different user than root, you probably failed. Problem is even

It works fine - this functionality has existed for years and apps
like OpenStack use it and certainly never run QEMU as root. In
qemuStateInitialize we create $MOUNT/libvirt/qemu and chown it to
the qemu:qemu user/group pair.

That all said....

> though we have corresponding APIs in the security drivers,
> there's no implementation and thus we don't relabel the huge page
> path. But even if we did, so far all of the domains share the
> same path:
>
>   /hugepageMount/libvirt/qemu
>
> Our only option there would be to set 0777 mode on the qemu dir,
> which is totally unsafe. Therefore, we can create a dir on a
> per-domain basis, i.e.:
>
>   /hugepageMount/libvirt/qemu/domainName
>
> and chown the domainName dir to the user that domain is configured
> to run under.

...I agree it is better to create a dir per QEMU, since that lets
us run each QEMU as a distinct user or group ID.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
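What the per-domain directory proposal in this thread amounts to in code, as an added example that is neither libvirt's implementation nor anything posted by the participants: instead of loosening the shared qemu directory to 0777, it creates <qemudir>/<domainName> with mode 0700 and hands it to the uid/gid the domain runs as. The work is done through directory file descriptors with O_NOFOLLOW and O_DIRECTORY so that an entry planted as a symlink or regular file makes the operation fail rather than redirecting the chown, and the domain name is checked to be a single safe path component. The function names, the scratch directory standing in for the hugepage mount and the "guest1" domain name are assumptions of the example; the self-test runs unprivileged, so it chowns to the caller's own uid:gid rather than a per-domain user.

```c
/* Added example of the per-domain hugepage dir scheme discussed above.
 * NOT libvirt code; function names and layout are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A domain name becomes exactly one path component, so refuse anything
 * that could leave the shared qemu directory: empty, ".", "..", or '/'. */
int valid_domain_dirname(const char *name)
{
    if (!name || !*name)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strchr(name, '/'))
        return 0;
    return 1;
}

/* Create <qemudir>/<name> with mode 0700 owned by uid:gid.
 * qemudir is the shared directory (e.g. /hugepageMount/libvirt/qemu).
 * Every step works on file descriptors, so nothing in the path can be
 * swapped for a symlink between the mkdir and the chown.
 * Returns 0 on success, -1 with errno set otherwise. */
int create_domain_hugepage_dir(const char *qemudir, const char *name,
                               uid_t uid, gid_t gid)
{
    int dfd, sub, ret = -1;

    if (!valid_domain_dirname(name)) {
        errno = EINVAL;
        return -1;
    }

    dfd = open(qemudir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* EEXIST is fine: the domain may have run before. Anything else fails. */
    if (mkdirat(dfd, name, 0700) < 0 && errno != EEXIST)
        goto out_dfd;

    /* O_NOFOLLOW | O_DIRECTORY: a symlink or regular file planted under
     * this name makes the open fail instead of being chowned. */
    sub = openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (sub < 0)
        goto out_dfd;

    /* 0700 keeps other domains' users out; the parent qemu dir keeps
     * its existing (non-0777) mode. */
    if (fchown(sub, uid, gid) < 0 || fchmod(sub, 0700) < 0)
        goto out_sub;

    ret = 0;
out_sub:
    close(sub);
out_dfd:
    close(dfd);
    return ret;
}

/* Check that <qemudir>/<name> is a real directory (not a symlink) owned
 * by uid:gid with mode 0700. Returns 1 if so, 0 otherwise. */
int domain_hugepage_dir_ok(const char *qemudir, const char *name,
                           uid_t uid, gid_t gid)
{
    char path[4096];
    struct stat st;

    if (snprintf(path, sizeof(path), "%s/%s", qemudir, name) >= (int)sizeof(path))
        return 0;
    if (lstat(path, &st) < 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == uid && st.st_gid == gid &&
           (st.st_mode & 07777) == 0700;
}

/* Self-contained run in a scratch directory that stands in for the
 * hugepage mount (constructed for the example). Returns 1 on success. */
int demo_in_scratch_dir(void)
{
    char tmpl[] = "/tmp/hugepage-example-XXXXXX";
    char path[4096];
    char *qemudir = mkdtemp(tmpl);
    uid_t uid = getuid();
    gid_t gid = getgid();
    int ok = 0;

    if (!qemudir)
        return 0;

    if (create_domain_hugepage_dir(qemudir, "guest1", uid, gid) == 0 &&
        domain_hugepage_dir_ok(qemudir, "guest1", uid, gid) &&
        create_domain_hugepage_dir(qemudir, "guest1", uid, gid) == 0 && /* rerun */
        create_domain_hugepage_dir(qemudir, "../escape", uid, gid) == -1)
        ok = 1;

    snprintf(path, sizeof(path), "%s/guest1", qemudir);
    rmdir(path);
    rmdir(qemudir);
    return ok;
}

int main(void)
{
    printf("per-domain hugepage dir demo: %s\n",
           demo_in_scratch_dir() ? "ok" : "FAILED");
    return 0;
}
```

In a real deployment the caller would be root (or have CAP_CHOWN) and pass the uid/gid from the domain's security configuration; the directory-fd approach matters most there, since a root process chowning through a symlink a guest-owned process planted is exactly the mistake a shared 0777 directory invites.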