On 22.11.2016 13:53, Daniel P. Berrange wrote:
> On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
>> If you've ever tried running a huge page backed guest under
>> different user than root, you probably failed. Problem is even
>
> It works fine - this functionality has existed for years and apps
> like OpenStack use it and certainly never run QEMU as root.
>
> In qemuStateInitialize we create $MOUNT/libvirt/qemu and
> chown it to the qemu:qemu user/group pair.

Well, this works as long as all the huge page enabled guests are run
under the same user. For instance, if your user/group from qemu.conf
is root:root and you have one domain with qemu:qemu (configured via
domain XML) it won't start.

>
> That all said....
>
>> though we have corresponding APIs in the security drivers,
>> there's no implementation and thus we don't relabel the huge page
>> path. But even if we did, so far all of the domains share the
>> same path:
>>
>>    /hugepageMount/libvirt/qemu
>>
>> Our only option there would be to set 0777 mode on the qemu dir
>> which is totally unsafe. Therefore, we can create dir on
>> per-domain basis, i.e.:
>>
>>    /hugepageMount/libvirt/qemu/domainName
>>
>> and chown domainName dir to the user that domain is configured to
>> run under.
>
> ...I agree it is better to create a dir per QEMU, since that
> lets us run each QEMU as a distinct user or group ID.

Exactly.

Michal
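
The per-domain layout discussed in this thread, sketched as an added example that is not part of the original messages and is not libvirt's code. The helper names, the 0700 mode, the name validation and the temporary base directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a libvirt function): create <base>/<domain>,
 * owned by the uid:gid the domain runs as. 0700 is this example's choice.
 * Returns 0 on success, -1 on error. */
int make_domain_hugepage_dir(const char *base, const char *domain,
                             uid_t uid, gid_t gid, char *out, size_t outlen)
{
    struct stat st;
    int n;

    /* The domain name becomes a path component: no separators, no dot names. */
    if (!*domain || strchr(domain, '/') ||
        !strcmp(domain, ".") || !strcmp(domain, ".."))
        return -1;
    n = snprintf(out, outlen, "%s/%s", base, domain);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (mkdir(out, 0700) < 0 && errno != EEXIST)
        return -1;
    /* lstat/lchown do not follow a symlink planted at the path. */
    if (lstat(out, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (lchown(out, uid, gid) < 0 || chmod(out, 0700) < 0)
        return -1;
    return 0;
}

/* 1 if path is a directory owned by uid with no group/other access. */
int dir_is_private_to(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == uid && (st.st_mode & 0077) == 0;
}

int main(void)
{
    char base[] = "/tmp/hugepage-demo-XXXXXX"; /* constructed stand-in for the qemu dir */
    char path[4096];
    if (!mkdtemp(base)) return 1;
    /* Unprivileged demo: chown to ourselves; the thread's design uses the domain's user. */
    if (make_domain_hugepage_dir(base, "domainName", geteuid(), getegid(), path, sizeof path))
        return 1;
    printf("%s private: %d\n", path, dir_is_private_to(path, geteuid()));
    return 0;
}
```

Run as root with a real domain uid:gid, the same call gives each guest a directory that other guests' users cannot enter, which is the alternative to 0777 on the shared directory.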