On Mon, Nov 12, 2018 at 01:30 PM +0100, Pavel Hrdina <phrdina@xxxxxxxxxx> wrote:
> On Mon, Nov 12, 2018 at 12:50:41PM +0100, Marc Hartmayer wrote:
>> On Thu, Nov 01, 2018 at 09:31 AM +0100, Martin Kletzander <mkletzan@xxxxxxxxxx> wrote:
>
> [...]
>
>> How can you run a machine/QEMU VM under a different user:group other
>> than changing the user:group in qemu.conf and restart/reload libvirtd?
>>
>> As soon as a VM is running we do not have to verify /dev/kvm access, no?
>> (so there should be no problem when libvirtd tries to “reconnect” to
>> already running VMs).
>
> You can add this into your domain XML:
>
>   <seclabel type='static' model='dac' relabel='yes'>
>     <label>phrdina:phrdina</label>
>   </seclabel>
>
> And it will run the qemu process under that user.

Interesting :) Actually, if we consider this then the QEMU caps caching
is broken anyway since 'virQEMUCapsNewData' is calling
'virQEMUCapsNewForBinaryInternal(…, priv->runUid, priv->runGid, …)'. And
'priv->runUid/runGid' is only set once in virQEMUCapsCacheNew. Maybe I
missed something.

>
> Pavel
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list

--
Kind regards
   Marc Hartmayer

IBM Deutschland Research & Development GmbH
Chairwoman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Court of registration: Amtsgericht Stuttgart, HRB 243294
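
An added example, not part of the thread and not libvirt code: a small audit that compares the user/group configured in qemu.conf with a static DAC seclabel in a domain XML, to find guests whose QEMU process runs under a different identity than the daemon-wide one. The sample qemu.conf text, the domain name `guest1`, the function names and the `root` fallback default are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from any real host.
QEMU_CONF = '''
# user = "root"
user = "qemu"
group = "qemu"
'''

DOMAIN_XML = '''
<domain type='kvm'>
  <name>guest1</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <seclabel type='static' model='dac' relabel='yes'>
    <label>phrdina:phrdina</label>
  </seclabel>
</domain>
'''

def conf_identity(conf_text, default=("root", "root")):
    """Return (user, group) from uncommented qemu.conf assignments.
    The fallback default is an assumption; builds may differ."""
    pairs = re.findall(r'^[ \t]*(user|group)[ \t]*=[ \t]*"([^"]*)"',
                       conf_text, re.M)
    found = dict(pairs)  # a later assignment overrides an earlier one
    return found.get("user", default[0]), found.get("group", default[1])

def dac_override(domain_xml):
    """Return (user, group) from a domain-level static DAC seclabel, or None."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):  # direct children only
        if sec.get("model") == "dac" and sec.get("type") == "static":
            label = (sec.findtext("label") or "").strip()
            user, sep, group = label.partition(":")
            if sep and user and group:
                return user, group
    return None

def audit(conf_text, domain_xml):
    """Report whether the domain's QEMU identity differs from qemu.conf.
    Identities are compared as strings; names are not resolved to ids."""
    name = ET.fromstring(domain_xml).findtext("name")
    configured = conf_identity(conf_text)
    effective = dac_override(domain_xml) or configured
    return {"domain": name, "configured": configured,
            "effective": effective, "differs": effective != configured}

if __name__ == "__main__":
    print(audit(QEMU_CONF, DOMAIN_XML))
```
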