On Thu, Oct 10, 2019 at 11:29:17AM +0100, Richard W.M. Jones wrote: > On Wed, Oct 09, 2019 at 07:49:29PM -0400, Cole Robinson wrote: > > In that bug, I see that rjones (cc'd) said that libvirt not > > remembering labels/uid causes issues for libguestfs that requires > > workarounds. Rich, do you have links to threads or bug reports where > > this is described in more detail? > > I think there are two problems (which I often confuse) and they are > possibly related. This one where libvirt doesn't restore permissions > afterwards, and the other one where qemu:///session cannot be used as > root which implies that when you run libguestfs as root it doesn't > have access to things that root would normally have access to (bug 890291 > / 1045069). > > In answer to your question this is the only one I could find which is > definitely related to this bug: > > https://www.redhat.com/archives/libguestfs/2013-May/msg00115.html Anything related to device nodes & permissions/ownership shouldn't be an issue any more. We switched to create a private mount namespace for each QEMU and setup a custom /dev populated with only the devices QEMU is allowed. Thus we should no longer be touching permisisons/owners in the real /dev > Here's another one, but I think this is related to the other bug: > > https://bugs.launchpad.net/nova/+bug/1241659/comments/6 > > I suspect there are cases where openstack sets LIBGUESTFS_BACKEND=direct > to workaround one of these two bugs. > > Is fixing the qemu:///session as root problem going to also solve this? If we had a real qemu:///session mode running QEMU itself as root, then we would never change permissions/ownership. We would still need to be changing SELinux labels & so the label restore logic is needd there. We should be able to use qemu:///system & the DAC driver to run QEMU as root though. There was previously a problem wrt monitor sockets that you hit when trying this with libguestfs, but I believe that should now be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=890291#c30 If using the DAC driver to request running as root, the only remaining difference in terms of permissions is that we clear CAP_DAC_OVERRIDE, so the root user will only be able to access files which explicitly grant root access. We could fix this limitation in the DAC driver I believe to allow capabilities to be retained. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
