On 2011-02-15 05:01, Iain MacDonnell wrote:
Hi All,

I find that I am able to attach a disk device to a Xen domain, using virDomainAttachDevice(), running as a non-root user, but I am unable to use virDomainDetachDevice() - it results in an "unknown failure". Using "virsh [attach|detach]-device" exhibits this behaviour.

  $ virsh attach-device domu1 attach.xml
  Device attached successfully
  $ virsh detach-device domu1 attach.xml
  error: Failed to detach device from attach.xml
  error: Unknown failure
  $

With some digging, I determined that the problem arises when libvirt tries to translate the device name to a number, using the XenStore API (xenStoreDomainGetDiskID()), which requires use of the "xenstored" UNIX socket, and that socket is only accessible by root.

On making that socket accessible to the user (by group), virDomainAttachDevice() starts working, but I'm then unable to list domains, because xenStoreDoListDomains() waits to verify each domain using xenHypervisorHasDomain(), and that requires access to another socket - "/proc/xen/privcmd".

My question, before going down the path of trying to hack permissions for these sockets permanently..... is this how it's supposed to be, or could, perhaps, libvirtd, which runs as root, access these sockets on behalf of the user? It seems it should at least fail more gracefully....
Recall there was discussion on problems like these before, but I can't find the thread now. If I remember well, the conclusion was libvirt will need a more robust solution for non-root users' priv. And in my mind, Justin was involved in the discussion, so cc'ing him to see if he could help. :-)

Regards
Osier
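The two failure modes Iain describes both come down to plain Unix discretionary access control on a control path that libvirt touches in the caller's own process. The script below is an added example (not libvirt or Xen code) that evaluates those permissions the way the kernel does and reports, before any attach/detach is attempted, which libvirt operation from the thread is going to fail for a given uid and group set. The xenstored socket path /var/run/xenstored/socket is an assumption and varies by distribution; /proc/xen/privcmd is the path named in the thread.

```python
"""Preflight check of Unix permissions on the Xen control paths that the
libvirt Xen driver opens in the caller's process. Added example for this
thread; not libvirt's own code."""
import os
import stat
from typing import Iterable, List, Tuple

# Path -> libvirt operation it gates, as described in the thread.
# The xenstored socket location is an assumption (distribution-specific).
XEN_CONTROL_PATHS: List[Tuple[str, str]] = [
    ("/var/run/xenstored/socket",
     "virDomainDetachDevice (xenStoreDomainGetDiskID reads xenstored)"),
    ("/proc/xen/privcmd",
     "domain listing (xenHypervisorHasDomain issues hypercalls)"),
]


def unix_rw_allowed(mode: int, file_uid: int, file_gid: int,
                    uid: int, groups: Iterable[int]) -> bool:
    """Classic DAC evaluation for read+write access.

    Exactly one bit class applies: owner bits if uid matches, otherwise
    group bits if the file's group is among the caller's groups, otherwise
    'other' bits. uid 0 bypasses DAC, which is why libvirtd (running as
    root) never sees this problem while an unprivileged client does.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif file_gid in set(groups):
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(mode & r) and bool(mode & w)


def diagnose(entries, uid: int, groups: Iterable[int]) -> List[str]:
    """entries: (path, gated_operation, mode, file_uid, file_gid) tuples.
    Returns one human-readable line per operation expected to fail."""
    blocked = []
    for path, op, mode, file_uid, file_gid in entries:
        if not unix_rw_allowed(mode, file_uid, file_gid, uid, groups):
            blocked.append(
                f"{op}: {path} is mode {stat.S_IMODE(mode):04o}, "
                f"owner {file_uid}:{file_gid}, not read/write for uid {uid}")
    return blocked


def diagnose_live(uid=None, groups=None) -> List[str]:
    """Stat the real paths on this host and run the same check; a missing
    path (no Xen tools installed) is reported rather than raising."""
    uid = os.geteuid() if uid is None else uid
    groups = list(os.getgroups()) if groups is None else list(groups)
    entries, missing = [], []
    for path, op in XEN_CONTROL_PATHS:
        try:
            st = os.stat(path)
            entries.append((path, op, st.st_mode, st.st_uid, st.st_gid))
        except FileNotFoundError:
            missing.append(f"{op}: {path} does not exist on this host")
    return missing + diagnose(entries, uid, groups)


# Constructed scenarios mirroring the thread (no real host state needed).
def scenario_root_only() -> List[str]:
    """Both paths root:root 0600; caller is uid 1000 in its own group only."""
    entries = [(p, op, 0o600, 0, 0) for p, op in XEN_CONTROL_PATHS]
    return diagnose(entries, 1000, [1000])


def scenario_xenstore_group() -> List[str]:
    """xenstored socket opened to group 500 (caller is a member), privcmd
    left root-only: detach now works but listing still fails."""
    entries = [
        (XEN_CONTROL_PATHS[0][0], XEN_CONTROL_PATHS[0][1], 0o660, 0, 500),
        (XEN_CONTROL_PATHS[1][0], XEN_CONTROL_PATHS[1][1], 0o600, 0, 0),
    ]
    return diagnose(entries, 1000, [1000, 500])


if __name__ == "__main__":
    print("-- as reported in the thread (both paths root-only):")
    for line in scenario_root_only():
        print("  " + line)
    print("-- after widening only the xenstored socket by group:")
    for line in scenario_xenstore_group():
        print("  " + line)
    print("-- this host:")
    for line in diagnose_live() or ["no blocked operations"]:
        print("  " + line)
```

The second scenario reproduces the thread's observation: granting group access to the xenstored socket unblocks the XenStore lookup but leaves the privcmd hypercall device root-only, so domain listing still fails. The check deliberately models DAC bits only; it does not consider a MAC layer such as SELinux, which could deny access even when the mode bits allow it.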