On 01/15/2014 10:05 AM, Karoline Haus wrote:
This usually means that libvirt has been configured to run the qemu process as root, which introduces the possibility that a guest exploiting some theoretical security exploit in qemu could gain control of the host system. Normally libvirt installations will by default be configured to run the qemu-kvm process as user qemu, with all privilege bits cleared; either gentoo's default install of libvirt doesn't set things up this way, or you or someone else has modified /etc/libvirt/qemu.conf to change the "user" and "group" parameters to "root". To fix this problem, edit /etc/libvirt/qemu.conf and either comment out those two parameters (if they aren't already commented out), or change them to set both user and group to "qemu" (assuming that gentoo follows the standard of adding a "qemu" user when installing libvirt), then restart the libvirt service and try starting the guest again. Note, however, that this is a *warning*, not an error, so the guest should still be starting up and running. If not, then there should be some subsequent error message in the log (and/or look at the end of /var/log/libvirt/qemu/${vm}.log for error messages from qemu).
The problem is that the part that tells you something is pretty short: "Domain [...] is tainted: high-privileges"
Because when you run qemu-kvm from the commandline, it is being run as root. libvirt goes to great lengths to enable running the qemu-kvm process as "unprivileged" as possible, so that any potential security exploits in qemu-kvm will be as limited as possible in the damage they can do. Any operation that requires elevated privileges (e.g. creating a tap device to hook up the guest's networking, modifying the selinux labelling of various resources) is done by libvirt, which passes open file descriptors to the newly created resources to a qemu-kvm process that has been created running as an unprivileged user, with all privilege bits reset and pretty much all system resources limited by cgroups.
Well, in your system's libvirt configuration anyway.
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
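Added example, not part of the thread above and not libvirt's own tooling: a small POSIX sh audit of the "user" and "group" settings in /etc/libvirt/qemu.conf, showing the weak configuration (both set to "root", which produces the "high-privileges" taint) beside the corrected one. It assumes the conf uses libvirt's quoted-string syntax (user = "qemu"), that only the last uncommented assignment counts, and that the packaged default when the keys are commented out is "qemu"; the two sample config files are constructed here for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Audit the qemu process user/group that libvirt will use, as configured
# in a qemu.conf file. Example code for the discussion above, not from libvirt.

# Effective value of one key: the last uncommented `key = "value"` line wins.
# When the key is absent or commented out, libvirt uses its built-in default,
# which the caller supplies in $3 (assumed to be "qemu" for packaged builds).
qemu_conf_value() {
    conf=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# Returns 0 (true) when qemu would run as root under this config, i.e. the
# condition behind the "tainted: high-privileges" warning, and 1 otherwise.
# Also prints the effective user/group so the operator can see what was read.
qemu_conf_is_privileged() {
    conf=$1
    u=$(qemu_conf_value "$conf" user qemu)
    g=$(qemu_conf_value "$conf" group qemu)
    printf 'user=%s group=%s\n' "$u" "$g"
    [ "$u" = "root" ] || [ "$g" = "root" ]
}

# Constructed sample: the weak configuration that triggers the taint warning.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
# The user/group for QEMU processes run by the system instance.
user = "root"
group = "root"
EOF

# Constructed sample: the corrected configuration. The commented-out lines
# are how a distro-shipped qemu.conf usually looks; the explicit "qemu"
# lines are the fix described in the reply above.
fixed_conf=$(mktemp)
cat >"$fixed_conf" <<'EOF'
#user = "root"
#group = "root"
user = "qemu"
group = "qemu"
EOF

# Stand-alone use: audit the two samples, then the live config if present.
for f in "$weak_conf" "$fixed_conf" /etc/libvirt/qemu.conf; do
    [ -r "$f" ] || continue
    if qemu_conf_is_privileged "$f"; then
        echo "$f: qemu would run as root (expect 'tainted: high-privileges')"
    else
        echo "$f: qemu runs unprivileged"
    fi
done
```

After editing the real file and restarting libvirtd, confirm the change took effect on a running guest rather than trusting the config alone: check the owner of the qemu process with ps (e.g. ps -o user=,comm= -C qemu-kvm, or the qemu-system binary name your distro uses), since a guest started before the restart keeps the old credentials.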