So as a temporal fix I have changed some things to make it work, I will
leave this in case it is useful:
1. Upgrade Debian libvirt packages
I had to upgrade the libvirt packages in order to use the socket
option for virtiofs, the updates were from Debian 11 back-ports and the
packages are 'qemu qemu-kvm qemu-system qemu-utils libvirt-clients
libvirt-daemon-system virtinst' after installing you should restart
libvirtd
2. Run virtiofsd as a systemd service
In order to use the socket option, we need to run virtiofsd, I
decided to run it as a systemd service:
[Unit]
Description=Virtiofsd for sharing disk WD-WX32D5143K0L
Documentation=https://gitlab.com/virtio-fs/virtiofsd
[Service]
ExecStart=/usr/lib/qemu/virtiofsd --socket-path=/var/virtiofsd.sock
--socket-group=libvirt-qemu -o
xattr,source="/mnt/WD-Disk",xattrmap=":map:security.selinux:trusted.virtiofs.:",modcaps=+sys_admin
[Install]
WantedBy=multi-user.target
The extra options are 'xattr' for enabling those, 'source' to
declare the dir to share, 'xattrmap' so you can have different selinux
context on the host and the guest, 'modcaps' so it is able to set
trusted xattr. The service should run as root.
3. Add the xml to the vm
With virsh edit you should edit the domain xml of the vm, on the
filesystem part to use the socket:
<filesystem type='mount'>
<driver type='virtiofs' queue='1024'/>
<source socket='/var/virtiofsd.sock'/>
<target dir='media'/>
<alias name='fs0'/>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00'
function='0x0'/>
</filesystem>
I know that it may not be the most secure way but it is the best way I
could found to have a non selinux host with a selinux guest.
On 19/05/22 03:41, Michal Prívozník - mprivozn(a)redhat.com wrote:
On 5/19/22 00:53, ksobrenat32 wrote:
Hi!
I have a debian 11 (bullseye) machine running libvirtd version 7.0.0 and
a RHEL 9 virtual machine that I need to share a disk and though about
virtiofs.
The disk is a btrfs disk and I have successfully mount it with:
<filesystem type='mount' accessmode='passthrough'>
<driver type='virtiofs' queue='1024'/>
<binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
<cache mode='always'/>
<lock posix='on' flock='on'/>
</binary>
<source dir='/mnt/WD-Disk'/>
<target dir='media'/>
<alias name='fs0'/>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00'
function='0x0'/>
</filesystem>
The problem I have is with selinux, when I try to change the context of
a file inside the virtual machine I get a 'Operation not permitted'
error, I can change the context in the Debian host and see the changes
in the virtual machine but I would want to be able to change the context
from the vm to able to use podman containers with selinux enabled.
I see on the docs
https://qemu.readthedocs.io/en/latest/tools/virtiofsd.html#selinux-support
you can run virtiofsd with a xattr option so it is compatible with
selinux but I do not find a way to change the domain xml to add this
option, is there a way to add this option? Does a better option exists
(maybe on the guest side)?
Yeah, I don't think this was implemented. However, virtiofsd is running
as root:root and with no capabilities dropped. So I guess what we're
missing here is -o security_label or might as well implement the remap
as docs suggest which is much safer.
Michal
