[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
Laszlo Ersek
lersek at redhat.com
Tue Mar 22 16:14:56 UTC 2022
On 03/22/22 15:51, Daniel P. Berrangé wrote:
> On Tue, Mar 22, 2022 at 02:35:54PM +0000, Richard W.M. Jones wrote:
>> For fuller explanation see:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2066773#c1
>>
>> I'm not very happy with this patch for a few reasons:
>>
>> - Does every distro use "qemu" as the user that runs qemu?
>
> Not sure, but you can query this from libvirt
>
> # virsh capabilities | xmllint -xpath '//secmodel[./model="dac"]/baselabel[@type="kvm"]' -
> <baselabel type="kvm">+107:+107</baselabel>
There is XML support in OCaml, and I guess we can figure out if we use
TCG vs. KVM, so the "xmllint" command could be written in v2v.
I'm not sure about "virsh capabilities" :/ Would we need to wrap
virConnectGetCapabilities() <https://libvirt.org/formatcaps.html>?
Thanks,
Laszlo
>
> The base level here is the label that any files must have in order
> to be writable by QEMU, using a default process label.
>
> In the case of the 'dac' model this is a UID:GID pair (+ indicates
> numeric ID, as opposed to a username with all numbers).
>
> NB, this doesn't apply if you're overriding the default label to
> use a distinct UID per VM, but I assume v2v isn't doing that and
> controls its own VMs
>
>> - Having to run an external process (not a big deal, but a bit clumsy)
>
> In theory libacl gives you programmatic API for this.
>
>> - Aren't ACLs actually deprecated?
>
> Not that I know of.
>
> With regards,
> Daniel
>
More information about the Libguestfs
mailing list