[Libguestfs] [PATCH] lib: libvirt: If root, run qemu as root.root.

Richard W.M. Jones rjones at redhat.com
Tue Mar 14 14:10:31 UTC 2017


On Tue, Mar 14, 2017 at 01:50:58PM +0000, Richard W.M. Jones wrote:
> Previously we had assumed that when running as root, libvirt would
> always run qemu as a non-root user (e.g. qemu.qemu), unless you modify
> a global configuration file (/etc/libvirt/qemu.conf).
> 
> It turns out there is a little-known feature to make libvirt run qemu
> as root without modifying any configuration files.  We have to add a
> <seclabel/> element to the appliance XML:
> 
>   <seclabel type='static' model='dac' relabel='no'>
>     <label>root:root</label>
>   </seclabel>

There is a hidden problem with this patch which was discussed on IRC:

Libvirt drops all capabilities from the qemu process before running it
as root.  This means that although it runs as the root user, it cannot
do usual root-like things.  In particular it cannot access files as
the root owner (it will access them as if "other", so a file with mode
0644 for example can only be opened for reading).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
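
Added example, not part of the original message or of libguestfs: a check for the state the reply describes (a process running as UID 0 whose capabilities have been dropped), done by parsing /proc/<pid>/status. The sample status texts are constructed, the function names are hypothetical, and the bit numbers are those in linux/capability.h.

```python
import re
import sys

# Bit numbers from linux/capability.h for the capabilities that let a
# process bypass file permission checks.
FILE_CAPS = {"CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_FOWNER": 3}

# Constructed samples in /proc/<pid>/status format (not captured output).
SAMPLE_DROPPED = ("Name:\tqemu-system-x86\nUid:\t0\t0\t0\t0\n"
                  "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
SAMPLE_FULL = ("Name:\tbash\nUid:\t0\t0\t0\t0\n"
               "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n")
SAMPLE_USER = ("Name:\tqemu-system-x86\nUid:\t107\t107\t107\t107\n"
               "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")


def parse_status(text):
    """Extract effective UID and capability masks from status text."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    return {
        "euid": int(fields["Uid"].split()[1]),  # real, effective, saved, fs
        "eff": int(fields["CapEff"], 16),
        "prm": int(fields["CapPrm"], 16),
    }


def file_caps_held(mask):
    """Names of the file-access capabilities set in a capability mask."""
    return sorted(n for n, bit in FILE_CAPS.items() if (mask >> bit) & 1)


def classify(text):
    st = parse_status(text)
    if st["euid"] != 0:
        return "non-root"
    held = file_caps_held(st["eff"])
    if held:
        return "root with " + ",".join(held)
    if file_caps_held(st["prm"]):
        # Permitted but not effective: the process could raise them again.
        return "root, file capabilities permitted but not effective"
    return "root without file-access capabilities"


if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid>
    with open(f"/proc/{sys.argv[1]}/status") as f:
        print(classify(f.read()))
```

Run against the PID of a libvirt-launched qemu process, this shows whether UID 0 there still carries any of the capabilities that bypass file permission checks.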



