[libvirt] [PATCH] spec: Yet another permission fix for qemu dirs
Martin Kletzander
mkletzan at redhat.com
Wed Feb 25 14:08:03 UTC 2015
On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
>On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
>> Since we autogenerate path for QEMU guest agent into
>> LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be
>> able to access that socket no matter under what user/group it is
>> running so you can set the user/group in qemu.conf.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
>
>> %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
>> %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
>> %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
>> %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
>> %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
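Review bot: The three added `%attr(0751, ...)` lines for qemu/, channel/ and channel/target/ grant only search (x) to "other", so a QEMU process running under a user/group other than %{qemu_user}:%{qemu_group} can traverse these directories but still cannot create a socket in them, because creating a directory entry needs write permission on the directory. The commit message says the process "should be able to access that socket no matter under what user/group it is running"; either narrow that wording to traversal of existing sockets, or rework the change so socket creation is covered as well. The unchanged nvram/ line right below uses 0711, so it is also worth stating why these three get group read (0751) rather than matching it.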
>
>I'm confused how this solves the problem. If I edit a guest and add
>
> <seclabel type='static' model='dac' relabel='yes'>
> <label>berrange:berrange</label>
> </seclabel>
>
>And launch it, it fails to create the QEMU monitor socket
>
> error: Failed to start domain serial
> error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
> 2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed
>
>Because a process running berrange:berrange does not have write permission on
>the /var/lib/libvirt/qemu directory.
>
Yes. I'm still thinking about how to make this *just work* for
various users on the same system. The only valid thing would seem to
be to pass an fd for such sockets, which I don't know whether QEMU supports.

>Changing the mode to 0751 doesn't do anything to solve that. After setting the
>dir to mode 0751 qemu still gets the same permission denied when creating the
>monitor socket as it still lacks write permission.
>
I realized that a while after I sent it and I replied to John that
this doesn't fix the problem. I was just in the middle of writing
that mail when you replied (probably).

>Regards,
>Daniel
>--
>|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
>|: http://libvirt.org -o- http://virt-manager.org :|
>|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
>|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
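
As an added illustration that is not part of the original mail or of libvirt's code: a small model of the POSIX owner/group/other check applied to the three directories from the patch, showing that 0751 gives a foreign user search access but not the write access that bind() needs. The uid/gid values and function names are constructed for the example, and the model ignores root/capability overrides and ACLs.

```python
# Constructed sample IDs (assumptions, not taken from the thread).
QEMU_UID, QEMU_GID = 107, 107
OTHER_UID, OTHER_GID = 1000, 1000      # stands in for berrange:berrange

X, W = 1, 2                            # search and write bits within one rwx triplet


def dac_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet that applies to the process.

    POSIX selects exactly one class (owner, else group, else other);
    a denied owner or group member does not fall through to 'other'.
    """
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def socket_access(dirs, uid, gids):
    """dirs: [(mode, owner_uid, owner_gid), ...] ordered down to the socket's parent.

    Returns (can_reach, can_bind):
      can_reach - search permission on every directory, needed to connect()
                  to a socket that already exists there
      can_bind  - can_reach plus write on the last directory, needed for
                  bind() to create the socket's directory entry
    """
    bits = [dac_bits(m, ou, og, uid, gids) for m, ou, og in dirs]
    can_reach = all(b & X for b in bits)
    can_bind = can_reach and bool(bits[-1] & W)
    return can_reach, can_bind


def spec_chain(mode):
    """qemu/, channel/, channel/target/ with the mode and owner the spec file declares."""
    return [(mode, QEMU_UID, QEMU_GID)] * 3


if __name__ == "__main__":
    for mode in (0o750, 0o751):
        for name, uid, gids in (("qemu", QEMU_UID, {QEMU_GID}),
                                ("other", OTHER_UID, {OTHER_GID})):
            reach, bind = socket_access(spec_chain(mode), uid, gids)
            print(f"{mode:04o} {name:5} reach={reach} bind={bind}")
```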