[libvirt] [PATCH] spec: Yet another permission fix for qemu dirs

Daniel P. Berrange berrange at redhat.com
Wed Feb 25 14:12:44 UTC 2015


On Wed, Feb 25, 2015 at 03:08:03PM +0100, Martin Kletzander wrote:
> On Wed, Feb 25, 2015 at 01:29:31PM +0000, Daniel P. Berrange wrote:
> >On Wed, Feb 25, 2015 at 09:50:27AM +0100, Martin Kletzander wrote:
> >>Since we autogenerate path for QEMU guest agent into
> >>LOCALSTATEDIR /lib/libvirt/qemu/channel/target/, the process should be
> >>able to access that socket no matter under what user/group it is
> >>running so you can set the user/group in qemu.conf.
> >>
> >>Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
> >
> >> %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
> >> %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
> >> %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
> >>-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> >>-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
> >>-%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
> >>+%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> >>+%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/
> >>+%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/channel/target/
> >> %dir %attr(0711, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/nvram/
> >> %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
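Review bot: on the three lines that go from 0750 to 0751 the only change is o+x on the directory; neither the owner nor the group class gains write, so a QEMU process running as any user:group other than %{qemu_user}:%{qemu_group} (the case the commit message says this fixes) still cannot create a socket under %{_localstatedir}/lib/libvirt/qemu/ or .../channel/target/, because bind(2) needs write permission on the parent directory and search permission only lets the process reach an inode that already exists. A process that keeps the standard group but changes the user is no better off: the group class stays r-x. Either the directories need to become group-writable or per-guest-writable for this to work, or, if the expectation is that the socket is created beforehand by libvirtd and the QEMU child only opens it, the commit message should say so and name the socket file mode that relies on. Also worth a sentence in the commit message: o+x on %{_localstatedir}/lib/libvirt/qemu/ now lets every local user traverse into the directory holding the monitor sockets, so the modes of the socket inodes themselves become the only barrier.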
> >
> >I'm confused how this solves the problem.  If I edit a guest and add
> >
> > <seclabel type='static' model='dac' relabel='yes'>
> >   <label>berrange:berrange</label>
> > </seclabel>
> >
> >And launch it, it fails to create the QEMU monitor socket
> >
> > error: Failed to start domain serial
> > error: internal error: process exited while connecting to monitor: 2015-02-25T13:26:51.620498Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: Failed to bind socket: Permission denied
> > 2015-02-25T13:26:51.620608Z qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/serial.monitor,server,nowait: chardev: opening backend "socket" failed
> >
> >Because a process running berrange:berrange does not have write permission on
> >the /var/lib/libvirt/qemu directory.
> >
> 
> Yes.  I'm still thinking about how to make this *just work* for
> > various users on the same system.  The only valid thing would seem to
> > be to pass an fd for such sockets, which I don't know whether QEMU supports.

We could argue it is just a documentation task.

ie, you are free to choose any user you wish, but must always keep the
standard qemu group. Or you are free to choose any group but must keep
the standard qemu user. iow they're not allowed to change both.

If we want to make it just work though, I think we'd have to stop putting
the sockets in /var/lib/libvirt/qemu directly and create one subdir per
guest. So set

   /var/lib/libvirt/qemu - 0751

and create a directory

   /var/lib/libvirt/qemu/$GUESTNAME  $user:group 0770

which is owned by the user+group of the QEMU process as per the XML

and then put all the UNIX sockets in

   /var/lib/libvirt/qemu/$GUESTNAME/monitor.sock
   /var/lib/libvirt/qemu/$GUESTNAME/org.qemu.guest.agent.1.sock
   etc

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
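To make the search-versus-write distinction behind this thread concrete, here is a small model of the Unix DAC checks a QEMU process hits when it binds or connects to its monitor socket, applied to both the flat 0751 directory from the patch and the per-guest 0770 subdirectory proposed above, and to the "change the user but keep the standard group" option. It is an example written for this page, not libvirt or QEMU code; the uids/gids (qemu=107, berrange=1000), the extra local user "mallory" (1001) and the socket modes are constructed assumptions.

```python
"""Model of the Unix DAC checks QEMU hits when it binds or connects to its
monitor / guest-agent UNIX socket, applied to the flat 0751 directory from
the patch and the per-guest 0770 subdirectory proposed in the reply.
Illustrative model written for this page, not libvirt or QEMU code; the
uids/gids (qemu=107, berrange=1000) and user 'mallory' (1001) are constructed.
"""
import posixpath
from dataclasses import dataclass

R, W, X = 0o4, 0o2, 0o1

@dataclass(frozen=True)
class Node:
    """A directory or socket inode: permission bits, owner uid, group gid."""
    mode: int
    uid: int
    gid: int

@dataclass(frozen=True)
class Proc:
    """Credentials of the accessing process (e.g. the QEMU child)."""
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups

def perm_bits(node, proc):
    """Unix picks exactly one class: owner if uid matches, else group if the
    gid or a supplementary group matches, else other. Bits are never unioned.
    uid 0 bypasses DAC (CAP_DAC_OVERRIDE)."""
    if proc.uid == 0:
        return R | W | X
    if proc.uid == node.uid:
        return (node.mode >> 6) & 0o7
    if proc.gid == node.gid or node.gid in proc.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def _search(fs, path, proc):
    """Error string if any directory on the way to path lacks search (x)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if d not in fs:
            return f"{d}: no such directory"
        if not perm_bits(fs[d], proc) & X:
            return f"{d}: no search permission"
    return None

def can_bind(fs, sock_path, proc):
    """bind(2) creates an inode: needs search on every ancestor plus write on
    the parent directory. Search (o+x) alone does not allow creation."""
    err = _search(fs, sock_path, proc)
    if err:
        return False, err
    parent = posixpath.dirname(sock_path)
    if not perm_bits(fs[parent], proc) & W:
        return False, f"{parent}: no write permission, bind fails with EACCES"
    return True, "ok"

def can_connect(fs, sock_path, proc):
    """connect(2) needs search on the ancestors and write permission on the
    socket inode; with o+x on the parent, the socket mode is the only barrier."""
    err = _search(fs, sock_path, proc)
    if err:
        return False, err
    if sock_path not in fs:
        return False, f"{sock_path}: no such socket"
    if not perm_bits(fs[sock_path], proc) & W:
        return False, f"{sock_path}: no write permission on socket"
    return True, "ok"

# Constructed identities and the two layouts under discussion.
QEMU = Proc(107, 107)
BERRANGE = Proc(1000, 1000)
BERRANGE_QEMU_GROUP = Proc(1000, 107)   # custom user, standard qemu group
MALLORY = Proc(1001, 1001)              # unrelated local user
COMMON = {"/var": Node(0o755, 0, 0), "/var/lib": Node(0o755, 0, 0),
          "/var/lib/libvirt": Node(0o755, 0, 0)}
# Patch: sockets directly inside a flat 0751 qemu:qemu directory.
FLAT = {**COMMON, "/var/lib/libvirt/qemu": Node(0o751, 107, 107)}
FLAT_SOCK = "/var/lib/libvirt/qemu/serial.monitor"
# Reply: one 0770 subdirectory per guest, owned per the domain's DAC seclabel.
PER_GUEST = {**FLAT, "/var/lib/libvirt/qemu/serial": Node(0o770, 1000, 1000)}
PER_GUEST_SOCK = "/var/lib/libvirt/qemu/serial/monitor.sock"

if __name__ == "__main__":
    for who, p in [("qemu", QEMU), ("berrange", BERRANGE),
                   ("berrange:qemu", BERRANGE_QEMU_GROUP), ("mallory", MALLORY)]:
        print(f"flat 0751      bind as {who}:", can_bind(FLAT, FLAT_SOCK, p))
        print(f"per-guest 0770 bind as {who}:", can_bind(PER_GUEST, PER_GUEST_SOCK, p))
    # Example socket modes, to show what o+x on the parent directory exposes.
    for mode in (0o775, 0o777):
        fs = {**FLAT, FLAT_SOCK: Node(mode, 107, 107)}
        print(f"mallory connect, socket {mode:04o}:", can_connect(fs, FLAT_SOCK, MALLORY))
```

Running it shows that under the 0751 layout only the qemu user itself can bind a new socket: berrange:berrange gets the other class (--x) and berrange:qemu gets the group class (r-x), and neither has write, so the "keep the standard group" option only works if the directory is also made group-writable. Under the per-guest 0770 layout the guest's own user:group can bind while every other non-root user fails already at the search check on the guest directory. The o+x on the parent only matters once a socket exists, at which point the socket inode's own mode decides who can connect, which is the caveat to keep in mind when widening these directory modes.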



