[libvirt] Problem configuring selective dropping of root

Pavel Hrdina phrdina at redhat.com
Tue Jul 9 12:26:08 UTC 2019 

On Tue, Jul 09, 2019 at 02:03:15PM +0200, Stephan von Krawczynski wrote:
> On Tue, 9 Jul 2019 09:40:23 +0100
> Daniel P. Berrangé <berrange at redhat.com> wrote:
> 
> > On Mon, Jul 08, 2019 at 09:47:24PM +0200, Stephan von Krawczynski wrote:
> > > Hello list,
> > > 
> > > I came across a fundamental flaw in the libvirt user configuration lately
> > > and try to find a solution now. Here is the problem:
> > > I run several qemu instances on arch linux all configured via libvirt. The
> > > default config as user nobody:kvm was fine up to the day I tried to use a
> > > host filesystem via 9p. If you want to gain all user rights on the guest
> > > inside that fs you have to run qemu as root. So far so good. But if you
> > > have several qemus running and only one needs to be root, what to do? You
> > > can try to give a -runas by using <qemu:args>. But that does not work,
> > > qemu instantly crashes. I think this is because to have _one_ root qemu,
> > > you have to configure libvirt to use root user. This means all rights to
> > > fs and so on are set to root and this is what lets qemu probably go crazy
> > > if dropping root by -runas. The whole thing would be a lot easier and more
> > > transparent if the user in libvirt wouldn't be a global config, but
> > > instead be part of the domain xml. This way every qemu started could use a
> > > different user and have different rights.
> > > In my case all but one could be nobody:kvm, and one root:root.
> > > This should not be to complicated based on whats already there, is it?  
> > 
> > Libvirt needs to know about the user/group QEMU is running at in order to
> > ensure it gets given access to the various files it needs to use. If you
> > look at the XML of the running guest you should see a <seclabel> describing
> > the user/group it is running as currently.
> > 
> > If no <seclabel> is in the offline config, libvirt adds the default
> > seclabel, but if you want a different user/group, you can add the
> > <seclabel> yourself.
> > 
> > Regards,
> > Daniel
> 
> Hello Daniel,
> 
> well, tried that (as good as the docs are) by adding:
> 
> <seclabel type='dynamic' model='dac'>
> 	<label>nobody:kvm</label>
> </seclabel>
> 
> This edit worked in virsh without giving errors.
> Starting the domain and then looking into the xml showed:
> 
>   <seclabel type='dynamic' model='dac' relabel='yes'/>
> 
> Consequently qemu runs still as root. My user:group setting simply vanished.
> 
> I think at least some better docs are needed with a striking example of how to
> change user and group ...
> I may be biased, but how to set user and group is probably the most basic
> example of how to use seclabel - and I cannot find one.

I agree that the documentation is not the best one.

You need to use type='static' relabel='yes':

<seclabel type='static' model='dac' relabel='yes'>
  <label>nobody:kvm</label>
</seclabel>

To achieve that.

In addition if you would like to have only one VM as root:root you
should keep the default config as nobody:kvm and use the root:root for
that specific VM.

Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20190709/652a0962/attachment-0001.sig>

More information about the libvir-list mailing list