[libvirt] [PATCH v4 18/25] security: Don't remember owner for shared resources

Daniel P. Berrangé berrange at redhat.com
Thu Jun 20 11:58:59 UTC 2019 

On Thu, Jun 20, 2019 at 12:23:07PM +0200, Michal Privoznik wrote:
> On 6/17/19 3:29 PM, Daniel P. Berrangé wrote:
> > On Thu, Apr 25, 2019 at 10:19:54AM +0200, Michal Privoznik wrote:
> > > This effectively reverts d7420430ce6 and adds new code.
> > > 
> > > Here is the problem: Imagine a file X that is to be shared
> > > between two domains as a disk. Let the first domain (vm1) have
> > > seclabel remembering turned on and the other (vm2) has it turned
> > > off. Assume that both domains will run under the same user, but
> > > the original owner of X is different (i.e. trying to access X
> > > without relabelling leads to EPERM).
> > 
> > How do we get into this situation ?  Is this the case when we
> > have a guest which was running before libvirt was upgraded, and
> > then a new guest is launched ?
> 
> Yes, that's one of the possible scenarios. Another possible scenario would
> be (and this won't happen yet in reality beacuse NFS still does not
> implement XATTRs, but once they do we might hit it): two daemons and one
> shared NFS mount. One of the daemons has the feature enabled, the other has
> it disabled. But as I say, this won't happen with NFS today. But maybe there
> are some other shared filesystems which do implement XATTRs?

IMHO if you are using a set of virt hosts with a shared NFS and have only
enabled label mgmt on a subset of hosts that's a deployment error in
general.

Having said that, this is precisely the scearnio you'd have if you are
part way through a libvirt upgrade across many hosts.

Our core problem is that we have zero knowledge about other hosts, neither
their config, or even whether they exist at all, so we can't do the safe
thing automatically.

I'm still not a fan of just giving up & deleting the feature though.

How about we create a qemu.conf option to turn on/off label mgmt for
shared volumes, defaulting to off.  Document that it should only be
turned off if all hosts are participating & no historical VMs are
running ?

In theory on upgrade, we could look at all running VMs on our own host
and record the ref count data that is otherwise missing. That could at
least let it work correctly on a the single-host non-shared FS scenario.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list