[libvirt] Change virQEMUDriverConfig defaults?

Daniel P. Berrangé berrange at redhat.com
Thu Nov 28 10:15:43 UTC 2019 

On Thu, Nov 28, 2019 at 09:34:36AM +0100, Michal Privoznik wrote:
> Dear list,
> 
> lately I was confronted with the way how KubeVirt uses libvirt. They run it
> inside a docker container with UID mapping and some capabilities dropped.
> See [1] for more info. Problem is that because of the way we initialize our
> defaults they had to disable some features.

Is that really "a problem" though ? The config file exists precisely so
that admins/apps can customize the behaviour of libvirtd, so this sounds
like it is working as intended. If you are runing libvirtd privileged
but restricting capabilities, I think it is not unreasonable to turn off
features in libvirtd.

Or to put it another way. Kubevirt has decided they don't need certain
features in libvirtd so they wish to disable their use. With them disabled
they now have the ability to turn off some capabilities when running
libvirtd.

>                                             Specifically,
> virQEMUDriverConfigNew() is passed @privileged argument which equals
> geteuid() == 0. Apparently, due to UID mapping this leads us to create not
> valid defaults. For instance, rememberOwner will be set to true in this
> case, but trying to write any XATTR is going to fail because the container
> and subsequently libvirtd does have CAP_SYS_ADMIN (and writing trusted.*
> XATTRs is reserve to CAP_SYS_ADMIN). Similarly, dynamicOwnership won't work
> unless CAP_CHOWN is granted and if SELinux driver is enabled then we will
> also need CAP_SYS_ADMIN because setfilecon_raw() does nothing more than
> write XATTR [2].
> So instead of using @privileged we could use capabilities to enable/disable
> features by default. There is one problem with this though - do we know the
> full set of capabilities we need for given feature? For instance, does
> rememberOwner needs just CAP_SYS_ADMIN or also some other capability?

It is technically possible to check capabilities & dynamically change
features use. As you say though, the challenge with checking capabilities
is figuring out exactly which ones we want/need to have for each feature,
especially if we're calling out to 3rd party libraries.

I would also note that capabilities are Linux specific, so we'll still
need the fallback to UID checks.

> Users could still override our defaults through qemu.conf, but I can see us
> throwing a warning if they are trying to enable say rememberOwner while the
> libvird lacks CAP_SYS_ADMIN.
> 
> What is your opinion?

We certainly could do something but I'm not convinced there's a real
problem here that needs addressing.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list