[PATCH] qemu: don't reject virtiofs for qemu:///session

Cole Robinson crobinso at redhat.com
Mon Mar 29 19:34:07 UTC 2021 

On 3/29/21 6:52 AM, Ján Tomko wrote:
> On a Friday in 2021, Cole Robinson wrote:
>> Currently libvirt rejects attempts to use virtiofs with
>> qemu:///session. Indeed virtiofs does not have a chance of working
>> with typical session usage, because virtiofsd needs multiple linux
>> capabilities to perform its job. The only way to do this with out
>> of the box qemu packaging is to run virtiofsd as root, so libvirtd
>> must run as root, so qemu:///system is required.
>>
>> But it's possible that a custom environment could setuid or set
>> file capabilities on the virtiofsd binary. In this case qemu:///session
>> would work fine. This may be an option for kubevirt to help them
>> transition to using qemu:///session everywhere
>>
>> Drop the two pieces that block virtiofs for qemu:///session. Attempts
>> to use virtiofs for stock qemu:///session will fail at qemu startup,
>> though it's a bit opaque:
>>
>> error: Failed to start domain 'f32'
>> error: internal error: qemu unexpectedly closed the monitor:
>> 2021-03-26T16:26:12.459293Z qemu-system-x86_64: -device
>> vhost-user-fs-pci,chardev=chr-vu-fs0,tag=/foovirtiofs,bus=pci.10,addr=0x0:
>> Failed to write msg. Wrote -1 instead of 12.
>> 2021-03-26T16:26:12.459317Z qemu-system-x86_64: -device
>> vhost-user-fs-pci,chardev=chr-vu-fs0,tag=/foovirtiofs,bus=pci.10,addr=0x0:
>> vhost_dev_init failed: Operation not permitted
>>
> 
> That is not a friendly error message for regular users.
> 
> Some alternatives come to mind:
> * XML element telling libvirt to ignore the check/do not set the UID.
>   The downside is, that we usually do this via:
>     <seclabel relabel='no'/>
>   and the seclabel code makes my head hurt.
> * Introduce a QEMU capability for this, that kubevirt could set via
>   <qemu:capabilities>
>   https://libvirt.org/drvqemu.html#xmlnsfeatures
> * Introduce the capability to 50-qemu-virtiofsd.json
> * Wait until the lockdown eases up and I finally post the patches
>   for externally launched virtiofsd
>   https://bugzilla.redhat.com/show_bug.cgi?id=1855789
> 

I don't have much of an opinion. The latter will be useful for CNV
someday but it will take some rearchitechting on their part

>> Signed-off-by: Cole Robinson <crobinso at redhat.com>
>> ---
>> The SetUID/SetGID bits don't seem to be necessary for qemu:///system
>> usage AFAICT, but it's a bit tough to decode virSetUIDGIDWithCaps.
> 
> I *think* the only difference without the two virCommandSet?ID calls
> is that we error out if UID/GID 0 can't be set. But yes it's tough
> to read.
> 

I just tested with the qemu_validate.c removal only, so SetUID still in
place. The error:

error: Failed to start domain 'f32'
error: internal error: process exited while connecting to monitor:
2021-03-29T19:11:41.217583Z qemu-system-x86_64: -chardev
socket,id=chr-vu-fs0,path=/home/crobinso/.config/libvirt/qemu/lib/domain-3-f32/fs0-fs.sock:
Failed to connect to
'/home/crobinso/.config/libvirt/qemu/lib/domain-3-f32/fs0-fs.sock':
Connection refused

virtiofsd log has:
libvirt:  error : internal error: cannot apply process capabilities -5

So seems like libvirt error reporting here needs some tweaks regardless.
Maybe if catching virtiofsd startup error is improved it will improve
the first error case as well.

- Cole

More information about the libvir-list mailing list