[libvirt-users] Xen disk device detach fails as non-root [libvirt-0.8.7 and older versions]

Osier Yang jyang at redhat.com
Tue Feb 15 05:29:26 UTC 2011


On 2011-02-15 05:01, Iain MacDonnell wrote:
> Hi All,
>
> I find that I am able to attach a disk device to a Xen domain, using
> virDomainAttachDevice(), running as a non-root user, but I am unable
> to use virDomainDetachDevice() - it results in an "unknown failure".
> Using "virsh [attach|detach]-device" exhibits this behaviour.
>
> $ virsh attach-device domu1 attach.xml
> Device attached successfully
>
> $ virsh detach-device domu1 attach.xml
> error: Failed to detach device from attach.xml
> error: Unknown failure
>
> $
>
> With some digging, I determined that the problem arises when libvirt
> tries to translate the device name to a number, using the XenStore API
> (xenStoreDomainGetDiskID()), which requires use of the "xenstored"
> UNIX socket, and that socket is only accessible by root. On making
> that socket accessible to the user (by group), virDomainAttachDevice()
> starts working, but I'm then unable to list domains, because
> xenStoreDoListDomains() waits to verify each domain using
> xenHypervisorHasDomain(), and that requires access to another socket -
> "/proc/xen/privcmd"
>
> My question, before going down the path of trying to hack permissions
> for these sockets permanently ..... is this how it's supposed to be,
> or could, perhaps, libvirtd, which runs as root, access these sockets
> on behalf of the user? It seems it should at least fail more
> gracefully....

I recall there was discussion on problems like these before, but I can't
find the thread now. If I remember well, the conclusion was that libvirt
will need a more robust solution for non-root users' privileges.

And in my mind, Justin was involved in the discussion, so I'm cc'ing him
to see if he could help. :-)

Regards
Osier



