[libvirt-users] filesystem accessmode='passthrough'

Daniel P. Berrange berrange at redhat.com
Fri Jul 26 09:07:27 UTC 2013 

On Fri, Jul 26, 2013 at 10:24:52AM +0400, Yury Goltsov wrote:
> Hello.
> I am trying to 'passthrough' the part of host filesystem to kvm guest.
> libvirt xml:
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/var/guests/mail-var'/>
>       <target dir='mail-var'/>
>     </filesystem>
> kvm is started from root.
> 
> After mounting in guest
> 	mount -t 9p mail-var /mnt -o trans=virtio,version=9p2000.L
> or
> 	mount -t 9p www-var /mnt -o trans=virtio
> if I try to make file or directory in guest, I have problem with permissions:
> 	ruser at www:~# ls -ld /mnt/ruser/
> 	drwxr-xr-x 2 ruser www-data 4096 May 28 13:13 /mnt/ruser/
> 	ruser at www:~# ls -ld /mnt/tmp/
> 	drwxrwxrwx 2 root root 4096 Jul 26 09:01 /mnt/tmp/
> 
> 	root at www:~# touch /mnt/tmp/file1
> 		OK:
> 	root at www:~# touch /mnt/ruser/file2
> 	touch: cannot touch `/mnt/ruser/file2': Permission denied
> 
> 	root at www:~# su ruser
> 	ruser at www:~$ touch /mnt/ruser/file3
> 	touch: cannot touch `/mnt/ruser/file3': Permission denied
> 	ruser at www:~$ touch /mnt/tmp/file4
> 	touch: setting times of `/mnt/tmp/file4': No such file or directory
> 
> I have read in documentation, that in "passthrough" security model, 
> files are stored using the same credentials as they are created on the guest (like NFS3).
> 
> Suggest me, please, what is it:
> 	I do something wrong, or I must update qemu-kvm or/and libvirt to recent version,
> 	or I need to find other solution for sharing host filesystem?

You have to remember that the QEMU processes on the host is running
as qemu:qemu by default, without any capabilities. So with passthrough
mode, the guest will see all the correct user/group owners, but it will
still not be able to write to arbitrary files. It'll only be able to
write stuff which is owned qemu:qemu, or has global write permission
(like /tmp does in your example)


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvirt-users mailing list