libvirt dynamic file ownership

Michal Prívozník mprivozn at redhat.com
Mon Mar 23 16:26:14 UTC 2020 

On 20. 3. 2020 20:57, Martin Kletzander wrote:
> On Fri, Mar 20, 2020 at 03:38:36PM +0000, Joe Muro wrote:
>> Hi,
>>
> 
> Hi, could you please configure your client to send plaintext version as
> well?
> We mainly prefer plaintext on this list ;-)
> 
>> I am trying to understand libvirt dynamic ownership behavior. I have a
>> VM that
>> uses a qcow2 image with the following permissions:
>>
>> $ ll t257kvxg-10-20-101-40.qcow2
>> -rw-r--r-- 1 jmuro libvirt 2279079936 Mar 20 11:10
>> t257kvxg-10-20-101-40.qcow2
>>
>> When I start the domain the permissions are changed:
>>
>> $ virsh start t257kvxg-10-20-101-40
>> Domain t257kvxg-10-20-101-40 started
>> $ ll t257kvxg-10-20-101-40.qcow2
>> -rw-r--r-- 1 libvirt-qemu libvirt 2279079936 Mar 20 11:18
>> t257kvxg-10-20-101-40.qcow2
>>
>> This is expected behavior based on the settings in
>> /etc/libvirt/qemu.conf:
>>
>> user = "libvirt-qemu"
>> group = "libvirt"
>> # Whether libvirt should dynamically change file ownership
>> # to match the configured user/group above. Defaults to 1.
>> # Set to 0 to disable file ownership changes.
>> #dynamic_ownership = 1
>>
>> However, when I shutdown the domain, the file permissions revert to root.
>>
>> $ ll t257kvxg-10-20-101-40.qcow2
>> -rw-r--r-- 1 root root 2282749952 Mar 20 11:20
>> t257kvxg-10-20-101-40.qcow2
>>
>> I expect libvirt to revert the file permissions back to the original.
>> Otherwise, a regular user would lose ownership of the image file.
>> FWIW: I am
>> starting the domain as a non-root user under qemu:///system
>>
> 
> This has always been the case because the original information is lost
> (which is
> actually not that easy to store properly, race-free, etc.) and the
> safest way to
> make sure nobody accesses the disks (e.g. another domain running under
> libvirt-qemu:libvirt, that would get exploited) is to just change it to
> root:root.  Michal finally managed to make this work, in limited cases,
> but I
> think it landed in 6.1.0, I'm not sure.
> 
> Anyway, there are some workarounds you can do:
> 
>  a) set relabel=no for the disk in the XML (and make sure the VM will be
> able to
>     access it),
> 
>  b) set relabel=no for the whole domain (and make sure the VM will be
> able to
>     access everything), or
> 
>  c) if worse comes to worse, just disable the whole dynamic ownership
> and handle
>     it yourself
> 
> If possible, try upgrading libvirt and checking if that helps.

Remembering of the original owner was enabled even in 6.0.0, but there
are some prerequisites:

1) the FS that hosts the image must be capable of XATTRs. Note the NFS
still isn't.

2) the disk XML. Can you please share the <disk/> snippet for this disk?
It needs to be the top most layer of backing chain (if you have some
snapshots over it).

Upgrading to 6.1.0 would help though, because I'm constantly fixing some
bugs in that area as I go along.

BTW: you can check if the original owner remembering is enabled for your
domain if you look whether the domain status XML has rememberOwner set:

grep rememberOwner /var/run/libvirt/qemu/$domain.xml

Michal

More information about the libvirt-users mailing list