[Ovirt-devel] root access required?

Daniel P. Berrange berrange at redhat.com
Mon Sep 8 16:08:16 UTC 2008

On Mon, Sep 08, 2008 at 11:58:42AM -0400, Ben Guthro wrote:
> Hello,
> In my endeavor to set up a build environment for our developers 
> experimenting with oVirt / libvirt, I have come across a general
> dislike that the build of the ovirt managed node requires the user
> to be root.

Yep, I don't much like it building as root either :-(

> In looking into this we have found 2 areas that I am unable to work out a solution for:
> 1. livecd-tools must mount a filesystem image, requiring:
>     (a) losetup /dev/loopX fs-image
>         Where the user must have write access to /dev/loopX (which by
>         default is writable only by root, readable by group 'disk'). Could be
>         worked around by changing /dev/loopX permissions (once, as root).
>     (b) mount /dev/loopX /mnt/point
>         Also requires root. Can be worked around with /etc/fstab entry
>         allowing user mount.
> 2. 'rpm --root ...' is used to build the image.
>     --root must chroot to the specified directory to run the various RPM scripts.
>     chroot can't run under 'fakeroot' (AFAIK).
>     I don't know how to avoid or work around this.

Those are basically the same two places where I get to a roadblock.

> Does anyone here have any suggestions/recommended practices on how to go 
> about working around these so that root access is not required?
> Or - are we stuck with "that's just the way it is" for building the 
> managed node image?

The 'mock' program gets around this by using a setuid helper to do the
chroot/bind mount stuff it requires. So this lets you run it non-root,
but you can't really claim it is secure against anything other than
accidental user error. In the absence of other ideas that's the only
option I see for the livecd tools. It's probably a fair bit of work to do
this though.

I'd recommend doing the builds inside a virtual machine to protect your
real host from accidental/deliberate damage

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
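
Added example, not part of the original message and not code from livecd-tools or mock: workaround 1(b) in the quoted question relies on an /etc/fstab entry allowing user mounts. Per mount(8), `user`/`users` imply noexec,nosuid,nodev and `owner`/`group` imply nosuid,nodev unless a later option overrides them, so this audit reports, for each user-mountable entry, which of those restrictions are not in force. The sample fstab and all function names are constructed for illustration.

```python
# Audit fstab text for user-mountable entries (added example; names are hypothetical).
# Options are read left to right, so a later "suid" undoes the "nosuid" implied by "user".
IMPLIED = {
    "user": {"noexec", "nosuid", "nodev"},
    "users": {"noexec", "nosuid", "nodev"},
    "owner": {"nosuid", "nodev"},
    "group": {"nosuid", "nodev"},
}
RESTRICTIVE = {"noexec", "nosuid", "nodev"}

def effective_flags(options):
    """Return (user_mountable, restrictive flags in force) for one option list."""
    user_mountable, flags = False, set()
    for opt in (o.strip() for o in options.split(",")):
        if opt in IMPLIED:
            user_mountable = True
            flags |= IMPLIED[opt]
        elif opt.startswith("no") and opt[2:] in IMPLIED:
            user_mountable = False          # nouser, nousers, noowner, nogroup
        elif opt in RESTRICTIVE:
            flags.add(opt)
        elif "no" + opt in RESTRICTIVE:
            flags.discard("no" + opt)       # exec, suid or dev cancels the restriction
    return user_mountable, flags

def audit_fstab(text):
    """List (device, mountpoint, missing restrictions) for user-mountable entries."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        device, mountpoint, _fstype, options = fields[:4]
        user_mountable, flags = effective_flags(options)
        if user_mountable:
            findings.append((device, mountpoint, sorted(RESTRICTIVE - flags)))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE_FSTAB = """\
/dev/sda1   /           ext3  defaults                   1 1
/dev/loop0  /mnt/point  ext3  user,noauto                0 0
/dev/loop1  /mnt/build  ext3  noauto,user,exec,suid,dev  0 0
/dev/loop2  /mnt/other  ext3  nosuid,users,suid          0 0
"""

if __name__ == "__main__":
    for device, mountpoint, missing in audit_fstab(SAMPLE_FSTAB):
        print(device, mountpoint, "missing:", ",".join(missing) or "none")
```

An entry with an empty "missing" list keeps the restrictions that `user` implies; any entry listing `nosuid` or `nodev` lets an unprivileged user mount an image whose setuid binaries or device nodes are honoured.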
