Bug 1045040
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | /var/lib/libvirt/qemu permissions are wrong | | |
| Product: | [Community] Virtualization Tools | Reporter: | Richard W.M. Jones <rjones> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | crobinso, dyuan, hannsj_uhl, jfehlig, mhcerri, mzhan, pwouters, rbalakri, shyu, zhwang |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-10 17:21:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1045069 | | |
| Bug Blocks: | 805141 | | |
Description
Richard W.M. Jones
2013-12-19 13:59:58 UTC
libvirt currently creates the monitor sockets directly in /var/lib/libvirt/qemu/, e.g.:

```
$ sudo ls -l /var/lib/libvirt/qemu/
total 16
srwxr-xr-x. 1 qemu qemu 0 Jan  6 16:00 builder-rhel6.monitor
srwxr-xr-x. 1 qemu qemu 0 Dec 20 22:04 builder-rhel7.monitor
[etc]
```

The problem is this doesn't work if we told libvirt to run qemu as another UID, which is possible (albeit undocumented):

```
<seclabel model='dac' type='static'>
  <label>user:group</label>
</seclabel>
```

If you do that you'll find that qemu won't be able to access the monitor socket in some situations.

To fix this, libvirt should create a subdirectory per guest. The permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so qemu can access it.

(I suspect the monitor sockets should really go in /run, but the same arguments apply.)

I agree. For libreswan we run a test suite with libvirt where our own user 'build' creates the VMs, and after every libvirt update my tests start failing and I have to run:

```
chmod g+w /var/lib/libvirt/qemu/
```

So at least group qemu write permissions would be nice.

Upstream libvirt does this nowadays:

```
$ sudo ls /var/lib/libvirt/qemu/
channel  domain-9-f23  dump  nvram  save  snapshot
```

Where domain-9-f23 is used for the monitor socket for the running VM with name=f23 and id=9.
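The access check behind this bug, as an added example that is neither libvirt code nor from the report: it reads the static DAC label from domain XML and applies the POSIX rule that connecting to a Unix socket needs search (x) on every directory above it and write (w) on the socket inode. The uid/gid tables, the mode bits of both layouts and the monitor socket name under the per-domain directory are constructed assumptions modelled on the listings above.

```python
import xml.etree.ElementTree as ET

# Constructed user/group tables standing in for pwd/grp lookups (assumption).
USERS = {"root": 0, "qemu": 107, "build": 1000}
GROUPS = {"root": 0, "qemu": 107, "build": 1000}

def dac_label(domain_xml):
    """Return (uid, gid) from a static <seclabel model='dac'>, or None if absent."""
    for sec in ET.fromstring(domain_xml).iter("seclabel"):
        if sec.get("model") == "dac" and sec.get("type") == "static":
            user, group = sec.findtext("label").split(":")
            return USERS[user], GROUPS[group]
    return None

def has_perm(mode, owner_uid, owner_gid, uid, gid, bit):
    """POSIX class selection: owner bits if uid matches, else group, else other.
    bit is 4 (read), 2 (write) or 1 (execute/search)."""
    if uid == 0:
        return True  # root bypasses DAC checks (CAP_DAC_OVERRIDE)
    shift = 6 if uid == owner_uid else 3 if gid == owner_gid else 0
    return bool(mode & (bit << shift))

def socket_problems(uid, gid, entries):
    """entries: [(path, mode, owner_uid, owner_gid), ...], directories first and the
    socket last. Return a description of each failed search/write check."""
    problems = []
    for path, mode, o_uid, o_gid in entries[:-1]:
        if not has_perm(mode, o_uid, o_gid, uid, gid, 1):
            problems.append(f"no search permission on {path}")
    path, mode, o_uid, o_gid = entries[-1]
    if not has_perm(mode, o_uid, o_gid, uid, gid, 2):
        problems.append(f"cannot write to socket {path}")
    return problems

DOMAIN_XML = """<domain type='kvm'><name>f23</name>
  <seclabel model='dac' type='static'><label>build:build</label></seclabel>
</domain>"""

# Constructed layouts (mode, owner) modelled on the listings in the report.
OLD_LAYOUT = [  # socket directly under /var/lib/libvirt/qemu, owned by qemu
    ("/var/lib/libvirt/qemu", 0o750, USERS["root"], GROUPS["qemu"]),
    ("/var/lib/libvirt/qemu/f23.monitor", 0o755, USERS["qemu"], GROUPS["qemu"]),
]
NEW_LAYOUT = [  # relaxed parent plus a per-domain directory owned by the DAC label
    ("/var/lib/libvirt/qemu", 0o751, USERS["root"], GROUPS["root"]),
    ("/var/lib/libvirt/qemu/domain-9-f23", 0o750, USERS["build"], GROUPS["build"]),
    ("/var/lib/libvirt/qemu/domain-9-f23/monitor.sock", 0o755, USERS["build"], GROUPS["build"]),
]
```

Running `socket_problems(*dac_label(DOMAIN_XML), OLD_LAYOUT)` reports both the untraversable directory and the unwritable socket for the `build` user, while the same call on `NEW_LAYOUT` returns an empty list.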