Bug 1045040

Summary: /var/lib/libvirt/qemu permissions are wrong
Product: [Community] Virtualization Tools
Reporter: Richard W.M. Jones <rjones>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: crobinso, dyuan, hannsj_uhl, jfehlig, mhcerri, mzhan, pwouters, rbalakri, shyu, zhwang
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-04-10 17:21:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1045069
Bug Blocks: 805141

Description Richard W.M. Jones 2013-12-19 13:59:58 UTC
Currently:

drwxr-x---.  6 qemu qemu 4096 Dec 19 12:56 .

Dan thinks we should actually create subdirectories under
here for every guest, with the guest's uid:gid as the owner
of the subdirectory, allowing qemu to run as arbitrary
uid:gid and still access its monitor socket.

Version-Release number of selected component (if applicable):

libvirt 1.1.3 on Fedora 19

Also the same on Fedora 20.

Comment 1 Richard W.M. Jones 2014-01-09 16:57:32 UTC
libvirt currently creates the monitor sockets directly in
/var/lib/libvirt/qemu/, e.g.:

$ sudo ls -l /var/lib/libvirt/qemu/
total 16
srwxr-xr-x. 1 qemu qemu    0 Jan  6 16:00 builder-rhel6.monitor
srwxr-xr-x. 1 qemu qemu    0 Dec 20 22:04 builder-rhel7.monitor
[etc]

The problem is this doesn't work if we told libvirt to run qemu as
another UID, which is possible (albeit undocumented):

  <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>

If you do that you'll find that qemu won't be able to access the
monitor socket in some situations.

To fix this, libvirt should create a subdirectory per guest.  The
permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
qemu can access it.

(I suspect the monitor sockets should really go in /run, but the
same arguments apply)

Comment 2 Paul Wouters 2015-10-13 19:31:06 UTC
I agree. For libreswan we run a test suite with libvirt where our own user 'build' creates the VMs, and on every libvirt update my tests start failing and I have to run:

chmod g+w /var/lib/libvirt/qemu/

So at least group qemu write permissions would be nice.

Comment 3 Cole Robinson 2016-04-10 17:21:40 UTC
Upstream libvirt does this nowadays:

$ sudo ls /var/lib/libvirt/qemu/
channel  domain-9-f23  dump  nvram  save  snapshot

Where domain-9-f23 is used for the monitor socket for running VM name=f23 id=9
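
The ownership argument running through comments 1 to 3, as an added example (not libvirt code and not part of the original report): a small model of Unix DAC checks that reports which directory stops a given uid from creating its monitor socket in the flat layout, after the `chmod g+w` workaround, and in the per-guest layout. The uid/gid numbers, every mode other than the reported drwxr-x---, and the socket file names are assumptions; SELinux labels and uid 0 are not modelled.

```python
# Constructed model of Unix DAC checks. All uids, gids and modes here are
# illustrative assumptions, except 0o750 (the reported drwxr-x---).
QEMU, GUEST, OTHER = 107, 1500, 1501       # uid == gid for simplicity
BASE = "/var/lib/libvirt/qemu"
X, WX = 0o1, 0o3                           # search; write+search

def allowed(entry, uid, gids, want):
    """Apply exactly one permission triplet: owner, else group, else other."""
    mode, owner, group = entry
    if uid == owner:
        bits = mode >> 6
    elif group in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want

def first_denial(tree, sock_path, uid, gids):
    """Return the directory that stops uid from creating sock_path, or None.

    Creating the socket needs search (x) on every ancestor and write+search
    on the directory that will hold it. Directories above BASE are assumed
    to be traversable by everyone.
    """
    below = sock_path[len(BASE):].strip("/").split("/")[:-1]
    dirs = [BASE]
    for part in below:
        dirs.append(dirs[-1] + "/" + part)
    for i, d in enumerate(dirs):
        want = WX if i == len(dirs) - 1 else X
        if not allowed(tree[d], uid, gids, want):
            return d
    return None

# Flat layout from the description: drwxr-x--- qemu qemu
FLAT = {BASE: (0o750, QEMU, QEMU)}
# Comment 2's workaround: chmod g+w on the same directory
FLAT_GW = {BASE: (0o770, QEMU, QEMU)}
# Per-guest layout: relaxed parent, subdirectory owned by the guest's uid:gid
PER_GUEST = {BASE: (0o755, QEMU, QEMU),
             BASE + "/domain-9-f23": (0o750, GUEST, GUEST)}
```

In the per-guest layout the guest's own uid reaches its socket directory while a different guest uid is stopped at `domain-9-f23`, which the `chmod g+w` workaround cannot provide for members of the shared group.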