Bug 1728703 - libvirtd chowns my kernel image to root:root
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 30
Hardware: Unspecified
OS: Unspecified
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-07-10 13:47 UTC by Andrew Price
Modified: 2019-07-12 08:20 UTC (History)

Last Closed: 2019-07-11 17:50:53 UTC
Type: Bug

Description Andrew Price 2019-07-10 13:47:32 UTC
Description of problem:

For kernel testing I have VMs configured to direct boot the kernel from my Linux source tree:

  <os>
    <type arch='x86_64' machine='pc-i440fx-2.9'>hvm</type>
    <kernel>/home/andy/src/linux/arch/x86/boot/bzImage</kernel>
    <cmdline>console=ttyS0,115200 root=/dev/vda2</cmdline>
    <boot dev='hd'/>
  </os>

After upgrading to Fedora 30 libvirtd has started to chown that file to qemu:qemu when the VM is started, and then to root:root when it has shut down. This makes my subsequent builds fail as I cannot overwrite the root-owned kernel image. This happens even if the image is owned by andy:qemu with mode 0664 to begin with.

Version-Release number of selected component (if applicable):

libvirt-5.1.0-8.fc30.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Build kernel as normal user
2. Set VM to direct boot it
3. Start VM
4. ls -l /path/to/image
5. Power off vm
6. ls -l /path/to/image

Actual results:
The image is owned by qemu:qemu when VM is running and root:root afterwards.

Expected results:
Image ownership is left untouched, VM just fails to boot if it doesn't have permission.

Additional info:
This is a way for someone to set root ownership on an arbitrary file but luckily the setuid bit is not left set in my tests.

Comment 1 Cole Robinson 2019-07-11 17:50:53 UTC
Thanks for the report. This is long known suboptimal behavior. You are using the libvirt URI qemu:///system which talks to the system libvirtd instance running as root. But libvirt wants to run VMs as the unprivileged qemu user. So libvirtd will chown all the VM media to qemu:qemu when starting the VM. The problem is, it doesn't have any way[1] to know what the starting owner of the image was, so when the VM shuts down, it chown's the image to root:root.

There's a lot of ways to work around it by manipulating the file in some way, for example write a wrapper script to copy the kernel you care about to some other location first and have the VM boot from that, so it doesn't mess with the permissions of your built kernel. Or sidestep the issue entirely by using qemu:///session which launches libvirtd and VMs as your UID so it doesn't perform any chowning. More info on that distinction: https://blog.wikichoon.com/2016/01/qemusystem-vs-qemusession.html

Because this behavior has been the same for a decade at this point, I'm closing this; a Fedora bug isn't going to effect change here. But feel free to ask follow up questions if necessary.

[1] libvirt does have some support in the next release for 'remembering' the starting state here, but it's only for r/w media, so it doesn't change anything for kernel/initrd which are readonly. It's possible this behavior will get 'smarter' at some point in the future but
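
The wrapper-script workaround from Comment 1, as an added example (not code from this bug report or from libvirt); the function names and the staging directory `/srv/vm-boot` are assumptions. It goes slightly beyond a plain copy: the staged file is replaced by rename, which still works when libvirtd has left the previous copy owned by root:root.

```shell
#!/bin/sh
# Added example: boot a qemu:///system guest from a staged copy of the kernel,
# so libvirtd's chown lands on the copy and the build output keeps its owner.
# Function names and the staging directory are assumptions, not libvirt's.
#
# Usage: stage_kernel /home/andy/src/linux/arch/x86/boot/bzImage /srv/vm-boot
# then point <kernel> in the domain XML at the path it prints.

# Print "uid:gid" for a file (GNU stat, with BSD stat as fallback).
owner_of() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Succeed only if FILE still has the "uid:gid" recorded before the VM ran.
owner_unchanged() {
    [ "$(owner_of "$1")" = "$2" ]
}

# stage_kernel SRC DEST_DIR: copy SRC into DEST_DIR, print the staged path.
stage_kernel() {
    src=$1
    dest_dir=$2
    # Symlinks are refused so the staged file is a copy of exactly SRC.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2; return 1
    fi
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }
    dest=$dest_dir/$(basename "$src")
    [ ! -L "$dest" ] || { echo "refusing symlink: $dest" >&2; return 1; }
    # Copy to a temp name, then rename. In a directory you own, rename needs
    # write access to the directory only, so it replaces a root:root old copy.
    tmp=$(mktemp "$dest_dir/.stage.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        echo "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Record `owner_of` on the build output before starting the VM and run `owner_unchanged` after shutdown to confirm the source tree was left alone.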

Comment 2 Andrew Price 2019-07-12 08:20:16 UTC
Thanks for taking the time to provide a thorough explanation, Cole. That's very useful. I'll give qemu:///session a try. With the bridge helper I think it should work for my use case.

