Description of problem:
rjones asked why oz-install needed root. I responded that it:
a) Needs to connect to qemu:///system, and
b) Does some iptables manipulation

rjones pointed out that it is possible to configure PolicyKit to allow a normal user to connect to qemu:///system. That eliminates the first problem.

The second problem has to do with the iptables manipulation. After install, the guest contacts the host via TCP to report the IP address. In order for this to work, the host needs to be running a server (which Oz does), and that port needs to be open for communication (which Oz also does). It's that last bit that requires the iptables manipulation. rjones and danpb suggested two alternate solutions that could remove the iptables manipulation:

1) Use the qemu-agent to report the IP address. This isn't quite ready, and will only work for very new Qemu.
2) Write the IP address to a local file in the guest, and then use libguestfs in read-only mode to read that file. This seems very doable.

(In reply to comment #0)
> Description of problem:
> rjones asked why oz-install needed root. I responded that it:
> a) Needs to connect to qemu:///system, and
> b) Does some iptables manipulation
>
> rjones pointed out that it is possible to configure PolicyKit to allow a normal
> user to connect to qemu:///system. That eliminates the first problem.
>
> The second problem has to do with the iptables manipulation. After install,
> the guest contacts the host via TCP to report the IP address. In order for
> this to work, the host needs to be running a server (which Oz does), and that
> port needs to be open for communication (which Oz also does). It's that last
> bit that requires the iptables manipulation. rjones and danpb suggested two
> alternate solutions that could remove the iptables manipulation:
>
> 1) Use the qemu-agent to report the IP address. This isn't quite ready, and
> will only work for very new Qemu.
> 2) Write the IP address to a local file in the guest, and then use libguestfs
> in read-only mode to read that file. This seems very doable.

So I ended up having problems with 2) because libguestfs wouldn't see new files that appeared in the underlying "live" filesystem. I probably could have gotten around that by re-launching libguestfs every time I looped, but that seemed heavyweight.

I instead went with a different solution where I use a serial port to do the IP address announcement. The libvirt XML is modified before launch to have a <serial> element that starts a network server in qemu. Writes to the serial port from the guest get exposed via the network server, and clients can connect to get that data. So Oz launches the guest with the network server, then connects to the network server and waits for the guest to output the IP address over the serial line. Once that happens, the rest of Oz proceeds as before. This removes the need for any iptables manipulation, and is the first step to making this run as non-root.

There is still the problem of Oz trying to read and write from system locations like /var/lib/oz and /etc/oz/oz.cfg. That should be solvable by detecting whether we are root or not, and then modifying the paths accordingly, but it is not prepared at the moment to do this.
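
The serial-port announcement described in the comment above, sketched as an added example (this is not Oz's own code). The `!<ipv4>!` framing, the port number, the target port index and all function names are assumptions made for illustration; the point is that qemu listens on loopback only and the guest-supplied bytes are validated before use.

```python
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET

# Assumed framing: the guest writes "!<ipv4>!" to its second serial device.
ANNOUNCE_RE = re.compile(rb"!(\d{1,3}(?:\.\d{1,3}){3})!")
MAX_BUFFER = 4096  # cap on guest-controlled data kept in memory


def add_announce_serial(domain_xml, port, host="127.0.0.1"):
    """Return domain XML with a TCP-server serial port bound to loopback."""
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        devices = ET.SubElement(root, "devices")
    serial = ET.SubElement(devices, "serial", {"type": "tcp"})
    # mode='bind': qemu is the listener, so the host opens no inbound port
    # for the guest and needs no iptables rule.
    ET.SubElement(serial, "source",
                  {"mode": "bind", "host": host, "service": str(port)})
    ET.SubElement(serial, "protocol", {"type": "raw"})
    # Assumption: serial port 0 is already used as the guest console.
    ET.SubElement(serial, "target", {"port": "1"})
    return ET.tostring(root, encoding="unicode")


def extract_ip(buf):
    """Return the first well-formed announced IPv4 address in buf, or None."""
    for match in ANNOUNCE_RE.finditer(buf):
        try:
            return str(ipaddress.IPv4Address(match.group(1).decode("ascii")))
        except ipaddress.AddressValueError:
            continue  # e.g. "!999.1.1.1!": untrusted guest output, skip it
    return None


def wait_for_ip(sock, read_timeout=300.0):
    """Read a socket connected to the serial server until an IP is announced."""
    sock.settimeout(read_timeout)  # applies to each recv, not the whole wait
    buf = b""
    while True:
        chunk = sock.recv(256)  # raises socket.timeout if the guest is silent
        if not chunk:
            raise ConnectionError("serial channel closed before announcement")
        buf = (buf + chunk)[-MAX_BUFFER:]
        ip = extract_ip(buf)
        if ip is not None:
            return ip
```
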
(In reply to comment #1)
> (In reply to comment #0)
> > 2) Write the IP address to a local file in the guest, and then use libguestfs
> > in read-only mode to read that file. This seems very doable.
>
> So I ended up having problems with 2) because libguestfs wouldn't see new files
> that appeared in the underlying "live" filesystem. I probably could have
> gotten around that by re-launching libguestfs every time I looped, but that
> seemed heavyweight.

Another way to do it would be to write it to some known part of the disk, eg. in an unused bit of the boot sector.

Or yet another way is to try calling drop-caches:

http://libguestfs.org/guestfs.3.html#guestfs_drop_caches

(Whether this works, or is even a good idea, is another matter ...)

In any case, looks like the serial port is working for you.

As of Oz 0.9.0, this should work if PackageKit is configured properly. I'm closing this as UPSTREAM; let me know if it doesn't work for you.