[libvirt] FYI: Updated QEMU driver docs on security model
Daniel P. Berrange
berrange at redhat.com
Wed Aug 19 16:04:33 UTC 2009
On Wed, Aug 19, 2009 at 03:01:59PM +0100, Mark McLoughlin wrote:
> On Wed, 2009-08-19 at 14:32 +0100, Daniel P. Berrange wrote:
> > FYI, I just pushed the following patch to the repo which adds documentation
> > to the website for all the security model related aspects of libvirt's
> > QEMU driver. It should appear here shortly
> >
> > http://libvirt.org/drvqemu.html
>
> Looks good, mostly just typos below
>
> ACK etc.
>
> > + <h3><a name="securitydac">POSIX DAC users/groups</a></h3>
> > +
> > + <p>
> > + In the "session" instance, the POSIX DAC model restricts QEMU virtual
>
> Should expand the acronym, it's pretty obscure
Actually they really served little purpose, so i just removed the
acronyms entirely.
> > + The directories <code>/var/run/libvirt/qemu/</code>,
> > + <code>/var/lib/libvirt/qemu/</code> and
> > + <code>/var/cache/libvirt/qemu/</code> must all have their
> > + ownership set to match the user / group ID that QEMU
> > + guests will be run as. If the vendor has set a non-root
> > + user/group for the QEMU driver at build time, the
> > + permissions should be set automatically at install time.
> > + If a host administrator customizes user/group in
> > + <code>/etc/libvirt/qemu.conf</code>, they will need to
> > + manually set the ownership on these directories.
>
> It's good to have this documented, but I'd much prefer us to handle it
> automatically
>
> e.g. libvirtd knows that if the permissions on the dir is wrong, the
> guest won't start
>
> So, it could warn the user, or create an alternative directory and chown
> it or ...
Yeah, after reading this now I think you're right. We should simply make
libvirtd QEMU driver chown the directories it uses when the driver starts
up, to match the configured user/group. For a default install this would
be a no-op since RPM would have got it right. And it saves pain in the
non-default case
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list