[libvirt] [PATCH 1/2] qemu: Create hugepage path on per domain basis
Daniel P. Berrange
berrange at redhat.com
Tue Nov 22 12:53:23 UTC 2016
On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
> If you've ever tried running a huge page backed guest under a
> different user than root, you probably failed. Problem is even
It works fine - this functionality has existed for years and apps
like OpenStack use it and certainly never run QEMU as root.

In qemuStateInitialize we create $MOUNT/libvirt/qemu and
chown it to the qemu:qemu user/group pair.

That all said....
> though we have corresponding APIs in the security drivers,
> there's no implementation and thus we don't relabel the huge page
> path. But even if we did, so far all of the domains share the
> same path:
>
> /hugepageMount/libvirt/qemu
>
> Our only option there would be to set 0777 mode on the qemu dir
> which is totally unsafe. Therefore, we can create a dir on a
> per-domain basis, i.e.:
>
> /hugepageMount/libvirt/qemu/domainName
>
> and chown domainName dir to the user that domain is configured to
> run under.
...I agree it is better to create a dir per QEMU, since that
lets us run each QEMU as a distinct user or group ID.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
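
Added example, not part of the original message and not libvirt's code: a C helper that builds the per-domain layout discussed in the thread, creating <base>/<domain> as a private directory owned by the user the domain runs as instead of relying on a shared 0777 directory. The function name hugepage_domain_dir(), the 0700 mode, the name validation and the refusal to reuse an existing entry are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not libvirt code): create <base>/<domain> as a
 * directory that only uid/gid can enter. Returns 0 on success, -1 with
 * errno set on failure; the resulting path is written to out. */
int hugepage_domain_dir(const char *base, const char *domain,
                        uid_t uid, gid_t gid, char *out, size_t outlen)
{
    struct stat sb;
    int n, saved;

    /* The domain name becomes a path component: refuse separators and
     * the special entries so it cannot escape or alias the base dir. */
    if (!*domain || strchr(domain, '/') ||
        !strcmp(domain, ".") || !strcmp(domain, "..")) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(out, outlen, "%s/%s", base, domain);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Never adopt an existing entry: mkdir fails with EEXIST for a
     * leftover directory or a symlink planted under the shared parent. */
    if (mkdir(out, 0700) < 0)
        return -1;
    /* Hand the directory to the domain's user, then set the mode
     * explicitly because mkdir's mode is filtered by the umask. */
    if (chown(out, uid, gid) < 0 || chmod(out, 0700) < 0)
        goto fail;
    /* Verify the end state instead of trusting the calls above. */
    if (lstat(out, &sb) < 0 || !S_ISDIR(sb.st_mode) ||
        sb.st_uid != uid || sb.st_gid != gid ||
        (sb.st_mode & 07777) != 0700) {
        errno = EPERM;
        goto fail;
    }
    return 0;
fail:
    saved = errno;
    rmdir(out);
    errno = saved;
    return -1;
}
```

With one directory per domain, each directory can carry a different owner, so the shared parent never needs to be writable by every QEMU user.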