[libvirt] [PATCH 1/2] qemu: Create hugepage path on per domain basis

Michal Privoznik mprivozn at redhat.com
Tue Nov 22 13:05:38 UTC 2016


On 22.11.2016 13:53, Daniel P. Berrange wrote:
> On Tue, Nov 22, 2016 at 01:45:42PM +0100, Michal Privoznik wrote:
>> If you've ever tried running a huge page backed guest under
>> different user than root, you probably failed. Problem is even
> 
> It works fine - this functionality has existed for years and apps
> like OpenStack use it and certainly never run QEMU as root.
> 
> In qemuStateInitialize we create $MOUNT/libvirt/qemu and
> chown it to the qemu:qemu user/group pair.

Well, this works as long as all the huge page enabled guests are run
under the same user. For instance, if your user/group from qemu.conf
is root:root and you have one domain with qemu:qemu (configured via
domain XML) it won't start.

> 
> That all said....
> 
>> though we have corresponding APIs in the security drivers,
>> there's no implementation and thus we don't relabel the huge page
>> path. But even if we did, so far all of the domains share the
>> same path:
>>
>>    /hugepageMount/libvirt/qemu
>>
>> Our only option there would be to set 0777 mode on the qemu dir
>> which is totally unsafe. Therefore, we can create dir on
>> per-domain basis, i.e.:
>>
>>    /hugepageMount/libvirt/qemu/domainName
>>
>> and chown domainName dir to the user that domain is configured to
>> run under.
> 
> ...I agree it is better to create a dir per QEMU, since that
> lets us run each QEMU as a distinct user or group ID.

Exactly.

Michal