[Ovirt-devel] root access required?
Daniel P. Berrange
berrange at redhat.com
Mon Sep 8 16:08:16 UTC 2008
On Mon, Sep 08, 2008 at 11:58:42AM -0400, Ben Guthro wrote:
> Hello,
>
> In my endeavor to set up a build environment for our developers
> experimenting with oVirt / libvirt, I have come across a general
> dislike that the build of the ovirt managed node requires the user
> to be root.
Yep, I don't much like it building as root either :-(
> In looking into this we have found 2 areas that I am unable to work out a solution for:
>
> 1. livecd-tools must mount a filesystem image, requiring:
> (a) losetup /dev/loopX fs-image
> Where the user must have write access to /dev/loopX (which by
> default is writable only by root, readable by group 'disk'). Could be
> worked around by changing /dev/loopX permissions (once, as root).
> (b) mount /dev/loopX /mnt/point
> Also requires root. Can be worked around with /etc/fstab entry
> allowing user mount.
>
> 2. 'rpm --root ...' is used to build the image.
> --root must chroot to the specified directory to run the various RPM scripts.
> chroot can't run under 'fakeroot' (AFAIK).
> I don't know how to avoid or workaround this.
Those are basically the same two places where I get to a roadblock.
> Does anyone here have any suggestions/recommended practices on how to go
> about working around these so that root access is not required?
>
> Or - are we stuck with "that's just the way it is" for building the
> managed node image?
The 'mock' program gets around this by using a setuid helper to do the
chroot/bind mount stuff it requires. So this lets you run it non-root,
but you can't really claim it is secure against anything other than
accidental user error. In the absence of other ideas that's the only
option I see for the livecd tools. It's probably a fair bit of work to do
this though.

I'd recommend doing the builds inside a virtual machine to protect your
real host from accidental/deliberate damage
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
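
The three privileged steps discussed in this thread (losetup on /dev/loopX, mount, and the chroot behind 'rpm --root') can be checked as an unprivileged user before a build is attempted. The script below is an added example, not part of the original messages or of livecd-tools; the function names, /dev/loop0, /mnt/other and the sample fstab are constructed assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the privileged steps named in the thread.
# Function names and the sample fstab are constructed for illustration.

# Constructed sample fstab: one user-mountable loop entry, one root-only.
sample_fstab() {
    cat <<'EOF'
# device     mountpoint   type  options         dump pass
/dev/loop0   /mnt/point   ext2  noauto,user,rw  0 0
/dev/loop1   /mnt/other   ext2  noauto,rw       0 0
EOF
}

# Return 0 if FSTAB has an entry for MOUNTPOINT whose options include
# "user" or "users", the options that let a non-root user mount it.
fstab_allows_user_mount() {
    fstab=$1; mountpoint=$2
    awk -v mp="$mountpoint" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "user" || opts[i] == "users") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$fstab"
}

# Return 0 if DEV is a block device the current user can write to,
# which is what losetup needs in order to attach an image.
loop_writable() {
    [ -b "$1" ] && [ -w "$1" ]
}

# Print one line per step: "<step> ok" or "<step> needs-root".
preflight() {
    dev=$1; fstab=$2; mountpoint=$3
    if loop_writable "$dev"; then echo "losetup ok"; else echo "losetup needs-root"; fi
    if fstab_allows_user_mount "$fstab" "$mountpoint"; then echo "mount ok"
    else echo "mount needs-root"; fi
    # chroot(2) needs CAP_SYS_CHROOT; approximated here as running with uid 0.
    if [ "$(id -u)" -eq 0 ]; then echo "chroot ok"; else echo "chroot needs-root"; fi
}

tmp=$(mktemp) && sample_fstab > "$tmp"
preflight /dev/loop0 "$tmp" /mnt/point
rm -f "$tmp"
```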