From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: Stefano Brivio <sbrivio@redhat.com>,
Yumei Huang <yuhuang@redhat.com>,
passt-dev@passt.top, david@gibson.dropbear.id.au
Subject: Re: [PATCH] test: Update README.md
Date: Wed, 24 Sep 2025 12:00:04 +0100
Message-ID: <aNPPNDr9mlz_zH8s@redhat.com>
In-Reply-To: <20250924103131.GU1460@redhat.com>
On Wed, Sep 24, 2025 at 11:31:31AM +0100, Richard W.M. Jones wrote:

> On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > And now that you say that, I just realised that it would be as simple
> > as:
> >
> > https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> >
> > LIBGUESTFS_BACKEND=direct virt-edit...
>
> While that will indeed work, we're trying to discourage people from
> doing that, since it removes the other good things that libvirt does,
> such as setting up SELinux.
>
> The real solution here IMHO is for libvirt to make session mode work
> for root without changing UID. It actually goes out of its way to
> stop this working at the moment[1].

We made it possible to run QEMU as root:root while still using
system mode quite a while ago now. It requires adding this
to the XML:

  <seclabel type='static' model='dac' relabel='yes'>
    <label>+0:+0</label>
  </seclabel>

AFAICT, the resulting QEMU will also still have all capabilities
set, most importantly CAP_DAC_OVERRIDE. So unless I'm missing
something there shouldn't be anything that can't be done with
system mode, that a session mode would allow.

I thought I had already suggested that libguestfs use this
seclabel, but don't recall if it was ever tried, or if we
hit some other roadblock.

> [1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think

Well that's where the initial control is, but it isn't as simple as just
removing/changing that code. When running as root, we have access to a
lot of system wide resources, and libvirt needs to track which are in
use by VMs or not. We can't do that tracking if we have two separate
privileged daemons for both system mode and a root-session mode.

It might be possible to have a single daemon service both roles. VMs
defined via a session mode connection would auto-add the above
<seclabel> to default to running as root. It would also need to
dynamically change what's reported in capabilities to reflect this
different default, and more systemd socket unit files at the locations
that the session mode client app looks for.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
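The static DAC seclabel described in the message above, as an added example that is not part of this thread or of libvirt/libguestfs: a small helper that inserts the `+0:+0` label into a domain XML (replacing any existing DAC label rather than stacking a second one) and a check that reports whether a given domain definition would run QEMU as uid 0, which is the case a reviewer would want flagged since the process then keeps its full capability set. The sample domain XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed minimal libvirt domain XML (not from the thread); it carries an
# SELinux seclabel but no explicit DAC one, so the driver default applies.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guestfs-appliance</name>
  <memory unit='MiB'>512</memory>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>"""

ROOT_LABEL = "+0:+0"  # libvirt DAC label syntax +uid:+gid; 0:0 is root:root


def add_root_dac_seclabel(domain_xml: str) -> str:
    """Return the domain XML with a static DAC seclabel pinning QEMU to root:root.

    Any existing model='dac' seclabel is removed first so the result never
    carries two conflicting DAC labels; other models (e.g. selinux) are kept.
    """
    root = ET.fromstring(domain_xml)
    for old in root.findall("seclabel[@model='dac']"):
        root.remove(old)
    sec = ET.SubElement(root, "seclabel", type="static", model="dac", relabel="yes")
    ET.SubElement(sec, "label").text = ROOT_LABEL
    return ET.tostring(root, encoding="unicode")


def dac_identity(domain_xml: str):
    """Return the (uid, gid) a static DAC seclabel requests, or None when the
    domain has no static DAC label and so relies on the qemu.conf user/group."""
    root = ET.fromstring(domain_xml)
    sec = root.find("seclabel[@model='dac']")
    if sec is None or sec.get("type") != "static":
        return None
    label = sec.findtext("label", "")
    uid_s, _, gid_s = label.partition(":")
    # Only the numeric "+N:+N" form is resolved here; named user:group labels
    # are also valid libvirt syntax but would need a passwd lookup.
    if not (uid_s.startswith("+") and gid_s.startswith("+")):
        raise ValueError(f"non-numeric DAC label not handled: {label!r}")
    return int(uid_s[1:]), int(gid_s[1:])


def runs_as_root(domain_xml: str) -> bool:
    """True when the domain explicitly requests uid 0. Worth flagging in review:
    as the message notes, QEMU then keeps its capabilities, incl. CAP_DAC_OVERRIDE."""
    ident = dac_identity(domain_xml)
    return ident is not None and ident[0] == 0
```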