On 03/22/22 15:51, Daniel P. Berrangé wrote:
On Tue, Mar 22, 2022 at 02:35:54PM +0000, Richard W.M. Jones wrote:
> For fuller explanation see:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2066773#c1
>
> I'm not very happy with this patch for a few reasons:
>
> - Does every distro use "qemu" as the user that runs qemu?
Not sure, but you can query this from libvirt
# virsh capabilities | xmllint -xpath
'//secmodel[./model="dac"]/baselabel[@type="kvm"]' -
<baselabel type="kvm">+107:+107</baselabel>
There is XML support in OCaml, and I guess we can figure out if we use
TCG vs. KVM, so the "xmllint" command could be written in v2v.
I'm not sure about "virsh capabilities" :/ Would we need to wrap
virConnectGetCapabilities() <https://libvirt.org/formatcaps.html>?
Thanks,
Laszlo
The base label here is the label that any files must have in order
to be writable by QEMU, using a default process label.
In the case of the 'dac' model this is a UID:GID pair (+ indicates
numeric ID, as opposed to a username with all numbers).
NB, this doesn't apply if you're overriding the default label to
use a distinct UID per VM, but I assume v2v isn't doing that and
controls its own VMs.
> - Having to run an external process (not a big deal, but a bit clumsy)
In theory libacl gives you programmatic API for this.
> - Aren't ACLs actually deprecated?
Not that I know of.
With regards,
Daniel
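Below is an added example, not code from this thread or from virt-v2v or libvirt, that does in Python what Daniel's `virsh capabilities | xmllint --xpath` pipeline does and what Laszlo asks about wrapping: it takes the capabilities XML (here a constructed sample in place of a live `virConnectGetCapabilities()` result, so it runs offline), selects the `dac` secmodel's baselabel for the domain type (`kvm` or `qemu` for TCG), and splits the `UID:GID` pair, honouring the `+` prefix that marks a numeric ID as opposed to a user or group name. The function names, the sample XML and the `setfacl` argument builder are this example's own; the live-libvirt path at the bottom only runs if the `libvirt` Python binding is installed.

```python
"""Find the libvirt DAC base label for QEMU and turn it into an ACL grant.

Added example, not virt-v2v or libvirt code.  SAMPLE_CAPS_XML is a constructed
excerpt shaped like the <host> part of `virsh capabilities`; the label values
(+107:+107) are the ones quoted in the thread.
"""
import grp
import pwd
import xml.etree.ElementTree as ET

# Constructed sample: one selinux and one dac secmodel, each with a baselabel
# for KVM guests (type='kvm') and for TCG guests (type='qemu').
SAMPLE_CAPS_XML = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
      <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
      <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
      <baselabel type='kvm'>+107:+107</baselabel>
      <baselabel type='qemu'>+107:+107</baselabel>
    </secmodel>
  </host>
</capabilities>
"""


def dac_baselabel(caps_xml, domain_type="kvm"):
    """Equivalent of //secmodel[./model="dac"]/baselabel[@type=domain_type].

    Returns the label text, or None when the host has no dac secmodel or no
    baselabel for that domain type.
    """
    root = ET.fromstring(caps_xml)
    for secmodel in root.iter("secmodel"):
        if secmodel.findtext("model") != "dac":
            continue
        for label in secmodel.findall("baselabel"):
            if label.get("type") == domain_type and label.text:
                return label.text.strip()
    return None


def _resolve(part, lookup_name):
    # '+' means a numeric ID; anything else is a name, even if it is all
    # digits, and must be resolved through the passwd/group database.
    if part.startswith("+"):
        return int(part[1:])
    return lookup_name(part)


def parse_dac_label(label):
    """Split 'user:group' into numeric (uid, gid)."""
    user, group = label.split(":", 1)
    uid = _resolve(user, lambda n: pwd.getpwnam(n).pw_uid)
    gid = _resolve(group, lambda n: grp.getgrnam(n).gr_gid)
    return uid, gid


def setfacl_argv(path, uid, gid):
    """argv that grants the QEMU process label read/write on a disk image.

    This is the default-label case only: if a domain is given its own DAC
    label (a distinct UID per VM), the baselabel is not what QEMU runs as.
    Built but not executed here.
    """
    return ["setfacl", "-m", f"u:{uid}:rw,g:{gid}:rw", path]


if __name__ == "__main__":
    caps = SAMPLE_CAPS_XML
    try:
        import libvirt  # python3-libvirt; optional
        conn = libvirt.open("qemu:///system")
        try:
            caps = conn.getCapabilities()  # same XML `virsh capabilities` prints
        finally:
            conn.close()
    except Exception:
        pass  # no binding or no libvirtd: fall back to the constructed sample
    label = dac_baselabel(caps, "kvm")
    if label is None:
        raise SystemExit("host has no dac baselabel for kvm domains")
    uid, gid = parse_dac_label(label)
    print(label, "->", uid, gid)
    print(" ".join(setfacl_argv("/var/tmp/guest.img", uid, gid)))
```

Pick `"qemu"` instead of `"kvm"` as the domain type when the converted guest will run under TCG, since the two baselabels need not be the same.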