On Tue, Mar 22, 2022 at 02:35:54PM +0000, Richard W.M. Jones wrote:
> For fuller explanation see:
> https://bugzilla.redhat.com/show_bug.cgi?id=2066773#c1
>
> I'm not very happy with this patch for a few reasons:
>
> - Does every distro use "qemu" as the user that runs qemu?

Not sure, but you can query this from libvirt

  # virsh capabilities | xmllint -xpath '//secmodel[./model="dac"]/baselabel[@type="kvm"]' -
  <baselabel type="kvm">+107:+107</baselabel>

The base level here is the label that any files must have in order
to be writable by QEMU, using a default process label.

In the case of the 'dac' model this is a UID:GID pair (+ indicates
numeric ID, as opposed to a username with all numbers).

NB, this doesn't apply if you're overriding the default label to
use a distinct UID per VM, but I assume v2v isn't doing that and
controls its own VMs

> - Having to run an external process (not a big deal, but a bit
> clumsy)

In theory libacl gives you programmatic API for this.

> - Aren't ACLs actually deprecated?

Not that I know of.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
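
Added example, not part of the original message or of the patch under discussion: a Python sketch of the lookup described in the reply, which pulls the 'dac' baselabel for type "kvm" out of `virsh capabilities` XML and turns the UID:GID pair into numeric IDs instead of hard-coding "qemu". The sample XML is constructed around the one element quoted in the message, and the function names are hypothetical; a part without a leading "+" is treated as a name and looked up in the local user/group database.

```python
import grp
import pwd
import xml.etree.ElementTree as ET

# Constructed sample: only the <secmodel> parts of `virsh capabilities` output.
SAMPLE_CAPS = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <baselabel type="kvm">system_u:system_r:svirt_t:s0</baselabel>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <baselabel type="kvm">+107:+107</baselabel>
    </secmodel>
  </host>
</capabilities>"""


def dac_baselabel(caps_xml, domtype="kvm"):
    """Return the 'dac' baselabel text for domtype, or None if absent."""
    root = ET.fromstring(caps_xml)
    for sec in root.iter("secmodel"):
        if sec.findtext("model") != "dac":
            continue  # skip selinux/apparmor models; their labels are not UID:GID
        for label in sec.findall("baselabel"):
            if label.get("type") == domtype and label.text:
                return label.text.strip()
    return None


def _resolve(part, lookup):
    # "+107" is a numeric ID; a bare "107" would be a *name* made of digits.
    return int(part[1:]) if part.startswith("+") else lookup(part)


def parse_dac_label(label):
    """Split 'USER:GROUP' and return (uid, gid) as integers."""
    user, sep, group = label.partition(":")
    if not sep or not user or not group:
        raise ValueError("expected USER:GROUP, got %r" % label)
    uid = _resolve(user, lambda name: pwd.getpwnam(name).pw_uid)
    gid = _resolve(group, lambda name: grp.getgrnam(name).gr_gid)
    return uid, gid


if __name__ == "__main__":
    print(parse_dac_label(dac_baselabel(SAMPLE_CAPS)))
```

As the reply notes, the result only describes the default process label; it does not apply when a distinct UID per VM is configured.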