On Tue, Mar 14, 2017 at 01:50:58PM +0000, Richard W.M. Jones wrote:
> Previously we had assumed that when running as root, libvirt would
> always run qemu as a non-root user (eg. qemu.qemu), unless you modify
> a global configuration file (/etc/libvirt/qemu.conf).
>
> It turns out there is a little-known feature to make libvirt run qemu
> as root without modifying any configuration files. We have to add a
> <seclabel/> element to the appliance XML:
>
>   <seclabel type='static' model='dac' relabel='no'>
>     <label>root:root</label>
>   </seclabel>
There is a hidden problem with this patch which was discussed on IRC:
Libvirt drops all capabilities from the qemu process before running it
as root. This means that although it runs as the root user, it cannot
do usual root-like things. In particular it cannot access files as
the root owner (it will access them as if "other", so a file with mode
0644 for example can only be opened for reading).
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
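The capability point in the message above is easy to misread, so here is an added example (not code from libguestfs or libvirt) that makes it concrete. It reads the CapEff mask the way you would from /proc/<pid>/status of the running qemu, and then applies the kernel's ordinary DAC rule for a regular file: owner bits if the fsuid matches, group bits if the gid matches, otherwise "other" bits, with CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH as the only things that let uid 0 bypass that. The status texts and the file owner (uid 1000, standing in for the user whose cache directory holds the appliance) are constructed for the example.

```python
"""Model of the Linux DAC check for a uid-0 process with or without capabilities.

Added example (not part of libguestfs or libvirt).  It shows why a qemu that
libvirt runs as root but with an empty effective capability set is checked
against a user-owned 0644 file as "other": read succeeds, write is refused.
"""

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE = 1      # bypass read/write/execute permission checks
CAP_DAC_READ_SEARCH = 2   # bypass read permission checks (and directory search)

# Constructed /proc/<pid>/status excerpts.  The first is what a capability-less
# root qemu looks like; the second is an ordinary root process on a kernel
# with 38 capabilities defined.
STATUS_ROOT_NO_CAPS = """\
Name:\tqemu-kvm
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
"""

STATUS_ROOT_FULL_CAPS = """\
Name:\tqemu-kvm
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
"""


def parse_capeff(status_text: str) -> int:
    """Return the effective capability mask (CapEff) from a status file's text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(capeff: int, cap: int) -> bool:
    return bool((capeff >> cap) & 1)


def dac_allows(uid: int, gid: int, groups, capeff: int,
               file_uid: int, file_gid: int, mode: int, want: str) -> bool:
    """Decide whether open() for 'r', 'w' or 'x' passes the DAC check.

    Mirrors the kernel's generic_permission() for a regular file: pick the
    owner, group or other bits, then consult capabilities only if those bits
    do not already grant the access.  uid 0 gets no special treatment here.
    """
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif gid == file_gid or file_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = {"r": 4, "w": 2, "x": 1}[want]
    if bits & need:
        return True
    # CAP_DAC_OVERRIDE bypasses everything, except that execute still needs
    # at least one x bit set on the file.
    if has_cap(capeff, CAP_DAC_OVERRIDE) and (want != "x" or mode & 0o111):
        return True
    # CAP_DAC_READ_SEARCH only helps for reads.
    if has_cap(capeff, CAP_DAC_READ_SEARCH) and want == "r":
        return True
    return False


def appliance_access(status_text: str, file_uid: int = 1000,
                     file_gid: int = 1000, mode: int = 0o644) -> dict:
    """What a root qemu described by status_text can do to a user-owned file."""
    capeff = parse_capeff(status_text)
    return {
        "capeff": capeff,
        "read": dac_allows(0, 0, set(), capeff, file_uid, file_gid, mode, "r"),
        "write": dac_allows(0, 0, set(), capeff, file_uid, file_gid, mode, "w"),
    }


if __name__ == "__main__":
    for name, text in (("no caps", STATUS_ROOT_NO_CAPS),
                       ("full caps", STATUS_ROOT_FULL_CAPS)):
        print(name, appliance_access(text))
```

On a live system the same check is `grep CapEff /proc/<qemu pid>/status`: a mask of all zeros means the process is uid 0 in name only, and any appliance disk or kernel it needs to open for writing must be owned by it or be mode-writable by "other".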