On 01.06.2016 18:16, Wei Xu wrote:
On 2016年06月01日 00:44, Daniel P. Berrange wrote:
On Wed, Jun 01, 2016 at 12:30:44AM +0800, address@hidden wrote:
From: Wei Xu <address@hidden>
Recently I've been working on an fd passing issue: selinux forbids qemu from
creating a unix socket for a chardev when managing VMs with libvirt,
because qemu doesn't have sufficient permissions in this case, and the
proposal from the libvirt team is to open the 'fd' in libvirt and merely
pass it to qemu.
This sounds like a bug in libvirt, or selinux, or a mistaken
of the guest. It is entirely possible for QEMU to create a unix socket
least because that is exactly what QEMU uses for its QMP monitor backend.
Looking at your example command line, I think the issue is simply that
should be putting the sockets in a different location. ie at
/var/lib/libvirt/qemu/$guest-vhost-user1.sock where QEMU has
create sockets already.
ah.. adjusting the permission or file location can solve this problem; I'm
guessing maybe this is more of a security concern: the socket is used as a
network interface for a vm, similar to the qcow image file, so it should be
prevented from being arbitrarily accessed.
Michael, do you have any comment on this?
I haven't seen the patches. But in libvirt we allow users to create a
vhostuser interface and even specify where the socket should be placed:
<source type='unix' path='/tmp/vhost1.sock' mode='server'/>
The following cmd line is generated by libvirt then:
-chardev socket,id=charnet1,path=/tmp/vhost1.sock,server \
-netdev type=vhost-user,id=hostnet1,chardev=charnet1 \
Now, if we accept only the /var/run/openvswitch path in
/interface/source/@path (or whatever the path to OVS is), we don't need this
and have users manually label the dir (unless already labeled). But
since we accept just any path in there, we should make sure that qemu is
then able to create the socket. One possible fix would be to allow qemu to
create sockets just anywhere in the system. This, however, brings huge
security risks and it's not acceptable IMO. The other option would be
that libvirt creates the socket and passes its FD to qemu (since
libvirt is already allowed to create sockets anywhere).
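The second option described above, as an added illustration and not libvirt's or QEMU's own code: a privileged "manager" process creates and binds the listening unix socket, then hands the open descriptor to an unprivileged "consumer" over SCM_RIGHTS, so the consumer never needs permission to create sockets in that directory. The socket path used in the demo is a constructed example value; the two roles are simulated in one process over a socketpair so the code runs stand-alone.

```c
/* Added example (not libvirt's or QEMU's code): pass an already-bound
 * unix listening socket from a privileged creator to a less privileged
 * consumer via SCM_RIGHTS, instead of widening the consumer's policy. */
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Manager side: create a listening AF_UNIX socket at `path`. Returns fd or -1. */
static int create_listen_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);                 /* drop a stale socket file from an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send one descriptor over the unix-domain channel `chan` as SCM_RIGHTS. */
static int send_fd(int chan, int fd)
{
    char byte = 'F';              /* SCM_RIGHTS must accompany >= 1 data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);

    memset(&u, 0, sizeof(u));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Consumer side: receive one descriptor (close-on-exec); returns it or -1. */
static int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cmsg;
    int fd = -1;

    if (recvmsg(chan, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS &&
            cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
            memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
            break;
        }
    }
    return fd;
}

/* Demo: the manager creates the socket at `path` and passes it through a
 * socketpair; the consumer checks it got a socket bound to that path.
 * Returns 0 on success, -1 on any failure. */
int demo_pass_fd(const char *path)
{
    int chan[2], listener, received, rc = -1;
    struct sockaddr_un got;
    socklen_t len = sizeof(got);

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0)
        return -1;
    listener = create_listen_socket(path);
    if (listener < 0)
        goto out_chan;
    if (send_fd(chan[0], listener) < 0)
        goto out_listener;
    received = recv_fd(chan[1]);
    if (received < 0)
        goto out_listener;
    memset(&got, 0, sizeof(got));
    if (getsockname(received, (struct sockaddr *)&got, &len) == 0 &&
        got.sun_family == AF_UNIX && strcmp(got.sun_path, path) == 0)
        rc = 0;                   /* consumer holds the manager's bound socket */
    close(received);
out_listener:
    close(listener);
    unlink(path);
out_chan:
    close(chan[0]);
    close(chan[1]);
    return rc;
}
```

In a real deployment the two sides are separate processes with separate security labels; the point of the pattern is that the socket file is created under the manager's label and directory permissions, and the consumer only ever holds an inherited descriptor, so no "create sockets anywhere" rule is needed for it.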