[Bug 640767] New: libvirt should use non-root for qemu-kvm process if possible.
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c0

Summary: libvirt should use non-root for qemu-kvm process if possible.
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86
OS/Version: openSUSE 11.3
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: zhubr@mail.ru
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

libvirt should use non-root for starting qemu-kvm, as recommended in qemu docs (Let's be paranoid!)
This in fact seems to work fine after some trivial tweaking like:

useradd vm_runner -G kvm

--- /etc/libvirt/qemu.conf.save>2010-09-20 15:53:49.851690646 +0400 +++ /etc/libvirt/qemu.conf<---->2010-09-21 13:49:02.391942397 +0400 @@ -168,3 +168,7 @@ # be assigned to guests. # # relaxed_acs_check = 1 + +# Avoid running qemu-kvm as root. +user = "vm_runner" +group = "kvm"

Reproducible: Always

Steps to Reproduce:
1. Install libvirt and qemu-kvm
2. Create and start some kvm-type vm
3. ps -A -f | grep qemu

Actual Results: qemu running as root:root

Expected Results: qemu should be running as non-root

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
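Review bot: The added `user = "vm_runner"` line names an account that exists only after the separate `useradd vm_runner -G kvm` step, so as a shipped default it would point at a user the package never creates; have the package create a dedicated account itself, and extend the comment above the two settings to say which account and group are expected to exist. The two file header lines also carry `>` and `<---->` where the separator before the timestamp belongs, which looks like editor tab markers pasted into the diff, so regenerate the patch with plain `diff -u` before submitting it.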
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c1

--- Comment #1 from Nikolai Zhubr <zhubr@mail.ru> 2010-09-22 11:07:13 UTC ---
(In reply to comment #0)
I meant for the 'system' instance, of course (qemu://system)
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c

wei wang <wewang@novell.com> changed:

What       | Removed                                   | Added
-----------+-------------------------------------------+------------------
CC         |                                           | wewang@novell.com
AssignedTo | bnc-team-screening@forge.provo.novell.com | uli@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c2

Bruno Friedmann <bruno@ioda-net.ch> changed:

What       | Removed | Added
-----------+---------+------------------
CC         |         | bruno@ioda-net.ch

--- Comment #2 from Bruno Friedmann <bruno@ioda-net.ch> 2010-11-23 15:07:34 UTC ---
Does that patch also work with the libvirt/virt-manager and remote management too?
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c3

Bruce Rogers <brogers@suse.com> changed:

What       | Removed | Added
-----------+---------+-----------------------------------
CC         |         | brogers@suse.com, jfehlig@suse.com

--- Comment #3 from Bruce Rogers <brogers@suse.com> 2011-11-01 16:11:59 UTC ---
Our most recent libvirt package does operate in this mode.
https://bugzilla.novell.com/show_bug.cgi?id=640767

https://bugzilla.novell.com/show_bug.cgi?id=640767#c4

James Fehlig <jfehlig@suse.com> changed:

What             | Removed | Added
-----------------+---------+---------
Status           | NEW     | RESOLVED
Resolution       |         | FIXED
Target Milestone | ---     | Factory

--- Comment #4 from James Fehlig <jfehlig@suse.com> 2011-11-02 05:10:48 UTC ---
Wow, how did this bug go under the radar for so long...

Anyhow, as Bruce mentioned, the request here has been done in SLES11 SP2 and openSUSE12.1/Factory. By default, libvirt now launches qemu instances as user:group qemu:qemu.

But I don't see us making this change in released products such as openSUSE11.3. Users can change the behavior in released products as described by Nikolai in the bug report description.

Feel free to reopen if you disagree. Thanks!
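A scripted form of the verification step in the report (step 3, `ps -A -f | grep qemu`), as an added example that is not part of the bug report or of libvirt: it reads `user` from a qemu.conf and flags any qemu process owned by someone else. The `ps -A -o user:32,pid,comm` column layout, the helper names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. All file contents below are constructed samples.

# conf_value KEY FILE: print the last uncommented `KEY = "value"` setting in a qemu.conf.
conf_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # commented-out defaults do not count
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=/) next          # reject longer keys such as user_foo
            sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            gsub(/"/, "", rest); val = rest
        }
        END { if (val != "") print val }' "$2"
}

# qemu_owners: read `ps -A -o user:32,pid,comm` output on stdin, print "USER PID" per qemu process.
# user:32 keeps ps from shortening names longer than 8 characters (vm_runner has 9).
qemu_owners() {
    awk 'NR > 1 && $3 ~ /^qemu/ { print $1, $2 }'
}

# audit_qemu CONF PSFILE: succeed only if every qemu process runs as the configured non-root user.
audit_qemu() {
    want=$(conf_value user "$1")
    case "$want" in ""|root|0) echo "FAIL: $1 sets no non-root user"; return 1 ;; esac
    bad=$(qemu_owners < "$2" | awk -v u="$want" '$1 != u { print $2 }' | tr '\n' ' ')
    [ -z "$bad" ] || { echo "FAIL: qemu PIDs not running as $want: $bad"; return 1; }
    echo "OK: every qemu process runs as $want"
}

# make_samples DIR: write a constructed qemu.conf and two constructed ps captures.
make_samples() {
    printf '%s\n' '# relaxed_acs_check = 1' '#user = "root"' '' \
        'user = "vm_runner"' 'group = "kvm"' > "$1/qemu.conf"
    printf '%s\n' 'USER PID COMMAND' 'root 1 init' 'root 4312 qemu-kvm' > "$1/ps_before.txt"
    printf '%s\n' 'USER PID COMMAND' 'root 1 init' 'vm_runner 5120 qemu-kvm' > "$1/ps_after.txt"
}

d=$(mktemp -d) && make_samples "$d"
audit_qemu "$d/qemu.conf" "$d/ps_before.txt" || true   # guest started before the change
audit_qemu "$d/qemu.conf" "$d/ps_after.txt"  || true   # guest restarted after the change
rm -rf "$d"
```

On a live host, feed it `/etc/libvirt/qemu.conf` and a fresh `ps -A -o user:32,pid,comm` capture; guests started before the setting was changed keep their old owner until they are restarted.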