[fedora-virt] Prevent virt-manager from chowning ISOs
Cole Robinson
crobinso at redhat.com
Sun Jul 27 19:56:12 UTC 2014
On 07/12/2014 11:20 PM, Sudhir Khanger wrote:
> Hello,
>
> VirtualBox when run as a userspace tool would not require root
> password, not chown ISOs and VMs are created with regular user
> privileges. Virt-Manager on the other hand requires root password,
> changes ISO's owner to either qemu or root and VMs also created under
> root user. Personally using root for such a trivial task is not
> prefered. I can start Virt-Manager without root password using this
> guide [1] but other two doesn't seem to be possible. Anyone know
> anything about the issues I am facing.
>
I wouldn't exactly describe virtualization management as a trivial task :)
virt-manager defaults to using the libvirt URI qemu:///system, which connects
to the system libvirtd instance, which runs as root. What you're requesting is
basically the qemu:///session URI, which auto-launches a libvirtd instance
running as your regular user, runs VMs as your user, and defaults to storing
images in $HOME/VirtualMachines. You can use that like 'virt-manager --connect
qemu:///session' or File->Add Connection->QEMU/KVM user session in new enough
virt-manager.
There's a lot of reasons why virt-manager doesn't default to qemu:///session,
here's the two big ones:
- Networking: historically the only real networking mode available with
qemu:///session is usermode networking, which has limited functionality
compared to what some users will expect by default. See
http://wiki.qemu.org/Documentation/Networking#User_Networking_.28SLIRP.29
- Historical reasons: when virt-manager first grew qemu/kvm support,
qemu:///session couldn't even be used for actual KVM acceleration, which would
have made it a poor default. Nowadays that is no longer true, but to change
the default would require serious work: either lots of documentation and
warnings to explain to users the subtle differences between qemu:///system and
qemu:///session and importing of pre-existing VMs, or lots of work to try and
narrow the functionality gap between the two methods.
The chown'ing and selinux labeling of any storage attached to a VM is a
libvirt security feature that's not virt-manager's explicit doing. It has
historically been quite a pain WRT install media as you've likely discovered.
I've had a long standing todo item to fully investigate the issues that people
hit and try and come up with a solution, whether it's libvirt fixes,
virt-manager fixes, or just better error messages. But I haven't gotten around
to it yet.
- Cole
More information about the virt
mailing list