Iain MacDonnell
2011-Feb-14 21:01 UTC
[libvirt-users] Xen disk device detach fails as non-root [libvirt-0.8.7 and older versions]
Hi All,

I find that I am able to attach a disk device to a Xen domain, using virDomainAttachDevice(), running as a non-root user, but I am unable to use virDomainDetachDevice() - it results in an "unknown failure". Using "virsh [attach|detach]-device" exhibits this behaviour.

$ virsh attach-device domu1 attach.xml
Device attached successfully

$ virsh detach-device domu1 attach.xml
error: Failed to detach device from attach.xml
error: Unknown failure

$

With some digging, I determined that the problem arises when libvirt tries to translate the device name to a number, using the XenStore API (xenStoreDomainGetDiskID()), which requires use of the "xenstored" UNIX socket, and that socket is only accessible by root. On making that socket accessible to the user (by group), virDomainAttachDevice() starts working, but I'm then unable to list domains, because xenStoreDoListDomains() waits to verify each domain using xenHypervisorHasDomain(), and that requires access to another socket - "/proc/xen/privcmd"

My question, before going down the path of trying to hack permissions for these sockets permanently ..... is this how it's supposed to be, or could, perhaps, libvirtd, which runs as root, access these sockets on behalf of the user? It seems it should at least fail more gracefully....

TIA for any pointers....

~iain
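A preflight check for the failure mode traced in the post above, added here as an example (it is not code from libvirt or from the thread): it evaluates the classic owner/group/other mode bits for the resources the post names and reports which libvirt call would fail, instead of surfacing an "Unknown failure". The mapping of operations to paths comes from the post; the xenstored socket path is an assumption, and ACLs and capabilities are ignored.

```python
import os
import stat

XENSTORED_SOCKET = "/var/run/xenstored/socket"  # assumed default location
PRIVCMD = "/proc/xen/privcmd"                   # named in the post

# Privileged resources each operation needs, as the post traces them,
# keyed by path -> the libvirt internal that opens it.
REQUIRED = {
    "detach-device": {XENSTORED_SOCKET: "xenStoreDomainGetDiskID()"},
    "list-domains": {XENSTORED_SOCKET: "xenStoreDoListDomains()",
                     PRIVCMD: "xenHypervisorHasDomain()"},
}


def can_rw(mode, owner_uid, owner_gid, uid, gids):
    """Classic mode-bit check: can uid (member of gids) open read/write?

    Root always passes; only one of owner/group/other applies, in that order.
    """
    if uid == 0:
        return True
    if owner_uid == uid:
        bits = stat.S_IRUSR | stat.S_IWUSR
    elif owner_gid in gids:
        bits = stat.S_IRGRP | stat.S_IWGRP
    else:
        bits = stat.S_IROTH | stat.S_IWOTH
    return (stat.S_IMODE(mode) & bits) == bits


def preflight(operation, uid=None, gids=None, required=REQUIRED):
    """Return human-readable reasons `operation` would fail (empty if none)."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    problems = []
    for path, consumer in required[operation].items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path} is missing ({consumer} needs it)")
            continue
        if not can_rw(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            problems.append(f"uid {uid} cannot open {path} read/write "
                            f"({consumer} needs it)")
    return problems


if __name__ == "__main__":
    for op in REQUIRED:
        print(op, "->", preflight(op) or ["ok"])
```

Widening the group on the xenstored socket, as the post describes, clears the first check but leaves "list-domains" failing on /proc/xen/privcmd, which is exactly the second symptom reported.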
Osier Yang
2011-Feb-15 05:29 UTC
[libvirt-users] Xen disk device detach fails as non-root [libvirt-0.8.7 and older versions]
On 2011-02-15 05:01, Iain MacDonnell wrote:
> Hi All,
>
> I find that I am able to attach a disk device to a Xen domain, using
> virDomainAttachDevice(), running as a non-root user, but I am unable
> to use virDomainDetachDevice() - it results in an "unknown failure".
> Using "virsh [attach|detach]-device" exhibits this behaviour.
>
> $ virsh attach-device domu1 attach.xml
> Device attached successfully
>
> $ virsh detach-device domu1 attach.xml
> error: Failed to detach device from attach.xml
> error: Unknown failure
>
> $
>
> With some digging, I determined that the problem arises when libvirt
> tries to translate the device name to a number, using the XenStore API
> (xenStoreDomainGetDiskID()), which requires use of the "xenstored"
> UNIX socket, and that socket is only accessible by root. On making
> that socket accessible to the user (by group), virDomainAttachDevice()
> starts working, but I'm then unable to list domains, because
> xenStoreDoListDomains() waits to verify each domain using
> xenHypervisorHasDomain(), and that requires access to another socket -
> "/proc/xen/privcmd"
>
> My question, before going down the path of trying to hack permissions
> for these sockets permanently ..... is this how it's supposed to be,
> or could, perhaps, libvirtd, which runs as root, access these sockets
> on behalf of the user? It seems it should at least fail more
> gracefully....

Recall there was discussion on problems like these before, but I can't find the thread now. If I remember well, the conclusion was that libvirt will need a more robust solution for non-root users' priv. And in my mind, Justin was involved in the discussion, so cc' to him to see if he could help. :-)

Regards
Osier