Hello.

I am trying to 'passthrough' part of the host filesystem to a kvm guest.

libvirt xml:

  <filesystem type='mount' accessmode='passthrough'>
    <source dir='/var/guests/mail-var'/>
    <target dir='mail-var'/>
  </filesystem>

kvm is started from root.

After mounting in the guest with

  mount -t 9p mail-var /mnt -o trans=virtio,version=9p2000.L

or

  mount -t 9p www-var /mnt -o trans=virtio

if I try to make a file or directory in the guest, I have a problem with permissions:

  ruser@www:~# ls -ld /mnt/ruser/
  drwxr-xr-x 2 ruser www-data 4096 May 28 13:13 /mnt/ruser/
  ruser@www:~# ls -ld /mnt/tmp/
  drwxrwxrwx 2 root root 4096 Jul 26 09:01 /mnt/tmp/

  root@www:~# touch /mnt/tmp/file1
  OK:
  root@www:~# touch /mnt/ruser/file2
  touch: cannot touch `/mnt/ruser/file2': Permission denied

  root@www:~# su ruser
  ruser@www:~$ touch /mnt/ruser/file3
  touch: cannot touch `/mnt/ruser/file3': Permission denied
  ruser@www:~$ touch /mnt/tmp/file4
  touch: setting times of `/mnt/tmp/file4': No such file or directory

I have read in the documentation that in the "passthrough" security model, files are stored using the same credentials as they are created with on the guest (like NFS3).

Please suggest what the issue is: am I doing something wrong, must I update qemu-kvm and/or libvirt to a recent version, or do I need to find another solution for sharing the host filesystem?

Thanks.
Yury

In the host:

  root@host:~# libvirtd --version
  libvirtd (libvirt) 0.9.12
  root@host:~# kvm --version
  QEMU emulator version 1.1.2 (qemu-kvm-1.1.2+dfsg-6, Debian), Copyright (c) 2003-2008 Fabrice Bellard
  root@host:~# uname -a
  Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux
  root@host:~$ cat /etc/os-release
  PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
Daniel P. Berrange
2013-Jul-26 09:07 UTC
Re: [libvirt-users] filesystem accessmode='passthrough'
On Fri, Jul 26, 2013 at 10:24:52AM +0400, Yury Goltsov wrote:
> Hello.
> I am trying to 'passthrough' part of the host filesystem to a kvm guest.
> libvirt xml:
> <filesystem type='mount' accessmode='passthrough'>
>   <source dir='/var/guests/mail-var'/>
>   <target dir='mail-var'/>
> </filesystem>
> kvm is started from root.
>
> After mounting in the guest with
> mount -t 9p mail-var /mnt -o trans=virtio,version=9p2000.L
> or
> mount -t 9p www-var /mnt -o trans=virtio
> if I try to make a file or directory in the guest, I have a problem with permissions:
> ruser@www:~# ls -ld /mnt/ruser/
> drwxr-xr-x 2 ruser www-data 4096 May 28 13:13 /mnt/ruser/
> ruser@www:~# ls -ld /mnt/tmp/
> drwxrwxrwx 2 root root 4096 Jul 26 09:01 /mnt/tmp/
>
> root@www:~# touch /mnt/tmp/file1
> OK:
> root@www:~# touch /mnt/ruser/file2
> touch: cannot touch `/mnt/ruser/file2': Permission denied
>
> root@www:~# su ruser
> ruser@www:~$ touch /mnt/ruser/file3
> touch: cannot touch `/mnt/ruser/file3': Permission denied
> ruser@www:~$ touch /mnt/tmp/file4
> touch: setting times of `/mnt/tmp/file4': No such file or directory
>
> I have read in the documentation that in the "passthrough" security model,
> files are stored using the same credentials as they are created with on the guest (like NFS3).
>
> Please suggest what the issue is:
> am I doing something wrong, must I update qemu-kvm and/or libvirt to a recent version,
> or do I need to find another solution for sharing the host filesystem?

You have to remember that the QEMU process on the host is running as qemu:qemu by default, without any capabilities. So with passthrough mode, the guest will see all the correct user/group owners, but it will still not be able to write to arbitrary files. It'll only be able to write stuff which is owned by qemu:qemu, or has global write permission (like /tmp does in your example).

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Yury Goltsov
2013-Jul-26 13:53 UTC
Re: [libvirt-users] filesystem accessmode='passthrough'
On 26.07.13 10:07:27, Daniel P. Berrange wrote:
> On Fri, Jul 26, 2013 at 10:24:52AM +0400, Yury Goltsov wrote:
> > Hello.
> > I am trying to 'passthrough' part of the host filesystem to a kvm guest.
> > libvirt xml:
> > <filesystem type='mount' accessmode='passthrough'>
> >   <source dir='/var/guests/mail-var'/>
> >   <target dir='mail-var'/>
> > </filesystem>
> > kvm is started from root.
> >
> > After mounting in the guest with
> > mount -t 9p mail-var /mnt -o trans=virtio,version=9p2000.L
> > or
> > mount -t 9p www-var /mnt -o trans=virtio
> > if I try to make a file or directory in the guest, I have a problem with permissions:
> > ruser@www:~# ls -ld /mnt/ruser/
> > drwxr-xr-x 2 ruser www-data 4096 May 28 13:13 /mnt/ruser/
> > ruser@www:~# ls -ld /mnt/tmp/
> > drwxrwxrwx 2 root root 4096 Jul 26 09:01 /mnt/tmp/
> >
> > root@www:~# touch /mnt/tmp/file1
> > OK:
> > root@www:~# touch /mnt/ruser/file2
> > touch: cannot touch `/mnt/ruser/file2': Permission denied
> >
> > root@www:~# su ruser
> > ruser@www:~$ touch /mnt/ruser/file3
> > touch: cannot touch `/mnt/ruser/file3': Permission denied
> > ruser@www:~$ touch /mnt/tmp/file4
> > touch: setting times of `/mnt/tmp/file4': No such file or directory
> >
> > I have read in the documentation that in the "passthrough" security model,
> > files are stored using the same credentials as they are created with on the guest (like NFS3).
> >
> > Please suggest what the issue is:
> > am I doing something wrong, must I update qemu-kvm and/or libvirt to a recent version,
> > or do I need to find another solution for sharing the host filesystem?
>
> You have to remember that the QEMU process on the host is running
> as qemu:qemu by default, without any capabilities. So with passthrough
> mode, the guest will see all the correct user/group owners, but it will
> still not be able to write to arbitrary files. It'll only be able to
> write stuff which is owned by qemu:qemu, or has global write permission
> (like /tmp does in your example).
>
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Hello Daniel.

Thanks for the quick reply.

The QEMU processes are running as libvirt_qemu:libvirt_qemu by default. But after changing

  user=root
  group=root

in /etc/libvirt/qemu.conf and restarting libvirtd and all qemu processes, qemu is running as root:root.

Moreover, this strange behaviour does not correspond to the libvirt_qemu:libvirt_qemu credentials. root in the guest can write (append) to ANY file, but can't write (create a file) to a directory if he (root) is not the owner of this directory. Other users can't create files in ALL directories (rwxrwxrwx, for example), but can append to files if it is permitted (the user is the owner of the file, for example).

I was looking through Google for a solution to this problem. There are some (two or three) posts on forums about it (qemu allows writing to files, but does not allow writing to directories), but the answer was not there.

Yury.
Yury Goltsov
2013-Jul-31 05:03 UTC
Re: [libvirt-users] filesystem accessmode='passthrough' [SOLVED]
After adding the line

  clear_emulator_capabilities = 0

to the file

  /etc/libvirt/qemu.conf

the results of file system operations are the expected color.

Thanks.
Daniel P. Berrange
2013-Jul-31 09:26 UTC
Re: [libvirt-users] filesystem accessmode='passthrough' [SOLVED]
On Wed, Jul 31, 2013 at 09:03:01AM +0400, Yury Goltsov wrote:
> After adding the line
> clear_emulator_capabilities = 0
> to the file
> /etc/libvirt/qemu.conf
> the results of file system operations are the expected color.

NB setting user=root and clear_emulator_capabilities=0 is a very insecure configuration. If there were an exploit in QEMU, it would allow it to compromise your entire host, unless you have SELinux or AppArmor providing protection for QEMU.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
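As an added example (not code from the thread or from libvirt), a small bash audit that reads a qemu.conf and classifies the emulator's privilege posture, flagging the user=root plus clear_emulator_capabilities=0 combination Daniel warns about. The key names are the real qemu.conf keys; the compiled-in default user name is an assumption passed in by the caller, since it differs per distribution (libvirt_qemu on the poster's Debian, qemu elsewhere).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from libvirt: audit a qemu.conf for
# the emulator privilege posture discussed in this thread. user= and
# clear_emulator_capabilities= are the real qemu.conf keys; the compiled-in
# default user is an assumption supplied by the caller (it differs per distro).

# Print the effective value of a key: the last uncommented assignment wins,
# surrounding quotes and a trailing comment are stripped, else use the default.
qemu_conf_get() {
    local file="$1" key="$2" default="$3" val
    val=$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\"#]*)\"?.*/\1/p" "$file" | tail -n 1)
    val="${val%"${val##*[![:space:]]}"}"   # trim blanks left before a '#' comment
    printf '%s\n' "${val:-$default}"
}

# Classify how much privilege a compromised QEMU would hold. Prints one word:
#   ok                 unprivileged account, capabilities cleared (libvirt default)
#   caps-kept          unprivileged account but clear_emulator_capabilities = 0
#   root-caps-dropped  runs as root, yet capabilities are still cleared at exec
#   root-with-caps     root AND capabilities kept: the configuration Daniel flags
audit_qemu_conf() {
    local file="$1" default_user="${2:-qemu}" user caps
    user=$(qemu_conf_get "$file" user "$default_user")
    caps=$(qemu_conf_get "$file" clear_emulator_capabilities 1)   # libvirt default is 1
    case "$user:$caps" in
        root:0|0:0) echo root-with-caps ;;
        root:*|0:*) echo root-caps-dropped ;;
        *:0)        echo caps-kept ;;
        *)          echo ok ;;
    esac
}

# Stand-alone demo on a constructed copy of the poster's final configuration.
demo_conf=$(mktemp)
printf 'user = "root"\ngroup = "root"\nclear_emulator_capabilities = 0\n' > "$demo_conf"
echo "poster's final qemu.conf: $(audit_qemu_conf "$demo_conf" libvirt_qemu)"
rm -f "$demo_conf"
```

Point it at the real file with `audit_qemu_conf /etc/libvirt/qemu.conf libvirt_qemu` to see which of the four states a host is in.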