NoxDaFox
2015-May-28 07:29 UTC
[libvirt-users] virDomainCoreDumpWithFormat files created as root
Greetings, I am dumping a guest VM memory for inspection using the command "virDomainCoreDumpWithFormat" and the created files appear to belong to root (both user and group). I have searched around but didn't find any answer. Is there a way to instruct QEMU to create those files under a different user? Thank you.
Daniel P. Berrange
2015-May-28 09:03 UTC
Re: [libvirt-users] virDomainCoreDumpWithFormat files created as root
On Thu, May 28, 2015 at 10:29:22AM +0300, NoxDaFox wrote:> Greetings, > > I am dumping a guest VM memory for inspection using the command > "virDomainCoreDumpWithFormat" and the created files appear to belong to > root (both user and group). > > I have searched around but didn't find any answer. Is there a way to > instruct QEMU to create those files under a different user?No, this is a limitation of the current API & impl Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Michal Privoznik
2015-May-28 09:04 UTC
Re: [libvirt-users] virDomainCoreDumpWithFormat files created as root
On 28.05.2015 09:29, NoxDaFox wrote:> Greetings, > > I am dumping a guest VM memory for inspection using the command > "virDomainCoreDumpWithFormat" and the created files appear to belong to > root (both user and group). > > I have searched around but didn't find any answer. Is there a way to > instruct QEMU to create those files under a different user? >The coredump should belong to the user:group that the domain in question is running under. If (by default) your qemu processes run under root:root so will the coredump. Although, I'm wondering if we should not disregard this and make coredump be always owned by root:root since a coredump may contain sensitive info, e.g. all kinds of cipher keys. We do that with disk images, so maybe we should reconsider our politics with coredumps. Michal
NoxDaFox
2015-May-29 08:39 UTC
Re: [libvirt-users] virDomainCoreDumpWithFormat files created as root
2015-05-28 12:04 GMT+03:00 Michal Privoznik <mprivozn@redhat.com>:> On 28.05.2015 09:29, NoxDaFox wrote: > > Greetings, > > > > I am dumping a guest VM memory for inspection using the command > > "virDomainCoreDumpWithFormat" and the created files appear to belong to > > root (both user and group). > > > > I have searched around but didn't find any answer. Is there a way to > > instruct QEMU to create those files under a different user? > > > > The coredump should belong to the user:group that the domain in question > is running under. If (by default) your qemu processes run under > root:root so will the coredump. >I changed default settings but it didn't work. I can see the qemu processes now belonging to my user but yet the core dump is root:root. I used to generate such file with plain QMP 'pmemsave' command and it was creating it under libvirt-qemu group which was a bit better. This new command is way more handy but if I can't sort this issue out I'll need to fallback to the previous one. I set in /etc/libvirt/qemu.conf the keys user = "myuser" group = "mygroup" dynamic_ownership = 1 And restarted libvirtd.> > Although, I'm wondering if we should not disregard this and make > coredump be always owned by root:root since a coredump may contain > sensitive info, e.g. all kinds of cipher keys. We do that with disk > images, so maybe we should reconsider our politics with coredumps. > > Michal >This would limit the API quite much. There are use cases in which the need is to dump the memory for inspection and forcing it to be root would cripple the design quite a lot. A policy and an expert SysAdmin is all you need in these cases. In my specific case I'm building a test automation system and I was forced to run everything as admin or spawn a separate process, with admin rights, which would reset the correct user:group at every core dump taken. Quite clumsy!
Maybe Matching Threads
- Re: virDomainCoreDumpWithFormat files created as root
- Re: virDomainCoreDumpWithFormat files created as root
- Re: virDomainCoreDumpWithFormat files created as root
- Re: virDomainCoreDumpWithFormat files created as root
- Re: virDomainCoreDumpWithFormat files created as root