Hans-Christoph Steiner
2017-Feb-15 13:25 UTC
[libvirt-users] provisioning with vagrant-libvirt leaves .img file only readable by root
I'm using libvirt on Debian/stretch (testing) with vagrant and the vagrant-libvirt plugin. When I import a vagrant box (jessie64.box), the resulting file permissions let anyone in the "kvm" group read the img. But when I build upon that box, only root can read it:

-rw------- 1 root root 20198785024 Sep 19 18:19 buildserver_default.img
-rwxr--r-- 1 libvirt-qemu kvm 2148663296 Sep 5 22:55 jessie64_vagrant_box_image_0.img

How can I control those file permissions as a regular user in the libvirtd group? I need to read that image in order to use qemu-img to rebase and create a new vagrant box. The current `vagrant package` command only works with VirtualBox VMs, but it's easy to make a .box if you have read access to the libvirt QEMU .img file.

/etc/libvirt/storage/default.xml says:

  <target>
    <path>/var/lib/libvirt/images</path>
    <permissions>
      <mode>0755</mode>
    </permissions>
  </target>

You can find the context for this work here:
https://gitlab.com/fdroid/fdroidserver/issues/238

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556

Martin Kletzander
2017-Feb-15 16:43 UTC
Re: [libvirt-users] provisioning with vagrant-libvirt leaves .img file only readable by root
On Wed, Feb 15, 2017 at 02:25:12PM +0100, Hans-Christoph Steiner wrote:
>
> I'm using libvirt on Debian/stretch (testing) with vagrant and the
> vagrant-libvirt plugin. When I import a vagrant box (jessie64.box), the
> resulting file permissions let anyone in the "kvm" group read the img.
> But when I build upon that box, only root can read it:
>

I don't have any Vagrant experience, but if you have a file that any VM (with qemu://system) is using, by default libvirt will make sure the VM can use it and after that, set it to root:root. The proper way would be setting it to the permissions that it had before. We've been dealing with this for a couple of years now. It's still unfixed because we're trying to fix every single corner-case and also there are so many things to consider.

Anyway, if you make sure that qemu can access it, you can disable the automatic dynamic relabelling (either for the disk in the domain XML by saying <seclabel ... relabel="no"/> for the disk or the whole domain or all domains by setting dynamic_ownership to 0 in qemu.conf).

HTH,
Martin

> -rw------- 1 root root 20198785024 Sep 19 18:19 buildserver_default.img
> -rwxr--r-- 1 libvirt-qemu kvm 2148663296 Sep 5 22:55 jessie64_vagrant_box_image_0.img
>
> How can I control those file permissions as a regular user in the
> libvirtd group? I need to read that image in order to use qemu-img to
> rebase and create a new vagrant box. The current `vagrant package`
> command only works with VirtualBox VMs, but it's easy to make a .box if
> you have read access to the libvirt QEMU .img file.
>
> /etc/libvirt/storage/default.xml says:
>   <target>
>     <path>/var/lib/libvirt/images</path>
>     <permissions>
>       <mode>0755</mode>
>     </permissions>
>   </target>
>
> You can find the context for this work here:
> https://gitlab.com/fdroid/fdroidserver/issues/238
>
> .hc
>
> --
> PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
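
The two opt-outs described in the reply above (a per-disk seclabel with relabel="no" and dynamic_ownership set to 0 in qemu.conf) can be checked before a build with a small audit like the following. This is an added example, not code from the thread or from libvirt; the function names, the sample XML and config, the scratch.img path and the model='dac' attribute are assumptions made for the illustration, and the domain-wide seclabel case is not covered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; the second disk path is invented for contrast.
QEMU_CONF = """\
#dynamic_ownership = 1
dynamic_ownership = 0
"""
DOMAIN_XML = """\
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/buildserver_default.img'>
        <seclabel model='dac' relabel='no'/>
      </source>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/scratch.img'/>
    </disk>
  </devices>
</domain>
"""

def dynamic_ownership(conf_text):
    """Effective dynamic_ownership from qemu.conf text (1 when unset)."""
    value = 1
    for line in conf_text.splitlines():
        m = re.match(r"\s*dynamic_ownership\s*=\s*(\d+)", line)
        if m:  # commented-out lines start with '#' and never match
            value = int(m.group(1))
    return value

def disks_subject_to_chown(domain_xml, conf_text):
    """Image paths whose owner libvirt may still change for this domain."""
    if dynamic_ownership(conf_text) == 0:
        return []  # ownership management is off for all domains
    paths = []
    for src in ET.fromstring(domain_xml).iterfind("./devices/disk/source[@file]"):
        # Assumption: only an explicit model='dac' label is counted as an opt-out.
        opted_out = any(s.get("model") == "dac" and s.get("relabel") == "no"
                        for s in src.findall("seclabel"))
        if not opted_out:
            paths.append(src.get("file"))
    return paths

if __name__ == "__main__":
    print(disks_subject_to_chown(DOMAIN_XML, QEMU_CONF))
    print(disks_subject_to_chown(DOMAIN_XML, ""))
```

Any path the function returns is one libvirt may still re-own when the VM starts and stops, so a non-root user reading the image with qemu-img can lose access to it afterwards.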