From Fedora Project Wiki


(→‎Fedora Virtualization List: Non-root User Image Locations)
Line 51: Line 51:
  
 
==== Non-root User Image Locations ====
 
==== Non-root User Image Locations ====
http://www.redhat.com/archives/fedora-virt/2009-April/msg00195.html
+
[[RobertDay|Robert Day]]
 +
asked<ref>http://www.redhat.com/archives/fedora-virt/2009-April/msg00195.html</ref>
 +
"by default, new VM images are created in
 +
{{filename|/var/lib/libvirt/images}}, and that directory is not accessible to
 +
non-root users."
 +
 
 +
[[DanielBerrange|Daniel Berrange]]
 +
<ref>http://www.redhat.com/archives/fedora-virt/2009-April/msg00198.html</ref>
 +
<pre>
 +
There are two classes of libvirt driver connection
 +
 
 +
- Privileged, per-host connections
 +
- Unprivileged, per-user connections
 +
 
 +
Xen provides a per-host connection. UserModeLinux and QEMU provide
 +
both (qemu:///system and qemu:///session). VirtualBox just proivides
 +
a per-user instance (vbox:///session) and so on.
 +
 
 +
Now by default in Fedora, when connecting to QEMU, virt-manager will
 +
use the privileged per-host connection, so VMs end up in the system
 +
directory /var/lib/libvirt/images.
 +
 
 +
Our goal (perhaps for F12) should be for local desktop virt use
 +
cases to use the unprivileged  QEMU connection qemu://session
 +
by default, and have VM disk images stored in your home directory
 +
</pre>
 +
<pre>
 +
> How would we allow KVM access? Unix groups or something else?
 +
 
 +
Two options
 +
 
 +
- A UNIX group for /dev/kvm
 +
- Just make it world writable
 +
 
 +
 
 +
In theory now KVM no longer pins all guest RAM into host RAM, it is
 +
reasonable safe to allow users to access it without any restrictions.
 +
(eg option 2) Will need to confirm with KVM developers if this is
 +
really so, but that was the intention last time i asked them.
 +
</pre>
 +
<ref>http://www.redhat.com/archives/fedora-virt/2009-April/msg00239.html</ref>
 +
<pre>
 +
Historically SELinux has wanted images in particular locations. With
 +
the introduction of SVirt in libvirt, we have much more advanced
 +
SELinux integration and will in fact automatically re-label images
 +
to match the needs of a VM. So allowing arbitary locations *and*
 +
still being in compliance with SELinux policy is now practical
 +
</pre>
 +
 
 
<references />
 
<references />
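Review bot: the added attribution `[[DanielBerrange|Daniel Berrange]]` is followed directly by its `<ref>` with no verb, so the entry renders as a bare name and footnote ahead of the first `<pre>` quote; add a word such as "replied" before the `<ref>`. The second `<pre>` block opens with a `>`-quoted question whose asker is not named, and the third `<ref>` sits between two `<pre>` blocks with no sentence attached, so a short introduction before each would make clear who is speaking and which message is cited. The quoted text also has `qemu://session` where the same quote earlier has `qemu:///session`.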
  

Revision as of 16:02, 25 April 2009


Virtualization

In this section, we cover discussion of Fedora virtualization technologies on the @et-mgmnt-tools-list, @fedora-xen-list, and @libvirt-list.

Contributing Writer: Dale Bewley

Enterprise Management Tools List

This section contains the discussion happening on the et-mgmt-tools list.


Fedora Virtualization List

This section contains the discussion happening on the fedora-virt list.

New Release libguestfs 1.0.10

Richard Jones announced[1] release 1.0.10 of libguestfs[2]. Born only a couple of weeks ago (FWN#171[3]), libguestfs has progressed very far very fast.

"libguestfs is a library for accessing and modifying guest disk images. Amongst the things this is good for: making batch configuration changes to guests, getting disk used/free statistics (see also: virt-df), migrating between virtualization systems (see also: virt-p2v), performing partial backups, performing partial guest clones, cloning guests and changing registry/UUID/hostname info, and much else besides."

Features in 1.0.10 include:

  • bindings for: C, C++, Perl, Python, OCaml, Ruby, Java and shell scripting
  • KVM support
  • QEMU binary is completely configurable at compile & runtime
  • ext4 support
  • support for uploading and downloading arbitrary-sized files
  • support for uploading and downloading tar and tar.gz content
  • support for querying size of block devices, setting r/o
  • support for reading ext2/3 superblocks
  • stat, lstat, statvfs commands
  • commands to mount filesystems read-only
  • run arbitrary commands from the guest
  • file(1) command
  • readline in guestfish with history and tab completion
  • guestfish 'edit' command
  • big documentation improvements, including more on the internals
  • pkgconfig file

Richard posted some example uses[4] of the libguestfs command line tool called guestfish.

Non-root User Image Locations

Robert Day asked[1] "by default, new VM images are created in /var/lib/libvirt/images, and that directory is not accessible to non-root users."

Daniel Berrange replied[2]:

There are two classes of libvirt driver connection

 - Privileged, per-host connections
 - Unprivileged, per-user connections

Xen provides a per-host connection. UserModeLinux and QEMU provide
both (qemu:///system and qemu:///session). VirtualBox just provides
a per-user instance (vbox:///session) and so on.

Now by default in Fedora, when connecting to QEMU, virt-manager will
use the privileged per-host connection, so VMs end up in the system
directory /var/lib/libvirt/images.

Our goal (perhaps for F12) should be for local desktop virt use
cases to use the unprivileged QEMU connection qemu://session
by default, and have VM disk images stored in your home directory

> How would we allow KVM access? Unix groups or something else?

Two options

 - A UNIX group for /dev/kvm
 - Just make it world writable


In theory now KVM no longer pins all guest RAM into host RAM, it is
reasonably safe to allow users to access it without any restrictions.
(eg option 2) Will need to confirm with KVM developers if this is
really so, but that was the intention last time I asked them.

[3]

Historically SELinux has wanted images in particular locations. With
the introduction of SVirt in libvirt, we have much more advanced
SELinux integration and will in fact automatically re-label images
to match the needs of a VM. So allowing arbitrary locations *and*
still being in compliance with SELinux policy is now practical
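
The two connection classes and the two /dev/kvm access options from the thread can be checked on a host as follows. This is an added example, not code from the newsletter or the mailing list posts; the function names `connection_class`, `kvm_access_model` and `audit_kvm` are hypothetical.

```python
import os
import stat
from urllib.parse import urlsplit


def connection_class(uri):
    """Map a libvirt URI to one of the two connection classes by its path."""
    parts = urlsplit(uri)
    if parts.path == "/system":
        return "privileged per-host"
    if parts.path == "/session":
        return "unprivileged per-user"
    # With only two slashes ("qemu://session") urlsplit puts "session" in the
    # host part and the path is empty, so it matches neither class here.
    return "unknown"


def kvm_access_model(mode):
    """Name the access option that a device node's mode bits implement."""
    if not stat.S_ISCHR(mode):
        return "not a character device"
    rw_other = stat.S_IROTH | stat.S_IWOTH
    rw_group = stat.S_IRGRP | stat.S_IWGRP
    if mode & rw_other == rw_other:
        return "world-writable"   # option 2: "Just make it world writable"
    if mode & rw_group == rw_group:
        return "group"            # option 1: "A UNIX group for /dev/kvm"
    return "owner only"


def audit_kvm(path="/dev/kvm"):
    """Return (access model, whether the calling user can open it read-write)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("absent", False)
    # os.access applies the kernel's owner/group/other precedence for us.
    return (kvm_access_model(st.st_mode), os.access(path, os.R_OK | os.W_OK))


if __name__ == "__main__":
    for uri in ("qemu:///system", "qemu:///session", "vbox:///session"):
        print(uri, "->", connection_class(uri))
    print("/dev/kvm ->", audit_kvm())
```
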

Fedora Xen List

This section contains the discussion happening on the fedora-xen list.

Dom0 Kernel Not Before 2.6.31

The upstream Xen dom0 work done by Jeremy Fitzhardinge has been cleaned up and reorganized[1] into

Michael Young built[2] a new experimental dom0 kernel "version (2.6.30-0.1.2.21.rc3.xendom0.fc12) is based on the Fedora devel kernel branch and xen-tip/next branch from the pvops kernel repository." This kernel may be found in Michael's yum repo[3].

Michael added that "very few xen patches made it into 2.6.30, just bugfixes and tidy ups, so we are waiting at least until 2.6.31[4] for mainline dom0 support."

Libvirt List

This section contains the discussion happening on the libvir-list.