filesystem access - document file ownership requirements

Bug #1445386 reported by Muelli
This bug affects 1 person
Affects                Status    Importance  Assigned to  Milestone
libvirt (Ubuntu)       Triaged   Medium      Unassigned
virt-manager (Ubuntu)  Triaged   Medium      Unassigned

Bug Description

I have configured host filesystem access via virt-manager.

    <filesystem type='mount' accessmode='squash'>
      <source dir='/tmp/share1'/>
      <target dir='/hostshare1'/>
      <alias name='fs0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </filesystem>
    <filesystem type='mount' accessmode='mapped'>
      <source dir='/tmp/share2'/>
      <target dir='hostshare2'/>
      <alias name='fs1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </filesystem>

now, in the guest, I can mount /hostshare1 -t 9p -o trans=virtio,version=9p2000.L,access=any,posixacl /mnt/
but I cannot list the directory. I get a permission denied error.

cat /etc/apparmor.d/libvirt/libvirt-039f126b-da58-4dba-9317-4c7586c34a61.files

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/ubuntutrusty-server.log" w,
  "/var/lib/libvirt/**/ubuntutrusty-server.monitor" rw,
  "/var/run/libvirt/**/ubuntutrusty-server.pid" rwk,
  "/run/libvirt/**/ubuntutrusty-server.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.ubuntutrusty-server" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.ubuntutrusty-server" rw,
  "/var/lib/libvirt/images/ubuntutrusty-server.qcow2" rw,
  "/tmp/share1/**" rwl,
  "/tmp/share1/" r,
  "/tmp/share2/**" rwl,
  "/tmp/share2/" r,
  /dev/vhost-net rw,
  "/dev/net/tun" rw,

but I needed to
sudo aa-complain libvirt/libvirt-039f126b-da58-4dba-9317-4c7586c34a61
in order to be able to list the directory. I cannot read or write files, though.

I expected it to work fine.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libvirt-bin 1.2.12-0ubuntu11
ProcVersionSignature: Ubuntu 3.19.0-13.13-generic 3.19.3
Uname: Linux 3.19.0-13-generic x86_64
ApportVersion: 2.17-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Apr 17 10:15:24 2015
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']

Revision history for this message
Muelli (ubuntu-bugs-auftrags-killer) wrote :
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1445386] [NEW] virtual machine cannot access p9 filesystem

libvirt domains are not allowed to access /tmp. Could you please try using
a different path, perhaps under your home directory, as the source dir?

 status: incomplete

Changed in libvirt (Ubuntu):
status: New → Incomplete
Muelli (ubuntu-bugs-auftrags-killer) wrote : Re: virtual machine cannot access p9 filesystem

on the host:

➜ tmp>echo foo > share1/bar
➜ tmp>echo foo > share2/bar
➜ tmp>ls -la share*
share1:
total 4
drwxrwxr-x 1 muelli muelli 6 Apr 24 11:22 ./
drwxrwxr-x 1 muelli muelli 30 Apr 24 11:17 ../
-rw-rw-r-- 1 muelli muelli 4 Apr 24 11:28 bar

share2:
total 4
drwxrwxr-x 1 muelli muelli 6 Apr 24 11:22 ./
drwxrwxr-x 1 muelli muelli 30 Apr 24 11:17 ../
-rw-rw-r-- 1 muelli muelli 4 Apr 24 11:28 bar
➜ tmp>pwd
/home/muelli/tmp
➜ tmp>

and then on the guest:

root@ubuntu:~# mkdir /tmp/mnt1
root@ubuntu:~# mkdir /tmp/mnt2
root@ubuntu:~# mount /hostshare1 -t 9p -o trans=virtio,version=9p2000.L,access=any,posixacl /tmp/mnt1/
root@ubuntu:~# mount /hostshare2 -t 9p -o trans=virtio,version=9p2000.L,access=any,posixacl /tmp/mnt2/
root@ubuntu:~# ls -la /tmp/mnt*/
/tmp/mnt1/:
total 8
drwxrwxr-x 1 foo foo 6 Apr 24 11:22 .
drwxrwxrwt 4 root root 4096 Apr 24 11:27 ..
-rw-rw-r-- 1 foo foo 4 Apr 24 11:28 bar

/tmp/mnt2/:
total 8
drwxrwxr-x 1 foo foo 6 Apr 24 11:22 .
drwxrwxrwt 4 root root 4096 Apr 24 11:27 ..
-rw-rw-r-- 1 foo foo 4 Apr 24 11:28 bar
root@ubuntu:~# cat /tmp/mnt*/bar
foo
foo
root@ubuntu:~# echo baz > /tmp/mnt1/baz
-bash: /tmp/mnt1/baz: Permission denied
root@ubuntu:~# echo baz > /tmp/mnt2/baz
-bash: /tmp/mnt2/baz: Permission denied

so reading seems to work, but writing does not. I can imagine that to be a problem with the permissions of the folder being written to. However, changing the group of the folders to libvirtd didn't help.

Serge Hallyn (serge-hallyn) wrote :

When I create ~/share1 and p9-mount it into a libvirt VM just as you did, I was able to create and write - but only to files owned by the libvirt-qemu user, of course (since qemu runs as that user). When the directory was owned by me I could not create files.

Serge Hallyn (serge-hallyn) wrote :

Can you please confirm that you are chowning the directories/files to libvirt-qemu user?

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
Muelli (ubuntu-bugs-auftrags-killer) wrote :

when the directory is chgrp()ed to kvm then I can indeed write to it from the guest.
I think it'd be good to show that information somewhere in virt-manager when creating the filesystem share.

it's a bit unfortunate, though. The user needs to be either in the kvm or in the libvirt-qemu group. At least the latter seems to be a non-standard requirement.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1445386] Re: virtual machine cannot access p9 filesystem

Quoting Muelli (<email address hidden>):
> when the directory is chgrp()ed to kvm then I can indeed write to it from the guest.

Thanks for confirming.

> I think it'd be good to show that information somewhere in virt-manager when creating the filesystem share.

Do you have any suggestions about where to add this? Where did you
look when you were looking for info?

> it's a bit unfortunate, though. The user need to be either in the kvm
> or in the libvirt-qemu group. At least the latter seems to be a non
> standard requirement.

Agreed. Perhaps libvirt should try to add an ACL for the libvirt-qemu
user.

Muelli (ubuntu-bugs-auftrags-killer) wrote : Re: virtual machine cannot access p9 filesystem

hm, maybe next to the source path (see attached screenshot). Something like "The directory you're about to share is not owned by $necessary_user:group. This may cause problems when writing from the guest.".
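
The check Muelli asks for next to the source path, together with the ownership gate Serge describes (qemu runs as the libvirt-qemu user, so the shared directory must be writable by that account, in the thread's case via the kvm group), as an added Python example. This is not virt-manager or libvirt code. It models only the owner/group/other mode bits the host kernel applies to the qemu process, ignores POSIX ACLs and capabilities, and assumes Ubuntu's account names libvirt-qemu and kvm as named in the thread; the remedy commands it prints (chgrp/chmod or setfacl) are suggestions for the admin, not something libvirt runs.

```python
"""Pre-flight ownership check for a libvirt <filesystem type='mount'> share.

Added example for this bug report; it is not virt-manager or libvirt code.
It models the classic owner/group/other permission check the host kernel
applies to the qemu process (no ACLs, no capabilities), which reproduces the
report: a share owned by muelli:muelli with mode 0775 is readable but not
writable for libvirt-qemu until the directory is chgrp'ed to kvm.
"""
import grp
import os
import pwd
import stat
from typing import List, NamedTuple, Set, Tuple

# Ubuntu's qemu.conf defaults (user = "libvirt-qemu", group = "kvm"), as named
# in the bug thread; other distributions use different account names.
QEMU_USER = "libvirt-qemu"
QEMU_GROUP = "kvm"


class Access(NamedTuple):
    readable: bool
    writable: bool
    traversable: bool  # x bit on a directory: needed to enter it / look up entries


def access_for(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: Set[int]) -> Access:
    """Mode-bit check for one process identity, as the kernel does it: owner
    bits if the uid matches, else group bits if any gid matches, else other
    bits. The owner class is used even when the group would also match."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    return Access(readable=bool(bits & 0o4),
                  writable=bool(bits & 0o2),
                  traversable=bool(bits & 0o1))


def identity_of(username: str) -> Tuple[int, Set[int]]:
    """uid plus all gids (primary and supplementary) of a host account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def check_share(source_dir: str, uid: int, gids: Set[int],
                username: str = QEMU_USER) -> List[str]:
    """Problems a GUI could show next to the source path, e.g. 'the directory
    you are about to share is not writable by libvirt-qemu'."""
    path = os.path.abspath(source_dir)
    problems: List[str] = []

    # qemu must be able to search every ancestor to reach the share at all.
    parent = os.path.dirname(path)
    while True:
        st = os.stat(parent)
        if not access_for(st.st_mode, st.st_uid, st.st_gid, uid, gids).traversable:
            problems.append(f"{parent}: {username} cannot traverse it (needs x)")
        nxt = os.path.dirname(parent)
        if nxt == parent:
            break
        parent = nxt

    st = os.stat(path)
    acc = access_for(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    if not (acc.readable and acc.traversable):
        problems.append(f"{path}: {username} cannot list it (needs r and x)")
    if not acc.writable:
        problems.append(
            f"{path}: not writable by {username}; guest writes will fail. "
            f"Fix: chgrp {QEMU_GROUP} {path} && chmod g+w {path}, "
            f"or setfacl -m u:{username}:rwx {path}")
    return problems


def check_share_for_user(source_dir: str, username: str = QEMU_USER) -> List[str]:
    """Convenience wrapper that resolves the real account on this host."""
    uid, gids = identity_of(username)
    return check_share(source_dir, uid, gids, username)


if __name__ == "__main__":
    import sys
    for d in sys.argv[1:] or ["/tmp/share1", "/tmp/share2"]:  # paths from the report
        try:
            report = check_share_for_user(d)
        except (KeyError, FileNotFoundError) as exc:  # unknown user or missing dir
            report = [f"{d}: cannot check ({exc!r})"]
        for line in report or [f"{d}: ok for {QEMU_USER}"]:
            print(line)
```

Run it on the host as `python3 share_check.py /tmp/share1`. With the directories as shown in the report (muelli:muelli, mode 0775) it reports read-only access for libvirt-qemu, and after `chgrp kvm` on the directory it reports nothing, matching the observed behaviour that reads succeed and writes fail. The same DAC gate applies to both accessmode='squash' and accessmode='mapped', since in both cases qemu itself performs the host file operations with its own credentials; the AppArmor profile libvirt generates is a separate gate that this check does not model.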

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1445386] Re: virtual machine cannot access p9 filesystem

Oh, interesting - I was thinking of a wiki page or the Ubuntu server guide.
But yes, virt-manager would also be good.

 affects: virt-manager

summary: - virtual machine cannot access p9 filesystem
+ filesystem access - document file ownership requirements
Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
no longer affects: virt-manager
Changed in virt-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Medium