Re: [Xen-devel] [PATCH v10] run QEMU as non-root
On Wed, Mar 14, 2018 at 4:14 PM, Anthony PERARD <anthony.perard@xxxxxxxxxx> wrote:
> On Wed, Mar 14, 2018 at 02:49:37PM +0000, George Dunlap wrote:
>> On Thu, Nov 5, 2015 at 12:47 PM, Stefano Stabellini
>> <stefano.stabellini@xxxxxxxxxxxxx> wrote:
>> > diff --git a/docs/misc/qemu-deprivilege.txt
>> > b/docs/misc/qemu-deprivilege.txt
>> > new file mode 100644
>> > index 0000000..dde74ab
>> > --- /dev/null
>> > +++ b/docs/misc/qemu-deprivilege.txt
>> > @@ -0,0 +1,31 @@
>> > +For security reasons, libxl tries to pass a non-root username to QEMU as
>> > +argument. During initialization QEMU calls setuid and setgid with the
>> > +user ID and the group ID of the user passed as argument.
>> > +Libxl looks for the following users in this order:
>> > +
>> > +1) a user named "xen-qemuuser-domid$domid",
>> > +Where $domid is the domid of the domain being created.
>> > +This requires the reservation of 65535 uids from xen-qemuuser-domid1
>> > +to xen-qemuuser-domid65535. To use this mechanism, you might want to
>> > +create a large number of users at installation time. For example:
>> > +
>> > +for ((i=1; i<65536; i++))
>> > +do
>> > + adduser --no-create-home --system xen-qemuuser-domid$i
>> > +done
>>
>> This fails for me after a few hundred uids:
>>
>> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
>> LAST_SYS_UID).
>> adduser: The user `xen-qemuuser-domid892' was not created.
>> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
>> LAST_SYS_UID).
>> adduser: The user `xen-qemuuser-domid893' was not created.
>> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
>> LAST_SYS_UID).
>> adduser: The user `xen-qemuuser-domid894' was not created.
>>
>> It looks like even if --system were omitted, this would fail on a
>> normal system, as the default UID range looks to be [1000,29999].
>>
>> Also, on my test box a single 'adduser' takes about 1 second, meaning
>> just doing up to the normal number of domains (around 32k) would take
>> 9 hours or so; is that really a practical suggestion?
>
> Using systemd, it's a bit faster:
>
> for ((i=1; i<5000; i++)); do
> echo "u xen-qemuuser-domid$i -" >> /etc/sysusers.d/xen-qemu-depriv.conf;
> done
> $ time systemd-sysusers xen-qemu-depriv.conf
> systemd-sysusers xen-qemu-depriv.conf 1.19s user 1.71s system 45% cpu 6.351
> total
>
> but that also fails to create user xen-qemuuser-domid940 and the
> following. And uid for all new users was < 1000.
>
> That works better if you start my little script here with:
> echo "r - 2000-9000" >> /etc/sysusers.d/xen-qemu-depriv.conf
> # for 5000 uid:
> systemd-sysusers xen-qemu-depriv.conf 2.29s user 3.54s system 47% cpu 12.237
> total

Well, that may be, but *this particular document* doesn't mention
systemd, nor modifying the range of UIDs available; so it's not a
practical suggestion.

> George, if you read the manual for dm_restrict, the first option
> presented is to create a single userid that is the start of a range of
> uid to use:

Right, I did miss that from the man page -- but again, that option is
not mentioned here in this document.

A lot of the stuff in the man page there isn't really suitable for a
man page; it should be put in a separate document. I'll submit some
patches. :-)

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
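
Review bot: the example loop that closes the quoted docs/misc/qemu-deprivilege.txt hunk calls `adduser --no-create-home --system` once per domid up to 65535, but it never says that a UID range of that size has to be available first; the adduser output quoted in this thread shows the system range as 100-999, so the loop cannot complete as documented. The text should state the prerequisite (a reserved range of at least 65535 UIDs and how the administrator is expected to set it up) before offering the loop, or drop the loop and describe only the requirement that the xen-qemuuser-domid$domid users exist. The `for ((i=1; i<65536; i++))` form is also bash-specific, which is worth saying in the document since the snippet is presented for copy and paste.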