On Wed, Sep 24, 2025 at 11:31:31AM +0100, Richard W.M. Jones wrote:
On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
And now that you say that, I just realised that it would be as simple as:
https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-lib...
LIBGUESTFS_BACKEND=direct virt-edit...
While that will indeed work, we're trying to discourage people from doing that, since it removes the other good things that libvirt does, such as setting up SELinux.
The real solution here IMHO is for libvirt to make session mode work for root without changing UID. It actually goes out of its way to stop this working at the moment[1].
We made it possible to run QEMU as root:root while still using system mode quite a while ago now. It requires adding this to the XML:

  <seclabel type='static' model='dac' relabel='yes'>
    <label>+0:+0</label>
  </seclabel>

AFAICT, the resulting QEMU will also still have all capabilities set, most importantly CAP_DAC_OVERRIDE. So unless I'm missing something there shouldn't be anything that can't be done with system mode, that a session mode would allow. I thought I had already suggested that libguestfs use this seclabel, but don't recall if it was ever tried, or if we hit some other roadblock.
[1] In qemuStateInitialize -> virQEMUDriverConfigNew, I think
Well that's where the initial control is, but it isn't as simple as just removing/changing that code. When running as root, we have access to a lot of system wide resources, and libvirt needs to track which are in use by VMs or not. We can't do that tracking if we have two separate privileged daemons for both system mode and a root-session mode. It might be possible to have a single daemon service both roles. VMs defined via a session mode connection would auto-add the above <seclabel> to default to running as root. It would also need to dynamically change what's reported in capabilities to reflect this different default, and more systemd socket unit files at the locations that the session mode client app looks for.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
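As an added example (not code from the thread, libvirt or libguestfs), the following checks the two things discussed above from an operator's side: whether a domain definition carries the static DAC <seclabel> with the +0:+0 label, and whether a QEMU process actually runs as uid 0 and keeps CAP_DAC_OVERRIDE in its effective capability set, read from /proc/<pid>/status. The domain XML and the /proc status text embedded below are constructed samples, and the helper names are my own.

```python
"""Verify libvirt static DAC labelling and the resulting QEMU privileges.

Added example; not part of libvirt or libguestfs. Sample inputs below are
constructed so the checks run offline; read_status() reads a live process.
"""
import re
import xml.etree.ElementTree as ET

CAP_DAC_OVERRIDE = 1  # capability bit number from linux/capability.h

# Constructed domain XML carrying the seclabel discussed in the thread.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>appliance</name>
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+0:+0</label>
  </seclabel>
</domain>"""

# Constructed /proc/<pid>/status fragments: full cap set as root, and a
# confined process with everything dropped.
SAMPLE_STATUS_ROOT = "Name:\tqemu-kvm\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_STATUS_DROPPED = "Name:\tqemu-kvm\nUid:\t107\t107\t107\t107\nCapEff:\t0000000000000000\n"


def static_dac_label(domain_xml):
    """Return the label of a static DAC <seclabel> on the domain, else None."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        if sec.get("model") == "dac" and sec.get("type") == "static":
            label = sec.find("label")
            if label is not None and label.text:
                return label.text.strip()
    return None


def read_status(pid):
    """Read /proc/<pid>/status for a live QEMU process (Linux only)."""
    with open("/proc/%d/status" % pid) as fh:
        return fh.read()


def effective_caps(status_text):
    """Parse the CapEff hex bitmask out of /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(status_text, cap_bit):
    """True if the given capability bit is in the effective set."""
    return bool((effective_caps(status_text) >> cap_bit) & 1)


def runs_as_root_with_dac_override(status_text):
    """True if the process has real uid 0 and CAP_DAC_OVERRIDE effective."""
    uid = re.search(r"^Uid:\s*(\d+)", status_text, re.M)
    return uid is not None and uid.group(1) == "0" and has_cap(status_text, CAP_DAC_OVERRIDE)
```

On a live host, pass the output of `virsh dumpxml <domain>` to static_dac_label() and read_status() of the QEMU pid to runs_as_root_with_dac_override().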