From: Wei Liu <wei.liu2@citrix.com>
To: Anthony PERARD <anthony.perard@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
xen-devel@lists.xen.org
Subject: Re: [PATCH] libxl: Do not warn about non existing user for the device model
Date: Mon, 23 May 2016 12:57:26 +0100
Message-ID: <20160523115726.GO31272@citrix.com>
In-Reply-To: <1464003302-12187-1-git-send-email-anthony.perard@citrix.com>
On Mon, May 23, 2016 at 12:35:02PM +0100, Anthony PERARD wrote:
> Running QEMU as non-root user is not ready yet, so avoid advertising it
> with a warning.
>
> Also improve the doc to include more potential issues with running QEMU
> as non-root.
>
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
> docs/man/xl.cfg.pod.5 | 5 +++--
> docs/misc/qemu-deprivilege.txt | 4 ++--
> tools/libxl/libxl_dm.c | 2 +-
> 3 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> index accd9b4..8a4f4c5 100644
> --- a/docs/man/xl.cfg.pod.5
> +++ b/docs/man/xl.cfg.pod.5
> @@ -1953,8 +1953,9 @@ option to the device-model.
>
> Run the device model as user "username", instead of
> B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
> -Please note that running QEMU as non-root causes migration and PCI
> -passthrough not to work properly.
> +Please note that running QEMU as non-root causes several features like
> +migration and PCI passthrough to not work properly and may prevent the guest
> +from booting.
>
What is not clear is whether using this option would buy the user
anything security-wise. If it doesn't improve security but only breaks
things we should probably remove it from the man page altogether.
Just my 2 cents.
Wei.
> =back
>
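Review bot: In the sentence added to the device_model_user paragraph, "may prevent the guest from booting" gives the reader no way to tell when that happens or how to avoid it, while the paragraph's first sentence lists B<xen-qemuuser-domid$domid> and B<xen-qemuuser-shared> ahead of B<root> as the users this option replaces. Suggest saying which setting avoids the failures (for example, setting the option to "root", if that is the intended workaround), and keeping the removed text's "not to work properly" rather than "to not work properly".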
> diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt
> index 879a98e..7751194 100644
> --- a/docs/misc/qemu-deprivilege.txt
> +++ b/docs/misc/qemu-deprivilege.txt
> @@ -31,5 +31,5 @@ adduser --no-create-home --system xen-qemuuser-shared
> As a last resort, libxl will start QEMU as root.
>
>
> -Please note that running QEMU as non-root causes migration and PCI
> -passthrough not to work properly.
> +Please note that running QEMU as non-root causes several features like migration and
> +PCI passthrough to not work properly and may prevent the guest from booting.
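Review bot: The first added line in this hunk is over 80 columns and is wrapped differently from the same sentence in docs/man/xl.cfg.pod.5. Suggest re-wrapping it to break after "features like", as the man page hunk does. Since the context line above reads "As a last resort, libxl will start QEMU as root", this file is also the natural place to mention that the fallback is only reported at debug log level once the libxl_dm.c change in this patch is applied.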
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index 4aff323a..4248f4c 100644
> --- a/tools/libxl/libxl_dm.c
> +++ b/tools/libxl/libxl_dm.c
> @@ -1482,7 +1482,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
> }
>
> user = NULL;
> - LOG(WARN, "Could not find user %s, starting QEMU as root",
> + LOG(DEBUG, "Could not find user %s, starting QEMU as root",
> LIBXL_QEMU_USER_SHARED);
>
> end_search:
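Review bot: Lowering this LOG call from WARN to DEBUG makes the fallback to root silent unless debug logging is enabled, so an administrator who did set up a deprivileged user but got the name wrong gets no indication that QEMU ended up running as root. Consider an intermediate level instead of DEBUG, or keep the level and reword the message so it does not read as a recommendation. The message also names only LIBXL_QEMU_USER_SHARED, although the man page text in this patch lists xen-qemuuser-domid$domid as an earlier candidate; if both were searched, the message should say so.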
> --
> Anthony PERARD
>