From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jim Fehlig <jfehlig@suse.com>
Subject: Re: [PATCH v2] run QEMU as non-root
Date: Fri, 15 May 2015 11:58:30 -0600
Message-ID: <555633C6.6080007@suse.com>
References: <1431690240-15873-1-git-send-email-stefano.stabellini@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1431690240-15873-1-git-send-email-stefano.stabellini@eu.citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: ian.jackson@eu.citrix.com, xen-devel@lists.xensource.com, wei.liu2@citrix.com, ian.campbell@citrix.com
List-Id: xen-devel@lists.xenproject.org

Stefano Stabellini wrote:
> Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
> domid, finally "xen-qemudepriv-shared" and root if everything else fails.
>
> The uids need to be manually created by the user or, more likely, by the
> xen package maintainer.
>   

FYI, the libvirt qemu driver supports specifying a global uid:gid for
qemu processes in /etc/libvirt/qemu.conf.  The uid:gid can also be tuned
per-domain with something like

  <seclabel type='static' model='dac' relabel='yes'>
    <label>uid:gid</label>
  </seclabel>

The model is a bit different in Xen where only the associated qemu (not
the entire domain) would be running as uid:gid, so I'm not sure if this
is something you want to expose through libxl.

Regards,
Jim