From: Fam Zheng <famz@redhat.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Peter Lieven <pl@kamp.de>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [PATCHv4] block: add native support for NFS
Date: Thu, 26 Dec 2013 16:15:24 +0800
Message-ID: <52BBE59C.2020101@redhat.com>
In-Reply-To: <CAN05THRgNweD1Dm5GLppCx+V4RA=PEyxQQ+rbtZZSJVRifPkSg@mail.gmail.com>

On 2013-12-26 14:10, ronnie sahlberg wrote:
> On Wed, Dec 25, 2013 at 9:42 PM, Fam Zheng <famz@redhat.com> wrote:
>> On 2013-12-21 00:04, Peter Lieven wrote:
>>>
>>> This patch adds native support for accessing images on NFS shares without
>>> the requirement to actually mount the entire NFS share on the host.
>>>
>>> NFS Images can simply be specified by an url of the form:
>>> nfs://<host>/<export>/<filename>
>>>
>>> For example:
>>> qemu-img create -f qcow2 nfs://10.0.0.1/qemu-images/test.qcow2
>>>
>>> You need LibNFS from Ronnie Sahlberg available at:
>>> git://github.com/sahlberg/libnfs.git
>>> for this to work.
>>>
>>> During configure it is automatically probed for libnfs and support
>>> is enabled on-the-fly. You can forbid or enforce libnfs support
>>> with --disable-libnfs or --enable-libnfs respectively.
>>>
>>> Due to NFS restrictions you might need to execute your binaries
>>> as root, allow them to open privileged ports (<1024) or specify
>>> insecure option on the NFS server.
>>>
>>
>> What are the error messages like if there is no privilege? Is root always required
>> for this to work?
>
> NFS servers often default to only allow client connections that
> originate from a system port.
> I know three different ways to solve this:
>
> 1, Run QEMU as root, which allows libnfs to bind to a system port.
> This is probably suboptimal since I guess most people would want to
> avoid running qemu as root if they can avoid it.
>
> 2, Change the NFS server to allow connections from nonsystem ports. On
> linux NFS servers this is done by adding
> "insecure" as the export option in /etc/exports.
> This may be preferable to option 1 (since secure/insecure does not
> really add much security in the first place).
>
> 3, Assign the capability to qemu to bind to system ports when running
> as non-root user.
> This is probably the most attractive option of the three.
> You can still run qemu as non-root and you don't have to change the
> security mode on the NFS server.
> It is highly non-portable though and only works on platforms that
> provide capabilities.
> On linux you add this capability using:
> sudo setcap 'cap_net_bind_service=+ep' /path/to/executable
>
>
Thank you very much for the elaboration, Ronnie. It's clear to me now and
hopefully this can help users with their setup too.
Fam
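
Added example, not part of the original thread or of QEMU/libnfs: a shell function for the NFS server side of option 2 above, listing for each export and client whether a privileged source port is still required ("secure", the exports(5) default) or has been relaxed with "insecure". It assumes simple exports lines (no quoted paths, no backslash continuations); the function name audit_exports is hypothetical.

```shell
#!/bin/sh
# Added example: report, per export and client, whether the Linux NFS server
# requires a privileged source port ("secure", the default) or not ("insecure").
# Assumes simple exports(5) lines: no quoted paths, no line continuations.
audit_exports() {
    awk '
    {
        sub(/#.*/, "")              # strip comments
        if (NF < 1) next            # skip blank lines
        path = $1
        defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) {        # "-opt1,opt2" sets defaults for later clients on this line
                defaults = substr($i, 2)
                continue
            }
            client = $i
            opts = defaults
            p = index($i, "(")
            if (p > 0) {            # client(opt1,opt2): per-client options
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*/, "", opts)
                if (defaults != "") opts = defaults "," opts
            }
            if (client == "") client = "*"   # "(opts)" alone applies to any client
            mode = "secure"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {       # the last secure/insecure keyword wins
                if (o[j] == "insecure") mode = "insecure"
                else if (o[j] == "secure") mode = "secure"
            }
            print path, client, mode
        }
    }' "$1"
}
```

Call it as `audit_exports /etc/exports` on the NFS server; each output line is `path client secure|insecure`.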