Message-ID: <52BBE59C.2020101@redhat.com>
Date: Thu, 26 Dec 2013 16:15:24 +0800
From: Fam Zheng
References: <1387555474-19751-1-git-send-email-pl@kamp.de> <52BBC1B3.3070808@redhat.com>
Subject: Re: [Qemu-devel] [PATCHv4] block: add native support for NFS
To: ronnie sahlberg
Cc: Kevin Wolf, Peter Lieven, "qemu-devel@nongnu.org", Stefan Hajnoczi

On 2013-12-26 14:10, ronnie sahlberg wrote:
> On Wed, Dec 25, 2013 at 9:42 PM, Fam Zheng wrote:
>> On 2013-12-21 00:04, Peter Lieven wrote:
>>>
>>> This patch adds native support for accessing images on NFS shares without
>>> the requirement to actually mount the entire NFS share on the host.
>>>
>>> NFS Images can simply be specified by an url of the form:
>>> nfs:////
>>>
>>> For example:
>>> qemu-img create -f qcow2 nfs://10.0.0.1/qemu-images/test.qcow2
>>>
>>> You need LibNFS from Ronnie Sahlberg available at:
>>> git://github.com/sahlberg/libnfs.git
>>> for this to work.
>>>
>>> During configure it is automatically probed for libnfs and support
>>> is enabled on-the-fly. You can forbid or enforce libnfs support
>>> with --disable-libnfs or --enable-libnfs respectively.
>>>
>>> Due to NFS restrictions you might need to execute your binaries
>>> as root, allow them to open privileged ports (<1024) or specify
>>> insecure option on the NFS server.
>>>
>>
>> What are the error messages like, if no privilege. Is root always required
>> for this to work?
>
> NFS servers often default to only allow client connections that
> originate from a system port.
> I know three different ways to solve this:
>
> 1, Run QEMU as root, which allows libnfs to bind to a system port.
> This is probably suboptimal since I guess most people would want to
> avoid running qemu as root if they can avoid it.
>
> 2, Change the NFS server to allow connections from nonsystem ports. On
> linux NFS servers this is done by adding
> "insecure" as the export option in /etc/exports.
> This may be preferable to option 1 (since secure/insecure does not
> really add much security in the first place).
>
> 3, Assign the capability to qemu to bind to system ports when running
> as non-root user.
> This is probably the most attractive option of the three.
> You can still run qemu as non-root and you don't have to change the
> security mode on the NFS server.
> It is highly non-portable though and only works on platforms that
> provide capabilities.
> On linux you add this capability using :
> sudo setcap 'cap_net_bind_service=+ep' /path/to/executable
>
>

Thank you very much for elaboration, Ronnie. It's clear to me now and
hopefully this can help users with their setup too.

Fam
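
An added example, not part of the original thread and not QEMU or libnfs code: a small Linux-only C check that reads the CapEff mask from /proc/<pid>/status text and tells apart the three setups listed in the quoted reply (no reserved-port bind, bind capability only, broader privilege such as root). The status excerpts are constructed samples, and the names parse_capeff, classify and SAMPLES are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* CAP_NET_BIND_SERVICE in <linux/capability.h> */
enum bind_priv { PRIV_NONE, PRIV_BIND_ONLY, PRIV_BROAD };

static const char *const SAMPLES[] = {          /* constructed status excerpts */
    "Name:\tqemu\nCapEff:\t0000000000000000\n", /* plain unprivileged user */
    "Name:\tqemu\nCapEff:\t0000000000000400\n", /* after setcap cap_net_bind_service=+ep */
    "Name:\tqemu\nCapEff:\t000001ffffffffff\n", /* running as root */
};

/* Extract the effective capability mask; returns 0 on success, -1 if absent. */
static int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (!p) return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);   /* skips the tab, parses the hex mask */
    return end == p ? -1 : 0;
}

/* Least-privilege check: is the bind capability held, and is it the only one? */
static enum bind_priv classify(uint64_t mask)
{
    uint64_t bind = UINT64_C(1) << CAP_NET_BIND_SERVICE_BIT;
    if (!(mask & bind)) return PRIV_NONE;
    return (mask & ~bind) ? PRIV_BROAD : PRIV_BIND_ONLY;
}

int main(int argc, char **argv)
{
    static const char *const verdict[] = { "cannot bind ports <1024 (server needs 'insecure')",
        "can bind ports <1024 and holds no other capability",
        "can bind ports <1024 and holds further capabilities (e.g. root)" };
    static char buf[8192];
    uint64_t mask;
    FILE *f = argc > 1 ? fopen(argv[1], "r") : NULL; /* e.g. /proc/<pid>/status */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    buf[n] = '\0';
    if (f) fclose(f);
    for (int i = 0; i < 4; i++)      /* three samples, then the file if one was read */
        if (parse_capeff(i < 3 ? SAMPLES[i] : buf, &mask) == 0)
            printf("%s: %s\n", i < 3 ? "sample" : argv[1], verdict[classify(mask)]);
    return 0;
}
```

Passing the status file of a running qemu process as the first argument classifies that process after the three samples.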