
Re: [Xen-devel] [PATCH v10] run QEMU as non-root



On Thu, Nov 5, 2015 at 12:47 PM, Stefano Stabellini
<stefano.stabellini@xxxxxxxxxxxxx> wrote:
> diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt
> new file mode 100644
> index 0000000..dde74ab
> --- /dev/null
> +++ b/docs/misc/qemu-deprivilege.txt
> @@ -0,0 +1,31 @@
> +For security reasons, libxl tries to pass a non-root username to QEMU as
> +argument. During initialization QEMU calls setuid and setgid with the
> +user ID and the group ID of the user passed as argument.
> +Libxl looks for the following users in this order:
> +
> +1) a user named "xen-qemuuser-domid$domid",
> +Where $domid is the domid of the domain being created.
> +This requires the reservation of 65535 uids from xen-qemuuser-domid1
> +to xen-qemuuser-domid65535. To use this mechanism, you might want to
> +create a large number of users at installation time. For example:
> +
> +for ((i=1; i<65536; i++))
> +do
> +    adduser --no-create-home --system xen-qemuuser-domid$i
> +done
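Review bot: the documented loop cannot succeed as written, because `adduser --system` allocates from the system UID range (FIRST_SYS_UID to LAST_SYS_UID, 100-999 on a default Debian install), which holds far fewer than the 65535 accounts xen-qemuuser-domid1 to xen-qemuuser-domid65535 require; the text should state the UID range requirement explicitly and either tell the administrator to widen that range in adduser.conf or show the loop passing an explicit UID from a reserved block (for example `--uid` with a base offset plus `$i`) so allocation does not depend on the distribution defaults. The loop also ignores adduser's exit status, so a run that stops part-way leaves some domids without a user and no error; checking the status and aborting would make a partial reservation visible.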

This fails for me after a few hundred uids:

adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
LAST_SYS_UID).
adduser: The user `xen-qemuuser-domid892' was not created.
adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
LAST_SYS_UID).
adduser: The user `xen-qemuuser-domid893' was not created.
adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
LAST_SYS_UID).
adduser: The user `xen-qemuuser-domid894' was not created.

It looks like even if --system were omitted, this would fail on a
normal system, as the default UID range looks to be [1000,29999].

Also, on my test box a single 'adduser' takes about 1 second, meaning
just doing up to the normal number of domains (around 32k) would take
9 hours or so; is that really a practical suggestion?

 -George
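A pre-flight check for the failure described above, as an added example that is not part of the patch or the thread: it counts the free UIDs in the configured system range before any bulk `adduser` run, parsing a constructed passwd sample so it runs offline (pass /etc/passwd on a real host) and assuming Debian's default 100-999 system range.

```shell
#!/bin/sh
# Added example, not from the patch or the mailing-list thread. Checks whether
# a passwd-format file has room for N more accounts in a given UID range, so
# the check fails up front instead of adduser failing hundreds of users in.

# Constructed sample passwd file (not from a real system): the 100-999 system
# range already has four UIDs in use.
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:100:102::/run/systemd:/usr/sbin/nologin
messagebus:x:101:103::/nonexistent:/usr/sbin/nologin
xen-qemuuser-domid1:x:102:65534::/nonexistent:/bin/false
xen-qemuuser-domid2:x:103:65534::/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# free_uids PASSWD_FILE LOW HIGH
# Prints the number of UIDs in [LOW, HIGH] that no passwd entry uses.
free_uids() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 >= lo && $3 <= hi { used[$3] = 1 }
        END { n = 0; for (u = lo; u <= hi; u++) if (!(u in used)) n++; print n }
    ' "$1"
}

# check_capacity PASSWD_FILE LOW HIGH WANTED
# Exit status 0 if WANTED new accounts fit in the range, 1 otherwise.
check_capacity() {
    avail=$(free_uids "$1" "$2" "$3")
    [ "$avail" -ge "$4" ]
}

# The documented scheme needs 65535 accounts; Debian's default system range
# 100-999 holds at most 900, so this refuses before a single adduser runs.
if check_capacity "$SAMPLE_PASSWD" 100 999 65535; then
    echo "range 100-999 can hold 65535 more accounts"
else
    echo "range 100-999 cannot hold 65535 more accounts" \
         "(free: $(free_uids "$SAMPLE_PASSWD" 100 999))"
fi
```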

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel