Re: [Xen-devel] [PATCH v10] run QEMU as non-root
On Wed, Mar 14, 2018 at 02:49:37PM +0000, George Dunlap wrote: > On Thu, Nov 5, 2015 at 12:47 PM, Stefano Stabellini > <stefano.stabellini@xxxxxxxxxxxxx> wrote: > > diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt > > new file mode 100644 > > index 0000000..dde74ab > > --- /dev/null > > +++ b/docs/misc/qemu-deprivilege.txt 
> > @@ -0,0 +1,31 @@ > > +For security reasons, libxl tries to pass a non-root username to QEMU as > > +argument. During initialization QEMU calls setuid and setgid with the > > +user ID and the group ID of the user passed as argument. > > +Libxl looks for the following users in this order: > > + > > +1) a user named "xen-qemuuser-domid$domid", > > +Where $domid is the domid of the domain being created. > > +This requires the reservation of 65535 uids from xen-qemuuser-domid1 > > +to xen-qemuuser-domid65535. To use this mechanism, you might want to > > +create a large number of users at installation time. For example: > > + > > +for ((i=1; i<65536; i++)) > > +do > > + adduser --no-create-home --system xen-qemuuser-domid$i > > +done > > This fails for me after a few hundred uids: > > adduser: No UID is available in the range 100-999 (FIRST_SYS_UID - > LAST_SYS_UID). > adduser: The user `xen-qemuuser-domid892' was not created. > adduser: No UID is available in the range 100-999 (FIRST_SYS_UID - > LAST_SYS_UID). > adduser: The user `xen-qemuuser-domid893' was not created. > adduser: No UID is available in the range 100-999 (FIRST_SYS_UID - > LAST_SYS_UID). > adduser: The user `xen-qemuuser-domid894' was not created. > > It looks like even if --system were omitted, this would fail on a > normal system, as the default UID range looks to be [1000,29999]. > > Also, on my test box a single 'adduser' takes about 1 second, meaning > just doing up to the normal number of domains (around 32k) would take > 9 hours or so; is that really a practical suggestion? Using systemd, it's a bit faster: for ((i=1; i<5000; i++)); do echo "u xen-qemuuser-domid$i -" >> /etc/sysusers.d/xen-qemu-depriv.conf; done $ time systemd-sysusers xen-qemu-depriv.conf systemd-sysusers xen-qemu-depriv.conf 1.19s user 1.71s system 45% cpu 6.351 total but that also fails to create user xen-qemuuser-domid940 and the following. And uid for all new users was < 1000. 
That works better if you start my little script here with:

    echo "r - 2000-9000" >> /etc/sysusers.d/xen-qemu-depriv.conf

    # for 5000 uid:
    systemd-sysusers xen-qemu-depriv.conf  2.29s user 3.54s system 47% cpu 12.237 total

George, if you read the manual for dm_restrict, the first option
presented is to create a single userid that is the start of a range of
uid to use:

> Ideally, set aside a range of 32752 uids (from N to N+32751) and
> create a user whose name is xen-qemuuser-range-base and whose uid is N
> and whose gid is a plain unprivileged gid. libxl will use one such
> user for each domid.

Which works fine.

-- 
Anthony PERARD
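Review bot: The adduser loop under option 1) never says which uid range the 65535 accounts are supposed to come from, so "adduser --no-create-home --system" draws from the distribution's system range; the adduser errors quoted in the reply show that range (100-999) running out after a few hundred accounts. The text should tell the administrator to reserve a dedicated uid range before running the loop and should mention how long creating that many accounts takes, or present the loop only as a fallback. Minor: "Where $domid is the domid" continues the previous line and should start with a lowercase "where".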
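A pre-flight check for the xen-qemuuser-range-base scheme quoted above, as an added example that is not part of the thread or of libxl: it reads passwd-format data and reports any account whose uid falls inside the 32752-uid window the manual asks you to set aside. The function name and the sample passwd entries are constructed for illustration, and the mapping "uid for a domain = base uid + domid" is an assumption based on the quoted manual text.

```bash
#!/usr/bin/env bash
# Added example: verify that the uid window reserved for libxl's
# xen-qemuuser-range-base scheme is really unused.
# Assumption: the uid for a domain is base uid + domid, so the window
# is N .. N+32751 as described in the quoted manual text.

RANGE_SIZE=32752   # number of uids the manual says to set aside

# check_qemu_uid_range PASSWD_FILE
# Prints "ok N-M" on success, or one "collision NAME UID" line per
# account inside the window. Returns 0 = ok, 1 = collisions,
# 2 = base user missing, 3 = base uid is root.
check_qemu_uid_range() {
    awk -F: -v size="$RANGE_SIZE" '
        $1 == "xen-qemuuser-range-base" { base = $3; found = 1 }
        { name[NR] = $1; uid[NR] = $3 }
        END {
            if (!found) { print "missing xen-qemuuser-range-base"; exit 2 }
            if (base + 0 == 0) { print "base uid must not be 0"; exit 3 }
            last = base + size - 1
            for (i = 1; i <= NR; i++)
                if (name[i] != "xen-qemuuser-range-base" &&
                    uid[i] + 0 >= base + 0 && uid[i] + 0 <= last) {
                    print "collision", name[i], uid[i]; bad = 1
                }
            if (bad) exit 1
            print "ok " base "-" last
        }' "$1"
}

# Constructed sample passwd entries (not from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
xen-qemuuser-range-base:x:131072:998::/nonexistent:/usr/sbin/nologin
backup-svc:x:140000:140000::/nonexistent:/usr/sbin/nologin
EOF
check_qemu_uid_range "$sample" || true
```

On a real host, feed it the output of `getent passwd` saved to a file so that accounts from LDAP or other NSS sources are included. A collision matters because a QEMU process for one domain would then share a uid with an unrelated account.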