[elbe-devel] [PATCH] init: attach open filedescriptors to init domain
Thomas Weißschuh
thomas.weissschuh at linutronix.de
Tue Feb 6 10:38:43 CET 2024
libvirt can access the disk file through these open filedescriptors.
This removes the need for libvirt to have direct access to the file
which may require loosened permissions on a users homedirectory.
Especially since Debian bookworm the default permissions of home
directories prevent such a direct access from libvirt.
Fixes #391
Signed-off-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
---
elbepack/init/libvirt.xml.mako | 8 +++++++-
elbepack/initvmaction.py | 19 +++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/elbepack/init/libvirt.xml.mako b/elbepack/init/libvirt.xml.mako
index 6ef22f63..dacd5399 100644
--- a/elbepack/init/libvirt.xml.mako
+++ b/elbepack/init/libvirt.xml.mako
@@ -23,6 +23,7 @@ memory = size_to_int(prj.text('mem', default=defs, key='mem')) // 1024
imagetype = prj.text('img', default=defs, key='img')
img = os.path.join(opt.directory, 'initvm.img')
+img_base = os.path.join(opt.directory, 'initvm-base.img')
emulator = shutil.which(prj.text('interpreter', default=defs, key='interpreter'))
nicmac = prj.text('buildimage/NIC/MAC', default=defs, key='nicmac')
@@ -70,8 +71,13 @@ xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
<memballoon model='none' />
<disk type='file' device='disk'>
<driver name='qemu' type='${imagetype}' />
- <source file='${img}' />
+ <source file='${img}' fdgroup='initvm.img' />
<target dev='vda' bus='virtio' />
+ <backingStore type='file'>
+ <format type='qcow2'/>
+ <source file='${img_base}' fdgroup='initvm-base.img'/>
+ <backingStore/>
+ </backingStore>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07'
function='0x0' />
</disk>
diff --git a/elbepack/initvmaction.py b/elbepack/initvmaction.py
index 412fe393..b4a37874 100644
--- a/elbepack/initvmaction.py
+++ b/elbepack/initvmaction.py
@@ -153,6 +153,23 @@ class StartAction(InitVMAction):
def __init__(self, node):
InitVMAction.__init__(self, node)
+ def _attach_disk_fds(self, _initvmdir):
+ # libvirt does not necessarily have permissions to directly access the
+ # image file. libvirt 9.0 provides FDAssociate() to pass an open file
+ # descriptor to libvirt which is used to access files via the context
+ # of the client, which has permissions.
+
+ if not hasattr(self.initvm, 'FDAssociate'):
+ return
+
+ # Use raw unmanaged FDs as libvirt will take full ownership of them.
+ self.initvm.FDAssociate('initvm.img', [
+ os.open(os.path.join(_initvmdir, "initvm.img"), os.O_RDWR),
+ ])
+ self.initvm.FDAssociate('initvm-base.img', [
+ os.open(os.path.join(_initvmdir, "initvm-base.img"), os.O_RDONLY),
+ ])
+
def execute(self, _initvmdir, _opt, _args):
import libvirt
@@ -160,6 +177,8 @@ class StartAction(InitVMAction):
print('Initvm already running.')
sys.exit(20)
elif self.initvm_state() == libvirt.VIR_DOMAIN_SHUTOFF:
+ self._attach_disk_fds(_initvmdir)
+
# Domain is shut off. Let's start it!
self.initvm.create()
# Wait five seconds for the initvm to boot
--
2.43.0
More information about the elbe-devel
mailing list