From: Marcus Furlong
Date: Tue, 15 Oct 2019 17:07:19 +0100
Subject: Re: [libvirt] Fwd: libvirtd failing on MacOS in setgroups
To: Bruno Haible
Cc: libvir-list@redhat.com, bug-gnulib@gnu.org, Roman Bolshakov, Daniel P. Berrangé, Eric Blake

On Mon, 30 Sep 2019 at 21:05, Bruno Haible wrote:
>
> Daniel P. Berrangé wrote:
> > > For what purpose is libvirt or QEMU using setgroups()? What goes wrong if
> > > setgroups() fails?

On macOS, as far as I can see, everything works as expected without
it. So not sure if it's actually needed?

> > QEMU potentially needs access to files owned by a supplementary group.
> > On Linux for example, /dev/kvm is often owned by 'kvm' group, but the
> > 'qemu' user on Fedora has 'qemu' group as its primary group. So QEMU
> > would be unable to open /dev/kvm without the setgroups call to set up
> > supplementary groups.
>
> Ah, it's libvirt which calls setgroups and qemu which needs the groups.
> Then my suggested workaround that consists of overriding setgroups() and
> open() won't work.
>
> > > - Is using the first 16 groups and ignoring the extra ones an acceptable
> > > solution?
> >
> > Certainly that's better than just ignoring groups entirely, as it will
> > work for many more cases, even if not perfect.
>
> Hmm. If the group of /dev/kvm comes at 17th group, it will still not work.
> I.e. it will be unreliable.
>
> Then, how about if libvirt collects the set of groups that qemu might need
> for accessing devices (surely less than 16), then fills up the remaining
> up to 16 slots with secondary groups? Admittedly it makes qemu less
> self-contained. But given that setgroups() works only for root on macOS [1]
> I see no better way.

Note that /dev/kvm is for linux and does not exist on macOS.
Unless we identify specific devices on macOS that qemu requires access to,
then something like the following might work?

https://github.com/furlongm/libvirt/commit/01a1d3d0e37c7f81a04da2e9707ac1c39f4642b9

Seems to work correctly for me (virsh capabilities now returns the
correct output, and VMs run).

-- 
Marcus Furlong
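
The suggestion quoted in the message above (put the groups the child is known to need first, then fill the remaining slots up to the 16-group cap with other secondary groups) is sketched below as an added example; it is not code from libvirt, gnulib or the linked commit. The function names, the GROUP_CAP constant and the sample GIDs are hypothetical.

```c
#include <stddef.h>
#include <sys/types.h>

#define GROUP_CAP 16  /* limit discussed in the thread; an assumption here */

/* Return 1 if gid is already present in list[0..n). */
static int has_gid(const gid_t *list, size_t n, gid_t gid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Hypothetical helper: required groups first, then secondary groups in
 * order until `cap` is reached, no duplicates. Returns the count written
 * to `out`, or -1 if the required groups alone exceed the cap. */
int build_capped_groups(const gid_t *required, size_t nreq,
                        const gid_t *secondary, size_t nsec,
                        gid_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nreq; i++) {
        if (has_gid(out, n, required[i]))
            continue;
        if (n == cap)
            return -1;
        out[n++] = required[i];
    }
    for (size_t i = 0; i < nsec && n < cap; i++)
        if (!has_gid(out, n, secondary[i]))
            out[n++] = secondary[i];
    return (int)n;
}

/* Constructed sample: 20 secondary groups (GIDs 1000..1019); the one the
 * child needs, 1016, is the 17th. Returns 1 if it survives the cap. */
int needed_group_survives(int prioritise)
{
    gid_t secondary[20], out[GROUP_CAP], needed = 1016;
    for (size_t i = 0; i < 20; i++)
        secondary[i] = (gid_t)(1000 + i);
    int n = build_capped_groups(&needed, prioritise ? 1 : 0,
                                secondary, 20, out, GROUP_CAP);
    return n > 0 && has_gid(out, (size_t)n, needed);
}
```

A caller would pass the resulting list to setgroups() and treat -1 as a hard error rather than starting the child with a required group missing.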