* [PATCH] docs: Fix device_model_user description of its default value
@ 2016-05-20 15:48 Anthony PERARD
2016-05-20 16:34 ` Ian Jackson
2016-05-23 11:35 ` [PATCH] libxl: Do not warn about non existing user for the device model Anthony PERARD
0 siblings, 2 replies; 11+ messages in thread
From: Anthony PERARD @ 2016-05-20 15:48 UTC (permalink / raw)
To: xen-devel; +Cc: Anthony PERARD, Wei Liu, Ian Jackson
docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
the default prefix, reflect that in the man.
Also add some emphasis.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
docs/man/xl.cfg.pod.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
index a4cc1b3..accd9b4 100644
--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -1952,7 +1952,7 @@ option to the device-model.
=item B<device_model_user="username">
Run the device model as user "username", instead of
-xen-qemudepriv-domid$domid or xen-qemudepriv-shared or root.
+B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
Please note that running QEMU as non-root causes migration and PCI
passthrough not to work properly.
--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] docs: Fix device_model_user description of its default value
2016-05-20 15:48 [PATCH] docs: Fix device_model_user description of its default value Anthony PERARD
@ 2016-05-20 16:34 ` Ian Jackson
2016-05-20 16:40 ` Andrew Cooper
2016-05-20 16:48 ` Anthony PERARD
2016-05-23 11:35 ` [PATCH] libxl: Do not warn about non existing user for the device model Anthony PERARD
1 sibling, 2 replies; 11+ messages in thread
From: Ian Jackson @ 2016-05-20 16:34 UTC (permalink / raw)
To: Anthony PERARD; +Cc: Wei Liu, xen-devel
Anthony PERARD writes ("[PATCH] docs: Fix device_model_user description of its default value"):
> docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
> the default prefix, reflect that in the man.
>
> Also add some emphasis.
I'm going to make a perhaps-controversial suggestion:
This feature should be deprecated for 4.7. Specifically,
- the warning about running qemu as root should go away
- the docs should mention that running qemu not as root
may well break things
Right now, the privsep is not finished and I think trying to run qemu
as non-root won't (usually) actually work.
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] docs: Fix device_model_user description of its default value
2016-05-20 16:34 ` Ian Jackson
@ 2016-05-20 16:40 ` Andrew Cooper
2016-05-20 16:48 ` Anthony PERARD
1 sibling, 0 replies; 11+ messages in thread
From: Andrew Cooper @ 2016-05-20 16:40 UTC (permalink / raw)
To: Ian Jackson, Anthony PERARD; +Cc: Wei Liu, xen-devel
On 20/05/16 17:34, Ian Jackson wrote:
> Anthony PERARD writes ("[PATCH] docs: Fix device_model_user description of its default value"):
>> docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
>> the default prefix, reflect that in the man.
>>
>> Also add some emphasis.
> I'm going to make a perhaps-controversial suggestion:
>
> This feature should be deprecated for 4.7. Specifically,
> - the warning about running qemu as root should go away
> - the docs should mention that running qemu not as root
> may well break things
Definitely does break migration (as reported back around Christmas).
Probably breaks other things.
The warning is definitely annoying, and not helpful.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] docs: Fix device_model_user description of its default value
2016-05-20 16:34 ` Ian Jackson
2016-05-20 16:40 ` Andrew Cooper
@ 2016-05-20 16:48 ` Anthony PERARD
2016-05-20 16:53 ` Wei Liu
1 sibling, 1 reply; 11+ messages in thread
From: Anthony PERARD @ 2016-05-20 16:48 UTC (permalink / raw)
To: Ian Jackson; +Cc: Wei Liu, xen-devel
On Fri, May 20, 2016 at 05:34:10PM +0100, Ian Jackson wrote:
> Anthony PERARD writes ("[PATCH] docs: Fix device_model_user description of its default value"):
> > docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
> > the default prefix, reflect that in the man.
> >
> > Also add some emphasis.
>
> I'm going to make a perhaps-controversial suggestion:
>
> This feature should be deprecated for 4.7. Specifically,
> - the warning about running qemu as root should go away
> - the docs should mention that running qemu not as root
> may well break things
Yes. The doc bearly mention an issue with migration and pci passthrough.
I could boot a guest, but shutdown did not work.
> Right now, the privsep is not finished and I think trying to run qemu
> as non-root won't (usually) actually work.
>
> Ian.
--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] docs: Fix device_model_user description of its default value
2016-05-20 16:48 ` Anthony PERARD
@ 2016-05-20 16:53 ` Wei Liu
2016-05-23 11:21 ` George Dunlap
0 siblings, 1 reply; 11+ messages in thread
From: Wei Liu @ 2016-05-20 16:53 UTC (permalink / raw)
To: Anthony PERARD; +Cc: Wei Liu, Ian Jackson, xen-devel
On Fri, May 20, 2016 at 05:48:37PM +0100, Anthony PERARD wrote:
> On Fri, May 20, 2016 at 05:34:10PM +0100, Ian Jackson wrote:
> > Anthony PERARD writes ("[PATCH] docs: Fix device_model_user description of its default value"):
> > > docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
> > > the default prefix, reflect that in the man.
> > >
> > > Also add some emphasis.
> >
> > I'm going to make a perhaps-controversial suggestion:
> >
> > This feature should be deprecated for 4.7. Specifically,
> > - the warning about running qemu as root should go away
> > - the docs should mention that running qemu not as root
> > may well break things
>
> Yes. The doc bearly mention an issue with migration and pci passthrough.
> I could boot a guest, but shutdown did not work.
>
So I guess we should just remove relevant manpage sections? The code can
be left as-is so that we can develop this thing further.
Wei.
> > Right now, the privsep is not finished and I think trying to run qemu
> > as non-root won't (usually) actually work.
> >
> > Ian.
>
> --
> Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] docs: Fix device_model_user description of its default value
2016-05-20 16:53 ` Wei Liu
@ 2016-05-23 11:21 ` George Dunlap
0 siblings, 0 replies; 11+ messages in thread
From: George Dunlap @ 2016-05-23 11:21 UTC (permalink / raw)
To: Wei Liu; +Cc: Anthony PERARD, Ian Jackson, xen-devel
On Fri, May 20, 2016 at 5:53 PM, Wei Liu <wei.liu2@citrix.com> wrote:
> On Fri, May 20, 2016 at 05:48:37PM +0100, Anthony PERARD wrote:
>> On Fri, May 20, 2016 at 05:34:10PM +0100, Ian Jackson wrote:
>> > Anthony PERARD writes ("[PATCH] docs: Fix device_model_user description of its default value"):
>> > > docs/misc/qemu-deprivilege.txt and libxl suggest that "xen-qemuuser" is
>> > > the default prefix, reflect that in the man.
>> > >
>> > > Also add some emphasis.
>> >
>> > I'm going to make a perhaps-controversial suggestion:
>> >
>> > This feature should be deprecated for 4.7. Specifically,
>> > - the warning about running qemu as root should go away
>> > - the docs should mention that running qemu not as root
>> > may well break things
>>
>> Yes. The doc bearly mention an issue with migration and pci passthrough.
>> I could boot a guest, but shutdown did not work.
>>
>
> So I guess we should just remove relevant manpage sections? The code can
> be left as-is so that we can develop this thing further.
I agree that if we're not going to actually recommend people use this
feature yet that the warning should go away.
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH] libxl: Do not warn about non existing user for the device model
2016-05-20 15:48 [PATCH] docs: Fix device_model_user description of its default value Anthony PERARD
2016-05-20 16:34 ` Ian Jackson
@ 2016-05-23 11:35 ` Anthony PERARD
2016-05-23 11:57 ` Wei Liu
1 sibling, 1 reply; 11+ messages in thread
From: Anthony PERARD @ 2016-05-23 11:35 UTC (permalink / raw)
To: xen-devel; +Cc: Anthony PERARD, Wei Liu, Ian Jackson
Running QEMU as non-root user is not ready yet, so avoid avertising it
with a warning.
Also improve the doc to include more potential issue with running QEMU
as non-root.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
docs/man/xl.cfg.pod.5 | 5 +++--
docs/misc/qemu-deprivilege.txt | 4 ++--
tools/libxl/libxl_dm.c | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
index accd9b4..8a4f4c5 100644
--- a/docs/man/xl.cfg.pod.5
+++ b/docs/man/xl.cfg.pod.5
@@ -1953,8 +1953,9 @@ option to the device-model.
Run the device model as user "username", instead of
B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
-Please note that running QEMU as non-root causes migration and PCI
-passthrough not to work properly.
+Please note that running QEMU as non-root causes several features like
+migration and PCI passthrough to not work properly and may prevent the guest
+from booting.
=back
diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt
index 879a98e..7751194 100644
--- a/docs/misc/qemu-deprivilege.txt
+++ b/docs/misc/qemu-deprivilege.txt
@@ -31,5 +31,5 @@ adduser --no-create-home --system xen-qemuuser-shared
As a last resort, libxl will start QEMU as root.
-Please note that running QEMU as non-root causes migration and PCI
-passthrough not to work properly.
+Please note that running QEMU as non-root causes several features like migration and
+PCI passthrough to not work properly and may prevent the guest from booting.
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 4aff323a..4248f4c 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1482,7 +1482,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
}
user = NULL;
- LOG(WARN, "Could not find user %s, starting QEMU as root",
+ LOG(DEBUG, "Could not find user %s, starting QEMU as root",
LIBXL_QEMU_USER_SHARED);
end_search:
--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] libxl: Do not warn about non existing user for the device model
2016-05-23 11:35 ` [PATCH] libxl: Do not warn about non existing user for the device model Anthony PERARD
@ 2016-05-23 11:57 ` Wei Liu
2016-05-23 14:09 ` Anthony PERARD
0 siblings, 1 reply; 11+ messages in thread
From: Wei Liu @ 2016-05-23 11:57 UTC (permalink / raw)
To: Anthony PERARD; +Cc: Wei Liu, Ian Jackson, xen-devel
On Mon, May 23, 2016 at 12:35:02PM +0100, Anthony PERARD wrote:
> Running QEMU as non-root user is not ready yet, so avoid avertising it
> with a warning.
>
> Also improve the doc to include more potential issue with running QEMU
> as non-root.
>
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
> docs/man/xl.cfg.pod.5 | 5 +++--
> docs/misc/qemu-deprivilege.txt | 4 ++--
> tools/libxl/libxl_dm.c | 2 +-
> 3 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> index accd9b4..8a4f4c5 100644
> --- a/docs/man/xl.cfg.pod.5
> +++ b/docs/man/xl.cfg.pod.5
> @@ -1953,8 +1953,9 @@ option to the device-model.
>
> Run the device model as user "username", instead of
> B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
> -Please note that running QEMU as non-root causes migration and PCI
> -passthrough not to work properly.
> +Please note that running QEMU as non-root causes several features like
> +migration and PCI passthrough to not work properly and may prevent the guest
> +from booting.
>
What is not clear is that whether using this option would buy the user
anything security-wise. If it doesn't improve security but only break
things we should probably remove it from man page all together.
Just my 2 cents.
Wei.
> =back
>
> diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt
> index 879a98e..7751194 100644
> --- a/docs/misc/qemu-deprivilege.txt
> +++ b/docs/misc/qemu-deprivilege.txt
> @@ -31,5 +31,5 @@ adduser --no-create-home --system xen-qemuuser-shared
> As a last resort, libxl will start QEMU as root.
>
>
> -Please note that running QEMU as non-root causes migration and PCI
> -passthrough not to work properly.
> +Please note that running QEMU as non-root causes several features like migration and
> +PCI passthrough to not work properly and may prevent the guest from booting.
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index 4aff323a..4248f4c 100644
> --- a/tools/libxl/libxl_dm.c
> +++ b/tools/libxl/libxl_dm.c
> @@ -1482,7 +1482,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
> }
>
> user = NULL;
> - LOG(WARN, "Could not find user %s, starting QEMU as root",
> + LOG(DEBUG, "Could not find user %s, starting QEMU as root",
> LIBXL_QEMU_USER_SHARED);
>
> end_search:
> --
> Anthony PERARD
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] libxl: Do not warn about non existing user for the device model
2016-05-23 11:57 ` Wei Liu
@ 2016-05-23 14:09 ` Anthony PERARD
2016-05-23 14:14 ` Wei Liu
0 siblings, 1 reply; 11+ messages in thread
From: Anthony PERARD @ 2016-05-23 14:09 UTC (permalink / raw)
To: Wei Liu; +Cc: Ian Jackson, xen-devel
On Mon, May 23, 2016 at 12:57:26PM +0100, Wei Liu wrote:
> On Mon, May 23, 2016 at 12:35:02PM +0100, Anthony PERARD wrote:
> > Running QEMU as non-root user is not ready yet, so avoid avertising it
> > with a warning.
> >
> > Also improve the doc to include more potential issue with running QEMU
> > as non-root.
> >
> > Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> > ---
> > docs/man/xl.cfg.pod.5 | 5 +++--
> > docs/misc/qemu-deprivilege.txt | 4 ++--
> > tools/libxl/libxl_dm.c | 2 +-
> > 3 files changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> > index accd9b4..8a4f4c5 100644
> > --- a/docs/man/xl.cfg.pod.5
> > +++ b/docs/man/xl.cfg.pod.5
> > @@ -1953,8 +1953,9 @@ option to the device-model.
> >
> > Run the device model as user "username", instead of
> > B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
> > -Please note that running QEMU as non-root causes migration and PCI
> > -passthrough not to work properly.
> > +Please note that running QEMU as non-root causes several features like
> > +migration and PCI passthrough to not work properly and may prevent the guest
> > +from booting.
> >
>
> What is not clear is that whether using this option would buy the user
> anything security-wise. If it doesn't improve security but only break
> things we should probably remove it from man page all together.
If having undocumented config options is fine, then I guess we can
remove this from the man.
--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] libxl: Do not warn about non existing user for the device model
2016-05-23 14:09 ` Anthony PERARD
@ 2016-05-23 14:14 ` Wei Liu
2016-05-23 15:49 ` Ian Jackson
0 siblings, 1 reply; 11+ messages in thread
From: Wei Liu @ 2016-05-23 14:14 UTC (permalink / raw)
To: Anthony PERARD; +Cc: Ian Jackson, Wei Liu, xen-devel
On Mon, May 23, 2016 at 03:09:17PM +0100, Anthony PERARD wrote:
> On Mon, May 23, 2016 at 12:57:26PM +0100, Wei Liu wrote:
> > On Mon, May 23, 2016 at 12:35:02PM +0100, Anthony PERARD wrote:
> > > Running QEMU as non-root user is not ready yet, so avoid avertising it
> > > with a warning.
> > >
> > > Also improve the doc to include more potential issue with running QEMU
> > > as non-root.
> > >
> > > Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> > > ---
> > > docs/man/xl.cfg.pod.5 | 5 +++--
> > > docs/misc/qemu-deprivilege.txt | 4 ++--
> > > tools/libxl/libxl_dm.c | 2 +-
> > > 3 files changed, 6 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> > > index accd9b4..8a4f4c5 100644
> > > --- a/docs/man/xl.cfg.pod.5
> > > +++ b/docs/man/xl.cfg.pod.5
> > > @@ -1953,8 +1953,9 @@ option to the device-model.
> > >
> > > Run the device model as user "username", instead of
> > > B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
> > > -Please note that running QEMU as non-root causes migration and PCI
> > > -passthrough not to work properly.
> > > +Please note that running QEMU as non-root causes several features like
> > > +migration and PCI passthrough to not work properly and may prevent the guest
> > > +from booting.
> > >
> >
> > What is not clear is that whether using this option would buy the user
> > anything security-wise. If it doesn't improve security but only break
> > things we should probably remove it from man page all together.
>
> If having undocumented config options is fine, then I guess we can
> remove this from the man.
>
I would say it is OK to have some WIP options to go undocumented --
because you don't want users to use them anyway.
Another way is to state explicitly in manpage that people should not use
this option because it doesn't provide extra security at this stage.
Ian, do you have any opinion on this?
Wei.
> --
> Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] libxl: Do not warn about non existing user for the device model
2016-05-23 14:14 ` Wei Liu
@ 2016-05-23 15:49 ` Ian Jackson
0 siblings, 0 replies; 11+ messages in thread
From: Ian Jackson @ 2016-05-23 15:49 UTC (permalink / raw)
To: Wei Liu; +Cc: Anthony PERARD, xen-devel
Wei Liu writes ("Re: [PATCH] libxl: Do not warn about non existing user for the device model"):
> I would say it is OK to have some WIP options to go undocumented --
> because you don't want users to use them anyway.
I agree.
> Another way is to state explicitly in manpage that people should not use
> this option because it doesn't provide extra security at this stage.
>
> Ian, do you have any opinion on this?
Either is fine by me.
If the option goes undocumented it ought to have a note in the IDL or
whereever saying not to use it.
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2016-05-23 15:49 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-20 15:48 [PATCH] docs: Fix device_model_user description of its default value Anthony PERARD
2016-05-20 16:34 ` Ian Jackson
2016-05-20 16:40 ` Andrew Cooper
2016-05-20 16:48 ` Anthony PERARD
2016-05-20 16:53 ` Wei Liu
2016-05-23 11:21 ` George Dunlap
2016-05-23 11:35 ` [PATCH] libxl: Do not warn about non existing user for the device model Anthony PERARD
2016-05-23 11:57 ` Wei Liu
2016-05-23 14:09 ` Anthony PERARD
2016-05-23 14:14 ` Wei Liu
2016-05-23 15:49 ` Ian Jackson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.