Features/VirtPrivileges

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Created page with '= Feature Name = Features/VirtPrivileges == Summary == Adjust privileges allowed to the libvirt management daemon and QEMU processes to improve security and features == Owner =...')
 
(minor tweaks)
Line 1: Line 1:
 
= Feature Name =
 
= Feature Name =
Features/VirtPrivileges
+
VirtPrivileges
  
 
== Summary ==
 
== Summary ==
Line 11: Line 11:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/12 | Fedora 12 ]]  
 
* Targeted release: [[Releases/12 | Fedora 12 ]]  
* Last updated: (DATE)
+
* Last updated: 2009-05-20
 
* Percentage of completion: 00%
 
* Percentage of completion: 00%
  
 
== Detailed Description ==
 
== Detailed Description ==
  
The libvirtd daemon and QEMU driver has two modes of operation. There is a single system instance per machine, that runs with root privileges, launches QEMU instances as root, can use TAP device networking for QEMU, and has full storage and network management capabilities. There are fully unprivileged instances, which run as the same UID as the user accessing the API, but have a significantly reduced level of functionality. The goals of this feature are to reduce the privileges of the system instance to improve its security, and increase the functionality of the per-user session instances to enable their use in preference to the system instance where practical.
+
The libvirtd daemon and QEMU driver has two modes of operation:
 +
 
 +
# A single system instance per machine, that runs with root privileges, launches QEMU instances as root, can use TAP device networking for QEMU, and has full storage and network management capabilities
 +
# Fully unprivileged instances, which run as the same UID as the user accessing the API, but have a significantly reduced level of functionality.
 +
 
 +
The goals of this feature are to reduce the privileges of the system instance to improve its security, and increase the functionality of the per-user session instances to enable their use in preference to the system instance where practical.
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
Line 68: Line 73:
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  
+
* See [[Talk:Features/VirtPrivileges]]  
 
+
  
 +
<!-- Category:FeatureReadyForWrangler -->
 
[[Category:FeaturePageIncomplete]]
 
[[Category:FeaturePageIncomplete]]
[[Category:F12_Virt_Features]]
+
[[Category:F12_Virt_Features|VirtPrivileges]]
<!-- When your feature page is completed and ready for review -->
+
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
+
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
+
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
+

Revision as of 10:25, 20 May 2009

Contents

Feature Name

VirtPrivileges

Summary

Adjust privileges allowed to the libvirt management daemon and QEMU processes to improve security and features

Owner

Current status

  • Targeted release: Fedora 12
  • Last updated: 2009-05-20
  • Percentage of completion: 00%

Detailed Description

The libvirtd daemon and QEMU driver has two modes of operation:

  1. A single system instance per machine, that runs with root privileges, launches QEMU instances as root, can use TAP device networking for QEMU, and has full storage and network management capabilities
  2. Fully unprivileged instances, which run as the same UID as the user accessing the API, but have a significantly reduced level of functionality.

The goals of this feature are to reduce the privileges of the system instance to improve its security, and increase the functionality of the per-user session instances to enable their use in preference to the system instance where practical.

Benefit to Fedora

Reducing the privileges of the libvirt system instance will improve the security of a critical piece of infrastructure. Increasing the functionality of the session instance, will allow more widespread usage. By reducing the scenarios in which the system instance is needed, it will also improve security, since the session instance has far less privileges. Running everything as the same user account will also allow for better desktop session integration, particularly for the sound daemon, and facilitate usage of user home directories for disk image storage.


Scope

  • libvirtd: switch from root to a less privileged 'libvirtd' account, using capabilities to maintain a sub-set of privileges required
  • libvirtd: allow specific functionality to be disabled by administrator to reduce number of capabilities that must be maintained when dropping privileges
  • libvirt QEMU: run QEMU instances as a 'kvm' or 'qemu' user ID to remove unneccessary privileges. requires chown'ing of resources to allow access while not privileged
  • qemu: add a kvm or qemu user and group ID, and use to set /dev/kvm group ownership
  • qemu: make /dev/kvm mod 666 by default to allow any user access to hardware acceleration
  • qemu: add support for passing pre-opened TAP device FD to QEMU monitor for network hotplug
  • libvirt QEMU: figure out a way to allow use of TAP devices for networking of non-root guests by non-root unprivileged libvirtd
  • virt-manager: switch to using qemu:///session by default to local desktop scenarios

How To Test

  • Verify that when using 'qemu:///system', no QEMU processes run as root
  • Verify that the 'libvirtd' daemon started from init is not running as root
  • Using qemu:///session provision a new guest, and verify that it is able to use hardware acceleration
  • Verify that when running virt-manager for first time as a new user, it defaults to qemu:///session

User Experience

All virtual machines run by virt-manager on a local desktop install will be running under their user account. All virt-manager machiens run on a server install will running as an reduced privilege system account.

Dependencies

Scope extends to at last

  • libvirt
  • qemu
  • virt-manager
  • python-virtinst


Contingency Plan

This functionality is incrementally building on existing functionality. No existing functionality will be lost, so if problems are encountered, new features can be dropped or postponed to later Fedora releases.

Documentation

Documentation will magically come into existance as the features are developed in the upstream apps

Release Notes

To be written once the new features actually exist.

Comments and Discussion