Features/VirtPrivileges

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(Release Notes)
(cleanups, ready for wrangler)
Line 2: Line 2:
  
 
== Summary ==
 
== Summary ==
Adjust privileges allowed to the libvirt management daemon and QEMU processes to improve security and features
+
 
 +
Improve security by adjusting the privileges of QEMU processes managed by libvirt. Also, allow KVM to be used by unprivileged users.
  
 
== Owner ==
 
== Owner ==
Line 37: Line 38:
  
 
== How To Test ==
 
== How To Test ==
 
XXX this is too simplistic. When capabilities are in use, user ID is not good enough check of actual privileges,cf  /proc/$PID/status CapXXX fields
 
  
 
* Verify that when using 'qemu:///system', no QEMU processes run as root
 
* Verify that when using 'qemu:///system', no QEMU processes run as root
* Verify that the 'libvirtd' daemon started from init is not running as root
+
* Verify that when using 'qemu:///session', it is possible to launch a guest using KVM
* Using qemu:///session provision a new guest, and verify that it is able to use hardware acceleration
+
 
* Verify that when running virt-manager for first time as a new user, it defaults to qemu:///session
+
'''FIXME''' this is too simplistic. When capabilities are in use, user ID is not good enough check of actual privileges,cf  /proc/$PID/status CapXXX fields
  
 
== User Experience ==
 
== User Experience ==
Line 51: Line 50:
 
== Dependencies ==
 
== Dependencies ==
  
Scope extends to at last
+
Scope of the changes are limited to libvirt and qemu.
 
+
* libvirt
+
* qemu
+
* virt-manager
+
* python-virtinst
+
 
+
  
 
== Contingency Plan ==
 
== Contingency Plan ==
Line 65: Line 58:
 
== Documentation ==
 
== Documentation ==
  
Documentation will magically come into existance as the features are developed in the upstream apps
+
* libvirt [http://www.redhat.com/archives/libvir-list/2009-July/msg00390.html patch]
  
 
== Release Notes ==
 
== Release Notes ==
Line 71: Line 64:
 
In the Fedora 12 release a couple of changes are introduced for QEMU/KVM virtual machines to improve host security in the event of a flaw in the QEMU binary.
 
In the Fedora 12 release a couple of changes are introduced for QEMU/KVM virtual machines to improve host security in the event of a flaw in the QEMU binary.
  
* /dev/kvm is now world readable & writable. This allows all users on a machine to use hardware acceleration out of the box. This means more people can use the fully unprivileged 'qemu:///session' instance of libvirt, instead of qemu:///system.
+
# /dev/kvm is now world readable & writable. This allows all users on a machine to use hardware acceleration out of the box. This means more people can use the fully unprivileged <code>qemu:///session</code> instance of libvirt, instead of <code>qemu:///system</code>.
* QEMU processes spawned by the privileged libvirtd daemon (qemu:///system), are now run under an unprivileged account, user 'qemu', group 'qemu'
+
# QEMU processes spawned by the privileged libvirtd daemon (<code>qemu:///system</code>), are now run under an unprivileged account, user 'qemu', group 'qemu'
* libvirtd will change ownership of any disks assigned to a virtual machine at startup, to user 'qemu', group 'qemu', except for readonly/shared disks.
+
# libvirtd will change ownership of any disks assigned to a virtual machine at startup, to user 'qemu', group 'qemu', except for readonly/shared disks.
* To revert to previous Fedora behaviour of running all QEMU instances as 'root', two config parameters are introduced in /etc/libvirt/qemu.conf. It is not recommended to change these
+
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
 
* See [[Talk:Features/VirtPrivileges]]  
 
* See [[Talk:Features/VirtPrivileges]]  
  
<!-- Category:FeatureReadyForWrangler -->
+
[[Category:Category:FeatureReadyForWrangler]]
[[Category:FeaturePageIncomplete]]
+
 
[[Category:F12_Virt_Features|VirtPrivileges]]
 
[[Category:F12_Virt_Features|VirtPrivileges]]
 +
[[Category:Virtualization|VirtPrivileges]]

Revision as of 16:53, 22 July 2009

Contents

VirtPrivileges

Summary

Improve security by adjusting the privileges of QEMU processes managed by libvirt. Also, allow KVM to be used by unprivileged users.

Owner

Current status

  • Targeted release: Fedora 12
  • Last updated: 2009-07-22
  • Percentage of completion: 95%

Detailed Description

The libvirtd daemon and QEMU driver has two modes of operation:

  1. A single system instance per machine, that runs with root privileges, launches QEMU instances as root, can use TAP device networking for QEMU, and has full storage and network management capabilities
  2. Fully unprivileged instances, which run as the same UID as the user accessing the API, but have a significantly reduced level of functionality.

The goal of this feature are to reduce the privileges of QEMU processes run by the system instance to improve security.

Specifically all QEMU processes will run as an unprivileged user/group called 'qemu'. libvirtd will be responsible for setting up file permissions to allow them to work

Benefit to Fedora

Reducing the privileges of the libvirt system instance will improve the security of a critical piece of infrastructure. Increasing the functionality of the session instance, will allow more widespread usage. By reducing the scenarios in which the system instance is needed, it will also improve security, since the session instance has far less privileges. Running everything as the same user account will also allow for better desktop session integration, particularly for the sound daemon, and facilitate usage of user home directories for disk image storage.

Scope

  • cap-ng: get this new library to be added to Fedora [DONE]
  • libvirt QEMU: ability to spawn QEMU instances as a non-root user / group ID (requires chown'ing of resources) [DONE]
  • libvirt QEMU: ability to drop capabilities before exec'ing QEMU instances. [DONE]
  • qemu: add a kvm or qemu user and group ID, and use to set /dev/kvm group ownership [DONE]
  • qemu: make /dev/kvm mod 666 by default to allow any user access to hardware acceleration [DONE]

How To Test

  • Verify that when using 'qemu:///system', no QEMU processes run as root
  • Verify that when using 'qemu:///session', it is possible to launch a guest using KVM

FIXME this is too simplistic. When capabilities are in use, user ID is not good enough check of actual privileges,cf /proc/$PID/status CapXXX fields

User Experience

All virtual machines run by virt-manager on a local desktop install will be running under their user account. All virt-manager machiens run on a server install will running as an reduced privilege system account.

Dependencies

Scope of the changes are limited to libvirt and qemu.

Contingency Plan

This functionality is incrementally building on existing functionality. No existing functionality will be lost, so if problems are encountered, new features can be dropped or postponed to later Fedora releases.

Documentation

Release Notes

In the Fedora 12 release a couple of changes are introduced for QEMU/KVM virtual machines to improve host security in the event of a flaw in the QEMU binary.

  1. /dev/kvm is now world readable & writable. This allows all users on a machine to use hardware acceleration out of the box. This means more people can use the fully unprivileged qemu:///session instance of libvirt, instead of qemu:///system.
  2. QEMU processes spawned by the privileged libvirtd daemon (qemu:///system), are now run under an unprivileged account, user 'qemu', group 'qemu'
  3. libvirtd will change ownership of any disks assigned to a virtual machine at startup, to user 'qemu', group 'qemu', except for readonly/shared disks.

Comments and Discussion