[Bug 619843] Re: euca-get-console-output returns one single line

Jamie Strandboge jamie at ubuntu.com
Tue Aug 24 15:42:17 BST 2010


To summarize the IRC discussion:

libvirt uses a stacked security driver. The one at the bottom is always
on and is the DAC driver. MAC drivers such as the AppArmor one used in
Ubuntu sit on top of the DAC driver. The DAC driver looks at
/etc/libvirt/qemu.conf for the user and group to run qemu/kvm as and as
of libvirt 0.8.3 the DAC driver will consistently chown files to the
user and group as defined in /etc/libvirt/qemu.conf. The DAC driver
changes started to appear in earlier releases of the 0.8 series, and
Debian started to use them during the Lucid cycle. Since Karmic, libvirt
uses the AppArmor security driver and therefore qemu/kvm is confined
more thoroughly by AppArmor than with the DAC driver and it was deemed
too risky to run kvm/qemu as non-root since the libvirt code was not as
well tested. So in Lucid, we changed qemu.conf back to running as root.
Now because of 0.8.3's behavior of unconditionally chowning what
qemu/kvm needs access to, disks and the console.log are chowned to
'root:root', which is why the euca user doesn't have access to the
console.log.

The proper fix is to drop the 9008-run-as-root-by-default.patch patch
and add eucalyptus to the 'kvm' group. In addition to fixing this
bug, it has the side benefits of reducing the Debian delta slightly and
providing better protection for when the AppArmor driver is turned off.

-- 
euca-get-console-output returns one single line
https://bugs.launchpad.net/bugs/619843
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
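
Added example, not part of the original message or of libvirt's code: a small Python model of the ownership problem described above, where the DAC driver chowns console.log to the qemu.conf user and group and a separate service account then needs read access. The 0640 file mode, the "libvirt-qemu" user name, the root:root fallback when nothing is set, and all function names are assumptions made for illustration.

```python
import re
import stat

# Constructed sample: qemu.conf as patched to run guests as root.
ROOT_QEMU_CONF = '''
#user = "libvirt-qemu"
user = "root"
group = "root"
'''

# Constructed sample: qemu.conf with a non-root identity (names assumed).
NONROOT_QEMU_CONF = '''
user = "libvirt-qemu"
group = "kvm"
'''

def qemu_identity(conf_text, default=("root", "root")):
    """Return (user, group) from uncommented settings; the last one wins.
    The fallback for unset values is an assumption, not libvirt's default."""
    ident = {"user": default[0], "group": default[1]}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(user|group)\s*=\s*"([^"]*)"', line)
        if m:
            ident[m.group(1)] = m.group(2)
    return ident["user"], ident["group"]

def can_read(mode, owner, group, user, user_groups):
    """Classic DAC read check: owner bits, else group bits, else other bits."""
    if user == "root":
        return True
    if user == owner:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def console_log_readable(conf_text, mode, user, user_groups):
    """Model console.log after it is chowned to the qemu.conf identity."""
    owner, group = qemu_identity(conf_text)
    return can_read(mode, owner, group, user, user_groups)

if __name__ == "__main__":
    # Running as root: console.log becomes root:root, eucalyptus is locked out.
    print(console_log_readable(ROOT_QEMU_CONF, 0o640, "eucalyptus", {"eucalyptus"}))
    # Non-root identity plus 'kvm' membership: group read bit grants access.
    print(console_log_readable(NONROOT_QEMU_CONF, 0o640, "eucalyptus", {"eucalyptus", "kvm"}))
```

Group membership only helps if the file mode carries the group read bit, which is why the mode is an explicit input here.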


