aljaz/kata-containers
1
0
Fork 0
mirror of https://github.com/aljazceru/kata-containers.git synced 2025-12-18 23:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

runtime: Run QEMU using a non-root user/group

Browse Source 
A random generated user/group is used to start QEMU VMM process.
The /dev/kvm group owner is also added to the QEMU process to grant it access.

Fixes #2444

Signed-off-by: Feng Wang <feng.wang@databricks.com>
This commit is contained in:
Feng Wang
2021-08-09 15:29:49 -07:00
parent fff82b4ef5
commit 1cfe59304d
17 changed files with 505 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/runtime/virtcontainers/virtiofsd.go
View File

@@ -79,6 +79,12 @@ func (v *virtiofsd) getSocketFD() (*os.File, error) {
return nil, err
}
// Need to change the filesystem ownership of the socket because virtiofsd runs as root while qemu can run as non-root.
// This can be removed once virtiofsd can also run as non-root (https://github.com/kata-containers/kata-containers/issues/2542)
if err := utils.ChownToParent(v.socketPath); err != nil {
return nil, err
}
// no longer needed since fd is a dup
defer listener.Close()