dropping privileges for qemu-lite-system-x86_64

[zeigerpuppy]

Usually when running qemu, it is recommended to drop privileges when a machine starts.

For standard qemu with libvirt this is achieved by setting the values in /etc/libvirt/qemu.conf to:

user = "libvirt-qemu"
group = "libvirt-qemu"
clear_emulator_capabilities = 1

I note that currently qemu-lite-system-x86_64 runs all processes as root.
Is there a way to similarly drop privileges?

I understand that this has some impact on image ownership and sharing, which would require permissions to be set properly but it still seems like it would be a good idea to ensure a rogue machine can do less damage to the host if it escapes confinement.

[jodh-intel]

We are looking at doing this, but only in the new Kata Containers project:

• Isolate hypervisor process through namespaces kata-containers/runtime#345

I'd recommend upgrading to Kata Containers since this is the development focus:

• https://github.com/kata-containers/documentation/tree/master/install
• https://github.com/kata-containers/documentation/blob/master/Upgrading.md#upgrade-from-clear-containers

[zeigerpuppy]

thanks @jodh-intel, good to see it's being addressed. You're right that it's time to migrate. I have to get over the fact that clearcontainers works so well at the moment and take the dive!

[jodh-intel]

Hi @zeigerpuppy - we'd like to think you'll be equally if not more impressed with Kata 😄

fwiw, if you are on a non-critical system, you can remove the cc-ksm-throttler package (it may not be installed as its non-essential) and then simply install the Kata packages so that you'll be able to run both on the same system!

The upgrading guide recommends removing Clear Containers since:

• It could be confusing for some to have both systems installed.
• Clear Containers is no longer the focus of development so it makes sense for many reasons to switch to Kata Containers.

However, short term you can play with both if you wish :)

[zeigerpuppy]

Oh great, it will make my migration simpler if I can run both for a while!

[zeigerpuppy]

Hi @jodh-intel,
I was trying your advice to remove cc-ksm-throttler, however, it appears that this can't be done with .deb packages, as cc-runtime cc-runtime-bin cc-runtime-config depend on it.

apt remove cc-ksm-throttler
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  clear-containers-image linux-container
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  cc-ksm-throttler cc-runtime cc-runtime-bin cc-runtime-config
0 upgraded, 0 newly installed, 4 to remove and 8 not upgraded.
After this operation, 26.4 MB disk space will be freed.
Do you want to continue? [Y/n]

Therefore, I removed it with the following workaround (I thought it may be useful to document for others in the same situation):

apt-mark hold cc-runtime
apt-mark hold cc-runtime-bin
apt-mark hold cc-runtime-config
dpkg -r --force-depends cc-ksm-throttler

[grahamwhaley]

Thanks for posting the info @zeigerpuppy !
/cc @jcvenegas for packaging view/input.

[zeigerpuppy]

I think this may be a little tricker than I expected. The kata packages don't install on Debian Stretch because of dependency issues:

The following packages have unmet dependencies:
 qemu-vanilla : Depends: librbd1 (>= 12.0.3) but 10.2.5-7.2 is to be installed

I will file a more complete report on the kata repo

EDIT
report filed here: kata-containers/documentation#193