QEMU/KVM: shared file protections?

I have created a QEMU/KVM virtual machine, but I cannot get protections to work correctly in the vmshare directory.
The host user is raija in openSUSE Tumbleweed 20201229.
The guest user is kaino in Linux Mint 20.

When vmshare directory is viewed in guest, the protections are as below and are correct (both directories available):

kaino@VM:~/vmshare$ ls -la
a total of 8
drwxrwxrwx 1 kaino users 118 Jan 1 14:58 .
drwxr-xr-x 22 kaino kaino 4096 Jan 1 14:53 ..
-rw------- 1 kaino users 34 Jan 1 00:12 .directory
drwxrwxr-x 1 kaino kaino 0 Jan 1 14:57 guest-made-this-directory
drwxr-xr-x 1 kaino users 0 Jan 1 14:58 host-made-this-directory

But on the host, the protections are too strict:

raija@localhost:~/vmshare> l
in total 4
drwxrwxrwx 1 raija users 118 1. 1. 14:58 ./
drwxr-xr-x 1 raija users 2186 31.12. 23:33 ../
-rw------- 1 raija users 34 1. 1. 00:12 .directory
drwx------ 1 qemu qemu 0 1. 1. 14:57 guest-made-this-directory/
drwxr-xr-x 1 raija users 0 1. 1. 14:58 host-made-this-directory/
raija@localhost:~/vmshare>

User raija has been added to user groups libvirt and qemu. How should I set the usernames and protections so that the guest (kaino) files are available on the host (raija)?

I used the commands below to configure the vmshare



host:


mkdir /home/raija/vmshare
chown libvirt-qemu /home/raija/vmshare -this command doesn't work, what's wrong?


=======================================================


guest:


with GUI


Type: mount
Mode: mapped
Source path: /home/raija/vmshare
Target path: /vmshare


_______________________________________________________


Check that the relevant modules can be found in the GUEST modules file. If not: sudo nano /etc/initramfs-tools/modules


9p
9pnet
9pnet_virtio


Update initramfs:


sudo update-initramfs -u


_______________________________________________________




mkdir /home/kaino/vmshare
sudo nano /etc/fstab and add this line:


/vmshare   /home/kaino/vmshare    9p  trans=virtio,version=9p2000.L,rw    0   0

Do you have a user “libvirt-qemu” on your system? That command cannot work without such a user.

I have a user “qemu” and I have groups “libvirt”, “qemu” and “kvm”. I do not have a user “libvirt-qemu”

It depends on what you need. If you only need wider file permissions, you can use dmask and umask options of qemu fsdev:

    ``fmode=fmode``
        Specifies the default mode for newly created files on the host.
        Works only with security models "mapped-xattr" and
        "mapped-file".

    ``dmode=dmode``
        Specifies the default mode for newly created directories on the
        host. Works only with security models "mapped-xattr" and
        "mapped-file".

Files will be owned by user/group qemu runs under. I do not know if libvirt exposes these options, you may need to edit VM definition directly.

https://www.turek.dev/posts/set-libvirt-qemu-9pfs-umask-using-fmode-dmode/

Alternative is to use fsdev with security=none; files will be created with the same mode as in guest.

Sorry, I cannot use the quote command :frowning:

nrickert:
“Do you have a user “libvirt-qemu” on your system? That command cannot work without such a user.
I have a user “qemu” and I have groups “libvirt”, “qemu” and “kvm”. I do not have a user “libvirt-qemu””

No, I don’t have user “libvirt-qemu”. I have also user qemu and those user groups. That chown command was in a script I found on the internet.
https://cialu.net/qemu-kvm-on-ubuntu-and-sharing-files-between-host-and-guests/

arvidjaar:
“It depends on what you need. If only need wider file permissions, you can use dmask and umask options of qemu fsdev:…”

I hope I don’t have to change protections every time as a root user when user raija-the-host wants to open a directory / file created by the user-kaino-the-guest. In the other direction, the job is working properly (host creates, guest reads).

“Alternative is to use fsdev with security=none; files will be created with the same mode as in guest.”

This is enough for me, but how is this done in practice (Can it be found in the xml files of the virtual machine?)?

Have you tried to actually read the link I posted?

This is enough for me, but how is this done in practice (Can it be found in the xml files of the virtual machine?)?

I do not use libvirt (I call qemu directly) but it took me 5 seconds to search for “libvirt shared folder” and the very first hit contains screenshot of shared folder configuration in virt-manager with selection for security mode.

I have read the link you posted many times and still didn’t understand what I should do. I translated the text into Finnish with Google Translate and I understand even less. I don’t want to argue about who is smart and who isn’t. I just want to know how to edit “use fsdev with security=none”. Apparently I’m asking too much. :cry:

Although something can always happen,
I haven’t heard of any recent (like in the last decade) changes to the 9p protocol,
And although possible, I hadn’t personally heard of permissions issues that need to be addressed setting up a Shared Folder.

I’d recommend the following…
If your TW system is itself virtualized, you can simply make a copy of your entire system for backup.
Else, you may want to make a backup to quickly return to your current status.
I don’t think BTRFS snapshots support virtual machine configurations in standard locations, so you need some way of returning to your current status later if you wish… Unless you’re taking really good notes and can undo/restore changes manually.

In other words,
When experimenting or trying new configurations,
The default status of your system is likely the best starting point.
But, you may find that you want your current situation as a good starting point for other tries.
Set up a way you can get to various points in your troubleshooting as best as possible.

After the above…
I’d recommend you try to restart your investigations with default settings and permissions and without your customizations.
I’d also ask you what guide you may have followed to set up Shared Folders.
Many years ago, I published the following which has worked for many years but recently one person said it didn’t work for him for some unknown reason.
https://en.opensuse.org/User:Tsu2/virtfs

An important part of the setup procedure I recommended was to use the Squash “mode” and squashfs.
If that’s no longer working immediately, other settings can be tried as well very easily.
Note also that I opened up the file permissions applying 0777 to the shared directory. That might be too open for some but you should consider the security implications on your own (ie What is the likelihood your system gets hacked allowing a locally logged in intruder or a remote hacker with knowledge of your file system?)
Note also that the 9p protocol as used by QEMU isn’t typically usable as a network protocol and if the whole idea of Shared Folders makes you uncomfortable, you can always set up a normal network share as an alternative.

In other words,
Before you start hacking configuration files manually,
I recommend exhausting the possibilities using the default settings using recommended tools.

TSU

I said from the very beginning that I do not use libvirt, virt-manager or any other wrapper around QEMU. So I cannot give you step by step instructions, even less so as you do not say what tools you are using. Sorry. If it helps you, here is what I am using with qemu:

-virtfs local,path=$HOME,security_model=none,mount_tag=home

I don’t want to argue about who is smart and who isn’t.

It is not about being smart or not, it is about being willing to invest your own time to learn the tools you are using. It is understandable when you do not know what to look for (nobody knows all features of every software) but when you do, the answer is one Google search away.

Let’s start from the beginning.
My brother and uncle use Linux Mint. They are not interested in computers. Sometimes they ask for something that is hard to answer verbally, so I take a screenshot or the like.

So I installed a KVM server and KVM tools + libvirt on my computer.

kvm_server Version: 20200325-2.1
kvm_tools Version: 20200325-2.1
qemu Version: 5.2.0-1.1
libvirt Version: 6.10.0-3.1

I created LinuxMint as a guest on the same SDA disk as the host, using Virtual Machine Manager version 3.2.0. The guest user name is **kaino** (in practice).
The configuration works well, except for vmshare protections.
I have varied the guest file system graphically (by GUI) but I have not got the protections to work.

Note! I can’t select a file system type other than “mapped” (reference: https://en.opensuse.org/User:Tsu2/virtfs)

So now the file system is like this:
Type: mount
Mode: mapped
Source path: /home/raija/vmshare
Target path: /vmshare

I mount vmshare like this and each command makes the connection:

  1. sudo mount -t 9p -o trans=virtio,version=9p2000.L /vmshare /home/guest/vmshare
  2. in fstab: /vmshare /home/guest/vmshare 9p trans=virtio,version=9p2000.L,rw 0 0 <- this is in use

I have also edited the qemu.conf file (of course, I took a backup first) without success in changing the protections
(reference: https://libvirt.org/kbase/qemu-passthrough-security.html)

Disabling security protection host-wide
As a last resort it is possible to disable security protection host wide which will affect all virtual machines. These settings are all made in /etc/libvirt/qemu.conf

SELinux - set security_default_confined = 0 to make QEMU run unconfined by default, while still allowing explicit opt-in to SELinux for VMs.

DAC - set user = root and group = root to make QEMU run as the root account.

SELinux, DAC - set security_driver = [] to entirely disable both the SELinux and DAC security drivers.

(Parameters below not tried:
Namespaces - set namespaces = [] to disable use of the mount namespaces, causing QEMU to see the normal fully populated dev.

Seccomp - set seccomp_sandbox = 0 to disable use of the Seccomp sandboxing in QEMU.

Cgroups - set cgroup_device_acl to include the desired device node, or cgroup_controllers = [...] to exclude the devices controller.)

rgs,
Raija

That’s OK.
I have explained this about a week now and have asked solution to the problem also in other pages in my own language. No solution found.

The actual installation of the virtual machine itself and the installation of LinuxMint was an easy task but this security thing was not.

P.S. It’s not easy to translate a thing you barely know from Finnish to English, so a Google search doesn’t always work all at once.

If only I could write in Finnish, the text would come out in a whole different way… :wink:

First thing to note is that ideally you should have installed KVM in the beginning by using the YaST Virtualization module… Installing by using the module sets you up from the beginning with a default configuration and installed modules that everyone understands and assumes. When people install KVM and Libvirt manually, you can end up with a customized installation with different settings others can’t anticipate or have experienced.

I guess my question is why you can’t configure any other Shared Folder mode than “mapped.”
You should have something like 4 different options…
Is that the only option that’s available at all, do any other options display but are greyed out?

In fact, a quick search based on this specific problem you described returned the following top result which might provide answers to both options and permissions… I suspect that “mapped” may be a very strict linking of filesystems which in my mind can cause problems other options wouldn’t have.

https://askubuntu.com/questions/772784/9p-libvirt-qemu-share-modes

As I opened,
I don’t recommend people go configuring things on their own and especially on non-defaults.
Computing is complex under the hood and there are lots of ways for things to go wrong by not following well worn paths.
You’re currently going down a rabbit hole of unknown complications which may build on itself.
Following a guide is the best way to avoid problems.
Is why although your KVM might work mostly the way you expect, it can be a time saver in the long run to make sure you’re installed properly using the YaST virtualization module and configure Shared Folders as I’ve described in my Wiki article.

TSU

First thing to note is that ideally you should have installed KVM in the beginning by using the YaST Virtualization module… Installing by using the module sets you up from the beginning with a default configuration and installed modules that everyone understands and assumes. When people install KVM and Libvirt manually, you can end up with a customized installation with different settings others can’t anticipate or have experienced.

I installed qemu/kvm with yast2 with the virtualization module. And for some reason also libvirt with yast2. Then I installed LinuxMint (and Windows 10) with Virtual Machine Manager. Was this the error I made?

I guess my question is why you can’t configure any other Shared Folder mode than “mapped.”, “squash” and “hypervision default”
You should have something like 4 different options…
Is that the only option that’s available at all, do any other options display but are greyed out?

I have 3 options for Shared Folder mode: “mapped.”, “squash” and “hypervision default”. But no “passthru”.

In fact, a quick search based on this specific problem you described returned the following top result which might provide answers to both options and permissions… I suspect that “mapped” may be a very strict linking of filesystems which in my mind can cause problems other options wouldn’t have.

https://askubuntu.com/questions/772784/9p-libvirt-qemu-share-modes

Looks like my problem.

As I opened,
I don’t recommend people go configuring things on their own and especially on non-defaults.
Computing is complex under the hood and there are lots of ways for things to go wrong by not following well worn paths.
You’re currently going down a rabbit hole of unknown complications which may build on itself.
Following a guide is the best way to avoid problems.
Is why although your KVM might work mostly the way you expect, it can be a time saver in the long run to make sure you’re installed properly using the YaST virtualization module and configure Shared Folders as I’ve described in my Wiki article.

That is the reason for my frustration, because I have not done any patches. I have configured qemu/kvm with yast2. Well, I will try to configure another Linux Mint (same but different name with Yast Virtual manage). I don’t understand how this can be so hard: only a few commands…

If you had installed KVM using the YaST virtualization module (and I’m not talking about Software Manager when you can install any software), you should have seen the options to install KVM, Xen and/or LXC. Libvirt would be installed automatically with whatever choice you made, and when the actual installation happened, you would have been offered the option to have the br0 device installed for you. Libvirt is not installed separately. If you didn’t see all that, you didn’t install using the YaST virtualization module.

I recommend setting up your Shared Folder using “squash,” not one of the other modes.
Note also in my article that you need to set the permissions on your HostOS shared folder to 0777 which is to enable full access by anyone/everyone which should eliminate any problems related to access from your HostOS or Guest, read or write or read/write, etc.
This permissions setting is not unusual and has been the standard setting for more than a decade with no known issue so should be safe although I can imagine someone wanting to tighten up security in special scenarios.

Yes,
Not many ways to go wrong,
But that’s how computing can be… Sometimes it only takes one faulty setting for things not to work.

TSU

If you had installed KVM using the YaST virtualization module (and I’m not talking about Software Manager when you can install any software), you should have seen the options to install KVM, Xen and/or LXC. Libvirt would be installed automatically with whatever choice you made, and when the actual installation happened, you would have been offered the option to have the br0 device installed for you. Libvirt is not installed separately. If you didn’t see all that, you didn’t install using the YaST virtualization module.

That’s exactly what I did. I saw also the br0 notice and I had to do it manually (commands: virsh net-start default and virsh net-autostart default).

I recommend setting up your Shared Folder using “squash,” not one of the other modes.
Note also in my article that you need to set the permissions on your HostOS shared folder to 0777 which is to enable full access by anyone/everyone which should eliminate any problems related to access from your HostOS or Guest, read or write or read/write, etc.
This permissions setting is not unusual and has been the standard setting for more than a decade with no known issue so should be safe although I can imagine someone wanting to tighten up security in special scenarios.

Thanks, I will try this. I have set the permissions to 0777 but qemu sets it back. Looks like this (in host directory): drwx------ 1 qemu qemu 0 3. 1. 01:29 Guest-made-this/

Btw: I tried to patch the LinuxMint20 file but it was successful (maybe I wrote ‘passthrough’ wrong or there is something else):

**localhost:~ #** virsh edit LinuxMint20
error: XML document failed to validate against schema: Asiakirjaa ei voida vahvistaa /usr/share/libvirt/schemas/domain.rng:n vastaan
Extra element devices in interleave
Element domain failed to validate content

Failed. Try again? [y,n,i,f,?]:
error: unsupported configuration: unknown filesystem type ‘passthrough’
Failed. Try again? [y,n,f,?]:

localhost:~ #

Yes,
Not many ways to go wrong,
But that’s how computing can be… Sometimes it only takes one faulty setting for things not to work.

That’s how it is. The biggest problem for me here is that I can’t find specs on how this should be done.

It has been tested.
It still doesn’t seem to work as I would like.
The situation in practice is that I am the user of both host and guest, so protections do not matter, as long as I can use vmshare on both host and guest. There are no other users on this computer than me (raija=kaino).

My humble request is this:
When host (=raija) creates a file/directory in vmshare then guest (=kaino) can read/use it.
When guest (=kaino) creates a file/directory in vmshare then host (=raija) can read/use it.

Maybe this is impossible or maybe there is a bug. :\

Everything you’re describing says that your installation using the YaST virtualization module was unsuccessful.
You should not have had to run those virsh commands.
QEMU should not have reversed your permissions.
It should be just as I described in my Wiki article… In a default system, you should be able to configure using only the GUI and not need to execute any CLI.

I strongly suspect that you’ve made changes to your system you don’t remember making and are unable to return your system to default. And, without close inspection I suspect that even if you’re installed on BTRFS, trying to return to a prior snapshot so long ago may be impossible or extremely painful (wiping out numerous other apps and adjustments to your system over time).

Do you have another physical machine you can run try installing from scratch and learning from the experience?
I’d hate to suggest trying to purge your system manually of KVM and libvirt, and re-install without some hands-on experience… I’ve done such a thing with various apps but not with KVM and libvirt (I’ve done it with Virtualbox a few times and there are Forum threads describing the procedure).

BTW - You should know that because of the large number of changes TW makes regularly, I don’t recommend it as a HostOS for important virtualization systems… Only maybe for personal or experimental use which aren’t providing critical services for others if TW experiences a problem.

TSU

“squash” should translate to “security_model=none” qemu option (https://www.linux-kvm.org/page/9p_virtio). Please show full command line when your VM instance is running (ps -efwww | grep qemu).

“passthrough” requires that qemu runs as root. You probably do not want it anyway.
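
As an added illustration (not part of any post in this thread, and not QEMU or libvirt code): the sketch below reads a QEMU command line like the one `ps -efwww | grep qemu` prints and reports, for each 9p export, the security model and the permission bits that guest-created files and directories receive on the host. The command line, the paths /srv/a and /srv/b and all function names are constructed for the example; the 0600/0700 values are QEMU's built-in defaults for the mapped models when fmode/dmode are not given.

```python
import shlex

# Host-side modes QEMU applies in the mapped models when fmode/dmode are absent.
MAPPED_DEFAULTS = {"fmode": 0o600, "dmode": 0o700}
MAPPED_MODELS = {"mapped", "mapped-xattr", "mapped-file"}

# Constructed sample of a libvirt-style QEMU command line (not from the thread).
SAMPLE_CMDLINE = (
    "/usr/bin/qemu-system-x86_64 -name guest=LinuxMint20 "
    "-fsdev local,security_model=mapped,id=fsdev-fs0,path=/home/raija/vmshare "
    "-device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=/vmshare "
    "-fsdev local,security_model=mapped,fmode=0664,dmode=0775,id=fsdev-fs1,path=/srv/a "
    "-device virtio-9p-pci,id=fs1,fsdev=fsdev-fs1,mount_tag=a "
    "-virtfs local,path=/srv/b,security_model=none,mount_tag=b"
)


def parse_opts(arg):
    """Split 'local,path=/x,security_model=none' into (first_token, options)."""
    parts = arg.replace(",,", "\0").split(",")  # ',,' is an escaped comma
    opts = dict(p.replace("\0", ",").partition("=")[::2] for p in parts[1:])
    return parts[0], opts


def c_number(text):
    """Parse a number with C base-0 rules: 0644 is octal, 0x1a4 is hex."""
    if len(text) > 1 and text[0] == "0" and text[1] not in "xX":
        return int(text, 8)
    return int(text, 0)


def describe_shares(cmdline):
    """Return one dict per local 9p export found on a QEMU command line."""
    argv = shlex.split(cmdline)
    pairs = list(zip(argv, argv[1:]))
    # -fsdev carries no mount tag of its own; the matching -device does.
    tags = {}
    for flag, arg in pairs:
        o = parse_opts(arg)[1]
        if flag == "-device" and "fsdev" in o:
            tags[o["fsdev"]] = o.get("mount_tag")
    shares = []
    for flag, arg in pairs:
        if flag not in ("-fsdev", "-virtfs"):
            continue
        driver, o = parse_opts(arg)
        if driver != "local":
            continue
        model = o.get("security_model", "")
        if model in MAPPED_MODELS:
            # Guest owner and mode are kept as metadata; the host sees these bits.
            fmode = c_number(o["fmode"]) if "fmode" in o else MAPPED_DEFAULTS["fmode"]
            dmode = c_number(o["dmode"]) if "dmode" in o else MAPPED_DEFAULTS["dmode"]
            host_modes = (f"{fmode:04o}", f"{dmode:04o}")
        else:
            # none / passthrough: the mode requested in the guest is used on the host.
            host_modes = ("guest", "guest")
        shares.append({
            "tag": o.get("mount_tag") or tags.get(o.get("id")),
            "path": o.get("path"),
            "model": model,
            "host_file_mode": host_modes[0],
            "host_dir_mode": host_modes[1],
        })
    return shares


if __name__ == "__main__":
    for share in describe_shares(SAMPLE_CMDLINE):
        print(share)
```

A share reported with host_dir_mode 0700 matches the `drwx------ qemu qemu` listing shown earlier in the thread: only the account QEMU runs as can enter directories the guest creates.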

Ok.
Now a very simple question: how do I get rid of this configuration? I mean so that there is nothing, really nothing left about qemu/kvm in the system? Do I also uninstall all programs that the Yast2 module installed?

Well, I answer myself:

  1. uninstalled linuxmint and windows with virtual machine manager
  2. removed linuxmint and windows stuff (xml, log and qcow2)
  3. uninstalled all qemu related programs etc. (hopefully)

Reinstalling programs with yast module…

  • Got warning: Network Manager is in use. Bridge needs to be configured manually (this is my own translation). clicked OK

Starting configuring linuxmint with yast:

  • iso file selected (linux mint 20)
  • error: qemu unexpectedly closed the monitor
    • solution: changed display spice -> vnc
  • successful creation but mouse is not working. Have to jump with tabulator and then enter

Linuxmint is ready for installing

  • mouse is not working. Have to jump with tabulator and then enter
  • installing continues …

Installation continues, part2

Linux mint is installed to guest and update done (and mouse is working)

Libvirt is not installed:
Information for package libvirt:

Repository : openSUSE-Tumbleweed-Oss
Name : libvirt
Version : 6.10.0-3.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 0 B
Installed : No
Status : not installed

So I give this command: zypper in libvirt* virt-manager (62 programs installed)

Now I try to configure the share :shame:

host:

  1. mkdir /home/raija/virtfs
  2. chmod -R 0777 /home/raija/virtfs

guest

  1. add file system (type: mount, mode: squash)
  2. sudo mkdir /mnt/shared
  3. sudo mount -t 9p -o trans=virtio /hostshare /mnt/shared

There are still protection problems.

When guest creates files (directory/file) host can use them normally. That’s great!

raija@localhost:~> l virtfs/
yhteensä 4
drwxrwxrwx 1 raija users 66 3. 1. 12:39 ./
drwxr-xr-x 1 raija users 2232 3. 1. 12:33 ../
-rw-rw-r-- 1 qemu qemu 16 3. 1. 12:39 file
drwxrwxr-x 1 qemu qemu 42 3. 1. 12:39 directory
raija@localhost:~>

but host cannot (even it has created those itself). That’s not great
vm@vm:/mnt/shared$ ls -la
yhteensä 8
drwxrwxrwx 1 vm users 66 tammi 3 12:39 .
drwxr-xr-x 3 root root 4096 tammi 3 12:18 ..
-rw-rw-r-- 1 rtkit input 16 tammi 3 12:39 ‘file’
drwxrwxr-x 1 rtkit input 42 tammi 3 12:39 ‘directory’

What is this user=rtkit, group=input? I know what real time means because I’ve been working with real time systems for over 30 years but what does it mean here?!