Root squashing virtiofsd with --uid-map

kayson

Member
Feb 13, 2024
I want to use virtiofsd for mounting storage points into VMs without the guests having root access to the storage. virtiofsd supports --uid-map and --gid-map options, but if I use --uid-map=:0:65534:1 (by replacing the binary with a wrapper script) then the VM won't start. I don't see any error messages or anything so I'm not quite sure how to debug further. Any ideas?
 
So the issue turned out to be that you can't use --uid-map or --gid-map if you are not running virtiofsd in a namespace. PVE runs it as root in the PID1 default namespace so it was failing and exiting. Annoyingly, PVE doesn't do anything to log virtiofsd, so the error messages were disappearing into a black hole.

The solution is to use --translate-uid (or gid) which is implemented by the daemon itself. I added this to mimic nfs root squashing: --translate-uid guest:0:65534:1 --translate-gid guest:0:65534:1

@fabian - it would be really nice if PVE ran virtiofsd with something like --syslog so the messages are visible in journalctl.
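For readers who want the wrapper-script approach from the first post, here is an added example (not code from this thread or from Proxmox) of a POSIX sh wrapper that stands in for the virtiofsd binary, appends the --translate-uid/--translate-gid root-squash flags the second post arrived at, and refuses the --uid-map/--gid-map flags that only work inside a user namespace. The path of the real binary (/usr/libexec/virtiofsd.real), the REAL_VIRTIOFSD/SQUASH_UID/SQUASH_GID variables, and the logger tag are assumptions for this example; the translation syntax guest:0:65534:1 is taken from the post above.

```shell
#!/bin/sh
# Assumed layout: the admin moved the real daemon aside to /usr/libexec/virtiofsd.real
# and installed this script in its place, so PVE's own invocation passes through here.
REAL_VIRTIOFSD="${REAL_VIRTIOFSD:-/usr/libexec/virtiofsd.real}"
SQUASH_UID="${SQUASH_UID:-65534}"   # nobody on Debian-based PVE (assumed default)
SQUASH_GID="${SQUASH_GID:-65534}"   # nogroup

# Return 1 if the caller passed --uid-map/--gid-map in either spelling.
# Those flags require virtiofsd to run inside a user namespace; PVE runs it
# as root in the initial namespace, so the daemon would exit before the
# guest starts and the VM would silently fail to come up.
reject_ns_only_flags() {
    for arg in "$@"; do
        case "$arg" in
            --uid-map|--uid-map=*|--gid-map|--gid-map=*) return 1 ;;
        esac
    done
    return 0
}

# Render the final command line as one string: the original arguments plus
# the root-squash translation (guest uid/gid 0 -> host SQUASH_UID/SQUASH_GID).
# Used only for the log line; the exec path below keeps arguments intact.
squash_args() {
    printf '%s --translate-uid guest:0:%s:1 --translate-gid guest:0:%s:1\n' \
        "$*" "$SQUASH_UID" "$SQUASH_GID"
}

# Only act as a wrapper when the real binary is actually present, so the
# functions above can also be sourced and checked on a machine without virtiofsd.
if [ -x "$REAL_VIRTIOFSD" ]; then
    if ! reject_ns_only_flags "$@"; then
        logger -t virtiofsd-wrapper "refusing --uid-map/--gid-map: not running in a user namespace"
        exit 1
    fi
    # Log the effective command line so it shows up in journalctl next to
    # virtiofsd's own --syslog output, then hand over to the real daemon.
    logger -t virtiofsd-wrapper "exec: $REAL_VIRTIOFSD $(squash_args "$@")"
    set -- "$@" --translate-uid "guest:0:${SQUASH_UID}:1" --translate-gid "guest:0:${SQUASH_GID}:1"
    exec "$REAL_VIRTIOFSD" "$@"
fi
```

The exec branch uses `set --` rather than the rendered string so that arguments containing spaces survive; `squash_args` exists so the appended flags are visible in the journal, which is the gap the thread is about.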
 
virtiofsd is started with "--syslog" already: https://git.proxmox.com/?p=qemu-ser...8eb68331390072e8414fbce638f0c6e2;hb=HEAD#l187 . It's executed as part of the qemu scope, so it should be logged there as well:

Code:
# journalctl -f
Jun 11 10:56:28 yuna pvedaemon[1927358]: start VM 107: UPID:yuna:001D68BE:00933B6A:6A2A783C:qmstart:107:fgruenbichler@pam:
Jun 11 10:56:28 yuna pvedaemon[10795]: <fgruenbichler@pam> starting task UPID:yuna:001D68BE:00933B6A:6A2A783C:qmstart:107:fgruenbichler@pam:
Jun 11 10:56:29 yuna systemd[1]: Started 107.scope.
Jun 11 10:56:29 yuna virtiofsd[1927391]: yuna virtiofsd[1927388]: Waiting for vhost-user socket connection...
Jun 11 10:56:29 yuna virtiofsd[1927391]: yuna virtiofsd[1927388]: Client connected, servicing requests

Code:
# journalctl -u 107.scope -b
Jun 11 10:56:29 yuna systemd[1]: Started 107.scope.
Jun 11 10:56:29 yuna virtiofsd[1927391]: yuna virtiofsd[1927388]: Waiting for vhost-user socket connection...
Jun 11 10:56:29 yuna virtiofsd[1927391]: yuna virtiofsd[1927388]: Client connected, servicing requests

This also seems to be true for messages by virtiofsd in case you pass invalid arguments.
 
Hmm. I do see that now. Not sure how I missed the error messages originally... Thanks for pointing it out.