[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-discuss] manipulating raw disk image as non-root user

From: Jakob Bohm
Subject: Re: [Qemu-discuss] manipulating raw disk image as non-root user
Date: Mon, 04 Aug 2014 16:29:57 +0200
User-agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0

On 8/4/2014 7:46 AM, Tony Su wrote:
  Apparently there is a Docker plugin for Jenkins.
Makes a lot of sense.
Although this blog is very thin on detail, I came across this today


On Sat, Aug 2, 2014 at 11:40 PM, Tony Su <address@hidden> wrote:
  Without knowing exactly what your app is, and what are its
requirements it's hard to propose something specific.

A small FYI -
I've been looking at several things recently that in general terms
might be considered to solve your problem, but without more detail I'd
be shooting in the dark.

Possible Solution 1
I've been looking at Docker recently, very recent new features allow a
person to do some really powerful things, and many are in combination
with other virtual technologies like QEMU. Docker has become a way to
create a PAAS using LXC (Linux Containers). it's now much easier to
create both "full OS" image-based containers and also "App specific"
containers. The latter is similar in concept with Terminal Service
Application Mode if you're familiar with that... It's the idea that
within a given OS you can deploy an App in an isolated "virtual"
instance on demand and without a normal installation. From a Dev point
of view, this allows you to deploy an app (eg based on a Jenkins
build) as its own fully contained instance with dependencies and when
you "stop" the app, the app and its dependencies disappear, leaving
the OS "clean."

Possible Solution 2
As I described in my earlier post, rights and permissions to
accomplish tasks are generally managed by Security Groups. You just
need to make your User account a member of the appropriate Security
Group (which may or may not be root). If you do this, to minimize
security issues as much as possible you should probably create a
special User account that isn't ordinarily used to Login. In the
Windows world, this would be called a Service account. The idea here
is that unlike Kris' suggestion, you don't need two separate processes
to accomplish tasks requiring different permissions... Use one account
and grant it all the permissions that are needed.

Possible Solution 3
I've been intrigued by a recent article I read about using nodemon in
nodejs. Basically, an app is launched configured with the contents of
a particular folder. When the contents of the folder changes, nodemon
automatically re-builds and re-launches the app based on the changed
folder contents.

All of the above are different solutions in different technologies
with a common thread... Deploying an app as dynamically as possible
for staging or production with minimal effort and if possible remove
all vestiges when the app is stopped.. Maybe one or more might be
relevant to finding a solution to your app. If your app is using a
technology different than the above, maybe you can find an equivalent
for the code you're working with.

I also doubt that you should need to do all the functions you list. I
myself create a base image to use as a deployment target and clone it
as many times as I need to test each version of code. I would not want
to build something from scratch every time unless that is the actual
code being tested.


On Sat, Aug 2, 2014 at 9:55 PM, Kris <address@hidden> wrote:
I have a solution, but it seems a little complex: you can run a program
(service A), and it provide some restful API. Then when Jenkins call your
script, and your script call service API. Last, service A do what you want
as root user.

Best regards,

在 2014年8月3日,下午12:42,Dallas Clement <address@hidden> 写道:

On Sat, Aug 2, 2014 at 11:30 PM, Kris <address@hidden> wrote:

How about to use sudo to run it.

Best regards,

在 2014年8月3日,上午10:05,Dallas Clement <address@hidden> 写道:

On Sat, Aug 2, 2014 at 8:46 PM, Dale R. Worley <address@hidden>

From: Dallas Clement <address@hidden>

I would like to be able to create, partition, format, mount, and
populate a
raw disk image file as a non-root user.  I am able to create the image
with dd and partition it with parted as a non-root user.  I have not
figured out a way to format, mount, and populate it as a non-root user.
  Tools such as losetup and kpartx seem perfect for the task, but
unfortunately require root.

Is it possible to do what I want with qemu?

Since you can run Qemu as a non-root user, and you can present an
arbitrary file to it as a disk, it seems that you should be able to
use the standard disk tools within a Qemu guest to do what you want.


Thanks Dale.  I was hoping I could do something like this.  I'll explore
that further.

Why do you wish to avoid root?

Tony, I am wanting to run as non-root because it is my Jenkins
build-server that will be doing all of this which needs to run as non-root
for security sake.  I want the last stage of my build to produce a uSD card

How about to use sudo to run it.

Can't do that unfortunately.  It's still elevated privileges.  Jenkins won't
allow it.

I am afraid that the last few suggestions above have all been about really getting (partial) root privileges in various roundabout ways.

That is a bad idea. The whole reason why tools such as Jenkins don't allow root is to ensure that an evil patch to some component (local or
upstream) cannot compromise the build server itself, and from there all
machines that run software built by that build server.

So here are some secure ways to create and manipulate disk images without any kind of root or other special privileges:

1. Formatting tools such as mkfs can be told to format a raw partition
image file directly by simply passing the filename where a disk device
is normally specified, plus sometimes adding an option not to complain
about that.

2. Partition images can be combined into disk images by clever use of

3. For some file systems there are programs that can create disk images
from a file tree.  The classic being mkisofs for CD images, but others
have been made.  For FAT file systems, the classic mtools can read and
write files in a raw image without root privileges.

4. The other option is to use qemu: Using the other techniques above,
create a bootable file system which will format and populate the second
hard drive of a virtual machine.  Then run qemu with the creator file
system as hard drive 1 and an empty raw disk image as hard drive 2. When the creator system completes, it should create some kind of "OK" file and shut down its machine, causing qemu to exit. Then your build system (Jenkins) can check if the OK file was created or not before
proceeding to compress or otherwise package the image file.  Be sure to
configure qemu to redirect the "console tty" of the creator system to
qemu's own stdout, so you can see the output in the build log.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

reply via email to

[Prev in Thread] Current Thread [Next in Thread]