qemu.conf: Improve docs for 'dynamic_ownership' option

Add a note that the user/group can be overriden or relabelling disabled
using per-vm/disk <seclabel> elements instead of disabling it globally.

Add a note that read-only image labels are not restored.

Closes: https://gitlab.com/libvirt/libvirt/-/issues/512
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 042bb75b506f3c226f32fc93bc459aab95430070..221bfa8095773e71f1c098e4351dc7ac15281355 100644 (file)
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -513,7 +513,17 @@
 
 # Whether libvirt should dynamically change file ownership
 # to match the configured user/group above. Defaults to 1.
-# Set to 0 to disable file ownership changes.
+#
+# Notes:
+#  - Per domain or per disk image user and group can be configured, or
+#    relabelling disabled using the <seclabel model='dac'> elements in XML:
+#
+#      https://www.libvirt.org/formatdomain.html#security-label
+#
+#  - The user/group of read-only images is not restored as with read-write
+#    images as they may be shared among more domains.
+#
+# Set to 0 to disable file ownership changes globally in the qemu driver.
 #dynamic_ownership = 1
 
 # Whether libvirt should remember and restore the original