[libvirt] Per-VM access control

Radek Hladik radek at eadresa.cz
Fri Feb 13 14:36:19 UTC 2009


Jan Kasprzak wrote:
> 	Hello,
> 
> is it possible to run libvirt as a "hosting-like" environment?
> we would like to provide virtual machines for our users, but we would
> like them to be able to reset/reboot/poweroff only their own VMs,
> connect to the serial console of their own VMs only, and even maybe
> connect to the graphical console of their own VMs.

I am solving the same problem.

Access to the graphical console can be provided via password-protected VNC. 
The latest libvirt release supports this. However, in my setup the password 
sometimes disappears during other actions (i.e. removing an ISO image via 
virt-manager). I was not able to find out if this is a general bug or just my 
mistake. The second way is running consoles listening only on localhost, 
creating shell accounts with disabled shells, generating the SSH keys 
and specifying in authorized_keys the allowed forwards for each key. The user 
then logs in via ssh with the appropriate port-forward, and uses it to tunnel 
his VNC session. The same can be done with the serial port, as it can be 
configured to be accessible via TCP.
Starting and stopping can be done via some web script, authorizing the 
user and issuing a virsh command.
I know that all this is rather complicated and workaroundy, but I could 
not find an easier solution. I am looking forward to seeing replies from 
others on this list.
However, all this becomes a more interesting problem when you want to 
migrate machines to other hosts transparently.

Radek
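
The per-key forwarding restriction described in the message above, as an added example that is not part of the original post: it uses the OpenSSH authorized_keys options `restrict`, `port-forwarding` and `permitopen` to build one entry per user key, and audits a file for entries that lack them. The function names and the 5900-5999 port range are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original message). Function names and the
# 5900-5999 port range are assumptions made for illustration.

# vnc_key_line PORT "PUBKEY": print one authorized_keys line that permits
# only a forward to 127.0.0.1:PORT (no pty, agent or X11 forwarding).
vnc_key_line() {
    port=$1
    pubkey=$2
    nl='
'
    case $port in
        59[0-9][0-9]) ;;
        *) echo "bad port: $port" >&2; return 1 ;;
    esac
    # The key must be one line starting with a key type; anything else could
    # smuggle extra options (or a second entry) into the file.
    case $pubkey in
        *"$nl"*) echo "key contains a newline" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unsupported key format" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' \
        "$port" "$pubkey"
}

# audit_keys FILE: print the line number of every key entry that lacks
# "restrict" plus a localhost permitopen; exit status 0 only if none found.
audit_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !(/^restrict,/ && /permitopen="127\.0\.0\.1:[0-9]+"/) {
            print NR; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}
```

With such an entry in place, the user's client opens the tunnel with `ssh -N -L 5901:127.0.0.1:5901` against the restricted account, and a request to forward to any other destination is refused by sshd.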



