[libvirt-users] Access to virtualization on a multi-user system
Spencer Baugh
sbaugh at catern.com
Wed Jul 8 19:18:32 UTC 2015
Just following up for future reference,
sbaugh at catern.com writes:
> Hi libvirt-users,
>
> I find myself wanting to do something that seems like it must have some
> obvious solution: I have multiple users (let's just assume local Unix
> accounts) on a Linux system, and I want them all to have access to
> KVM-accelerated virtualization. But, I don't want them to be able to
> meddle with each other's virtual machines. Is there a solution to this
> problem?
>
> Methods of attack that have occured to me:
>
> - Use PolicyKit to only allow a user to access qemu:///system VMs that
> are somehow marked as owned by that user
> - Run multiple libvirt qemu:///system daemons and restrict access to
> each on a per-user basis
> - Allow qemu:///session VMs to actually be KVM-accelerated (this seems
> like the best way to do it, but I have no idea if that's even
> possible)
This way worked well! If /dev/kvm is accessible to your user (perhaps
through being world-writable), qemu can be KVM-accelerated without
privileges, and libvirt uses this automatically. Likewise,
qemu-bridge-helper[0] allows access to bridged networking without
privileges, and libvirt uses it automatically when it can. So now I have
a working setup for multiple users to have production-quality virtual
machines using qemu:///session, which has many benefits. (For one, you
can limit user virtual machines with ulimits!)
I'll probably write a blog post about this once I have explored it more.
[0] http://wiki.qemu.org/Features-Done/HelperNetworking
> Again, the third seems like the best way, but I'm not sure of how to
> allow such VMs to be KVM-accelerated, and not sure if it's possible for
> them to use anything other than usermode networking.
>
> Hopefully I'm missing some obvious way to do it!
>
> Thanks for any assistance!
More information about the libvirt-users
mailing list