[libvirt-users] Access to virtualization on a multi-user system

[sbaugh at catern.com]

Hi libvirt-users,

I find myself wanting to do something that seems like it must have some
obvious solution: I have multiple users (let's just assume local Unix
accounts) on a Linux system, and I want them all to have access to
KVM-accelerated virtualization. But, I don't want them to be able to
meddle with each other's virtual machines. Is there a solution to this
problem?

Methods of attack that have occured to me:

- Use PolicyKit to only allow a user to access qemu:///system VMs that
  are somehow marked as owned by that user
- Run multiple libvirt qemu:///system daemons and restrict access to
  each on a per-user basis
- Allow qemu:///session VMs to actually be KVM-accelerated (this seems
  like the best way to do it, but I have no idea if that's even
  possible)

Again, the third seems like the best way, but I'm not sure of how to
allow such VMs to be KVM-accelerated, and not sure if it's possible for
them to use anything other than usermode networking.

Hopefully I'm missing some obvious way to do it!

Thanks for any assistance!