sbaugh@catern.com
2015-Jun-22 00:20 UTC
[libvirt-users] Access to virtualization on a multi-user system
Hi libvirt-users,

I find myself wanting to do something that seems like it must have some obvious solution: I have multiple users (let's just assume local Unix accounts) on a Linux system, and I want them all to have access to KVM-accelerated virtualization. But, I don't want them to be able to meddle with each other's virtual machines. Is there a solution to this problem?

Methods of attack that have occurred to me:

- Use PolicyKit to only allow a user to access qemu:///system VMs that are somehow marked as owned by that user
- Run multiple libvirt qemu:///system daemons and restrict access to each on a per-user basis
- Allow qemu:///session VMs to actually be KVM-accelerated (this seems like the best way to do it, but I have no idea if that's even possible)

Again, the third seems like the best way, but I'm not sure of how to allow such VMs to be KVM-accelerated, and not sure if it's possible for them to use anything other than usermode networking.

Hopefully I'm missing some obvious way to do it!

Thanks for any assistance!
Spencer Baugh
2015-Jul-08 19:18 UTC
Re: [libvirt-users] Access to virtualization on a multi-user system
Just following up for future reference,

sbaugh@catern.com writes:
> Hi libvirt-users,
>
> I find myself wanting to do something that seems like it must have some
> obvious solution: I have multiple users (let's just assume local Unix
> accounts) on a Linux system, and I want them all to have access to
> KVM-accelerated virtualization. But, I don't want them to be able to
> meddle with each other's virtual machines. Is there a solution to this
> problem?
>
> Methods of attack that have occurred to me:
>
> - Use PolicyKit to only allow a user to access qemu:///system VMs that
>   are somehow marked as owned by that user
> - Run multiple libvirt qemu:///system daemons and restrict access to
>   each on a per-user basis
> - Allow qemu:///session VMs to actually be KVM-accelerated (this seems
>   like the best way to do it, but I have no idea if that's even
>   possible)

This way worked well! If /dev/kvm is accessible to your user (perhaps through being world-writable), qemu can be KVM-accelerated without privileges, and libvirt uses this automatically. Likewise, qemu-bridge-helper[0] allows access to bridged networking without privileges, and libvirt uses it automatically when it can.

So now I have a working setup for multiple users to have production-quality virtual machines using qemu:///session, which has many benefits. (For one, you can limit user virtual machines with ulimits!) I'll probably write a blog post about this once I have explored it more.

[0] http://wiki.qemu.org/Features-Done/HelperNetworking

> Again, the third seems like the best way, but I'm not sure of how to
> allow such VMs to be KVM-accelerated, and not sure if it's possible for
> them to use anything other than usermode networking.
>
> Hopefully I'm missing some obvious way to do it!
>
> Thanks for any assistance!
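The reply above depends on two access decisions: who can open /dev/kvm, and which bridges qemu-bridge-helper will attach unprivileged users to. As an added example (not part of the thread, and not libvirt or QEMU code), the shell helpers below audit both on constructed sample files. Assumptions: the function names are hypothetical, `stat -c` is GNU coreutils, the ACL file uses `allow`/`deny` lines, and the helper's policy is modelled as default deny with deny overriding allow.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for a qemu:///session host.

# Print who can open node $1 read-write: "world", "group:<name>" or "owner-only".
kvm_access_class() {
    info=$(stat -c '%a %G' "$1") || return 2   # GNU stat: octal mode, group name
    mode=${info%% *}
    group=${info#* }
    if [ $(( (mode % 10) & 6 )) -eq 6 ]; then
        echo world                              # any local account gets KVM
    elif [ $(( (mode / 10 % 10) & 6 )) -eq 6 ]; then
        echo "group:$group"                     # access follows group membership
    else
        echo owner-only
    fi
}

# Succeed if ACL file $1 would let the bridge helper attach to bridge $2.
# Modelled policy (assumption): default deny; a matching deny beats any allow.
# "include" lines are not followed in this simplified reader.
bridge_acl_allows() {
    allowed=no; denied=no
    while read -r verb target rest || [ -n "$verb" ]; do
        if [ "$target" = all ] || [ "$target" = "$2" ]; then
            case "$verb" in
                allow) allowed=yes ;;
                deny)  denied=yes ;;
            esac
        fi
    done < "$1"
    [ "$allowed" = yes ] && [ "$denied" = no ]
}

# Demo on constructed samples so it runs anywhere. On a real host, pass /dev/kvm
# and the helper's ACL file (often /etc/qemu/bridge.conf; that path is an assumption).
demo=$(mktemp -d)
: > "$demo/kvm"; chmod 666 "$demo/kvm"
printf '%s\n' '# constructed ACL' 'allow virbr0' 'allow br-lab' 'deny br-lab' > "$demo/bridge.conf"
echo "kvm node: $(kvm_access_class "$demo/kvm")"
for br in virbr0 br-lab br-mgmt; do
    if bridge_acl_allows "$demo/bridge.conf" "$br"; then
        echo "$br: allowed"
    else
        echo "$br: denied"
    fi
done
rm -rf "$demo"
```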
Soeren Malchow
2015-Jul-08 19:27 UTC
Re: [libvirt-users] Access to virtualization on a multi-user system
The big question I have here is: why do the users have access to the system with the hypervisor, why not only to the VMs? Use something like oVirt or Proxmox and you do not have that problem anymore.

On 22/06/15 08:20, "libvirt-users-bounces@redhat.com on behalf of sbaugh@catern.com" <libvirt-users-bounces@redhat.com on behalf of sbaugh@catern.com> wrote:
> Hi libvirt-users,
>
> I find myself wanting to do something that seems like it must have some
> obvious solution: I have multiple users (let's just assume local Unix
> accounts) on a Linux system, and I want them all to have access to
> KVM-accelerated virtualization. But, I don't want them to be able to
> meddle with each other's virtual machines. Is there a solution to this
> problem?
>
> Methods of attack that have occurred to me:
>
> - Use PolicyKit to only allow a user to access qemu:///system VMs that
>   are somehow marked as owned by that user
> - Run multiple libvirt qemu:///system daemons and restrict access to
>   each on a per-user basis
> - Allow qemu:///session VMs to actually be KVM-accelerated (this seems
>   like the best way to do it, but I have no idea if that's even
>   possible)
>
> Again, the third seems like the best way, but I'm not sure of how to
> allow such VMs to be KVM-accelerated, and not sure if it's possible for
> them to use anything other than usermode networking.
>
> Hopefully I'm missing some obvious way to do it!
>
> Thanks for any assistance!