Just following up for future reference, sbaugh@xxxxxxxxxx writes: > Hi libvirt-users, > > I find myself wanting to do something that seems like it must have some > obvious solution: I have multiple users (let's just assume local Unix > accounts) on a Linux system, and I want them all to have access to > KVM-accelerated virtualization. But, I don't want them to be able to > meddle with each other's virtual machines. Is there a solution to this > problem? > > Methods of attack that have occured to me: > > - Use PolicyKit to only allow a user to access qemu:///system VMs that > are somehow marked as owned by that user > - Run multiple libvirt qemu:///system daemons and restrict access to > each on a per-user basis > - Allow qemu:///session VMs to actually be KVM-accelerated (this seems > like the best way to do it, but I have no idea if that's even > possible) This way worked well! If /dev/kvm is accessible to your user (perhaps through being world-writable), qemu can be KVM-accelerated without privileges, and libvirt uses this automatically. Likewise, qemu-bridge-helper[0] allows access to bridged networking without privileges, and libvirt uses it automatically when it can. So now I have a working setup for multiple users to have production-quality virtual machines using qemu:///session, which has many benefits. (For one, you can limit user virtual machines with ulimits!) I'll probably write a blog post about this once I have explored it more. [0] http://wiki.qemu.org/Features-Done/HelperNetworking > Again, the third seems like the best way, but I'm not sure of how to > allow such VMs to be KVM-accelerated, and not sure if it's possible for > them to use anything other than usermode networking. > > Hopefully I'm missing some obvious way to do it! > > Thanks for any assistance! _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
