
Thread: KVM/QEMU - how do I allow regular users to create / view VM

  1. #1

    KVM/QEMU - how do I allow regular users to create / view VM

    I've set a learning project for this weekend - setting up KVM with PCIe Passthrough. It would be awesome if I could set up a VM machine in a way regular users could see / access it, or even better if users that belong to certain group could browse VMs or add their own. How do I set it up?

  2. #2
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,188


    Take a peek at; https://doc.opensuse.org/documentati...t_color_en.pdf

    Under heading "10.2.1 “system” Access for Non-Privileged Users"

    It shows you how to configure per user or per group permissions to the libvirt interface - allowing non-root users to manipulate, for example, KVM virtual machines.
    .: miuku @ #opensuse @ irc.libera.chat

  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2


    Providing this advice should always be accompanied with the warning that this should <never> be done on a Production system, and only with great care in all other cases because it opens up a giant security hole in your network, granting <ordinary User accounts> permissions similar to root on a machine in your network.

    IMO this warning is so important that it should be in the docs.

    As I described in another thread elsewhere in these forums, if compromised a possible scenario could be a virtualized version of the infamous Belgian shipping incident reported by Bloomberg a couple years ago where criminals were able to deploy their own WiFi AP in the network of a major shipping conglomerate. The diff is that in that case, it's possible for someone to stumble on a physical device. Virtualized, you may have no way of detecting except if you inspected your system processes and threads.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  4. #4


    It's on the workstation in the (relatively small) workshop so I don't think it will be a big problem. VM won't make much sense to me if the users won't be able to launch those I've set and see those. That's crucial.
    It would be awesome (and that's what I've achieved thx to Miuku's link - added users to kvm, libvirt, qemu groups) if some of the other users will be able to create VMs of their own. But if that's a huge security problem I won't pressure for this. But if you could advise how it should be set up you'd rock!

  5. #5

    Originally posted by tsu2:
        permissions similar to root on a machine in your network.

    Not really any different than giving people sudo permissions which people do all the time.

  6. #6

    First, sudo can be sandboxed to a certain extent so it's not the same as root.
    And, using the same password for root and sudo is unique to openSUSE, if someone wanted to tighten up security, that's a good place to start particularly when you start granting the power to create machines with full access to the network... That's a significant security issue compared to granting sudo permissions on a machine with more "ordinary" apps on the machine.

    It should be common to create machines that Users can remote into (eg SSH), but it's another thing altogether to grant permissions to create, manage, start and restart virtual machines.
    Remember that it's not difficult to create machines that don't show up in the graphical management console (eg vm manager), and virtual machine files don't have to be in storage pools along with other machines.
    If any one of those ordinary User accounts were compromised and the intruder comes to understand that you granted the ability to create virtual machines, he could easily create machines you won't likely be able to detect unless you were supernaturally vigilant (or some pretty good IDS).

    TSU
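
An added example (not part of any post in this thread) of the check posts #3 and #6 point at: compare the QEMU processes visible under /proc with the domains libvirt reports, and list the ones libvirt does not account for. It assumes libvirt's `-name guest=NAME` command-line convention and `virsh list --name`; the function names and the sample rows are constructed for illustration.

```python
import os
import subprocess

QEMU_PREFIXES = ("qemu-system-", "qemu-kvm")

def guest_name(argv):
    """Value of QEMU's -name option: 'guest=NAME,...' or the older 'NAME,...'."""
    for opt, val in zip(argv, argv[1:]):
        if opt == "-name":
            fields = val.split(",")
            named = [f[6:] for f in fields if f.startswith("guest=")]
            return named[0] if named else fields[0]
    return None

def unaccounted_vms(processes, known_domains):
    """Return (pid, uid, name) for QEMU processes that no libvirt domain explains."""
    hits = []
    for pid, uid, argv in processes:
        if argv and os.path.basename(argv[0]).startswith(QEMU_PREFIXES):
            name = guest_name(argv)
            if name is None or name not in known_domains:
                hits.append((pid, uid, name))
    return hits

def live_processes():
    """Yield (pid, uid, argv) for every process readable under /proc."""
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")[:-1]
            yield int(entry), os.stat(f"/proc/{entry}").st_uid, argv
        except OSError:  # process exited or is not readable
            continue

def libvirt_domains(uri="qemu:///system"):
    """Names of running domains libvirt reports for one connection URI."""
    out = subprocess.run(["virsh", "-c", uri, "list", "--name"],
                         capture_output=True, text=True, check=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}

# Constructed sample: one libvirt-started guest, one direct QEMU run, one non-VM process.
SAMPLE = [
    (2101, 484, ["/usr/bin/qemu-system-x86_64", "-name", "guest=win10,debug-threads=on", "-m", "8192"]),
    (3377, 1001, ["qemu-system-x86_64", "-enable-kvm", "-m", "2048", "-hda", "disk.qcow2"]),
    (4410, 1001, ["/usr/bin/firefox"]),
]

if __name__ == "__main__":
    for pid, uid, name in unaccounted_vms(live_processes(), libvirt_domains()):
        print(f"pid={pid} uid={uid} name={name!r}: QEMU process not listed by libvirt")
```

Run it as root so every /proc entry is readable, and merge the result of `libvirt_domains()` for each connection URI in use (`qemu:///system` plus each user's `qemu:///session`) before comparing.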

  7. #7
    Join Date
    Sep 2012
    Posts
    7,106


    Originally posted by tsu2:
        granted the ability to create virtual machines

    Every user can use qemu to run VM. No special "ability" is needed, so there is nothing to "grant" here. Unless you restrict access to qemu binary, but I do not see any restrictions, even in paranoid permissions mode.

  8. #8

    Originally posted by arvidjaar:
        Every user can use qemu to run VM. No special "ability" is needed, so there is nothing to "grant" here. Unless you restrict access to qemu binary, but I do not see any restrictions, even in paranoid permissions mode.

    If it's true that running the QEMU binary does not require root permissions, then that is a development I wasn't aware of (it hasn't always been that way). Would be interesting to trace the permissions history (likely AppArmor but might also be simply the directory where the binary is located).

    TSU

  9. #9

    Originally posted by tsu2:
        If it's true that running the QEMU binary does not require root permissions

    I use it almost every day. I run all my VMs using direct QEMU invocation under my regular account.

  10. #10


    Does not?

    The way I have always started the Windows VM I have is through Virtual machine manager. This alone can be just started as normal user indeed, but in order to see the virtual machine(s) -and all virtual machine options such as storage, network...- one always needs to "connect" to the qemu server, and that always requires admin privileges!

    In other words, I always need to enter root privileges just to start a virtual machine through Virtual machine manager, which is why I'm fearful of, say, using Firefox -and on email- or IRC client while at same time VM running. I have only used Gedit and the terminal -*never* as root user- while VM running.

    Hope someone could illustrate me in this...
