2

I need to have user access control over how they can use the Virtual machines and what they can do via Virsh on a KVM based hypervisor.

So far what I learned from http://wiki.libvirt.org is that I have to enable the unix socket permissions at /etc/libvirt/libvirtd.conf for the unix socket and create a new group called libvirtd and add users into that. So that went all fine, however, with those users I can't see any virtual machines when I do

virsh list --all

The documentation at libvirt.ogr also mentions using polkit and other techniques.

If someone could help me with any working example of either using simple unix socket permission method or polikit or sudoer method or any other method.

I would like have user permissions in such a way that a user from virsh can perform only limited tasks such as cant do virsh start but can't virsh destroy.

chandank
  • 847
  • 3
  • 14
  • 31

3 Answers3

1

I had success with using PolicyKit on CentOS 6.5 using the libvirt wiki:

http://wiki.libvirt.org/page/SSHPolicyKitSetup

The missing step to getting it to work with virsh: is to add the following to your .bash_profile:

if test -x `which virsh`; then
  export LIBVIRT_DEFAULT_URI=qemu:///system
fi

(this is from this post)

This setup also allows pretty seamless usage from virt-manager on a remote computer.

rockpenguin
  • 11
  • 1
0

For proper RBAC you will need a more sophisticated VM management platform than libvirt, which is there to control VM lifecycle, and little else really. Take a look at oVirt.org for a good example

dyasny
  • 18,802
  • 6
  • 49
  • 64
  • I found out that it will be possible with sudoers, however, not sure how to get variable arugument work. Cases like virsh start $vm-name. – chandank Mar 17 '13 at 18:47
0

Answering my own question. The easiest and simplest solution is sudoers. We can do lot of stuff with sudoers regular expressions. I simply added one sudoer rule.

Keep all the guest machines name in such a way that you could specify them using some kind of regex. In my case I kept all guest machines, those I want to be controller by non root users, starting with vmname-.

Below rule would allow non root users to start and get the console the vm and wont allow to destroy it.

Cmnd_Alias KVMCMD = /usr/bin/virsh list --all,/usr/bin/virsh start vmname*
Cmnd_Alias KVMBAD = virsh destroy vmname*

Hope this helps someone who is looking for similar solution.

chandank
  • 847
  • 3
  • 14
  • 31