I want to know if it is possible to create a multi user environment using KVM libvirt
that is each user can create there own vm but that must not be accessible by others
saw this Multiuser use of virt-manager
seems like its not working
EDIT1: I want to set owners for each vm
Asked
Active
Viewed 1,678 times
5
4 Answers
4
Thanks to libvirt's PolicyKit support, I believe this can be done, based on how much features you require.
The rules can be created by you and accessed by PolicyKit ACLs as a database (file, server, etc.) to get the information about the owners. Also, if the PolicyKit rule has write access to the database, you can assign VMs to their respective owners when they get created, hence creating that database automatically. It might not be foolproof (e.g. when the VM definition fails the database will already have that record), so some more hooks might be necessary, based on how much functionality you are looking for. That's why there are projects building on top of libvirt (or just scripts deployed by admins) that can have more functionality.
If a simpler thing is enough for you, then you can say that users can call APIs only on VMs that start with their username. Just make sure corner cases are covered (e.g. user "bla" cannot access user's "blabla" machines).
As said, based on how much functionality you need, it can be either done easily, or with few lines of a script or you might need a full blown virtualisation system sitting on top of libvirt.
One more thing that nobody mentioned (and it might be what you want/are looking for). If you (as a non-root user) connect to qemu:///session (instead of system, see Connections to QEMU driver) you will connect to your own instance of libvirt daemon and you will only see your own machines (in other words, it will be isolated from other user's session daemons).
nert
- 143
- 4
-
-
Yes, of course there are some limitations. Unfortunately some of them cannot be worked around. So if you need to use any of the "privileged" features that are only available to root, then session is not for you, sorry. – nert Nov 09 '16 at 16:10
-
hey how to use a java script module in polkit?? should i use import or require – Dravigon Nov 09 '16 at 18:40
-
I'm not a polkit expert, so i don't know. But [polkit(8)](https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html) says that you can polkit.spawn(["command", "arguments"]), so that should help at least. – nert Nov 09 '16 at 20:57
2
Well, just like advertised in the article you link, libvirt does support PolicyKit on per API basis (we call it ACL). So if you set up some polkit rules, you should be able to get what you want. For instance, domain X would be visible just to user Y. Unfortunately, I don't think it's possible to make those rules dynamic (I mean, if an user creates a domain it will be visible just to them).
Michal Privoznik
- 21
- 1
-
Ok man i'll give it a try but polkit is java script based right so can i access a db using it i mean in the .rules – Dravigon Oct 12 '16 at 13:22
-
see the comments https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/ – Dravigon Oct 12 '16 at 13:28
-
-
0
Unless you want to write your own wrapper/management system, you simply need something more than just libvirt, to manage access and VM to user relationships. oVirt/RHV have that out of the box, even with a special user portal where a logged in user can only see the VMs that belong to him. I'm pretty sure other virtualization management systems also have this capability
dyasny
- 18,802
- 6
- 49
- 64
-
can't it be done with just libvirt or additional programming/configurations? – Dravigon Oct 11 '16 at 17:03
-
You can write your own front end, which will take care of user management and auth as well as keep a database of which VM belongs to whom, and give access only to the right VMs – dyasny Oct 11 '16 at 18:17
-
yeah i am trying to do that but users can easily hack their way into other users if they know ho to right?? – Dravigon Oct 12 '16 at 06:35
-
That would completely depend on how you implement it. I would just use an existing system – dyasny Oct 12 '16 at 14:12
-
see the comments in https://www.berrange.com/posts/2013/08/12/fine-grained-access-control-in-libvirt-using-polkit/ – Dravigon Oct 13 '16 at 13:39
-
-
0
This file as polkit rule
function myFunction(username, virtualmachine) {
var arr = virtualmachine.split("*");
if(arr[0]==username){
return true;
}
else{
return false;
}
}
// Allow passwordless connection to qemu:///system
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage")
{
return polkit.Result.YES;
}
});
// Give full access to 'vm'
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.libvirt.api.domain.") == 0 ) {
if (action.lookup("connect_driver") == 'QEMU' && myFunction(subject.user, action.lookup("domain_name"))) {
polkit.log("vm=" + action.lookup("domain_name") + "action =>"+myFunction(subject.user, action.lookup("domain_name")));
polkit.log("subject=" + subject);
polkit.log("ok");
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
}
});
here the vm in the format
username*vmname
this vm is only accessible for the corresponding user
PS this is only primitive rule that is you can't create a new pool or modify it ,etc., therefore furthure development of rule is required
Dravigon
- 81
- 9
2)fedora – Dravigon Oct 10 '16 at 16:00