[Pkg-libvirt-maintainers] Bug#764849: Bug#764849: libvirt-daemon-system: user libvirt-qemu vs. groups libvirt[-qemu]|kvm and VNC socket access

Guido Günther agx at sigxcpu.org
Sat Oct 11 16:27:16 UTC 2014


severity 764849 wishlist
thanks

On Sat, Oct 11, 2014 at 05:37:10PM +0200, Christoph Anton Mitterer wrote:
> Package: libvirt-daemon-system
> Version: 1.2.9-2
> Severity: normal
> 
> 
> Hi.
> 
> I just saw that https://bugzilla.redhat.com/show_bug.cgi?id=947020 was
> fixed this summer and that virt-manager should be able to open
> VNC (not SPICE though) connections to running QEMU VMs again over
> UNIX sockets, when
> vnc_auto_unix_socket = 1
> is set in /etc/libvirt/qemu.conf.
> 
> Now unfortunately this doesn't work in Debian (at least not out of the
> box), and one gets a permission error on the socket:
> /var/lib/libvirt/qemu/someVMimage.vnc
> 
> 
> The reason is quite clear, while my user belongs to the group libvirt
> so that I can open /var/run/libvirt/libvirt-sock and
> /var/run/libvirt/libvirt-sock-ro in order to connect to libvirtd, it
> doesn't belong to libvirt-qemu, which is the owner of that socket
> someVMimage.vnc (and the parent dir).
> 
> 
> 
> Now this is the actual issue here:
> Debian's libvirt packages create the following users:
> libvirt-qemu
> and groups:
> libvirt-qemu
> kvm
> 
> As far as I can see, it's nowhere documented on how they're intended
> to be used, with the exception of the libvirt group, which is briefly
> explained in libvirtd.conf
> 
> 
> 
> 
> So following points:
> 
> 1) Could you possibly explain/document, what the other users/groups
> are actually used for and for which purpose people may grant users
> membership to libvirt-qemu/kvm groups?
> 
> 
> 2) Is the kvm group still used?
> The only place I found it was /dev/kvm
> 
> 
> And most important here:
> 
> 
> 3) I see it's a good idea to have libvirt and libvirt-qemu, at least if
> intended as the following:
> - libvirt to allow users group membership to connect to the daemon
> - libvirt-qemu to make it own stuff (e.g. images) where the normal user
>   should have access to, even when belonging to libvirt
> 
> But in that case, shouldn't the sockets for VNC and monitor, i.e.
> /var/lib/libvirt/qemu/someVMimage.vnc
> /var/lib/libvirt/qemu/someVMimage.monitor
> be owned by libvirt instead of libvirt-qemu?
> And of course they'd need to access the parent dir (which is
> libvirt-qemu owned) as well.

Libvirt is for connections to the libvirt daemon. Libvirt-qemu is the
uid/gid qemu runs with. If you want to connect to a socket created by
qemu itself you need libvirt-qemu too.
 -- Guido
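
The permission failure discussed in this thread can be located component by component. The following is an added example, not part of either message and not libvirt or Debian code: it walks from / down to the socket and reports the first directory that denies search or the socket that denies write (which Linux requires for connect()) to a given user. It assumes plain mode bits only; the function names are hypothetical.

```python
import os, pwd, stat, sys

SEARCH, WRITE = 1, 2  # x bit on a directory, w bit on the socket itself

def class_bits(mode, o_uid, o_gid, uid, gids):
    """Permission bits of the single class (owner, group or other) that applies."""
    if uid == o_uid:
        return (mode >> 6) & 7
    if o_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_denial(chain, uid, gids):
    """chain: (path, mode, owner_uid, owner_gid) tuples from / down to the socket.
    Returns (path, "search" | "write") for the first blocking component, else None.
    Plain mode bits only: ACLs, capabilities and MAC policy are not modelled."""
    for i, (path, mode, o_uid, o_gid) in enumerate(chain):
        is_socket = i == len(chain) - 1
        need = WRITE if is_socket else SEARCH
        if not class_bits(mode, o_uid, o_gid, uid, gids) & need:
            return path, "write" if is_socket else "search"
    return None

def stat_chain(path):
    """Stat every component of path; run as root so the walk itself is not blocked."""
    chain, p = [], os.path.realpath(path)
    while True:
        st = os.stat(p)
        chain.append((p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if os.path.dirname(p) == p:
            return chain[::-1]
        p = os.path.dirname(p)

if __name__ == "__main__":
    # usage: check_sock.py /var/lib/libvirt/qemu/someVMimage.vnc USERNAME
    sock, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(first_denial(stat_chain(sock), pw.pw_uid, gids) or "no mode-bit denial")
```

Group membership applies to everything that group can reach, so before adding a user to libvirt-qemu, run the same check against the `.monitor` socket named in the report to see what else the change opens up.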


