[Pkg-libvirt-maintainers] Bug#764849: libvirt-daemon-system: user libvirt-qemu vs. groups libvirt[-qemu]|kvm and VNC socket access

Christoph Anton Mitterer calestyo at scientia.net
Sat Oct 11 15:37:10 UTC 2014


Package: libvirt-daemon-system
Version: 1.2.9-2
Severity: normal


Hi.

I just saw that https://bugzilla.redhat.com/show_bug.cgi?id=947020 was
fixed this summer and that virt-manager should be able to open
VNC (not SPICE though) connections to running QEMU VMs again over
UNIX sockets, when
vnc_auto_unix_socket = 1
is set in /etc/libvirt/qemu.conf.

Now unfortunately this doesn't work in Debian (at least not out of the
box), and one gets a permission error on the socket:
/var/lib/libvirt/qemu/someVMimage.vnc


The reason is quite clear: while my user belongs to the group libvirt
so that I can open /var/run/libvirt/libvirt-sock and
/var/run/libvirt/libvirt-sock-ro in order to connect to libvirtd, it
doesn't belong to libvirt-qemu, which is the owner of that socket
someVMimage.vnc (and the parent dir).



Now this is the actual issue here:
Debian's libvirt packages create the following users:
libvirt-qemu
and groups:
libvirt-qemu
kvm

As far as I can see, it's nowhere documented how they're intended
to be used, with the exception of the libvirt group, which is briefly
explained in libvirtd.conf.




So following points:

1) Could you possibly explain/document what the other users/groups
are actually used for and for which purpose people may grant users
membership to the libvirt-qemu/kvm groups?


2) Is the kvm group still used?
The only place I found it was /dev/kvm.


And most important here:


3) I see it's a good idea to have libvirt and libvirt-qemu, at least if
intended as the following:
- libvirt to allow users group membership to connect to the daemon
- libvirt-qemu to own the stuff (e.g. images) that the normal user
  should have access to, even when belonging to libvirt

But in that case, shouldn't the sockets for VNC and monitor, i.e.
/var/lib/libvirt/qemu/someVMimage.vnc
/var/lib/libvirt/qemu/someVMimage.monitor
be owned by libvirt instead of libvirt-qemu?
And of course they'd need to access the parent dir (which is
libvirt-qemu owned) as well.



Cheers,
Chris.
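Added example (not part of the report, nor libvirt's code): a small model of the POSIX permission walk that a connect() on the VNC UNIX socket has to pass, applied to the ownership described above, so the "parent dir as well" point can be checked. The modes (0750 on the directory, 0770 on the socket) and the user name "chris" are assumptions; the report names the owners but not the exact modes.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "owner group mode")
SOCK = "/var/lib/libvirt/qemu/someVMimage.vnc"

# Constructed model of what the report describes: socket and its parent
# directory owned by libvirt-qemu (modes are assumptions).
FS_AS_SHIPPED = {
    "/var/lib/libvirt/qemu": Entry("libvirt-qemu", "libvirt-qemu", 0o750),
    SOCK: Entry("libvirt-qemu", "libvirt-qemu", 0o770),
}
# Constructed model of the report's proposal: socket handed to group libvirt,
# and the parent directory made searchable for that group too.
FS_PROPOSED = {
    "/var/lib/libvirt/qemu": Entry("libvirt-qemu", "libvirt", 0o750),
    SOCK: Entry("libvirt-qemu", "libvirt", 0o770),
}

def _bits(entry, user, groups):
    """Pick the owner/group/other permission triplet that applies to `user`."""
    if entry.owner == user:
        return (entry.mode >> 6) & 7
    if entry.group in groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def can_connect(fs, path, user, groups):
    """connect() on a UNIX socket needs search ('x') on every directory on
    the way and write ('w') on the socket inode itself.
    Returns (ok, blocking_path). Components absent from `fs` (/, /var, ...)
    are assumed world-searchable."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        sub = "/" + "/".join(parts[:i])
        entry = fs.get(sub)
        if entry is None:
            continue
        need = 2 if sub == path else 1  # w on the socket, x on directories
        if not _bits(entry, user, groups) & need:
            return False, sub
    return True, None

if __name__ == "__main__":
    # A user in group libvirt (but not libvirt-qemu) is stopped at the parent dir.
    for name, fs in (("as shipped", FS_AS_SHIPPED), ("proposed", FS_PROPOSED)):
        print(name, can_connect(fs, SOCK, "chris", {"chris", "libvirt"}))
```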


