public inbox for development@lists.ipfire.org
* [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier
@ 2016-06-10  9:36 Jonatan Schlag
  2016-06-10  9:36 ` [PATCH 2/2] Change the default qemu user and group of libvirt. Changes the libvirt user to nobody and the group to kvm; this is a bit safer than using root for both Jonatan Schlag
  2016-06-16  8:31 ` [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier Michael Tremer
  0 siblings, 2 replies; 3+ messages in thread
From: Jonatan Schlag @ 2016-06-10  9:36 UTC (permalink / raw)
  To: development

As a normal user, it is not possible to use qemu with KVM. This is bad
because it is better when it is possible to start the machine with a
less privileged user. To achieve this a group KVM is created and the
access to /dev/kvm is allowed for this group. So every user in this
group can use qemu with KVM.
This change is also useful for libvirt because the VMs can be started
with user nobody and group kvm.

Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
 config/qemu/65-kvm.rules       | 2 ++
 config/rootfiles/packages/qemu | 1 +
 lfs/qemu                       | 4 +++-
 src/paks/qemu/install.sh       | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 config/qemu/65-kvm.rules

diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules
new file mode 100644
index 0000000..569ded9
--- /dev/null
+++ b/config/qemu/65-kvm.rules
@@ -0,0 +1,2 @@
+KERNEL=="kvm", GROUP="kvm", MODE="0660"
+KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess", OPTIONS+="static_node=vhost-net"
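Review bot: The vhost-net rule on the second added line carries TAG+="uaccess" while the kvm rule above it is group-only, and the commit message describes only /dev/kvm. On systems where a login manager acts on the uaccess tag, that tag gives the active local session user access to the node regardless of kvm group membership, which bypasses the group-based gate this patch introduces. Suggest dropping TAG+="uaccess" so both nodes are governed by GROUP="kvm", MODE="0660" alone, and mentioning vhost-net in the commit message.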
diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu
index 482087b..3b3f361 100644
--- a/config/rootfiles/packages/qemu
+++ b/config/rootfiles/packages/qemu
@@ -1,3 +1,4 @@
+lib/udev/rules.d/65-kvm.rules
 usr/bin/qemu
 usr/bin/qemu-arm
 usr/bin/qemu-ga
diff --git a/lfs/qemu b/lfs/qemu
index 804ec26..c32953c 100644
--- a/lfs/qemu
+++ b/lfs/qemu
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = qemu
-PAK_VER    = 18
+PAK_VER    = 19
 
 DEPS       = "sdl spice"
 
@@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	paxctl -m -r /usr/bin/qemu-arm
 	paxctl -m -r /usr/bin/qemu-i386
 	paxctl -m -r /usr/bin/qemu-x86_64
+	# install an udev script to set the permissions of /dev/kvm
+	cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules
 
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
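Review bot: The added `cp -avf` line copies the rules file in archive mode, so the installed file inherits whatever owner and mode it has in the build tree; for a file that decides who may open /dev/kvm it is safer to state them, e.g. `install -v -m 644 -o root -g root`. The comment above it also calls the file a "udev script" and mentions only /dev/kvm, although it is a rules file that covers vhost-net as well.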
diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh
index a9f7321..9afe7f9 100644
--- a/src/paks/qemu/install.sh
+++ b/src/paks/qemu/install.sh
@@ -22,6 +22,8 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+create the group kvm when they not exist
+getent group kvm >/dev/null || groupadd kvm
 extract_files
 restore_backup ${NAME}
 echo shm	/dev/shm	tmpfs	defaults,size=256M	0	0 >> /etc/fstab
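Review bot: The added line `create the group kvm when they not exist` has no leading `#`, so the shell will try to run `create` as a command during installation; prefix it with `#`. The `groupadd kvm` below it allocates a regular group ID, where `groupadd -r kvm` would create a system group. In the lines shown nothing asks udev to re-apply its rules, so a /dev/kvm node that already exists keeps its old owner and mode until the device is re-added or the system reboots; consider `udevadm control --reload` followed by `udevadm trigger` after extract_files.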
-- 
2.1.4



* [PATCH 2/2] Change the default qemu user and group of libvirt. Changes the libvirt user to nobody and the group to kvm; this is a bit safer than using root for both.
  2016-06-10  9:36 [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier Jonatan Schlag
@ 2016-06-10  9:36 ` Jonatan Schlag
  2016-06-16  8:31 ` [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier Michael Tremer
  1 sibling, 0 replies; 3+ messages in thread
From: Jonatan Schlag @ 2016-06-10  9:36 UTC (permalink / raw)
  To: development

Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
 lfs/libvirt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/libvirt b/lfs/libvirt
index 3c7413f..5af28cb 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = libvirt
-PAK_VER    = 2
+PAK_VER    = 3
 
 DEPS       = "libpciaccess libyajl ncat qemu"
 
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 			--without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
 			--without-firewalld --without-network -with-interface --with-virtualport --with-macvtap \
 			--disable-nls --without-avahi --without-test-suite -without-dbus \
+			--with-qemu-user=nobody --with-qemu-group=kvm \
 			--with-storage-dir --without-storage-fs --without-storage-lvm  --without-storage-iscsi \
 			--without-storage-scsi --without-storage-mpath --without-storage-disk --without-storage-rbd --without-storage-sheepdog --without-storage-gluster  --without-storage-zfs
 	cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
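Review bot: `--with-qemu-user=nobody` on the added configure line puts every guest under an account that other unprivileged services commonly share, so any other process running as nobody could signal the qemu processes or read files they own. A dedicated account in group kvm, created in the package's install script the way the kvm group is in patch 1/2, would keep the privilege drop from root while isolating guests from unrelated services. Disk images and other guest files also have to be accessible to whichever account is chosen, which this patch does not address, and the rationale currently sits in the subject line instead of a commit body.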
-- 
2.1.4



* Re: [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier
  2016-06-10  9:36 [PATCH 1/2] Qemu: add a group kvm to access /dev/kvm easier Jonatan Schlag
  2016-06-10  9:36 ` [PATCH 2/2] Change the default qemu user and group of libvirt. Changes the libvirt user to nobody and the group to kvm; this is a bit safer than using root for both Jonatan Schlag
@ 2016-06-16  8:31 ` Michael Tremer
  1 sibling, 0 replies; 3+ messages in thread
From: Michael Tremer @ 2016-06-16  8:31 UTC (permalink / raw)
  To: development

On Fri, 2016-06-10 at 11:36 +0200, Jonatan Schlag wrote:
> As a normal user, it is not possible to use qemu with KVM. This is bad
> because it is better when it is possible to start the machine with a
> less privileged user. To achieve this a group KVM is created and the
> access to /dev/kvm is allowed for this group. So every user in this
> group can use qemu with KVM.
> This change is also useful for libvirt because the VMs can be started
> with user nobody and group kvm.
> 
> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> ---
>  config/qemu/65-kvm.rules       | 2 ++
>  config/rootfiles/packages/qemu | 1 +
>  lfs/qemu                       | 4 +++-
>  src/paks/qemu/install.sh       | 2 ++
>  4 files changed, 8 insertions(+), 1 deletion(-)
>  create mode 100644 config/qemu/65-kvm.rules
> 
> diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules
> new file mode 100644
> index 0000000..569ded9
> --- /dev/null
> +++ b/config/qemu/65-kvm.rules
> @@ -0,0 +1,2 @@
> +KERNEL=="kvm", GROUP="kvm", MODE="0660"
> +KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess",
> OPTIONS+="static_node=vhost-net"
> diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu
> index 482087b..3b3f361 100644
> --- a/config/rootfiles/packages/qemu
> +++ b/config/rootfiles/packages/qemu
> @@ -1,3 +1,4 @@
> +lib/udev/rules.d/65-kvm.rules
>  usr/bin/qemu
>  usr/bin/qemu-arm
>  usr/bin/qemu-ga
> diff --git a/lfs/qemu b/lfs/qemu
> index 804ec26..c32953c 100644
> --- a/lfs/qemu
> +++ b/lfs/qemu
> @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  SUP_ARCH   = i586 x86_64
>  PROG       = qemu
> -PAK_VER    = 18
> +PAK_VER    = 19
>  
>  DEPS       = "sdl spice"
>  
> @@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	paxctl -m -r /usr/bin/qemu-arm
>  	paxctl -m -r /usr/bin/qemu-i386
>  	paxctl -m -r /usr/bin/qemu-x86_64
> +	# install an udev script to set the permissions of /dev/kvm
> +	cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-
> kvm.rules
>  
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
> diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh
> index a9f7321..9afe7f9 100644
> --- a/src/paks/qemu/install.sh
> +++ b/src/paks/qemu/install.sh
> @@ -22,6 +22,8 @@
>  ############################################################################
>  #
>  . /opt/pakfire/lib/functions.sh
> +create the group kvm when they not exist

The line above should be a comment...

> +getent group kvm >/dev/null || groupadd kvm
>  extract_files
>  restore_backup ${NAME}
>  echo shm	/dev/shm	tmpfs	defaults,size=256M	0	
> 0 >> /etc/fstab
