[PATCH v2 1/2] Qemu: add a group kvm to access /dev/kvm eaiser

[PATCH v2 1/2] Qemu: add a group kvm to access /dev/kvm eaiser

[Jonatan Schlag]

[-- Attachment #1: Type: text/plain, Size: 2511 bytes --]

As a normal user, it is not possible to use qemu with KVM. This is bad
because it is better when it is possible to start the machine with a
less privileged user. To achieve this a group KVM is created and the
access to /dev/kvm is allowed for this group. So every user in this
group can use qemu with KVM.
This change is also useful for libvirt because the VMs can be started
with user nobody and group kvm.

Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
 config/qemu/65-kvm.rules       | 2 ++
 config/rootfiles/packages/qemu | 1 +
 lfs/qemu                       | 4 +++-
 src/paks/qemu/install.sh       | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 config/qemu/65-kvm.rules

diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules
new file mode 100644
index 0000000..569ded9
--- /dev/null
+++ b/config/qemu/65-kvm.rules
@@ -0,0 +1,2 @@
+KERNEL=="kvm", GROUP="kvm", MODE="0660"
+KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess", OPTIONS+="static_node=vhost-net"
diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu
index 482087b..3b3f361 100644
--- a/config/rootfiles/packages/qemu
+++ b/config/rootfiles/packages/qemu
@@ -1,3 +1,4 @@
+lib/udev/rules.d/65-kvm.rules
 usr/bin/qemu
 usr/bin/qemu-arm
 usr/bin/qemu-ga
diff --git a/lfs/qemu b/lfs/qemu
index 804ec26..c32953c 100644
--- a/lfs/qemu
+++ b/lfs/qemu
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = qemu
-PAK_VER    = 18
+PAK_VER    = 19
 
 DEPS       = "sdl spice"
 
@@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	paxctl -m -r /usr/bin/qemu-arm
 	paxctl -m -r /usr/bin/qemu-i386
 	paxctl -m -r /usr/bin/qemu-x86_64
+	# install an udev script to set the permissions of /dev/kvm
+	cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules
 
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh
index a9f7321..e44ba5e 100644
--- a/src/paks/qemu/install.sh
+++ b/src/paks/qemu/install.sh
@@ -22,6 +22,8 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+#create the group kvm when they not exist
+getent group kvm >/dev/null || groupadd kvm
 extract_files
 restore_backup ${NAME}
 echo shm	/dev/shm	tmpfs	defaults,size=256M	0	0 >> /etc/fstab
-- 
2.1.4

[PATCH v2 2/2] Change the default qemu user and group of libvirt

[Jonatan Schlag]

[-- Attachment #1: Type: text/plain, Size: 1303 bytes --]

Changes the libvirt user to nobody and the group to kvm this is a bit
safer as to use root for both.

Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
 lfs/libvirt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/libvirt b/lfs/libvirt
index 3c7413f..5af28cb 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = libvirt
-PAK_VER    = 2
+PAK_VER    = 3
 
 DEPS       = "libpciaccess libyajl ncat qemu"
 
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 			--without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
 			--without-firewalld --without-network -with-interface --with-virtualport --with-macvtap \
 			--disable-nls --without-avahi --without-test-suite -without-dbus \
+			--with-qemu-user=nobody --with-qemu-group=kvm \
 			--with-storage-dir --without-storage-fs --without-storage-lvm  --without-storage-iscsi \
 			--without-storage-scsi --without-storage-mpath --without-storage-disk --without-storage-rbd --without-storage-sheepdog --without-storage-gluster  --without-storage-zfs
 	cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
-- 
2.1.4