As a normal user, it is not possible to use qemu with KVM. This is undesirable, because it is better to be able to start the machine as a less privileged user. To achieve this, a group kvm is created and access to /dev/kvm is granted to this group, so every user in this group can use qemu with KVM. This change is also useful for libvirt, because the VMs can then be started with user nobody and group kvm.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- config/qemu/65-kvm.rules | 2 ++ config/rootfiles/packages/qemu | 1 + lfs/qemu | 4 +++- src/paks/qemu/install.sh | 2 ++ 4 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 config/qemu/65-kvm.rules
diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules
new file mode 100644
index 0000000..569ded9
--- /dev/null
+++ b/config/qemu/65-kvm.rules
@@ -0,0 +1,2 @@
+KERNEL=="kvm", GROUP="kvm", MODE="0660"
+KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess", OPTIONS+="static_node=vhost-net"
diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu
index 482087b..3b3f361 100644
--- a/config/rootfiles/packages/qemu
+++ b/config/rootfiles/packages/qemu
@@ -1,3 +1,4 @@
+lib/udev/rules.d/65-kvm.rules
 usr/bin/qemu
 usr/bin/qemu-arm
 usr/bin/qemu-ga
diff --git a/lfs/qemu b/lfs/qemu
index 804ec26..c32953c 100644
--- a/lfs/qemu
+++ b/lfs/qemu
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH = i586 x86_64
 PROG = qemu
-PAK_VER = 18
+PAK_VER = 19
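Review bot: In config/qemu/65-kvm.rules the vhost-net rule carries `TAG+="uaccess"`, which works against the group-only access the commit message describes. Where systemd-logind processes that tag, every user with an active local session gets an ACL on /dev/vhost-net regardless of kvm group membership; where logind is absent the tag does nothing. Either way it can be dropped, leaving `KERNEL=="vhost-net", GROUP="kvm", MODE="0660", OPTIONS+="static_node=vhost-net"`. A comment line above the two rules, stating that membership in kvm grants direct access to the KVM and vhost-net kernel interfaces, would also help whoever later adds users to the group.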
DEPS = "sdl spice"
@@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 paxctl -m -r /usr/bin/qemu-arm
 paxctl -m -r /usr/bin/qemu-i386
 paxctl -m -r /usr/bin/qemu-x86_64
+ # install an udev script to set the permissions of /dev/kvm
+ cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules
@rm -rf $(DIR_APP)
 @$(POSTBUILD)
diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh
index a9f7321..9afe7f9 100644
--- a/src/paks/qemu/install.sh
+++ b/src/paks/qemu/install.sh
@@ -22,6 +22,8 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+create the group kvm when they not exist
+getent group kvm >/dev/null || groupadd kvm
 extract_files
 restore_backup ${NAME}
 echo shm /dev/shm tmpfs defaults,size=256M 0 0 >> /etc/fstab
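Review bot: The added `cp -avf` in the lfs/qemu recipe carries over whatever owner and mode 65-kvm.rules has in the source tree, so the permissions of a file that udev reads as root depend on the checkout. Pinning the mode at install time is safer: `install -v -m 644 $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules`. The recipe starts and ends outside this hunk, so whether /lib/udev/rules.d is guaranteed to exist at this point cannot be seen from here.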
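Review bot: `groupadd kvm` in src/paks/qemu/install.sh creates an ordinary group with a GID from the regular user range, whereas a group that gates device nodes is normally a system group: `getent group kvm >/dev/null || groupadd -r kvm`. The new rules file also only takes effect when the devices are next added, so an already loaded kvm module presumably keeps its old /dev/kvm permissions until a reboot or module reload; running `udevadm control --reload-rules` and `udevadm trigger --sysname-match=kvm` after `extract_files` would apply it immediately. Whether the package's update path runs this script is not visible here; if it does not, systems upgrading from the previous package version never get the group.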
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- lfs/libvirt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lfs/libvirt b/lfs/libvirt
index 3c7413f..5af28cb 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH = i586 x86_64
 PROG = libvirt
-PAK_VER = 2
+PAK_VER = 3
DEPS = "libpciaccess libyajl ncat qemu"
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 --without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
 --without-firewalld --without-network -with-interface --with-virtualport --with-macvtap \
 --disable-nls --without-avahi --without-test-suite -without-dbus \
+ --with-qemu-user=nobody --with-qemu-group=kvm \
 --with-storage-dir --without-storage-fs --without-storage-lvm --without-storage-iscsi \
 --without-storage-scsi --without-storage-mpath --without-storage-disk --without-storage-rbd --without-storage-sheepdog --without-storage-gluster --without-storage-zfs
 cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
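Review bot: `--with-qemu-user=nobody` makes every guest run under an account that is commonly shared with unrelated services, so the QEMU processes and anything else running as nobody can signal one another, and disk images have to be made accessible to nobody as well. A dedicated unprivileged account keeps a compromised QEMU process confined to its own files: `--with-qemu-user=qemu --with-qemu-group=kvm \`, with the qemu user created in the package's install script in the same way the kvm group is created for the qemu package. All guests would still share one uid, so isolation between guests needs a separate mechanism. The configure invocation begins above this hunk.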
On Fri, 2016-06-10 at 11:36 +0200, Jonatan Schlag wrote:
As a normal user, it is not possible to use qemu with KVM. This is bad because it is better when it is possible to start the machine with a less privileged user. To achieve this a group KVM is created and the access to /dev/kvm is allowed for this group. So every user in this group can use qemu with KVM. This change is also useful for libvirt because the VMs can be started with user nobody and group kvm.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
config/qemu/65-kvm.rules | 2 ++ config/rootfiles/packages/qemu | 1 + lfs/qemu | 4 +++- src/paks/qemu/install.sh | 2 ++ 4 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 config/qemu/65-kvm.rules
diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules new file mode 100644 index 0000000..569ded9 --- /dev/null +++ b/config/qemu/65-kvm.rules @@ -0,0 +1,2 @@ +KERNEL=="kvm", GROUP="kvm", MODE="0660" +KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess", OPTIONS+="static_node=vhost-net" diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu index 482087b..3b3f361 100644 --- a/config/rootfiles/packages/qemu +++ b/config/rootfiles/packages/qemu @@ -1,3 +1,4 @@ +lib/udev/rules.d/65-kvm.rules usr/bin/qemu usr/bin/qemu-arm usr/bin/qemu-ga diff --git a/lfs/qemu b/lfs/qemu index 804ec26..c32953c 100644 --- a/lfs/qemu +++ b/lfs/qemu @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = qemu -PAK_VER = 18 +PAK_VER = 19 DEPS = "sdl spice" @@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) paxctl -m -r /usr/bin/qemu-arm paxctl -m -r /usr/bin/qemu-i386 paxctl -m -r /usr/bin/qemu-x86_64
- # install an udev script to set the permissions of /dev/kvm
- cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-
kvm.rules @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh index a9f7321..9afe7f9 100644 --- a/src/paks/qemu/install.sh +++ b/src/paks/qemu/install.sh @@ -22,6 +22,8 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh +create the group kvm when they not exist
The line above should be a comment...
+getent group kvm >/dev/null || groupadd kvm extract_files restore_backup ${NAME} echo shm /dev/shm tmpfs defaults,size=256M 0 0 >> /etc/fstab