[CentOS-virt] CentOS 6.2: Start and use guest as regular user under qemu-kvm?

Trey Dockendorf treydock at gmail.com
Sat Feb 11 12:36:35 EST 2012

On Sat, Feb 11, 2012 at 9:33 AM, David McGuffey
<davidmcguffey at verizon.net> wrote:
> Trying to set up a copy of CentOS 6.2 for home use and give each family
> member their own guest.
> Goal is to cripple the host so that no meaningful work can be done
> through it and each family member must use their own guest.
> "Gold Disk" masters would be kept of each guest, so if they screw it up,
> I can simply overwrite their current guest from the master.
> SELinux is enabled and sVirt separates each guest (I want to keep it
> that way).
> Default settings require a regular user to run the Virtual Machine
> Manager via sudo.  Once they do that, they can see (and access) any
> other family member's guest.  Would really like to avoid this.
> Have read several blurbs about getting qemu-kvm to run under a regular
> user, but not sure if the version provided with CentOS 6 is compiled
> with the options to allow that. When I follow the guidance to put users
> in the kvm group and change the ownership of key files, I fail.
> Appears to me that qemu-kvm with CentOS 6 is not set up (compliled) to
> run under a regular user.
> Say users are u1, u2, u3, and u4, and all are in the kvm group.
> What else do I need to do to allow them to start, suspend, and stop
> their own guest VM?
> Dave
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> http://lists.centos.org/mailman/listinfo/centos-virt

The access controls with libvirt are done using Policy Kit,
http://libvirt.org/auth.html.  However I don't think it's fine grained
enough to limit access per guest.

Maybe instead of giving each user access to their guest via the
management host, you give them access to the guest itself not the
host.  Something like XDMCP.  That will give them a desktop session on
the VM.  You can then lock down the virtual host and open up access to
only the guests.  I've used this setup before in situations when I
needed to see a desktop remotely...


- Trey

More information about the CentOS-virt mailing list