[1/2] Qemu: add a group kvm to access /dev/kvm easier

Message ID 1465551408-1022-1-git-send-email-jonatan.schlag@ipfire.org
State Superseded
Message

Jonatan Schlag June 10, 2016, 7:36 p.m. UTC
  As a normal user, it is not possible to use qemu with KVM. This is bad
because it is better when it is possible to start the machine with a
less privileged user. To achieve this a group KVM is created and the
access to /dev/kvm is allowed for this group. So every user in this
group can use qemu with KVM.
This change is also useful for libvirt because the VMs can be started
with user nobody and group kvm.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
 config/qemu/65-kvm.rules       | 2 ++
 config/rootfiles/packages/qemu | 1 +
 lfs/qemu                       | 4 +++-
 src/paks/qemu/install.sh       | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 config/qemu/65-kvm.rules
  

Comments

Michael Tremer June 16, 2016, 6:31 p.m. UTC | #1
On Fri, 2016-06-10 at 11:36 +0200, Jonatan Schlag wrote:
> As a normal user, it is not possible to use qemu with KVM. This is bad
> because it is better when it is possible to start the machine with a
> less privileged user. To achieve this a group KVM is created and the
> access to /dev/kvm is allowed for this group. So every user in this
> group can use qemu with KVM.
> This change is also useful for libvirt because the VMs can be started
> with user nobody and group kvm.
> 
> Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
> ---
>  config/qemu/65-kvm.rules       | 2 ++
>  config/rootfiles/packages/qemu | 1 +
>  lfs/qemu                       | 4 +++-
>  src/paks/qemu/install.sh       | 2 ++
>  4 files changed, 8 insertions(+), 1 deletion(-)
>  create mode 100644 config/qemu/65-kvm.rules
> 
> diff --git a/config/qemu/65-kvm.rules b/config/qemu/65-kvm.rules
> new file mode 100644
> index 0000000..569ded9
> --- /dev/null
> +++ b/config/qemu/65-kvm.rules
> @@ -0,0 +1,2 @@
> +KERNEL=="kvm", GROUP="kvm", MODE="0660"
> +KERNEL=="vhost-net", GROUP="kvm", MODE="0660", TAG+="uaccess",
> OPTIONS+="static_node=vhost-net"
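
Review bot: The second rule, for vhost-net, adds TAG+="uaccess" on top of GROUP="kvm", and neither vhost-net nor that tag is mentioned in the commit message, which only describes group access to /dev/kvm. Where logind processes the uaccess tag, the user of the active local session gets an ACL on the node whether or not they are in the kvm group, which sidesteps the group gate this patch introduces. Suggest dropping TAG+="uaccess" so that kvm membership is the only way in, and adding a sentence about vhost-net to the commit message.
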
> diff --git a/config/rootfiles/packages/qemu b/config/rootfiles/packages/qemu
> index 482087b..3b3f361 100644
> --- a/config/rootfiles/packages/qemu
> +++ b/config/rootfiles/packages/qemu
> @@ -1,3 +1,4 @@
> +lib/udev/rules.d/65-kvm.rules
>  usr/bin/qemu
>  usr/bin/qemu-arm
>  usr/bin/qemu-ga
> diff --git a/lfs/qemu b/lfs/qemu
> index 804ec26..c32953c 100644
> --- a/lfs/qemu
> +++ b/lfs/qemu
> @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  SUP_ARCH   = i586 x86_64
>  PROG       = qemu
> -PAK_VER    = 18
> +PAK_VER    = 19
>  
>  DEPS       = "sdl spice"
>  
> @@ -95,6 +95,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	paxctl -m -r /usr/bin/qemu-arm
>  	paxctl -m -r /usr/bin/qemu-i386
>  	paxctl -m -r /usr/bin/qemu-x86_64
> +	# install an udev script to set the permissions of /dev/kvm
> +	cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-
> kvm.rules
>  
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)
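
Review bot: The comment added above the cp line calls 65-kvm.rules "an udev script to set the permissions of /dev/kvm", but the file is a udev rules file and it also sets group and mode on the vhost-net node. Suggest rewording it along the lines of "install udev rules for the kvm and vhost-net device nodes" so the comment matches what is installed.
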
> diff --git a/src/paks/qemu/install.sh b/src/paks/qemu/install.sh
> index a9f7321..9afe7f9 100644
> --- a/src/paks/qemu/install.sh
> +++ b/src/paks/qemu/install.sh
> @@ -22,6 +22,8 @@
>  ############################################################################
>  #
>  . /opt/pakfire/lib/functions.sh
> +create the group kvm when they not exist

The line above should be a comment...

> +getent group kvm >/dev/null || groupadd kvm
>  extract_files
>  restore_backup ${NAME}
>  echo shm	/dev/shm	tmpfs	defaults,size=256M	0	
> 0 >> /etc/fstab
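
Review bot: The first added line, "create the group kvm when they not exist", has no leading "#", so the shell will try to run "create" as a command on every install; it has to be a comment, as the reply above already points out. Two further points on the groupadd line: kvm is a service group, so "groupadd -r kvm" would allocate it from the system GID range instead of the regular user range, and nothing in the visible lines re-applies udev rules after extract_files, so an already existing /dev/kvm keeps its old owner and mode until the module is reloaded or the system reboots. Consider running "udevadm control --reload" followed by "udevadm trigger" once the files are extracted.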