I need to have user access control over how they can use the Virtual machines and what they can do via Virsh on a KVM based hypervisor.
So far what I learned from http://wiki.libvirt.org is that I have to enable the unix socket permissions in /etc/libvirt/libvirtd.conf for the unix socket and create a new group called libvirtd and add users into that. That all went fine; however, with those users I can't see any virtual machines when I do virsh list --all
The documentation at libvirt.org also mentions using polkit and other techniques.
If someone could help me with any working example of either using the simple unix socket permission method or polkit or sudoer method or any other method.
I would like to have user permissions in such a way that a user from virsh can perform only limited tasks such as cant do virsh start but can't virsh destroy.
Best Answer
I had success with using PolicyKit on CentOS 6.5 using the libvirt wiki:
http://wiki.libvirt.org/page/SSHPolicyKitSetup
The missing step to getting it to work with virsh is to add the following to your .bash_profile (this is from this post):
This setup also allows pretty seamless usage from virt-manager on a remote computer.
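
For the per-command restriction the question asks about (start allowed, destroy refused), here is a sketch of a polkit rule for libvirt's polkit access driver. It is an added example, not part of the answer above or of the wiki page. It assumes a polkit version that reads JavaScript .rules files and `access_drivers = [ "polkit" ]` in libvirtd.conf; the group name `vmoperators` and the `sample` helper are hypothetical.

```javascript
// Added example, not from the original post. Install everything down to
// polkit.addRule(decide) as a .rules file under /etc/polkit-1/rules.d/.
var polkit = (typeof polkit !== "undefined") ? polkit : {  // shim so it runs in Node.js
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  addRule: function () {}
};

var GROUP = "vmoperators";                     // hypothetical group name
var ALLOWED = [
  "org.libvirt.api.connect.getattr",           // open the connection
  "org.libvirt.api.connect.search-domains",    // virsh list
  "org.libvirt.api.domain.getattr",            // see that a domain exists
  "org.libvirt.api.domain.read",               // read state and config
  "org.libvirt.api.domain.start"               // virsh start
];                                             // domain.stop (virsh destroy) is left out

function decide(action, subject) {
  // Users outside the group fall through to the system's other rules.
  if (!subject.isInGroup(GROUP)) return polkit.Result.NOT_HANDLED;
  // Let group members open the read-write socket without a password prompt.
  if (action.id === "org.libvirt.unix.manage") return polkit.Result.YES;
  if (action.id.indexOf("org.libvirt.api.") !== 0) return polkit.Result.NOT_HANDLED;
  // Per-API check: QEMU/KVM driver only, and only the listed permissions.
  var ok = action.lookup("connect_driver") === "QEMU" &&
           ALLOWED.indexOf(action.id) !== -1;
  return ok ? polkit.Result.YES : polkit.Result.NO;
}
polkit.addRule(decide);

// Test helper only (do not install): builds a constructed request for user
// "alice" in the shape polkitd passes to a rule, and returns the decision.
function sample(id, driver, groups) {
  return decide(
    { id: id, lookup: function (k) { return k === "connect_driver" ? driver : undefined; } },
    { user: "alice", isInGroup: function (g) { return groups.indexOf(g) !== -1; } });
}
```

Confirm the access driver is active before installing the rule: without it, `org.libvirt.unix.manage` alone gives group members full control of the hypervisor, and the per-API decisions are never consulted.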