Restrict users access to particular VM (libvirt)

kvm-virtualizationlibvirtvirshvirtualization

I have a linux host (SLES12) and bunch of VMs on up of it via libvirt (KVM hypervisor). I assigned one GPU per each VM, and would like to be able to restrict each users access to particular VMs (e.g. user 'A' can only restart VM 'Z' and 'Y' or can only connect to VM 'Y'). So, is there any way to do this type of user management via virsh or other tools?

Best Answer

It is possible to do this with libvirt's access control framework, using polkit rules

http://libvirt.org/aclpolkit.html

There is an example config in libvirt GIT tree:

http://libvirt.org/git/?p=libvirt.git;a=blob;f=examples/polkit/libvirt-acl.rules;hb=HEAD

This access control system applies all apps that connect to libvirtd (virsh, virt-manager, virt-install, etc)

Related Solutions

KVM+libvirt – Get List of DHCP Clients

This feature was requested a long time ago. Now libvirt supports it by providing two new commands: domifaddr and net-dhcp-leases

 Usage: domifaddr <domain> [interface] [--full] [--source lease|agent]

 Example outputs:
 virsh # domifaddr f20 --source agent
 Name       MAC address          Protocol     Address
 -------------------------------------------------------------------------------
 lo         00:00:00:00:00:00    ipv4         127.0.0.1/8
 -          -                    ipv6         ::1/128
 eth0       52:54:00:2e:45:ce    ipv4         10.1.33.188/24
 -          -                    ipv6         2001:db8:0:f101::2/64
 -          -                    ipv6         fe80::5054:ff:fe2e:45ce/64
 eth1       52:54:00:b1:70:19    ipv4         192.168.105.201/16
 -          -                    ipv4         192.168.201.195/16
 -          -                    ipv6         2001:db8:ca2:2:1::bd/128
 eth2       52:54:00:36:2a:e5    N/A          N/A
 eth3       52:54:00:20:70:3d    ipv4         192.168.105.240/16
 -          -                    ipv6         fe80::5054:ff:fe20:703d/64

 virsh # domifaddr f20 --full
 Name       MAC address          Protocol     Address
 -------------------------------------------------------------------------------
 vnet0      52:54:00:2e:45:ce    ipv6         2001:db8:0:f101::2/64
 vnet1      52:54:00:b1:70:19    ipv4         192.168.105.201/16
 vnet1      52:54:00:b1:70:19    ipv6         2001:db8:ca2:2:1::bd/128
 vnet3      52:54:00:20:70:3d    ipv4         192.168.105.240/16

 virsh # domifaddr f20 eth0 --source agent --full
 Name       MAC address          Protocol     Address
 -------------------------------------------------------------------------------
 eth0       52:54:00:2e:45:ce    ipv4         10.1.33.188/24
 eth0       52:54:00:2e:45:ce    ipv6         2001:db8:0:f101::2/128
 eth0       52:54:00:2e:45:ce    ipv6         fe80::5054:ff:fe2e:45ce/64

For eth0, ipv6 is managed by libvirt, but ipv4 is not.
For eth1, the second IP is created using ip aliasing.
For eth2, there is no IP configured as of yet.
For eth3, only ipv4 has been configured.
fd00::/8 are private ipv6 ranges. Hence not visible through --source lease

In a different scenario:

 Example Usage: net-dhcp-leases <network> [mac]

 virsh # net-dhcp-leases --network default6
 Expiry Time          MAC address        Protocol  IP address                Hostname        Client ID or DUID
 -------------------------------------------------------------------------------------------------------------------
 2014-06-16 03:40:14  52:54:00:85:90:e2  ipv4      192.168.150.231/24        fedora20-test   01:52:54:00:85:90:e2
 2014-06-16 03:40:17  52:54:00:85:90:e2  ipv6      2001:db8:ca2:2:1::c0/64   fedora20-test   00:04:b1:d8:86:42:e1:6a:aa:cf:d5:86:94:23:6f:94:04:cd
 2014-06-16 03:34:42  52:54:00:e8:73:eb  ipv4      192.168.150.181/24        ubuntu14-vm     -
 2014-06-16 03:34:46  52:54:00:e8:73:eb  ipv6      2001:db8:ca2:2:1::5b/64   -               00:01:00:01:1b:30:c6:aa:52:54:00:e8:73:eb

Virt-manager: unable to open a connection to the libvirt management daemon

I needed to install the openssh-askpass package.

Best Answer

Related Solutions

KVM+libvirt – Get List of DHCP Clients

Virt-manager: unable to open a connection to the libvirt management daemon

Related Topic