#1 2022-08-23 09:06:18

Deeznu1s
Member
Registered: 2022-08-23
Posts: 1

Isolated virtual machines for each user.

System Config : Ryzen 5, nvidia gpu, 16GB ram, msi b450 mobo, latest kernel with headers installed.
I am using kvm with virt-manager. I used this guide from linuxhint. Essentially, after configuring everything, I add my current user to the libvirt group using `sudo usermod -a -G libvirt $(whoami)`, thus I can access virt-manager and libvirtd without any sort of authentication.

Now, suppose I have 3 local users - A, B and C. Only user A has sudo privileges, and I've set up kvm from this user. I've set up a manjaro vm in user A, for testing purposes. Now, I add user B to the libvirt group too, so that I can easily use kvm there too. I then set up a Win10 vm in user B.

Now, the problem arises as I can see both the manjaro and win10 vm from both users, despite them originating from different users. I want to separate the manjaro vm to user A and the Win10 vm to user B only. How can I achieve this? I don't want both of them showing up at the same time. There are other users (e.g. user C) who are also in the libvirt group but I don't want to expose any info about my VMs to them. How can I separate and limit the VMs showing up to their respective users only?

Sorry if this is a bit messy. Please ask for any more info if needed. Any help or correction is appreciated :)

Last edited by Deeznu1s (2022-08-23 09:53:10)

#2 2022-08-26 16:28:07

aldyrius
Member
Registered: 2015-12-31
Posts: 39

Re: Isolated virtual machines for each user.

I think I understand your dilemma, but you may have to expand on what you mean by:

Deeznu1s wrote:

the problem arises as I can see both manjaro and win10 vm from both users, despite them originating from different users.

If you are "seeing" both VMs in the virt-manager GUI upon launching it as each user, there might be an issue with your libvirt configuration. In particular, that section's discussion of system-level vs. user-session administration seems applicable. For example (only theorizing) - instead of VM components getting installed in /var/lib/libvirt, maybe they should be getting installed under each user's home directory if what you intend is per-user VM creation/access.

But - without unleashing a full soapbox diatribe stemming from this school of thought - I'm generally opposed to "wrappers" and "manager" programs that try to be all things to all people, of which libvirt/virt-manager are probably valid examples. The article you posted is well-intentioned, but glosses over some things in a conflation of several concepts that need to be understood distinctly first (VirtualBox vs QEMU vs KVM vs libvirt, etc.). Put another way, the approach of "immediately jump to using libvirt and virt-manager because you want to start a couple of VMs" is what's hurting you here. Unless you really need this to scale and are already married to the idea of using libvirt/virt-manager moving forward, why not just run the VMs with a tiny Bash script running QEMU in each user's home directory?

Since your subject line was related to having isolated VMs and not using virt-manager specifically, hopefully this is of some assistance, though not a direct answer to your question.

Also, as an aside -- you aren't going to prevent "expos[ing] any info about my VMs" between users with access to the host system, without locking down the host system in ways beyond the scope of this subject. If all you want is for each GUI user to only see and interact with VMs they've created, let us know how it goes proceeding based on the wiki link above (and feel free to update it if you make discoveries that might help others with this same goal!) But as long as your host users can do basic things like run process listings with `ps`, they are going to be able to know that other users are running VMs, etc.

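The per-user QEMU script suggested in the reply above, written out as an added example (not code from either poster): each user keeps the disk image and the QMP control socket in a mode-0700 directory under their own home, so no shared libvirt group membership is involved. It assumes `qemu-system-x86_64` is installed and that the user is allowed to open `/dev/kvm`; `VM_ROOT` and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes qemu-system-x86_64 is installed and
# the user may open /dev/kvm. VM_ROOT, vm_prepare, vm_cmdline, vm_run are hypothetical names.
VM_ROOT="${VM_ROOT:-$HOME/vms}"

# Create a private directory for one VM. Mode 0700 keeps other local users
# away from the disk image and the QMP control socket stored inside it.
vm_prepare() {
    local name="$1" dir="$VM_ROOT/$1"
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) echo "bad VM name: $name" >&2; return 1 ;;
    esac
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 700 "$VM_ROOT" "$dir" || return 1
    printf '%s\n' "$dir"
}

# Print the QEMU argument list, one argument per line, so it can be reviewed.
# These arguments remain visible to other users in `ps`, as the reply points out.
vm_cmdline() {
    local name="$1" mem="${2:-4096}" dir="$VM_ROOT/$1"
    printf '%s\n' \
        qemu-system-x86_64 -enable-kvm -name "$name" -m "$mem" \
        -drive "file=$dir/disk.qcow2,if=virtio,format=qcow2" \
        -qmp "unix:$dir/qmp.sock,server=on,wait=off" \
        -display gtk
}

# Usage: vm.sh run <name> [memory-MiB]
vm_run() {
    local name="$1" mem="${2:-4096}" dir arg
    dir="$(vm_prepare "$name")" || return 1
    if [ ! -f "$dir/disk.qcow2" ]; then
        echo "no disk yet; create one with: qemu-img create -f qcow2 $dir/disk.qcow2 40G" >&2
        return 1
    fi
    set --    # rebuild the positional parameters from vm_cmdline's output
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(vm_cmdline "$name" "$mem")
EOF
    exec "$@"
}

if [ "${1:-}" = "run" ]; then shift; vm_run "$@"; fi
```

Run as each user separately, for example `./vm.sh run win10 8192` for user B; user C can then neither read the image nor connect to the control socket, though the process itself is still listed by `ps`.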
