[elbe-devel] Start initvm on system boot as normal user

Lukasz Walewski lwalewski at s-can.at
Mon Mar 13 12:06:26 CET 2017


Hi,

I think I figured out what the problem was. My systemd configuration files were all OK; however, systemd could not run initvm under the configured UID (lwa in my case) because of the /dev/kvm file permissions: the device has permissions 660 and belongs to user root and group kvm, so other users do not have access to this device, and the startup script ended up with a "Permission denied" error. After adding the user designated to run initvm to the group kvm, all runs fine.

The fact that I could start initvm using systemd from the command line after logging in is explained by the fact that Linux adds an ACL for /dev/kvm upon login, which gives the logged-in user rw access to it. It can be verified by comparing the /dev/kvm ACL at boot time (e.g. by manipulating /lib/systemd/system/elbe.service) and after logging in:

at boot time (a snapshot from 'journalctl -u elbe.service' output after booting with manipulated startup script):

Mar 13 10:44:22 jessie getfacl[540]: # file: dev/kvm
Mar 13 10:44:22 jessie getfacl[540]: # owner: root
Mar 13 10:44:22 jessie getfacl[540]: # group: kvm
Mar 13 10:44:22 jessie getfacl[540]: user::rw-
Mar 13 10:44:22 jessie getfacl[540]: group::rw-
Mar 13 10:44:22 jessie getfacl[540]: other::---

and after logging in as 'lwa':

lwa at jessie:~$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:lwa:rw-
group::rw-
mask::rw-
other::---

(observe the second 'user:' entry in the latter, which is missing in the former output)

My concluding question: is it correct/safe/the right way to go (the Elbe way) to add the user configured as the one that is used to start the initvm to the 'kvm' group?

Best regards,
Lukasz



----------------------------------------

scan Messtechnik GmbH
Brigittagasse 22-24
A-1200 Wien/Vienna
tel. +43 1 219 73 93 - 0
fax +43 1 219 73 93 - 12
http://www.s-can.at
office at s-can.at

Geschaeftsfuehrer/President: DI Andreas Weingartner
Firmenbuchnummer/Incorporation No: FN178880i
Gerichtsstand/Court of Jurisdiction: Wien/Vienna

----------------------------------------

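The following is an added example, not code from the mail above or from the Elbe project. It parses getfacl output (either raw or with the journalctl prefix seen in the boot-time snapshot) and reports whether a user's rw access to the device comes from a per-user ACL entry, which logind adds only for a login session and which is absent at boot, or from the owning group, which persists across reboots. The two snapshots are the ones quoted in the mail; the group lists passed to the function are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the mail or of Elbe): classify HOW a user gets
# read/write access to a device node, based on getfacl output, so that a
# service meant to start at boot can be checked for access that survives
# a reboot.
#
# Result values printed by classify_access:
#   named-acl : a per-user entry such as "user:lwa:rw-" (added by logind at
#               login; absent at boot, so a boot-time unit cannot rely on it)
#   group     : rw via the owning group (e.g. membership in "kvm"; persistent)
#   owner     : the user owns the node and the owner entry is rw
#   none      : no rw access
#
# Args: USER  "GROUP GROUP ..."  GETFACL_OUTPUT
# A journalctl prefix ("... getfacl[540]: ") on the lines is stripped first.
classify_access() {
    ca_user=$1
    ca_groups=$2
    ca_facl=$(printf '%s\n' "$3" | sed 's/^.*getfacl\[[0-9]*\]: //')

    ca_owner=$(printf '%s\n' "$ca_facl" | sed -n 's/^# owner: //p')
    ca_group=$(printf '%s\n' "$ca_facl" | sed -n 's/^# group: //p')
    # Named entries and the owning group are limited by the mask, if one exists.
    ca_mask=$(printf '%s\n' "$ca_facl" | sed -n 's/^mask::\(.*\)$/\1/p')
    ca_mask_ok=1
    if [ -n "$ca_mask" ] && [ "$ca_mask" != "rw-" ]; then
        ca_mask_ok=0
    fi

    if [ "$ca_owner" = "$ca_user" ] &&
       printf '%s\n' "$ca_facl" | grep -q '^user::rw-'; then
        echo owner; return 0
    fi
    if [ "$ca_mask_ok" = 1 ] &&
       printf '%s\n' "$ca_facl" | grep -q "^user:$ca_user:rw-"; then
        echo named-acl; return 0
    fi
    for ca_g in $ca_groups; do
        if [ "$ca_g" = "$ca_group" ] && [ "$ca_mask_ok" = 1 ] &&
           printf '%s\n' "$ca_facl" | grep -q '^group::rw-'; then
            echo group; return 0
        fi
    done
    echo none
}

# Exit status 0 when access does not depend on a login session (owner or
# group), 1 otherwise. Run this with the service user's groups before
# trusting a boot-time unit to reach the device.
access_is_persistent() {
    case $(classify_access "$1" "$2" "$3") in
        owner|group) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample inputs, copied from the two getfacl snapshots quoted in the mail.
BOOT_FACL='Mar 13 10:44:22 jessie getfacl[540]: # file: dev/kvm
Mar 13 10:44:22 jessie getfacl[540]: # owner: root
Mar 13 10:44:22 jessie getfacl[540]: # group: kvm
Mar 13 10:44:22 jessie getfacl[540]: user::rw-
Mar 13 10:44:22 jessie getfacl[540]: group::rw-
Mar 13 10:44:22 jessie getfacl[540]: other::---'

LOGIN_FACL='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:lwa:rw-
group::rw-
mask::rw-
other::---'

# Constructed group lists: "lwa" before and "lwa kvm" after the fix from the mail.
printf 'lwa at boot, groups "lwa":      %s\n' "$(classify_access lwa "lwa" "$BOOT_FACL")"
printf 'lwa after login, groups "lwa":  %s\n' "$(classify_access lwa "lwa" "$LOGIN_FACL")"
printf 'lwa at boot, groups "lwa kvm":  %s\n' "$(classify_access lwa "lwa kvm" "$BOOT_FACL")"
```

The boot-time snapshot yields `none` for a user whose only group is its own and `group` once `kvm` is added, while the post-login snapshot yields `named-acl`; only the second of the three is a footing a systemd unit started at boot can rely on, which is the observation the mail makes.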

