[elbe-devel] Start initvm on system boot as normal user
Dr. Johann Pfefferl
johann.pfefferl at siemens.com
Mon Mar 13 12:56:25 CET 2017
Hello Lukasz,
I run the ELBE virtual machine under libvirtd with frontend virt-manager
to get rid of all these permission things. The startup, restart, shutdown of the
virtual machine is then managed completely by libvirtd. With this
approach you do not have a tmux running but instead you can use a normal
ssh to get access to the build machine.
Best regards,
Johann Pfefferl
Lukasz Walewski <lwalewski at s-can.at> wrote:
> Hi,
>
> I think I figured out what the problem was. My systemd configuration files were all OK, however systemd could not run initvm under the configured UID (lwa in my case) because of the /dev/kvm file permissions: the device has permissions 660 and belongs to user root and group kvm, so other users do not have access to this device, and the startup script ended up with a "Permission denied" error. After adding the user designated to run initvm to the group kvm all runs fine.
>
> The fact that I could start initvm using systemd from the command line after logging in is explained by the fact that Linux adds an ACL for /dev/kvm upon login, which gives the logged-in user rw access to it. It can be verified by comparing the ACL of /dev/kvm at boot time (e.g. by manipulating /lib/systemd/system/elbe.service) and after logging in:
>
> at boot time (a snapshot from 'journalctl -u elbe.service' output after booting with manipulated startup script):
>
> Mar 13 10:44:22 jessie getfacl[540]: # file: dev/kvm
> Mar 13 10:44:22 jessie getfacl[540]: # owner: root
> Mar 13 10:44:22 jessie getfacl[540]: # group: kvm
> Mar 13 10:44:22 jessie getfacl[540]: user::rw-
> Mar 13 10:44:22 jessie getfacl[540]: group::rw-
> Mar 13 10:44:22 jessie getfacl[540]: other::---
>
> and after logging in as 'lwa':
>
> lwa at jessie:~$ getfacl /dev/kvm
> getfacl: Removing leading '/' from absolute path names
> # file: dev/kvm
> # owner: root
> # group: kvm
> user::rw-
> user:lwa:rw-
> group::rw-
> mask::rw-
> other::---
>
> (observe the second 'user:' entry in the latter, which is missing in the former output)
>
> My concluding question: is it correct/safe/the right way to go (the Elbe way) to add the user configured as the one that is used to start the initvm to the 'kvm' group?
>
> Best regards,
> Lukasz
>
>
>
> ----------------------------------------
>
> scan Messtechnik GmbH
> Brigittagasse 22-24
> A-1200 Wien/Vienna
> tel. +43 1 219 73 93 - 0
> fax +43 1 219 73 93 - 12
> http://www.s-can.at
> office at s-can.at
>
> Geschaeftsfuehrer/President: DI Andreas Weingartner
> Firmenbuchnummer/Incorporation No: FN178880i
> Gerichtsstand/Court of Jurisdiction: Wien/Vienna
>
> ----------------------------------------
> _______________________________________________
> elbe-devel mailing list
> elbe-devel at linutronix.de
> https://lists.linutronix.de/mailman/listinfo/elbe-devel
--
Siemens AG
Corporate Technology
Research & Technology Center
CT RDA ITP SES-DE
Otto-Hahn-Ring 6
81739 Muenchen, Germany
mailto: johann.pfefferl at siemens.com
phone: +49 89 636 634 021
fax: +49 89 636 33045
_____________________________________________________
SIEMENS AG: Chairman of the Supervisory Board: Gerhard Cromme
Managing Board: Joe Kaeser, Chairman
Roland Busch, Klaus Helmrich, Hermann Requardt,
Siegfried Russwurm, Michael Süß, Ralf P. Thomas
Registered offices: Berlin and Munich, Germany;
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684
WEEE Reg. No. DE 23691322
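As an added illustration (not part of this thread and not ELBE code), the following Python script applies the access-check order documented in acl(5) to the two getfacl listings Lukasz quoted, copied inline so the script runs offline. It makes the difference between the two situations concrete: the extra user:lwa:rw- entry is a per-session ACL that systemd-logind attaches to uaccess-tagged devices such as /dev/kvm for the active local login and removes again afterwards, so a unit started at boot never sees it, whereas membership in the kvm group is evaluated through the static group::rw- entry and holds regardless of login state. The user and group names come from the thread; the check function is a reimplementation of the documented algorithm, not a call into libacl, and it ignores capabilities (root would bypass these checks via CAP_DAC_OVERRIDE).

```python
"""Apply the acl(5) access-check order to getfacl listings of /dev/kvm.

Added example for the elbe-devel thread; not ELBE code. The two listings are
copied from the quoted mail (journal prefix removed) so this runs offline.
"""

# /dev/kvm at boot time, before any user has logged in (quoted in the thread)
ACL_AT_BOOT = """\
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---
"""

# /dev/kvm after 'lwa' logged in: a session ACL entry plus a mask appeared
ACL_AFTER_LOGIN = """\
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:lwa:rw-
group::rw-
mask::rw-
other::---
"""


def parse_getfacl(text):
    """Parse getfacl's long text output into its ACL components."""
    acl = {"owner": None, "group": None, "user_obj": "---", "users": {},
           "group_obj": "---", "groups": {}, "mask": None, "other": "---"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line.startswith("#"):
            continue  # '# file:' and similar comment lines
        else:
            tag, qualifier, rest = line.split(":", 2)
            perms = rest.split("#")[0].strip()  # drop '#effective:' annotations
            if tag == "user":
                acl["users" if qualifier else "user_obj"] = (
                    {**acl["users"], qualifier: perms} if qualifier else perms)
            elif tag == "group":
                acl["groups" if qualifier else "group_obj"] = (
                    {**acl["groups"], qualifier: perms} if qualifier else perms)
            elif tag == "mask":
                acl["mask"] = perms
            elif tag == "other":
                acl["other"] = perms
    return acl


def _grants(perms, wanted):
    """True if every requested permission letter ('r', 'w', 'x') is present."""
    return all(ch in perms for ch in wanted)


def _effective(perms, mask):
    """Apply the mask: named users and all group entries are limited by it."""
    if mask is None:
        return perms
    return "".join(ch if ch in mask else "-" for ch in perms)


def check_access(acl, user, user_groups, wanted="rw"):
    """Return (allowed, reason) for user requesting 'wanted' on the object.

    Order follows acl(5): owner, named user, owning group, named groups, other.
    A group entry that matches but does not grant the request blocks the
    fall-through to the 'other' entry.
    """
    groups = set(user_groups)
    if user == acl["owner"]:
        return _grants(acl["user_obj"], wanted), "owner entry user::" + acl["user_obj"]
    if user in acl["users"]:
        eff = _effective(acl["users"][user], acl["mask"])
        return _grants(eff, wanted), "named user entry user:%s:%s" % (user, eff)
    matched_group = False
    if acl["group"] in groups:
        matched_group = True
        eff = _effective(acl["group_obj"], acl["mask"])
        if _grants(eff, wanted):
            return True, "owning group entry group::%s via group %s" % (eff, acl["group"])
    for name, perms in acl["groups"].items():
        if name in groups:
            matched_group = True
            eff = _effective(perms, acl["mask"])
            if _grants(eff, wanted):
                return True, "named group entry group:%s:%s" % (name, eff)
    if matched_group:
        return False, "matching group entries do not grant " + wanted
    return _grants(acl["other"], wanted), "other entry other::" + acl["other"]


if __name__ == "__main__":
    cases = [("at boot, lwa not in kvm", ACL_AT_BOOT, "lwa", ["lwa"]),
             ("at boot, lwa in kvm", ACL_AT_BOOT, "lwa", ["lwa", "kvm"]),
             ("after login, lwa not in kvm", ACL_AFTER_LOGIN, "lwa", ["lwa"]),
             ("after login, other user", ACL_AFTER_LOGIN, "bob", ["bob"])]
    for label, text, user, groups in cases:
        allowed, reason = check_access(parse_getfacl(text), user, groups)
        print("%-30s %-7s (%s)" % (label, "rw" if allowed else "denied", reason))
```

Running the script prints one verdict per case: only the group-membership route and the post-login session entry grant rw on the at-boot and after-login listings respectively. For a unit that must start before anyone logs in, the static group membership is the property to verify, for example with `id -nG <service user>` on the build host.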