[elbe-devel] Start initvm on system boot as normal user

Dr. Johann Pfefferl johann.pfefferl at siemens.com
Mon Mar 13 13:11:38 CET 2017


Hello again,

I have forgotten to mention that you have to adapt the port number under
which elbe is reachable by

elbe control --port=7588 --host=xxxyyyzz

because elbe normally uses port 7589 (correct?).

By the way I want to mention that I use gearman (http://gearman.org) in
front of ELBE as a job server. With this technique you can create a
cluster/cloud of ELBE builders distributed across a multitude of physical/virtual
machines. Even if you only have one ELBE instance, gearmand serializes
your build job requests. That's important because ELBE can only handle one running job
at a time.

Best regards, 
  Johann Pfefferl

Dr. Johann Pfefferl <johann.pfefferl at siemens.com> wrote:
> Hello Lukasz,
> 
> I run the ELBE virtual machine under libvirtd with frontend virt-manager
> to get rid of all these permission things. The startup, restart, shutdown of the
> virtual machine is then managed completely by libvirtd. With this
> approach you do not have a tmux running but instead you can use a normal
> ssh to get access to the build machine.
> 
> Best regards,
>    Johann Pfefferl
> 
> Lukasz Walewski <lwalewski at s-can.at> wrote:
> > Hi,
> > 
> > I think I figured out what the problem was. My systemd configuration files were all OK; however, systemd could not run initvm under the configured UID (lwa in my case) because of the /dev/kvm file permissions: the device has permissions 660 and belongs to user root and group kvm, so other users do not have access to this device, and the startup script ended up with a "Permission denied" error. After adding the user designated to run initvm to the group kvm, all runs fine.
> > 
> > The fact that I could start initvm using systemd from the command line after logging in is explained by the fact that Linux adds an ACL for /dev/kvm upon login, which gives rw access to it to the logged-in user. It can be verified by comparing /dev/kvm's ACL at boot time (e.g. by manipulating /lib/systemd/system/elbe.service) and after logging in:
> > 
> > at boot time (a snapshot from 'journalctl -u elbe.service' output after booting with manipulated startup script):
> > 
> > Mar 13 10:44:22 jessie getfacl[540]: # file: dev/kvm
> > Mar 13 10:44:22 jessie getfacl[540]: # owner: root
> > Mar 13 10:44:22 jessie getfacl[540]: # group: kvm
> > Mar 13 10:44:22 jessie getfacl[540]: user::rw-
> > Mar 13 10:44:22 jessie getfacl[540]: group::rw-
> > Mar 13 10:44:22 jessie getfacl[540]: other::---
> > 
> > and after logging in as 'lwa':
> > 
> > lwa@jessie:~$ getfacl /dev/kvm
> > getfacl: Removing leading '/' from absolute path names
> > # file: dev/kvm
> > # owner: root
> > # group: kvm
> > user::rw-
> > user:lwa:rw-
> > group::rw-
> > mask::rw-
> > other::---
> > 
> > (observe the second 'user:' entry in the latter, which is missing in the former output)
> > 
> > My concluding question: is it correct/safe/the right way to go (the Elbe way) to add the user configured as the one that is used to start the initvm to the 'kvm' group?
> > 
> > Best regards,
> > Lukasz
> > 
> > 
> > 
> > _______________________________________________
> > elbe-devel mailing list
> > elbe-devel at linutronix.de
> > https://lists.linutronix.de/mailman/listinfo/elbe-devel
> 
> -- 
> Siemens AG
> Corporate Technology
> Research & Technology Center
> CT RDA ITP SES-DE
> Otto-Hahn-Ring 6
> 81739 Muenchen, Germany
> mailto: johann.pfefferl at siemens.com
> phone: +49 89 636 634 021
> fax:   +49 89 636 33045
> _____________________________________________________
> SIEMENS AG: Vorsitzender des Aufsichtsrats: Gerhard Cromme
> Vorstand: Joe Kaeser, Vorsitzender
> Roland Busch, Klaus Helmrich, Hermann Requardt,
> Siegfried Russwurm, Michael Süß, Ralf P. Thomas
> Sitz der Gesellschaft: Berlin und München, Deutschland;
> Registergericht: Berlin Charlottenburg, HRB 12300, München, HRB 6684
> WEEE-Reg.-Nr. DE 23691322
> 

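The two getfacl listings quoted in the thread can be evaluated in POSIX ACL order (owner, named user, groups, other) to see which entry gives an account rw on /dev/kvm at boot versus after login. This is an added example, not code from the thread or from ELBE; the function names and the `login-acl` label are hypothetical, and the group list is passed in as an argument.

```shell
# Added example. Both samples are constructed from the getfacl output in the thread.
ACL_AT_BOOT='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
other::---'
ACL_AFTER_LOGIN='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:lwa:rw-
group::rw-
mask::rw-
other::---'
# has_rw PERM [MASK]: PERM grants rw and the mask, if present, keeps it.
has_rw() {
    case $1 in rw*) ;; *) return 1 ;; esac
    case ${2:-rw} in rw*) return 0 ;; *) return 1 ;; esac
}
# acl_perm ACL PREFIX: permission bits of the entry that starts with PREFIX.
acl_perm() { printf '%s\n' "$1" | sed -n "s/^$2\(...\).*/\1/p"; }
# kvm_access_path ACL USER "GROUP LIST" (hypothetical helper).
# Prints owner | login-acl | group | other | none.
kvm_access_path() {
    acl=$1 user=$2 groups=" $3 " in_group=0
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    group=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(acl_perm "$acl" 'mask::')
    if [ "$user" = "$owner" ]; then
        has_rw "$(acl_perm "$acl" 'user::')" && echo owner || echo none
        return 0
    fi
    perm=$(acl_perm "$acl" "user:$user:")   # entry seen only after login
    if [ -n "$perm" ]; then
        has_rw "$perm" "$mask" && echo login-acl || echo none
        return 0
    fi
    while IFS=: read -r tag qual perm; do   # owning group and named groups
        [ "$tag" = group ] || continue
        case $groups in *" ${qual:-$group} "*) in_group=1 ;; *) continue ;; esac
        if has_rw "$perm" "$mask"; then echo group; return 0; fi
    done <<EOF
$acl
EOF
    [ "$in_group" = 1 ] && { echo none; return 0; }
    has_rw "$(acl_perm "$acl" 'other::')" && echo other || echo none
}
```

On a live system the arguments would come from `getfacl /dev/kvm` and `id -nG <user>`; a result of `login-acl` means the access depends on the entry added at login and is not there when the service starts at boot.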