I wanted to play a little bit with KVM on my Debian, and I installed the needed tools. The three groups showed up in the /etc/group
file: kvm
, libvirt
and libvirt-qemu
. What's the purpose of each of these groups?
For now I know that the libvirt
group allows a regular user (via policykit) to connect to the libvirtd daemon without asking for root password, and hence it allows to create/remove/configure/manage of virtual machines.
I also know, that the /dev/kvm
device has set the kvm
group. What can a user do when he has read/write permissions to this device? Should I add a regular user to this group? If so, why?
I don't really know what's the purpose of the libvirt-qemu
group. It looks like it's redundant, but many HowTos on the net suggest to add a regular user also to this group. Is this required?
Best Answer
See
/usr/share/doc/libvirt-daemon/README.Debian
: thelibvirt
group controls access to libvirt, through PolicyKit (as you determined), andlibvirt-qemu
is the user and group used to run system QEMU/KVM processes. You needn’t care about the latter, it’s an implementation detail, not a group end users need to be added to.Membership of the
kvm
group grants access to/dev/kvm
, which is necessary to run VMs using KVM. This is controlled usinguaccess
now, so the currently-active user on the console gets access automatically.libvirt-qemu
’s primary group iskvm
, which is how libvirt-managed VMs get access to KVM.