Are root privileges really needed to run kvm?

Are root privileges really needed to run kvm?

[Dimitry Golubovsky]

Hi,

I am trying to find a way to run kvm (qemu_system) without sudo, at
user's privileges.

So far, I saw two things where root privileges were needed:

1. Adjusting RTC - can be done once
2. Access to /dev/kvm: I created a group named "vm", chowned /dev/kvm
to root.vm, and added the user to the vm group.

Now qemu_system does not complain and runs the virtual machine under
user's privileges. The qemu_system executable is not even suid-root  I
use kvm-17 with 2.6.21 kernel from ArchLinux distro.

Am I missing anything else root privileges might be needed for? There
was a discussion about qemu itself not capable to set up tun/tap (I
haven't tested the networking yet), but there was some solution
proposed to use the capabilities mechanism, or to pre-create the
tuntap device:

http://www.kidsquid.com/cgi-bin/moin.cgi/FrequentlyAskedQuestions
http://www.friedhoff.org/fscaps.html#Qemu

I intend running kvm for users that remotely login on the kvm host,
and ability to get rid of any sudo stuff would be much desired.

Thanks.

-- 
Dimitry Golubovsky

Anywhere on the Web

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Avi Kivity]

Dimitry Golubovsky wrote:
> Am I missing anything else root privileges might be needed for? 

I think you got it covered.

-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Anthony Liguori]

Avi Kivity wrote:
> Dimitry Golubovsky wrote:
>   
>> Am I missing anything else root privileges might be needed for? 
>>     
>
> I think you got it covered.
>   

One thing to consider is that if a userspace process can create KVM 
guests, they are capable of pinning large quantities of physical 
memory.  This could be used as a DoS attack so consider VM creation a 
privileged operation.

Regards,

Anthony Liguori


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Avi Kivity]

Anthony Liguori wrote:
> Avi Kivity wrote:
>> Dimitry Golubovsky wrote:
>>  
>>> Am I missing anything else root privileges might be needed for?     
>>
>> I think you got it covered.
>>   
>
> One thing to consider is that if a userspace process can create KVM 
> guests, they are capable of pinning large quantities of physical 
> memory.  This could be used as a DoS attack so consider VM creation a 
> privileged operation.
>

Good point.

This will go away when we merge the guest paging patch.  We will still 
pin 4MB per virtual machine for shadow page tables, but that, too, will 
go away when we move to a global limit on the number of shadow page 
tables (say 0.5-1% of total memory, configurable).


-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Dimitry Golubovsky]

Anthony,

On 6/13/07, Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org> wrote:

> One thing to consider is that if a userspace process can create KVM
> guests, they are capable of pinning large quantities of physical
> memory.  This could be used as a DoS attack so consider VM creation a
> privileged operation.

No, that's not what is intended. I was asking about possibility to run
KVM at users privileges after some necessary actions have been
completed, and tried to compile a list of such actions.

That is,

- adjust RTC (I just added this to the system startup script)
- create a tap
- add tap to the bridge (if bridging is used)/adjust iptables if no
bridging (another example in qemu wiki)
- open /dev/kvm (as it has been found, group membership is sufficient
if group can write to /dev/kvm)

After that, process privileges might be dropped to those of the user
who logged (ssh'd) in. Images of disk volumes and CDs may then be
assigned proper permissions, so users may be more flexible on what to
run, and regular Unix filesystem mechanisms will control access.

BTW if qemu_system_x86-64 runs at user privileges, can the memory
consumed be subject to whatever per-user limits that may be set
systemwide?

-- 
Dimitry Golubovsky

Anywhere on the Web

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Avi Kivity]

Dimitry Golubovsky wrote:
>
> BTW if qemu_system_x86-64 runs at user privileges, can the memory
> consumed be subject to whatever per-user limits that may be set
> systemwide?
>

That's the intent, but currently this isn't implemented.

-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Dimitry Golubovsky]

Avi,

On 6/13/07, Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:

> > BTW if qemu_system_x86-64 runs at user privileges, can the memory
> > consumed be subject to whatever per-user limits that may be set
> > systemwide?
> >
>
> That's the intent, but currently this isn't implemented.

So, expecting that eventually it will be, it seems to be worth
pursuing running kvm at users privileges at the moment memory is being
consumed. Such memory limit control will be easier to implement in
this case rather than if all instances of KVM ran at root.

-- 
Dimitry Golubovsky

Anywhere on the Web

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Avi Kivity]

Dimitry Golubovsky wrote:
> Avi,
>
> On 6/13/07, Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:
>
>> > BTW if qemu_system_x86-64 runs at user privileges, can the memory
>> > consumed be subject to whatever per-user limits that may be set
>> > systemwide?
>> >
>>
>> That's the intent, but currently this isn't implemented.
>
> So, expecting that eventually it will be, it seems to be worth
> pursuing running kvm at users privileges at the moment memory is being
> consumed. Such memory limit control will be easier to implement in
> this case rather than if all instances of KVM ran at root.
>

Sure.  Running kvm as a nonprivileged user is a supported and 
recommended way of working.  A virtual machine is subject to all user 
access restrictions except, at the moment, the memory locking limits.

[We could as a temporary measure check against RLIMIT_MEMLOCK, but this 
seems hardly worthwhile; better to fix the issue instead]

-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Dimitry Golubovsky]

Avi,

On 6/13/07, Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:

> > So, expecting that eventually it will be, it seems to be worth
> > pursuing running kvm at users privileges at the moment memory is being
> > consumed. Such memory limit control will be easier to implement in
> > this case rather than if all instances of KVM ran at root.
> >
>
> Sure.  Running kvm as a nonprivileged user is a supported and
> recommended way of working.  A virtual machine is subject to all user
> access restrictions except, at the moment, the memory locking limits.

I did not look at the details in sources: is dropping privileges
already there? All examples in the Wiki involve sudo.

Thanks.

-- 
Dimitry Golubovsky

Anywhere on the Web

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Avi Kivity]

Dimitry Golubovsky wrote:
> Avi,
>
> On 6/13/07, Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:
>
>> > So, expecting that eventually it will be, it seems to be worth
>> > pursuing running kvm at users privileges at the moment memory is being
>> > consumed. Such memory limit control will be easier to implement in
>> > this case rather than if all instances of KVM ran at root.
>> >
>>
>> Sure.  Running kvm as a nonprivileged user is a supported and
>> recommended way of working.  A virtual machine is subject to all user
>> access restrictions except, at the moment, the memory locking limits.
>
> I did not look at the details in sources: is dropping privileges
> already there? All examples in the Wiki involve sudo.
>

qemu does not drop privileges.    Simply start it as a normal user 
without sudo.


-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Re: Are root privileges really needed to run kvm?

[Anthony Liguori]

Dimitry Golubovsky wrote:
> Anthony,
>
> On 6/13/07, Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org> wrote:
>
>> One thing to consider is that if a userspace process can create KVM
>> guests, they are capable of pinning large quantities of physical
>> memory.  This could be used as a DoS attack so consider VM creation a
>> privileged operation.
>
> No, that's not what is intended. I was asking about possibility to run
> KVM at users privileges after some necessary actions have been
> completed, and tried to compile a list of such actions.
>
> That is,
>
> - adjust RTC (I just added this to the system startup script)

You can also just run guests with -no-rtc.

> - create a tap
> - add tap to the bridge (if bridging is used)/adjust iptables if no
> bridging (another example in qemu wiki)

You may want to look at VDE (http://vde.sf.net).  One of it's purposes 
was to allow non-privileged users to access bridges.

> - open /dev/kvm (as it has been found, group membership is sufficient
> if group can write to /dev/kvm)
>
> After that, process privileges might be dropped to those of the user
> who logged (ssh'd) in. Images of disk volumes and CDs may then be
> assigned proper permissions, so users may be more flexible on what to
> run, and regular Unix filesystem mechanisms will control access.

Yup.

> BTW if qemu_system_x86-64 runs at user privileges, can the memory
> consumed be subject to whatever per-user limits that may be set
> systemwide?

I don't think so although as Avi mentioned, this will be addressed when 
the overcommit patches are merged.

Regards,

Anthony Liguori


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/