action #121729

closed

coordination #121726: [epic] Get management access to o3/osd and other QE related VMs

[timeboxed:10h][research] Find out what libvirt can do to provide access only to a single VM for users/groups

Added by okurz over 1 year ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Start date: 2022-12-08
Due date:
% Done: 0%
Estimated time:
Actions #1

Updated by okurz 10 months ago

  • Status changed from New to In Progress
  • Assignee set to okurz
  • Target version changed from future to Ready

Picking this up in preparation for #132149

I researched on multiple pages including

All I found are a lot of different ways to support authenticating with libvirtd without needing user accounts or root on the hypervisor host, but nothing really about restricting access to individual machines. The best I could think of is allowing ssh logins of non-privileged users and then using a customized sudo config to only allow selected calls like "virsh console ariel".

Actions #2

Updated by okurz 10 months ago

  • Status changed from In Progress to Resolved

https://serverfault.com/questions/808172/how-to-create-a-environment-where-each-users-vm-is-isolated also explains that with PolicyKit this should generally be possible but I don't think we should ask Eng-Infra to do that for us as it looks like it's too complicated and low-level to be generally useful. ChatGPT supports that understanding. https://github.com/fxkr/virt-access is an unfinished showcase of that idea.
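For reference, an added example (not part of the ticket, and not code from libvirt or virt-access) of what the PolicyKit approach mentioned above looks like: a polkit rule that limits members of one group to a single domain. It assumes libvirtd runs with `access_drivers = [ "polkit" ]`; the group name, the rules file path and the list of permitted actions are assumptions to check against the installed `org.libvirt.api` policy.

```javascript
// Added example: rule for libvirt's "polkit" access driver.
// Assumed (not from the ticket): group "ariel-admins", install path
// /etc/polkit-1/rules.d/50-libvirt-ariel.rules, and the action lists below.
var VM_NAME = "ariel";          // VM named in the ticket
var VM_GROUP = "ariel-admins";  // hypothetical Unix group
var DRIVER = "QEMU";            // value libvirt reports as connect_driver

// Fallback so the decision logic can be exercised outside polkitd.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NO: "no", NOT_HANDLED: null };

// Connection-level permissions needed to connect and list domains.
var CONNECT_OK = ["getattr", "read", "search-domains"];
// Per-domain permissions: look up, inspect, console, power control.
var DOMAIN_OK = ["getattr", "read", "open-device", "start", "stop", "reset"];

function decide(action, subject) {
    var prefix = "org.libvirt.api.";
    // Only libvirt's fine-grained API checks are handled here.
    if (action.id.indexOf(prefix) !== 0) return Result.NOT_HANDLED;
    // Users outside the group are left to other rules and the defaults.
    if (!subject.isInGroup(VM_GROUP)) return Result.NOT_HANDLED;

    var parts = action.id.substring(prefix.length).split("."); // [object, permission]
    if (action.lookup("connect_driver") !== DRIVER) return Result.NO;
    if (parts[0] === "connect" && CONNECT_OK.indexOf(parts[1]) !== -1) {
        return Result.YES;
    }
    if (parts[0] === "domain" && DOMAIN_OK.indexOf(parts[1]) !== -1 &&
        action.lookup("domain_name") === VM_NAME) {
        return Result.YES;
    }
    // Default deny for group members: other VMs, networks, storage, deletion.
    return Result.NO;
}

// Inside polkitd the global "polkit" object exists and the rule is registered.
if (typeof polkit !== "undefined") polkit.addRule(decide);
```

Because group members get an explicit NO for everything not listed, the rule fails closed when an action name differs from the assumed list.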
