# VMTUI
*a text user interface to control libvirt VMs on a per user basis.*
## libvirt polkit configuration
`VMTUI` is intended as a simple interface to allow unprivileged user accounts to control (i.e. (re)start, shutdown, install) their personal virtual machines.
To make use of this, libvirt must be configured to use polkit. The package provides a helper script `gen_libvirt_polkit_acl` that allows the generation of an ACL policy based on a yaml database.
The `libvirtd.conf` file must be modified [src](https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs) and `virtqemud.conf` as well:
`/etc/libvirt/libvirtd.conf` and `/etc/libvirt/virtqemud.conf`:
~~~conf
access_drivers = [ "polkit" ]
~~~
In this example, a user account must belong to the `adm_vmhost` group to get full priviliges.
User accounts with personal VMs must belong to the `user_vm` group.
`/etc/polkit-1/rules.d/100-libvirt-acl.rules`:
~~~javascript
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("adm_vmhost") ||
false // makes generation easier
) {
if (action.id == "org.libvirt.unix.manage" || action.id.startsWith("org.libvirt.api")) {
return polkit.Result.YES;
}
} else if ( subject.isInGroup("user_vm") ) {
if (action.id == "org.libvirt.unix.manage" || action.id.startsWith("org.libvirt.api.connect")) {
return polkit.Result.YES;
} else if (action.id.startsWith("org.libvirt.api.domain") && action.lookup("connect_driver")=="QEMU") {
var dom = action.lookup("domain_name");
if((subject.user == "alice" && dom == "rocky9-2") ||
(subject.user == "bob" && dom == "rocky9-3") || // these are the "entry types that must be read from a file, either to grant access to a user or a group
false // makes generation easier
) {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
} else if ( action.id.startsWith("org.libvirt.api.network") ) {
if ( action.id.endsWith("getattr") ||
action.id.endsWith("read") ||
action.id.endsWith("create")
) {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
}
}
}
return polkit.Result.NO;
}
);
~~~
> The example grants the user `alice` access to the domain `rocky9-2`, while `bob` is allowed to manage `rocky9-3`.
To simplify the generation of the polkit ACL use the `s` script and provide a `user_acl.yaml`:
~~~yaml
libvirt_acl:
admin_groups: # configure groups that have full access
- adm_vmhost
domains: # domain specific ACL
rocky9: # grant users alice and bob and members of the group mod_vmhost access to 'rocky9''
users:
- alice
- bob
groups:
- mod_vmhost
rocky9-2: # grant alice access to rocky9-2
users:
- alice
rocky9-3: # grant bob access to rocky9-3
users:
- bob
~~~
To generate the ACL (as root):
~~~bash
gen_libvirt_polkit_acl --acl /etc/libvirt_acl.yaml
~~~
It might be necessary to restart libvirt and polkit.
~~~bash
systemctl restart polkit # usually automatically reloads files
systemctl restart libvirtd
~~~
## SSH configuration for vmtui
You can limit ssh access to vmtui with the following configuration (limits members of the `user_vm` group to `vmtui`).
It is recommended to use a virtual environment (here `/opt/vmtui`).
`/etc/ssh/sshd_config.d/10-vmtui-conf`
~~~conf
Match Group user_vm
ForceCommand /opt/vmtui/bin/vmtui
~~~
Raw data
{
"_id": null,
"home_page": "https://github.com/cgruhl/vmtui",
"name": "vmtui",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "libvirt, KVM, VM",
"author": "Christian Gruhl",
"author_email": "cgruhl@uni-kassel.de",
"download_url": "https://files.pythonhosted.org/packages/eb/21/44d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1/vmtui-0.9.5.tar.gz",
"platform": null,
"description": "# VMTUI\n\n*a text user interface to control libvirt VMs on a per user basis.*\n\n## libvirt polkit configuration\n\n`VMTUI` is intended as a simple interface to allow unprivileged user accounts to control (i.e. (re)start, shutdown, install) their personal virtual machines.\nTo make use of this, libvirt must be configured to use polkit. The package provides a helper script `gen_libvirt_polkit_acl` that allows the generation of an ACL policy based on a yaml database.\n\nThe `libvirtd.conf` file must be modified [src](https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs) and `virtqemud.conf` as well:\n\n`/etc/libvirt/libvirtd.conf` and `/etc/libvirt/virtqemud.conf`:\n\n~~~conf\naccess_drivers = [ \"polkit\" ]\n~~~\n\nIn this example, a user account must belong to the `adm_vmhost` group to get full priviliges.\nUser accounts with personal VMs must belong to the `user_vm` group.\n\n`/etc/polkit-1/rules.d/100-libvirt-acl.rules`:\n\n~~~javascript\npolkit.addRule(function(action, subject) {\n if (\n subject.isInGroup(\"adm_vmhost\") ||\n\n false // makes generation easier\n ) {\n if (action.id == \"org.libvirt.unix.manage\" || action.id.startsWith(\"org.libvirt.api\")) {\n return polkit.Result.YES;\n }\n\n } else if ( subject.isInGroup(\"user_vm\") ) {\n if (action.id == \"org.libvirt.unix.manage\" || action.id.startsWith(\"org.libvirt.api.connect\")) {\n return polkit.Result.YES;\n } else if (action.id.startsWith(\"org.libvirt.api.domain\") && action.lookup(\"connect_driver\")==\"QEMU\") {\n var dom = action.lookup(\"domain_name\");\n if((subject.user == \"alice\" && dom == \"rocky9-2\") ||\n (subject.user == \"bob\" && dom == \"rocky9-3\") || // these are the \"entry types that must be read from a file, either to grant access to a user or a group\n false // makes generation easier\n ) {\n return polkit.Result.YES;\n } else {\n return polkit.Result.NO;\n }\n } else if ( action.id.startsWith(\"org.libvirt.api.network\") ) {\n if ( action.id.endsWith(\"getattr\") ||\n action.id.endsWith(\"read\") ||\n action.id.endsWith(\"create\")\n ) {\n return polkit.Result.YES;\n } else {\n return polkit.Result.NO;\n }\n }\n }\n return polkit.Result.NO;\n}\n);\n\n~~~\n\n> The example grants the user `alice` access to the domain `rocky9-2`, while `bob` is allowed to manage `rocky9-3`.\n\nTo simplify the generation of the polkit ACL use the `s` script and provide a `user_acl.yaml`:\n\n~~~yaml\nlibvirt_acl:\n admin_groups: # configure groups that have full access\n - adm_vmhost\n domains: # domain specific ACL\n rocky9: # grant users alice and bob and members of the group mod_vmhost access to 'rocky9''\n users:\n - alice\n - bob\n groups:\n - mod_vmhost\n rocky9-2: # grant alice access to rocky9-2 \n users:\n - alice\n rocky9-3: # grant bob access to rocky9-3\n users:\n - bob\n~~~\n\nTo generate the ACL (as root):\n\n~~~bash\ngen_libvirt_polkit_acl --acl /etc/libvirt_acl.yaml \n~~~\n\nIt might be necessary to restart libvirt and polkit.\n\n~~~bash\nsystemctl restart polkit # usually automatically reloads files\nsystemctl restart libvirtd\n~~~\n\n## SSH configuration for vmtui\n\nYou can limit ssh access to vmtui with the following configuration (limits members of the `user_vm` group to `vmtui`).\nIt is recommended to use a virtual environment (here `/opt/vmtui`).\n\n`/etc/ssh/sshd_config.d/10-vmtui-conf`\n\n~~~conf\nMatch Group user_vm\n ForceCommand /opt/vmtui/bin/vmtui\n~~~\n\n",
"bugtrack_url": null,
"license": null,
"summary": "A text user interface (TUI) to control virtual machines on a per user basis",
"version": "0.9.5",
"project_urls": {
"Homepage": "https://github.com/cgruhl/vmtui"
},
"split_keywords": [
"libvirt",
" kvm",
" vm"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "060e6ee6cae5eaa1bead38310e42260bee70836f3f97a57f6a00733287a265a3",
"md5": "8eb3c635bee6420d1629e6aa1eb2e351",
"sha256": "a49c31daa5250151f0d371a1846c3f2c96a543fd969cef9eef926e58dfe09fa7"
},
"downloads": -1,
"filename": "vmtui-0.9.5-py3-none-any.whl",
"has_sig": false,
"md5_digest": "8eb3c635bee6420d1629e6aa1eb2e351",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 11054,
"upload_time": "2024-09-27T13:38:36",
"upload_time_iso_8601": "2024-09-27T13:38:36.405369Z",
"url": "https://files.pythonhosted.org/packages/06/0e/6ee6cae5eaa1bead38310e42260bee70836f3f97a57f6a00733287a265a3/vmtui-0.9.5-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "eb2144d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1",
"md5": "7328ce7b73bfa322c1bf58021d4534cc",
"sha256": "e92d7dcb061f72ff7d63be7846b32afb6cec44834b53b6d80446e0b2493fb95e"
},
"downloads": -1,
"filename": "vmtui-0.9.5.tar.gz",
"has_sig": false,
"md5_digest": "7328ce7b73bfa322c1bf58021d4534cc",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 11743,
"upload_time": "2024-09-27T13:38:39",
"upload_time_iso_8601": "2024-09-27T13:38:39.983591Z",
"url": "https://files.pythonhosted.org/packages/eb/21/44d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1/vmtui-0.9.5.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-09-27 13:38:39",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "cgruhl",
"github_project": "vmtui",
"github_not_found": true,
"lcname": "vmtui"
}
JSON
