commit a102b900be9c616b1c6e89e4098b314f1089b0ac · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #37281 from xeji/qemu-nonroot

nixos/libvirtd: add option to run qemu as non-root

authored by xeji and committed by GitHub 7 years ago a102b900 20378cbf

+26

2 changed files

expand all

unified split

nixos

modules

misc

ids.nix

virtualisation

libvirtd.nix

nixos/modules/misc/ids.nix

··· 325 325 hydron = 298; 326 326 cfssl = 299; 327 327 cassandra = 300; 328 + qemu-libvirtd = 301; 328 329 329 330 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! 330 331 ··· 610 611 hydron = 298; 611 612 cfssl = 299; 612 613 cassandra = 300; 614 + qemu-libvirtd = 301; 613 615 614 616 # When adding a gid, make sure it doesn't match an existing 615 617 # uid. Users and groups with the same name should have equal

+24

nixos/modules/virtualisation/libvirtd.nix

··· 17 17 ${optionalString cfg.qemuOvmf '' 18 18 nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"] 19 19 ''} 20 + ${optionalString (!cfg.qemuRunAsRoot) '' 21 + user = "qemu-libvirtd" 22 + group = "qemu-libvirtd" 23 + ''} 20 24 ${cfg.qemuVerbatimConfig} 21 25 ''; 22 26 ··· 56 60 ''; 57 61 }; 58 62 63 + virtualisation.libvirtd.qemuRunAsRoot = mkOption { 64 + type = types.bool; 65 + default = true; 66 + description = '' 67 + If true, libvirtd runs qemu as root. 68 + If false, libvirtd runs qemu as unprivileged user qemu-libvirtd. 69 + Changing this option to false may cause file permission issues 70 + for existing guests. To fix these, manually change ownership 71 + of affected files in /var/lib/libvirt/qemu to qemu-libvirtd. 72 + ''; 73 + }; 74 + 59 75 virtualisation.libvirtd.qemuVerbatimConfig = mkOption { 60 76 type = types.lines; 61 77 default = '' ··· 109 125 boot.kernelModules = [ "tun" ]; 110 126 111 127 users.groups.libvirtd.gid = config.ids.gids.libvirtd; 128 + 129 + # libvirtd runs qemu as this user and group by default 130 + users.extraGroups.qemu-libvirtd.gid = config.ids.gids.qemu-libvirtd; 131 + users.extraUsers.qemu-libvirtd = { 132 + uid = config.ids.uids.qemu-libvirtd; 133 + isNormalUser = false; 134 + group = "qemu-libvirtd"; 135 + }; 112 136 113 137 systemd.packages = [ pkgs.libvirt ]; 114 138