Libvirt in session mode : run as group=libvirt & owner=qemu

Hello,

On my personal laptop, I would like to deactivate monolithic mode (Fedora 39) and reinforce the use of systemd, in order to secure my setup and permit easy non-root access.

I would like to share my approach (systemd v255), have it validated by someone more experienced than me, and get help resolving one last small problem.

Nota Bene - activate session mode:

  • session mode only has two unix sockets (no ro socket, unlike system mode)

Disable monolithic mode:

# list the libvirt units and the sockets they declare before touching anything
systemctl cat 'libvirt*' | grep -E --line-buffered "Socket|# /"
systemctl stop libvirtd.service
systemctl stop libvirtd{,-ro,-admin,-tcp,-tls}.socket
systemctl disable libvirtd.service
systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
# mask so that nothing can pull the monolithic daemon back in
systemctl mask libvirtd.service
systemctl mask libvirtd{,-ro,-admin,-tcp,-tls}.socket

Add relevant rights:

# give the qemu user a home directory, since the session-mode daemons keep their XDG state under $HOME
usermod -d /var/lib/libvirt/qemu qemu
# owned by qemu, group-writable for libvirt so a non-root member of that group can reach the sockets
install --group=libvirt --owner=qemu --mode=775 -d /var/lib/libvirt/qemu/{.cache,.local/share,.config} /run/libvirt/

Creation of service confs:

for drv in qemu interface network nodedev nwfilter secret storage log proxy lock
do
	# --full --force replaces the vendor unit outright instead of adding a drop-in
	SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d.service <<-gnark
		[Service]
		User=qemu
		Group=libvirt
		# the same idle timeout is passed to every driver daemon
		Environment=VIRTNETWORKD_ARGS="--timeout 120"
		ExecStart=/usr/sbin/virt${drv}d \$VIRTNETWORKD_ARGS

		# systemd keys are case-sensitive: "RunTimeDirectory" is ignored as an unknown key
		RuntimeDirectory=libvirt:user/$(id -u qemu)/
		RuntimeDirectoryMode=775
		RuntimeDirectoryPreserve=yes
	gnark
done

Creation of socket confs:

for drv in qemu interface network nodedev nwfilter secret storage log proxy lock
do
	SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d{,-admin}.socket <<-EOF
		[Socket]
		SocketUser=qemu
		SocketGroup=libvirt
		# only used if systemd has to create /run/libvirt itself; 0777 would make it world-writable
		DirectoryMode=0777
		SocketMode=0660
		# %N is the unit name without suffix: virtqemud-sock, virtqemud-admin-sock, ...
		ListenStream=/run/libvirt/%N-sock

		RemoveOnStop=yes
		Service=virt${drv}d.service
	EOF
done

This should not exist or be necessary, but I don't know how to easily ignore the system conf's Requires=virtqemud-ro.socket:

for drv in qemu interface network nodedev nwfilter secret storage
do
	SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d-ro.socket <<-EOF
		[Socket]
		#Before=virt${drv}d.service
		SocketUser=qemu
		SocketGroup=libvirt
		DirectoryMode=0777
		SocketMode=0660
		# same path as the vendor unit (virtqemud-sock-ro, not qemu-sock-ro)
		ListenStream=/run/libvirt/virt${drv}d-sock-ro

		RemoveOnStop=yes
		Service=virt${drv}d.service
	EOF
done

Activate services and sockets:

for drv in qemu interface network nodedev nwfilter secret storage  log proxy
do
	systemctl unmask virt${drv}d.service
	systemctl unmask virt${drv}d{,-admin}.socket
	systemctl enable virt${drv}d.service
	systemctl enable --now virt${drv}d{,-admin}.socket
done

RUN:

for drv in qemu interface network nodedev nwfilter secret storage
do
	systemctl start  virt${drv}d{-ro,-admin}.socket
done

But journalctl shows:

virtsecretd[1410]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtsecretd[1410]: hostname: mymachine.local.example.fr
virtsecretd[1410]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
virtinterfaced[1397]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtinterfaced[1397]: hostname: mymachine.local.example.fr
virtinterfaced[1397]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
virtnodedevd[1401]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnodedevd[1401]: hostname: mymachine.local.example.fr
virtnodedevd[1401]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
virtproxyd[1403]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtproxyd[1403]: hostname: mymachine.local.example.fr
virtproxyd[1403]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
virtnetworkd[1399]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnetworkd[1399]: hostname: mymachine.local.example.fr
virtnetworkd[1399]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
systemd[1]: virtsecretd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtsecretd.service: Failed with result 'exit-code'.
virtqemud[1406]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtqemud[1406]: hostname: mymachine.local.example.fr
virtqemud[1406]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
systemd[1]: virtinterfaced.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtinterfaced.service: Failed with result 'exit-code'.
virtnwfilterd[1402]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnwfilterd[1402]: hostname: mymachine.local.example.fr
virtnwfilterd[1402]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
systemd[1]: virtnetworkd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnetworkd.service: Failed with result 'exit-code'.
systemd[1]: virtnodedevd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnodedevd.service: Failed with result 'exit-code'.
systemd[1]: virtnwfilterd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnwfilterd.service: Failed with result 'exit-code'.
systemd[1]: virtproxyd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtproxyd.service: Failed with result 'exit-code'.
systemd[1]: virtqemud.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtqemud.service: Failed with result 'exit-code'.
virtstoraged[1411]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtstoraged[1411]: hostname: mymachine.local.example.fr
virtstoraged[1411]: erreur interne : Certains descripteurs de fichiers d’activation n’ont pas été réclamés
systemd[1]: virtstoraged.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtstoraged.service: Failed with result 'exit-code'.

ping mymachine.local.example.fr is ok

Thanks in advance for your help!
Best regards

1 Like
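Two checks for a setup of this kind, as an added example that is not part of the original post and not libvirt's or systemd's own tooling. lint_unit reads a unit file on stdin and flags the three things worth catching in generated units like the ones above: a directive spelled RunTimeDirectory (systemd keys are case-sensitive and unknown keys are ignored, so the real name is RuntimeDirectory), a world-writable SocketMode or DirectoryMode, and a ListenStream path that does not follow libvirt's /run/libvirt/virtXXXd-sock, -admin-sock and -sock-ro naming. journal_failures summarises which units systemd reported as exited and with what status, which makes the pattern in the journal above easy to read off: every daemon that was handed a -ro socket exited 6/NOTCONFIGURED, consistent with the note that session mode opens no read-only socket, so a socket systemd passes in is never claimed. The function names, the sample unit text and the journal lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): two text-only checks for a
# session-mode libvirt setup. They run without systemd or libvirt installed.

# lint_unit: report problems in a systemd unit file read from stdin, one per line.
lint_unit() {
    awk '
    # skip comments, blank lines and [Section] headers
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) { print "not a key=value line: " $0; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        # systemd keys are case-sensitive: RunTimeDirectory* is dropped as unknown
        if (key ~ /^RunTimeDirectory/)
            print "unknown key " key " (systemd expects Runtime" substr(key, 8) ")"
        # a trailing octal digit of 2, 3, 6 or 7 grants write access to everyone
        if (key ~ /^(SocketMode|DirectoryMode|RuntimeDirectoryMode)$/ && val ~ /[2367]$/)
            print "world-writable mode in " key "=" val
        # libvirt expects /run/libvirt/virtXXXd-sock, -admin-sock or -sock-ro
        if (key == "ListenStream" && val !~ /^\/run\/libvirt\/virt[a-z]+d(-sock|-admin-sock|-sock-ro)$/)
            print "unexpected socket path in ListenStream=" val
    }'
}

# journal_failures: from journalctl output on stdin, print "unit status" for
# every service systemd reported as exited, sorted and de-duplicated.
journal_failures() {
    awk '
    / Main process exited, code=exited, status=/ {
        unit = ""; status = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\.service:$/) unit = substr($i, 1, length($i) - 1)
            if ($i ~ /^status=/) status = substr($i, 8)
        }
        print unit, status
    }' | sort -u
}

# Constructed sample: a service unit with the spelling slip, and a socket unit
# with a world-writable directory mode and a non-libvirt socket path.
SAMPLE_SERVICE='[Service]
User=qemu
Group=libvirt
RunTimeDirectory=libvirt
RunTimeDirectoryMode=775
RuntimeDirectoryPreserve=yes'

SAMPLE_SOCKET='[Socket]
SocketUser=qemu
SocketGroup=libvirt
DirectoryMode=0777
SocketMode=0660
ListenStream=/run/libvirt/qemu-sock-ro'

# Constructed journal excerpt in the shape of the lines quoted in the post.
SAMPLE_JOURNAL='virtqemud[1406]: hostname: laptop.example
systemd[1]: virtsecretd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtsecretd.service: Failed with result exit-code.
systemd[1]: virtqemud.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtlogd.service: Main process exited, code=exited, status=6/NOTCONFIGURED'

printf '%s\n' "$SAMPLE_SERVICE" | lint_unit
printf '%s\n' "$SAMPLE_SOCKET" | lint_unit
printf '%s\n' "$SAMPLE_JOURNAL" | journal_failures
```

On a real host the same functions take `systemctl cat virtqemud.service | lint_unit` and `journalctl -u 'virt*' | journal_failures`; an empty result from lint_unit is the goal, and a clean lint with failures still listed points at the units systemd started rather than at the unit text.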

This is a useful approach and would also fix my issue.

Pushing this up.

Really interesting topic, I am highly curious about it

Added proposed-howto