I’ve noticed that if I create and start a VM with Gnome Boxes, the /usr/bin/qemu-system-x86_64 process started by Gnome Boxes runs as “me”, the user. Equally, I can just type /usr/bin/qemu-system-x86_64 in a shell and it runs without any permission errors. But how? I thought that some requirement for sudo or membership of the group libvirt would be required to start a virtual machine. I thought maybe it’s a polkit thing and took a look inside /etc/polkit-1 but didn’t see anything. What feature/configuration makes running a VM as a normal user possible in Fedora?
QEMU relies on /dev/kvm for hardware virtualization:

```
> lsof /dev/kvm
COMMAND   PID  USER     FD  TYPE DEVICE SIZE/OFF NODE NAME
qemu-syst 7691 vgaetera 14u CHR  10,232 0t0      792  /dev/kvm
> ls -l /dev/kvm
crw-rw-rw-. 1 root kvm 10, 232 Jan 25 21:31 /dev/kvm
```

The necessary permissions are provided by systemd:
https://github.com/systemd/systemd/pull/5597

The libvirt group membership allows access to qemu:///system:
Thanks @vgaetera, for this very helpful information. The key information (for me at least) was in the post you shared; that was a real eye-opener:

> This means each user has their own qemu:///session VMs, separate from all other users. gnome-boxes and libguestfs use this by default.

So it’s because gnome-boxes chose to use qemu:///session that the VMs run as an unprivileged user.