major.io words of wisdom from a systems engineer

Run virsh and access libvirt as a regular user

Libvirt is a handy way to manage containers and virtual machines on various systems. On most distributions, you can only access the libvirt daemon via the root user by default. I’d rather use a regular non-root user to access libvirt and limit that access via groups.

Modern Linux distributions use Polkit to limit access to the libvirt daemon. You can add an extra rule to the existing set of Polkit rules to allow regular users to access libvirtd. Here’s an example rule (in JavaScript) from the ArchWiki:

/* Allow users in the wheel group to manage the libvirt
daemon without authentication */
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

As shown on the ArchWiki, I saved this file as /etc/polkit-1/rules.d/49-org.libvirt.unix.manager.rules. I’m using the wheel group to govern access to the libvirt daemon, but you could use any group you choose. Just update the subject.isInGroup line in the rules file. You shouldn’t have to restart any daemons after adding the new rule file.
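To see which subjects a rule like this lets through before installing it, the following added example (not from the original post or the ArchWiki) runs a variant of the rule under Node.js against constructed subjects. The `polkit` stub, the dedicated `libvirt` group name, and the `makeSubject` and `evaluate` helpers are assumptions made for illustration.

```javascript
// Minimal stand-in for the polkit rules API (constructed for offline testing;
// the real object is provided by polkitd when it loads rules.d files).
const rules = [];
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  addRule: (fn) => rules.push(fn),
  log: (msg) => console.log("polkit.log: " + msg),
};

// --- Rule under test: only this part would go in the .rules file. ---
// Same check as the rule above, but with an assumed dedicated group
// ("libvirt") so that libvirt access is not tied to wheel membership.
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("libvirt")) {
    polkit.log("libvirt manage granted to " + subject.user);
    return polkit.Result.YES;
  }
  // No return value: polkit continues with later rules and the defaults.
});

// Build a constructed subject exposing the attributes the rule reads.
function makeSubject(user, groups) {
  return { user: user, groups: groups, isInGroup: (g) => groups.includes(g) };
}

// Mimic polkit's evaluation order: rules run in the order they were added,
// and the first one that returns a decision wins.
function evaluate(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result != null && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample subjects (not real accounts).
const member = makeSubject("major", ["major", "libvirt"]);
const wheelOnly = makeSubject("admin", ["admin", "wheel"]);
console.log(evaluate("org.libvirt.unix.manage", member));    // decision for a group member
console.log(evaluate("org.libvirt.unix.manage", wheelOnly)); // decision for a non-member
```

A result of `not_handled` means the rule made no decision, so the action's default policy applies to that subject.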

I’m now able to run virsh as my regular user:

[[email protected] ~]$ id
uid=1000(major) gid=1000(major) groups=1000(major),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]$ virsh list --all
 Id    Name                           State
----------------------------------------------------