guix-devel

Multiseat in Guix


From: Chris Marusich
Subject: Multiseat in Guix
Date: Sat, 19 Oct 2019 14:01:50 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi,

Guix does not seem to have multiseat support.  What would it take to add
it?  Is anyone on the list familiar with how multiseat is achieved in
other distros, such as Fedora?

Here is an example of a problem that happens because we don't have good
multiseat support:

When I launch virt-manager via "sudo -E virt-manager", I can connect a
USB device from the host to a running VM by clicking on the "Virtual
Machine > Redirect USB Device" menu entry.  However, if I launch
virt-manager normally (as the unprivileged user "marusich") and try
this, it fails due to insufficient permissions:

  spice-client-error-quark: Could not redirect [the device] at [the
  device's address]: Could not open usb device: Access denied
  (insufficient permissions) [-3] (0)

I can work around the issue without root privileges by giving myself
write permission on the device in question.  For example:

  sudo setfacl -m u:marusich:rw /dev/bus/usb/001/007

Alternatively, I could have just changed the file mode or ownership.

Here are the file mode, ownership, and ACLs after I did this:

  [0] marusich@garuda.local:~
  $ ls -l /dev/bus/usb/001/007
  crw-rw-r--+ 1 root root 189, 6 Oct 19 13:31 /dev/bus/usb/001/007
  [0] marusich@garuda.local:~
  $ getfacl /dev/bus/usb/001/007
  getfacl: Removing leading '/' from absolute path names
  # file: dev/bus/usb/001/007
  # owner: root
  # group: root
  user::rw-
  user:marusich:rw-
  group::rw-
  mask::rw-
  other::r--

My user is in these groups:

  $ id
  uid=1000(marusich) gid=998(users) groups=998(users),976(libvirt),977(tor),984(kvm),990(netdev),992(video),999(wheel),30001(plugdev)

I would like to be able to attach USB devices to VMs without running
virt-manager as root, and without manually granting access to device
files.  How can we achieve that in Guix?

Well, to do that we would need an automatic mechanism which grants
appropriate permissions on the relevant device nodes.  There are many
ways to accomplish that.  For example, Fedora automatically detects when
a device is connected to a user's seat (I'm not sure if that's the right
terminology) and grants them access (via ACLs, I believe).  Concretely,
Fedora accomplishes this by configuring systemd, udev rules, and perhaps
other parts of the system in specific ways.  This allows two different
users Alice and Bob to have access to their own hardware on their own
seats (e.g., in a shared computer lab situation), without allowing Alice
to access Bob's hardware on Bob's seat, or vice versa.  That's really
nice.  I'm not very familiar with all the mechanisms, but I think anyone
would want the result, which is called "multiseat":

  https://www.freedesktop.org/wiki/Software/systemd/multiseat/

For now, the immediate, coarse-grained, automatic solution for my
virt-manager problem is: I can add udev rules that will unconditionally
set the group of USB device nodes to a special group, maybe named "usb".
If I then add my user to the "usb" group, I will have access to all USB
devices without any extra effort.

However, this solution is too coarse-grained.  Alice and Bob would both
need to be in the "usb" group to access their own seat's devices, but
Alice will be able to access Bob's devices, and vice versa, which is not
good.  The multiseat solution seems nicer, but it seems complicated to
implement.  Since it seems to rely on systemd in some fashion, it may be
even more difficult to implement in Guix, as we only use extracted parts
of systemd (e.g., elogind).

What would it take to add multiseat support in Guix?

-- 
Chris

Attachment: signature.asc
Description: PGP signature

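The coarse-grained udev/group workaround described in the message above, written out as a Guix system configuration fragment. This is an added example, not code from the original message or from the Guix project; the rule file name "90-usb-group.rules", the group name "usb", and the user-account fields are assumptions chosen for illustration. It uses the `udev-rule` and `udev-rules-service` procedures from (gnu services base), which create the rule file and the system group for you.

```scheme
(use-modules (gnu)
             (gnu services base))   ; udev-rule, udev-rules-service

;; Hypothetical rule: every USB device node (the /dev/bus/usb/BBB/DDD files)
;; gets group "usb" and mode 0660 instead of the default root:root 0664.
;; ENV{DEVTYPE}=="usb_device" limits the match to devices, not interfaces.
(define %usb-group-udev-rule
  (udev-rule
   "90-usb-group.rules"
   (string-append
    "SUBSYSTEM==\"usb\", ENV{DEVTYPE}==\"usb_device\", "
    "GROUP=\"usb\", MODE=\"0660\"\n")))

(operating-system
  ;; ... host-name, bootloader, file-systems and other fields omitted ...

  ;; The unprivileged user must be in "usb" for the rule to help them.
  ;; Group list follows the `id` output in the message; "usb" is added.
  (users (cons (user-account
                (name "marusich")
                (group "users")
                (supplementary-groups
                 '("wheel" "kvm" "libvirt" "netdev" "video" "usb")))
               %base-user-accounts))

  ;; #:groups creates the "usb" system group alongside the rule, so the
  ;; GROUP= in the rule always resolves.
  (services (cons (udev-rules-service 'usb-group %usb-group-udev-rule
                                      #:groups '("usb"))
                  %desktop-services)))
```

After `guix system reconfigure`, replugging a device (or `sudo udevadm trigger --subsystem-match=usb`) should show the node as root:usb 0660 in `ls -l /dev/bus/usb/001/007`, and virt-manager's USB redirection will work without root or a manual setfacl. The caveat from the message applies unchanged: membership in "usb" grants write access to every USB device on the machine, regardless of which seat it is plugged into, so this is the single-user shortcut, not a multiseat solution.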
