Today I learned the difference between qemu:///system and qemu:///session.

qemu:///system

- The system libvirtd instance, qemu:///system, launches the VMs as the unprivileged user qemu, and can grant a VM selective access to root-owned resources.
- Access to qemu:///system is mediated by polkit, and any user wanting to access it has to provide the root password.
- By default, users in the libvirt group have access to libvirtd (the group can be changed in the polkit config).
- VMs run as the default user qemu, and cannot access user files if the frontend application (virt-manager) is running as another user.

qemu:///session

- The user daemon, qemu:///session, is auto-launched if it is not already running; each user has their own, separate qemu:///session.
- Most privilege problems are related to networking use cases.
- The default networking mode is usermode networking (SLIRP), an IP stack in user space.
- Another option is bridged networking, through the setuid qemu-bridge-helper.
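The "libvirt group gets access" behaviour above is just a polkit rule, and polkit rules are written in JavaScript. The following is an added example, not code from the original post or from libvirt: the rule body is the kind of file a distribution drops into /etc/polkit-1/rules.d (the file name 50-libvirt.rules is assumed), while the small `polkit` object above it is a constructed stand-in for the rules API so the rule can be evaluated offline. On a real system polkitd supplies that object and takes the fallback result from libvirt's .policy file; the shim hard-codes the auth_admin fallback as its own assumption to mirror the "enter the root password" prompt the post describes.

```javascript
// Added example: a polkit rule granting libvirtd management access to the
// "libvirt" group, plus a tiny stand-in for the polkit rules API so the rule
// can be exercised offline. polkitd itself provides the real `polkit` object.

// --- constructed shim (assumption: not part of polkit; mirrors the rule API) ---
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // Like polkitd, evaluate rules in order; the first one returning a value wins.
  // The fallback models the shipped default for org.libvirt.unix.manage
  // (auth_admin_keep), i.e. the administrator-password prompt.
  evaluate(action, subject) {
    for (const rule of this.rules) {
      const result = rule(action, subject);
      if (result !== undefined) return result;
    }
    return this.Result.AUTH_ADMIN;
  },
};

// --- the rule as it would appear in /etc/polkit-1/rules.d/50-libvirt.rules ---
// Change the group name here to move qemu:///system access to another group.
polkit.addRule(function (action, subject) {
  if (action.id === "org.libvirt.unix.manage" && subject.isInGroup("libvirt")) {
    return polkit.Result.YES;
  }
});

// Decide what polkit would do for a user with the given groups asking for actionId.
function decide(actionId, groups) {
  const subject = { isInGroup: (g) => groups.includes(g) };
  return polkit.evaluate({ id: actionId }, subject);
}

// Members of the libvirt group connect to qemu:///system without a prompt;
// everyone else is asked to authenticate as an administrator.
console.log(decide("org.libvirt.unix.manage", ["wheel", "libvirt"])); // yes
console.log(decide("org.libvirt.unix.manage", ["users"]));            // auth_admin
```

Because polkit stops at the first rule that returns a result, a rule file that returns YES for the group must come before any later file that would return NO for the same action; rules.d files are read in lexical order, which is why distributions prefix them with numbers.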