nixos/libvirtd: add option to run qemu as non-root

New option virtualisation.libvirtd.qemuRunAsRoot (default: true). If false, qemu is run as non-privileged user qemu-libvirtd, reducing security risk
2018-03-18 00:22:53 +01:00 · 2018-03-18 00:22:53 +01:00 · 980505dc3b
parent 9c338630a9
commit 980505dc3b
2 changed files with 26 additions and 0 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -325,6 +325,7 @@
      hydron = 298;
      cfssl = 299;
      cassandra = 300;
+      qemu-libvirtd = 301;

      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

@ -610,6 +611,7 @@
      hydron = 298;
      cfssl = 299;
      cassandra = 300;
+      qemu-libvirtd = 301;

      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@ -17,6 +17,10 @@ let
    ${optionalString cfg.qemuOvmf ''
      nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"]
    ''}
+    ${optionalString (!cfg.qemuRunAsRoot) ''
+      user = "qemu-libvirtd"
+      group = "qemu-libvirtd"
+    ''}
    ${cfg.qemuVerbatimConfig}
  '';

@ -56,6 +60,18 @@ in {
      '';
    };

+    virtualisation.libvirtd.qemuRunAsRoot = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        If true,  libvirtd runs qemu as root.
+        If false, libvirtd runs qemu as unprivileged user qemu-libvirtd.
+        Changing this option to false may cause file permission issues
+        for existing guests. To fix these, manually change ownership
+        of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.
+      '';
+    };
+
    virtualisation.libvirtd.qemuVerbatimConfig = mkOption {
      type = types.lines;
      default = ''
@ -110,6 +126,14 @@ in {

    users.groups.libvirtd.gid = config.ids.gids.libvirtd;

+    # libvirtd runs qemu as this user and group by default
+    users.extraGroups.qemu-libvirtd.gid = config.ids.gids.qemu-libvirtd;
+    users.extraUsers.qemu-libvirtd = {
+      uid = config.ids.uids.qemu-libvirtd;
+      isNormalUser = false;
+      group = "qemu-libvirtd";
+    };
+
    systemd.packages = [ pkgs.libvirt ];

    systemd.services.libvirtd = {