Accessing libvirt as an unprivileged user

The virtual infrastructure provisioned by tripleo-quickstart is created using an unprivileged account (by default the stack user). This means that logging into your virthost as root and running virsh list will result in empty output, which can be confusing to someone not familiar with libvirt’s unprivileged mode.

Where are my guests?

The easiest way to interact with the unprivileged libvirt instance used by tripleo-quickstart is to log in as the stack user using the generated ssh key in your quickstart directory:

$ ssh -i $HOME/.quickstart/id_rsa_virt_host stack@virthost
[stack@virthost ~]$ virsh list
 Id    Name                           State
----------------------------------------------------
 2     undercloud                     running
 5     compute_0                      running
 6     control_0                      running

You can also log in to the virthost as root and then su - stack to access the unprivileged user account. While this won’t normally work “out of the box” because of this issue, the quickstart ensures that the XDG_RUNTIME_DIR variable is set correctly.

To console into the guests you’ll have to add -c qemu:///session. For example:

$ virsh -c qemu:///session console undercloud

To set the password for the undercloud and overcloud root user you can set the overcloud_full_root_pwd variable.

quickstart.sh <snip> -e overcloud_full_root_pwd=password <snip> virthost

Where are my networks?

While most libvirt operations can be performed as an unprivileged user, creating bridge devices requires root privileges. We create the networks used by the quickstart as root, so as root on your virthost you can run:

# virsh net-list

And see:

Name                 State      Autostart     Persistent
--------------------------------------------------------
default              active     yes           yes
external             active     yes           yes
overcloud            active     yes           yes

In order to expose these networks to the unprivileged stack user, we whitelist them in /etc/qemu/bridge.conf (this file is used by the qemu bridge helper to proxy unprivileged access to privileged operations):

# cat /etc/qemu-kvm/bridge.conf
allow virbr0
allow brext
allow brovc

The guests created by the stack user connect to these bridges by name; the relevant domain XML ends up looking something like:

[stack@virthost ~]$ virsh dumpxml undercloud | xmllint --xpath //interface -
<interface type="bridge">
  <mac address="00:12:b3:cf:2d:cb"/>
  <source bridge="brext"/>
  <target dev="tap0"/>
  <model type="virtio"/>
  <alias name="net0"/>
</interface>
<interface type="bridge">
  <mac address="00:12:b3:cf:2d:cd"/>
  <source bridge="brovc"/>
  <target dev="tap1"/>
  <model type="virtio"/>
  <alias name="net1"/>
</interface>

What if I want privileged mode instead?

Unprivileged mode is sometimes inconvenient, for example as a developer working as a single user on local hardware, it may be preferable to use privileged mode so that quickstart VMs can survive a host reboot and also so that it’s easier to access host tools such as virt-manager (which is particularly useful for diagnosing boot issues via the primary console).

To enable this mode you can select the following environment:

quickstart.sh -E config/environments/dev_privileged_libvirt.yml $VIRTHOST