virsh is the main command line tool to manage virtual guest domains on Linux. Several Linux distributions use polkit, a toolkit for handling unprivileged access to processes, to manage access to the libvirt virtualisation layer.
libvirt ships with a set of polkit actions defining operations that clients (example: virsh) can request from privileged processes (example: libvirtd). These action files are stored in /usr/share/polkit-1/actions and can be viewed with the pkaction command.
The polkit action we’re interested in is org.libvirt.unix.manage.
$ pkaction --verbose --action-id org.libvirt.unix.manage
org.libvirt.unix.manage:
  description:       Manage local virtualized systems
  message:           System policy prevents management of local virtualized systems
  vendor:
  vendor_url:
  icon:
  implicit any:      auth_admin_keep
  implicit inactive: auth_admin_keep
  implicit active:   auth_admin_keep
polkit can be configured to allow clients that belong to a particular unix group to run the org.libvirt.unix.manage action without authenticating as an administrator.
[libvirt Admin Access]
Identity=unix-group:virt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
Any invocations of this action are logged to /var/log/secure.
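To see how such a rule is evaluated before relying on it, here is an added Python script (not part of the original post or of polkit itself) that parses a .pkla file like the one above and reports the result polkit's local authority would return for a given user, group list, action and session state. It is a simplified model: Identity entries are `unix-user:` or `unix-group:` (with `*` as a wildcard), Action entries may use shell-style globs, the session-specific ResultActive/ResultInactive override ResultAny, and the last matching section wins. The sample file content is constructed to mirror the rule in the post.

```python
import configparser
import fnmatch
from dataclasses import dataclass

# Constructed sample, identical to the rule shown in the post. On a real
# system such a file lives under /etc/polkit-1/localauthority/ (assumption:
# the pklocalauthority backend is in use).
SAMPLE_PKLA = """\
[libvirt Admin Access]
Identity=unix-group:virt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""


@dataclass
class Rule:
    name: str
    identities: list
    actions: list
    result_any: str
    result_inactive: str
    result_active: str


def parse_pkla(text):
    """Parse .pkla text (INI syntax) into a list of Rule objects."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: polkit keys are CamelCase
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        s = cp[section]
        rules.append(Rule(
            name=section,
            identities=[i.strip() for i in s.get("Identity", "").split(";") if i.strip()],
            actions=[a.strip() for a in s.get("Action", "").split(";") if a.strip()],
            result_any=s.get("ResultAny", "").strip(),
            result_inactive=s.get("ResultInactive", "").strip(),
            result_active=s.get("ResultActive", "").strip(),
        ))
    return rules


def identity_matches(identity, user, groups):
    """Match one Identity entry against a user name and its group list."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name == "*" or name == user
    if kind == "unix-group":
        return name == "*" or name in groups
    return False


def evaluate(rules, user, groups, action, session="active"):
    """Return the result string ('yes', 'no', 'auth_admin', ...) of the last
    matching rule, or None when no rule matches. None means polkit falls back
    to the action's implicit authorization (auth_admin_keep for
    org.libvirt.unix.manage, per the pkaction output)."""
    result = None
    for rule in rules:
        if not any(identity_matches(i, user, groups) for i in rule.identities):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in rule.actions):
            continue
        specific = {"active": rule.result_active,
                    "inactive": rule.result_inactive}.get(session, "")
        result = specific or rule.result_any or result
    return result


if __name__ == "__main__":
    rules = parse_pkla(SAMPLE_PKLA)
    for user, groups in (("rene", ["rene", "virt"]), ("guest", ["guest"])):
        print(user, evaluate(rules, user, groups, "org.libvirt.unix.manage"))
```

A user who is not in the virt group gets None here, i.e. polkit's default auth_admin_keep still applies, which is the behaviour the rest of this post relies on when adding users to the group.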
Now we need to add users to the virt group.
# usermod -a -G virt rene
virsh can connect to remote hypervisors running libvirtd. To make virsh connect to the libvirtd running on the local server by default, we need to set the URI qemu:///system in the LIBVIRT_DEFAULT_URI environment variable.
if test -x "$(command -v virsh)"; then
    export LIBVIRT_DEFAULT_URI=qemu:///system
fi
Users within the virt group should now be able to run virsh commands without having to be root.