Multiseat in Guix

Multiseat in Guix

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 3640 bytes --]

Hi,

Guix does not seem to have multiseat support.  What would it take to add
it?  Is anyone on the list familiar with how multiseat is achieved in
other distros, such as Fedora?

Here is an example of a problem that happens because we don't have good
multiseat support:

When I launch virt-manager via "sudo -E virt-manager", I can connect a
USB device from the host to a running VM by clicking on the "Virtual
Machine > Redirect USB Device" menu entry.  However, if I launch
virt-manager normally (as the unprivileged user "marusich") and try
this, it fails due to insufficient permissions:

  spice-client-error-quark: Could not redirect [the device] at [the
  device's address]: Could not open usb device: Access denied
  (insufficient permissions) [-3] (0)

I can work around the issue without root privileges by giving myself
write permission on the device in question.  For example:

  sudo setfacl -m u:marusich:rw /dev/bus/usb/001/007

Alternatively, I could have just changed the file mode or ownership.

Here are the file mode, ownership, and ACLs after I did this:

  [0] marusich@garuda.local:~
  $ ls -l /dev/bus/usb/001/007
  crw-rw-r--+ 1 root root 189, 6 Oct 19 13:31 /dev/bus/usb/001/007
  [0] marusich@garuda.local:~
  $ getfacl /dev/bus/usb/001/007
  getfacl: Removing leading '/' from absolute path names
  # file: dev/bus/usb/001/007
  # owner: root
  # group: root
  user::rw-
  user:marusich:rw-
  group::rw-
  mask::rw-
  other::r--

My user is in these groups:

  $ id
  uid=1000(marusich) gid=998(users) groups=998(users),976(libvirt),977(tor),984(kvm),990(netdev),992(video),999(wheel),30001(plugdev)

I would like to be able to attach USB devices to VMs without running
virt-manager as root, and without manually granting access to device
files.  How can we achieve that in Guix?

Well, to do that we would need an automatic mechanism which grants
appropriate permissions on the relevant device nodes.  There are many
ways to accomplish that.  For example, Fedora automatically detects when
a device is connected to a user's seat (I'm not sure if that's the right
terminology) and grants them access (via ACLs, I believe).  Concretely,
Fedora accomplishes this by configuring systemd, udev rules, and perhaps
other parts of the system in specific ways.  This allows two different
users Alice and Bob to have access to their own hardware on their own
seats (e.g., in a shared computer lab situation), without allowing Alice
to access Bob's hardware on Bob's seat, or vice versa.  That's really
nice.  I'm not very familiar with all the mechanisms, but I think anyone
would want the result, which is called "multiseat":

  https://www.freedesktop.org/wiki/Software/systemd/multiseat/

For now, the immediate, course-grained, automatic solution for my
virt-manager problem is: I can add udev rules that will unconditionally
set the group of USB device nodes to a special group, maybe named "usb".
If I then add my user to the "usb" group, I will have access to all USB
devices without any extra effort.

However, this solution is too course-grained.  Alice and Bob would both
need to be in the "usb" group to access their own seat's devices, but
Alice will be able to access Bob's devices, and vice versa, which is not
good.  The multiseat solution seems nicer, but it seems complicated to
implement.  Since it seems to rely on systemd in some fashion, it may be
even more difficult to implement in Guix, as we only use extracted parts
of systemd (e.g., elogind).

What would it take to add multiseat support in Guix?

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Multiseat in Guix

[Brendan Tildesley]

I don't know how to do this but I've always been fascinated by it, so I
just wanted to bump this and say that I think it's a really important
feature to get working (eventually), because for example schools can set
up a computer lab of 30 workstations using only 15 actual computers,
saving money and waste. I notice guix has a kmscons configuration for
the installer, but that project seems abandoned.

Re: Multiseat in Guix

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

Brendan Tildesley <mail@brendan.scot> writes:

> I don't know how to do this but I've always been fascinated by it, so I
> just wanted to bump this and say that I think it's a really important
> feature to get working (eventually), because for example schools can set
> up a computer lab of 30 workstations using only 15 actual computers,
> saving money and waste.

I'm in the same situation.  I know multiseat is a nice feature, but I
don't know much about how it's implemented.

If we have any multiseat gurus lurking on the list, and you've been
wondering how you can help Guix out...maybe this is your time to shine!

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]