Computernewb Wiki

UserVM Handbook: Difference between revisions

Page Discussion

UserVM Handbook (view source)

Revision as of 13:56, 2 November 2024

797 bytes added ,  2 November
update to add hardening to systemd + new cvmts updates
VisualWikitext
No edit summary
(update to add hardening to systemd + new cvmts updates)
qemuArgs = "qemu-system-x86_64 -M q35,usb=on,acpi=on,hpet=off -cpu host -accel whpx -m 2G -smp cores=2 -device usb-tablet -nic none -hda /srv/collabvm/images/vm1.qcow2"
</nowiki>}}
 
<!-- expansion on this is tbd -->
Additionally, it is possible to use [https://github.com/modeco80/lilyvm LilyVM] to help with building more complex VM configurations.
 
== Running your VM ==
 
[Service]
Restart=always
Type=simple
User=collabvm
Group=collabvm
 
Restart=always
RestartSec=5
 
# Make sure to change the following two lines according to where you put your server.
# If you have multiple VMs, youit's canpossible changeto WorkingDirectorymake toyour service file a differenttemplate directoryunit file (by making the file name, for eachexample, VM"[email protected]"), and leaveuse ExecStart%i thein same,WorkingDirectory
# to automatically set WorkingDirectory to a different directory for each VM, allowing you to use the same server for all your VMs.
WorkingDirectory=/srv/collabvm/collabvm-1.2.ts/
ExecStart=/bin/node /srv/collabvm/collabvm-1.2.ts/cvmts/dist/index.js
 
# Tell systemd that we manage our own cgroup hierarchy, and delegate
# all controllers that are either implicitly or explicitly enabled.
#
# This is used for resource limits (in your VM's config.toml).
# Can be omitted if you are not using it. (It's probably a good idea to however!)
Delegate=yes
 
# Hardening
PrivateTmp=yes
NoNewPrivileges=true
RestrictNamespaces=uts ipc pid user cgroup
 
ProtectKernelTunables=yes
ProtectKernelModules=yes
PrivateDevices=no
RestrictSUIDSGID=true
 
[Install]
Retrieved from "https://computernewb.com/wiki/Special:MobileDiff/4465"