store vmimages in /lmn/vm and mount media in /lmn/media

roles/lmn_mount/files/lmn-linkhome.sh

@@ -1,4 +1,4 @@
 if [[ "${UID}" -gt 60000 ]]; then
-  [[ -L "/media/${USER}/share" ]] || ln -s .default-school/share "/media/${USER}/share"
+  [[ -L "/lmn/media/${USER}/share" ]] || ln -s .default-school/share "/lmn/media/${USER}/share"
-  [[ -L "/media/${USER}/home" ]]  || ln -s ".default-school/${HOME##/srv/samba/schools/default-school/}" "/media/${USER}/home"
+  [[ -L "/lmn/media/${USER}/home" ]]  || ln -s ".default-school/${HOME##/srv/samba/schools/default-school/}" "/lmn/media/${USER}/home"
 fi

roles/lmn_mount/tasks/main.yml

@@ -26,15 +26,15 @@
         fstype="cifs"
         server="{{ smb_server }}"
         path="{{ smb_share }}"
-        mountpoint="/media/%(USER)/.default-school"
+        mountpoint="/lmn/media/%(USER)/.default-school"
         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl"
         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
       </volume>
       <volume
         fstype="davfs"
         path="https://nc.steinbeis.schule/remote.php/dav/files/%(USER)"
-        mountpoint="/media/%(USER)/nextcloud"
+        mountpoint="/lmn/media/%(USER)/nextcloud"
-        options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,file_mode=0770,dir_mode=0770"
+        options="username=%(USER),nosuid,nodev,uid=%(USER),gid=1010,grpid,file_mode=0770,dir_mode=0770,forceuid,forcegid"
         ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
       </volume>
     insertafter: "<!-- Volume definitions -->"
@@ -78,12 +78,20 @@
     line: KillUserProcesses=yes
     insertafter: '#KillUserProcesses=no'
 
-- name: Deploy script to generate links in /media/$USER/
+- name: Deploy script to generate links in /lmn/media/$USER/
   copy:
     src: lmn-linkhome.sh
     dest: /etc/profile.d/
     mode: '0644'
 
+- name: Bind mount lmn/media with nosuid directory
+  ansible.posix.mount:
+    src: /lmn/media
+    path: /lmn/nosuidmedia
+    opts: nosuid,bind
+    state: present
+    fstype: none
+
 - name: Mount NFSv4 home directory
   ansible.posix.mount:
     src: server:/default-school

roles/lmn_vm/files/create-clone.sh

@@ -11,19 +11,19 @@ if [[ $# -ne 1 ]]; then
 fi
 
 # change to image-directory
-cd /var/lib/libvirt/images
+cd /lmn/vm
 
 VM_NAME=$1
-VM_DIR="/tmp/${UID}/vmimages"
+VM_DIR="/tmp/${UID}/vm"
-VM_XML="${VM_DIR}/xml/${VM_NAME}-clone.xml"
+VM_XML="${VM_DIR}/${VM_NAME}-clone.xml"
 
-if ! [[ -f "xml/${VM_NAME}.xml" && -f "${VM_NAME}.qcow2" ]] && ! [[ -f "${VM_DIR}/xml/${VM_NAME}.xml" && -f "${VM_DIR}/${VM_NAME}.qcow2" ]]; then
+if ! [[ -f "${VM_NAME}.xml" && -f "${VM_NAME}.qcow2" ]] && ! [[ -f "${VM_DIR}/${VM_NAME}.xml" && -f "${VM_DIR}/${VM_NAME}.qcow2" ]]; then
     echo "xml or qcow2 File does not exists." >&2
     exit 1
 fi
 
 # Create User-VM-Dir and link system VM-Images
-[[ -d "${VM_DIR}/xml" ]] || mkdir -p "${VM_DIR}/xml"
+[[ -d "${VM_DIR}" ]] || mkdir -p "${VM_DIR}"
 sudo /usr/local/bin/link-images.sh
 
 # Create backing file
@@ -31,7 +31,7 @@ cd "${VM_DIR}"
 qemu-img create -f qcow2 -F qcow2 -b "${VM_NAME}.qcow2" "${VM_NAME}-clone.qcow2"
 
 # Create machine-definition-file
-cp "${VM_DIR}/xml/${VM_NAME}.xml" "${VM_XML}"
+cp "${VM_DIR}/${VM_NAME}.xml" "${VM_XML}"
 
 # set VM_DIR:
 sed -i "s:VMIMAGEDIR:${VM_DIR}:" "${VM_XML}"

roles/lmn_vm/files/linbo-torrent

@@ -30,4 +30,4 @@ MAXUP=""
 TIMEOUT="300"
 
 # user to run ctorrent (server only)
-CTUSER="nobody"
+CTUSER="lmnsynci"

roles/lmn_vm/files/linbo-torrenthelper.sh

@@ -12,7 +12,6 @@ torrent="$1"
 
 # get ctorrent options from file
 [ -e /etc/default/linbo-torrent ] && source /etc/default/linbo-torrent
-[ -e /home/raphael/git/fvsclient/etc/default/linbo-torrent ] && source /home/raphael/git/fvsclient/etc/default/linbo-torrent
 
 [ -n "$SEEDHOURS" ] &&  OPTIONS="$OPTIONS -e $SEEDHOURS"
 [ -n "$MAXPEERS" ] &&  OPTIONS="$OPTIONS -M $MAXPEERS"
@@ -25,7 +24,8 @@ OPTIONS="$OPTIONS $torrent"
 [ -n "$CTUSER" ] && SUDO="/usr/bin/sudo -u $CTUSER"
 
 while true; do
- $SUDO /usr/bin/ctorrent $OPTIONS || exit 1
+ #$SUDO /usr/bin/ctorrent $OPTIONS || exit 1
+ /usr/bin/ctorrent $OPTIONS || exit 1
  # hash check only on initial start, add -f parameter
  echo "$OPTIONS" | grep -q ^"-f " || OPTIONS="-f $OPTIONS"
 done

roles/lmn_vm/files/link-images.sh

@@ -4,19 +4,16 @@
 set -eu
 
 # change to image-directory
-cd /var/lib/libvirt/images
+cd /lmn/vm
 
-VM_DIR="/tmp/${SUDO_UID}/vmimages"
+VM_DIR="/tmp/${SUDO_UID}/vm"
 
 # link system-VM-Images to User VM Directory
 for i in *.qcow2; do
   [[ -f "${VM_DIR}/${i}" ]] || ln "${i}" "${VM_DIR}/${i}"
 done
 
-# change to image-directory
-cd /var/lib/libvirt/images/xml
-
 # link system-VM-Machine-Definitions to User VM Directory
 for i in *.xml; do
-  [[ -f "${VM_DIR}/xml/${i}" ]] || ln "${i}" "${VM_DIR}/xml/${i}"
+  [[ -f "${VM_DIR}/xml/${i}" ]] || ln "${i}" "${VM_DIR}/${i}"
 done

roles/lmn_vm/files/lmn-sync-vm

@@ -1,3 +1,3 @@
-%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/sync-vm.sh
+%role-teacher ALL=(lmnsynci) NOPASSWD: /usr/local/bin/sync-vm.sh
-%role-student ALL=(root) NOPASSWD: /usr/local/bin/sync-vm.sh
+%role-student ALL=(lmnsynci) NOPASSWD: /usr/local/bin/sync-vm.sh
-%examusers ALL=(root) NOPASSWD: /usr/local/bin/sync-vm.sh
+%examusers ALL=(lmnsynci) NOPASSWD: /usr/local/bin/sync-vm.sh

roles/lmn_vm/files/mounthome.sh

@@ -14,7 +14,7 @@ exit_script() {
 
 if [[ "$#" -gt 0 ]] && [[ "$1" = '-u' ]]; then
     findmnt "/media/${SUDO_USER}/home"    && umount "/media/${SUDO_USER}/home"    && rmdir "/media/${SUDO_USER}/home"
-    findmnt "/media/${SUDO_USER}/share"   && umount "/media/${SUDO_USER}/share"   && rmdir "/media/${SUDO_USER}/share"
+    #findmnt "/media/${SUDO_USER}/share"   && umount "/media/${SUDO_USER}/share"   && rmdir "/media/${SUDO_USER}/share"
     findmnt "/media/${SUDO_USER}/oldhome" && umount "/media/${SUDO_USER}/oldhome" && rmdir "/media/${SUDO_USER}/oldhome"
     findmnt "/media/${SUDO_USER}/linuxhome" && umount "/media/${SUDO_USER}/linuxhome" && rmdir "/media/${SUDO_USER}/linuxhome"
 elif [ "$#" -gt 0 ] && [ "$1" = '-o' ]; then
@@ -51,13 +51,14 @@ elif [ "$#" -gt 0 ] && [ "$1" = '-l' ]; then
     trap exit_script SIGHUP SIGINT SIGTERM
     sleep infinity 
 else
-    mkdir -p "/media/${SUDO_USER}"
+    #mkdir -p "/media/${SUDO_USER}"
-    chown "${SUDO_USER}:1010" "/media/${SUDO_USER}"
+    #chown "${SUDO_USER}:1010" "/media/${SUDO_USER}"
-    chmod 0770 "/media/${SUDO_USER}"
+    chgrp 1010 "/lmn/media/${SUDO_USER}"
-    mkdir -p "/media/${SUDO_USER}/home"
+    chmod 0770 "/lmn/media/${SUDO_USER}"
-    mkdir -p "/media/${SUDO_USER}/share"
+    #mkdir -p "/media/${SUDO_USER}/home"
-    mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
+    #mkdir -p "/media/${SUDO_USER}/share"
-           "//server/default-school/${home}" "/media/${SUDO_USER}/home"
+    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
-    mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
+    #       "//server/default-school/${home}" "/media/${SUDO_USER}/home"
-           "//server/default-school/share" "/media/${SUDO_USER}/share"
+    #mount -t cifs -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks" \
+    #       "//server/default-school/share" "/media/${SUDO_USER}/share"
 fi

roles/lmn_vm/files/run-vm.sh

@@ -8,7 +8,7 @@ show_help() {
 Usage: $(basename "$0") [-n] vmname"
 Create a new clone, start the vm (if not yet running) and run virt-viewer.
 Squid-Proxy will be started too.
-User Home will be mounted on /media/USERNAME/home
+### remove, old ### User Home will be mounted on /media/USERNAME/home
     -n   new clone will be created, even if exists
     -s   qemu:///system instead of default qemu:///session
 EOF
@@ -48,63 +48,82 @@ if [[  $# -ne 1 ]] ; then
     exit 1
 fi
 
-# sync vm-torrents and machine definition file
-sudo /usr/local/bin/sync-vm.sh -t
-
 VM_NAME=$1
-VM_DIR="/tmp/${UID}/vmimages"
+VM_DIR="/tmp/${UID}/vm"
 
+check_images() {
+   # sync vm-torrents and machine definition file
+   sudo -u lmnsynci /usr/local/bin/sync-vm.sh -t
 
-if [[ ! -f "/var/lib/libvirt/images/${VM_NAME}.qcow2" && ! -f "${VM_DIR}/${VM_NAME}.qcow2" ]]; then
+   BACKINGARRAY=()
-    if [[ ! -f "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" ]]; then
+   imgfile="/lmn/vm/${VM_NAME}.qcow2" && [[ -f "${VM_DIR}/${VM_NAME}.qcow2" ]] && imgfile="${VM_DIR}/${VM_NAME}.qcow2"
+   BACKINGARRAY+=("${imgfile}")
+   echo "Imgfile=$imgfile"
+   if [[ ! -f "${imgfile}" ]] || ! qemu-img info -U "${imgfile}" | grep "file format: qcow2"; then
+       if [[ ! -f "/lmn/vm/${VM_NAME}.qcow2.torrent" ]]; then
            echo "no base VM disk '${VM_NAME}.qcow2' found and/or ${VM_NAME} not found on server" >&2
            exit 1
        fi
        # sync vm-disk image by torrent
-    sudo /usr/local/bin/sync-vm.sh "${VM_NAME}"
+       echo "Try to sync VM ${VM_NAME} by torrent"
-    echo "sudo /usr/local/bin/sync-vm.sh ${VM_NAME}"
+       sudo -u lmnsynci /usr/local/bin/sync-vm.sh "${VM_NAME}"
    fi
 
-echo "qcow2 seems to be available"
-
-imgfile="/var/lib/libvirt/images/${VM_NAME}.qcow2" && [[ -f "${VM_DIR}/${VM_NAME}.qcow2" ]] && imgfile="${VM_DIR}/${VM_NAME}.qcow2"
-#backingfile=$(qemu-img info -U "${imgfile}" | grep ^image: | cut -d' ' -f2)
-
    backingfile=$(qemu-img info -U "${imgfile}" | grep "^backing file:" | cut -d ' ' -f 3)
    while [[ ! -z "${backingfile}" ]]; do
-    echo $backingfile
+       echo "Backingfile required: ${backingfile}"
-    if [[ ! -f "/var/lib/libvirt/images/${backingfile}" && ! -f "${VM_DIR}/${backingfile}" ]]; then
+       imgfile="/lmn/vm/${backingfile}" && [[ -f "${VM_DIR}/${backingfile}" ]] && imgfile="${VM_DIR}/${backingfile}"
+       BACKINGARRAY+=("${imgfile}")
+       if [[ ! -f "${imgfile}" ]] || ! qemu-img info -U "${imgfile}" | grep "file format: qcow2"; then
            # sync vm-disk image by torrent
-	sudo /usr/local/bin/sync-vm.sh "${backingfile//.qcow2/}"
+           echo "Try to sync backingfile ${backingfile} by torrent"
-	echo "sudo /usr/local/bin/sync-vm.sh ${backingfile//.qcow2/}"
+           sudo -u lmnsynci /usr/local/bin/sync-vm.sh "${backingfile%.qcow2}"
        fi
-    imgfile="/var/lib/libvirt/images/${backingfile}" && [[ -f "${VM_DIR}/${backingfile}" ]] && imgfile="${VM_DIR}/${backingfile}"
        backingfile=$(qemu-img info -U "${imgfile}" | grep "^backing file:" | cut -d ' ' -f 3)
    done
 
+   echo "VM-Image and required backingfiles available"
+   echo "Now, let's check the images."
+
+   # Check VM-Images in reverse order
+   for ((i=${#BACKINGARRAY[@]}-1; i>=0; i--))
+   do
+       echo "Checking ${BACKINGARRAY[$i]}"
+       if ! qemu-img check -U "${BACKINGARRAY[$i]}" 2>/dev/null; then
+           echo "check failed!"
+           echo "sync ${BACKINGARRAY[$i]} again"
+           sudo -u lmnsynci /usr/local/bin/sync-vm.sh $(basename "${BACKINGARRAY[$i]}" .qcow2)
+       fi
+   done
+
+   echo "VM-Image and required backingfiles available and checked"
+}
+
 # check, if we have to start squid
 if ! killall -s 0 squid; then
     echo "starting squid."
     /usr/sbin/squid -f /etc/squid/squid-usermode.conf
 fi
 
-# check, if we have to mount home
+## check, if we have to mount home
-if ! findmnt "/media/${USER}/home"; then
+#if ! findmnt "/media/${USER}/home"; then
-    echo "mounting home."
+#    echo "mounting home."
     sudo mounthome.sh
-fi
+#fi
 
+# because virsh has problems with long pathnames, using diffent configdir
 export XDG_CONFIG_HOME="/tmp/${UID}/.config"
 
 if  ! virsh --connect="${QEMU}" list | grep "${VM_NAME}-clone"; then
-    echo "VM not yet running. Try to clone and start."
+    echo "VM not yet running."
+    check_images
     if [[ "${NEWCLONE}" = 1 ]] || [[ ! -f "${VM_DIR}/${VM_NAME}-clone.qcow2" ]]; then
         create-clone.sh "${VM_NAME}"
     fi
     # delete the old vm
     virsh --connect=qemu:///session undefine "${VM_NAME}-clone" || echo "${VM_NAME}-clone did not exist"
     # finally, create the new vm
-    virsh --connect=qemu:///session define "${VM_DIR}/xml/${VM_NAME}-clone.xml"
+    virsh --connect=qemu:///session define "${VM_DIR}/${VM_NAME}-clone.xml"
     trap exit_script SIGHUP SIGINT SIGTERM
     [[ "${QEMU}" = 'qemu:///session' ]] && sudo /usr/local/bin/start-virtiofsd.sh "${VM_NAME}"
     virsh --connect="${QEMU}" start "${VM_NAME}-clone"

roles/lmn_vm/files/start-virtiofsd.sh

@@ -19,7 +19,7 @@ fi
 [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]] && /usr/bin/rm "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"
 #sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" --announce-submounts -o source="/media/${USER}" -o sandbox=chroot > /dev/null &
 #sudo /usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" --socket-group="${SUDO_USER}" -o source="/media/${USER}" -o sandbox=chroot > /dev/null &
-/usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" -o source="/media/${SUDO_USER}" -o sandbox=chroot > /dev/null &
+/usr/lib/qemu/virtiofsd --socket-path="${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" -o source="/lmn/nosuidmedia/${SUDO_USER}" -o sandbox=chroot > /dev/null &
 # Wait until socket-File exists and chown to user
 until [[ -S "${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock" ]]; do
    echo "waiting for ${XDG_RUNTIME_DIR}/virtiofs/${VM_NAME}-clone.sock"

roles/lmn_vm/files/sync-vm.sh

@@ -13,21 +13,18 @@ EOF
 }
 
 download_image() {
-    rsync -av --password-file=/etc/rsync.secret \
+    rsync -av "rsync://server:/vmimages-download/${VM_NAME}.qcow2" \
-       "rsync://vmuser@server:/vmimages-download/${VM_NAME}.qcow2" \
+       /lmn/vm/
-       /var/lib/libvirt/images/
+    rsync -av "rsync://server:/vmimages-download/${VM_NAME}.xml" \
-    rsync -av --password-file=/etc/rsync.secret \
+       /lmn/vm/
-       "rsync://vmuser@server:/vmimages-download/xml/${VM_NAME}.xml" \
+    rsync -av "rsync://server:/vmimages-download/${VM_NAME}.qcow2.torrent" \
-       /var/lib/libvirt/images/xml/
+       /lmn/vm/
-    rsync -av --password-file=/etc/rsync.secret \
-       "rsync://vmuser@server:/vmimages-download/${VM_NAME}.qcow2.torrent" \
-       /var/lib/libvirt/images/
     /usr/local/bin/vmimage-torrent restart "${VM_NAME}.qcow2"
 }
 
 torrent_image() {
-    if [[ -f "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" ]]; then
+    if [[ -f "/lmn/vm/${VM_NAME}.qcow2.torrent" ]]; then
-      cd /var/lib/libvirt/images
+      cd /lmn/vm
       ctorrent -e 0 "${VM_NAME}.qcow2.torrent"
       /usr/local/bin/vmimage-torrent restart "${VM_NAME}.qcow2"
     else
@@ -37,16 +34,16 @@ torrent_image() {
 }
 
 sync_all_images() {
-    rsync -av --password-file=/etc/rsync.secret --files-from=/var/lib/libvirt/images/images.list \
+    rsync -av --files-from=/lmn/vm/images.list \
-	  rsync://vmuser@server:/vmimages-download/ /var/lib/libvirt/images/
+	  rsync://server:/vmimages-download/ /lmn/vm/
-    rsync -av --password-file=/etc/rsync.secret rsync://vmuser@server:/vmimages-download/xml \
+    rsync -av rsync://server:/vmimages-download/*.xml \
-	  /var/lib/libvirt/images/
+	  /lmn/vm/
 }
 
 sync_all_torrents() {
-    rsync -ai rsync://vmuser@server:/vmimages-download/*.torrent /var/lib/libvirt/images/
+    rsync -ai rsync://server:/vmimages-download/*.torrent /lmn/vm/
-    rsync -ai rsync://vmuser@server:/vmimages-download/xml /var/lib/libvirt/images/
+    rsync -ai rsync://server:/vmimages-download/*.xml /lmn/vm/
-    RSYNC_COMMAND=$(rsync -ai --delete rsync://vmuser@server:/vmimages-download/desktop/*.desktop /usr/local/share/applications/)
+    RSYNC_COMMAND=$(rsync -ai --delete rsync://server:/vmimages-download/desktop/*.desktop /usr/local/share/applications/)
     if [[ $? -eq 0 ]] && [[ -n "${RSYNC_COMMAND}" ]]; then
         echo "${RSYNC_COMMAND}"
         update-desktop-database /usr/local/share/applications
@@ -74,6 +71,12 @@ EOF
     fi
 }
 
+if [[ "$(id -nu)" != "lmnsynci" ]]; then
+    echo "$(basename "$0") must be run as lmnsynci user"
+    show_help
+    exit 1
+fi
+
 while getopts ':dat' OPTION; do
     case "$OPTION" in
         d)

roles/lmn_vm/files/vmimage-torrent

@@ -11,7 +11,7 @@
 THELPER=linbo-torrenthelper.sh
 #. $LINBOSHAREDIR/helperfunctions.sh || exit 1
 LINBOIMGEXT="qcow2 qdiff"
-LINBOIMGDIR="/var/lib/libvirt/images"
+LINBOIMGDIR="/lmn/vm"
 serverip="10.190.1.1"
 
 # start of functions

roles/lmn_vm/files/vmimage-torrent.service

@@ -5,6 +5,8 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+User=lmnsynci
+Group=lmnsynci
 ExecStart=/usr/local/bin/vmimage-torrent start
 ExecStop=/usr/local/bin/vmimage-torrent stop
 ExecReload=/usr/local/bin/vmimage-torrent reload

roles/lmn_vm/tasks/main.yml

@@ -18,12 +18,12 @@
     autoremove: true
   when: ansible_distribution_release == 'bookworm'
 
-- name: allow all users to use VMs
+    #- name: allow all users to use VMs
-  lineinfile:
+    #  lineinfile:
-    dest: /etc/libvirt/libvirtd.conf
+    #    dest: /etc/libvirt/libvirtd.conf
-    line: 'auth_unix_rw = "none"'
+    #    line: 'auth_unix_rw = "none"'
-    insertafter: '#auth_unix_rw = "polkit"'
+    #    insertafter: '#auth_unix_rw = "polkit"'
-  notify: reload libvirtd
+    #  notify: reload libvirtd
 
 - name: autostart default network for VMs
   file:
@@ -31,6 +31,20 @@
     dest: /etc/libvirt/qemu/networks/autostart/default.xml
     state: link
 
+- name: create system-user syncing VM-files and others
+  ansible.builtin.user:
+    name: lmnsynci
+    comment: lmn sync user
+    system: true
+
+- name: create vm directory
+  file:
+    path: /lmn/vm
+    state: directory
+    owner: lmnsynci
+    group: lmnsynci
+    mode: 0755
+
 - name: install squid
   apt:
     name:
@@ -136,6 +150,12 @@
     - /usr/local/share/desktop-directories
   notify: Run update-desktop-database
 
+- name: set owner lmnsynci for menu entry directory
+  file:
+    path: /usr/local/share/applications
+    state: directory
+    owner: lmnsynci
+
 - name: Copy fvs.directory
   ansible.builtin.copy:
     src: fvs.directory
@@ -150,6 +170,8 @@
 
 - name: sync .torrent, .xml and .desktop files and run update-desktop-database
   command: /usr/local/bin/sync-vm.sh -t
+  become: true
+  become_user: lmnsynci
   register: result
   changed_when: result.stdout | length > 0
 
@@ -164,6 +186,8 @@
   command: >
     rsync -a --itemize-changes
     rsync://server:/vmimages-download/xml /var/lib/libvirt/images/
+  become: true
+  become_user: lmnsynci
   register: result
   changed_when: result.stdout | length > 0
   when: not run_in_installer | default(false) | bool
@@ -172,6 +196,8 @@
   command: >
     rsync -a -i --files-from=/var/lib/libvirt/images/images.list
     rsync://server:/vmimages-download/ /var/lib/libvirt/images/
+  become: true
+  become_user: lmnsynci
   register: result
   changed_when: result.stdout | length > 0
   when: >