For security reasons, libxl tries to pass a non-root username to QEMU as
argument. During initialization QEMU calls setuid and setgid with the
user ID and the group ID of the user passed as argument.
Libxl looks for the following users in this order:

1) a user named "xen-qemuuser-domid$domid",
Where $domid is the domid of the domain being created.
This requires the reservation of 65535 uids from xen-qemuuser-domid1
to xen-qemuuser-domid65535. To use this mechanism, you might want to
create a large number of users at installation time. For example:

for ((i=1; i<65536; i++))
do
    adduser --no-create-home --system xen-qemuuser-domid$i
done

You might want to consider passing --group to adduser to create a new
group for each new user.


2) a user named "xen-qemuuser-shared"
As a fall back if both 1) fails, libxl will use a single user for
all QEMU instances. The user is named xen-qemuuser-shared. This is
less secure but still better than running QEMU as root. Using this is as
simple as creating just one more user on your host:

adduser --no-create-home --system xen-qemuuser-shared


3) root
As a last resort, libxl will start QEMU as root.


Please note that running QEMU as non-root causes several features like
migration and PCI passthrough to not work properly and may prevent the guest
from booting.
