For security reasons, libxl tries to pass a non-root username to QEMU as argument. During initialization QEMU calls setuid and setgid with the user ID and the group ID of the user passed as argument. Libxl looks for the following users in this order: 1) a user named "xen-qemuuser-domid$domid", Where $domid is the domid of the domain being created. This requires the reservation of 65535 uids from xen-qemuuser-domid1 to xen-qemuuser-domid65535. To use this mechanism, you might want to create a large number of users at installation time. For example: for ((i=1; i<65536; i++)) do adduser --no-create-home --system xen-qemuuser-domid$i done You might want to consider passing --group to adduser to create a new group for each new user. 2) a user named "xen-qemuuser-shared" As a fall back if both 1) fails, libxl will use a single user for all QEMU instances. The user is named xen-qemuuser-shared. This is less secure but still better than running QEMU as root. Using this is as simple as creating just one more user on your host: adduser --no-create-home --system xen-qemuuser-shared 3) root As a last resort, libxl will start QEMU as root. Please note that running QEMU as non-root causes several features like migration and PCI passthrough to not work properly and may prevent the guest from booting.