Re: [PATCH] Change the default libvirt remote user to libvirt-remote

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5064 bytes --]

Hi,

what is the reason that you are creating a password for that user? Generally
that is not required. And this will be unknown to the user any ways.

Is the user supposed to log in with this user?

If so they can give that user a password themselves.

Would this still work when logging in as the root user?

You will need some bits in the install.sh script that detects if the user
already exists (after install, uninstall, install). You get use getent for that.

On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
> It is possible to communicate per ssh via a socket with libvirt. It is
> not a good idea to do this as root, so the remote user is now
> libvirt-remote. Only this user or users in the group libvirt-remote can
> communicate with the socket.
> The user libvirt-remote is created with a random 64 characters long
> password which can changed after the
> installation.
> 
> Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> ---
>  lfs/libvirt                                        |  3 +-
>  src/paks/libvirt/install.sh                        |  4 ++
>  ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43
> ++++++++++++++++++++++
>  3 files changed, 49 insertions(+), 1 deletion(-)
>  create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-
> for-IPFire.patch
> 
> diff --git a/lfs/libvirt b/lfs/libvirt
> index b18364b..3c7413f 100644
> --- a/lfs/libvirt
> +++ b/lfs/libvirt
> @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  SUP_ARCH   = i586 x86_64
>  PROG       = libvirt
> -PAK_VER    = 1
> +PAK_VER    = 2
>  
>  DEPS       = "libpciaccess libyajl ncat qemu"
>  
> @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-
> Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
> +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-
> Change-options-in-libvirtd.conf-for-IPFire.patch
>  	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --
> sysconfdir=/etc \
>  			--with-openssl --without-sasl \
>  			--without-uml --without-vbox --without-lxc --without-
> esx --without-vmware --without-openvz \
> diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
> index 2832197..5eee5a3 100644
> --- a/src/paks/libvirt/install.sh
> +++ b/src/paks/libvirt/install.sh
> @@ -22,6 +22,10 @@
>  ############################################################################
>  #
>  . /opt/pakfire/lib/functions.sh
> +
> +# creates a new user called libvirt-remote with a random 64 characters long
> password
> +useradd -s /bin/bash -m  -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w
> 64 | head -n 1) "libvirt-remote"
> +
>  extract_files
>  start_service --delay 300 --background ${NAME}
>  ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
> diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
> IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
> IPFire.patch
> new file mode 100644
> index 0000000..ed685e8
> --- /dev/null
> +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
> IPFire.patch
> @@ -0,0 +1,43 @@
> +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
> +From: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> +Date: Mon, 6 Jun 2016 19:40:50 +0200
> +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
> +
> +Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> +---
> + daemon/libvirtd.conf | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
> +index ac06cdd..1a41914 100644
> +--- a/daemon/libvirtd.conf
> ++++ b/daemon/libvirtd.conf
> +@@ -87,14 +87,14 @@
> + # without becoming root.
> + #
> + # This is restricted to 'root' by default.
> +-#unix_sock_group = "libvirt"
> ++unix_sock_group = "libvirt-remote"

This says group and not user...

> + 
> + # Set the UNIX socket permissions for the R/O socket. This is used
> + # for monitoring VM status only
> + #
> + # Default allows any user. If setting group ownership, you may want to
> + # restrict this too.
> +-#unix_sock_ro_perms = "0777"
> ++unix_sock_ro_perms = "0770"
> + 
> + # Set the UNIX socket permissions for the R/W socket. This is used
> + # for full management of VMs
> +@@ -104,7 +104,7 @@
> + #
> + # If not using PolicyKit and setting group ownership for access
> + # control, then you may want to relax this too.
> +-#unix_sock_rw_perms = "0770"
> ++unix_sock_rw_perms = "0770"
> + 
> + # Set the UNIX socket permissions for the admin interface socket.
> + #
> +-- 
> +2.1.4
> +

-Michael

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]