Re: [PATCH] Change the default libvirt remote user to libvirt-remote

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7364 bytes --]

On Thu, 2016-06-09 at 20:29 +0200, Jonatan Schlag wrote:
> 
> 
> Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer <michael.tremer(a)ipfire.org>
> :
> > Hi,
> > 
> > what is the reason that you are creating a password for that user? Generally
> > that is not required. And this will be unknown to the user any ways.
> This is indeed uneccessary. 
> > 
> > 
> > Is the user supposed to log in with this user?
> > 
> > If so they can give that user a password themselves.
> Yes the user is supposed to log in via ssh, so i will change this and we
> create just the user. 
> > 
> > 
> > Would this still work when logging in as the root user?
> Yes this still work as root user. Root and all users  in the group libvirt-
> remote can communicate with the socket.
> 
> My thoughts were that the user of IPFire should not use the root user to
> communicate with the socket because it is completely unnecessary. A normal
> user like libvirt-remote would do it.
> So because I know that not everybody would create a user and add this user to
> the group libvirt-remote I thought that it would be better to create the user
> libvirt-remote automatically, so the user only has  to change the password of
> this user and can then use this user to communicate with libvirt. 
> 
> The minimal variant would be to create the group libvirt-remote and change the
> options in libvirtd.conf and the user has to create the user (like libvirt-
> remote) by themselves. Just say what you would prefer :-).

I would prefer to create a group and a user. We won't give the user a password
which must be set by the user in order to login with that user.

If someone prefers, they can create their own users and add them to the group.

A system group should be created with groupadd of course be checked if that
group existed before.

> 
> > 
> > 
> > You will need some bits in the install.sh script that detects if the user
> > already exists (after install, uninstall, install). You get use getent for
> > that.
> Ok. 
> > 
> > 
> > On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
> >  It is possible to communicate per ssh via a socket with libvirt. It is
> >  not a good idea to do this as root, so the remote user is now
> >  libvirt-remote. Only this user or users in the group libvirt-remote can
> >  communicate with the socket.
> >  The user libvirt-remote is created with a random 64 characters long
> >  password which can changed after the
> >  installation.
> >  
> >  Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> >  ---
> >   lfs/libvirt                                        |  3 +-
> >   src/paks/libvirt/install.sh                        |  4 ++
> >   ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43
> >  ++++++++++++++++++++++
> >   3 files changed, 49 insertions(+), 1 deletion(-)
> >   create mode 100644 src/patches/libvirt/0002-Change-options-in-
> > libvirtd.conf-
> >  for-IPFire.patch
> >  
> >  diff --git a/lfs/libvirt b/lfs/libvirt
> >  index b18364b..3c7413f 100644
> >  --- a/lfs/libvirt
> >  +++ b/lfs/libvirt
> >  @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
> >   TARGET     = $(DIR_INFO)/$(THISAPP)
> >   SUP_ARCH   = i586 x86_64
> >   PROG       = libvirt
> >  -PAK_VER    = 1
> >  +PAK_VER    = 2
> >   
> >   DEPS       = "libpciaccess libyajl ncat qemu"
> >   
> >  @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> >   	@$(PREBUILD)
> >   	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf
> > $(DIR_DL)/$(DL_FILE)
> >   	cd $(DIR_APP) && patch -Np1 -i
> > $(DIR_SRC)/src/patches/libvirt/0001-
> >  Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
> >  +	cd $(DIR_APP) && patch -Np1 -i
> > $(DIR_SRC)/src/patches/libvirt/0002-
> >  Change-options-in-libvirtd.conf-for-IPFire.patch
> >   	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --
> >  sysconfdir=/etc \
> >   			--with-openssl --without-sasl \
> >   			--without-uml --without-vbox --without-lxc --
> > without-
> >  esx --without-vmware --without-openvz \
> >  diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
> >  index 2832197..5eee5a3 100644
> >  --- a/src/paks/libvirt/install.sh
> >  +++ b/src/paks/libvirt/install.sh
> >  @@ -22,6 +22,10 @@
> >   ##########################################################################
> > ##
> >   #
> >   . /opt/pakfire/lib/functions.sh
> >  +
> >  +# creates a new user called libvirt-remote with a random 64 characters
> > long
> >  password
> >  +useradd -s /bin/bash -m  -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold
> > -w
> >  64 | head -n 1) "libvirt-remote"
> >  +
> >   extract_files
> >   start_service --delay 300 --background ${NAME}
> >   ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
> >  diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
> >  IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-
> > for-
> >  IPFire.patch
> >  new file mode 100644
> >  index 0000000..ed685e8
> >  --- /dev/null
> >  +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
> >  IPFire.patch
> >  @@ -0,0 +1,43 @@
> >  +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
> >  +From: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> >  +Date: Mon, 6 Jun 2016 19:40:50 +0200
> >  +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
> >  +
> >  +Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
> >  +---
> >  + daemon/libvirtd.conf | 6 +++---
> >  + 1 file changed, 3 insertions(+), 3 deletions(-)
> >  +
> >  +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
> >  +index ac06cdd..1a41914 100644
> >  +--- a/daemon/libvirtd.conf
> >  ++++ b/daemon/libvirtd.conf
> >  +@@ -87,14 +87,14 @@
> >  + # without becoming root.
> >  + #
> >  + # This is restricted to 'root' by default.
> >  +-#unix_sock_group = "libvirt"
> >  ++unix_sock_group = "libvirt-remote"
> > 
> > This says group and not user... 
> Right, but this group is created with the user, see my explanation above it is
> also possible to create only the group and no user.
> > 
> > 
> >  + 
> >  + # Set the UNIX socket permissions for the R/O socket. This is used
> >  + # for monitoring VM status only
> >  + #
> >  + # Default allows any user. If setting group ownership, you may want to
> >  + # restrict this too.
> >  +-#unix_sock_ro_perms = "0777"
> >  ++unix_sock_ro_perms = "0770"
> >  + 
> >  + # Set the UNIX socket permissions for the R/W socket. This is used
> >  + # for full management of VMs
> >  +@@ -104,7 +104,7 @@
> >  + #
> >  + # If not using PolicyKit and setting group ownership for access
> >  + # control, then you may want to relax this too.
> >  +-#unix_sock_rw_perms = "0770"
> >  ++unix_sock_rw_perms = "0770"
> >  + 
> >  + # Set the UNIX socket permissions for the admin interface socket.
> >  + #
> >  +-- 
> >  +2.1.4
> >  +
> > 
> > -Michael
> Regards Jonatan
> 
> PS. Tommorow i hope 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]