On Thu, 2016-06-09 at 20:29 +0200, Jonatan Schlag wrote: > > > Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer > : > > Hi, > > > > what is the reason that you are creating a password for that user? Generally > > that is not required. And this will be unknown to the user any ways. > This is indeed uneccessary.  > > > > > > Is the user supposed to log in with this user? > > > > If so they can give that user a password themselves. > Yes the user is supposed to log in via ssh, so i will change this and we > create just the user.  > > > > > > Would this still work when logging in as the root user? > Yes this still work as root user. Root and all users  in the group libvirt- > remote can communicate with the socket. > > My thoughts were that the user of IPFire should not use the root user to > communicate with the socket because it is completely unnecessary. A normal > user like libvirt-remote would do it. > So because I know that not everybody would create a user and add this user to > the group libvirt-remote I thought that it would be better to create the user > libvirt-remote automatically, so the user only has  to change the password of > this user and can then use this user to communicate with libvirt.  > > The minimal variant would be to create the group libvirt-remote and change the > options in libvirtd.conf and the user has to create the user (like libvirt- > remote) by themselves. Just say what you would prefer :-). I would prefer to create a group and a user. We won't give the user a password which must be set by the user in order to login with that user. If someone prefers, they can create their own users and add them to the group. A system group should be created with groupadd of course be checked if that group existed before. > > > > > > > You will need some bits in the install.sh script that detects if the user > > already exists (after install, uninstall, install). You get use getent for > > that. > Ok.  > > > > > > On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote: > >  It is possible to communicate per ssh via a socket with libvirt. It is > >  not a good idea to do this as root, so the remote user is now > >  libvirt-remote. Only this user or users in the group libvirt-remote can > >  communicate with the socket. > >  The user libvirt-remote is created with a random 64 characters long > >  password which can changed after the > >  installation. > >   > >  Signed-off-by: Jonatan Schlag > >  --- > >   lfs/libvirt                                        |  3 +- > >   src/paks/libvirt/install.sh                        |  4 ++ > >   ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 > >  ++++++++++++++++++++++ > >   3 files changed, 49 insertions(+), 1 deletion(-) > >   create mode 100644 src/patches/libvirt/0002-Change-options-in- > > libvirtd.conf- > >  for-IPFire.patch > >   > >  diff --git a/lfs/libvirt b/lfs/libvirt > >  index b18364b..3c7413f 100644 > >  --- a/lfs/libvirt > >  +++ b/lfs/libvirt > >  @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP) > >   TARGET     = $(DIR_INFO)/$(THISAPP) > >   SUP_ARCH   = i586 x86_64 > >   PROG       = libvirt > >  -PAK_VER    = 1 > >  +PAK_VER    = 2 > >    > >   DEPS       = "libpciaccess libyajl ncat qemu" > >    > >  @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > >    @$(PREBUILD) > >    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > >    cd $(DIR_APP) && patch -Np1 -i > > $(DIR_SRC)/src/patches/libvirt/0001- > >  Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch > >  + cd $(DIR_APP) && patch -Np1 -i > > $(DIR_SRC)/src/patches/libvirt/0002- > >  Change-options-in-libvirtd.conf-for-IPFire.patch > >    cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- > >  sysconfdir=/etc \ > >    --with-openssl --without-sasl \ > >    --without-uml --without-vbox --without-lxc -- > > without- > >  esx --without-vmware --without-openvz \ > >  diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh > >  index 2832197..5eee5a3 100644 > >  --- a/src/paks/libvirt/install.sh > >  +++ b/src/paks/libvirt/install.sh > >  @@ -22,6 +22,10 @@ > >   ########################################################################## > > ## > >   # > >   . /opt/pakfire/lib/functions.sh > >  + > >  +# creates a new user called libvirt-remote with a random 64 characters > > long > >  password > >  +useradd -s /bin/bash -m  -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold > > -w > >  64 | head -n 1) "libvirt-remote" > >  + > >   extract_files > >   start_service --delay 300 --background ${NAME} > >   ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd > >  diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > >  IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf- > > for- > >  IPFire.patch > >  new file mode 100644 > >  index 0000000..ed685e8 > >  --- /dev/null > >  +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > >  IPFire.patch > >  @@ -0,0 +1,43 @@ > >  +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 > >  +From: Jonatan Schlag > >  +Date: Mon, 6 Jun 2016 19:40:50 +0200 > >  +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire > >  + > >  +Signed-off-by: Jonatan Schlag > >  +--- > >  + daemon/libvirtd.conf | 6 +++--- > >  + 1 file changed, 3 insertions(+), 3 deletions(-) > >  + > >  +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf > >  +index ac06cdd..1a41914 100644 > >  +--- a/daemon/libvirtd.conf > >  ++++ b/daemon/libvirtd.conf > >  +@@ -87,14 +87,14 @@ > >  + # without becoming root. > >  + # > >  + # This is restricted to 'root' by default. > >  +-#unix_sock_group = "libvirt" > >  ++unix_sock_group = "libvirt-remote" > > > > This says group and not user...  > Right, but this group is created with the user, see my explanation above it is > also possible to create only the group and no user. > > > > > >  +  > >  + # Set the UNIX socket permissions for the R/O socket. This is used > >  + # for monitoring VM status only > >  + # > >  + # Default allows any user. If setting group ownership, you may want to > >  + # restrict this too. > >  +-#unix_sock_ro_perms = "0777" > >  ++unix_sock_ro_perms = "0770" > >  +  > >  + # Set the UNIX socket permissions for the R/W socket. This is used > >  + # for full management of VMs > >  +@@ -104,7 +104,7 @@ > >  + # > >  + # If not using PolicyKit and setting group ownership for access > >  + # control, then you may want to relax this too. > >  +-#unix_sock_rw_perms = "0770" > >  ++unix_sock_rw_perms = "0770" > >  +  > >  + # Set the UNIX socket permissions for the admin interface socket. > >  + # > >  +--  > >  +2.1.4 > >  + > > > > -Michael > Regards Jonatan > > PS. Tommorow i hope