From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] Change the default libvirt remote user to libvirt-remote
Date: Thu, 09 Jun 2016 19:35:17 +0100
Message-ID: <1465497317.24121.146.camel@ipfire.org>
In-Reply-To: <1465496975.1659.1@mail01.ipfire.org>

On Thu, 2016-06-09 at 20:29 +0200, Jonatan Schlag wrote:
> 
> 
> On Thu, 9 Jun 2016 at 3:44, Michael Tremer wrote:
> > Hi,
> > 
> > what is the reason that you are creating a password for that user? Generally
> > that is not required. And this will be unknown to the user any ways.
> This is indeed unnecessary.
> > 
> > 
> > Is the user supposed to log in with this user?
> > 
> > If so they can give that user a password themselves.
> Yes, the user is supposed to log in via SSH, so I will change this and we
> create just the user.
> > 
> > 
> > Would this still work when logging in as the root user?
> Yes, this still works as the root user. Root and all users in the group
> libvirt-remote can communicate with the socket.
> 
> My thoughts were that the user of IPFire should not use the root user to
> communicate with the socket because it is completely unnecessary. A normal
> user like libvirt-remote would do it.
> So because I know that not everybody would create a user and add this user to
> the group libvirt-remote, I thought that it would be better to create the user
> libvirt-remote automatically, so the user only has to change the password of
> this user and can then use this user to communicate with libvirt.
> 
> The minimal variant would be to create the group libvirt-remote and change the
> options in libvirtd.conf, and the user has to create the user (like
> libvirt-remote) by themselves.
> Just say what you would prefer :-).

I would prefer to create a group and a user. We won't give the user a
password, which must be set by the user in order to log in with that user.
If someone prefers, they can create their own users and add them to the
group.

A system group should be created with groupadd, and of course it should be
checked whether that group existed before.

> 
> > 
> > 
> > You will need some bits in the install.sh script that detects if the user
> > already exists (after install, uninstall, install). You can use getent for
> > that.
> Ok.
> > 
> > 
> > On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
> > It is possible to communicate per SSH via a socket with libvirt. It is
> > not a good idea to do this as root, so the remote user is now
> > libvirt-remote. Only this user or users in the group libvirt-remote can
> > communicate with the socket.
> > The user libvirt-remote is created with a random 64 characters long
> > password which can be changed after the
> > installation.
> > 
> > Signed-off-by: Jonatan Schlag
> > ---
> >  lfs/libvirt                                        |  3 +-
> >  src/paks/libvirt/install.sh                        |  4 ++
> >  ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++
> >  3 files changed, 49 insertions(+), 1 deletion(-)
> >  create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
> > 
> > diff --git a/lfs/libvirt b/lfs/libvirt
> > index b18364b..3c7413f 100644
> > --- a/lfs/libvirt
> > +++ b/lfs/libvirt
> > @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
> >  TARGET     = $(DIR_INFO)/$(THISAPP)
> >  SUP_ARCH   = i586 x86_64
> >  PROG       = libvirt
> > -PAK_VER    = 1
> > +PAK_VER    = 2
> >  
> >  DEPS       = "libpciaccess libyajl ncat qemu"
> >  
> > @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> >  	@$(PREBUILD)
> >  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> >  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
> > +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
> >  	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
> >  		--with-openssl --without-sasl \
> >  		--without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
> > diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
> > index 2832197..5eee5a3 100644
> > --- a/src/paks/libvirt/install.sh
> > +++ b/src/paks/libvirt/install.sh
> > @@ -22,6 +22,10 @@
> >  ############################################################################
> >  #
> >  . /opt/pakfire/lib/functions.sh
> > +
> > +# creates a new user called libvirt-remote with a random 64 characters long password
> > +useradd -s /bin/bash -m  -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote"
> > +
> >  extract_files
> >  start_service --delay 300 --background ${NAME}
> >  ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
> > diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
> > new file mode 100644
> > index 0000000..ed685e8
> > --- /dev/null
> > +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
> > @@ -0,0 +1,43 @@
> > +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
> > +From: Jonatan Schlag
> > +Date: Mon, 6 Jun 2016 19:40:50 +0200
> > +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
> > +
> > +Signed-off-by: Jonatan Schlag
> > +---
> > + daemon/libvirtd.conf | 6 +++---
> > + 1 file changed, 3 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
> > +index ac06cdd..1a41914 100644
> > +--- a/daemon/libvirtd.conf
> > ++++ b/daemon/libvirtd.conf
> > +@@ -87,14 +87,14 @@
> > + # without becoming root.
> > + #
> > + # This is restricted to 'root' by default.
> > +-#unix_sock_group = "libvirt"
> > ++unix_sock_group = "libvirt-remote"
> > 
> > This says group and not user...
> Right, but this group is created with the user; see my explanation above. It
> is also possible to create only the group and no user.
> > 
> > 
> > + 
> > + # Set the UNIX socket permissions for the R/O socket. This is used
> > + # for monitoring VM status only
> > + #
> > + # Default allows any user. If setting group ownership, you may want to
> > + # restrict this too.
> > +-#unix_sock_ro_perms = "0777"
> > ++unix_sock_ro_perms = "0770"
> > + 
> > + # Set the UNIX socket permissions for the R/W socket. This is used
> > + # for full management of VMs
> > +@@ -104,7 +104,7 @@
> > + #
> > + # If not using PolicyKit and setting group ownership for access
> > + # control, then you may want to relax this too.
> > +-#unix_sock_rw_perms = "0770"
> > ++unix_sock_rw_perms = "0770"
> > + 
> > + # Set the UNIX socket permissions for the admin interface socket.
> > + #
> > +-- 
> > +2.1.4
> > +
> > 
> > -Michael
> Regards Jonatan
> 
> PS. Tomorrow I hope
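Review bot: the `useradd` line in the src/paks/libvirt/install.sh hunk is not idempotent and passes the password the wrong way. `useradd` exits with an error if `libvirt-remote` already exists, which is exactly the install, uninstall, install case raised in the thread, so guard it with `getent passwd libvirt-remote >/dev/null || useradd ...`, and create the group explicitly (`getent group libvirt-remote >/dev/null || groupadd -r libvirt-remote`) instead of relying on useradd creating a same-named group, since the 0002 patch's `unix_sock_group = "libvirt-remote"` depends on that group existing. `-p` expects an already-hashed string as returned by crypt(3), so the plain `a-zA-Z0-9` string lands in the shadow field unhashed and is also visible on the useradd command line while it runs. As the thread agrees on not setting a password at all, drop `-p $(cat /dev/urandom | ...)` entirely and leave the account locked until the administrator sets one; that also removes the unquoted `$(...)` and the `cat /dev/urandom | tr` pipeline.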
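Review bot: in the new-file hunk for 0002-Change-options-in-libvirtd.conf-for-IPFire.patch, the `unix_sock_rw_perms` change only uncomments the documented default `"0770"`, so only `unix_sock_group` and `unix_sock_ro_perms` (0777 to 0770) change behaviour; the commit message should say that access is granted by membership in the group `libvirt-remote` rather than to a user, as Michael's inline comment points out, and that the R/O monitoring socket is no longer readable by every local user. The file's own comment ties this group-ownership model to "not using PolicyKit", so the patch should also state what `auth_unix_ro`/`auth_unix_rw` resolve to on this build (the configure line shows `--with-openssl --without-sasl`, but says nothing about polkit); if polkit authentication were active it, not the socket group, would decide access.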
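As an added example, not code from the patch or from IPFire, here is the install-time account setup the thread converges on: a system group created with groupadd, a login-capable user with no password (locked until an administrator sets one), and getent checks so that an install, uninstall, install cycle does not fail on an existing account. The names libvirt-remote come from the thread; the function names, the membership check and the `--apply` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the patch's or IPFire's own code): idempotent creation
# of the libvirt-remote group and user for an install.sh, following the
# thread: system group via groupadd, login user without -p, getent checks
# so a reinstall does not fail. Function names and --apply are assumptions.

REMOTE_GROUP="libvirt-remote"
REMOTE_USER="libvirt-remote"

# Return 0 if the named group exists in the NSS group database.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# Return 0 if the named user exists in the NSS passwd database.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Return 0 if user $1 is a member (primary or supplementary) of group $2.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Create the system group only if it is missing (Michael: check first).
ensure_group() {
    group_exists "$1" && return 0
    groupadd -r "$1"
}

# Create the login user only if it is missing. No -p: the password field
# stays locked, so SSH password login is impossible until root sets one.
# -s /bin/bash and -m because the user is meant to log in via SSH.
ensure_user() {
    user_exists "$1" && return 0
    useradd -m -s /bin/bash -g "$2" "$1"
}

# An account left over from an earlier install may lack the group; add it.
ensure_membership() {
    user_in_group "$1" "$2" && return 0
    usermod -a -G "$2" "$1"
}

# Full setup; returns non-zero if any step fails so install.sh can abort.
setup_libvirt_remote() {
    ensure_group "$REMOTE_GROUP" || return 1
    ensure_user "$REMOTE_USER" "$REMOTE_GROUP" || return 1
    ensure_membership "$REMOTE_USER" "$REMOTE_GROUP"
}

# Only touch the system when explicitly asked (run as root: ./script --apply).
case "${1:-}" in
    --apply) setup_libvirt_remote ;;
esac
```

Running the script a second time is a no-op, because every step first checks the existing state with getent or id and only then calls groupadd, useradd or usermod.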