From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jonatan Schlag To: development@lists.ipfire.org Subject: [PATCH v2] Change the default libvirt remote user to libvirt-remote Date: Fri, 10 Jun 2016 10:57:13 +0200 Message-ID: <1465549033-652-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3826818307225452498==" List-Id: --===============3826818307225452498== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created without a password. The users have to set a password for this user after installation. Signed-off-by: Jonatan Schlag
---
lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 6 +++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++= ++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-= for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt
index b18364b..3c7413f 100644
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP =3D $(DIR_SRC)/$(THISAPP)
 TARGET =3D $(DIR_INFO)/$(THISAPP)
 SUP_ARCH =3D i586 x86_64
 PROG =3D libvirt
-PAK_VER =3D 1
+PAK_VER =3D 2
=20
 DEPS =3D "libpciaccess libyajl ncat qemu"
=20
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-d= efault-behavior-of-libvirt-guests.sh-for-IPF.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-o= ptions-in-libvirtd.conf-for-IPFire.patch
 cd $(DIR_APP) && ./configure --prefix=3D/usr --localstatedir=3D/var --sysco= nfdir=3D/etc \
 --with-openssl --without-sasl \
 --without-uml --without-vbox --without-lxc --without-esx --without-vmware= --without-openvz \
diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
index 2832197..2009b0e 100644
--- a/src/paks/libvirt/install.sh
+++ b/src/paks/libvirt/install.sh
@@ -22,6 +22,12 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+
+# creates a new user and group called libvirt-remote if they not exist
+getent group libvirt-remote >/dev/null || groupadd libvirt-remote
+getent passwd libvirt-remote >/dev/null || \
+useradd -m -g libvirt-remote -s /bin/bash "libvirt-remote"
+
 extract_files
 start_service --delay 300 --background ${NAME}
 ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPF= ire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFi= re.patch
new file mode 100644
index 0000000..ed685e8
--- /dev/null
+++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.pat= ch
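Review bot: In src/paks/libvirt/install.sh the added comment says only that the account is created; it does not say that the account is a privileged one. With the libvirtd.conf patch in this commit, members of `libvirt-remote` can open the R/W socket, which that file describes as "full management of VMs", so I would write `# libvirt-remote members can fully manage VMs through the libvirt socket; add users to this group sparingly` (and "if they do not exist"). Neither `groupadd` nor `useradd` is checked in the hunk, so unless the script sets `-e` outside it, `extract_files` and `start_service` still run when the group named in `unix_sock_group` could not be created; ending each command with `|| exit 1` would stop the install there. The account is also created as a regular login user with `/bin/bash`; if the SSH transport needs a shell, `useradd -r -m ...` would at least take the UID from the system range.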
@@ -0,0 +1,43 @@
+From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
+From: Jonatan Schlag
+Date: Mon, 6 Jun 2016 19:40:50 +0200
+Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+
+Signed-off-by: Jonatan Schlag
+---
+ daemon/libvirtd.conf | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
+index ac06cdd..1a41914 100644
+--- a/daemon/libvirtd.conf
++++ b/daemon/libvirtd.conf
+@@ -87,14 +87,14 @@
+ # without becoming root.
+ #
+ # This is restricted to 'root' by default.
+-#unix_sock_group =3D "libvirt"
++unix_sock_group =3D "libvirt-remote"
+=20
+ # Set the UNIX socket permissions for the R/O socket. This is used
+ # for monitoring VM status only
+ #
+ # Default allows any user. If setting group ownership, you may want to
+ # restrict this too.
+-#unix_sock_ro_perms =3D "0777"
++unix_sock_ro_perms =3D "0770"
+=20
+ # Set the UNIX socket permissions for the R/W socket. This is used
+ # for full management of VMs
+@@ -104,7 +104,7 @@
+ #
+ # If not using PolicyKit and setting group ownership for access
+ # control, then you may want to relax this too.
+-#unix_sock_rw_perms =3D "0770"
++unix_sock_rw_perms =3D "0770"
+=20
+ # Set the UNIX socket permissions for the admin interface socket.
+ #
+--=20
+2.1.4
+
--=20
2.1.4
--===============3826818307225452498==--
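Review bot: The embedded patch has no commit body, so nothing records why `unix_sock_ro_perms` is tightened from the commented default `0777` to `0770` together with the group change. Judging by the permission bits, local tools that only read VM status through the R/O socket will need `libvirt-remote` membership afterwards; no such caller is visible here. A sentence in the patch description would cover it, e.g. `R/O and R/W sockets are limited to group libvirt-remote; no world access`. The patch also leaves `auth_unix_ro` and `auth_unix_rw` untouched, so whether socket ownership and mode are the only gate depends on how PolicyKit is configured in the build, which these hunks do not show.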