Hi,
what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user any ways.
Is the user supposed to log in with this user?
If so they can give that user a password themselves.
Would this still work when logging in as the root user?
You will need some bits in the install.sh script that detects if the user already exists (after install, uninstall, install). You get use getent for that.
On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created with a random 64 characters long password which can changed after the installation.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 4 ++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf- for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2 DEPS = "libpciaccess libyajl ncat qemu" @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-
Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc --without- esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..5eee5a3 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,10 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh
+# creates a new user called libvirt-remote with a random 64 characters long password +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote"
extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +---
- daemon/libvirtd.conf | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@
- # without becoming root.
- #
- # This is restricted to 'root' by default.
+-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote"
This says group and not user...
+
- # Set the UNIX socket permissions for the R/O socket. This is used
- # for monitoring VM status only
- #
- # Default allows any user. If setting group ownership, you may want to
- # restrict this too.
+-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770" +
- # Set the UNIX socket permissions for the R/W socket. This is used
- # for full management of VMs
+@@ -104,7 +104,7 @@
- #
- # If not using PolicyKit and setting group ownership for access
- # control, then you may want to relax this too.
+-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" +
- # Set the UNIX socket permissions for the admin interface socket.
- #
+-- +2.1.4
-Michael