It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created with a random 64 characters long password which can changed after the installation.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 4 ++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2
DEPS = "libpciaccess libyajl ncat qemu"
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..5eee5a3 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,10 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# creates a new user called libvirt-remote with a random 64 characters long password +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote" + extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire + +Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +--- + daemon/libvirtd.conf | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@ + # without becoming root. + # + # This is restricted to 'root' by default. +-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote" + + # Set the UNIX socket permissions for the R/O socket. This is used + # for monitoring VM status only + # + # Default allows any user. If setting group ownership, you may want to + # restrict this too. +-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770" + + # Set the UNIX socket permissions for the R/W socket. This is used + # for full management of VMs +@@ -104,7 +104,7 @@ + # + # If not using PolicyKit and setting group ownership for access + # control, then you may want to relax this too. +-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" + + # Set the UNIX socket permissions for the admin interface socket. + # +-- +2.1.4 +
Hi,
what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user any ways.
Is the user supposed to log in with this user?
If so they can give that user a password themselves.
Would this still work when logging in as the root user?
You will need some bits in the install.sh script that detects if the user already exists (after install, uninstall, install). You get use getent for that.
On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created with a random 64 characters long password which can changed after the installation.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 4 ++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf- for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2 DEPS = "libpciaccess libyajl ncat qemu" @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-
Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc --without- esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..5eee5a3 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,10 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh
+# creates a new user called libvirt-remote with a random 64 characters long password +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote"
extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +---
- daemon/libvirtd.conf | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@
- # without becoming root.
- #
- # This is restricted to 'root' by default.
+-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote"
This says group and not user...
+
- # Set the UNIX socket permissions for the R/O socket. This is used
- # for monitoring VM status only
- #
- # Default allows any user. If setting group ownership, you may want to
- # restrict this too.
+-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770" +
- # Set the UNIX socket permissions for the R/W socket. This is used
- # for full management of VMs
+@@ -104,7 +104,7 @@
- #
- # If not using PolicyKit and setting group ownership for access
- # control, then you may want to relax this too.
+-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" +
- # Set the UNIX socket permissions for the admin interface socket.
- #
+-- +2.1.4
-Michael
Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer michael.tremer@ipfire.org:
Hi,
what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user any ways.
This is indeed uneccessary.
Is the user supposed to log in with this user?
If so they can give that user a password themselves.
Yes the user is supposed to log in via ssh, so i will change this and we create just the user.
Would this still work when logging in as the root user?
Yes this still work as root user. Root and all users in the group libvirt-remote can communicate with the socket.
My thoughts were that the user of IPFire should not use the root user to communicate with the socket because it is completely unnecessary. A normal user like libvirt-remote would do it. So because I know that not everybody would create a user and add this user to the group libvirt-remote I thought that it would be better to create the user libvirt-remote automatically, so the user only has to change the password of this user and can then use this user to communicate with libvirt.
The minimal variant would be to create the group libvirt-remote and change the options in libvirtd.conf and the user has to create the user (like libvirt-remote) by themselves. Just say what you would prefer :-).
You will need some bits in the install.sh script that detects if the user already exists (after install, uninstall, install). You get use getent for that.
Ok.
On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created with a random 64 characters long password which can changed after the installation.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org
lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 4 ++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf- for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2
DEPS = "libpciaccess libyajl ncat qemu"
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
- cd $(DIR_APP) && patch -Np1 -i
$(DIR_SRC)/src/patches/libvirt/0002- Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc --without- esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..5eee5a3 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,10 @@
############################################################################ # . /opt/pakfire/lib/functions.sh
+# creates a new user called libvirt-remote with a random 64 characters long password +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote"
extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +---
- daemon/libvirtd.conf | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@
- # without becoming root.
- #
- # This is restricted to 'root' by default.
+-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote"
This says group and not user...
Right, but this group is created with the user, see my explanation above it is also possible to create only the group and no user.
- # Set the UNIX socket permissions for the R/O socket. This is used
- # for monitoring VM status only
- #
- # Default allows any user. If setting group ownership, you may
want to
- # restrict this too.
+-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770"
- # Set the UNIX socket permissions for the R/W socket. This is used
- # for full management of VMs
+@@ -104,7 +104,7 @@
- #
- # If not using PolicyKit and setting group ownership for access
- # control, then you may want to relax this too.
+-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770"
- # Set the UNIX socket permissions for the admin interface socket.
- #
+-- +2.1.4
-Michael
Regards Jonatan
PS. Tommorow i hope
On Thu, 2016-06-09 at 20:29 +0200, Jonatan Schlag wrote:
Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer michael.tremer@ipfire.org :
Hi,
what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user any ways.
This is indeed uneccessary.
Is the user supposed to log in with this user?
If so they can give that user a password themselves.
Yes the user is supposed to log in via ssh, so i will change this and we create just the user.
Would this still work when logging in as the root user?
Yes this still work as root user. Root and all users in the group libvirt- remote can communicate with the socket.
My thoughts were that the user of IPFire should not use the root user to communicate with the socket because it is completely unnecessary. A normal user like libvirt-remote would do it. So because I know that not everybody would create a user and add this user to the group libvirt-remote I thought that it would be better to create the user libvirt-remote automatically, so the user only has to change the password of this user and can then use this user to communicate with libvirt.
The minimal variant would be to create the group libvirt-remote and change the options in libvirtd.conf and the user has to create the user (like libvirt- remote) by themselves. Just say what you would prefer :-).
I would prefer to create a group and a user. We won't give the user a password which must be set by the user in order to login with that user.
If someone prefers, they can create their own users and add them to the group.
A system group should be created with groupadd of course be checked if that group existed before.
You will need some bits in the install.sh script that detects if the user already exists (after install, uninstall, install). You get use getent for that.
Ok.
On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote: It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created with a random 64 characters long password which can changed after the installation. Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 4 ++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in- libvirtd.conf- for-IPFire.patch diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2 DEPS = "libpciaccess libyajl ncat qemu" @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002- Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc -- without- esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..5eee5a3 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,10 @@ ########################################################################## ## # . /opt/pakfire/lib/functions.sh + +# creates a new user called libvirt-remote with a random 64 characters long password +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) "libvirt-remote" + extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf- for- IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire + +Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +--- + daemon/libvirtd.conf | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@ + # without becoming root. + # + # This is restricted to 'root' by default. +-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote"
This says group and not user...
Right, but this group is created with the user, see my explanation above it is also possible to create only the group and no user.
+ + # Set the UNIX socket permissions for the R/O socket. This is used + # for monitoring VM status only + # + # Default allows any user. If setting group ownership, you may want to + # restrict this too. +-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770" + + # Set the UNIX socket permissions for the R/W socket. This is used + # for full management of VMs +@@ -104,7 +104,7 @@ + # + # If not using PolicyKit and setting group ownership for access + # control, then you may want to relax this too. +-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" + + # Set the UNIX socket permissions for the admin interface socket. + # +-- +2.1.4 +
-Michael
Regards Jonatan
PS. Tommorow i hope
Hi, Thank you for the fast answer.
I would prefer to create a group and a user. We won't give the user a password which must be set by the user in order to login with that user.
If someone prefers, they can create their own users and add them to the group.
A system group should be created with groupadd of course be checked if that group existed before.
I will send a new patch tomorrow, which the checks if the user and the group are existent and add the group extra. I will further send 2 patches which change the default qemu user to nobody when this 3 patch are merged libvirt could from my point of view pushed to the testing repo.
Regards Jonatan
On Thu, 2016-06-09 at 20:45 +0200, Jonatan Schlag wrote:
Hi, Thank you for the fast answer.
I would prefer to create a group and a user. We won't give the user a password which must be set by the user in order to login with that user.
If someone prefers, they can create their own users and add them to the group.
A system group should be created with groupadd of course be checked if that group existed before.
I will send a new patch tomorrow, which the checks if the user and the group are existent and add the group extra. I will further send 2 patches which change the default qemu user to nobody when this 3 patch are merged libvirt could from my point of view pushed to the testing repo.
I spoke with Arne that he can already upload this.
So please just count up the release number and everyone will get an update (make sure that user and group will be created when updating, too)...
-Michael
Regards Jonatan
-
Jonatan Schlag -
Michael Tremer