It is possible to communicate per ssh via a socket with libvirt. It is not a good idea to do this as root, so the remote user is now libvirt-remote. Only this user or users in the group libvirt-remote can communicate with the socket. The user libvirt-remote is created without a password. The users have to set a password for this user after installation.
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org --- lfs/libvirt | 3 +- src/paks/libvirt/install.sh | 6 +++ ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
diff --git a/lfs/libvirt b/lfs/libvirt index b18364b..3c7413f 100644 --- a/lfs/libvirt +++ b/lfs/libvirt @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = i586 x86_64 PROG = libvirt -PAK_VER = 1 +PAK_VER = 2
DEPS = "libpciaccess libyajl ncat qemu"
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \ --with-openssl --without-sasl \ --without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \ diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh index 2832197..2009b0e 100644 --- a/src/paks/libvirt/install.sh +++ b/src/paks/libvirt/install.sh @@ -22,6 +22,12 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# creates a new user and group called libvirt-remote if they not exist +getent group libvirt-remote >/dev/null || groupadd libvirt-remote +getent passwd libvirt-remote >/dev/null || \ +useradd -m -g libvirt-remote -s /bin/bash "libvirt-remote" + extract_files start_service --delay 300 --background ${NAME} ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch new file mode 100644 index 0000000..ed685e8 --- /dev/null +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch @@ -0,0 +1,43 @@ +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 +From: Jonatan Schlag jonatan.schlag@ipfire.org +Date: Mon, 6 Jun 2016 19:40:50 +0200 +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire + +Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org +--- + daemon/libvirtd.conf | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf +index ac06cdd..1a41914 100644 +--- a/daemon/libvirtd.conf ++++ b/daemon/libvirtd.conf +@@ -87,14 +87,14 @@ + # without becoming root. + # + # This is restricted to 'root' by default. +-#unix_sock_group = "libvirt" ++unix_sock_group = "libvirt-remote" + + # Set the UNIX socket permissions for the R/O socket. This is used + # for monitoring VM status only + # + # Default allows any user. If setting group ownership, you may want to + # restrict this too. +-#unix_sock_ro_perms = "0777" ++unix_sock_ro_perms = "0770" + + # Set the UNIX socket permissions for the R/W socket. This is used + # for full management of VMs +@@ -104,7 +104,7 @@ + # + # If not using PolicyKit and setting group ownership for access + # control, then you may want to relax this too. +-#unix_sock_rw_perms = "0770" ++unix_sock_rw_perms = "0770" + + # Set the UNIX socket permissions for the admin interface socket. + # +-- +2.1.4 +