[PATCH] Change the default libvirt remote user to libvirt-remote

Jonatan Schlag jonatan.schlag at ipfire.org
Thu Jun 9 20:29:35 CEST 2016



Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer 
<michael.tremer at ipfire.org>:
> Hi,
> 
> what is the reason that you are creating a password for that user? 
> Generally
> that is not required. And this will be unknown to the user any ways.

This is indeed uneccessary.
> 
> 
> Is the user supposed to log in with this user?
> 
> If so they can give that user a password themselves.

Yes the user is supposed to log in via ssh, so i will change this and 
we create just the user.
> 
> 
> Would this still work when logging in as the root user?

Yes this still work as root user. Root and all users  in the group 
libvirt-remote can communicate with the socket.

My thoughts were that the user of IPFire should not use the root user 
to communicate with the socket because it is completely unnecessary. A 
normal user like libvirt-remote would do it.
So because I know that not everybody would create a user and add this 
user to the group libvirt-remote I thought that it would be better to 
create the user libvirt-remote automatically, so the user only has  to 
change the password of this user and can then use this user to 
communicate with libvirt.

The minimal variant would be to create the group libvirt-remote and 
change the options in libvirtd.conf and the user has to create the user 
(like libvirt-remote) by themselves. Just say what you would prefer :-).

> 
> 
> You will need some bits in the install.sh script that detects if the 
> user
> already exists (after install, uninstall, install). You get use 
> getent for that.

Ok.
> 
> 
> On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote:
>>  It is possible to communicate per ssh via a socket with libvirt. It 
>> is
>>  not a good idea to do this as root, so the remote user is now
>>  libvirt-remote. Only this user or users in the group libvirt-remote 
>> can
>>  communicate with the socket.
>>  The user libvirt-remote is created with a random 64 characters long
>>  password which can changed after the
>>  installation.
>> 
>>  Signed-off-by: Jonatan Schlag <jonatan.schlag at ipfire.org>
>>  ---
>>   lfs/libvirt                                        |  3 +-
>>   src/paks/libvirt/install.sh                        |  4 ++
>>   ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43
>>  ++++++++++++++++++++++
>>   3 files changed, 49 insertions(+), 1 deletion(-)
>>   create mode 100644 
>> src/patches/libvirt/0002-Change-options-in-libvirtd.conf-
>>  for-IPFire.patch
>> 
>>  diff --git a/lfs/libvirt b/lfs/libvirt
>>  index b18364b..3c7413f 100644
>>  --- a/lfs/libvirt
>>  +++ b/lfs/libvirt
>>  @@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>   TARGET     = $(DIR_INFO)/$(THISAPP)
>>   SUP_ARCH   = i586 x86_64
>>   PROG       = libvirt
>>  -PAK_VER    = 1
>>  +PAK_VER    = 2
>> 
>>   DEPS       = "libpciaccess libyajl ncat qemu"
>> 
>>  @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>   	@$(PREBUILD)
>>   	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf 
>> $(DIR_DL)/$(DL_FILE)
>>   	cd $(DIR_APP) && patch -Np1 -i 
>> $(DIR_SRC)/src/patches/libvirt/0001-
>>  Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
>>  +	cd $(DIR_APP) && patch -Np1 -i 
>> $(DIR_SRC)/src/patches/libvirt/0002-
>>  Change-options-in-libvirtd.conf-for-IPFire.patch
>>   	cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --
>>  sysconfdir=/etc \
>>   			--with-openssl --without-sasl \
>>   			--without-uml --without-vbox --without-lxc --without-
>>  esx --without-vmware --without-openvz \
>>  diff --git a/src/paks/libvirt/install.sh 
>> b/src/paks/libvirt/install.sh
>>  index 2832197..5eee5a3 100644
>>  --- a/src/paks/libvirt/install.sh
>>  +++ b/src/paks/libvirt/install.sh
>>  @@ -22,6 +22,10 @@
>>   
>> ############################################################################
>>   #
>>   . /opt/pakfire/lib/functions.sh
>>  +
>>  +# creates a new user called libvirt-remote with a random 64 
>> characters long
>>  password
>>  +useradd -s /bin/bash -m  -p $(cat /dev/urandom | tr -dc 
>> 'a-zA-Z0-9' | fold -w
>>  64 | head -n 1) "libvirt-remote"
>>  +
>>   extract_files
>>   start_service --delay 300 --background ${NAME}
>>   ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
>>  diff --git 
>> a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
>>  IPFire.patch 
>> b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
>>  IPFire.patch
>>  new file mode 100644
>>  index 0000000..ed685e8
>>  --- /dev/null
>>  +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-
>>  IPFire.patch
>>  @@ -0,0 +1,43 @@
>>  +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 
>> 2001
>>  +From: Jonatan Schlag <jonatan.schlag at ipfire.org>
>>  +Date: Mon, 6 Jun 2016 19:40:50 +0200
>>  +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
>>  +
>>  +Signed-off-by: Jonatan Schlag <jonatan.schlag at ipfire.org>
>>  +---
>>  + daemon/libvirtd.conf | 6 +++---
>>  + 1 file changed, 3 insertions(+), 3 deletions(-)
>>  +
>>  +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
>>  +index ac06cdd..1a41914 100644
>>  +--- a/daemon/libvirtd.conf
>>  ++++ b/daemon/libvirtd.conf
>>  +@@ -87,14 +87,14 @@
>>  + # without becoming root.
>>  + #
>>  + # This is restricted to 'root' by default.
>>  +-#unix_sock_group = "libvirt"
>>  ++unix_sock_group = "libvirt-remote"
> 
> This says group and not user...

Right, but this group is created with the user, see my explanation 
above it is also possible to create only the group and no user.
> 
> 
>>  +
>>  + # Set the UNIX socket permissions for the R/O socket. This is used
>>  + # for monitoring VM status only
>>  + #
>>  + # Default allows any user. If setting group ownership, you may 
>> want to
>>  + # restrict this too.
>>  +-#unix_sock_ro_perms = "0777"
>>  ++unix_sock_ro_perms = "0770"
>>  +
>>  + # Set the UNIX socket permissions for the R/W socket. This is used
>>  + # for full management of VMs
>>  +@@ -104,7 +104,7 @@
>>  + #
>>  + # If not using PolicyKit and setting group ownership for access
>>  + # control, then you may want to relax this too.
>>  +-#unix_sock_rw_perms = "0770"
>>  ++unix_sock_rw_perms = "0770"
>>  +
>>  + # Set the UNIX socket permissions for the admin interface socket.
>>  + #
>>  +--
>>  +2.1.4
>>  +
> 
> -Michael

Regards Jonatan

PS. Tommorow i hope
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipfire.org/pipermail/development/attachments/20160609/6d9bcb25/attachment.html>


More information about the Development mailing list