Change the default libvirt remote user to libvirt-remote
Message ID | 1465404243-20148-1-git-send-email-jonatan.schlag@ipfire.org |
---|---|
State | Superseded |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (hedwig.ipfire.org [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 9DF2E6154F for <patchwork@ipfire.org>; Wed, 8 Jun 2016 18:35:28 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 146911CF1; Wed, 8 Jun 2016 18:35:28 +0200 (CEST) Received: from fangorn.local.familyschlag (dslb-088-073-198-103.088.073.pools.vodafone-ip.de [88.73.198.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 05BCF1774; Wed, 8 Jun 2016 18:35:25 +0200 (CEST) From: Jonatan Schlag <jonatan.schlag@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] Change the default libvirt remote user to libvirt-remote Date: Wed, 8 Jun 2016 18:44:03 +0200 Message-Id: <1465404243-20148-1-git-send-email-jonatan.schlag@ipfire.org> X-Mailer: git-send-email 2.1.4 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Message
Jonatan Schlag
June 9, 2016, 2:44 a.m. UTC
It is possible to communicate per ssh via a socket with libvirt. It is
not a good idea to do this as root, so the remote user is now
libvirt-remote. Only this user or users in the group libvirt-remote can
communicate with the socket.
The user libvirt-remote is created with a random 64 characters long
password which can changed after the
installation.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
lfs/libvirt | 3 +-
src/paks/libvirt/install.sh | 4 ++
...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 ++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
Comments
Hi, what is the reason that you are creating a password for that user? Generally that is not required. And this will be unknown to the user any ways. Is the user supposed to log in with this user? If so they can give that user a password themselves. Would this still work when logging in as the root user? You will need some bits in the install.sh script that detects if the user already exists (after install, uninstall, install). You get use getent for that. On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote: > It is possible to communicate per ssh via a socket with libvirt. It is > not a good idea to do this as root, so the remote user is now > libvirt-remote. Only this user or users in the group libvirt-remote can > communicate with the socket. > The user libvirt-remote is created with a random 64 characters long > password which can changed after the > installation. > > Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> > --- > lfs/libvirt | 3 +- > src/paks/libvirt/install.sh | 4 ++ > ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 > ++++++++++++++++++++++ > 3 files changed, 49 insertions(+), 1 deletion(-) > create mode 100644 src/patches/libvirt/0002-Change-options-in-libvirtd.conf- > for-IPFire.patch > > diff --git a/lfs/libvirt b/lfs/libvirt > index b18364b..3c7413f 100644 > --- a/lfs/libvirt > +++ b/lfs/libvirt > @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > SUP_ARCH = i586 x86_64 > PROG = libvirt > -PAK_VER = 1 > +PAK_VER = 2 > > DEPS = "libpciaccess libyajl ncat qemu" > > @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001- > Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002- > Change-options-in-libvirtd.conf-for-IPFire.patch > cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- > sysconfdir=/etc \ > --with-openssl --without-sasl \ > --without-uml --without-vbox --without-lxc --without- > esx --without-vmware --without-openvz \ > diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh > index 2832197..5eee5a3 100644 > --- a/src/paks/libvirt/install.sh > +++ b/src/paks/libvirt/install.sh > @@ -22,6 +22,10 @@ > ############################################################################ > # > . /opt/pakfire/lib/functions.sh > + > +# creates a new user called libvirt-remote with a random 64 characters long > password > +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w > 64 | head -n 1) "libvirt-remote" > + > extract_files > start_service --delay 300 --background ${NAME} > ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd > diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch > new file mode 100644 > index 0000000..ed685e8 > --- /dev/null > +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > IPFire.patch > @@ -0,0 +1,43 @@ > +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 > +From: Jonatan Schlag <jonatan.schlag@ipfire.org> > +Date: Mon, 6 Jun 2016 19:40:50 +0200 > +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire > + > +Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> > +--- > + daemon/libvirtd.conf | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > + > +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf > +index ac06cdd..1a41914 100644 > +--- a/daemon/libvirtd.conf > ++++ b/daemon/libvirtd.conf > +@@ -87,14 +87,14 @@ > + # without becoming root. > + # > + # This is restricted to 'root' by default. > +-#unix_sock_group = "libvirt" > ++unix_sock_group = "libvirt-remote" This says group and not user... > + > + # Set the UNIX socket permissions for the R/O socket. This is used > + # for monitoring VM status only > + # > + # Default allows any user. If setting group ownership, you may want to > + # restrict this too. > +-#unix_sock_ro_perms = "0777" > ++unix_sock_ro_perms = "0770" > + > + # Set the UNIX socket permissions for the R/W socket. This is used > + # for full management of VMs > +@@ -104,7 +104,7 @@ > + # > + # If not using PolicyKit and setting group ownership for access > + # control, then you may want to relax this too. > +-#unix_sock_rw_perms = "0770" > ++unix_sock_rw_perms = "0770" > + > + # Set the UNIX socket permissions for the admin interface socket. > + # > +-- > +2.1.4 > + -Michael
Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer <michael.tremer@ipfire.org>: > Hi, > > what is the reason that you are creating a password for that user? > Generally > that is not required. And this will be unknown to the user any ways. This is indeed uneccessary. > > > Is the user supposed to log in with this user? > > If so they can give that user a password themselves. Yes the user is supposed to log in via ssh, so i will change this and we create just the user. > > > Would this still work when logging in as the root user? Yes this still work as root user. Root and all users in the group libvirt-remote can communicate with the socket. My thoughts were that the user of IPFire should not use the root user to communicate with the socket because it is completely unnecessary. A normal user like libvirt-remote would do it. So because I know that not everybody would create a user and add this user to the group libvirt-remote I thought that it would be better to create the user libvirt-remote automatically, so the user only has to change the password of this user and can then use this user to communicate with libvirt. The minimal variant would be to create the group libvirt-remote and change the options in libvirtd.conf and the user has to create the user (like libvirt-remote) by themselves. Just say what you would prefer :-). > > > You will need some bits in the install.sh script that detects if the > user > already exists (after install, uninstall, install). You get use > getent for that. Ok. > > > On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote: >> It is possible to communicate per ssh via a socket with libvirt. It >> is >> not a good idea to do this as root, so the remote user is now >> libvirt-remote. Only this user or users in the group libvirt-remote >> can >> communicate with the socket. >> The user libvirt-remote is created with a random 64 characters long >> password which can changed after the >> installation. >> >> Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> >> --- >> lfs/libvirt | 3 +- >> src/paks/libvirt/install.sh | 4 ++ >> ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 >> ++++++++++++++++++++++ >> 3 files changed, 49 insertions(+), 1 deletion(-) >> create mode 100644 >> src/patches/libvirt/0002-Change-options-in-libvirtd.conf- >> for-IPFire.patch >> >> diff --git a/lfs/libvirt b/lfs/libvirt >> index b18364b..3c7413f 100644 >> --- a/lfs/libvirt >> +++ b/lfs/libvirt >> @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) >> TARGET = $(DIR_INFO)/$(THISAPP) >> SUP_ARCH = i586 x86_64 >> PROG = libvirt >> -PAK_VER = 1 >> +PAK_VER = 2 >> >> DEPS = "libpciaccess libyajl ncat qemu" >> >> @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf >> $(DIR_DL)/$(DL_FILE) >> cd $(DIR_APP) && patch -Np1 -i >> $(DIR_SRC)/src/patches/libvirt/0001- >> Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch >> + cd $(DIR_APP) && patch -Np1 -i >> $(DIR_SRC)/src/patches/libvirt/0002- >> Change-options-in-libvirtd.conf-for-IPFire.patch >> cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- >> sysconfdir=/etc \ >> --with-openssl --without-sasl \ >> --without-uml --without-vbox --without-lxc --without- >> esx --without-vmware --without-openvz \ >> diff --git a/src/paks/libvirt/install.sh >> b/src/paks/libvirt/install.sh >> index 2832197..5eee5a3 100644 >> --- a/src/paks/libvirt/install.sh >> +++ b/src/paks/libvirt/install.sh >> @@ -22,6 +22,10 @@ >> >> ############################################################################ >> # >> . /opt/pakfire/lib/functions.sh >> + >> +# creates a new user called libvirt-remote with a random 64 >> characters long >> password >> +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc >> 'a-zA-Z0-9' | fold -w >> 64 | head -n 1) "libvirt-remote" >> + >> extract_files >> start_service --delay 300 --background ${NAME} >> ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd >> diff --git >> a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- >> IPFire.patch >> b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- >> IPFire.patch >> new file mode 100644 >> index 0000000..ed685e8 >> --- /dev/null >> +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- >> IPFire.patch >> @@ -0,0 +1,43 @@ >> +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 >> 2001 >> +From: Jonatan Schlag <jonatan.schlag@ipfire.org> >> +Date: Mon, 6 Jun 2016 19:40:50 +0200 >> +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire >> + >> +Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> >> +--- >> + daemon/libvirtd.conf | 6 +++--- >> + 1 file changed, 3 insertions(+), 3 deletions(-) >> + >> +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf >> +index ac06cdd..1a41914 100644 >> +--- a/daemon/libvirtd.conf >> ++++ b/daemon/libvirtd.conf >> +@@ -87,14 +87,14 @@ >> + # without becoming root. >> + # >> + # This is restricted to 'root' by default. >> +-#unix_sock_group = "libvirt" >> ++unix_sock_group = "libvirt-remote" > > This says group and not user... Right, but this group is created with the user, see my explanation above it is also possible to create only the group and no user. > > >> + >> + # Set the UNIX socket permissions for the R/O socket. This is used >> + # for monitoring VM status only >> + # >> + # Default allows any user. If setting group ownership, you may >> want to >> + # restrict this too. >> +-#unix_sock_ro_perms = "0777" >> ++unix_sock_ro_perms = "0770" >> + >> + # Set the UNIX socket permissions for the R/W socket. This is used >> + # for full management of VMs >> +@@ -104,7 +104,7 @@ >> + # >> + # If not using PolicyKit and setting group ownership for access >> + # control, then you may want to relax this too. >> +-#unix_sock_rw_perms = "0770" >> ++unix_sock_rw_perms = "0770" >> + >> + # Set the UNIX socket permissions for the admin interface socket. >> + # >> +-- >> +2.1.4 >> + > > -Michael Regards Jonatan PS. Tommorow i hope
On Thu, 2016-06-09 at 20:29 +0200, Jonatan Schlag wrote: > > > Am Do, 9. Jun, 2016 um 3:44 schrieb Michael Tremer <michael.tremer@ipfire.org> > : > > Hi, > > > > what is the reason that you are creating a password for that user? Generally > > that is not required. And this will be unknown to the user any ways. > This is indeed uneccessary. > > > > > > Is the user supposed to log in with this user? > > > > If so they can give that user a password themselves. > Yes the user is supposed to log in via ssh, so i will change this and we > create just the user. > > > > > > Would this still work when logging in as the root user? > Yes this still work as root user. Root and all users in the group libvirt- > remote can communicate with the socket. > > My thoughts were that the user of IPFire should not use the root user to > communicate with the socket because it is completely unnecessary. A normal > user like libvirt-remote would do it. > So because I know that not everybody would create a user and add this user to > the group libvirt-remote I thought that it would be better to create the user > libvirt-remote automatically, so the user only has to change the password of > this user and can then use this user to communicate with libvirt. > > The minimal variant would be to create the group libvirt-remote and change the > options in libvirtd.conf and the user has to create the user (like libvirt- > remote) by themselves. Just say what you would prefer :-). I would prefer to create a group and a user. We won't give the user a password which must be set by the user in order to login with that user. If someone prefers, they can create their own users and add them to the group. A system group should be created with groupadd of course be checked if that group existed before. > > > > > > > You will need some bits in the install.sh script that detects if the user > > already exists (after install, uninstall, install). You get use getent for > > that. > Ok. > > > > > > On Wed, 2016-06-08 at 18:44 +0200, Jonatan Schlag wrote: > > It is possible to communicate per ssh via a socket with libvirt. It is > > not a good idea to do this as root, so the remote user is now > > libvirt-remote. Only this user or users in the group libvirt-remote can > > communicate with the socket. > > The user libvirt-remote is created with a random 64 characters long > > password which can changed after the > > installation. > > > > Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> > > --- > > lfs/libvirt | 3 +- > > src/paks/libvirt/install.sh | 4 ++ > > ...hange-options-in-libvirtd.conf-for-IPFire.patch | 43 > > ++++++++++++++++++++++ > > 3 files changed, 49 insertions(+), 1 deletion(-) > > create mode 100644 src/patches/libvirt/0002-Change-options-in- > > libvirtd.conf- > > for-IPFire.patch > > > > diff --git a/lfs/libvirt b/lfs/libvirt > > index b18364b..3c7413f 100644 > > --- a/lfs/libvirt > > +++ b/lfs/libvirt > > @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > SUP_ARCH = i586 x86_64 > > PROG = libvirt > > -PAK_VER = 1 > > +PAK_VER = 2 > > > > DEPS = "libpciaccess libyajl ncat qemu" > > > > @@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > cd $(DIR_APP) && patch -Np1 -i > > $(DIR_SRC)/src/patches/libvirt/0001- > > Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch > > + cd $(DIR_APP) && patch -Np1 -i > > $(DIR_SRC)/src/patches/libvirt/0002- > > Change-options-in-libvirtd.conf-for-IPFire.patch > > cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var -- > > sysconfdir=/etc \ > > --with-openssl --without-sasl \ > > --without-uml --without-vbox --without-lxc -- > > without- > > esx --without-vmware --without-openvz \ > > diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh > > index 2832197..5eee5a3 100644 > > --- a/src/paks/libvirt/install.sh > > +++ b/src/paks/libvirt/install.sh > > @@ -22,6 +22,10 @@ > > ########################################################################## > > ## > > # > > . /opt/pakfire/lib/functions.sh > > + > > +# creates a new user called libvirt-remote with a random 64 characters > > long > > password > > +useradd -s /bin/bash -m -p $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold > > -w > > 64 | head -n 1) "libvirt-remote" > > + > > extract_files > > start_service --delay 300 --background ${NAME} > > ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd > > diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > > IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf- > > for- > > IPFire.patch > > new file mode 100644 > > index 0000000..ed685e8 > > --- /dev/null > > +++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for- > > IPFire.patch > > @@ -0,0 +1,43 @@ > > +From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001 > > +From: Jonatan Schlag <jonatan.schlag@ipfire.org> > > +Date: Mon, 6 Jun 2016 19:40:50 +0200 > > +Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire > > + > > +Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> > > +--- > > + daemon/libvirtd.conf | 6 +++--- > > + 1 file changed, 3 insertions(+), 3 deletions(-) > > + > > +diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf > > +index ac06cdd..1a41914 100644 > > +--- a/daemon/libvirtd.conf > > ++++ b/daemon/libvirtd.conf > > +@@ -87,14 +87,14 @@ > > + # without becoming root. > > + # > > + # This is restricted to 'root' by default. > > +-#unix_sock_group = "libvirt" > > ++unix_sock_group = "libvirt-remote" > > > > This says group and not user... > Right, but this group is created with the user, see my explanation above it is > also possible to create only the group and no user. > > > > > > + > > + # Set the UNIX socket permissions for the R/O socket. This is used > > + # for monitoring VM status only > > + # > > + # Default allows any user. If setting group ownership, you may want to > > + # restrict this too. > > +-#unix_sock_ro_perms = "0777" > > ++unix_sock_ro_perms = "0770" > > + > > + # Set the UNIX socket permissions for the R/W socket. This is used > > + # for full management of VMs > > +@@ -104,7 +104,7 @@ > > + # > > + # If not using PolicyKit and setting group ownership for access > > + # control, then you may want to relax this too. > > +-#unix_sock_rw_perms = "0770" > > ++unix_sock_rw_perms = "0770" > > + > > + # Set the UNIX socket permissions for the admin interface socket. > > + # > > +-- > > +2.1.4 > > + > > > > -Michael > Regards Jonatan > > PS. Tommorow i hope
Hi, Thank you for the fast answer. > I would prefer to create a group and a user. We won't give the user a > password > which must be set by the user in order to login with that user. > > If someone prefers, they can create their own users and add them to > the group. > > A system group should be created with groupadd of course be checked > if that > group existed before. I will send a new patch tomorrow, which the checks if the user and the group are existent and add the group extra. I will further send 2 patches which change the default qemu user to nobody when this 3 patch are merged libvirt could from my point of view pushed to the testing repo. Regards Jonatan
On Thu, 2016-06-09 at 20:45 +0200, Jonatan Schlag wrote: > Hi, > Thank you for the fast answer. > > > > I would prefer to create a group and a user. We won't give the user a > > password > > which must be set by the user in order to login with that user. > > > > If someone prefers, they can create their own users and add them to the > > group. > > > > A system group should be created with groupadd of course be checked if that > > group existed before. > I will send a new patch tomorrow, which the checks if the user and the group > are existent and add the group extra. > I will further send 2 patches which change the default qemu user to nobody > when this 3 patch are merged libvirt could from my point of view pushed to the > testing repo. I spoke with Arne that he can already upload this. So please just count up the release number and everyone will get an update (make sure that user and group will be created when updating, too)... -Michael > > Regards Jonatan >