Re: [Xen-users] ACL for DomUs
On Wednesday 02 May 2007 08:56:11 Reinhard Brandstädter wrote:
> On Monday 30 April 2007 12:39:31 Steve Kemp wrote:
> > On Mon, Apr 30, 2007 at 10:02:15AM +0200, Reinhard Brandstädter wrote:
> > > I'd need some basic features like allowing a certain user group to
> > > start/stop/pause/unpause a domain (without giving them root access to
> > > the dom0). Maybe also permissions to create new domains (within limits
> > > or based on templates)...
> > I wrote a simple console-based shell to allow users to do that, and
> > also gain access to the serial console:
> > http://xen-tools.org/software/xen-shell
> This looks pretty promising and of course I had to try it immediately.
> If I understand the documentation right you have to add an
> xen_shell="username" to the domU configuration to allow a user to control
> this domU.
> I did so and then launched xen-shell (or xen-login-shell) however the shell
> gives me some errors (doesn't understand most of the commands):
> xen-shell v1.1.80 - type 'help' for help.
> xen-shell> help
> xen-shell v1.1.80
> The following commands are available within this shell:
> boot - Boot the Xen guest.
> console - Gain access to a Xen guest via the serial console.
> exit - Exit the shell.
> help - Show general, or command-specific, help information.
> passwd - Change the password used to access this host.
> quit - Exit this shell.
> reboot - Reboot the Xen guest.
> serial - Gain access to the Xen guest via the serial console.
> shutdown - Shutdown the Xen guest.
> status - Show the status of the Xen guest.
> top - Show system resource usage.
> uptime - Show the uptime information of your guest system and this host.
> version - Show the version of this shell, and of Xen.
> For command-specific help run "help command".
> xen-shell> list
> Unknown command: 'list' - type 'help' for help.
The reason for this behavior was that the user using the xen-shell didn't have
rights to read the /etc/xen directory. With the right permissions xen-shell
shows the available machines.
However there is a problem with machines whose names are created dynamically
with parameters. E.g. I'm using a DomU config script that contains:
name = "apache-%d" %vmid
and can be used to create multiple DomUs with a command-line parameter to xm:
'xm create apache vmid=1'
The resulting VM is named 'apache-1'. So xen-shell won't find that a user has
access to those machines.
I see two ways to solve this problem:
1.) either make xen-shell aware of wildcards. If a domU 'name=' contains
any %d in the xen config, all VMs that match are added to the user's access.
2.) every time a domain is created and its name is based on a wildcard, create
a 'dummy' xen config file that only contains the resulting domain name and
the xen_shell attribute. E.g. for me that would be:
name = "apache-1"
xen_shell = 'apacheadm'
Any other ideas?
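Option 1 from the message, sketched as an added example that is not part of the original e-mail and is not xen-shell's own code: a `name =` template containing `%d` becomes a fully anchored pattern, so `apache-1` is granted to the `xen_shell` user while `apache-1-test` or `xapache-1` is not. The function names and sample configs are constructed for illustration, and the sketch assumes `name` and `xen_shell` appear as simple quoted assignments with one username.

```python
import re

# Constructed sample configs (file name -> contents), modelled on the message.
SAMPLE_CONFIGS = {
    "apache": 'name = "apache-%d" % vmid\nxen_shell = \'apacheadm\'\n',
    "mail": 'name = "mail"\nxen_shell = "mailadm"\n',
    "db": 'name = "db-%d" % vmid\n',  # no xen_shell line: nobody gets access
}

# Matches lines such as: name = "apache-%d" % vmid   or   xen_shell = 'user'
_ASSIGN = re.compile(r'^\s*(name|xen_shell)\s*=\s*(["\'])(.*?)\2', re.M)


def parse_config(text):
    """Return (name_template, owner) taken from simple quoted assignments."""
    fields = {key: value for key, _quote, value in _ASSIGN.findall(text)}
    return fields.get("name"), fields.get("xen_shell")


def name_pattern(template):
    """Regex for a name template: only %d is a wildcard, and it means digits.

    Every other character is escaped, so the template cannot smuggle in
    regex syntax that widens the match.
    """
    literal_parts = [re.escape(part) for part in template.split("%d")]
    return re.compile("[0-9]+".join(literal_parts))


def allowed_domains(user, configs, running):
    """Return the running domain names that `user` may control."""
    allowed = set()
    for text in configs.values():
        template, owner = parse_config(text)
        if template is None or owner is None or owner != user:
            continue
        pattern = name_pattern(template)
        # fullmatch anchors both ends: a shared prefix is not enough.
        allowed.update(d for d in running if pattern.fullmatch(d))
    return sorted(allowed)


if __name__ == "__main__":
    running = ["apache-1", "apache-22", "apache-1-test", "xapache-1", "mail", "db-1"]
    for user in ("apacheadm", "mailadm"):
        print(user, allowed_domains(user, SAMPLE_CONFIGS, running))
```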