This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] ACL for DomUs

On Wednesday 02 May 2007 08:56:11 Reinhard Brandstädter wrote:
> On Monday 30 April 2007 12:39:31 Steve Kemp wrote:
> > On Mon, Apr 30, 2007 at 10:02:15AM +0200, Reinhard Brandst?dter wrote:
> > > I'd need some basic features like allowing a certain user group to
> > > start/stop/pause/unpause a domain (without giving them root access to
> > > the dom0). Maybe also permissions to create new domains (within limits
> > > or based on templates)...
> >
> >   I wrote a simple console-based shell to allow users to do that, and
> >  also gain access to the serial console:
> >
> >     http://xen-tools.org/software/xen-shell
> This looks pretty promising and of course I had to try it immediately.
> If I understand the documentation right you have to add an
> xen_shell="username" to the domU configuration to allow a user to control
> this domU.
> I did so and then launched xen-shell (or xen-login-shell) however the shell
> gives me some errors (doesn't understand most of the commands):
> xen-shell v1.1.80 - type 'help' for help.
> xen-shell> help
> xen-shell v1.1.80
> The following commands are available within this shell:
>       boot - Boot the Xen guest.
>    console - Gain access to a Xen guest via the serial console.
>       exit - Exit the shell.
>       help - Show general, or command-specific, help information.
>     passwd - Change the password used to access this host.
>       quit - Exit this shell.
>     reboot - Reboot the Xen guest.
>     serial - Gain access to the Xen guest via the serial console.
>   shutdown - Shutdown the Xen guest.
>     status - Show the status of the Xen guest.
>        top - Show system resource usage.
>     uptime - Show the uptime information of your guest system and this
> host. version - Show the version of this shell, and of Xen.
> For command-specific help run "help command".
> xen-shell> list
> Unknown command: 'list' - type 'help' for help.

The reason for this behavior was that the user using the xen-shell didn't have 
rights to read the /etc/xen directory. with the right permissions xen-shell 
shows the available machines.

However there is a problem with machines which names are created dynamically 
with parameters. e.g. I'm using a DomU config script that contains:

name = "apache-%d" %vmid

and can be used to create multiple DomUs with a commandline parameter to xm:

'xm create apache vmid=1'

the resulting VMs is named 'apache-1'. So xen-shell won't find that a user has 
access to those machines.
I see two ways to solve this problem:
1.) either make xen-shell aware of wildcards. If a domU 'name=' contains 
any %d in the xen config, all VMs that match are added to the user's access 

2.) everytime a domain is created and its name is based on a wildcard create 
a 'dummy' xen config file that only contains the resulting domain name and 
the xen_shell attribute. e.g. for me that would be:

name = "apache-1"
xen_shell = 'apacheadm'

Any other ideas?


Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>