WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] ACL for DomUs

On Wednesday 02 May 2007 08:56:11 Reinhard Brandstädter wrote:
> On Monday 30 April 2007 12:39:31 Steve Kemp wrote:
> > On Mon, Apr 30, 2007 at 10:02:15AM +0200, Reinhard Brandstädter wrote:
> > > I'd need some basic features like allowing a certain user group to
> > > start/stop/pause/unpause a domain (without giving them root access to
> > > the dom0). Maybe also permissions to create new domains (within limits
> > > or based on templates)...
> >
> >   I wrote a simple console-based shell to allow users to do that, and
> >  also gain access to the serial console:
> >
> >     http://xen-tools.org/software/xen-shell
>
> This looks pretty promising and of course I had to try it immediately.
> If I understand the documentation right you have to add an
> xen_shell="username" to the domU configuration to allow a user to control
> this domU.
>
> I did so and then launched xen-shell (or xen-login-shell) however the shell
> gives me some errors (doesn't understand most of the commands):
>
> xen-shell v1.1.80 - type 'help' for help.
> xen-shell> help
> xen-shell v1.1.80
>
> The following commands are available within this shell:
>
>       boot - Boot the Xen guest.
>    console - Gain access to a Xen guest via the serial console.
>       exit - Exit the shell.
>       help - Show general, or command-specific, help information.
>     passwd - Change the password used to access this host.
>       quit - Exit this shell.
>     reboot - Reboot the Xen guest.
>     serial - Gain access to the Xen guest via the serial console.
>   shutdown - Shutdown the Xen guest.
>     status - Show the status of the Xen guest.
>        top - Show system resource usage.
>     uptime - Show the uptime information of your guest system and this host.
>    version - Show the version of this shell, and of Xen.
>
> For command-specific help run "help command".
>
> xen-shell> list
> Unknown command: 'list' - type 'help' for help.

The reason for this behavior was that the user using the xen-shell didn't have 
rights to read the /etc/xen directory. With the right permissions xen-shell 
shows the available machines.

However there is a problem with machines whose names are created dynamically 
with parameters. E.g. I'm using a DomU config script that contains:

/etc/xen/apache
name = "apache-%d" %vmid

and can be used to create multiple DomUs with a commandline parameter to xm:

'xm create apache vmid=1'

The resulting VM is named 'apache-1'. So xen-shell won't find that a user has 
access to those machines.
I see two ways to solve this problem:
1.) Either make xen-shell aware of wildcards. If a domU 'name=' contains 
any %d in the xen config, all VMs that match are added to the user's access 
list.

2.) Every time a domain is created and its name is based on a wildcard, create 
a 'dummy' xen config file that only contains the resulting domain name and 
the xen_shell attribute. e.g. for me that would be:

/etc/xen/apache-1
name = "apache-1"
xen_shell = 'apacheadm'

Any other ideas?

Reinhard

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
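
Option 1 from the message above (wildcard-aware matching), as an added example that is not part of the original post and not xen-shell's own code: it reads `name` and `xen_shell` from a domU config without executing the file, then matches running domain names against an anchored pattern built from the `%d` template. The sample configs, the function names and the rule that `%d` matches digits only are assumptions.

```python
import ast
import re

# Constructed sample configs standing in for files under /etc/xen (assumption).
SAMPLE_CONFIGS = {
    "/etc/xen/apache": 'name = "apache-%d" %vmid\nxen_shell = \'apacheadm\'\n',
    "/etc/xen/mail": 'name = "mail"\nxen_shell = "mailadm"\n',
}

def _string_template(node):
    """Return the literal behind `"x"` or `"x-%d" % var`, else None."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        node = node.left
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def parse_config(text):
    """Collect name/xen_shell assignments; the config is parsed, never run."""
    found = {}
    for stmt in ast.parse(text).body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and stmt.targets[0].id in ("name", "xen_shell")):
            value = _string_template(stmt.value)
            if value is not None:
                found[stmt.targets[0].id] = value
    return found

def name_pattern(template):
    """Turn "apache-%d" into a regex; everything except %d is matched literally."""
    parts = [re.escape(p) for p in template.split("%d")]
    return re.compile(r"[0-9]+".join(parts))

def allowed_domains(user, running, configs=SAMPLE_CONFIGS):
    """Return the running domain names that `user` may control."""
    allowed = set()
    for text in configs.values():
        cfg = parse_config(text)
        if cfg.get("xen_shell") != user or "name" not in cfg:
            continue
        pattern = name_pattern(cfg["name"])
        # fullmatch keeps "apache-1-test" or "xapache-1" out of the access list.
        allowed.update(d for d in running if pattern.fullmatch(d))
    return sorted(allowed)
```

Matching with `fullmatch` and restricting `%d` to digits keeps the access list limited to names the template can actually produce, so a domain merely sharing a prefix with `apache-` is not handed to `apacheadm`.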
