]> git.ipfire.org Git - ipfire-2.x.git/commitdiff
projects / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6c2720c)
Change the default libvirt remote user to libvirt-remote
authorJonatan Schlag <jonatan.schlag@ipfire.org>
Fri, 10 Jun 2016 08:57:13 +0000 (10:57 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 16 Jun 2016 08:32:49 +0000 (09:32 +0100)
It is possible to communicate per ssh via a socket with libvirt. It is
not a good idea to do this as root, so the remote user is now
libvirt-remote. Only this user or users in the group libvirt-remote can
communicate with the socket.
The user libvirt-remote is created without a password. The users have to
set a password for this user after installation.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/libvirt patch | blob | blame | history
src/paks/libvirt/install.sh patch | blob | blame | history
src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch [new file with mode: 0644] patch | blob

diff --git a/lfs/libvirt b/lfs/libvirt
index b18364bee5e6aab65cf6b2e4eca5f4d6f6ff6b14..3c7413f0c25da1eda5f05ddebb839a1ed505ceef 100644 (file)
--- a/lfs/libvirt
+++ b/lfs/libvirt
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = libvirt
 TARGET     = $(DIR_INFO)/$(THISAPP)
 SUP_ARCH   = i586 x86_64
 PROG       = libvirt
-PAK_VER    = 1
+PAK_VER    = 2
 
 DEPS       = "libpciaccess libyajl ncat qemu"
 
 
 DEPS       = "libpciaccess libyajl ncat qemu"
 
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0001-Change-default-behavior-of-libvirt-guests.sh-for-IPF.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
        cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
                        --with-openssl --without-sasl \
                        --without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
        cd $(DIR_APP) && ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
                        --with-openssl --without-sasl \
                        --without-uml --without-vbox --without-lxc --without-esx --without-vmware --without-openvz \
diff --git a/src/paks/libvirt/install.sh b/src/paks/libvirt/install.sh
index 2832197c264018360f15e061e622ad834ee32b01..2009b0ea9391f2faf3b0eac9ee35707249e2dfb1 100644 (file)
--- a/src/paks/libvirt/install.sh
+++ b/src/paks/libvirt/install.sh
@@ -22,6 +22,12 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
+
+# creates a new user and group called libvirt-remote if they not exist
+getent group libvirt-remote >/dev/null || groupadd  libvirt-remote
+getent passwd libvirt-remote >/dev/null || \
+useradd -m -g libvirt-remote -s /bin/bash "libvirt-remote"
+
 extract_files
 start_service --delay 300 --background ${NAME}
 ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
 extract_files
 start_service --delay 300 --background ${NAME}
 ln -svf /etc/init.d/libvirtd /etc/rc.d/rc0.d/K20libvirtd
diff --git a/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
new file mode 100644 (file)
index 0000000..ed685e8
--- /dev/null
+++ b/src/patches/libvirt/0002-Change-options-in-libvirtd.conf-for-IPFire.patch
@@ -0,0 +1,43 @@
+From 69d6e8ce6c636f78d1db0eebe7fb1cc02ae4fb9a Mon Sep 17 00:00:00 2001
+From: Jonatan Schlag <jonatan.schlag@ipfire.org>
+Date: Mon, 6 Jun 2016 19:40:50 +0200
+Subject: [PATCH 2/2] Change options in libvirtd.conf for IPFire
+
+Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
+---
+ daemon/libvirtd.conf | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
+index ac06cdd..1a41914 100644
+--- a/daemon/libvirtd.conf
++++ b/daemon/libvirtd.conf
+@@ -87,14 +87,14 @@
+ # without becoming root.
+ #
+ # This is restricted to 'root' by default.
+-#unix_sock_group = "libvirt"
++unix_sock_group = "libvirt-remote"
+ # Set the UNIX socket permissions for the R/O socket. This is used
+ # for monitoring VM status only
+ #
+ # Default allows any user. If setting group ownership, you may want to
+ # restrict this too.
+-#unix_sock_ro_perms = "0777"
++unix_sock_ro_perms = "0770"
+ # Set the UNIX socket permissions for the R/W socket. This is used
+ # for full management of VMs
+@@ -104,7 +104,7 @@
+ #
+ # If not using PolicyKit and setting group ownership for access
+ # control, then you may want to relax this too.
+-#unix_sock_rw_perms = "0770"
++unix_sock_rw_perms = "0770"
+ # Set the UNIX socket permissions for the admin interface socket.
+ #
+-- 
+2.1.4
+
IPFire 2.x development tree