Re: [Xen-users] ACL for DomUs
On Wednesday 02 May 2007 08:56:11 Reinhard Brandstädter wrote:
> On Monday 30 April 2007 12:39:31 Steve Kemp wrote:
> > On Mon, Apr 30, 2007 at 10:02:15AM +0200, Reinhard Brandstädter wrote:
> > > I'd need some basic features like allowing a certain user group to
> > > start/stop/pause/unpause a domain (without giving them root access to
> > > the dom0). Maybe also permissions to create new domains (within limits
> > > or based on templates)...
> >
> > I wrote a simple console-based shell to allow users to do that, and
> > also gain access to the serial console:
> >
> > http://xen-tools.org/software/xen-shell
>
> This looks pretty promising and of course I had to try it immediately.
> If I understand the documentation right you have to add an
> xen_shell="username" to the domU configuration to allow a user to control
> this domU.
>
> I did so and then launched xen-shell (or xen-login-shell) however the shell
> gives me some errors (doesn't understand most of the commands):
>
> xen-shell v1.1.80 - type 'help' for help.
> xen-shell> help
> xen-shell v1.1.80
>
> The following commands are available within this shell:
>
> boot - Boot the Xen guest.
> console - Gain access to a Xen guest via the serial console.
> exit - Exit the shell.
> help - Show general, or command-specific, help information.
> passwd - Change the password used to access this host.
> quit - Exit this shell.
> reboot - Reboot the Xen guest.
> serial - Gain access to the Xen guest via the serial console.
> shutdown - Shutdown the Xen guest.
> status - Show the status of the Xen guest.
> top - Show system resource usage.
> uptime - Show the uptime information of your guest system and this host.
> version - Show the version of this shell, and of Xen.
>
> For command-specific help run "help command".
>
> xen-shell> list
> Unknown command: 'list' - type 'help' for help.

The reason for this behavior was that the user using the xen-shell didn't
have rights to read the /etc/xen directory.
With the right permissions xen-shell shows the available machines.

However there is a problem with machines whose names are created dynamically
with parameters. e.g. I'm using a DomU config script that contains:

/etc/xen/apache
  name = "apache-%d" %vmid

and can be used to create multiple DomUs with a commandline parameter to xm:
'xm create apache vmid=1'
the resulting VM is named 'apache-1'.
So xen-shell won't find that a user has access to those machines.

I see two ways to solve this problem:

1.) either make xen-shell aware of wildcards. If a domU 'name=' contains any
    %d in the xen config, all VMs that match are added to the user's access
    list.
2.) every time a domain is created and its name is based on a wildcard create
    a 'dummy' xen config file that only contains the resulting domain name
    and the xen_shell attribute.
    e.g. for me that would be:

    /etc/xen/apache-1
      name = "apache-1"
      xen_shell = 'apacheadm'

Any other ideas?

Reinhard

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
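
Option 1 from the message above (a wildcard-aware lookup), sketched as an added example that is not part of the original post and not xen-shell's own code. It assumes the config is read as text rather than executed, that xen_shell holds a single username as shown in the message, and that %d stands for decimal digits only; the helper names and sample configs are constructed for illustration.

```python
import re

# Constructed sample configs, keyed by path as in the message above.
CONFIGS = {
    "/etc/xen/apache": 'name = "apache-%d" %vmid\nxen_shell = \'apacheadm\'\n',
    "/etc/xen/mail": 'name = "mail"\nxen_shell = "mailadm"\n',
}

# Match the quoted value of each attribute at the start of a line.
NAME_RE = re.compile(r'^\s*name\s*=\s*(["\'])(.*?)\1', re.M)
USER_RE = re.compile(r'^\s*xen_shell\s*=\s*(["\'])(.*?)\1', re.M)


def name_pattern(template):
    """Turn a name template into a regex; every literal part is escaped
    and %d matches ASCII digits only."""
    parts = [re.escape(p) for p in template.split("%d")]
    return re.compile("[0-9]+".join(parts))


def parse_config(text):
    """Extract (name pattern, user) without executing the config file."""
    name, user = NAME_RE.search(text), USER_RE.search(text)
    if not name or not user:
        return None  # no name or no xen_shell attribute: nobody gets access
    return name_pattern(name.group(2)), user.group(2)


def allowed_domains(user, configs, domains):
    """Return the domains from `domains` that `user` may control."""
    rules = [r for r in map(parse_config, configs.values()) if r]
    # fullmatch anchors both ends, so 'apache-1-x' and 'xapache-1'
    # do not slip through a rule written for 'apache-%d'.
    return sorted(
        d for d in domains
        if any(u == user and pat.fullmatch(d) for pat, u in rules)
    )


if __name__ == "__main__":
    running = ["apache-1", "apache-22", "apache-1-x", "xapache-1", "mail"]
    print(allowed_domains("apacheadm", CONFIGS, running))
```

The access decision depends on matching the whole domain name: a prefix or substring match would hand the apacheadm user any domain whose name merely starts with or contains apache-1.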