console access to non root xen 3.0

console access to non root xen 3.0

Szalai Ferenc
Hi,

Is there any regular way to give console access to a specified domU to a
non-root user?
How can Xen domain providers solve this problem with Xen 3.x?

--

Regards
Ferenc


_______________________________________________
Xen-users mailing list
[hidden email]
http://lists.xensource.com/xen-users

Re: console access to non root xen 3.0

Andrew Thompson-3
On Wed, Apr 05, 2006 at 09:09:30AM +0200, Szalai Ferenc wrote:
> Hi,
>
> Is there any regular way to give console access to specified domU to not
> root user?
> How xen domain providers can solve this problem with xen 3.x?

Unixshell provides console access to their customers via ssh on an alternate port (not 22). I know it can be done, I'm just not sure how they're doing it.

For my personal use, I use xm console as root. A couple of times I've tried to figure out xencons, but didn't get any further than:

xen ~ # man xencons
No manual entry for xencons
xen ~ # xencons --help
/usr/bin/xencons <host> <port>

--
Andrew Thompson
http://aktzero.com/


RE: console access to non root xen 3.0

Steve Brueckner
In reply to this post by Szalai Ferenc
Andrew Thompson wrote:

> On Wed, Apr 05, 2006 at 09:09:30AM +0200, Szalai Ferenc wrote:
>> Hi,
>>
>> Is there any regular way to give console access to specified domU to
>> not root user? How xen domain providers can solve this problem with
>> xen 3.x?
>
> Unixshell provides console access to their customers via ssh on an
> alternate port(not 22). I know it can be done, I'm just not sure how
> they're doing it.  
>
> For my personal use, I use xm console as root. A couple of times I've
> tried to figure out xencons, but didn't get any further than:
>
> xen ~ # man xencons
> No manual entry for xencons
> xen ~ # xencons --help
> /usr/bin/xencons <host> <port>

If you mean local access (not via the network) then you can use sudo to give
the user permission to execute 'xm console'.  For access to a specific domU
you'd also need to use a separate domU config file for that domain, and give
the user additional sudo access to execute 'xm list.'  Then you can write a
little script the user can execute (but not write!) that will list running
domU's, grep the results for the custom config file name, and awk the output
line for that domain's Id.  Finally, the script would call 'xm console
<id>'.

Kind of roundabout I know, but we work with the tools we have.

 - Steve Brueckner, ATC-NY


Re: console access to non root xen 3.0

jmdh
On Wed, Apr 05, 2006 at 10:19:11AM -0400, Steve Brueckner wrote:

> the user permission to execute 'xm console'.  For access to a specific domU
> you'd also need to use a separate domU config file for that domain, and give
> the user additional sudo access to execute 'xm list.'  Then you can write a
> little script the user can execute (but not write!) that will list running
> domU's, grep the results for the custom config file name, and awk the output
> line for that domain's Id.  Finally, the script would call 'xm console
> <id>'.

Ick! No.

Just give them sudo access to run /usr/sbin/xm console <their name>.
There's no need to parse the output of xm list.

As part of my domain setup script I have

echo "$1 ALL=NOPASSWD:/usr/sbin/xm console $1, /usr/sbin/xm create -c /etc/xen/hosted/$1, /usr/sbin/xm destroy $1, /usr/sbin/reimage-dom $1 ?" >> /etc/sudoers

where reimage-dom is a script that unpacks a fresh tarball onto their
filesystem. Their shell is then set to a custom shell script which
provides a menu interface to let them run these commands, and these
only.

Don't ever let users onto a dom0 machine unless you want them to have
effective root onto all machines. The stakes are too high.

Cheers,

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
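
Added example, not part of the original post or the poster's setup script: one way to generate the per-customer rule described above while rejecting names that would change the meaning of the sudoers line, and to syntax-check it with visudo before it takes effect. The /etc/sudoers.d drop-in directory, the xen-<name> file name and the function names are assumptions; reimage-dom is left out because its arguments are not shown in the post.

```shell
#!/bin/sh
# Added example: per-customer sudoers rule with input validation.
LC_ALL=C; export LC_ALL           # make the a-z ranges below ASCII-only
XM=/usr/sbin/xm                   # path from the post
CFGDIR=/etc/xen/hosted            # path from the post

# A name is used as sudoers user, domU name and config file name, so allow
# only: lowercase letter first, then [a-z0-9_-], at most 32 characters.
# This rejects spaces, commas, '/', '..' and sudoers wildcards (* ? [ ]).
valid_name() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the sudoers line for one customer. Arguments are spelled out in
# full, so sudo matches only these exact command lines.
sudoers_rule() {
    valid_name "$1" || { echo "invalid name: $1" >&2; return 1; }
    printf '%s ALL=NOPASSWD: %s console %s, %s create -c %s/%s, %s destroy %s\n' \
        "$1" "$XM" "$1" "$XM" "$CFGDIR" "$1" "$XM" "$1"
}

# Write the rule to a temp file, let visudo parse it, and only then install
# it as a drop-in (assumes the main sudoers file includes /etc/sudoers.d).
# A syntax error is caught here instead of breaking sudo for everyone.
install_rule() {
    tmp=$(mktemp) || return 1
    sudoers_rule "$1" > "$tmp" && visudo -cf "$tmp" >/dev/null \
        && install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/xen-$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as root with the customer name as the only argument.
if [ "$#" -gt 0 ]; then
    install_rule "$1"
fi
```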


Re: console access to non root xen 3.0

Szalai Ferenc
In reply to this post by Steve Brueckner
Steve Brueckner wrote:

> Andrew Thompson wrote:
>
>> On Wed, Apr 05, 2006 at 09:09:30AM +0200, Szalai Ferenc wrote:
>>
>>> Hi,
>>>
>>> Is there any regular way to give console access to specified domU to
>>> not root user? How xen domain providers can solve this problem with
>>> xen 3.x?
>>
>> Unixshell provides console access to their customers via ssh on an
>> alternate port(not 22). I know it can be done, I'm just not sure how
>> they're doing it.
>>
>> For my personal use, I use xm console as root. A couple of times I've
>> tried to figure out xencons, but didn't get any further than:
>>
>> xen ~ # man xencons
>> No manual entry for xencons
>> xen ~ # xencons --help
>> /usr/bin/xencons <host> <port>
>
> If you mean local access (not via the network) then you can use sudo to give
> the user permission to execute 'xm console'.  For access to a specific domU
> you'd also need to use a separate domU config file for that domain, and give
> the user additional sudo access to execute 'xm list.'  Then you can write a
> little script the user can execute (but not write!) that will list running
> domU's, grep the results for the custom config file name, and awk the output
> line for that domain's Id.  Finally, the script would call 'xm console
> <id>'.

Yes, the sudo-based solutions can be used, but I would be very happy if I
did not have to give any kind of direct access to my dom0 to my users. So I
am very interested in another solution where the console provider application
(xencons, xm list, etc.) runs on a different host than dom0.

--

Regards,
Ferenc

