Bug 42622 - libvirtd: Configure 'unix_sock_group' through UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Virtualization - UVMM
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-3-errata
Assigned To: Philipp Hahn
QA Contact: Erik Damrose
Depends on:
Blocks: 32656
Reported: 2016-10-11 09:37 CEST by Philipp Hahn
Modified: 2016-10-20 12:40 CEST (History)
CC List: 2 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Philipp Hahn univentionstaff 2016-10-11 09:37:54 CEST
+++ This bug was initially created as a clone of Bug #32656 +++
"sudo virsh" is unsafe in spite of the white-list (fork an editor as root), unneeded (libvirtd runs as root, virsh is only the dumb frontend not doing any file access) and complicates some workflows (not all wanted commands are white-listed, e.g. pool-refresh, screenshot, ...).

Instead /var/run/libvirt/libvirt-sock should be configured to allow access for "Tech":
@ /etc/univention/templates/files/etc/libvirt/libvirtd.conf:83
-unix_sock_group = "libvirt"
+unix_sock_group = "Tech"
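Review bot: hardcoding the group name "Tech" in the libvirtd.conf template makes the setting identical on every installation and can only be changed by editing the template; since the bug title asks for the group to be configured through UCR, the template should read the group from a UCR variable and keep "libvirt" as the default when it is unset. Because libvirtd runs as root (as the description notes), every member of whatever group ends up in unix_sock_group gets root-equivalent control of the host through /var/run/libvirt/libvirt-sock, so the variable's description should state that plainly and the group's membership should be reviewed before the change is rolled out.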
Comment 1 Philipp Hahn univentionstaff 2016-10-11 10:03:18 CEST
r73071 | Bug #42622 libvirt: New UCRV libvirt/group for unix_socket_group
r73072 | Bug #42622 libvirt: New UCRV libvirt/group for unix_socket_group

Package: univention-virtual-machine-manager-node
Version: 4.0.1-5.97.201610110950
Branch: ucs_4.1-0
Scope: errata4.1-3

r73073 | Bug #42622 libvirt: New UCRV libvirt/group for unix_socket_group YAML
 univention-virtual-machine-manager-node.yaml
Comment 2 Erik Damrose univentionstaff 2016-10-18 15:14:04 CEST
Reopen: The change itself is fine, but for this to work we had to export VIRSH_DEFAULT_CONNECT_URI=qemu:///system into users' ENV if users wanted to use and benefit from this change.

I think we should at least document this in the UCRv description

OK: configurable libvirtd.conf, UCR libvirt/group
OK: Merge to UCS 4.2, yaml.
Comment 3 Philipp Hahn univentionstaff 2016-10-18 16:05:47 CEST
(In reply to Erik Damrose from comment #2)
> Reopen: The change itself is fine, but for this to work we had to export
> VIRSH_DEFAULT_CONNECT_URI=qemu:///system into users ENV if users wanted to
> use and benefit from this change.
> 
> I think we should at least document this in the UCRv description

FYI: The system libvirtd is responsible for more than qemu://system, e.g. xen:///, lxc:///, test:///, parallels:///.

r73337 | Bug #42622 uvmm: More UCRV libvirt/group documentation
r73339 | Bug #42622 uvmm: More UCRV libvirt/group documentation

Package: univention-virtual-machine-manager-node
Version: 4.0.1-6.98.201610181603
Branch: ucs_4.1-0
Scope: errata4.1-3

r73338 | Bug #42622 uvmm: More UCRV libvirt/group documentation YAML
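As an added example for the discussion in comments 2 and 3 (this script is not part of the Univention package or of the bug), the following POSIX shell audit reads the effective unix_sock_group from a libvirtd.conf body, lists the members of that group from an /etc/group body, and so shows exactly which accounts obtain access to the root-owned libvirtd socket. The configuration and group-file contents are constructed samples embedded inline so the script runs offline; the fallback group "root" for a missing unix_sock_group key is an assumption about libvirtd's built-in default, not something stated on the page.

```shell
#!/bin/sh
# Added example, not Univention code: audit which users gain access to the
# libvirtd UNIX socket through unix_sock_group. Inputs are constructed samples.

# Constructed sample of /etc/libvirt/libvirtd.conf (one commented-out default,
# one active assignment).
SAMPLE_LIBVIRTD_CONF='# Set the UNIX domain socket group ownership.
#unix_sock_group = "libvirt"
unix_sock_group = "Tech"
unix_sock_rw_perms = "0770"'

# Constructed sample of /etc/group.
SAMPLE_GROUP_FILE='root:x:0:
libvirt:x:115:
Tech:x:1001:alice,bob'

# Print the effective unix_sock_group from a libvirtd.conf body on stdin.
# Only uncommented assignments count and the last one wins; when the key is
# absent the socket keeps its owner group, assumed here to be "root".
socket_group() {
    grp=$(grep -E '^[[:space:]]*unix_sock_group[[:space:]]*=' |
          tail -n 1 | sed -e 's/.*=[[:space:]]*"\([^"]*\)".*/\1/')
    printf '%s\n' "${grp:-root}"
}

# Print the space-separated members of group $1 from an /etc/group body on stdin.
group_members() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# One-line report: the socket group and every account that inherits
# root-equivalent control of the host through it.
audit_socket_access() {
    conf="$1"; groups="$2"
    g=$(printf '%s\n' "$conf" | socket_group)
    members=$(printf '%s\n' "$groups" | group_members "$g")
    printf 'unix_sock_group=%s members=%s\n' "$g" "${members:-<none>}"
}

audit_socket_access "$SAMPLE_LIBVIRTD_CONF" "$SAMPLE_GROUP_FILE"
```

On a real host, feed `/etc/libvirt/libvirtd.conf` and `/etc/group` to the two functions and compare the reported group with `stat -c %G /var/run/libvirt/libvirt-sock` to confirm libvirtd actually applied the setting. Membership in the socket group only helps a user whose virsh connects to the system instance, which is why comment 2 needed `VIRSH_DEFAULT_CONNECT_URI=qemu:///system` in the environment: without it, virsh defaults to a per-user session instance that never touches this socket.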
Comment 4 Erik Damrose univentionstaff 2016-10-19 10:47:33 CEST
OK: updated UCRv description
OK: YAML
OK: Merge to ucs4.2
-> Verified
Comment 5 Janek Walkenhorst univentionstaff 2016-10-20 12:40:54 CEST
<http://errata.software-univention.de/ucs/4.1/310.html>