SCIENTIFIC-LINUX-USERS Archives

December 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Wed, 19 Dec 2012 12:14:27 +0100
On 19/12/12 04:38, Nico Kadel-Garcia wrote:
> I'd love to be able to use sudo with virt-manager, but it simply
> fails. It does work on Ubuntu, and I'd like to be able to use sudo for
> all access to my KVM servers, rather than direct root login.
> 
> Is anyone using sudo successfully with virt-manager on SL 6.3? Other X
> applications work just fine.

I do something similar to this, but slightly differently.  I'm running
virt-manager as my local user, but connecting to the TCP port,
authenticating using the SASL feature.  (I double-checked the network
traffic, and even though not using SSL the password is not transferred
over the network in clear-text.)

* In /etc/libvirt/libvirtd.conf I set the following parameters:

   listen_tls=0
   listen_tcp=1
   listen_address=x.x.x.x # optional
   auth_tcp = "sasl"


* Create the SASL database with the username/password I want to use

  Look up the "sasldb_path" in /etc/sasl2/libvirt.conf.  In my setup
  it was set to /etc/libvirt/passwd.db.  Then do:

  [root@host ~]# saslpasswd2 -f /etc/libvirt/passwd.db <USERNAME>

  The username can be completely virtual if you want.  saslpasswd2 will
  ask for the wanted password.  This username/password will only be
  used for libvirt.

  You can check the user database like this:

  [root@host ~]# sasldblistusers2 -f /etc/libvirt/passwd.db


* Make libvirtd listen to TCP sockets
  Edit /etc/sysconfig/libvirtd so that LIBVIRTD_ARGS has "--listen" set

  F.ex:
  LIBVIRTD_ARGS="--listen"


* Restart libvirtd

  [root@host ~]# service libvirtd restart

If you want to connect to another IP than localhost, you also need to
open up your firewall as well.  But at this point, it should be possible
to connect to libvirt over the network:

   [user@host ~]$ virsh -c qemu+tcp://localhost/system
   [user@host ~]$ virt-manager -c qemu+tcp://localhost/system


I'm primarily using this approach to manage a couple of KVM hosts over a
VPN connection, running virsh and virt-manager locally, connecting to
the IP which is accessible over the VPN.  Works pretty well, but I had
to do some changes in the guest configs so that SPICE or VNC consoles
also listened to an IP address available over the VPN.  Changing these
parameters requires cold-booting the virtual guests.

I have tried to use SSL/TLS mode as well, but when managing more
independent libvirt based servers, it gets quite annoying with how the
client certificates need to be configured.  (Granted, it's a long time
ago I tried it, so it might have changed.)  But I figured, as long as I
use SASL and do this over VPN connections with strict firewalls, the
setup is safe enough in my use cases.


kind regards,

David Sommerseth
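The libvirtd.conf and /etc/sysconfig/libvirtd edits from the post above, as an added example that is not part of the original message: a small POSIX shell script that applies the settings to a copy of the config files and then checks them, so the result can be verified before restarting libvirtd. The sample file contents, the 192.0.2.10 listen address and the temporary directory are constructed for the demonstration; only the parameter names (listen_tls, listen_tcp, listen_address, auth_tcp, LIBVIRTD_ARGS) come from the post. The check functions encode the rule the post relies on: a TCP listener is only acceptable when auth_tcp is "sasl", and libvirtd only opens the socket when --listen is present.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the libvirt project.
# Works on copies of the config files passed as arguments, never on /etc directly.

# Set key = value in a libvirtd.conf / sysconfig style file. An existing
# (possibly commented-out) assignment for the key is replaced; otherwise the
# assignment is appended.
set_libvirt_param() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a key: the last active (non-comment) assignment,
# with surrounding whitespace, quotes and trailing "# comment" removed.
get_libvirt_param() {
    local file="$1" key="$2"
    awk -v k="$key" -F= '
        $0 !~ /^[ \t]*#/ && $1 ~ "^[ \t]*"k"[ \t]*$" {
            v = $2; sub(/#.*/, "", v)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v
        }
        END { print val }' "$file"
}

# Policy check: if the unencrypted TCP listener is enabled, it must require
# SASL authentication. Returns 0 when acceptable, 1 otherwise.
check_tcp_auth() {
    local file="$1" tcp auth
    tcp=$(get_libvirt_param "$file" listen_tcp)
    auth=$(get_libvirt_param "$file" auth_tcp)
    [ "$tcp" != "1" ] && return 0     # TCP listener off: nothing to enforce
    [ "$auth" = "sasl" ]
}

# Check that /etc/sysconfig/libvirtd passes --listen to libvirtd.
check_listen_flag() {
    local file="$1" args
    args=$(get_libvirt_param "$file" LIBVIRTD_ARGS)
    case " $args " in *" --listen "*) return 0 ;; esac
    return 1
}

# Build constructed sample configs in a temp dir, apply the post's settings,
# and print the directory path.
build_example_configs() {
    local dir
    dir=$(mktemp -d)
    # Constructed stand-in for a stock libvirtd.conf with defaults commented out
    cat > "$dir/libvirtd.conf" <<'EOF'
# Flag listening for secure TLS connections on the public TCP/IP port.
#listen_tls = 1
# Listen for unencrypted TCP connections on the public TCP/IP port.
#listen_tcp = 1
#auth_tcp = "none"
EOF
    # Constructed stand-in for /etc/sysconfig/libvirtd
    printf '#LIBVIRTD_ARGS="--listen"\n' > "$dir/sysconfig-libvirtd"

    set_libvirt_param "$dir/libvirtd.conf" listen_tls 0
    set_libvirt_param "$dir/libvirtd.conf" listen_tcp 1
    set_libvirt_param "$dir/libvirtd.conf" listen_address 192.0.2.10   # placeholder
    set_libvirt_param "$dir/libvirtd.conf" auth_tcp '"sasl"'
    set_libvirt_param "$dir/sysconfig-libvirtd" LIBVIRTD_ARGS '"--listen"'
    printf '%s\n' "$dir"
}

# Stand-alone run: show the rendered files and the check results.
main() {
    local dir
    dir=$(build_example_configs)
    cat "$dir/libvirtd.conf" "$dir/sysconfig-libvirtd"
    check_tcp_auth "$dir/libvirtd.conf" && echo "TCP listener is SASL-authenticated"
    check_listen_flag "$dir/sysconfig-libvirtd" && echo "--listen is set"
    rm -rf "$dir"
}
main
```

Run it as a normal user; it never touches /etc. To use it on the real files, copy /etc/libvirt/libvirtd.conf and /etc/sysconfig/libvirtd somewhere writable, point the functions at the copies, and diff the result against the originals before installing them and running the service restart from the post.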
