Hi,

We have been using xen virtualization for some time now on our gLite certification test bed, and have stumbled upon an issue which requires some clever tricks.

We have X number of users for our test bed, and for the moment we have kept their SSH keys in the /root/.ssh/authorized_keys file on the images. Now we would like to restrict access to the user who deployed the virtual machine. I am wondering if it's possible to pass some kind of shell script or another username parameter in the xen configuration file to execute when the image boots up.

Any ideas? Thanks for your help!

Regards
Omer

--
----------------------------------------------------------
CERN – European Organization for Nuclear Research, IT Department, CH-1211 Geneva 23, Switzerland
Phone: +41 (0) 22 767 2224
Fax: +41 (0) 22 766 8683
E-mail: Omer.Khalid@cern.ch
Homepage: http://cern.ch/Omer.Khalid

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Christian Horn
2007-Oct-10 14:20 UTC
Re: [Xen-users] Username Parameter in the Xen Config File
On Wed, Oct 10, 2007 at 04:11:47PM +0200, Omer Khalid wrote:
> We have X number of users for our test bed, and for the moment we have kept
> their SSH keys in the /root/.ssh/authorized_keys file on the images. Now we
> would like to restrict access to the user who deployed the virtual machine.
> I am wondering if it's possible to pass some kind of shell script or another
> username parameter in the xen configuration file to execute when the image
> boots up.

Sounds like a job for xen-shell: http://www.xen-tools.org/software/xen-shell/

Christian

Stefan de Konink
2007-Oct-10 19:21 UTC
Re: [Xen-users] Username Parameter in the Xen Config File
Christian Horn wrote:
> On Wed, Oct 10, 2007 at 04:11:47PM +0200, Omer Khalid wrote:
>> We have X number of users for our test bed, and for the moment we have kept
>> their SSH keys in the /root/.ssh/authorized_keys file on the images. Now we
>> would like to restrict access to the user who deployed the virtual machine.
>> I am wondering if it's possible to pass some kind of shell script or another
>> username parameter in the xen configuration file to execute when the image
>> boots up.
>
> Sounds like a job for xen-shell: http://www.xen-tools.org/software/xen-shell/

That idea is nice, but isn't it strange Xen has no native support for this? So a form of limits per allowed user?

Stefan

Christian Horn
2007-Oct-10 19:53 UTC
Re: [Xen-users] Username Parameter in the Xen Config File
On Wed, Oct 10, 2007 at 09:21:24PM +0200, Stefan de Konink wrote:
> Christian Horn schreef:
> > On Wed, Oct 10, 2007 at 04:11:47PM +0200, Omer Khalid wrote:
> >> We have X number of users for our test bed, and for the moment we have kept
> >> their SSH keys in the /root/.ssh/authorized_keys file on the images. Now we
> >> would like to restrict access to the user who deployed the virtual machine.
> >> I am wondering if it's possible to pass some kind of shell script or another
> >> username parameter in the xen configuration file to execute when the image
> >> boots up.
> >
> > Sounds like a job for xen-shell: http://www.xen-tools.org/software/xen-shell/
>
> That idea is nice, but isn't it strange Xen has no native support for
> this. So a form of limits per allowed user?

Maybe what you want could be done by adding the parameter 'extra' with some value to your usual call of 'xm create <xen-config>'. That could later get evaluated by a bootscript in the domU, the 'value' from above will come up in /proc/cmdline there.

Christian
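
The approach suggested in the last message (a value passed through 'extra' and read from /proc/cmdline by a boot script in the domU) could look like the script below. It is an added example, not code posted by anyone in the thread; the parameter name deploy_user and the key directory /etc/deploy-keys are assumptions.

```shell
#!/bin/sh
# Added example: domU boot script restricting root SSH access to the deployer.
# Assumed, not from the thread: the parameter name deploy_user, and one public
# key file per user under /etc/deploy-keys/<user>.pub inside the image.
# dom0 side: xm create <xen-config> extra="deploy_user=alice"
# /proc/cmdline is readable by every process in the guest: pass names, not secrets.

# Print the deploy_user value found in a kernel command line string ($1).
# Fails if the parameter is missing or is not a plain account name.
parse_deploy_user() (
    set -f          # no glob expansion while splitting the command line
    LC_ALL=C        # make the a-z ranges below ASCII-only
    for word in $1; do
        case "$word" in
            deploy_user=*)
                user=${word#deploy_user=}
                case "$user" in
                    ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;  # rejects "/", "..", "*"
                esac
                printf '%s\n' "$user"
                return 0 ;;
        esac
    done
    return 1
)

# Replace authorized_keys ($3) with the key file of user $1 from directory $2.
install_deploy_key() (
    src="$2/$1.pub"
    [ -f "$src" ] || return 1
    umask 077                                   # new file and dirs: owner only
    mkdir -p "$(dirname "$3")" || return 1
    tmp="$3.new.$$"
    cat "$src" > "$tmp" && mv -f "$tmp" "$3"    # rename so sshd never sees a partial file
)

main() {
    user=$(parse_deploy_user "$(cat /proc/cmdline)") || {
        echo "restrict-keys: no valid deploy_user parameter, keys left unchanged" >&2
        return 1
    }
    install_deploy_key "$user" /etc/deploy-keys /root/.ssh/authorized_keys
}

# Init scripts are called with "start"; any other invocation only defines the functions.
if [ "${1:-}" = "start" ]; then main; fi
```

Run it early in the boot sequence, before sshd starts accepting connections.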