3

I would like to give my friend a VM on my dedicated server, and I want him to be able to restart the VM or change the iso - so basically I would like the same features as a VM hosting provider, e.g. Linode. I guess the easiest solution would be to give him a shell account, but how to restrict the shell? Is it possible to restrict libvirt for my use case?

user1320304

4 Answers

1

I don't know of any way to do this directly, though you can install a control panel like Proxmox and give him access through that.

Michael Hampton
1

libvirt doesn't have any user access control over individual VMs, so your best option is probably to write a series of wrapper scripts around virsh (one to reboot the VM, one to stop it, one to start it, one to change the ISO image, and whatever else you need), and then give your friend sudo access to those scripts from his login account.

The wrapper scripts should be written with hard-coded values (e.g. for the VM name) and careful checking of any user-supplied data. e.g. make sure that if he provides an ISO image filename that it is actually an ISO image and that he has read access to it.

e.g. if the VM is called "FriendVM" then a reboot script might look like this:

#! /bin/sh
# Script Name: Reboot-FriendVM.sh

virsh reboot FriendVM

Giving him sudo access to that script will allow him to reboot ONLY that particular VM. He would run it like so: sudo Reboot-FriendVM.sh

Similar wrapper scripts around 'virsh start', 'virsh destroy' are easy to extrapolate from that. A script to change the ISO image would be a little more complicated and is left as an exercise for the reader :)

Another variation of this idea if you don't want to write lots of little scripts is to write a single script with a restricted subset of virsh capabilities that work only on his VM and give him sudo access to that. e.g. call it rvirsh.

That's the simple, minimalist way, just enough to get the job done with no frills.

If you have more time to spend, you may also want to look into virtualisation management software like OpenStack, Google's Ganeti, OpenNebula, and others. They do a LOT more than just adding user access control though, and learning them will require a significant amount of time and effort.

cas
  • 1
    BTW, just in case it's not obvious - you almost certainly don't want to give your friend complete sudo access to everything, just to a defined set of scripts. You'll need to look up the documentation for sudo and especially /etc/sudoers, and search here on serverfault for 'sudoers'. – cas Jul 23 '12 at 23:35
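
The single restricted script suggested in the answer above (rvirsh), including the ISO change it leaves as an exercise, could look like this. It is an added example, not code from the answer's author: the VM name FriendVM is reused from the answer, while the ISO directory, the CD-ROM target hdc and the virsh path are assumptions.

```shell
#!/bin/sh
# rvirsh: restricted virsh front end for a single VM (added example).
VM="FriendVM"             # hard-coded: the only domain this script will touch
ISO_DIR="/srv/friend-iso" # assumption: directory where the friend uploads ISOs
CDROM_DEV="hdc"           # assumption: target name of the VM's CD-ROM device
VIRSH="/usr/bin/virsh"    # assumption: absolute path, so $PATH is never consulted

usage() {
    echo "usage: rvirsh {start|reboot|destroy|iso NAME.iso}" >&2
}

# Print the full path of ISO name $1 if it is acceptable, otherwise fail.
validate_iso() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;  # bare name: no '/', spaces, leading '.' or '-'
    esac
    case "$1" in *.iso) ;; *) return 1 ;; esac
    f="$ISO_DIR/$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1     # regular file, not a symlink
    # ISO 9660 stores the identifier "CD001" at byte offset 32769.
    magic=$(dd if="$f" bs=1 skip=32769 count=5 2>/dev/null)
    [ "$magic" = "CD001" ] || return 1
    # Under sudo the script is root, so test read access as the calling user.
    if [ -n "${SUDO_USER:-}" ]; then
        sudo -u "$SUDO_USER" test -r "$f" || return 1
    fi
    printf '%s\n' "$f"
}

rvirsh() {
    case "$1" in
        start|reboot|destroy)
            [ "$#" -eq 1 ] || { usage; return 2; }   # no extra args, so no other VM name
            "$VIRSH" "$1" "$VM" ;;
        iso)
            [ "$#" -eq 2 ] || { usage; return 2; }
            iso=$(validate_iso "$2") || { echo "rvirsh: ISO rejected" >&2; return 1; }
            "$VIRSH" change-media "$VM" "$CDROM_DEV" "$iso" --update ;;
        *)
            usage; return 2 ;;
    esac
}

# Act only when given arguments, so the functions can also be sourced and tested.
if [ "$#" -gt 0 ]; then rvirsh "$@"; fi
```

Installed root-owned and not writable by the friend (for example as /usr/local/sbin/rvirsh, a hypothetical path), it would be the only command listed for him in /etc/sudoers.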
0

Most unfortunately there is no way which is stable, "clean" and update-secure to do that - besides using a web-interface or writing your own one.

PythonLearner
0

If you're already using libvirt, and following the Web Panel suggestion made by others, you may find Karesansui interesting: http://karesansui-project.info

Proxmox is AFAIK the easiest_and_featureful virtualization environment management solution.

Ganeti+Ganeti Web Manager (currently studying it) seem also very nice and powerful.

Silopolis