[libvirt] [PATCH 0/6] NSS module for libvirt
Michal Privoznik
mprivozn at redhat.com
Wed Feb 17 15:42:40 UTC 2016
On 16.02.2016 17:59, Daniel P. Berrange wrote:
> On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote:
>> Are you tired of remembering IP addresses for your domains? Do
>> you have enough of configuring static IPs so that you can add
>> them to your hosts file? Then libvirt NSS module is exactly what
>> you need!
>>
>> NSS does a lot in a Linux host. These patches aim at translating
>> domain names into IP addresses. All you need to do, is install
>> libnss_libvirt.so.2 (e.g. via 'make install' ran from source
>> dir), enable the module in nsswitch.conf:
>>
>> $ grep libvirt /etc/nsswitch.conf
>> hosts: files dns libvirt
>>
>> and you're all set. Now you can just:
>>
>> $ ping $mydomain
>> $ ssh user@$mydomain
>>
>> or anything you'd like. The only limitation is that it has to be
>> libvirt who has assigned the domain IP address. The limitation
>> comes from implementation in which
>> '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking
>> up a hostname.
>
> So the 'nss' modules are loaded by any process on the host
> which does dns lookups. This in turns implies that any process
> has to have permission to read the dnsmasq lease files directly.
> I don't think this is very desirable, particularly from an
> SELinux POV - I'm not convinced we want to grant every process
> perm to read the virt_var_lib_t.
Okay, I haven't thought of that. What if, *.status file under
/var/lib/libvirt/dnsmasq would have virt_nss_var_lib_t and we have new
selinux boolean. Anybody who could read virt_var_lib_t could read
virt_nss_var_lib_t too. Moreover, if the boolean would be set, everybody
else, who would be denied on virt_var_lib_t would be granted access on
virt_nss_var_lib_t.
>
> I'm wondering if we shouldn't have a separate file(s) recording
> the hostname/IP address mappings for the NSS module to read,
> that we place somewhere dedicated to this purpose, so we can
> grant permission to just the data NSS needs.
I'd like to avoid that if possible.
Michal
More information about the libvir-list
mailing list