[libvirt] [PATCH 0/6] NSS module for libvirt

Daniel P. Berrange berrange at redhat.com
Tue Feb 16 16:59:28 UTC 2016


On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote:
> Are you tired of remembering IP addresses for your domains? Have
> you had enough of configuring static IPs so that you can add
> them to your hosts file? Then libvirt NSS module is exactly what
> you need!
> 
> NSS does a lot in a Linux host. These patches aim at translating
> domain names into IP addresses. All you need to do is install
> libnss_libvirt.so.2 (e.g. via 'make install' run from the source
> dir) and enable the module in nsswitch.conf:
> 
>     $ grep libvirt /etc/nsswitch.conf
>     hosts:       files dns libvirt
> 
> and you're all set. Now you can just:
> 
>     $ ping $mydomain
>     $ ssh user@$mydomain
> 
> or anything you'd like. The only limitation is that it has to be
> libvirt who has assigned the domain IP address. The limitation
> comes from implementation in which
> '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking
> up a hostname.

So the 'nss' modules are loaded by any process on the host
which does dns lookups. This in turn implies that any process
has to have permission to read the dnsmasq lease files directly.
I don't think this is very desirable, particularly from an
SELinux POV - I'm not convinced we want to grant every process
perm to read the virt_var_lib_t.

I'm wondering if we shouldn't have a separate file(s) recording
the hostname/IP address mappings for the NSS module to read,
that we place somewhere dedicated to this purpose, so we can
grant permission to just the data NSS needs.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
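An added example, not code from the libvirt patch series or the libvirt project: the Python below mirrors the lookup the cover letter describes (scan the per-network '*.status' files under /var/lib/libvirt/dnsmasq, match the hostname, return the leased IP) and also produces the reduced 'IP hostname' data set that a dedicated, separately labelled file for the NSS module, as proposed in the reply, would carry. The JSON layout of the status files, the field names "ip-address", "mac-address", "hostname" and "expiry-time", case-insensitive hostname matching and skipping of expired leases are all assumptions made here; the sample lease data is constructed, not captured from a real host.

```python
"""Emulate the lookup the proposed libvirt NSS module performs.

Added example, not code from the libvirt patch series.  It assumes
(field names are an assumption here) that each
/var/lib/libvirt/dnsmasq/<network>.status file is a JSON array of lease
objects with "ip-address", "mac-address", "hostname" and "expiry-time"
keys, that hostnames match case-insensitively, and that leases whose
"expiry-time" has passed are ignored.
"""
import glob
import json
import os
import tempfile
import time

# Constructed sample lease data, not captured from a real host.
SAMPLE_STATUS = {
    "default.status": [
        {"ip-address": "192.168.122.10", "mac-address": "52:54:00:aa:bb:cc",
         "hostname": "fedora23", "expiry-time": 4102444800},
        {"ip-address": "192.168.122.11", "mac-address": "52:54:00:dd:ee:ff",
         "hostname": "stale", "expiry-time": 1000000000},
    ],
    "isolated.status": [
        {"ip-address": "10.0.0.5", "mac-address": "52:54:00:11:22:33",
         "hostname": "Fedora23", "expiry-time": 4102444800},
    ],
}


def build_sample_dir():
    """Write the constructed status files into a fresh temp dir; return its path."""
    dirname = tempfile.mkdtemp(prefix="libvirt-nss-")
    for name, leases in SAMPLE_STATUS.items():
        with open(os.path.join(dirname, name), "w") as f:
            json.dump(leases, f)
    return dirname


def active_leases(status_dir, now=None):
    """Yield (ip, hostname) for every unexpired lease in every *.status file.

    A file the caller cannot read (an SELinux denial would surface as
    EACCES here) or that is mid-rewrite is skipped, so one bad network
    does not break lookups for the others.
    """
    now = time.time() if now is None else now
    for path in sorted(glob.glob(os.path.join(status_dir, "*.status"))):
        try:
            with open(path) as f:
                leases = json.load(f)
        except (OSError, ValueError):
            continue
        for lease in leases:
            host = lease.get("hostname")
            if not host or int(lease.get("expiry-time", 0)) <= now:
                continue
            yield lease["ip-address"], host


def lookup_host(status_dir, hostname, now=None):
    """Return the IPs leased to `hostname`, in *.status file order."""
    want = hostname.lower()
    return [ip for ip, host in active_leases(status_dir, now)
            if host.lower() == want]


def export_hosts_mapping(status_dir, now=None):
    """Render only the 'IP hostname' pairs a resolver needs, hosts(5)-style.

    This is the reduced data set a dedicated, separately labelled file
    for the NSS module would carry: no MACs, client IDs or expiry times.
    """
    lines = sorted("%s %s" % pair for pair in active_leases(status_dir, now))
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    d = build_sample_dir()
    print("fedora23 ->", lookup_host(d, "fedora23"))
    print(export_hosts_mapping(d), end="")
```

The point of `export_hosts_mapping` is the one raised in the reply: a resolver only needs the hostname/IP pairs, so writing just those to a path with its own label lets policy grant NSS clients read access to that file alone rather than to everything under virt_var_lib_t.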