XCAT zVM Security
Revision as of 15:30, 11 March 2013
Document Abstract
This document provides a guide to security for xCAT on z/VM and Linux on System z. For technical support, please post your question(s) on the mailing-list.
User Access Control
This section provides details on how to add users to xCAT and limit their privileges.
-
Create an entry in the policy table
# chtab priority=6.1 policy.name=fred policy.rule=allow
The policy table controls access for a specific user. Each priority number should be unique. Verify that the priority number you selected is not in use. In the example above, a user named fred is added to xCAT with a priority number of 6.1.
-
By default, all commands are allowed for a user. To restrict the user to certain commands, set their policy.commands attribute. Select the commands from the list of xCAT commands that are appropriate for the user.
# chtab priority=6.1 policy.commands="rpower;mkvm;rmvm;lsvm;chvm;mkdef;lsdef;rscan;rinv;nodeadd"
Multiple commands can be specified. Each command is separated by a semi-colon. Be sure to use the correct priority number when setting the commands.
-
Generate an encrypted password
# perl -e "print crypt('rootpw', rand(12345678))"
48aVyK0x4vqCc
The password being encrypted is rootpw. It uses the perl crypt routine with a random number between 0 and 12345678 as the salt.
-
Create an entry in the passwd table using the encrypted password created above
# chtab username=fred passwd.key=xcat passwd.password=48aVyK0x4vqCc
More information can be found by going to Granting Users xCAT Privileges.
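The two checks the steps above ask for (that a priority number is not already in use, and that a user is not left with every command allowed) can be run over the output of tabdump policy. This is an added example, not code from the xCAT project; the CSV below is a constructed sample in tabdump's format, and the column order is assumed from the header line.

```python
import csv
import io

# Constructed sample in `tabdump policy` style (assumed column order:
# priority,name,host,commands,noderange,parameters,time,rule,comments,disable).
SAMPLE_POLICY_DUMP = """#priority,name,host,commands,noderange,parameters,time,rule,comments,disable
"1","root",,,,,,"allow",,
"1.2",,,"getbmcconfig",,,,"allow",,
"4.4",,,"getpostscript",,,,"allow",,
"6.1","fred",,"rpower;mkvm;rmvm;lsvm;chvm;mkdef;lsdef;rscan;rinv;nodeadd",,,,"allow",,
"6.1","bob",,,,,,"allow",,
"1.3","xcat",,,,,,"allow","privilege:root;",
"""

def parse_policy_dump(text):
    """Return a list of dict rows from tabdump-style CSV output."""
    lines = text.strip().splitlines()
    header = lines[0].lstrip("#").split(",")
    reader = csv.reader(io.StringIO("\n".join(lines[1:])))
    return [dict(zip(header, row)) for row in reader]

def duplicate_priorities(rows):
    """Priority values used by more than one rule; each must be unique."""
    seen = {}
    for r in rows:
        seen.setdefault(r["priority"], []).append(r["name"] or "<any>")
    return {p: names for p, names in seen.items() if len(names) > 1}

def unrestricted_users(rows, trusted=("root",)):
    """Named users whose 'allow' rule has an empty commands field, meaning
    every xCAT command is permitted. Names in 'trusted' are expected to be so."""
    return sorted(
        r["name"] for r in rows
        if r["name"] and r["name"] not in trusted
        and r["rule"] == "allow" and not r["commands"] and not r["disable"]
    )

def allowed_commands(rows, user):
    """Commands granted to a user; None means unrestricted, [] means no rule."""
    for r in rows:
        if r["name"] == user and r["rule"] == "allow":
            return r["commands"].split(";") if r["commands"] else None
    return []

if __name__ == "__main__":
    rows = parse_policy_dump(SAMPLE_POLICY_DUMP)
    print("duplicate priorities:", duplicate_priorities(rows))
    print("unrestricted users:", unrestricted_users(rows))
    print("fred may run:", allowed_commands(rows, "fred"))
```

On a real management node, replace the sample with the output of tabdump policy; the xcat sudoer from the next section is expected to show up as unrestricted.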
No Root Login
This section provides details on how to setup no root login for xCAT and virtual machines provisioned by xCAT.
-
Create a non-root user (xcat) on the xCAT MN
# /usr/sbin/userdel xcat
# /usr/sbin/useradd -p rootpw -m xcat
Note that the -p option of useradd expects an already-encrypted password string (such as the output of the crypt step above), not a plaintext one.
-
Add the user to the sudoers list
# echo "xcat ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
The sudoer can be customized to run only a small set of commands.
If you are running RHEL, an extra line must be added to the sudoers file.
# echo "Defaults:xcat !requiretty" >> /etc/sudoers
-
xCAT runs as root, but users can log into xCAT using the sudoer. Add the sudoer to the policy and passwd tables.
# chtab priority=1.3 policy.name=xcat policy.rule=allow policy.comments="privilege:root;"
# perl -e "print crypt('rootpw', rand(12345678))"
48aVyK0x4vqCc
# chtab username=xcat passwd.key=xcat passwd.password=48aVyK0x4vqCc
In order for the user xcat to access the xCAT UI, you must add "privilege:root;" into the policy.comments.
-
To manage other virtual machines (including the zHCP) by a sudoer, you have to create a non-root user (xcat) on the virtual machine and add the user to the sudoers list (as above). There is a script on the xCAT MN, /install/postscripts/sudoer, that can be run to create the sudoer.
updatenode zhcp -P sudoer
The default username and password contained in the sudoer script can be modified to suit your needs. Otherwise, the default user name is xcat and default password is rootpw.
-
To create a sudoer for each virtual machine provisioned by xCAT, you have to add the sudoers postscripts to the postscripts table
# chtab node=all postscripts.postscripts+=sudoer
-
Add an entry into the xCAT passwd table to force xCAT to access and manage virtual machines by the sudoer, instead of root.
chtab username=sudoer passwd.key=xcat
If a sudoer entry is found in the passwd table, then xCAT will use the username when accessing any virtual machine.
