VM-RBAC manual
This document describes the installation and usage of the VM-RBAC modules.
VM-RBAC is an additional access control scheme for virtual machine based on Xen-VM.
Project URL: http://sourceforge.net/projects/vm-rbac/
1. Abstract
VM-RBAC program module is an additional programs for VM (Virtual Machine) to be available an access control.
RPM module is initially delivered for RHEL 5.1 (Redhat Enterprise Linux) Virtualization (based on Xen virtualization).
This program module is released under the GPL.
2. System requirements
This package is for Redhat Enterprise Linux (RHEL) 5.1 x86_64.
Resource access control is available only for the disk device now. Please prepare a disk device for each guest domain.
3. File structures
-+- kernel-xen-2.6.18.8-19711.x86_64.rpm
| => Install package of kernel-xen.
|
+- xen-3.4.1-19711.x86_64.rpm
| => Install package of xen.
|
+- xen-libs-3.4.1-19711.x86_64.rpm
| => Install package of xen libraries.
|
+- libxenrbac-2.0.0-1.x86_64.rpm
| => Install package of VM-RBAC libraries.
|
+- libxenrbac-python-2.0.0-1.x86_64.rpm
| => Install package to use VM-RBAC libraries by python.
|
+- xenrbac-policy-2.0.0-1.noarch.rpm
| => Definition files for VM-RBAC program.
|
+- xenrbac-xm-2.0.0-1.x86_64.rpm
| => Install package of xm command interface libraries.
|
+- xenrbac-tool-2.0.0-1.x86_64.rpm
| => Install package of vm-rbac command interface libraries.
|
+- libvirt-0.4.0-1.x86_64.rpm
| => Install package of libvirt libraries to control virtual machine.
|
+- libvirt-python-0.4.0-1.x86_64.rpm
| => Install package to use the libvirtAPI by python.
|
+- virt-manager-0.5.3-1.x86_64.rpm
| => Install package of a tool to use virtual machine by GUI.
|
+- xenrbac-package.sh
| => Scripts to install or to uninstall above packages.
|
+- xenrbac-setting.sh
=> Scripts to set an initial condition of vm-rbac.
4. How to install / uninstall
This section describes how to install or uninstall the vm-rbac software.
These operations are needed to operate on 'root' account.
If you cancel the install operation in the middle of the procedure, you must re-install using rpm command with '--force' option.
4.1 How to install
Un-compress the install package files.
# tar xvzf rbac-limit.tar.gz
Move to the execution directory.
# cd rbac-limit/exe/
Make install the xen package. This operation is added bridge-util.
# ./xenrbac-package.sh install-xen
To be enable http communication, edit /etc/xen/xend-config.sxp file like below:
before: #(xend-http-server no)
after: (xend-http-server yes)
To be enabling unix communication, edit /etc/xen/xend-config.sxp file like below:
before: #(xend-unix-server no)
after: (xend-unix-server yes)
To be enable migration, edit /etc/xen/xend-config.sxp file like below:
before: (xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
after: #(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
If you use grub, edit the /etc/grub.conf file to start Xen on reboot operation.
If you set the Xen configuration on the first part of the grub.conf file, it is considered default number (defaunlt=0).
Please set 'cpuidle=0' parameter and 'loop.max_loop=nn' parameter.
An example of /etc/grub.conf file is below:
</etc/grub.conf>
===============================================================================
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18.8-19711xen)
root (hd0,0)
kernel /xen.gz-2.6.18.8-19711 cpuidle=0
module /vmlinuz-2.6.18.8-19711xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet loop.max_loop=256
module /initrd-2.6.18.8-19711xen.img
title Red Hat Enterprise Linux Server (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-53.el5.img
===============================================================================
Reboot Linux OS.
# reboot
Un-install sysklogd package temporary.
# rpm -e sysklogd --nodeps
Change the current directory on this package.
# cd rbac-limit/exe/
Execute a shell program to install another packages and modules.
# ./xenrbac-package.sh install
Execute a shell program to set a initial condition.
# ./xenrbac-setting.sh set-rbac
Start the libvirtd deamon.
# /etc/init.d/libvirtd start
4.2 How to uninstall
Un-install procedure has two steps: first rebooting to Linux except Xen, second uninstalling the related packages.
First, edit the /etc/grub.conf file to start Linux. It is done by changing default parameter from 0 to 1 for example:
</etc/grub.conf>
===============================================================================
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18.8-19711xen)
root (hd0,0)
kernel /xen.gz-2.6.18.8-19711 cpuidle=0
module /vmlinuz-2.6.18.8-19711xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet loop.max_loop=256
module /initrd-2.6.18.8-19711xen.img
title Red Hat Enterprise Linux Server (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.18-53.el5.img
===============================================================================
Reboot the Xen.
# reboot
After starting Linux completely, move to a directory to execute.
# cd rbac-limit/exe/
Using shell script, un-install the vm-abac packages.
# ./xenrbac-package.sh uninstall
Caution:
Packages listed below are not un-installed because they might be used the other packages:
cyrus-sasl-md5
rsyslog-2.0.6-1
dnsmasq-2.39-2
gtk-vnc-0.3.8-1
gtk-vnc-python-0.3.8-1
virt-viewer-0.0.2-2
If you do not use them, please delete them independently for example:
# rpm -e cyrus-sasl-md5 dnsmasq rsyslog gtk-vnc virt-viewer
Execute a shell program to delete setting for vm-rbac.
# ./xenrbac-setting.sh unset-rbac
Un-install the Xen package.
# ./xenrbac-package.sh uninstall-xen
'bridge-util' package is not deleted above operation. If you do not use it, please delete it independently.
# rpm -e bridge-util
5. Configuration files and editing
This section describes the definition files of vm-rbac.
The effect of the definition files are below:
[1] User definition file
Effect: setting the relationship between user account and role.
Referenced command: xen-role
Owner: User Administrator.
[2] Policy definition file
Effect: setting the access policy for each role.
Referenced command: xen-role
Owner: Policy Administrator.
[3] Resource distribution definition file
Effect: setting the distribution policy (vm) for each resource.
Referenced command: xen-resource
Owner: Resource Administrator.
[4] Resource definition file
Effect: setting the real resources for each vm.
Referenced command: xen-resource
Owner: Resource Administrator.
6. Initial conditions
This section describes initial conditions on initializing vm-rbac installation packages.
After executing the installer shell program, initial status of this vm-rbac is below:
+---+-----------------------+---------------+--------------+
| |Administrator |Account |role |
|No +-----------------------+---------------+--------------+
| |Authorized |
+---+-----------------------+---------------+--------------+
| |User Administrator |user-admin |UserAdmin |
| 1 +-----------------------+---------------+--------------+
| |Right to edit the relation with user account and role.|
+---+-----------------------+---------------+--------------+
| |Policy Administrator |policy-admin |PolicyAdmin |
| 2 +-----------------------+---------------+--------------+
| |Right to edit the access policy. |
+---+-----------------------+---------------+--------------+
| |Resource Administrator |res-admin |ResourceAdmin |
| 3 +-----------------------+---------------+--------------+
| |Right to edit the resource definitions. |
+---+-----------------------+---------------+--------------+
| |Host OS Administrator | root |HostOSManager |
| 4 +-----------------------+---------------+--------------+
| |Right to operate the host OS. |
+---+-----------------------+---------------+--------------+
7. Definitions to use resource capping capability
Vm-rbac has a resource capping capability. This section describes a definition of the resource distribution with an example.
Resource capping capability is defined by the commands below:
+---------------------+---------------------------------------------------+
|xen-resource command | effect |
+---------------------+---------------------------------------------------+
|define-resgroup | defines the resource to assign a 'resource group' |
+---------------------+---------------------------------------------------+
|distribute-resgroup | defines the VM belonging to a 'resource group' |
+---------------------+---------------------------------------------------+
Now, we assume these resource groups below:
+----------+-----+----------+------+-------+-------+--------+--------+
|Resource- |VM |Disk |Memory|CPU |Network interface|
|group name|name | | |Pysical|Virtual|Physical|Virtual |
| | | | | id |number |name |number |
+----------+-----+----------+------+-------+-------+--------+--------+
|resource1 | vm1 |/dev/sda5 |600(M)| 0 | 2 | eth0 | 2 |
| | vm2 |/dev/sda6 | | 1 | | eth1 | |
+----------+-----+----------+------+-------+-------+--------+--------+
7.1 Editing a definitions of resource-group
This section describes how to define the resource-group definition.
After logging in the 'Resource Administrator', execute xen-resource command to define resources for the resource-group.
[res-admin]$ xen-resource define-resgroup resource1
Then define the resources belonging to the resource-group.
[res-admin]$ xen-resource add-resource resource1 --diskname=/dev/sda5 --diskname=/dev/sda6
[res-admin]$ xen-resource add-resource resource1 --memsize=600
[res-admin]$ xen-resource add-resource resource1 --cpuid=0
[res-admin]$ xen-resource add-resource resource1 --cpuid=1
[res-admin]$ xen-resource add-resource resource1 --cpunum=2
[res-admin]$ xen-resource add-resource resource1 --nicname=eth0
[res-admin]$ xen-resource add-resource resource1 --nicname=eth1
[res-admin]$ xen-resource add-resource resource1 --nicnum=2
Then confirm these resources defined on the resource-group.
[res-admin]$ xen-resource resgroup-info resource1
7.2 Editing a resource distribution for the resource-group
This section describes how to define a resource distribution for the resource-group.
After logging in the 'Resource Administrator', execute the xen-resource command to define a resource distribution for the resource-group.
[res-admin]$ xen-resource distribute-resgroup resource1 vm1
[res-admin]$ xen-resource distribute-resgroup resource1 vm2
Then confirm a VM definition to be distributed.
[res-admin]$ xen-resource resgroup-list
8 Definition of access rights for Administrators
This section describes the relationship of role and users.
To allow the rights to execute a xen command, you must define a role and user.
We describe how to define these relationships with some example.
Now, we assume these roles:
+---------------------------+------------------------+------------------------+
|Role name |User account | allowed VM & resources | Administrator |
+---------------------------+------------------------+------------------------+
|RES_MANAGER1 |res-mgr1 | all VMs | Virtual resource Admin.|
+---------------------------+------------------------+------------------------+
|GST_MANAGER1 |gst-mgr1 | resource1(*1) | Guest VM Admin. |
+---------------------------+------------------------+------------------------+
|GST_MANAGER2 |gst-mgr2 | resource1(*1) | Guest VM Admin. |
+---------------------------+------------------------+------------------------+
*1: You can control either VM or resource-group defining the target of access control method.
8.1 Definition of roles for the administrator
After logging in the 'Policy Administrator', create a 'Virtual resource Administrator'.
[policy-admin ]$ xen-role define-role RES_MANAGER1 --all --template=Resource
Then create some 'Guest VM Administrators'.
[policy-admin ]$ xen-role define-role GST_MANAGER1 --type=resource resource1 --template=Guest
[policy-admin ]$ xen-role define-role GST_MANAGER2 --type=resource resource1 --template=Guest
8.2 Make the relationship of role and user account
After logging in the 'User Administrator', make the relationship between 'Virtual resource Administrator' role and user account.
[user-admin ]$ xen-role assign-role res-mgr1 RES_MANAGER1
Then make the relationship between 'Guest VM Administrators' roles and user account.
[user-admin ]$ xen-role assign-role gst-mgr1 GST_MANAGER1
[user-admin ]$ xen-role assign-role gst-mgr2 GST_MANAGER2
It is available to assign relationship between a role and a user account even if the role is not created.
8.3 Create the user account
After logging in the root account, create the user accounts to use the role definition.
[root ]# adduser res-mgr1
[root ]# adduser gst-mgr1
[root ]# adduser gst-mgr2
Then set password for each accounts.
[root ]# passwd res-mgr1
[root ]# passwd gst-mgr1
[root ]# passwd gst-mgr2
9. Create a guest VM
The way to create the guest VM is the same as the procedure of normal Xen.
In this section, we describe some point to be aware of making a guest VM.
'Virt-install' or 'Virt-manager' are useful tools to manage a guest VM.
If you create a guest VM for 'RES_MANSGER1' role, you must make an installation on the user account relating to the role.
In addition, the guest VM is not installed when the VM resource is exceeded the limit of 'resource1'.
After logging in the 'Virtual Resource Administrator' account, create a guest VM using virt-install or virt-manager tool.
An example of virt-install command is below:
[res-mgr1 ]$ virt-install --paravirt --name=vm1 --vcpu=1 --cpuset=0 --ram=300 --file=/dev/sda5 --vnc
--vncport=5910 --bridge=eth0 --location=ftp://"IP Address"/rhel54/x86_64/ --keymap=ja
[res-mgr1 ]$ virt-install --paravirt --name=vm2 --vcpu=1 --cpuset=1 --ram=300 --file=/dev/sda6 --vnc
--vncport=5920 --bridge=eth0 --location=ftp://"IP Address"/rhel54/x86_64/ --keymap=ja
10. How to start the guest VM
Guest VMs are available to start on the 'Guest VM Administrator' in the limit of the 'resource1' definition.
After logging in the 'Guest VM Administrator' for vm1, start the vm1 guest.
[gst-mgr1 ]$ virsh start vm1
After logging in the 'Guest VM Administrator' for vm2, start the vm2 guest.
[gst-mgr2 ]$ virsh start vm2
11. Co-operation with other policy manager
VM-rbac is enabling to co-operate some policy managers using the shell command (xen-role & xen-resource commands).
To operate the guest VM, you must create some administration accounts and roles described so far.
ChangeLog:
Version 1.0 2009/10/26
Copyright (C) 2010 Fujitsu Limited.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
