Integrity VM provides secure access to guest machine
consoles. When you create the virtual machine, you can specify groups
and user accounts to have administration or operator privileges on
that guest. These users are allowed to log in to the VM Host under
their own user accounts and to use the hpvmconsole command to perform system administration tasks on the guest virtual
machine.
A captive virtual console account is a special-purpose user account created on the VM Host for each
guest administrator or operator. Such an account uses the
/opt/hpvm/bin/hpvmconsole program as its login shell and the
desired guest's per-guest directory as its home directory, so a login
drops the user directly into the virtual console rather than into a
shell on the VM Host. For virtual console access, the account also requires a
password, and it must be granted access to its associated guest.
Before you create the virtual machine, use the useradd command to create user accounts for virtual console
access. For example, the following command adds the user account testme1, which will later be given console access to the guest testme:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
Do not use the hpvmsys group for user accounts. This group is used for security isolation
between components of Integrity VM.
Console users are specified as
either admin (guest administrators)
or oper (guest operators). Guest
operators can access the virtual machine console, shut down and
reboot the guest, display system status, transfer control to another
guest operator or administrator, and set system identification. The
guest administrator has all these capabilities, as well as the ability
to use the virtual console say commands (restricted
to use by HP field support specialists).
You can specify guest administrators and operators
using the hpvmcreate, hpvmmodify, hpvmmigrate, and hpvmclone commands. To assign administrator and operator privileges to a user
group, include the -g option. To assign administrator
and operator privileges to a specific user, use the -u option.
NOTE: Console users cannot use the su command to change from one privilege level to another. Per-user
checks are based on the login account identifier (the account that authenticated), not on the numeric UID in effect after su.
The following command creates the virtual machine
named testme with the administrator
named testme1:
# hpvmcreate -P testme -u testme1:admin
Guest operators and administrators need access
to the hpvmconsole command to control the virtual
machine. If you do not want the same users to have access to the VM
Host, you can restrict use of the hpvmconsole command
to guest console access only by creating a restricted account for
that purpose. To do so, follow these steps:
Using the useradd command, set
up an /etc/passwd entry for each guest on the
VM Host. The user name of the account must be the same as the guest
name and must have no more than 8 characters. For example:
# useradd -d /var/opt/hpvm/guests/compass1 \
-c 'compass1 console' -s /opt/hpvm/bin/hpvmconsole compass1
This example uses the following options:
The -d option specifies the home
directory for the compass1 account.
The -c option specifies a comment
text string that describes the account.
The -s option specifies the path
for the shell of the new account.
Use the passwd command to set a
password for the account. For example:
# passwd compass1
Use the hpvmmodify command to grant
the account guest administration privileges on the guest of the same name:
# hpvmmodify -P compass1 -u compass1:admin
A guest administrator can now access the compass1 virtual console by using the ssh command or telnet command to reach the VM Host and
logging in to the compass1 account. Because the account's shell is hpvmconsole, the guest administrator
gets only the virtual console and cannot use the su command. Prefer ssh over telnet:
telnet sends the console account's password in cleartext.
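The following script is an added example for this page, not a tool shipped with Integrity VM. It automates the procedure above (useradd with hpvmconsole as the login shell and the guest directory as home, passwd, then hpvmmodify) and adds two checks a practitioner would want: it enforces the rules stated on this page (account name of at most 8 characters, privilege admin or oper, never the hpvmsys group), and it audits /etc/passwd-style entries for accounts that live under /var/opt/hpvm/guests but still have a real shell, which is exactly the misconfiguration that would hand a "console-only" user an interactive login on the VM Host. The paths and the use of the HP-UX useradd, passwd and hpvmmodify commands are taken from the page; the sample passwd entries are constructed for the dry run.

```shell
#!/bin/sh
# Added example for this page, not HP's own tooling.
# Creates a captive virtual console account on the VM Host for one guest,
# grants it admin or oper privilege, and audits passwd entries afterwards.
# Assumptions: HP-UX useradd(1M)/passwd(1) and /opt/hpvm/bin/hpvmmodify are
# present; only the -d, -c, -s and -g useradd options shown on the page are used.

HPVMCONSOLE=/opt/hpvm/bin/hpvmconsole
GUEST_ROOT=/var/opt/hpvm/guests

# validate_console_account NAME LEVEL GROUP
# Rules from the page: name is 1-8 characters, level is admin or oper,
# and the hpvmsys group is reserved for isolation between Integrity VM parts.
validate_console_account() {
    vca_name=$1 vca_level=$2 vca_group=$3
    case $vca_name in
        ''|*[!A-Za-z0-9_]*) echo "invalid account name: '$vca_name'" >&2; return 1 ;;
    esac
    if [ "${#vca_name}" -gt 8 ]; then
        echo "account name longer than 8 characters: $vca_name" >&2; return 1
    fi
    case $vca_level in
        admin|oper) ;;
        *) echo "privilege must be admin or oper, got '$vca_level'" >&2; return 1 ;;
    esac
    if [ "$vca_group" = hpvmsys ]; then
        echo "hpvmsys is reserved for Integrity VM; use another group" >&2; return 1
    fi
    return 0
}

# console_useradd_cmd GUEST NAME GROUP
# Prints the useradd command line that would be run, for review or logging.
console_useradd_cmd() {
    printf 'useradd -g %s -s %s -c "Console access to guest %s" -d %s/%s %s\n' \
        "$3" "$HPVMCONSOLE" "$1" "$GUEST_ROOT" "$1" "$2"
}

# create_console_account GUEST NAME LEVEL [GROUP]
# The three steps from the page; must run as root on the VM Host.
create_console_account() {
    cca_guest=$1 cca_name=$2 cca_level=$3 cca_group=${4:-users}
    validate_console_account "$cca_name" "$cca_level" "$cca_group" || return 1
    useradd -g "$cca_group" -s "$HPVMCONSOLE" \
        -c "Console access to guest '$cca_guest'" \
        -d "$GUEST_ROOT/$cca_guest" "$cca_name" || return 1
    passwd "$cca_name" || return 1
    /opt/hpvm/bin/hpvmmodify -P "$cca_guest" -u "$cca_name:$cca_level"
}

# audit_passwd
# Reads passwd-format lines on stdin and prints each account whose home is
# under $GUEST_ROOT but whose shell is not hpvmconsole: an account that was
# meant to be console-only yet gives its owner a real shell on the VM Host.
audit_passwd() {
    while IFS=: read -r ap_user ap_pw ap_uid ap_gid ap_gecos ap_home ap_shell; do
        case $ap_home in
            "$GUEST_ROOT"/*) ;;
            *) continue ;;
        esac
        [ "$ap_shell" = "$HPVMCONSOLE" ] || echo "$ap_user"
    done
}

# Constructed sample entries (not from a real host) for a dry run of the audit.
SAMPLE_PASSWD='root:*:0:3::/:/sbin/sh
compass1:*:105:20:compass1 console:/var/opt/hpvm/guests/compass1:/opt/hpvm/bin/hpvmconsole
testme1:*:106:20:Console access to guest testme:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
oops1:*:107:20:console account with a real shell:/var/opt/hpvm/guests/oops1:/usr/bin/sh'

# audit_sample: runs the audit over the constructed sample; only oops1 is flagged.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

# Example invocation (root on the VM Host):
#   create_console_account compass1 compass1 admin
# Audit the live file with:
#   audit_passwd < /etc/passwd
```

The audit is worth running periodically, not just at creation time: a later `usermod -s` or a hand edit of /etc/passwd can silently turn a captive console account into a normal login, and nothing in hpvmmodify will notice.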
The following is an example session of remote
access to the compass1 virtual console on the VM
Host myhost:
# telnet compass1
Trying 16.xx.yy.zz...
Connected to compass1.rose.com.
Escape character is '^]'.
HP-UX compass B.11.23 U ia64 (ta)
login: compass1
Password:
Please wait...checking for disk quotas
MP MAIN MENU
CO: Console
CM: Command Menu
CL: Console Log
SL: Show Event Logs
VM: Virtual Machine Menu
HE: Main Help Menu
X: Exit Connection
[compass1] vMP>
The virtual console interface displays raw characters
for the CL and CO commands, including the guest's attempts to query the console
terminal for its type and characteristics. The terminal
answers those queries, and that terminal-setup exchange can interfere
with the virtual console commands. Interactive users can simply clear
the screen, but the stray query and answer sequences are a problem for
noninteractive or scripted use of the console, which must expect and discard them.