Re: [libvirt] [PATCH 0/6] NSS module for libvirt

On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote: > Are you tired of remembering IP addresses for your domains? Do > you have enough of configuring static IPs so that you can add > them to your hosts file? Then libvirt NSS module is exactly what > you need! > > NSS does a lot in a Linux host. These patches aim at translating > domain names into IP addresses. All you need to do, is install > libnss_libvirt.so.2 (e.g. via 'make install' ran from source > dir), enable the module in nsswitch.conf: > > $ grep libvirt /etc/nsswitch.conf > hosts: files dns libvirt > > and you're all set. Now you can just: > > $ ping $mydomain > $ ssh user@$mydomain > > or anything you'd like. The only limitation is that it has to be > libvirt who has assigned the domain IP address. The limitation > comes from implementation in which > '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking > up a hostname. So the 'nss' modules are loaded by any process on the host which does dns lookups. This in turns implies that any process has to have permission to read the dnsmasq lease files directly. I don't think this is very desirable, particularly from an SELinux POV - I'm not convinced we want to grant every process perm to read the virt_var_lib_t.

I'm wondering if we shouldn't have a separate file(s) recording the hostname/IP address mappings for the NSS module to read, that we place somewhere dedicated to this purpose, so we can grant permission to just the data NSS needs.