On Mon, Feb 15, 2016 at 05:38:37PM +0100, Michal Privoznik wrote:
> Are you tired of remembering IP addresses for your domains? Do
> you have enough of configuring static IPs so that you can add
> them to your hosts file? Then libvirt NSS module is exactly what
> you need!
>
> NSS does a lot in a Linux host. These patches aim at translating
> domain names into IP addresses. All you need to do is install
> libnss_libvirt.so.2 (e.g. via 'make install' run from source
> dir), enable the module in nsswitch.conf:
>
> $ grep libvirt /etc/nsswitch.conf
> hosts: files dns libvirt
>
> and you're all set. Now you can just:
>
> $ ping $mydomain
> $ ssh user@$mydomain
>
> or anything you'd like. The only limitation is that it has to be
> libvirt who has assigned the domain IP address. The limitation
> comes from implementation in which
> '/var/lib/libvirt/dnsmasq/*.status' files are parsed when looking
> up a hostname.

So the 'nss' modules are loaded by any process on the host
which does DNS lookups. This in turn implies that any process
has to have permission to read the dnsmasq lease files directly.
I don't think this is very desirable, particularly from an
SELinux POV - I'm not convinced we want to grant every process
perm to read the virt_var_lib_t.

I'm wondering if we shouldn't have a separate file(s) recording
the hostname/IP address mappings for the NSS module to read,
that we place somewhere dedicated to this purpose, so we can
grant permission to just the data NSS needs.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
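
Added example, not part of the original thread and not libvirt code: a sketch of the separate-file idea in the reply above, in which a privileged helper reduces lease records to hostname/IP pairs and publishes only those for the NSS module to read. The JSON field names, `minimal_map`, `publish` and the output file name are assumptions (the thread does not show the status file format), and the sample leases are constructed.

```python
import json
import os
import tempfile

# Constructed sample of a lease status file; the field names are assumptions.
SAMPLE_STATUS = json.dumps([
    {"ip-address": "192.168.122.10", "mac-address": "52:54:00:aa:bb:01",
     "hostname": "fedora", "expiry-time": 2000},
    {"ip-address": "192.168.122.11", "mac-address": "52:54:00:aa:bb:02",
     "hostname": "debian", "expiry-time": 500},      # expired when now=1000
    {"ip-address": "192.168.122.12", "mac-address": "52:54:00:aa:bb:03",
     "expiry-time": 2000},                            # no hostname recorded
])


def minimal_map(status_text, now):
    """Reduce lease records to the 'ip hostname' pairs a resolver needs."""
    lines = []
    for lease in json.loads(status_text):
        host, ip = lease.get("hostname"), lease.get("ip-address")
        if not host or not ip:
            continue                      # nothing to resolve
        if lease.get("expiry-time", 0) <= now:
            continue                      # stale or undated lease: do not publish
        if any(c.isspace() for c in host + ip):
            continue                      # would corrupt the line format
        lines.append(f"{ip} {host}")      # MAC and other fields are dropped
    return "\n".join(sorted(lines)) + ("\n" if lines else "")


def publish(map_text, dest_path):
    """Write the map atomically and world-readable, in its own directory."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path), prefix=".nssmap-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(map_text)
        os.chmod(tmp, 0o644)              # readable by all, writable by owner
        os.replace(tmp, dest_path)        # readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp()          # stand-in for a dedicated directory
    target = os.path.join(out_dir, "hosts.map")
    publish(minimal_map(SAMPLE_STATUS, now=1000), target)
    print(open(target).read(), end="")
```

Because the published file lives in its own directory, it can carry its own SELinux label, so unprivileged processes need read access to that label only and not to the lease files themselves.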