# virt-install --connect qemu:///system --virt-type kvm --name cards2 --ram 2048 --disk /var/kvm/cards2.qcow,size=3 --vcpus=8 --cdrom /var/kvm/debian-8.5.0-amd64-netinst.iso --vnc --os-type linux --network network=default
该图像具有权限:
# ls -l /var/kvm/cards2.qcow -rwxr-xr-x 1 libvirt-qemu libvirt-qemu 3221225472 Aug 17 18:49 /var/kvm/cards2.qcow
但是我注意到任何具有SSH访问权限的用户都可以通过执行以下命令来访问VM:
virt-viewer --connect qemu+ssh://username@hostname.example.com/system vmname
(注意,此命令是远程执行的,而不是在服务器上执行.它通过SSH隧道连接到具有连接URI qemu ssh://username@hostname.example.com的虚拟机管理程序)
用户用户名仅是用户名组的成员.使用用户名帐户进行SSH访问时,虚拟机列表显示为空:
$virsh list --all Id Name State ----------------------------------------------------
在通过SSH执行以下操作时,我也无法使用套接字进行连接:
$virsh --connect qemu:///system list --all error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied
我还尝试删除所有/usr/bin/vir *文件的权限给不在kvm组中的用户:
# chown root:kvm /usr/bin/vir* # chmod o-rx /usr/bin/vir* # ls /usr/bin/vir* -l -rwxr-x--- 1 root kvm 321120 Jul 1 04:46 /usr/bin/virsh -rwxr-x--- 1 root kvm 32184 Dec 7 2013 /usr/bin/virt-alignment-scan -rwxr-x--- 1 root kvm 28128 Dec 7 2013 /usr/bin/virt-cat -rwxr-x--- 1 root kvm 9774 Sep 29 2014 /usr/bin/virt-clone -rwxr-x--- 1 root kvm 10277 Sep 29 2014 /usr/bin/virt-convert -rwxr-x--- 1 root kvm 806 Dec 7 2013 /usr/bin/virt-copy-in -rwxr-x--- 1 root kvm 808 Dec 7 2013 /usr/bin/virt-copy-out -rwxr-x--- 1 root kvm 54584 Dec 7 2013 /usr/bin/virt-df -rwxr-x--- 1 root kvm 33312 Dec 7 2013 /usr/bin/virt-edit -rwxr-x--- 1 root kvm 54536 Dec 7 2013 /usr/bin/virt-filesystems -rwxr-x--- 1 root kvm 30112 Dec 7 2013 /usr/bin/virt-format -rwxr-x--- 1 root kvm 14656 Jul 1 04:46 /usr/bin/virt-host-validate -rwxr-x--- 1 root kvm 7944 Sep 29 2014 /usr/bin/virt-image -rwxr-x--- 1 root kvm 44696 Dec 7 2013 /usr/bin/virt-inspector -rwxr-x--- 1 root kvm 36992 Sep 29 2014 /usr/bin/virt-install -rwxr-x--- 1 root kvm 5338 Dec 7 2013 /usr/bin/virt-list-filesystems -rwxr-x--- 1 root kvm 6686 Dec 7 2013 /usr/bin/virt-list-partitions -rwxr-x--- 1 root kvm 53816 Dec 7 2013 /usr/bin/virt-ls -rwxr-x--- 1 root kvm 18641 Dec 7 2013 /usr/bin/virt-make-fs -rwxr-x--- 1 root kvm 9600 Jul 1 04:46 /usr/bin/virt-pki-validate -rwxr-x--- 1 root kvm 36264 Dec 7 2013 /usr/bin/virt-rescue -rwxr-x--- 1 root kvm 1322488 Dec 7 2013 /usr/bin/virt-resize -rwxr-x--- 1 root kvm 1231256 Dec 7 2013 /usr/bin/virt-sparsify -rwxr-x--- 1 root kvm 1289592 Dec 7 2013 /usr/bin/virt-sysprep -rwxr-x--- 1 root kvm 8949 Dec 7 2013 /usr/bin/virt-tar -rwxr-x--- 1 root kvm 804 Dec 7 2013 /usr/bin/virt-tar-in -rwxr-x--- 1 root kvm 806 Dec 7 2013 /usr/bin/virt-tar-out -rwxr-x--- 1 root kvm 55 Jul 12 2012 /usr/bin/virtualenv -rwxr-x--- 1 root kvm 132400 May 28 2012 /usr/bin/virt-viewer -rwxr-x--- 1 root kvm 23886 Dec 7 2013 /usr/bin/virt-win-reg -rwxr-x--- 1 root kvm 3531 Jul 1 04:46 /usr/bin/virt-xml-validate
即使现在我无法通过常规SSH连接访问任何这些命令,我仍然可以通过SSH隧道远程执行virt-viewer(如上所述)来启动VM.
那么,我该如何才能使特定用户帐户只能访问虚拟机?
编辑:
这是VM启动时在我的/var/log/libvirt/qemu/cards2.log中出现的内容,如果有任何指示:
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin QEMU_AUdio_DRV=none /usr/bin/kvm -S -M pc-1.1 -enable-kvm -m 2048 -smp 8,sockets=8,cores=1,threads=1 -name cards2 -uuid 70905b35-9df3-71c9-d5e9-f804a2826055 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/cards2.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/kvm/cards2.qcow,if=none,id=drive-ide0-0-0,format=raw -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,drive=drive-ide0-1-0,id=ide0-1-0 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:c6:14:68,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:3 -vga cirrus -device virtio-balloon-pci,id=balloon0,addr=0x4
编辑2:
另一方面,这似乎只是virt-viewer的一个问题,而不是virsh.
例如,以下是在远程客户端上执行的一些命令:
$virsh --connect qemu+ssh://unauthorized-user@server.com/system error: Failed to connect to the hypervisor error: End of file while reading data: nc: unix connect Failed: Permission denied: Input/output error $virsh --connect qemu+ssh://authorized-user@server.com/system Welcome to virsh,the virtualization interactive terminal. Type: 'help' for help with commands 'quit' to quit
解决方法
也许selinux这样做?
Linux: Allow/restrict IP bind permissions by user
因此,最简单的方法是设置VNC密码.您可以在SSH中执行限制转发和X11转发等操作,但这可能不是100%安全,也可能导致root问题.用户登录后仍可访问127.0.0.1/vnc.
更新
根据Mike(其他答案)和Michael Hampton(评论),您可以使用TLS与VNC进行通信而不是密码,因此如果密码不够好,您将获得相当不错的安全性.对他们两个人的道具,我都不知道.
http://wiki.libvirt.org/page/VNCTLSSetup
和
