[one-users] Centos 6.3 foibles and fragile runtime assumptions

Matthew Patton mpatton at inforelay.com
Sat Sep 15 05:10:44 PDT 2012


On Mon, 10 Sep 2012 08:14:02 -0400, Valentin Bud  
<valentin at hackaserver.com> wrote:

> I have managed to get OpenNebula running on a CentOS 6.3 host.
...
> I have configured polkit.

I went the other way and recompiled Libvirt from source and disabled  
polkit and a number of other recent "enhancements" as well as forcibly
turned ON vmware and xen support. I'm no expert on the rpmbuild process  
but I had to actually hand-edit the section where it invokes 'configure'  
because setting the variables in the build file (which I thought should  
have worked) didn't.

> Also qemu is configured to run under oneadmin user and group
>
> # cat /etc/libvirt/qemu.conf | egrep "^user|^group"
> user = "oneadmin"
> group = "oneadmin"

I think this is a BAD or at least not good thing to do. All libvirt  
operations should always run as the system's QEMU user. It should be that  
anything oneadmin wants to run be via 'sudo -u qemu <cmd>'. This also  
means that ONE needs to support a way to specify the "connect-as" when  
invoking SSH. Currently the assumption is 'oneadmin' is available  
everywhere. This problem also breaks VMware support since the 'oneadmin'
and/or its key will not persist. For every host (and/or cluster)
definition there needs to be an optional attribute (e.g. SSH_AS) that is
merged into all connection strings.

Similarly there needs to be a "command prefix" which would often equal  
"sudo -u <qemu user>"

-- 
Cloud Services Architect, Senior System Administrator
InfoRelay Online Systems (www.inforelay.com)
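
Added example (not part of the original message or of OpenNebula): a shell check that reads the user and group settings from a qemu.conf and flags values other than the system QEMU account. The function names and the sample file are constructed for illustration; `qemu` as the expected account name follows the message's 'sudo -u qemu'.

```shell
#!/bin/sh
# Added example: audit which account libvirt's QEMU driver is configured to use.

# qemu_conf_value KEY FILE
# Prints the last uncommented value of KEY (quotes stripped), or nothing if unset.
qemu_conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# check_qemu_account FILE [EXPECTED]
# Returns 0 when user and group are unset or equal EXPECTED, 1 otherwise.
check_qemu_account() {
    conf=$1
    expected=${2:-qemu}   # assumption: the system QEMU account is named "qemu"
    rc=0
    for key in user group; do
        val=$(qemu_conf_value "$key" "$conf")
        if [ -z "$val" ]; then
            echo "$key: not set (libvirt's built-in default applies)"
        elif [ "$val" = "$expected" ]; then
            echo "$key: $val (ok)"
        else
            echo "$key: $val (overrides expected '$expected')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample file; the active user/group lines are the ones quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#user = "root"
user = "oneadmin"
group = "oneadmin"
EOF
check_qemu_account "$sample" qemu || echo "qemu.conf overrides the system QEMU account"
rm -f "$sample"
```

On a real host, point the function at /etc/libvirt/qemu.conf instead of the sample file.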


