go-dromaius is a tool that wraps commands from libvirt's virsh. It allows a hypervisor administrator to give users access to their virtual machine(s) without giving full access to all virtual machines.

Usually, a hypervisor administrator can use polkit(8) to restrict access to users. See for example this answer to a Serverfault question on restricting access to KVM virtual machines. Unfortunately, all examples assume a polkit version >= 0.106, whereas this version is still not available in either Ubuntu 19.04 (disco) or Debian 10 (Buster). The restrictions available in polkit < 0.106 are not fine-grained enough to restrict access to one virtual machine. See also these posts.

go-dromaius supports the following commands:
- start
- reboot
- shutdown
- destroy
- reset
- console

cd cmd/dromaius && go build
- Create a user, e.g.:
# adduser --system --disabled-password --shell /bin/bash --ingroup nogroup --home /var/lib/dromaius dromaius
- Prepare the .ssh/ directory:
# mkdir -p /var/lib/dromaius/.ssh
# touch /var/lib/dromaius/.ssh/authorized_keys
# chown -R dromaius:nogroup /var/lib/dromaius/.ssh/
# chmod 700 /var/lib/dromaius/.ssh/
# chmod 600 /var/lib/dromaius/.ssh/authorized_keys
- By default (in Debian), the libvirt-sock UNIX socket has mode 777, allowing read/write access to all. If your configuration is different, make sure the dromaius user is in the correct group, and the socket has the correct user/group/mode settings.
- Per supplied SSH key, add the following line to /var/lib/dromaius/.ssh/authorized_keys:
command="/var/lib/dromaius/dromaius -cmd interactive -host <full hostname of the VM>",no-agent-forwarding,no-port-forwarding,no-X11-forwarding <ssh-key>
- Set the allowed hosts in /var/lib/dromaius/dromaius.json (see dromaius.json.example).
- Let the user use ssh dromaius@vm-host to access the interactive console.
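
Since every key in authorized_keys must be pinned to the dromaius forced command, the script below audits the file against the template from the steps above. It is an added example, not part of go-dromaius: the function names `audit_authorized_keys` and `write_sample` are hypothetical, the sample keys are constructed, and the check expects the option order shown in the template.

```shell
#!/bin/sh
# Added example (not part of go-dromaius): audit authorized_keys against the
# README's template. Prints "<file>:<line>: <reason>" and returns 1 on findings.
audit_authorized_keys() {
    file=$1 bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        reason=
        case $line in
        'command="/var/lib/dromaius/dromaius -cmd interactive -host '*)
            cmd=${line#command=\"}; cmd=${cmd%%\"*}  # text inside the quotes
            host=${cmd#* -host }
            rest=${line#command=\"*\"}               # what follows the command
            opts=$(printf ',%s,' "${rest%% *}" | tr 'A-Z' 'a-z')
            # sshd runs the forced command through the user's shell, so the
            # -host value must be a plain hostname with no metacharacters.
            case $host in ''|*[!A-Za-z0-9.-]*) reason="suspicious -host value" ;; esac
            for o in no-agent-forwarding no-port-forwarding no-x11-forwarding; do
                case $opts in *",$o,"*) ;; *) reason="${reason:+$reason; }missing $o" ;; esac
            done ;;
        *) reason="key not pinned to the dromaius forced command" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s:%s: %s\n' "$file" "$n" "$reason"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample: line 1 follows the template, line 2 lacks a restriction,
# line 3 is a bare key that would give its owner a full shell as dromaius.
write_sample() {
    cat > "$1" <<'EOF'
command="/var/lib/dromaius/dromaius -cmd interactive -host vm1.example.org",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAexamplekey alice
command="/var/lib/dromaius/dromaius -cmd interactive -host vm2.example.org",no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAexamplekey bob
ssh-ed25519 AAAAexamplekey carol
EOF
}

# Audit the file given as the first argument, if any.
[ -z "${1:-}" ] || audit_authorized_keys "$1"
```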