[ClusterLabs] Reply: Re: VirtualDomain as non-root / encrypted

philipp.achmueller at arz.at philipp.achmueller at arz.at
Wed Mar 8 10:27:29 EST 2017


Ken Gaillot <kgaillot at redhat.com> wrote on 08.03.2017 15:50:57:

> From: Ken Gaillot <kgaillot at redhat.com>
> To: users at clusterlabs.org
> Date: 08.03.2017 15:56
> Subject: Re: [ClusterLabs] VirtualDomain as non-root / encrypted
> 
> On 03/08/2017 04:19 AM, philipp.achmueller at arz.at wrote:
> > hi,
> > 
> > Any ideas how to run VirtualDomain Resource as non-root user with
> > encrypted transport to remote hypervisor(ssh)?
> > 
> > I'm able to start/stop/migrate vm via libvirt as non-root, but it
> > doesn't work with pacemaker - pacemaker runs VirtualDomain as root, also
> > there is no option to pass user via parameter
> > 
> > thank you!
> 
> There's no way to do this within Pacemaker currently. The closest
> workaround would be to copy the VirtualDomain agent, and edit it to
> switch users before doing anything.
> 

thank you, we will give that a try!

> Since we added the alerts feature, we've been keeping a future
> enhancement in mind to allow selecting the user that alert agents run as
> (currently, it's always hacluster). If we do that, the same mechanism
> will likely work with resource agents as well. There is a lot of
> high-priority work ahead of that, though.
> 
> Keep in mind that some agents maintain state data somewhere like
> /var/run, and they may break even if they can otherwise run as a
> different user. If they offer the state location as an option, that's an
> easy workaround.
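
An added example (not part of the thread, and not code from Pacemaker or the resource-agents project) of a preamble that could sit at the top of a copied agent to apply the workaround described above: re-execute as an unprivileged user and check that the state directory is usable by that user. The account name `vmadmin`, the variables `AGENT_USER` and `AGENT_STATE_DIR`, the directory path and the availability of `runuser` are assumptions.

```shell
#!/bin/sh
# Privilege-drop preamble for a copied resource agent (added example).
# AGENT_USER and AGENT_STATE_DIR are hypothetical names, not agent parameters.
AGENT_USER="${AGENT_USER:-vmadmin}"
AGENT_STATE_DIR="${AGENT_STATE_DIR:-/var/run/vd-nonroot}"

# Decide what to do given the current uid and the target account's uid.
# Prints: drop (root, re-exec needed), run (already the target), or refuse.
priv_action() {
    cur_uid=$1; target_uid=$2
    if [ -z "$target_uid" ]; then echo refuse        # target account does not exist
    elif [ "$target_uid" -eq 0 ]; then echo refuse   # "dropping" to root is no drop
    elif [ "$cur_uid" -eq "$target_uid" ]; then echo run
    elif [ "$cur_uid" -eq 0 ]; then echo drop
    else echo refuse                                 # a third user cannot switch
    fi
}

# The agent's state location must be usable by the unprivileged user,
# otherwise the agent may break even though it runs.
state_dir_ok() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Call with the agent's own arguments before any other agent code runs.
agent_preamble() {
    target_uid=$(id -u "$AGENT_USER" 2>/dev/null)
    case $(priv_action "$(id -u)" "$target_uid") in
        drop)
            # runuser without -l keeps the environment, so the OCF_*
            # variables exported by Pacemaker reach the re-executed agent.
            # HOME is reset on the assumption that the user's SSH keys and
            # libvirt client configuration live under its home directory.
            HOME=$(getent passwd "$AGENT_USER" | cut -d: -f6); export HOME
            exec runuser -u "$AGENT_USER" -- "$0" "$@" ;;
        run)
            state_dir_ok "$AGENT_STATE_DIR" || return 5 ;;  # OCF_ERR_INSTALLED
        *)
            return 4 ;;                                     # OCF_ERR_PERM
    esac
}

# In the copied agent, as the first executable line:
#   agent_preamble "$@" || exit $?
```

The state directory has to be created and handed to the unprivileged account outside the agent, for example at boot, since `/var/run` is usually a tmpfs.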
