authorManuel Bentele2021-06-25 12:36:25 +0200
committerManuel Bentele2021-06-25 12:36:25 +0200
commitb70886d3df3a93daa7aab2285ecc1a80867690f5 (patch)
treee7841c369c8f762ba76c5b9832e84318a9d7273f
parent[libvirt] Remove build support for MiniLinux (diff)
[libvirt] Enforce libvirt UIDs/GIDs to not collide with LDAP UIDs/GIDs
-rw-r--r--core/modules/libvirt-users/module.build43
-rw-r--r--core/modules/libvirt-users/module.conf5
-rwxr-xr-xcore/modules/libvirt/data/addon-init77
-rw-r--r--core/modules/libvirt/module.conf4
l---------core/targets/qemu/libvirt-users1
5 files changed, 53 insertions, 77 deletions
diff --git a/core/modules/libvirt-users/module.build b/core/modules/libvirt-users/module.build
new file mode 100644
index 00000000..cab41b98
--- /dev/null
+++ b/core/modules/libvirt-users/module.build
@@ -0,0 +1,43 @@
+#!/bin/bash
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ # Create libvirt users before installing libvirt packages since the
+ # libvirt DEB package hook script will create system users with an
+ # UID/GID greater or equal than 1000. Those default libvirt UIDs/GIDs
+ # are not allowed since they will collide with LDAP UIDs/GIDs.
+
+ # add system groups to run libvirt
+ if ! getent group libvirt-qemu >/dev/null; then
+ addgroup --quiet --system libvirt-qemu
+ fi
+
+ if ! getent group kvm >/dev/null; then
+ addgroup --quiet --system kvm
+ fi
+
+ # add system user libvirt runs qemu/kvm instances with
+ if ! getent passwd libvirt-qemu >/dev/null; then
+ adduser --quiet \
+ --system \
+ --ingroup kvm \
+ --quiet \
+ --disabled-login \
+ --disabled-password \
+ --home /var/lib/libvirt \
+ --no-create-home \
+ --gecos "Libvirt Qemu" \
+ libvirt-qemu
+ fi
+
+ # add libvirt system user to the libvirt system group
+ if ! getent group libvirt-qemu >/dev/null; then
+ adduser --quiet libvirt-qemu libvirt-qemu
+ fi
+}
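Review bot: The last block of `post_copy` can never add the membership it is meant to add, because the `libvirt-qemu` group is already created at the top of the function, so `if ! getent group libvirt-qemu` is false when it is reached and the account stays only in `kvm`. In the removed addon-init code the group creation and the `adduser libvirt-qemu libvirt-qemu` call shared one branch, which is presumably what this was derived from. Guard on the membership itself, e.g. `id -nG libvirt-qemu | tr ' ' '\n' | grep -qx libvirt-qemu || adduser --quiet libvirt-qemu libvirt-qemu`. Separately, each step is skipped whenever `getent` already resolves the name, so nothing confirms the stated goal; a closing check such as `[ "$(id -u libvirt-qemu)" -lt 1000 ] || return 1` (and the same for the GIDs) would catch a pre-existing account outside the system range. The `libvirt` group, the sudo-user membership loop and the `libvirt-dnsmasq` account dropped from addon-init are not recreated here, so it is worth confirming the package hook creates them with IDs that stay clear of the LDAP range.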
diff --git a/core/modules/libvirt-users/module.conf b/core/modules/libvirt-users/module.conf
new file mode 100644
index 00000000..668ddf88
--- /dev/null
+++ b/core/modules/libvirt-users/module.conf
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+REQUIRED_BINARIES=""
+REQUIRED_LIBRARIES=""
+REQUIRED_DIRECTORIES=""
diff --git a/core/modules/libvirt/data/addon-init b/core/modules/libvirt/data/addon-init
index 49c9b7b0..131a03f7 100755
--- a/core/modules/libvirt/data/addon-init
+++ b/core/modules/libvirt/data/addon-init
@@ -1,83 +1,6 @@
#!/bin/ash
-#
-# allocated UID and GID for libvirt-qemu
-#
-LIBVIRT_QEMU_UID=64055
-LIBVIRT_QEMU_GID=64055
-
-#
-# add groups to run libvirt
-#
-if ! getent group libvirt >/dev/null; then
- addgroup --quiet --system libvirt
-fi
-
-if ! getent group kvm >/dev/null; then
- addgroup --quiet --system kvm
-fi
-
-#
-# add user and group libvirt runs qemu/kvm instances with
-#
-if ! getent passwd libvirt-qemu >/dev/null; then
-
- # set uid if available (expected); don't fail otherwise.
- PARAMETER_UID=''
- if ! getent passwd $LIBVIRT_QEMU_UID >/dev/null; then
- PARAMETER_UID="--uid $LIBVIRT_QEMU_UID"
- fi
-
- adduser --quiet \
- --system \
- --ingroup kvm \
- --quiet \
- --disabled-login \
- --disabled-password \
- --home /var/lib/libvirt \
- --no-create-home \
- --gecos "Libvirt Qemu" \
- $PARAMETER_UID \
- libvirt-qemu
-fi
-
-if ! getent group libvirt-qemu >/dev/null; then
-
- # set gid if available (expected); don't fail otherwise.
- PARAMETER_GID=''
- if ! getent group $LIBVIRT_QEMU_GID >/dev/null; then
- PARAMETER_GID="--gid $LIBVIRT_QEMU_GID"
- fi
-
- addgroup --quiet --system $PARAMETER_GID libvirt-qemu
- adduser --quiet libvirt-qemu libvirt-qemu
-fi
-
-#
-# add each sudo user to the libvirt group
-#
-for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do
- adduser "$u" libvirt >/dev/null || true
-done
-
-if ! getent group libvirt-dnsmasq >/dev/null; then
- addgroup --quiet --system libvirt-dnsmasq
-fi
-if ! getent passwd libvirt-dnsmasq >/dev/null; then
- adduser --quiet \
- --system \
- --ingroup libvirt-dnsmasq \
- --disabled-login \
- --disabled-password \
- --home /var/lib/libvirt/dnsmasq \
- --no-create-home \
- --gecos "Libvirt Dnsmasq" \
- libvirt-dnsmasq
-fi
-
-#
# register and start libvirt services
-#
systemctl daemon-reload
systemctl start libvirtd.service
systemctl start libvirt-guests.service
diff --git a/core/modules/libvirt/module.conf b/core/modules/libvirt/module.conf
index 668ddf88..d67344f7 100644
--- a/core/modules/libvirt/module.conf
+++ b/core/modules/libvirt/module.conf
@@ -1,5 +1,9 @@
#!/bin/bash
+REQUIRED_MODULES="
+ libvirt-users
+"
+
REQUIRED_BINARIES=""
REQUIRED_LIBRARIES=""
REQUIRED_DIRECTORIES=""
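Review bot: The new `REQUIRED_MODULES` entry carries an ordering requirement that is not documented here: per the comment in libvirt-users/module.build, the accounts must exist before the libvirt packages are installed, otherwise the package hook picks the IDs. A comment above the assignment would keep a later cleanup from dropping or reordering it, e.g. `# libvirt-users must run first so libvirt-qemu/kvm get system-range IDs before the libvirt packages are installed`. Whether `REQUIRED_MODULES` actually guarantees that `post_copy` of the dependency runs before package installation is not visible in this diff and should be confirmed.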
diff --git a/core/targets/qemu/libvirt-users b/core/targets/qemu/libvirt-users
new file mode 120000
index 00000000..6f799d72
--- /dev/null
+++ b/core/targets/qemu/libvirt-users
@@ -0,0 +1 @@
+../../modules/libvirt-users \ No newline at end of file