Self Service Option for VM Administration

From MyWiki


Self Service Option

This will allow users to directly administer their virtual machines, without requiring them to have root on the host systems.

User Information

  • Download the VMware Server Console application from http://www.vmware.com/download/server/
    • Note: Navigate the site as if you're planning on downloading the VMware Server and accept the EULA. You will then be presented with platform choices and, most importantly, the option to download the "client package". This is what you want. The Server Console application is part of the client package.
  • Install the Server Console application
  • In the VMware Server Console application, connect to the correct pkirackXX.ncsa.uiuc.edu server.
  • Use your NCSA Kerberos ID and password.

Host System Configuration

  • A user's ability to manage a VM depends upon:
    1. The user's file permissions on the directory that holds the VM's files. Specifically, the user needs to be able to create files in the VM's subdirectory.
    2. The user's file permissions on the VM's vmx file.

VMX File Permissions

vmx Permissions   VM Management Rights
(none)            Cannot connect to the VM or do anything
r                 Can only see the VM's power state
r x               Can power on/off, suspend/resume, and connect/disconnect removable devices
rw                Can add/remove virtual hardware
rwx               (it's a bit unclear what this means)

Additional information is in the VMware documentation, "Securing Virtual Machines and the Host" located at:
http://pubs.vmware.com/server1/admin/manage_secure_gsx.html
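The following script is an added example, not part of this wiki page or of VMware's own tooling. It turns the two host-side requirements above (a VM directory the user can create files in, and a vmx file whose permission bits grant only the rights the table lists) into a small POSIX shell helper: `setup_vm_dir` lays out a per-VM directory with a setgid group so a user can be delegated a VM without root on the host, and `vmx_rights` reads the owner bits of a vmx file and reports which row of the table they correspond to. Function names, the rights labels and the sample paths are assumptions constructed for this example. Note that it reports only the owner's bits; the rights a given user actually gets also depend on the group and other bits, on group membership, and on the uid that vmware-authd performs the access check as.

```shell
#!/bin/sh
# Added example (not from the wiki page): encode the page's table of
# vmx permission bits -> VM management rights as a check, and show a
# least-privilege layout for a self-service VM directory.
# Function names, rights labels and sample paths are constructed.

# vmx_rights FILE
# Print the management rights the table assigns to the OWNER bits of FILE.
# Labels (constructed): none, status, power, hardware, rwx, unlisted.
vmx_rights() {
    file=$1
    # ls -l is POSIX; characters 2-4 of the mode field are the owner's rwx bits.
    bits=$(ls -ld "$file" | cut -c2-4)
    case $bits in
        ---) echo none ;;      # cannot connect to the VM or do anything
        r--) echo status ;;    # can only see the VM's power state
        r-x) echo power ;;     # power on/off, suspend/resume, removable devices
        rw-) echo hardware ;;  # add/remove virtual hardware
        rwx) echo rwx ;;       # the page says the meaning of rwx is unclear
        *)   echo unlisted ;;  # combinations the table does not cover
    esac
}

# setup_vm_dir DIR VMX_MODE
# Create a VM directory the user can create files in (the page's first
# requirement) and a vmx file whose mode is exactly VMX_MODE (the second).
# The setgid bit on DIR makes files the console creates inherit DIR's group,
# so a per-VM group can carry the delegation instead of root on the host.
setup_vm_dir() {
    dir=$1
    vmx_mode=$2
    mkdir -p "$dir"
    chmod 2770 "$dir"           # owner+group rwx, setgid, nothing for others
    : > "$dir/vm.vmx"           # empty placeholder standing in for a real vmx
    chmod "$vmx_mode" "$dir/vm.vmx"
}

# Stand-alone demonstration on a throw-away directory.
demo_dir=$(mktemp -d)
for mode in 0400 0550 0660 0770 0000; do
    setup_vm_dir "$demo_dir/vm-$mode" "$mode"
    printf '%s -> %s\n' "$mode" "$(vmx_rights "$demo_dir/vm-$mode/vm.vmx")"
done
rm -rf "$demo_dir"
```

Run it as the host administrator to create the directory, then `chgrp` the directory and vmx to the group of the user who should manage the VM; the group bits on the vmx (not the owner bits the helper prints) are what that user is then judged by, so choose them from the same table.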

Private VMs

VMware supports the concept of a "private" virtual machine. This is represented by a checkbox on the configuration GUI. This merely regulates the visibility of a VM, i.e. a private virtual machine is visible only within the Server Console of the user who created it.

PAM Configuration

PAM (for the vmware service) has to be set up correctly. For our environment, this means kerberos authentication.

  • Edit /etc/pam.d/vmware-authd
#%PAM-1.0

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so