Heretofore, VCL SSH's to a hypervisor when it wants to cause some change (ie: provision or deprovision a VM). The VCL uses pre-shared SSH keys between VCL and the hypervisor to allow the SSHing the authenticate. This works for VMware server and regular ESX because they are configurable to accept SSH keys. ESX 3i isn't configurable to accept an SSH logon, and can only be communicated with through a web service which requires a valid hypervisor username and password.

So I'd like to propose that we add a hypervisor username and password in the VCL database associated. As far as I can tell, there are two places to add this information.

1) Extend the 'vmhost' table to include a username field and a password field. This would allow each individual hypervisor to have its own user/pass. However, if all the hypervisors use the same user/ pass then we've just duplicated a lot of data, and it is very hard to change this system wide password later.

2) Extend the 'vmprofile' table to include a username field and a password. In this case a group of hypervisors (linked through the same vmprofile) would share a single user/pass. This would make password changes easier since it only has to be updated in one place, but requires hypervisors to have a consistant username/password across them. Because of the de-duplication of data, and easyness of password changes, I favor of this second option.

Whichever table it goes in, here are the lines to be added to the vcl.sql file:

 `username` varchar(8) NOT NULL default ''
`password` varchar(40) NOT NULL default ''

Could someone tell us a bit about how to get that username and password out of the database and into our module as a variable?


Brian Bouterse
Secure Open Systems Initiative

Reply via email to