On Tue, Nov 22, 2011 at 03:29:41PM -0600, Adam Litke wrote:
> Hi guys,
> I've got MOM up and running as a vdsm thread but I've hit two small problems.
> I'll bounce them around on the list to see if people have some ideas.
> 1.) Libvirt SASL authentication
> I was able to easily modify MOM to connect to libvirt by hardcoding the vdsm
> credentials. Obviously this is not an acceptable long-term solution. What is
> the best way to share the vdsm libvirt password with MOM in a way that does
> not compromise security? Whatever method we choose should not involve
> changes to MOM. For starters I think I will just place the username and
> password in the mom.conf file. We could make this file readable only by the
> vdsm user. Thoughts?
If you are part of the vdsm process, you can import libvirtconnection
and use its get() function to obtain a libvirt connection.
If running as a separate process, you can either steal Vdsm's password,
or add another user to libvirt's sasl db.
Note that this SASL auth that we are using cannot really be called a
"security measure". If mom.conf is read only, I don't see a problem with
> 2.) Permissions
> The first error I noticed was MOM failing to adjust KSM via sysfs:
> 2011-11-22 10:13:48,313 - mom.Controllers.KSM - WARNING - KSM: Failed to write
> /sys/kernel/mm/ksm/run: Permission denied
> MOM is used to running as root so that it can adjust these settings. I would
> prefer not to complicate the MOM architecture by having a separate process
> that receives instructions from the main MOM thread and then applies the requested
> changes as root.
> Another solution would be to allow MOM to run as a completely separate daemon
> (as it has been originally doing). In this scenario, vdsm would reconfigure
> by replacing the default configuration file and policy. vdsm could then
> interact with the running momd via the existing xmlrpc interface.
This would be the simplest integration, I believe.
Note that currently, Vdsm has a thin interaction with ksmtuned which
ships with qemu-kvm. This should probably be turned off or redirected to
vdsm-devel mailing list
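Added example for the mom.conf approach discussed above (this is not MOM's or vdsm's own code). It reads the libvirt SASL username and password from a config file, refuses to use the file unless it is readable by its owner only, and wraps the credentials in the callback triple that libvirt's openAuth() takes. The "[libvirt]" section name, the "username"/"password" option names and the helper names are assumptions; the VIR_CRED_* values are libvirt's public constants, copied so the loader and callback can be exercised without the libvirt module present.

```python
"""Load libvirt SASL credentials from an owner-only config file and
hand them to libvirt.openAuth(). Added example, not MOM/vdsm code."""
import os
import stat
import tempfile
from configparser import ConfigParser

# libvirt virConnectCredentialType values (libvirt.VIR_CRED_AUTHNAME,
# libvirt.VIR_CRED_PASSPHRASE); duplicated here so the code below can be
# exercised without importing libvirt.
VIR_CRED_AUTHNAME = 2
VIR_CRED_PASSPHRASE = 5


class InsecureConfigError(Exception):
    """Raised when the credentials file is group- or world-accessible."""


def load_libvirt_credentials(path):
    """Return (username, password) from the [libvirt] section of path.

    The file must be mode 0600 (or stricter): anything readable by group
    or others would leak the libvirt password to every local user.
    Section and option names are assumptions for this example.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(
            "%s has mode %04o; credentials file must be owner-only (0600)"
            % (path, mode))
    # interpolation=None so a '%' in the password is not mangled
    cp = ConfigParser(interpolation=None)
    with open(path) as f:
        cp.read_file(f)
    return cp.get("libvirt", "username"), cp.get("libvirt", "password")


def make_auth(username, password):
    """Build the [cred_types, callback, userdata] list libvirt.openAuth() expects.

    libvirt calls the callback with a list of credentials, each a list
    [type, prompt, challenge, default, result]; the callback fills result
    (index 4) and returns 0, or -1 for a credential type it cannot supply.
    """
    def cb(credentials, _userdata):
        for cred in credentials:
            if cred[0] == VIR_CRED_AUTHNAME:
                cred[4] = username
            elif cred[0] == VIR_CRED_PASSPHRASE:
                cred[4] = password
            else:
                return -1
        return 0
    return [[VIR_CRED_AUTHNAME, VIR_CRED_PASSPHRASE], cb, None]


def connect(conf_path, uri="qemu:///system"):
    """Open an authenticated libvirt connection using credentials from conf_path."""
    import libvirt  # assumption: libvirt python bindings are installed
    user, password = load_libvirt_credentials(conf_path)
    return libvirt.openAuth(uri, make_auth(user, password), 0)


def write_conf(path, username, password, mode):
    """Write a constructed mom.conf-style file and force its mode (demo/test helper)."""
    with open(path, "w") as f:
        f.write("[libvirt]\nusername = %s\npassword = %s\n" % (username, password))
    os.chmod(path, mode)


def demo_round_trip():
    """Show both outcomes on constructed files: 0600 loads, 0644 is refused."""
    path = os.path.join(tempfile.mkdtemp(), "mom.conf")
    write_conf(path, "vdsm", "s3cret%pass", 0o600)
    loaded = load_libvirt_credentials(path)
    write_conf(path, "vdsm", "s3cret%pass", 0o644)
    try:
        load_libvirt_credentials(path)
        refused = False
    except InsecureConfigError:
        refused = True
    return loaded, refused


if __name__ == "__main__":
    print(demo_round_trip())
```

If MOM runs as a separate daemon under the vdsm user, the same check applies: chown the file to vdsm, mode 0600, and let the loader reject anything looser rather than silently using a readable secret.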