On Tue, Nov 22, 2011 at 03:29:41PM -0600, Adam Litke wrote:
> Hi guys,
> 
> I've got MOM up and running as a vdsm thread but I've hit two small problems.
> I'll bounce them around on the list to see if people have some ideas.
> 
> 1.) Libvirt SASL authentication
> 
> I was able to easily modify MOM to connect to libvirt by hardcoding the vdsm
> credentials.  Obviously this is not an acceptable long-term solution.  What is
> the best way to share the vdsm libvirt password with MOM in a way that does not
> compromise security?  Whatever method we choose should not involve vdsm-specific
> changes to MOM.  For starters I think I will just place the username and
> password in the mom.conf file.  We could make this file readable only by the
> vdsm user.  Thoughts?

If you are part of the vdsm process, you can import libvirtconnection
and use its get() function to obtain a libvirt connection.

If running as a separate process, you can either steal Vdsm's password,
or add another user to libvirt's sasl db.

Note that this SASL auth that we are using cannot really be called a
"security measure". If mom.conf is read only, I don't see a problem with
it.

> 
> 2.) Permissions
> 
> The first error I noticed was MOM failing to adjust KSM via sysfs:
> 
> 2011-11-22 10:13:48,313 - mom.Controllers.KSM - WARNING - KSM: Failed to write
> /sys/kernel/mm/ksm/run: Permission denied
> 
> MOM is used to running as root so that it can adjust these settings.  I would
> prefer not to complicate the MOM architecture by having a separate process that
> receives instructions from the main MOM thread and then applies the requested
> changes as root.
> 
> Another solution would be to allow MOM to run as a completely separate daemon
> (as it has been originally doing).  In this scenario, vdsm would reconfigure MOM
> by replacing the default configuration file and policy.  vdsm could then
> interact with the running momd via the existing xmlrpc interface.

This would be the simplest integration, I believe.
Note that currently, Vdsm has a thin interaction with ksmtuned which
ships with qemu-kvm. This should probably be turned off or redirected to
momd interaction.

Dan.
_______________________________________________
vdsm-devel mailing list
vdsm-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/vdsm-devel
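
The thread's proposal of keeping the libvirt username and password in mom.conf, readable only by the vdsm user, can be enforced at load time. The following is an added example, not code from MOM, vdsm or either poster; the `[libvirt]` section, the `username`/`password` keys and all function names are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile


class InsecureConfigError(Exception):
    """Raised when the credentials file could be read by another account."""


def load_libvirt_credentials(path, expected_uid, section="libvirt"):
    """Return (username, password) from path, refusing files whose owner or
    mode would expose the password. Section and key names are hypothetical."""
    # Open first and fstat the descriptor, so the checks apply to the file
    # actually read, not to whatever the path points at a moment later.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as handle:
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise InsecureConfigError("%s is not a regular file" % path)
        if info.st_uid != expected_uid:
            raise InsecureConfigError("%s is owned by uid %d, expected %d"
                                      % (path, info.st_uid, expected_uid))
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureConfigError("%s has group/other permission bits set "
                                      "(mode %o)" % (path, stat.S_IMODE(info.st_mode)))
        # interpolation=None so a '%' inside the password is taken literally.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_file(handle)
    return parser.get(section, "username"), parser.get(section, "password")


def demo():
    """Constructed sample: the same file loaded at mode 0600 and at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mom.conf")
        with open(path, "w") as conf:
            conf.write("[libvirt]\nusername = constructed-user\n"
                       "password = constructed-secret\n")
        os.chmod(path, 0o600)
        accepted = load_libvirt_credentials(path, os.getuid())
        os.chmod(path, 0o644)  # now world-readable
        try:
            load_libvirt_credentials(path, os.getuid())
            rejected = False
        except InsecureConfigError:
            rejected = True
    return accepted, rejected
```

In a deployment the caller would pass the vdsm account's uid (for example from `pwd.getpwnam`) as `expected_uid`.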