vmtui


Namevmtui JSON
Version 0.9.5 PyPI version JSON
download
home_pagehttps://github.com/cgruhl/vmtui
SummaryA text user interface (TUI) to control virtual machines on a per user basis
upload_time2024-09-27 13:38:39
maintainerNone
docs_urlNone
authorChristian Gruhl
requires_pythonNone
licenseNone
keywords libvirt kvm vm
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # VMTUI

*a text user interface to control libvirt VMs on a per user basis.*

## libvirt polkit configuration

`VMTUI` is intended as a simple interface to allow unprivileged user accounts to control (i.e. (re)start, shutdown, install) their personal virtual machines.
To make use of this, libvirt must be configured to use polkit. The package provides a helper script `gen_libvirt_polkit_acl` that allows the generation of an ACL policy based on a yaml database.

The `libvirtd.conf` file must be modified [src](https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs) and `virtqemud.conf` as well:

`/etc/libvirt/libvirtd.conf` and `/etc/libvirt/virtqemud.conf`:

~~~conf
access_drivers = [ "polkit" ]
~~~

In this example, a user account must belong to the `adm_vmhost` group to get full priviliges.
User accounts with personal VMs must belong to the `user_vm` group.

`/etc/polkit-1/rules.d/100-libvirt-acl.rules`:

~~~javascript
polkit.addRule(function(action, subject) {
    if (
        subject.isInGroup("adm_vmhost") ||

        false // makes generation easier
       ) {
        if (action.id == "org.libvirt.unix.manage" || action.id.startsWith("org.libvirt.api")) {
            return polkit.Result.YES;
        }

        } else if ( subject.isInGroup("user_vm") ) {
            if (action.id == "org.libvirt.unix.manage" || action.id.startsWith("org.libvirt.api.connect")) {
                return polkit.Result.YES;
            } else if (action.id.startsWith("org.libvirt.api.domain") && action.lookup("connect_driver")=="QEMU") {
                var dom = action.lookup("domain_name");
                if((subject.user == "alice" && dom == "rocky9-2") ||
                   (subject.user == "bob" && dom == "rocky9-3") || // these are the "entry types that must be read from a file, either to grant access to a user or a group
                   false // makes generation easier
                ) {
                    return polkit.Result.YES;
                    } else {
                    return polkit.Result.NO;
                }
            } else if ( action.id.startsWith("org.libvirt.api.network") ) {
                if ( action.id.endsWith("getattr") ||
                     action.id.endsWith("read") ||
                     action.id.endsWith("create")
                    ) {
                    return polkit.Result.YES;
                } else {
                    return polkit.Result.NO;
                }
            }
    }
        return polkit.Result.NO;
}
);

~~~

> The example grants the user `alice` access to the domain `rocky9-2`, while `bob` is allowed to manage `rocky9-3`.

To simplify the generation of the polkit ACL use the `s` script and provide a `user_acl.yaml`:

~~~yaml
libvirt_acl:
  admin_groups: # configure groups that have full access
    - adm_vmhost
  domains: # domain specific ACL
    rocky9: # grant users alice and bob and members of the group mod_vmhost access to 'rocky9''
      users:
        - alice
        - bob
      groups:
        - mod_vmhost
    rocky9-2: # grant alice access to rocky9-2 
      users:
        - alice
    rocky9-3: # grant bob access to rocky9-3
      users:
        - bob
~~~

To generate the ACL (as root):

~~~bash
gen_libvirt_polkit_acl --acl /etc/libvirt_acl.yaml 
~~~

It might be necessary to restart libvirt and polkit.

~~~bash
systemctl restart polkit # usually automatically reloads files
systemctl restart libvirtd
~~~

## SSH configuration for vmtui

You can limit ssh access to vmtui with the following configuration (limits members of the `user_vm` group to `vmtui`).
It is recommended to use a virtual environment (here `/opt/vmtui`).

`/etc/ssh/sshd_config.d/10-vmtui-conf`

~~~conf
Match Group user_vm
    ForceCommand /opt/vmtui/bin/vmtui
~~~


            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/cgruhl/vmtui",
    "name": "vmtui",
    "maintainer": null,
    "docs_url": null,
    "requires_python": null,
    "maintainer_email": null,
    "keywords": "libvirt, KVM, VM",
    "author": "Christian Gruhl",
    "author_email": "cgruhl@uni-kassel.de",
    "download_url": "https://files.pythonhosted.org/packages/eb/21/44d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1/vmtui-0.9.5.tar.gz",
    "platform": null,
    "description": "# VMTUI\n\n*a text user interface to control libvirt VMs on a per user basis.*\n\n## libvirt polkit configuration\n\n`VMTUI` is intended as a simple interface to allow unprivileged user accounts to control (i.e. (re)start, shutdown, install) their personal virtual machines.\nTo make use of this, libvirt must be configured to use polkit. The package provides a helper script `gen_libvirt_polkit_acl` that allows the generation of an ACL policy based on a yaml database.\n\nThe `libvirtd.conf` file must be modified [src](https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs) and `virtqemud.conf` as well:\n\n`/etc/libvirt/libvirtd.conf` and `/etc/libvirt/virtqemud.conf`:\n\n~~~conf\naccess_drivers = [ \"polkit\" ]\n~~~\n\nIn this example, a user account must belong to the `adm_vmhost` group to get full priviliges.\nUser accounts with personal VMs must belong to the `user_vm` group.\n\n`/etc/polkit-1/rules.d/100-libvirt-acl.rules`:\n\n~~~javascript\npolkit.addRule(function(action, subject) {\n    if (\n        subject.isInGroup(\"adm_vmhost\") ||\n\n        false // makes generation easier\n       ) {\n        if (action.id == \"org.libvirt.unix.manage\" || action.id.startsWith(\"org.libvirt.api\")) {\n            return polkit.Result.YES;\n        }\n\n        } else if ( subject.isInGroup(\"user_vm\") ) {\n            if (action.id == \"org.libvirt.unix.manage\" || action.id.startsWith(\"org.libvirt.api.connect\")) {\n                return polkit.Result.YES;\n            } else if (action.id.startsWith(\"org.libvirt.api.domain\") && action.lookup(\"connect_driver\")==\"QEMU\") {\n                var dom = action.lookup(\"domain_name\");\n                if((subject.user == \"alice\" && dom == \"rocky9-2\") ||\n                   (subject.user == \"bob\" && dom == \"rocky9-3\") || // these are the \"entry types that must be read from a file, either to grant access to a user or a group\n                   false // makes generation easier\n                ) {\n                    return polkit.Result.YES;\n                    } else {\n                    return polkit.Result.NO;\n                }\n            } else if ( action.id.startsWith(\"org.libvirt.api.network\") ) {\n                if ( action.id.endsWith(\"getattr\") ||\n                     action.id.endsWith(\"read\") ||\n                     action.id.endsWith(\"create\")\n                    ) {\n                    return polkit.Result.YES;\n                } else {\n                    return polkit.Result.NO;\n                }\n            }\n    }\n        return polkit.Result.NO;\n}\n);\n\n~~~\n\n> The example grants the user `alice` access to the domain `rocky9-2`, while `bob` is allowed to manage `rocky9-3`.\n\nTo simplify the generation of the polkit ACL use the `s` script and provide a `user_acl.yaml`:\n\n~~~yaml\nlibvirt_acl:\n  admin_groups: # configure groups that have full access\n    - adm_vmhost\n  domains: # domain specific ACL\n    rocky9: # grant users alice and bob and members of the group mod_vmhost access to 'rocky9''\n      users:\n        - alice\n        - bob\n      groups:\n        - mod_vmhost\n    rocky9-2: # grant alice access to rocky9-2 \n      users:\n        - alice\n    rocky9-3: # grant bob access to rocky9-3\n      users:\n        - bob\n~~~\n\nTo generate the ACL (as root):\n\n~~~bash\ngen_libvirt_polkit_acl --acl /etc/libvirt_acl.yaml \n~~~\n\nIt might be necessary to restart libvirt and polkit.\n\n~~~bash\nsystemctl restart polkit # usually automatically reloads files\nsystemctl restart libvirtd\n~~~\n\n## SSH configuration for vmtui\n\nYou can limit ssh access to vmtui with the following configuration (limits members of the `user_vm` group to `vmtui`).\nIt is recommended to use a virtual environment (here `/opt/vmtui`).\n\n`/etc/ssh/sshd_config.d/10-vmtui-conf`\n\n~~~conf\nMatch Group user_vm\n    ForceCommand /opt/vmtui/bin/vmtui\n~~~\n\n",
    "bugtrack_url": null,
    "license": null,
    "summary": "A text user interface (TUI) to control virtual machines on a per user basis",
    "version": "0.9.5",
    "project_urls": {
        "Homepage": "https://github.com/cgruhl/vmtui"
    },
    "split_keywords": [
        "libvirt",
        " kvm",
        " vm"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "060e6ee6cae5eaa1bead38310e42260bee70836f3f97a57f6a00733287a265a3",
                "md5": "8eb3c635bee6420d1629e6aa1eb2e351",
                "sha256": "a49c31daa5250151f0d371a1846c3f2c96a543fd969cef9eef926e58dfe09fa7"
            },
            "downloads": -1,
            "filename": "vmtui-0.9.5-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "8eb3c635bee6420d1629e6aa1eb2e351",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": null,
            "size": 11054,
            "upload_time": "2024-09-27T13:38:36",
            "upload_time_iso_8601": "2024-09-27T13:38:36.405369Z",
            "url": "https://files.pythonhosted.org/packages/06/0e/6ee6cae5eaa1bead38310e42260bee70836f3f97a57f6a00733287a265a3/vmtui-0.9.5-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "eb2144d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1",
                "md5": "7328ce7b73bfa322c1bf58021d4534cc",
                "sha256": "e92d7dcb061f72ff7d63be7846b32afb6cec44834b53b6d80446e0b2493fb95e"
            },
            "downloads": -1,
            "filename": "vmtui-0.9.5.tar.gz",
            "has_sig": false,
            "md5_digest": "7328ce7b73bfa322c1bf58021d4534cc",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 11743,
            "upload_time": "2024-09-27T13:38:39",
            "upload_time_iso_8601": "2024-09-27T13:38:39.983591Z",
            "url": "https://files.pythonhosted.org/packages/eb/21/44d82728aeb5c292def4d0fcd0e55ee34c4b014510ed0050014935e117a1/vmtui-0.9.5.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-09-27 13:38:39",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "cgruhl",
    "github_project": "vmtui",
    "github_not_found": true,
    "lcname": "vmtui"
}
        
Elapsed time: 0.32807s