[ovirt-users] Ip spoofing

Punit Dambiwal hypunit at gmail.com
Fri Jun 27 09:07:56 UTC 2014


Hi Dan,

Still the same... the VM can spoof the IP address... attached is the VM domain
XML file...


On Thu, Jun 26, 2014 at 5:30 PM, Punit Dambiwal <hypunit at gmail.com> wrote:

> Hi Sven,
>
> I already gave the sudo user permission to the VDSM user...
>
> Yes... after the VDSM restart I can see this hook in the host tab... I will test it
> again and update you guys if it is still not solved...
>
>
> On Thu, Jun 26, 2014 at 4:03 PM, Antoni Segura Puimedon <
> asegurap at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Sven Kieske" <S.Kieske at mittwald.de>
>> > To: users at ovirt.org
>> > Sent: Thursday, June 26, 2014 9:12:31 AM
>> > Subject: Re: [ovirt-users] Ip spoofing
>> >
>> > Well this is strange, and this should not be the reason
>> > but can you attach a ".py" ending to the file names (maybe vdsm performs
>> > some strange checks)?
>>
>> We do not ;-)
>>
>> > your permissions look good.
>> > the only other thing I can think of are selinux
>> > restrictions, can you check them with:
>> > #this gives you the actual used selinux security level:
>> > getenforce
>>
>> That could be it
>>
>> > #this gives you the selinux attributes for the folder:
>> > ls -lZ /usr/libexec/vdsm/hooks/before_device_create
>> >
>> > I first thought it might be related to vdsm's sudoers
>> > rights but a plain python script should be executed
>> > without modification to the sudoers config.
>> >
>> > HTH
>> >
>> > On 26.06.2014 06:22, Punit Dambiwal wrote:
>> > > Hi Dan,
>> > >
>> > > The permission looks ok...
>> > >
>> > >
>> > > [root at gfs1 ~]# su - vdsm -s /bin/bash
>> > > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
>> > > total 8
>> > > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
>> > > -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
>> > > -bash-4.1$ exit
>> > > logout
>> > > [root at gfs1 ~]#
>> > >
>> > > But the strange thing is that the noipspoof hook is not displayed in the host hooks
>> > > window...
>> >
>> > --
>> > Mit freundlichen Grüßen / Regards
>> >
>> > Sven Kieske
>> >
>> > Systemadministrator
>> > Mittwald CM Service GmbH & Co. KG
>> > Königsberger Straße 6
>> > 32339 Espelkamp
>> > T: +49-5772-293-100
>> > F: +49-5772-293-333
>> > https://www.mittwald.de
>> > Geschäftsführer: Robert Meyer
>> > St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
>> > Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
>> > _______________________________________________
>> > Users mailing list
>> > Users at ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>
>
>
-------------- next part --------------
[root at gfs1 ~]# virsh -r dumpxml vm11
<domain type='kvm' id='23'>
  <name>vm11</name>
  <uuid>2cb5db55-5d20-4cd6-8a5b-d25654a1bfec</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memtune>
    <min_guarantee unit='KiB'>1048576</min_guarantee>
  </memtune>
  <vcpu placement='static' current='1'>160</vcpu>
  <cputune>
    <shares>1020</shares>
  </cputune>
  <sysinfo type='smbios'>
    <system>
      <entry name='manufacturer'>oVirt</entry>
      <entry name='product'>oVirt Node</entry>
      <entry name='version'>6-5.el6.centos.11.1</entry>
      <entry name='serial'>44454C4C-3500-104B-8051-B6C04F504E31</entry>
      <entry name='uuid'>2cb5db55-5d20-4cd6-8a5b-d25654a1bfec</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='rhel6.5.0'>hvm</type>
    <boot dev='hd'/>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Nehalem</model>
    <topology sockets='160' cores='1' threads='1'/>
  </cpu>
  <clock offset='variable' adjustment='0' basis='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source startupPolicy='optional'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <serial></serial>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/run/vdsm/payload/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.960e223e38b6c8931f2a8f1c2277e7f0.img' startupPolicy='optional'/>
      <target dev='hdd' bus='ide'/>
      <readonly/>
      <serial></serial>
      <alias name='ide0-1-1'/>
      <address type='drive' controller='0' bus='1' target='0' unit='1'/>
    </disk>
    <disk type='file' device='disk' snapshot='no'>
      <driver name='qemu' type='raw' cache='none' error_policy='stop' io='threads'/>
      <source file='/rhev/data-center/mnt/glusterSD/117.18.79.174:_vol2/e9180a4c-74e3-496a-b472-baa3c50d2cd2/images/ed8978ba-9c92-4b8a-b93f-3d66a9c0e7c9/fbc0a9a0-a92b-42e7-b80d-c4f645054a40'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='vda' bus='virtio'/>
      <serial>ed8978ba-9c92-4b8a-b93f-3d66a9c0e7c9</serial>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='00:1a:4a:81:80:01'/>
      <source bridge='private'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
      <link state='up'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channels/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.com.redhat.rhevm.vdsm'/>
      <target type='virtio' name='com.redhat.rhevm.vdsm'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channels/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5900' autoport='yes' listen='0' keymap='en-us' passwdValidTo='2014-06-27T08:53:22'>
      <listen type='address' address='0'/>
    </graphics>
    <video>
      <model type='cirrus' vram='32768' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='none'>
      <alias name='balloon0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c189,c389</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c189,c389</imagelabel>
  </seclabel>
</domain>

[root at gfs1 ~]#
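
Added example, not part of the original message or of VDSM: a Python check that reads `virsh dumpxml` output and reports, per interface, whether the `<filterref>` restricts the guest's source IP. It assumes an IP anti-spoofing hook would surface as a reference to one of libvirt's stock filters `no-ip-spoofing` or `clean-traffic`; the `vnet1` interface and its address in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# libvirt stock nwfilters that restrict a guest's source IP. Assumption: any
# site-specific filter that wraps them would have to be added to this set.
IP_FILTERS = {"no-ip-spoofing", "clean-traffic"}

# Constructed sample: the first interface is trimmed from the dump above, the
# second is hypothetical and shows a filterref with a pinned IP parameter.
SAMPLE = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <target dev='vnet0'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <target dev='vnet1'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.10'/>
      </filterref>
    </interface>
  </devices>
</domain>"""

def _attr(parent, tag, attr):
    """Attribute of a child element, or None when the child is absent."""
    child = parent.find(tag)
    return child.get(attr) if child is not None else None

def audit_interfaces(domain_xml):
    """Return one record per NIC with its filter, pinned IPs and a verdict."""
    records = []
    for nic in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        name = _attr(nic, "filterref", "filter")
        ips = [p.get("value") for p in nic.iterfind("filterref/parameter")
               if p.get("name") == "IP"]
        if name not in IP_FILTERS:
            verdict = "no-ip-filter"        # MAC-only filter or no filter
        elif not ips:
            verdict = "ip-filter-unpinned"  # libvirt must learn the guest IP
        else:
            verdict = "ip-filter-pinned"
        records.append({"dev": _attr(nic, "target", "dev"), "filter": name,
                        "ips": ips, "verdict": verdict})
    return records

if __name__ == "__main__":
    print(*audit_interfaces(SAMPLE), sep="\n")
```

For the interface in the dump above (`vnet0`, filter `vdsm-no-mac-spoofing`) the verdict is `no-ip-filter`.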

