[ovirt-users] Ip spoofing
Punit Dambiwal
hypunit at gmail.com
Fri Jun 27 09:07:56 UTC 2014
Hi Dan,
Still the same....VM can spoof the ip address...attached is the VM domain
xml file....
On Thu, Jun 26, 2014 at 5:30 PM, Punit Dambiwal <hypunit at gmail.com> wrote:
> Hi Sven,
>
> I already gave the sudo user permission to the VDSM user...
>
> Yes..after VDSM restart I can see this hook in the host tab....I will test it
> again and update you guys if it is still not solved....
>
>
> On Thu, Jun 26, 2014 at 4:03 PM, Antoni Segura Puimedon <
> asegurap at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Sven Kieske" <S.Kieske at mittwald.de>
>> > To: users at ovirt.org
>> > Sent: Thursday, June 26, 2014 9:12:31 AM
>> > Subject: Re: [ovirt-users] Ip spoofing
>> >
>> > Well this is strange, and this should not be the reason
>> > but can you attach a ".py" ending to the file names (maybe vdsm performs
>> > some strange checks)?
>>
>> We do not ;-)
>>
>> > your permissions look good.
>> > the only other thing I can think of are selinux
>> > restrictions, can you check them with:
>> > #this gives you the actual used selinux security level:
>> > getenforce
>>
>> That could be it
>>
>> > #this gives you the selinux attributes for the folder:
>> > ls -lZ /usr/libexec/vdsm/hooks/before_device_create
>> >
>> > I first thought it might be related to vdsm's sudoers
>> > rights but a plain python script should be executed
>> > without modification to the sudoers config.
>> >
>> > HTH
>> >
>> > On 26.06.2014 06:22, Punit Dambiwal wrote:
>> > > Hi Dan,
>> > >
>> > > The permission looks ok...
>> > >
>> > >
>> > > [root@gfs1 ~]# su - vdsm -s /bin/bash
>> > > -bash-4.1$ ls -l /usr/libexec/vdsm/hooks/before_device_create
>> > > total 8
>> > > -rwxr-xr-x. 1 root root 1702 Jun 10 05:25 50_macspoof
>> > > -rwxr-xr-x. 1 root root 2490 Jun 23 17:47 50_noipspoof
>> > > -bash-4.1$ exit
>> > > logout
>> > > [root@gfs1 ~]#
>> > >
>> > > But the strange thing is that the noipspoof hook is not displayed in the
>> > > host hooks window....
>> >
>> > --
>> > Kind regards
>> >
>> > Sven Kieske
>> >
>> > System administrator
>> > Mittwald CM Service GmbH & Co. KG
>> > Königsberger Straße 6
>> > 32339 Espelkamp
>> > T: +49-5772-293-100
>> > F: +49-5772-293-333
>> > https://www.mittwald.de
>> > Managing director: Robert Meyer
>> > Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
>> > General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
>> > _______________________________________________
>> > Users mailing list
>> > Users at ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>
>
>
-------------- next part --------------
[root@gfs1 ~]# virsh -r dumpxml vm11
<domain type='kvm' id='23'>
  <name>vm11</name>
  <uuid>2cb5db55-5d20-4cd6-8a5b-d25654a1bfec</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memtune>
    <min_guarantee unit='KiB'>1048576</min_guarantee>
  </memtune>
  <vcpu placement='static' current='1'>160</vcpu>
  <cputune>
    <shares>1020</shares>
  </cputune>
  <sysinfo type='smbios'>
    <system>
      <entry name='manufacturer'>oVirt</entry>
      <entry name='product'>oVirt Node</entry>
      <entry name='version'>6-5.el6.centos.11.1</entry>
      <entry name='serial'>44454C4C-3500-104B-8051-B6C04F504E31</entry>
      <entry name='uuid'>2cb5db55-5d20-4cd6-8a5b-d25654a1bfec</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='rhel6.5.0'>hvm</type>
    <boot dev='hd'/>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Nehalem</model>
    <topology sockets='160' cores='1' threads='1'/>
  </cpu>
  <clock offset='variable' adjustment='0' basis='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source startupPolicy='optional'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <serial></serial>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/run/vdsm/payload/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.960e223e38b6c8931f2a8f1c2277e7f0.img' startupPolicy='optional'/>
      <target dev='hdd' bus='ide'/>
      <readonly/>
      <serial></serial>
      <alias name='ide0-1-1'/>
      <address type='drive' controller='0' bus='1' target='0' unit='1'/>
    </disk>
    <disk type='file' device='disk' snapshot='no'>
      <driver name='qemu' type='raw' cache='none' error_policy='stop' io='threads'/>
      <source file='/rhev/data-center/mnt/glusterSD/117.18.79.174:_vol2/e9180a4c-74e3-496a-b472-baa3c50d2cd2/images/ed8978ba-9c92-4b8a-b93f-3d66a9c0e7c9/fbc0a9a0-a92b-42e7-b80d-c4f645054a40'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='vda' bus='virtio'/>
      <serial>ed8978ba-9c92-4b8a-b93f-3d66a9c0e7c9</serial>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='00:1a:4a:81:80:01'/>
      <source bridge='private'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
      <link state='up'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channels/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.com.redhat.rhevm.vdsm'/>
      <target type='virtio' name='com.redhat.rhevm.vdsm'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channels/2cb5db55-5d20-4cd6-8a5b-d25654a1bfec.org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5900' autoport='yes' listen='0' keymap='en-us' passwdValidTo='2014-06-27T08:53:22'>
      <listen type='address' address='0'/>
    </graphics>
    <video>
      <model type='cirrus' vram='32768' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='none'>
      <alias name='balloon0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c189,c389</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c189,c389</imagelabel>
  </seclabel>
</domain>
[root@gfs1 ~]#
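
Added example, not part of the original message and not VDSM or hook code: a check that reads a `virsh dumpxml` result and reports, per NIC, which nwfilters are referenced and whether one that restricts the source IP is among them. The function name, the `IP_FILTERS` set and the trimmed sample are assumptions of this example; run against the interface in the dump above, it shows that only `vdsm-no-mac-spoofing` is attached.

```python
import xml.etree.ElementTree as ET

# Assumption of this example: these libvirt stock filters are the ones that
# restrict a guest's source IP (clean-traffic chains no-ip-spoofing).
IP_FILTERS = {"clean-traffic", "no-ip-spoofing"}

# Constructed sample: the <interface> element from the dump above, wrapped in
# a minimal <domain> so that it parses on its own.
SAMPLE = """
<domain type='kvm'>
  <name>vm11</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:81:80:01'/>
      <source bridge='private'/>
      <target dev='vnet0'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
  </devices>
</domain>
"""


def audit_interfaces(domain_xml):
    """Return one dict per NIC: filters, pinned IPs, IP-filter verdict."""
    report = []
    root = ET.fromstring(domain_xml)
    for nic in root.findall("./devices/interface"):
        filters, ips = [], []
        for ref in nic.findall("filterref"):
            filters.append(ref.get("filter"))
            # An explicit IP parameter pins the address the filter allows.
            ips += [p.get("value") for p in ref.findall("parameter")
                    if p.get("name") == "IP"]
        target, mac = nic.find("target"), nic.find("mac")
        report.append({
            "dev": target.get("dev") if target is not None else None,
            "mac": mac.get("address") if mac is not None else None,
            "filters": filters,
            "pinned_ips": ips,
            "ip_filtered": bool(IP_FILTERS & set(filters)),
        })
    return report


if __name__ == "__main__":
    for nic in audit_interfaces(SAMPLE):
        state = "IP filter attached" if nic["ip_filtered"] else "NO IP filter"
        print(nic["dev"], nic["mac"], nic["filters"], nic["pinned_ips"], state)
```

An interface that references `clean-traffic` without an `IP` parameter relies on libvirt learning the guest's address from its traffic, so `pinned_ips` is worth checking alongside `ip_filtered`.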