XEN-Console: Control your domU via SSH
When running a XEN domain (domU) for others, one might want to give them the possibility to stop and start their domain as well as access its console. To achieve this however, root access is needed on the dom0 system - this might be a security risk when coupled with a complex system like a web interface.
XEN-Console is a simple bash script that acts as a login shell for users assigned to the domU: Simply create a normal user account for each domU owner. After logging in, a simple menu interface allows the control of the domain.
- display the domU status
- stop the domain
- (re)start the domain
- access the system console
- change the user password
To facilitate these things, the script elevates its privileges through the use of sudo.
How to set it up
At first, copy the script itself to your system, e.g. to /usr/local/sbin. The script derives the name of the domU to be controlled either from a command line argument or its own filename, so create a symlink:
ln -s /usr/local/sbin/xen-console.sh /usr/local/sbin/xc-dombox
Executing the program using the symlink will instruct it to take control of the domU called
dombox, so we can use it as a login shell for our user we are now about to create.
After creating the account (e.g. called
dom), set its login shell to our symlink:
chsh -s /usr/local/sbin/xc-dombox dom
The user should now be able to login via SSH and get to the menu system; but he has still not the privileges to change anything about his domU. This is why we have to add a few lines to /etc/sudoers. Use
visudo whenever possible since that commands does some syntax checks before enabling the new configuration.
# request status information dom dom0server.example.com = /usr/sbin/xm list # access console dom dom0server.example.com = /usr/sbin/xm console dombox # start domU dom dom0server.example.com = /usr/sbin/xm create dombox.cfg # stop domU dom dom0server.example.com = /usr/sbin/xm shutdown dombox