[xen-tools] Re: Various potential modifications

C.J. Adams-Collier cjcollier at gmail.com
Tue Oct 2 18:40:46 CEST 2007


Sorry for chiming in late here.  I'd like to share my solution to the
following concern:

On 10/1/07, Jeff Forcier <jeff at bitprophet.org> wrote:
> Hi all, hi Steve, thanks as always :)
> 1. domU user accounts: an issue I mentioned to Steve a few weeks ago,
> which sparked the multiple-roles change (which is working fine,
> incidentally - thanks again for that) is the desire to specify system
> users at image create time. E.g. when creating a new domU, I might
> want to create N user accounts - using --accounts won't work as these
> accounts are unique per domU, and I'm not using xen-shell so I don't
> think --admins is applicable.

Creating these users for every domain is infeasible.  The way folks
handle the complexity of synchronizing many users on many systems
outside of Xen is to use a network authentication mechanism.  The one
I've found most suitable is a combination of LDAP and Kerberos.
Debian's distribution of the Heimdal Kerberos server has support for
storing principals (authentication tokens) in OpenLDAP.

I have not completed a role script for this yet, but maybe I'll offer it
as an example once I get things straightened out.

I'll sketch a basic idea.

Before creating the first domU, maybe during the installation of
xen-tools, the user would be prompted to configure some light-weight,
administrative virts with small footprints.  These virts would include
an LDAP/Kerberos server, a DNS server, an NFS server, and a firewall.
If these services already exist remotely, their hostnames could be
entered instead.

Rather than creating users on each virt individually, only an
administrative account would need to be configured.  A new step would
need to be added to the xen image creation pipeline, i.e., adding the
new host to the Kerberos server's principal list.

This is all a special case, however, and should probably not go into
the core of xen-tools.

Thoughts?

C.J.


-- 
moo.
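The extra pipeline step sketched above (registering the new host with the KDC before the image is first booted) could take the form of a xen-tools role script. The following is an added example, not code from this thread or from the xen-tools project. It assumes that xen-tools invokes role scripts with the mounted image path as the first argument and that the hostname has already been written to `<prefix>/etc/hostname`; that the KDC is Heimdal and is reachable through its local `kadmin -l` interface (so the script runs as root on the KDC host); and that `KADMIN`, `KRB5_REALM` and the realm `EXAMPLE.ORG` are placeholders introduced here, not xen-tools settings. Because the hostname ends up in a command run as root, the script validates it as a plain DNS name before use and refuses anything else.

```shell
#!/bin/sh
# Hypothetical xen-tools role script (added example, not project code):
# register a new domU as a Kerberos host principal on a Heimdal KDC and
# place the resulting keytab inside the freshly built image.
#
# Assumed calling convention: xen-tools runs role scripts as
#   <role-script> <prefix> [fqdn]
# where <prefix> is the mount point of the new domU filesystem.  When no
# fqdn is given, the hostname xen-tools already wrote to <prefix>/etc/hostname
# is used.  KADMIN and KRB5_REALM are assumed environment knobs so the script
# can be pointed at another admin tool or realm; the realm default below is a
# constructed placeholder.

KADMIN="${KADMIN:-kadmin}"
KRB5_REALM="${KRB5_REALM:-EXAMPLE.ORG}"

# Accept only a lowercase DNS FQDN (labels of [a-z0-9-], at least one dot).
# The name is interpolated into a command run as root on the KDC, so
# anything else (spaces, ';', '$', uppercase) is rejected, not passed through.
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$'
}

# Build the host principal name the domU will use for Kerberized SSH/NFS.
principal_for() {
    printf 'host/%s@%s\n' "$1" "$KRB5_REALM"
}

# add_host_principal <prefix> [fqdn]
add_host_principal() {
    prefix="$1"
    fqdn="${2:-$(cat "$prefix/etc/hostname" 2>/dev/null)}"

    if [ ! -d "$prefix/etc" ]; then
        echo "add_host_principal: $prefix does not look like a mounted image" >&2
        return 1
    fi
    if ! valid_fqdn "$fqdn"; then
        echo "add_host_principal: refusing invalid hostname '$fqdn'" >&2
        return 1
    fi

    princ="$(principal_for "$fqdn")"
    keytab="$prefix/etc/krb5.keytab"

    # Create the principal with a random key unless it already exists, so
    # rebuilding an image does not fail on the second run.  Heimdal's
    # "kadmin -l" opens the local KDC database directly and must run as root.
    if $KADMIN -l get "$princ" >/dev/null 2>&1; then
        echo "add_host_principal: $princ already exists, re-extracting keys" >&2
    else
        $KADMIN -l add --random-key --use-defaults "$princ" || return 1
    fi

    # ext_keytab copies the principal's current keys from the KDC database
    # into a keytab; write it straight into the image and keep it root-only.
    $KADMIN -l ext_keytab -k "$keytab" "$princ" || return 1
    chmod 600 "$keytab"
    echo "add_host_principal: installed keytab for $princ at $keytab"
}

# When invoked by xen-tools (with a prefix argument) do the work; when
# sourced or run without arguments, only define the functions above.
if [ "$#" -ge 1 ]; then
    add_host_principal "$@"
fi
```

The keytab is written while the image is still mounted on the dom0, so the domU boots with its host key already in place and the KDC never has to trust a request from a machine it has not seen yet; the LDAP side of the sketch (the account entries themselves) is unchanged by this step and is left out here.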