XenServer Disable Root
-
@johnhooks said in XenServer Disable Root:
@travisdh1 said in XenServer Disable Root:
Why is the management interface even on the standard network instead of on a VLAN or dedicated management network?
Well it's on our server VLAN, but as I don't control the network I can't see what has access to what. Plus even if that's considered local console access, users created on the system have root access through that console. So if I log in as jhooks through XenCenter, I'm given the root console. So I can't hand off any access to anyone else to just control the VMs.
This seems weird to me. You're saying that XC gives any XS user full root if they are using XC, just because it's XC?
That would be like saying, let me hook up this TTY terminal to a serial port on the server, and then any user who logs into it has root, regardless of what username/password combo they use.
What am I missing/misunderstanding?
-
And we are back.
-
@Dashrender said in XenServer Disable Root:
This seems weird to me. You're saying that XC gives any XS user full root if they are using XC, just because it's XC?
Basically, yes. XC gives blanket console access. Console access = physical access FAIAP and physical access = root access. So, by extension.
-
@Dashrender said in XenServer Disable Root:
That would be like saying, let me hook up this TTY terminal to a serial port on the server, and then any user who logs into it has root, regardless of what username/password combo they use.
What am I missing/misunderstanding?
That if you do this they essentially can always root your box. But it is more than just the serial connection, it is ALSO the power switch, DVD drive, boot priorities, BIOS settings, etc.
-
Plus the ability to clone, copy, etc.
-
Sure I understand it's like standing in front of the box - though I'm not sure why EVERY SINGLE USER in XC gets that level of access - it is truly remote access after all, so why aren't there levels of granted access?
I do understand someone physically standing in front of a server can own it, can root it via booting into other tools, but assuming they can't boot to other tools, aren't allowed to boot it period - how do they get around the logon prompt to get root access?
If I have a linux box in front of me, assuming I'm not allowed to reboot it, how do I get root? all I have is my own personal non root logon name.. now what? Does console access itself somehow grant me some extra permission?
-
@Dashrender said in XenServer Disable Root:
Sure I understand it's like standing in front of the box - though I'm not sure why EVERY SINGLE USER in XC gets that level of access - it is truly remote access after all, so why aren't there levels of granted access?
Because it isn't a cloud platform. It's not meant for multiple users.
-
@Dashrender said in XenServer Disable Root:
If I have a linux box in front of me, assuming I'm not allowed to reboot it, how do I get root? all I have is my own personal non root logon name.. now what? Does console access itself somehow grant me some extra permission?
You can't. but with XC, you can reboot.
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
If I have a linux box in front of me, assuming I'm not allowed to reboot it, how do I get root? all I have is my own personal non root logon name.. now what? Does console access itself somehow grant me some extra permission?
You can't. but with XC, you can reboot.
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
-
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
I'm not really sure what John wanted these non admin to be able to do that they wouldn't have root in the first place.
-
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
Not that I ever tried, but I thought VMWare with Vsphere could allow these types of users, who could admin VMs, but not change the host itself, etc.
-
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
Both and neither. Those are hosted clouds and both do the same thing, more or less. So both are cloud and yes that's what I mean because they both do user provisioning as that is part of cloud. Neither grow or shrink really, so not sure what you mean there.
OpenStack is the obvious choice, bolts right on to Xen.
-
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
Not that I ever tried, but I thought VMWare with Vsphere could allow these types of users, who could admin VMs, but not change the host itself, etc.
They do, that's a feature there. But one that XO brings, too.
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
Both and neither. Those are hosted clouds and both do the same thing, more or less. So both are cloud and yes that's what I mean because they both do user provisioning as that is part of cloud. Neither grow or shrink really, so not sure what you mean there.
OpenStack is the obvious choice, bolts right on to Xen.
Yeah something like OpenStack (that's a real cloud computing, right?) the auto grow/shrink platform?
-
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
Just for general reference, I always mean the same thing when I say cloud
A cloud is a specific architectural design and I always mean it literally like that. That architecture requires user management to function. so while auto-provisioning isn't needed here, it just comes along for the ride. -
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
Both and neither. Those are hosted clouds and both do the same thing, more or less. So both are cloud and yes that's what I mean because they both do user provisioning as that is part of cloud. Neither grow or shrink really, so not sure what you mean there.
OpenStack is the obvious choice, bolts right on to Xen.
Yeah something like OpenStack (that's a real cloud computing, right?) the auto grow/shrink platform?
As real as it gets! But doesn't grow or shrink.
-
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
@scottalanmiller said in XenServer Disable Root:
@Dashrender said in XenServer Disable Root:
So what I'm asking - why can't you take rebooting away from an XC user? That seems like a highly short sited implementation.
Because XC doesn't have a user permissions system, plain and simple. XC isn't for that. XO is, OpenStack is. If you want that and you have XC, you've selected the wrong tool for the job,
AWWW - now the knowledge is coming forth.
So, pre XO, how were non admins suppose to be able to manage VMs on XS? or were they not?
They were not. Why would non-admins be using a system like this? If you wanted something like that why not run a cloud?
I'm not exactly sure what you mean by a cloud? You mean a real cloud like AWS? growing and shrinking as needed dynamically? or do you mean something like DO?
Both and neither. Those are hosted clouds and both do the same thing, more or less. So both are cloud and yes that's what I mean because they both do user provisioning as that is part of cloud. Neither grow or shrink really, so not sure what you mean there.
OpenStack is the obvious choice, bolts right on to Xen.
Yeah something like OpenStack (that's a real cloud computing, right?) the auto grow/shrink platform?
As real as it gets! But doesn't grow or shrink.
I thought that was one of the main gains in cloud computing - the ability to bring more resources online as needed, and then turn them off (stop paying for them) when you don't?
