Introduction to sVirt:
"The sVirt project is a community effort to integrate Mandatory Access Control (MAC) security with Linux-based virtualization (KVM)."
"It builds on SELinux to provide an infrastructure that lets administrators define virtual machine isolation policies.
Out of the box, sVirt ensures that a virtual machine's resources cannot be accessed by any other process (or virtual machine);
a sysadmin can extend this to define fine-grained permissions, for example grouping virtual machines together so that they share resources."
"sVirt ensures that a virtual machine in which something goes wrong cannot affect the host operating system."
"sVirt = SELinux policy + libvirt driver"
Trying sVirt on a system:
The tests were run with SELinux in enforcing mode:
[root@localhost ceph]# getenforce
Enforcing
[root@svirt img]# ll -aZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
-rw-r--r--. root root system_u:object_r:usr_t:s0 testforsvirt.img
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt_rbd.xml
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt.xml
Start the VM:
[root@svirt img]# virsh start TestForSVirt
Domain TestForSVirt started
The security context of testforsvirt.img has changed: the image is now owned by qemu and labelled svirt_image_t with the categories c49,c668, the same pair carried by the svirt_t label of the qemu-kvm process, while libvirtd itself runs as virtd_t:
[root@svirt img]# ll -aZ
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 1
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c49,c668 testforsvirt.img
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt_rbd.xml
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt.xml
[root@svirt img]# ps -eZ |grep qemu-kvm
system_u:system_r:svirt_t:s0:c49,c668 25074 ? 00:00:11 qemu-kvm
[root@svirt img]# ps -eZ |grep libvirt
system_u:system_r:virtd_t:s0-s0:c0.c1023 24402 ? 00:00:00 libvirtd
Trying sVirt and libvirt on a Ceph RBD volume:
[root@localhost ceph]# getenforce
Enforcing
[root@localhost ceph]# service ceph -a start
=== mon.a ===
Starting ceph mon.a on svirt...
=== mds.a ===
Starting ceph mds.a on svirt...
starting mds.a at :/0
=== osd.0 ===
Mounting xfs on svirt:/data/osd.0
create-or-move updated item id 0 name 'osd.0' weight 1.82 at location {host=svirt,root=default} to crush map
Starting ceph osd.0 on svirt...
starting osd.0 at :/0 osd_data /data/osd.0 /data/osd.0/journal
=== osd.1 ===
Mounting xfs on svirt:/data/osd.1
create-or-move updated item id 1 name 'osd.1' weight 1.82 at location {host=svirt,root=default} to crush map
Starting ceph osd.1 on svirt...
starting osd.1 at :/0 osd_data /data/osd.1 /data/osd.1/journal
=== osd.2 ===
Mounting xfs on svirt:/data/osd.2
create-or-move updated item id 2 name 'osd.2' weight 1.82 at location {host=svirt,root=default} to crush map
Starting ceph osd.2 on svirt...
starting osd.2 at :/0 osd_data /data/osd.2 /data/osd.2/journal
[root@localhost ceph]# ceph osd tree
# id    weight  type name       up/down reweight
-1      3       root default
-3      3               rack unknownrack
-2      3                       host svirt
0       1                               osd.0   up      1
1       1                               osd.1   up      1
2       1                               osd.2   up      1
Test with Ceph RBD block storage: import the image into the rbd pool and list it.
[root@localhost ceph]# rbd import /opt/img/testforsvirt.img
[root@localhost img]# rbd ls
testforsvirt.img
Starting the RBD-backed domain fails with the following error:
[root@localhost audit]# virsh start TestForSVirt_RBD
error: Failed to start domain TestForSVirt_RBD
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/6
qemu-kvm: -drive file=rbd:rbd/testforsvirt.img:auth_supported=none,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image rbd:rbd/testforsvirt.img:auth_supported=none: No such file or directory
The domain was started with auth_supported=none, so libvirt now has to be set up to authenticate to Ceph (cephx).
Create the Ceph user that libvirt will use to access the cluster:
[root@svirt img]# ceph auth get-or-create client.libvirt mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=rbd'
[client.libvirt]
        key = AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==
Retrieve libvirt's key and capabilities:
ceph auth list
client.libvirt
        key: AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==
        caps: [mon] allow r
        caps: [osd] allow class-read object_prefix rbd_children, allow rwx pool=rbd
Write a secret.xml whose usage type is 'ceph':
[root@svirt img]# cat secret.xml
<secret ephemeral='no' private='no'>
  <usage type='ceph'>
    <name>client.libvirt secret</name>
  </usage>
</secret>
Define the secret; this generates its UUID.
[root@svirt img]# virsh secret-define --file secret.xml
Secret 9a9126ef-1402-7708-2931-91bbf8218a38 created
Write libvirt's key to the file client.libvirt.key:
[root@svirt img]# cat client.libvirt.key
AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==
Set the secret value with virsh, then remove the plaintext key file and secret.xml.
[root@svirt img]# virsh secret-set-value --secret 9a9126ef-1402-7708-2931-91bbf8218a38 --base64 $(cat client.libvirt.key) && rm client.libvirt.key secret.xml
Secret value set

rm: remove regular file `client.libvirt.key'? y
rm: remove regular file `secret.xml'? y
Add the following to the disk definition in testforsvirt_rbd.xml, then start the domain:
<auth username='libvirt'>
  <secret type='ceph' uuid='9a9126ef-1402-7708-2931-91bbf8218a38'/>
</auth>
[root@svirt img]# virsh start TestForSVirt_RBD
Domain TestForSVirt_RBD started
Check the security contexts. Each guest's qemu-kvm process runs as svirt_t with its own category pair (c394,c871 for TestForSVirt_RBD, c49,c668 for TestForSVirt); note that the RBD guest's command line carries the cephx key in clear, so it is visible to anyone who can read the process list:
[root@svirt img]# ps -eZ |grep qemu-kvm
system_u:system_r:svirt_t:s0:c394,c871 12668 ? 00:00:25 qemu-kvm
system_u:system_r:svirt_t:s0:c49,c668 25074 ? 00:00:28 qemu-kvm
[root@svirt img]# ps -eZf |grep qemu-kvm
system_u:system_r:svirt_t:s0:c394,c871 qemu 12668 1 99 07:34 ? 00:00:35 /usr/libexec/qemu-kvm -name TestForSVirt_RBD -S -M rhel5.4.0 -enable-kvm -m 1024 -realtime mlock=off -smp 3,sockets=3,cores=1,threads=1 -uuid 866a86ea-4a0c-9537-c51a-897ecf7724dc -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/TestForSVirt_RBD.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -no-acpi -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=rbd:rbd/testforsvirt.img:id=libvirt:key=AQDiZDFTQCv4ABAAw9JIhjomuDaDnciDvb4hmA==:auth_supported=cephx\;none:mon_host=192.168.8.39\:6789,if=none,id=drive-ide0-0-0,format=raw,cache=writeback -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:aa:8a:f1,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 0.0.0.0:2,password -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 12747 9520 0 07:35 pts/0 00:00:00 grep qemu-kvm
system_u:system_r:svirt_t:s0:c49,c668 qemu 25074 1 0 05:04 ? 00:00:28 /usr/libexec/qemu-kvm -name TestForSVirt -S -M rhel5.4.0 -enable-kvm -m 1024 -realtime mlock=off -smp 3,sockets=3,cores=1,threads=1 -uuid 281f8d42-ecef-f890-919c-2534ef54ea96 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/TestForSVirt.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -no-acpi -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/opt/img/testforsvirt.img,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=54:52:00:aa:8a:f1,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 0.0.0.0:0,password -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
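The label changes shown above (testforsvirt.img relabelled to svirt_image_t, and each qemu-kvm process running as svirt_t with its own category pair) are the property sVirt's isolation rests on. As an added check that is not part of the original notes, the Python below parses listings in the shape of the `ps -eZ` and `ll -Z` output, maps every svirt_image_t file to the running guest that owns its categories, and flags two guests sharing a pair or an image no guest owns; the sample listings are constructed to mirror the two guests on this page.

```python
# Constructed sample data, shaped like the page's `ps -eZ` and `ll -Z` listings
PS_EZ = """\
system_u:system_r:svirt_t:s0:c394,c871 12668 ? 00:00:25 qemu-kvm
system_u:system_r:svirt_t:s0:c49,c668 25074 ? 00:00:28 qemu-kvm
system_u:system_r:virtd_t:s0-s0:c0.c1023 24402 ? 00:00:00 libvirtd
"""
LS_Z = """\
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c49,c668 testforsvirt.img
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c394,c871 testforsvirt_rbd.img
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0 testforsvirt.xml
"""

def parse_context(ctx):
    """Split 'user:role:type:level' into (type, MCS categories).
    Only a single level such as s0:c49,c668 yields a category set; a range
    such as s0-s0:c0.c1023 (libvirtd, unconfined shells) yields None."""
    _user, _role, typ, level = ctx.split(":", 3)
    if "-" in level or "." in level:
        return typ, None
    cats = frozenset(level.split(":")[1].split(",")) if ":" in level else frozenset()
    return typ, cats

def labelled(text, ctx_col, name_col, want_type):
    """name -> category set for rows whose context column has the wanted type."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > max(ctx_col, name_col):
            typ, cats = parse_context(fields[ctx_col])
            if typ == want_type and cats:
                out[fields[name_col]] = cats
    return out

def check_isolation(ps_text, ls_text):
    """Return (image -> owning pid, findings). A finding is either two guests
    sharing one category pair (isolation broken) or an image whose categories
    match no running guest (stale label, or the guest is stopped)."""
    by_cats, findings, mapping = {}, [], {}
    for pid, cats in labelled(ps_text, 0, 1, "svirt_t").items():
        if cats in by_cats:
            findings.append("categories %s shared by pids %d and %d" % (sorted(cats), by_cats[cats], int(pid)))
        by_cats[cats] = int(pid)
    for img, cats in labelled(ls_text, 3, 4, "svirt_image_t").items():
        if cats in by_cats:
            mapping[img] = by_cats[cats]
        else:
            findings.append("%s labelled %s but no running guest owns it" % (img, sorted(cats)))
    return mapping, findings
```

On a real host, feed it the live output of `ps -eZ` and `ls -Z /var/lib/libvirt/images` (or wherever the images live); an empty findings list means every image is reachable by exactly one confined guest.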
Audit log:
type=AVC msg=audit(1395737328.996:439): avc: denied { setsched } for pid=6168 comm="qemu-kvm"
type=SYSCALL msg=audit(1395737328.996:439): comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:svirt_t:s0:c378,c802
type=SYSCALL msg=audit(1395737329.011:440): comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:svirt_t:s0:c378,c802
type=VIRT_RESOURCE msg=audit(1395737329.122:441): user pid=6957 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="TestForSVirt_RBD" uuid=faf9d80e-0758-fd97-e4c7-24a06c611c9b … old-disk="?" new-disk="rbd/testforsvirt.img" exe="/usr/sbin/libvirtd" old-net=? new-net=54:52:00:AA:8A:F1 exe="/usr/sbin/libvirtd" old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" old-vcpu=0 new-vcpu=3 exe="/usr/sbin/libvirtd" vm-pid=-1 exe="/usr/sbin/libvirtd"
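The audit excerpt above mixes two kinds of records worth watching on an sVirt host: AVC denials raised against a confined guest (svirt_t), whose subject context sits in the SYSCALL record with the same serial, and VIRT_RESOURCE events in which libvirtd records which resource it handed to which guest. The Python below, an added example rather than anything from the original notes, parses records of that shape and joins AVC and SYSCALL by serial; the sample log is constructed, and the scontext/tcontext/tclass fields on the AVC line are assumed to be present as auditd normally writes them.

```python
import re
# Constructed audit records in the shape of the page's audit.log excerpt; the
# scontext/tcontext/tclass fields on the AVC line are assumed (auditd's usual form)
AUDIT_LOG = """\
type=AVC msg=audit(1395737328.996:439): avc:  denied  { setsched } for  pid=6168 comm="qemu-kvm" scontext=unconfined_u:system_r:svirt_t:s0:c378,c802 tcontext=unconfined_u:system_r:svirt_t:s0:c378,c802 tclass=process
type=SYSCALL msg=audit(1395737328.996:439): comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:svirt_t:s0:c378,c802
type=VIRT_RESOURCE msg=audit(1395737329.122:441): user pid=6957 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="TestForSVirt_RBD" uuid=faf9d80e-0758-fd97-e4c7-24a06c611c9b old-disk="?" new-disk="rbd/testforsvirt.img" exe="/usr/sbin/libvirtd"'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r"""(\S+?)=('[^']*'|"[^"]*"|\S+)""")

def kv_pairs(text):
    """key=value pairs with 'single' or "double" quoting stripped from values."""
    return {k: v.strip("'\"") for k, v in KV.findall(text)}

def parse_record(line):
    """One audit record -> dict with type, time, serial and its fields, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    avc = re.search(r"avc: +(denied|granted) +\{ ([^}]*) \}", m.group(4))
    if avc:  # AVC lines carry the decision and permissions before the key=value pairs
        rec["decision"], rec["perms"] = avc.group(1), avc.group(2).split()
    rec.update(kv_pairs(m.group(4)))
    return rec

def guest_denials(log):
    """AVC denials against svirt_t, subject taken from the same-serial SYSCALL record."""
    recs = [r for r in map(parse_record, log.splitlines()) if r]
    syscalls = {r["serial"]: r for r in recs if r["type"] == "SYSCALL"}
    hits = []
    for r in recs:
        if r["type"] != "AVC" or r.get("decision") != "denied":
            continue
        subj = syscalls.get(r["serial"], {}).get("subj", r.get("scontext", ""))
        if ":svirt_t:" in subj:
            hits.append((r["serial"], r.get("comm"), r["perms"], subj))
    return hits

def guest_resources(log):
    """VIRT_RESOURCE events from libvirtd as (vm, resource, reason, new disk)."""
    out = []
    for r in filter(None, map(parse_record, log.splitlines())):
        if r["type"] == "VIRT_RESOURCE":
            inner = kv_pairs(r.get("msg", ""))  # the msg='...' value is itself key=value
            out.append((inner.get("vm"), inner.get("resrc"), inner.get("reason"), inner.get("new-disk")))
    return out
```

A setsched denial against svirt_t, as on this page, is the guest process itself being blocked by policy; the VIRT_RESOURCE join gives the guest name and disk to put beside it when triaging.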