HP vPars and Integrity Virtual Machines V6.1 Administrator Guide

9.3.1.2 Creating vPar/VM administrator and operator accounts
In prior versions of Integrity VM, admin console access was available, and one such account per
guest was allowed. The administrator account name had to match the guest name. The new version of
vPars and Integrity VM provides proper access controls and individual accountability for these
accounts.
A captive virtual console account is a special-purpose user account created on the VSP for each
guest administrator. These types of user accounts use /opt/hpvm/bin/hpvmconsole for a
shell, and the desired guest's per-guest directory for a home directory. For virtual console access,
the account also requires a password, and access to its associated guest. You create this account
with the hpvmcreate, hpvmclone, or hpvmmodify command. You can establish group
membership of the account using the -g option to those commands, or user membership, using
the -u option to those commands.
NOTE: Do not use the hpvmsys group for user accounts. This group is used for security isolation
between components of vPars and Integrity VM.
The HP-UX useradd command might not work as expected. To create user accounts for virtual
console access, use the useradd command before you create the virtual machine. Alternatively,
specify the user account directory completely in the /etc/passwd file, ensuring the entry is unique.
In the following example, the useradd command is used to create three user accounts on the VSP
system (testme1, testme2, and testme3):
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme2
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme3
The following command creates the virtual machine named testme:
# hpvmcreate -P testme -u testme1:admin -u testme2 -u testme3:oper
At this point, users testme2 and testme3 both have oper level access to the virtual console,
and user testme1 has admin level access. In order to make these accounts usable, set passwords
for them, as follows:
# passwd testme1
...
# passwd testme2
...
# passwd testme3
...
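The account properties this section describes (hpvmconsole as the shell, the per-guest directory as the home directory, no membership in hpvmsys) can be checked after the accounts exist. The following audit is an added example, not part of the HP guide; the function names, status labels, and sample passwd and group entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not taken from a real VSP).
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
testme1:x:201:20:Console access to guest testme:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
testme2:x:202:20:Console access to guest testme:/var/opt/hpvm/guests/testme/.:/opt/hpvm/bin/hpvmconsole
badhome:x:203:20:Console access to guest testme:/home/badhome:/opt/hpvm/bin/hpvmconsole
badgrp:x:204:110:Console access to guest testme:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
badmem:x:205:20:Console access to guest other:/var/opt/hpvm/guests/other:/opt/hpvm/bin/hpvmconsole'
SAMPLE_GROUP='users::20:root
hpvmsys::110:badmem'

# audit_console_accounts PASSWD_FILE GROUP_FILE (hypothetical helper)
# Prints "<user> <status>" for every account whose shell is hpvmconsole.
audit_console_accounts() {
    awk -F: -v shell=/opt/hpvm/bin/hpvmconsole -v base=/var/opt/hpvm/guests/ '
        # Group file: remember the hpvmsys GID and its listed members.
        FILENAME == ARGV[1] {
            if ($1 == "hpvmsys") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # Passwd file: only captive console accounts are of interest.
        $7 != shell { next }
        {
            status = "OK"
            # Home must sit below the per-guest base (a trailing "/." is fine,
            # a ".." component is not). hpvmsys is reserved for isolation.
            if (index($6, base) != 1 || $6 == base || index($6, "/..") > 0) {
                status = "HOME_NOT_GUEST_DIR"
            } else if ((gid != "" && $4 == gid) || ($1 in member)) {
                status = "IN_HPVMSYS"
            }
            print $1, status
        }' "$2" "$1"
}

# Runs the audit over the constructed sample data above.
run_sample() {
    tmp=${TMPDIR:-/tmp}/hpvmaudit.$$
    mkdir "$tmp" || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    audit_console_accounts "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}
run_sample   # on a VSP: audit_console_accounts /etc/passwd /etc/group
```

Any account reported with a status other than OK uses the console shell but does not match the layout described above and should be reviewed.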
Because of the way the useradd command works, an attempt to create an additional account
might result in an error. For example, the following command attempts and fails to add the testme4
user account:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme \
> testme4
'/var/opt/hpvm/guests/testme' is not a valid directory
To enter the command correctly, include the entire directory path. For example:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme/. \