HP-UX vPars and Integrity VM V6.1.5 Administrator Guide (5900-2295, April 2013)

11.5 Creating guest administrators and operators
Integrity VM provides secure access to guest machine consoles. When you create the virtual
machine, you can specify groups and user accounts to have administration or operator privileges
on that guest. These users are allowed to log in to the VSP under their own user accounts and to
use the hpvmconsole command to perform system administration tasks on the guest virtual
machine.
A captive virtual console account is a special-purpose user account created on the VSP for each
guest administrator or operator. These user accounts use /opt/hpvm/bin/hpvmconsole as their
login shell and the desired guest's per-guest directory as their home directory. For virtual console
access, the account also requires a password and access to its associated guest.
Before you create the virtual machine, use the useradd command to create user accounts for
virtual console access. For example, the following command adds the user account testme1:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
    -c "Console access to guest 'testme'" \
    -d /var/opt/hpvm/guests/testme \
    testme1
Do not use the hpvmsys group for user accounts. This group is used for security isolation between
components of Integrity VM.
These console users are specified as either admin (guest administrators) or oper (guest
operators). Guest operators can access the virtual machine console, shut down and reboot the
guest, display system status, transfer control to another guest operator or administrator, and set
system identification. The guest administrator has all these capabilities, as well as the ability to use
the virtual console say commands (restricted to use by HP field support specialists).
You can specify guest administrators and operators using the hpvmcreate, hpvmmodify,
hpvmmigrate, and hpvmclone commands. To assign administrator and operator privileges to
a user group, include the -g option. To assign administrator and operator privileges to a specific
user, use the -u option.
NOTE: Console users cannot use the su command to change from one privilege level to another.
Per-user checks are based on login account identifiers, not on UUIDs.
The following command creates the virtual machine named testme with the administrator named
testme1:
# hpvmcreate -P testme -u testme1:admin
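The rules above (hpvmconsole as the login shell, a per-guest home directory under /var/opt/hpvm/guests, never the hpvmsys group, and a login name short enough to double as a guest name) are easy to get wrong when accounts are added by hand. The following audit script is an added example and not part of the HP guide; it checks /etc/passwd-style entries against those rules using a constructed sample of passwd and group lines, so it runs without a VSP. On a real system you would feed it the output of `cat /etc/passwd` and `cat /etc/group` instead of the sample strings.

```shell
#!/bin/sh
# Audit captive virtual console accounts on a VSP (added example, not HP's code).
# Assumes the conventions stated in this section: login shell is hpvmconsole,
# home is the guest's per-guest directory, and no console account is in hpvmsys.

HPVM_SHELL=/opt/hpvm/bin/hpvmconsole
GUEST_ROOT=/var/opt/hpvm/guests

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
testme1:x:101:20:Console access to guest testme:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
host1:x:102:20:host1 console:/var/opt/hpvm/guests/host1:/opt/hpvm/bin/hpvmconsole
badacct:x:103:115:wrong group:/var/opt/hpvm/guests/host2:/opt/hpvm/bin/hpvmconsole
toolongname1:x:104:20:name too long:/var/opt/hpvm/guests/toolongname1:/opt/hpvm/bin/hpvmconsole
alice:x:105:20:normal user:/home/alice:/usr/bin/ksh'
SAMPLE_GROUP='users:x:20:
hpvmsys:x:115:'

# gid_of_group NAME GROUPDATA: print the numeric gid of NAME, or nothing.
gid_of_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# console_accounts PASSWDDATA: print every login whose shell is hpvmconsole.
console_accounts() {
    printf '%s\n' "$1" | awk -F: -v sh="$HPVM_SHELL" '$7 == sh { print $1 }'
}

# check_console_account NAME PASSWDDATA GROUPDATA
# Return 0 if NAME follows the captive-account rules; otherwise print each
# violation and return 1.
check_console_account() {
    name=$1; passwd=$2; group=$3
    line=$(printf '%s\n' "$passwd" | awk -F: -v n="$name" '$1 == n')
    [ -n "$line" ] || { echo "$name: no such account"; return 1; }
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    rc=0
    [ "$shell" = "$HPVM_SHELL" ] ||
        { echo "$name: shell is $shell, expected $HPVM_SHELL"; rc=1; }
    case "$home" in
        "$GUEST_ROOT"/*) ;;
        *) echo "$name: home $home is not a per-guest directory under $GUEST_ROOT"; rc=1 ;;
    esac
    # hpvmsys is reserved for isolation between Integrity VM components.
    [ "$gid" != "$(gid_of_group hpvmsys "$group")" ] ||
        { echo "$name: primary group is hpvmsys"; rc=1; }
    # A login that must also serve as the guest name is limited to 8 characters.
    [ "${#name}" -le 8 ] ||
        { echo "$name: login is longer than 8 characters"; rc=1; }
    return $rc
}

# Walk every hpvmconsole account in the sample and report its status.
for acct in $(console_accounts "$SAMPLE_PASSWD"); do
    if check_console_account "$acct" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
        echo "$acct: ok"
    fi
done
```

The script deliberately reads whole passwd and group strings rather than calling useradd or hpvmcreate, so it can be run as a read-only check before and after account changes; it flags badacct (hpvmsys group) and toolongname1 (login too long) while accepting testme1 and host1.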
Guest operators and administrators need access to the hpvmconsole command to control the
virtual machine. If you do not want the same users to have access to the VSP, you can restrict use
of the hpvmconsole command to guest console access only by creating a restricted account for
that purpose. To do so, follow these steps:
1. Using the useradd command, set up an /etc/passwd entry for each guest on the VSP. The
user name of the account must be the same as the guest name and must have no more than
8 characters. For example:
# useradd -d /var/opt/hpvm/guests/host1 \
    -c 'host1 console' -s /opt/hpvm/bin/hpvmconsole host1
This example uses the following options:
The -d option specifies the home directory for the host1 account.
The -c option specifies a comment text string that describes the account.
The -s option specifies the path for the shell of the new account.
2. Use the passwd command to set a password for the account. For example: