In prior versions of Integrity VM, only admin-level console access was available, and only one such account per guest
was allowed; the administrator account name had to match the guest name.
The new version of Integrity VM provides proper access controls and
individual accountability for these accounts.
A captive virtual console account is a special-purpose user
account created on the VM Host for each guest administrator. These
types of user accounts use /opt/hpvm/bin/hpvmconsole for a shell, and the desired guest's per-guest directory for
a home directory. For virtual console access, the account also requires
a password, and access to its associated guest. You create this account
with the hpvmcreate, hpvmclone, or hpvmmodify command. You can grant access
to a group with the -g option to those commands, or to an individual user
with the -u option to those commands.
NOTE: Do not use the hpvmsys group for user accounts. This group is used for security isolation between
components of Integrity VM.
The HP-UX useradd command might not work
as expected. To create user accounts for virtual console access, use
the useradd command before you create the virtual
machine. Alternatively, specify the user account directory completely
in the /etc/passwd file, ensuring the entry is
unique.
In the following example, the useradd command
is used to create three user accounts on the VM Host system (testme1, testme2, and testme3):
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme2
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme3
The following command creates the virtual machine named testme:
# hpvmcreate -P testme -u testme1:admin -u testme2 -u testme3:oper
At this point, users testme2 and testme3 both have oper-level access to the virtual console, and user testme1 has admin-level access. To make these accounts usable, set passwords
for them, as follows:
# passwd testme1
...
# passwd testme2
...
# passwd testme3
...
Because of the way the useradd command works,
an attempt to create an additional account might result in an error.
For example, the following command attempts and fails to add the testme4 user account:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme \
> testme4
'/var/opt/hpvm/guests/testme' is not a valid directory
To enter the command correctly, include the entire directory
path. For example:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme/. \
> testme4
# hpvmmodify -P testme -u testme4
# passwd testme4
Note the addition of the /. to the end of the argument to the -d option,
which ensures there is no confusion with HP-UX shared home directories.
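As an added example (not from the HP documentation), the following POSIX shell audit checks a passwd-format and a group-format file against the two rules stated above: accounts whose shell is /opt/hpvm/bin/hpvmconsole must have a per-guest home directory (with or without the trailing /.), and no account may belong to hpvmsys. The file paths and the sample entries are constructed for the demonstration.

```shell
#!/bin/sh
# Audit captive virtual console accounts on a VM Host (assumed input: a
# passwd-format file and a group-format file passed as arguments).
# Rules checked, from the text above:
#   1. an account whose shell is /opt/hpvm/bin/hpvmconsole must have its home
#      under /var/opt/hpvm/guests/<guest> (a trailing "/." is accepted)
#   2. no account may have hpvmsys as its primary or supplementary group
# Prints one "user: reason" line per finding; exit status = number of findings.
audit_console_accounts() {
    passwd_file=$1
    group_file=$2
    # gid of hpvmsys and its comma-separated supplementary member list
    sys_gid=$(awk -F: '$1 == "hpvmsys" { print $3 }' "$group_file")
    sys_members=$(awk -F: '$1 == "hpvmsys" { print $4 }' "$group_file")
    awk -F: -v sysgid="$sys_gid" -v members=",$sys_members," '
        $7 == "/opt/hpvm/bin/hpvmconsole" &&
        $6 !~ "^/var/opt/hpvm/guests/[^/]+(/\\.)?$" {
            print $1 ": hpvmconsole shell but home " $6 " is not a per-guest directory"
            n++
        }
        sysgid != "" && $4 == sysgid { print $1 ": primary group is hpvmsys"; n++ }
        index(members, "," $1 ",") > 0 { print $1 ": supplementary member of hpvmsys"; n++ }
        END { exit n + 0 }
    ' "$passwd_file"
}

# Run the audit against constructed sample files (not from a real host):
# "stray" has a shared home, "badgrp" is in hpvmsys by gid, "alice" by membership.
demo_audit() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/passwd" <<'EOF'
testme1:x:501:20:Console access to guest 'testme':/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
testme4:x:502:20:Console access to guest 'testme':/var/opt/hpvm/guests/testme/.:/opt/hpvm/bin/hpvmconsole
stray:x:503:20:console account with a shared home:/home/stray:/opt/hpvm/bin/hpvmconsole
badgrp:x:504:300:console account in hpvmsys:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
alice:x:505:20:ordinary login:/home/alice:/usr/bin/sh
EOF
    cat > "$demo_dir/group" <<'EOF'
users::20:
hpvmsys::300:alice
EOF
    audit_console_accounts "$demo_dir/passwd" "$demo_dir/group"
    rc=$?
    rm -rf "$demo_dir"
    return $rc
}

demo_audit || echo "findings: $?"
```

On a real VM Host, run audit_console_accounts against /etc/passwd and /etc/group; a non-zero exit status means at least one console account deviates from the layout this section describes.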