In prior versions of Integrity VM, only admin console access was available, only one
such account per guest was allowed, and the administrator account name
had to match the guest name. The new version of Integrity VM provides
proper access controls and individual accountability for these accounts.
A captive virtual console account is a special-purpose
user account created on the VM Host for each guest administrator.
These types of user accounts use /opt/hpvm/bin/hpvmconsole for a shell, and the desired guest's per-guest directory for
a home directory. For virtual console access, the account also requires
a password, and access to its associated guest. You create this account
with the hpvmcreate, hpvmclone, or hpvmmodify command. You can establish group
membership of the account using the -g option to
those commands, or user membership, using the -u option
to those commands.
NOTE: Do not use the hpvmsys group for user accounts. This group is used for security isolation
between components of Integrity VM.
The HP-UX useradd command might
not work as expected. To create user accounts for virtual console
access, use the useradd command before you create
the virtual machine. Alternatively, specify the user account directory
completely in the /etc/passwd file, ensuring
the entry is unique.
In the following example, the useradd command is used to create three user accounts on the VM Host system
(testme1, testme2, and testme3):
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme2
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme3
The following command creates the virtual machine
named testme:
# hpvmcreate -P testme -u testme1:admin -u testme2 -u testme3:oper
At this point, users testme2 and testme3 both have oper level access to the virtual console, and user testme1 has admin level access. In order to make these accounts usable, set passwords
for them, as follows:
# passwd testme1
...
# passwd testme2
...
# passwd testme3
...
Because of the way the useradd command works, an attempt to create an additional account might
result in an error. For example, the following command attempts and
fails to add the testme4 user account:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme \
> testme4
'/var/opt/hpvm/guests/testme' is not a valid directory
To enter the command correctly, include the entire
directory path. For example:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
> -c "Console access to guest 'testme'" \
> -d /var/opt/hpvm/guests/testme/. \
> testme4
# hpvmmodify -P testme -u testme4
# passwd testme4
Note the addition of the /. to the end of the argument to the -d option,
which ensures there is no confusion with HP-UX shared home directories.
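
The account properties described above (hpvmconsole as the login shell, the per-guest directory as the home directory, and no use of the hpvmsys group) can be checked against the VM Host's group and passwd files. The following script is an added example, not part of the original documentation or of Integrity VM; the /var/opt/hpvm/guests/<guest> layout is taken from the example above, and the function names, sample entries, and GID 105 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP code): audit captive virtual console accounts.
# Assumption taken from the page's example: per-guest directories are
# /var/opt/hpvm/guests/<guest>.
CONSOLE_SHELL=/opt/hpvm/bin/hpvmconsole
GUEST_ROOT=/var/opt/hpvm/guests

# audit_console_accounts GROUP_FILE PASSWD_FILE
# Prints "OK <user> guest=<guest>" or "WARN <user> <reason>" for every
# account whose login shell is hpvmconsole.
audit_console_accounts() {
    awk -F: -v sh="$CONSOLE_SHELL" -v prefix="$GUEST_ROOT/" '
        FILENAME == ARGV[1] {            # group file: record hpvmsys
            if ($1 == "hpvmsys") {
                sysgid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        $7 != sh { next }                # passwd file: console accounts only
        {
            home = $6
            sub(/\/\.$/, "", home)       # accept the trailing "/." form
            guest = substr(home, length(prefix) + 1)
            if ((sysgid != "" && $4 == sysgid) || ($1 in member))
                print "WARN " $1 " is in the hpvmsys group"
            else if (index(home, prefix) != 1 || guest == "" || guest ~ /\//)
                print "WARN " $1 " home " $6 " is not a per-guest directory"
            else
                print "OK " $1 " guest=" guest
        }
    ' "$1" "$2"
}

# sample_audit: run the audit over constructed (not real) group/passwd data.
sample_audit() {
    d="${TMPDIR:-/tmp}/hpvm_audit.$$"
    mkdir -p "$d" || return 1
    printf '%s\n' 'users::20:' 'hpvmsys::105:testme3' > "$d/group"
    cat > "$d/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
testme1:*:201:20:Console access:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
testme3:*:203:20:Console access:/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
testme4:*:204:20:Console access:/var/opt/hpvm/guests/testme/.:/opt/hpvm/bin/hpvmconsole
badhome:*:205:20:Console access:/home/badhome:/opt/hpvm/bin/hpvmconsole
EOF
    audit_console_accounts "$d/group" "$d/passwd"
    rm -rf "$d"
}
```

On a VM Host, the same function can be pointed at the live files with `audit_console_accounts /etc/group /etc/passwd`; it does not check whether a password has been set.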