HP Integrity Virtual Machines 4.2: Installation, Configuration, and Administration

9.3 Creating Guest Administrators and Operators
Integrity VM provides secure access to guest machine consoles. When you create the virtual
machine, you can specify groups and user accounts to have administration or operator privileges
on that guest. These users are allowed to log in to the VM Host under their own user accounts
and to use the hpvmconsole command to perform system administration tasks on the guest
virtual machine.
A captive virtual console account is a special-purpose user account created on the VM Host for each
guest administrator or operator. These accounts use the /opt/hpvm/bin/hpvmconsole command as
their login shell, and the desired guest's per-guest directory as their home directory. For virtual
console access, the account also requires a password and access to its associated guest.
Before you create the virtual machine, use the useradd command to create user accounts for
virtual console access. For example, the following command adds the user account testme1:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
Do not use the hpvmsys group for user accounts. This group is used for security isolation between
components of Integrity VM.
These console users are specified as either admin (guest administrators) or oper (guest
operators). Guest operators can access the virtual machine console, shut down and reboot the
guest, display system status, transfer control to another guest operator or administrator, and set
system identification. The guest administrator has all these capabilities, as well as the ability to
use the virtual console say commands (restricted to use by HP field support specialists).
You can specify guest administrators and operators using the hpvmcreate, hpvmmodify,
hpvmmigrate, and hpvmclone commands. To assign administrator and operator privileges to
a user group, include the -g option. To assign administrator and operator privileges to a specific
user, use the -u option.
NOTE: Console users cannot use the su command to change from one privilege level to another.
Per-user checks are based on login account identifiers, not on UIDs.
The following command creates the virtual machine named testme with the administrator
named testme1:
# hpvmcreate -P testme -u testme1:admin
Guest operators and administrators need access to the hpvmconsole command to control the
virtual machine. If you do not want the same users to have access to the VM Host, you can restrict
use of the hpvmconsole command to guest console access only by creating a restricted account
for that purpose. To do so, follow these steps:
1. Using the useradd command, set up an /etc/passwd entry for each guest on the VM
Host. The user name of the account must be the same as the guest name and must have no
more than 8 characters. For example:
# useradd -d /var/opt/hpvm/guests/host1 \
-c 'host1 console' -s /opt/hpvm/bin/hpvmconsole host1
This example uses the following options:
The -d option specifies the home directory for the host1 account.
The -c option specifies a comment text string that describes the account.
The -s option specifies the path for the shell of the new account.
2. Use the passwd command to set a password for the account. For example:
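The account rules described in this section (hpvmconsole as the login shell, a home directory under the per-guest directory, no membership in the hpvmsys group, and an account name of no more than 8 characters for a restricted per-guest account) can be checked mechanically. The following POSIX shell helpers are an added example, not part of the HP manual: one builds (but does not run) the useradd command line for a restricted per-guest account, and one audits a passwd-format file and reports every hpvmconsole account that breaks one of those rules. The /var/opt/hpvm/guests location and the choice of the users group follow the examples above; reading passwd and group data from files passed as arguments is an assumption made so the audit can run against a copy or a constructed sample.

```shell
#!/bin/sh
# Added example (not from the HP Integrity VM manual): helpers for creating and
# auditing captive virtual console accounts as described in section 9.3.
# Assumption: per-guest directories live under /var/opt/hpvm/guests/<guest>;
# the audit takes passwd- and group-format files as arguments.

HPVM_CONSOLE_SHELL=/opt/hpvm/bin/hpvmconsole
HPVM_GUEST_DIR=/var/opt/hpvm/guests

# A restricted per-guest account name must equal the guest name and be
# 1 to 8 characters long (letters, digits and underscore only).
valid_guest_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Print, without running it, the useradd command for a restricted per-guest
# console account. Returns 1 and prints nothing if the name is invalid.
console_useradd_cmd() {
    valid_guest_name "$1" || return 1
    printf "useradd -d %s/%s -c '%s console' -g users -s %s %s\n" \
        "$HPVM_GUEST_DIR" "$1" "$1" "$HPVM_CONSOLE_SHELL" "$1"
}

# Audit a passwd-format file ($1). For every account whose login shell is
# hpvmconsole, print "OK <user>" or "BAD <user> <reason>". The group-format
# file ($2) is used only to find the GID of hpvmsys, which console accounts
# must not use as their primary group.
audit_console_accounts() {
    passwd_file=$1
    group_file=$2
    hpvmsys_gid=$(awk -F: '$1 == "hpvmsys" { print $3 }' "$group_file")
    awk -F: -v shell="$HPVM_CONSOLE_SHELL" -v gdir="$HPVM_GUEST_DIR" \
        -v sysgid="$hpvmsys_gid" '
        $7 != shell { next }
        {
            reason = ""
            if (length($1) > 8) reason = "name-too-long"
            else if (sysgid != "" && $4 == sysgid) reason = "in-hpvmsys-group"
            else if (index($6, gdir "/") != 1) reason = "home-not-guest-dir"
            if (reason == "") print "OK " $1
            else print "BAD " $1 " " reason
        }' "$passwd_file"
}
```

To audit a VM Host, source the file in a shell and run `audit_console_accounts /etc/passwd /etc/group`; accounts that have the captive shell but a home directory outside the guest tree, or the hpvmsys primary group, are listed with the reason so they can be corrected with usermod before guest users are assigned with hpvmcreate or hpvmmodify.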