HP Integrity Virtual Machines Installation, Configuration, and Administration Version A.03.50

9.2 Creating Guest Administrators and Operators
Integrity VM provides secure access to guest machine consoles. When you create the virtual
machine, you can specify groups and user accounts that will have administration or operator
privileges on that guest. These users are allowed to log in to the VM Host under their own user
accounts and to use the hpvmconsole command to perform system administration tasks on the
guest virtual machine.
A captive virtual console account is a special-purpose user account created on the VM Host for each
guest administrator or operator. Such an account uses /opt/hpvm/bin/hpvmconsole as its login
shell and the per-guest directory of the guest it controls as its home directory. For virtual
console access, the account also requires a password and must be granted access to its associated
guest.
Before you create the virtual machine, use the useradd command to create the user accounts for
virtual console access. For example, the following command adds the user account testme1, which
will control the guest named testme:
# useradd -r no -g users -s /opt/hpvm/bin/hpvmconsole \
-c "Console access to guest 'testme'" \
-d /var/opt/hpvm/guests/testme \
testme1
Do not use the hpvmsys group for user accounts. This group is used for security isolation between
components of Integrity VM.
Console users are specified as either admin (guest administrators) or oper (guest operators).
Guest operators can access the virtual machine console, shut down and reboot the guest, display
system status, transfer control to another guest operator or administrator, and set system
identification. A guest administrator has all these capabilities, plus the ability to use the
virtual console say commands (restricted to use by HP field support specialists).
You can specify guest administrators and operators using the hpvmcreate, hpvmmodify,
hpvmmigrate, and hpvmclone commands. Include the -g option to assign administrator and
operator privileges to a user group. Use the -u option to assign administrator and operator
privileges to a specific user.
NOTE: Console users cannot use the su command to change from one privilege level to another.
Per-user checks are based on the login account name, not on the numeric user ID (UID) of the
current process.
The following command creates the virtual machine named testme with the administrator
named testme1:
# hpvmcreate -P testme -u testme1:admin
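Once the console accounts exist, it is worth checking that every account whose shell is hpvmconsole actually satisfies the constraints this section places on captive accounts: a per-guest home directory (which also tells you which guest the account controls), a password, a primary group other than hpvmsys, and a login name of no more than 8 characters. The following audit script is an added example written for this page, not a tool shipped with Integrity VM. It reads passwd(4)- and group(4)-format files given as arguments, so it runs against the constructed sample below as well as against /etc/passwd and /etc/group on a VM Host; the sample entries, the UIDs and the hpvmsys GID in it are made up.

```shell
#!/bin/sh
# Audit captive virtual console accounts on an Integrity VM Host.
# Added example for this section; not part of the HP manual or of Integrity VM.

HPVMCONSOLE=/opt/hpvm/bin/hpvmconsole      # shell of every captive console account
GUEST_DIR=/var/opt/hpvm/guests             # parent of the per-guest directories

# audit_console_accounts PASSWD_FILE GROUP_FILE
# Prints one line per account whose shell is hpvmconsole:
#   "<user> guest=<name> OK"  or  "<user> guest=<name> WARN: <reasons>"
# Returns 1 if any account produced a warning, 0 otherwise.
audit_console_accounts() {
    hpvmsys_gid=$(awk -F: '$1 == "hpvmsys" { print $3 }' "$2")
    awk -F: -v shell="$HPVMCONSOLE" -v gdir="$GUEST_DIR" -v sysgid="$hpvmsys_gid" '
        $7 != shell { next }                  # only captive console accounts
        {
            user = $1; pw = $2; gid = $4; home = $6; warn = ""; guest = "?"
            # The home directory must be exactly one level below the guest directory;
            # its basename is the guest the account controls.
            if (index(home, gdir "/") == 1 && index(substr(home, length(gdir) + 2), "/") == 0)
                guest = substr(home, length(gdir) + 2)
            else
                warn = warn " home is not a per-guest directory;"
            if (length(user) > 8) warn = warn " login name exceeds 8 characters;"
            if (sysgid != "" && gid == sysgid) warn = warn " primary group is hpvmsys;"
            if (pw == "") warn = warn " no password set;"
            if (warn == "") print user " guest=" guest " OK"
            else { print user " guest=" guest " WARN:" warn; bad = 1 }
        }
        END { exit bad }' "$1"
}

# write_sample_files DIR
# Writes constructed passwd/group files (not real system data) into DIR.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
testme1:x:201:20:Console access to guest 'testme':/var/opt/hpvm/guests/testme:/opt/hpvm/bin/hpvmconsole
guest1:x:202:20:guest1 console:/var/opt/hpvm/guests/guest1:/opt/hpvm/bin/hpvmconsole
longguestname:x:203:20:name too long:/var/opt/hpvm/guests/longguestname:/opt/hpvm/bin/hpvmconsole
oper2::204:110:wrong group and no password:/home/oper2:/opt/hpvm/bin/hpvmconsole
EOF
    cat > "$1/group" <<'EOF'
sys::3:root
users::20:
hpvmsys::110:
EOF
}

# run_sample_audit: audits the constructed sample and returns the audit status.
run_sample_audit() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    rc=0
    audit_console_accounts "$dir/passwd" "$dir/group" || rc=$?
    rm -rf "$dir"
    return $rc
}

# On a VM Host, run:  audit_console_accounts /etc/passwd /etc/group
```

The script deliberately does not flag an account whose login name differs from its guest name (testme1 controlling testme is a valid captive account); it prints the guest so you can compare the list against the -u and -g assignments shown by hpvmstatus. Running it against the sample prints two OK lines and two warnings.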
Guest operators and administrators need access to the hpvmconsole command to control the
virtual machine. If you do not want the same users to have access to the VM Host, you can restrict
use of the hpvmconsole command to guest console access only by creating a restricted account
for that purpose. To do so, follow these steps:
1. Using the useradd command, set up an /etc/passwd entry for each guest on the VM
Host. The user name of the account must be the same as the guest name and must have no
more than 8 characters. For example, for a guest named guest1:
# useradd -d /var/opt/hpvm/guests/guest1 \
-c 'guest1 console' -s /opt/hpvm/bin/hpvmconsole guest1
This example uses the following options:
The -d option specifies the home directory for the guest1 account.
The -c option specifies a comment text string that describes the account.
The -s option specifies the path for the shell of the new account.
2. Use the passwd command to set a password for the account. For example:
# passwd guest1
3. Use the hpvmmodify command to provide the user with guest administration privileges:
126 Managing Guests