A.11. VDSM Hook Execution
before_vm_start scripts can edit the domain XML in order to change VDSM's definition of a virtual machine before it reaches libvirt. Caution must be exercised in doing so. Hook scripts have the potential to disrupt the operation of VDSM, and buggy scripts can result in outages to the Red Hat Virtualization environment. In particular, ensure you never change the UUID of the domain, and do not attempt to remove a device from the domain without sufficient background knowledge.
after_vdsm_stop hook scripts are run as the root user. Other hook scripts that require root access to the system must be written to use the sudo command for privilege escalation. To support this, the /etc/sudoers file must be updated to allow the vdsm user to use sudo without reentering a password. This is required because hook scripts are executed non-interactively.
Example A.4. Configuring sudo for VDSM Hooks
In this example the sudo command will be configured to allow the vdsm user to run the
- Log into the virtualization host as
- Open the /etc/sudoers file in a text editor.
- Add this line to the file:
    vdsm ALL=(ALL) NOPASSWD: /bin/chown
  This specifies that the vdsm user has the ability to run the /bin/chown command as the
  NOPASSWD parameter indicates that the user will not be prompted to enter their password when calling
Once this configuration change has been made VDSM hooks are able to use the sudo command to run
root. This Python code uses
root on the file
import subprocess
retcode = subprocess.call(["/usr/bin/sudo", "/bin/chown", "root", "/my_file"])
The standard error stream of hook scripts is collected in VDSM's log. This information is used to debug hook scripts.
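The chown call above, expanded into a hook helper as an added example (not part of the original documentation). It never prompts, confines the target to one directory, and reports failures on standard error so they appear in VDSM's log. ALLOWED_ROOT, the my_hook name and the function names are assumptions made for illustration.

```python
import os
import subprocess
import sys

SUDO = "/usr/bin/sudo"   # same absolute paths as the call on this page
CHOWN = "/bin/chown"
ALLOWED_ROOT = "/var/run/my_hook"  # assumption: the only tree this hook manages


def resolve_target(path, allowed_root=ALLOWED_ROOT):
    """Return the canonical path, or None if it is not strictly inside allowed_root."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(path)
    # realpath collapses ".." and symlinks, so the comparison is made on
    # the file that chown would actually touch.
    if real == root or os.path.commonpath([root, real]) != root:
        return None
    return real


def chown_to_root(path, allowed_root=ALLOWED_ROOT, run=subprocess.run):
    """chown path to root through sudo; return 0 on success, non-zero otherwise."""
    target = resolve_target(path, allowed_root)
    if target is None:
        sys.stderr.write("my_hook: refusing chown outside %s: %r\n"
                         % (allowed_root, path))
        return 2
    # sudo -n: never prompt; if the NOPASSWD rule is missing the call fails
    # immediately, which matters because hooks run non-interactively.
    # chown -h: if the target is swapped for a symlink after the check,
    # change the link itself, not what it points to. "--" ends options.
    cmd = [SUDO, "-n", CHOWN, "-h", "root", "--", target]
    proc = run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        # Standard error of a hook script is collected in VDSM's log.
        sys.stderr.write("my_hook: %s failed (%d): %s\n"
                         % (" ".join(cmd), proc.returncode, detail))
    return proc.returncode


if __name__ == "__main__":
    sys.exit(chown_to_root(sys.argv[1]) if len(sys.argv) == 2 else 2)
```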