Xen provision/script. not enough permissions

splastunov · Sun Mar 03, 2024 5:38 pm

Hello!

I'm trying to automate provisioning of CHR running on VDS (host based on xcp-ng XEN).
From the documentation https://wiki.mikrotik.com/wiki/Manual:CHR#XenI realized that I can use xenstore to pass some script to the virtual machine via path ('vm-data/provision/script').
I tried to pass this simple script to change the default admin password

user/set admin password=SuperDuperPass

and got the error "not enough permissions (9)".

I can't find any information on how to overcome this error or get permissions for this "provisioning" scenario.

Any ideas?

miku · Mon Mar 04, 2024 9:57 am

Hi,

From mikrotik RoutrerOS documentation (https://help.mikrotik.com/docs/display/ROS/User):

Config Policies:

reboot - policy that allows rebooting the router
read - policy that grants read access to the router's configuration. All console commands that do not alter router's configuration are allowed. Doesn't affect FTP
write - policy that grants write access to the router's configuration, except for user management. This policy does not allow to read the configuration, so make sure to enable read policy as well
policy - policy that grants user management rights. Should be used together with the write policy. Allows also to see global variables created by other users (requires also 'test' policy).
test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, snooper, fetch, email and other test commands
sensitive - grants rights to change "hide sensitive" option, if this policy is disabled sensitive information is not displayed.
sniff - policy that grants rights to use packet sniffer tool.

So, you should set: write, policy for your script

splastunov · Mon Mar 04, 2024 3:10 pm

@miku, thank you.
I know that for "stored" scripts I can put some privileges, but! as you can see from my post I do not store this script, I'm passing it via xenstore.
So virtual machine get and run it on fly without storing on hdd.
That is the problem.
I do not know from which user it starts and how to change privileges for it.

miku · Tue Mar 05, 2024 12:30 am

@splastunov,
Unfortunately I don't know xenstore. Maybe you'll find something in the logs after all. Failed script execution should be in the log.

splastunov · Tue Mar 05, 2024 2:30 pm

Nothing in logs, no information in documentation how does "start up" script working.

Because of that I'm asking here...

splastunov · Sun Mar 10, 2024 2:00 pm

Any ideas from @mikrotik team?

splastunov · Thu Mar 14, 2024 12:00 am

up up

Thu Mar 14, 2024 1:54 am

This forum is a user-to-user channel. If you want a direct-to-MikroTik support channel, it's here.

Xen provision/script. not enough permissions

Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Re: Xen provision/script. not enough permissions

Who is online