[Bug 544579] New: libvirtd does accept connections from virt-manager
http://bugzilla.novell.com/show_bug.cgi?id=544579

User rhafer@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=544579#c012

Summary: libvirtd does accept connections from virt-manager
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 8
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: agraf@novell.com
ReportedBy: rhafer@novell.com
QAContact: qa@suse.de
Found By: ---

Created an attachment (id=321210)
 --> (http://bugzilla.novell.com/attachment.cgi?id=321210)
Patch to link libvirt against old policykit API

Every time I launch virt-manager on 11.2M8 I get this error message:
-------------------------------
Unable to open a connection to the libvirt management daemon.

Libvirt URI is: qemu:///system

Verify that:
 - The 'libvirtd' daemon has been started
-------------------------------
And in the "Details" section:
------------------------------
Unable to open connection to hypervisor URI 'qemu:///system':
authentication failed
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 456, in _try_open
    None], flags)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 102, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication failed
------------------------------

libvirtd is running and /var/log/messages says:
Oct 6 10:47:59 bronsted libvirtd: 10:47:59.170: error : remoteDispatchAuthPolkit:3168 : Policy kit denied action org.libvirt.unix.manage from pid 1220, uid 10178, result: 512#012

even though I had given the respective user the needed privilege in the past. But since M8 I am not even able to give this privilege to the user again (using polkit-auth or polkit-kde-authorization.)

Looking at the libvirt changelog revealed that it has recently been updated to use a newer PolicyKit (1.0) API.
So I tried rebuilding it with the old PolicyKit API (patch attached) and that package seems to work for me now. (Though it is probably better to fix the real problem with the new API, whatever it is.)

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=544579#c1
Alexander Graf
http://bugzilla.novell.com/show_bug.cgi?id=544579#c2
James Fehlig
http://bugzilla.novell.com/show_bug.cgi?id=544579#c3
Ralf Haferkamp
http://bugzilla.novell.com/show_bug.cgi?id=544579#c4
--- Comment #4 from James Fehlig
> It doesn't however store the authorization so I have to reenter the root password on every startup.

Yes, this is the problem (noted in comment #2) that I was trying to overcome. I don't think this is any fault of libvirt though - rather a configuration of polkit or pam or ??? Authentication of a user on unix domain socket is possible without prompting for passwd, so I'm not sure why that is happening.

Modifying the config files as described in #2 configures authorization - and that seems to be working.
http://bugzilla.novell.com/show_bug.cgi?id=544579#c
Ihno Krumreich
https://bugzilla.novell.com/show_bug.cgi?id=544579#c5
--- Comment #5 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c6
David Zeuthen
> 1. Editing /etc/polkit-default-privs.local then running /sbin/set_polkit_default_privs
>
> xen24:~ # cat /etc/polkit-default-privs.local
> org.libvirt.unix.manage no:no:auth_admin_keep

Note: /sbin/set_polkit_default_privs and /etc/polkit-default-privs.local are SUSE specific files. They do not belong in upstream. I guess that these files generate .pkla files and I suppose the reason why unix-group is not working is because you generate .pkla files that override e.g. /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla as defined in

 http://wiki.libvirt.org/page/SSHPolicyKitSetup

Either way, please attach a tarball generated this way

 # tar cfv polkit-pkla-files.tar /etc/polkit-1/localauthority/ /var/lib/polkit-1/localauthority/

on a SUSE system exhibiting these problems.
https://bugzilla.novell.com/show_bug.cgi?id=544579#c7
--- Comment #7 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c
Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c8
--- Comment #8 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c9
--- Comment #9 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c10
--- Comment #10 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c
Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c
Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c
Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c
Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c11
--- Comment #11 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c12
--- Comment #12 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c13
--- Comment #13 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c14
David Zeuthen
https://bugzilla.novell.com/show_bug.cgi?id=544579#c15
James Fehlig
https://bugzilla.novell.com/show_bug.cgi?id=544579#c16
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=544579#c17
--- Comment #17 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c18
--- Comment #18 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=544579#c19
--- Comment #19 from Justin Clift
https://bugzilla.novell.com/show_bug.cgi?id=544579#c23
Ludwig Nussel
> I'm not sure what to do with this bug. IMO, it is a polkit configuration issue that, once addressed, solves the reported problem. Do you agree? Do you think any changes should be made to the default polkit configuration? Thanks.

If upstream changes the evaluation order the issue will resolve in Factory eventually. I could also simply change set_polkit_default_privs to use "Identity=unix-group:*" instead of "Identity=unix-user:*". We could also release a maintenance update with this change.
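
An added example, not part of the bug thread and not code from polkit, libvirt or SUSE: a small Python audit that lists every .pkla entry matching org.libvirt.unix.manage, so a "unix-user:*" entry of the kind discussed above can be seen next to a unix-group entry for the same action. The file contents and the second file name are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample contents, not taken from the bug report. The second
# file name is hypothetical; its results mirror "no:no:auth_admin_keep".
SAMPLE_PKLA = {
    "/etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla":
        "[Remote libvirt SSH access]\nIdentity=unix-group:libvirt\n"
        "Action=org.libvirt.unix.manage\n"
        "ResultAny=yes\nResultInactive=yes\nResultActive=yes\n",
    "/var/lib/polkit-1/localauthority/10-vendor.d/example-generated.pkla":
        "[org.libvirt.unix.manage]\nIdentity=unix-user:*\n"
        "Action=org.libvirt.unix.manage\n"
        "ResultAny=no\nResultInactive=no\nResultActive=auth_admin_keep\n",
}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def split_list(value):
    """Split a semicolon-separated .pkla value, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def entries_for(action, files):
    """Return (path, section, identities, results) for entries matching action."""
    found = []
    for path in sorted(files):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case: Identity, Action, Result*
        cp.read_string(files[path], source=path)
        for section in cp.sections():
            # fnmatch approximates polkit's glob matching of action ids
            globs = split_list(cp.get(section, "Action", fallback=""))
            if any(fnmatchcase(action, g) for g in globs):
                ids = split_list(cp.get(section, "Identity", fallback=""))
                results = tuple(cp.get(section, k, fallback="-") for k in RESULT_KEYS)
                found.append((path, section, ids, results))
    return found

def wildcard_user_overlap(entries):
    """True if a unix-user:* entry and a unix-group entry cover the same action."""
    idents = [i for entry in entries for i in entry[2]]
    return "unix-user:*" in idents and any(i.startswith("unix-group:") for i in idents)

if __name__ == "__main__":
    hits = entries_for("org.libvirt.unix.manage", SAMPLE_PKLA)
    for path, section, ids, results in hits:
        print(path, section, ids, ":".join(results))
    print("unix-user:* overlaps a unix-group entry:", wildcard_user_overlap(hits))
```

To audit a live system, fill the dictionary with the text of each .pkla file under the two localauthority directories named in David Zeuthen's tar command instead of the constructed samples.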
https://bugzilla.novell.com/show_bug.cgi?id=544579#c24
James Fehlig
https://bugzilla.novell.com/show_bug.cgi?id=544579#c25
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=544579#c26
--- Comment #26 from Bernhard Wiedemann