[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH] launch: show hint to resolve authentication failure from libvirt



On Wed, Oct 10, Daniel P. Berrange wrote:

> On Wed, Oct 10, 2012 at 05:06:37PM +0200, Olaf Hering wrote:
> > +    if (err->code == VIR_ERR_AUTH_FAILED)
> > +      error (g, _("Possible fix: 'polkit-auth --user <username> --grant org.libvirt.unix.manage'"));
> 
> Hmm, libguestfs is using the qemu://session instance of libvirt, of which
> one is launched per user. This should not require any authentication at
> all, since it is only accessible to the current user. PolicyKit is only
> relevant if connecting to the qemu:///system instance of libvirtd which
> runs privileged and this is not something libguestfs would be using,
> unless it was run as root. But if libguestfs ran as root, it would
> already have permission to connect via policykit.

You are right, yesterday I was trying alot to get this working as
non-root. The last version, before I came across polkit-auth, was 
virt-inspector -c qemu+ssh://localhost -v -d 6326ad4e-5805-2ab4-1338-d1dad8c76162
which gives the "authentication failed" error.

But 'virsh list --all' returns an empty list, and every virt-* command
just returns "Domain not found:" on my sles11sp2 system, which is not
very helpful. Now I dont see a clean way how to catch that, other than
putting it into some README.

Are you saying that on Fedora or RHEL a user can launch libvirt domains
without doing polkit-auth first?

Olaf


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]