[Libguestfs] [PATCH] launch: show hint to resolve authentication failure from libvirt
Olaf Hering
olaf at aepfle.de
Wed Oct 10 15:33:39 UTC 2012
On Wed, Oct 10, Daniel P. Berrange wrote:
> On Wed, Oct 10, 2012 at 05:06:37PM +0200, Olaf Hering wrote:
> > + if (err->code == VIR_ERR_AUTH_FAILED)
> > + error (g, _("Possible fix: 'polkit-auth --user <username> --grant org.libvirt.unix.manage'"));
>
> Hmm, libguestfs is using the qemu://session instance of libvirt, of which
> one is launched per user. This should not require any authentication at
> all, since it is only accessible to the current user. PolicyKit is only
> relevant if connecting to the qemu:///system instance of libvirtd which
> runs privileged and this is not something libguestfs would be using,
> unless it was run as root. But if libguestfs ran as root, it would
> already have permission to connect via policykit.
You are right, yesterday I was trying alot to get this working as
non-root. The last version, before I came across polkit-auth, was
virt-inspector -c qemu+ssh://localhost -v -d 6326ad4e-5805-2ab4-1338-d1dad8c76162
which gives the "authentication failed" error.
But 'virsh list --all' returns an empty list, and every virt-* command
just returns "Domain not found:" on my sles11sp2 system, which is not
very helpful. Now I dont see a clean way how to catch that, other than
putting it into some README.
Are you saying that on Fedora or RHEL a user can launch libvirt domains
without doing polkit-auth first?
Olaf
More information about the Libguestfs
mailing list