[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH] launch: show hint to resolve authentication failure from libvirt



On Wed, Oct 10, 2012 at 04:16:21PM +0100, Daniel P. Berrange wrote:
> On Wed, Oct 10, 2012 at 05:06:37PM +0200, Olaf Hering wrote:
> > Signed-off-by: Olaf Hering <olaf aepfle de>
> > ---
> > 
> > Switching from attach-method "appliance" to "libvirt" has surprising
> > side effects, so show a hint how to resolve the "authentication failed"
> > error from libvirt.
> > Patch is not compile tested.
> > 
> >  src/libvirtdomain.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/src/libvirtdomain.c b/src/libvirtdomain.c
> > index eecea26..110ee86 100644
> > --- a/src/libvirtdomain.c
> > +++ b/src/libvirtdomain.c
> > @@ -104,6 +104,8 @@ guestfs__add_domain (guestfs_h *g, const char *domain_name,
> >      err = virGetLastError ();
> >      error (g, _("could not connect to libvirt (code %d, domain %d): %s"),
> >             err->code, err->domain, err->message);
> > +    if (err->code == VIR_ERR_AUTH_FAILED)
> > +      error (g, _("Possible fix: 'polkit-auth --user <username> --grant org.libvirt.unix.manage'"));
> 
> Hmm, libguestfs is using the qemu://session instance of libvirt, of which
> one is launched per user. This should not require any authentication at
> all, since it is only accessible to the current user. PolicyKit is only
> relevant if connecting to the qemu:///system instance of libvirtd which
> runs privileged and this is not something libguestfs would be using,
> unless it was run as root. But if libguestfs ran as root, it would
> already have permission to connect via policykit.

I don't think this is true.

libguestfs use of libvirt is a bit of a mess at the moment, since we
end up opening two connections if you use the -d option ... this is
something I'm intending to fix.

Nevertheless, it should be using NULL everywhere, so depending on
whether you run it as root or not, it will use qemu:///system
or qemu:///session.

It's somewhere on the to-do list to:

  (1) Fix the utilities so they only need to open one connection
      (this will matter in the remote case).

  (2) Support authentication in libvirt by mapping libvirt auth
      callbacks to libguestfs events.

Rich.

> So I'm not really clear why you want this addition
> 
> Daniel
> -- 
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
> 
> _______________________________________________
> Libguestfs mailing list
> Libguestfs redhat com
> https://www.redhat.com/mailman/listinfo/libguestfs

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]