[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH] launch: show hint to resolve authentication failure from libvirt



On Wed, Oct 10, 2012 at 04:38:19PM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 10, 2012 at 04:16:21PM +0100, Daniel P. Berrange wrote:
> > On Wed, Oct 10, 2012 at 05:06:37PM +0200, Olaf Hering wrote:
> > > Signed-off-by: Olaf Hering <olaf aepfle de>
> > > ---
> > > 
> > > Switching from attach-method "appliance" to "libvirt" has surprising
> > > side effects, so show a hint how to resolve the "authentication failed"
> > > error from libvirt.
> > > Patch is not compile tested.
> > > 
> > >  src/libvirtdomain.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/src/libvirtdomain.c b/src/libvirtdomain.c
> > > index eecea26..110ee86 100644
> > > --- a/src/libvirtdomain.c
> > > +++ b/src/libvirtdomain.c
> > > @@ -104,6 +104,8 @@ guestfs__add_domain (guestfs_h *g, const char *domain_name,
> > >      err = virGetLastError ();
> > >      error (g, _("could not connect to libvirt (code %d, domain %d): %s"),
> > >             err->code, err->domain, err->message);
> > > +    if (err->code == VIR_ERR_AUTH_FAILED)
> > > +      error (g, _("Possible fix: 'polkit-auth --user <username> --grant org.libvirt.unix.manage'"));
> > 
> > Hmm, libguestfs is using the qemu://session instance of libvirt, of which
> > one is launched per user. This should not require any authentication at
> > all, since it is only accessible to the current user. PolicyKit is only
> > relevant if connecting to the qemu:///system instance of libvirtd which
> > runs privileged and this is not something libguestfs would be using,
> > unless it was run as root. But if libguestfs ran as root, it would
> > already have permission to connect via policykit.
> 
> I don't think this is true.
> 
> libguestfs use of libvirt is a bit of a mess at the moment, since we
> end up opening two connections if you use the -d option ... this is
> something I'm intending to fix.
> 
> Nevertheless, it should be using NULL everywhere, so depending on
> whether you run it as root or not, it will use qemu:///system
> or qemu:///session.

But in neither of those scenarios would policykit auth be required.

The qemu:///session instance will never need auth.

The qemu:///system uses polkit by default, but since you're root
in this usage, it will not need any more polkit rules.

The only time you'd need auth is if the system instance had been
configured to use SASL, and there was a username/password set,
in which case the proposed error message won't be relevant.

> It's somewhere on the to-do list to:
> 
>   (1) Fix the utilities so they only need to open one connection
>       (this will matter in the remote case).
> 
>   (2) Support authentication in libvirt by mapping libvirt auth
>       callbacks to libguestfs events.

Makes sense, but I think that's unrelated to what's going in this
proposed patch.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]