[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] problems with remote authentication with policykit



On Thu, Jun 18, 2009 at 12:20:40PM -0400, Jim Paris wrote:
> Daniel P. Berrange wrote:
> > We close the socket to the 'nc' process here so in theory it should
> > be getting a HUP event from poll or EOF from read, etc and then
> > exiting. Ominously though I see several patches to Fedora's 'nc'
> > RPM at least one of which is related to nc hanging forever after 
> > getting HUP fback from poll(). What distro are you using ? 
> > 
> >   http://cvs.fedoraproject.org/viewvc/rpms/nc/F-11/
> 
> I'm using Debian.  I've already had to switch from the
> "netcat-traditional" package to the "netcat-openbsd" package.
> Debian does already include that patch, but what a mess...

I know the reason why it gets stuck on the server end too - after an
auth failure, the server won't kick off the client. The connection
just remains in an unauthenticated state. This allows the client to
(in theory) retry the authentication step, and gives us a little more
flexibility for any future protocol changes we might need to make.

I think the best way to solve the problem of 'nc' potentially not
quitting promptly, is to simply have the remote client kill() the
SSH client pid, rather than simply closing the socket & doing
waitpid() on the SSH client. This would ensure the waitpid promptly
cleans up.

> Since already know libvirtd is installed on the remote host,
> would it make sense to just add a new set of options:
>       libvirtd --socket-connect
>       libvirtd --socket-connect-ro
> that do the same thing as "nc -U" on the appropriate socket?
> Then we know it would work everywhere, and have the added 
> benefit that the client wouldn't need to know the location of the
> socket.

If we'd thought of this originally, I would certainly have done it
this way, but if we did this now, it would break compatability. ie
new libvirt clients would be trying to run a binary that does not
exist with old server deployments.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]