[libvirt-users] [libvirt] New wiki pages with libvirt SSH setup instructions

Zdenek Styblik stybla at turnovfree.net
Thu Oct 7 14:11:07 UTC 2010


On 10/04/2010 09:36 AM, Justin Clift wrote:
> On 09/23/2010 08:08 PM, Zdenek Styblik wrote:
> <snip>
>> I've managed to create ACL by groups and it's working. However, to my
>> surprise, there is Slackware package for PolicyKit. Yet, I have never
>> used it nor tested it (I could though?).
> 
> Interesting. :)
> 
> Ubuntu also has PolicyKit compiled into the client libraries, even
> though by default the libvirt daemon (server side) doesn't use it for
> access control.
> 
> Suspecting it may be in order to allow connection to servers using
> PolicyKit for access control.  When compiling the libvirt virsh client
> on MacOS X, there is no PolicyKit available.  Which somehow translates
> into qemu+ssh:// connections to PolicyKit enabled servers not working.
> (even though qemu+tcp:// and qemu+tls:// do).  Same thing happened
> when I manually compiled virsh _without_ PolicyKit on Fedora 13.
> Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://.
> 

Well, client is on Debian (because of virt-manager package), server is
Slackware. I don't know if this makes a difference/helps. However, I have
compiled libvirt without PolicyKit present. That was more like a
statement about existence of such package ;) As I've said, I can try it
with PolicyKit too, however/probably inside another VM :P (and more like
"one day")

Hm, and thinking about it, they might be using libvirt without PolicyKit
too, as it works; unless it's a MacOS X specific issue.

>>> Asking because if it's using one of those two, then it's extremely
>>> easy to add a new "Slackware" head and point people to the right bit.
>>>
>>
>> Probably both or it depends on whether PolicyKit is installed or not.
>> (T.B.D.?) Group ACL works for sure.
> 
> Cool.  We should document that as "group access configuration is known
> to work" (or something along those lines), for Slackware.
> 
> Heh, don't suppose you have a wiki user account, and feel like doing the
> edit?
> 

Nope, I don't have a wiki account, but that shouldn't be a problem,
should it? :) However, I won't do it until Sunday.

> (yes, I'm trying to encourage people to make updates directly. :>)
> 

Good approach, imho. And sooner means better [real life experience] ;)

[...]
>> I wanted to achieve something like that (= root-less qemu and libvirtd)
>> with 0.8.3, but it didn't work because libvirt/virt-manager claimed ACL
>> problem. I think it's time for re-test and eventual push into
>> "production" of mine :)
> 
> Ahhh, yeah.  I think I understand.  It looks like you're trying to have
> a running virtualisation system, without it using root for anything.
> 
> Sounds like a good idea, but not sure if it can be made to work
> that way yet. :>
> 
> If you do get it working, definitely let me know.... we should write
> it up if so. :)
> 
> Regards and best wishes,
> 
> Justin Clift

Haha, I've soon realized it's probably impossible, since libvirtd needs
access to many things, e.g. iptables, although ... maybe some internal
hacking with duck tape and % sudo; and it could work.

I have achieved, in "production", to have qemu-kvm running as libvirt
and images owned by libvirt user/group. It's also possible to use
non-root user for VM management (hopefully, as I haven't fully tested
this one in "production"). Not exactly perfect, but I'm happy within limits.

Have a nice weekend,
Zdenek

-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla at turnovfree.net
jabber: stybla at jabber.turnovfree.net



