[Libguestfs] [PATCH] launch: show hint to resolve authentication failure from libvirt

Daniel P. Berrange berrange at redhat.com
Wed Oct 10 15:48:08 UTC 2012 

On Wed, Oct 10, 2012 at 05:33:39PM +0200, Olaf Hering wrote:
> On Wed, Oct 10, Daniel P. Berrange wrote:
> 
> > On Wed, Oct 10, 2012 at 05:06:37PM +0200, Olaf Hering wrote:
> > > +    if (err->code == VIR_ERR_AUTH_FAILED)
> > > +      error (g, _("Possible fix: 'polkit-auth --user <username> --grant org.libvirt.unix.manage'"));
> > 
> > Hmm, libguestfs is using the qemu://session instance of libvirt, of which
> > one is launched per user. This should not require any authentication at
> > all, since it is only accessible to the current user. PolicyKit is only
> > relevant if connecting to the qemu:///system instance of libvirtd which
> > runs privileged and this is not something libguestfs would be using,
> > unless it was run as root. But if libguestfs ran as root, it would
> > already have permission to connect via policykit.
> 
> You are right, yesterday I was trying alot to get this working as
> non-root. The last version, before I came across polkit-auth, was 
> virt-inspector -c qemu+ssh://localhost -v -d 6326ad4e-5805-2ab4-1338-d1dad8c76162
> which gives the "authentication failed" error.

Because you used  qemu+ssh here it will be trying & failing todo SSH
authentication here. In addition your URI is invalid, so even if it
got past the SSH auth, the connection would still fail.

> But 'virsh list --all' returns an empty list, and every virt-* command
> just returns "Domain not found:" on my sles11sp2 system, which is not
> very helpful. Now I dont see a clean way how to catch that, other than
> putting it into some README.
>
> Are you saying that on Fedora or RHEL a user can launch libvirt domains
> without doing polkit-auth first?

It depends on what instance of libvirtd you are connecting to.

 - The system instance, runs as root and requirs non-root users
   to auth with policykit

 - The session instance, runs as the same user id as the client
   app and does not require auth.

Since libguestfs passes NULL for the URI, it will be connecting
to the session instance if libguestfs is non-root and thus not
require any auth. If libguestfs is run as root it will connect
to the system instance which requires polkit auth, but root already
has that granted.

The only case where non-root needs polkit auth is if non-root is
connecting to the system instance of libvirtd, but libguestfs
choice of NULL uri means that should not happen.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the Libguestfs mailing list