[libvirt] problems with remote authentication with policykit

Daniel P. Berrange berrange at redhat.com
Fri Jun 12 10:10:34 UTC 2009


On Thu, Jun 11, 2009 at 05:47:29PM -0400, Jim Paris wrote:
> Hi,
> 
> I have libvirt 0.6.4 running kvm instances on a headless server.
> I'm using virt-manager 0.7.0 to manage them.  In the past, I would SSH
> in and run virt-manager as root.  Since running GTK apps as root is no
> good, I've switched to policykit authentication.  By default, the 
> libvirt policy only allows management if the user is in the active
> host session, which isn't the case with my SSH logins.  Therefore
> I've added an override in /etc/PolicyKit/PolicyKit.conf:
> 
>   <match action="org.libvirt.unix.manage">
>     <return result="auth_admin_keep_session"/>
>   </match>
> 
> Now things generally work fine when SSHed in:
> - as root, virsh gives ro and rw access with no password
> - as jim, virsh gives ro access with no password, but requests a password for rw
> - as jim, virsh asks for a password for rw access
> 
> But when accessing remotely, I get no useful error, and a hang:
> 
> $ virsh -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
> 
> $ virsh --readonly -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
> 
> Furthermore, on the server, this leaves "nc" processes running,
> and eventually there are enough that libvirtd stops accepting new
> connections.

The hang is really odd. That suggests something is not closing the 
socket connection properly. If you had been yusing 0.6.1/.2/.3 I
would have said it was one of the libvirtd bugs, but 0.6.4 has all
event handling bugs fixed.  Perhaps the libvirtd client is not
killing the SSH session / process when it closes the connection
after auth failure.

> I was also getting strange errors including:
>   polkit-grant-helper: given auth type (8 -> yes) is bogus
> but now I can't reproduce that for the life of me, I have no idea what
> changed.  
> 
> Is policykit authentication supposed to work over qemu+ssh?

Yes, but only if you ssh as root such that policykit is a no-op.

The problem you are seeing is becaue you SSH as non-root. PolicyKit
relies on ConsoleKit to determine who is authorized, and SSH does not
register ConsoleKit Sessions. 

> I was hoping it would at least not break the --readonly case.

That all said --readonly is intended to work at all times. Our default
policy file includes a rule <allow_any>yes</allow_any>  which is telling
policykit to allow access even if the client is not associatied with
any ConsoleKit session.  So this should have allowed it to work for
you with --readonly.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|




More information about the libvir-list mailing list