[libvirt] problems with remote authentication with policykit
Daniel P. Berrange
berrange at redhat.com
Fri Jun 12 10:10:34 UTC 2009
On Thu, Jun 11, 2009 at 05:47:29PM -0400, Jim Paris wrote:
> Hi,
>
> I have libvirt 0.6.4 running kvm instances on a headless server.
> I'm using virt-manager 0.7.0 to manage them. In the past, I would SSH
> in and run virt-manager as root. Since running GTK apps as root is no
> good, I've switched to policykit authentication. By default, the
> libvirt policy only allows management if the user is in the active
> host session, which isn't the case with my SSH logins. Therefore
> I've added an override in /etc/PolicyKit/PolicyKit.conf:
>
> <match action="org.libvirt.unix.manage">
> <return result="auth_admin_keep_session"/>
> </match>
>
> Now things generally work fine when SSHed in:
> - as root, virsh gives ro and rw access with no password
> - as jim, virsh gives ro access with no password, but requests a password for rw
> - as jim, virsh asks for a password for rw access
>
> But when accessing remotely, I get no useful error, and a hang:
>
> $ virsh -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
>
> $ virsh --readonly -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
>
> Furthermore, on the server, this leaves "nc" processes running,
> and eventually there are enough that libvirtd stops accepting new
> connections.
The hang is really odd. That suggests something is not closing the
socket connection properly. If you had been using 0.6.1/.2/.3 I
would have said it was one of the libvirtd bugs, but 0.6.4 has all
event handling bugs fixed. Perhaps the libvirtd client is not
killing the SSH session / process when it closes the connection
after auth failure.
> I was also getting strange errors including:
> polkit-grant-helper: given auth type (8 -> yes) is bogus
> but now I can't reproduce that for the life of me, I have no idea what
> changed.
>
> Is policykit authentication supposed to work over qemu+ssh?
Yes, but only if you ssh as root such that policykit is a no-op.
The problem you are seeing is because you SSH as non-root. PolicyKit
relies on ConsoleKit to determine who is authorized, and SSH does not
register ConsoleKit Sessions.
> I was hoping it would at least not break the --readonly case.
That all said --readonly is intended to work at all times. Our default
policy file includes a rule <allow_any>yes</allow_any> which is telling
policykit to allow access even if the client is not associated with
any ConsoleKit session. So this should have allowed it to work for
you with --readonly.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
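The decision logic Daniel describes (an SSH login has no ConsoleKit session, so PolicyKit evaluates the action's `<allow_any>` default, unless `/etc/PolicyKit/PolicyKit.conf` forces a result for that action, and root skips PolicyKit altogether) can be modelled in a few lines. The following is an added example, not code from libvirt or PolicyKit: the policy file is a constructed stand-in written to match the thread's description of libvirt's defaults, the `<config>` wrapper around Jim's quoted override is assumed (his mail shows only the `<match>` element), and the `decide()` function is a simplification of PolicyKit 0.9's result lookup, not its real implementation.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for libvirt's org.libvirt.unix.policy, matching the thread:
# read-only monitoring is allowed for any caller (<allow_any>yes</allow_any>),
# management only for an active console session.  Not the real shipped file.
POLICY_XML = """\
<policyconfig>
  <action id="org.libvirt.unix.monitor">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.libvirt.unix.manage">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Jim's override as quoted in the thread, wrapped in the <config> root element a real
# /etc/PolicyKit/PolicyKit.conf carries (the wrapper is assumed here, not in the mail).
POLICYKIT_CONF = """\
<config version="0.1">
  <match action="org.libvirt.unix.manage">
    <return result="auth_admin_keep_session"/>
  </match>
</config>
"""


def load_defaults(policy_xml):
    """Map action id -> {'any': ..., 'inactive': ..., 'active': ...} from a .policy file."""
    out = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        d = action.find("defaults")
        out[action.get("id")] = {
            "any": d.findtext("allow_any"),
            "inactive": d.findtext("allow_inactive"),
            "active": d.findtext("allow_active"),
        }
    return out


def load_overrides(conf_xml):
    """Map action id -> forced result from <match action=...><return result=.../>."""
    out = {}
    for m in ET.fromstring(conf_xml).iter("match"):
        ret = m.find("return")
        if m.get("action") and ret is not None:
            out[m.get("action")] = ret.get("result")
    return out


def session_class(ck_session):
    """PolicyKit buckets a caller by its ConsoleKit session: no session -> 'any',
    a session not on the active seat -> 'inactive', otherwise 'active'.
    SSH registers no ConsoleKit session, so an SSH login always lands in 'any'."""
    if ck_session is None:
        return "any"
    return "active" if ck_session.get("active") else "inactive"


def decide(action, uid, ck_session, defaults, overrides=None):
    """Result libvirtd would act on (simplified model): uid 0 bypasses PolicyKit,
    as the reply states; otherwise a PolicyKit.conf override wins, then the
    default for the caller's session class."""
    if uid == 0:
        return "yes"
    if overrides and action in overrides:
        return overrides[action]
    return defaults[action][session_class(ck_session)]


if __name__ == "__main__":
    defaults = load_defaults(POLICY_XML)
    overrides = load_overrides(POLICYKIT_CONF)
    ssh_login = None  # constructed: SSH session, no ConsoleKit registration
    for label, action, uid, ov in [
        ("jim over ssh, --readonly", "org.libvirt.unix.monitor", 1000, None),
        ("jim over ssh, rw, stock policy", "org.libvirt.unix.manage", 1000, None),
        ("jim over ssh, rw, with override", "org.libvirt.unix.manage", 1000, overrides),
        ("root over ssh, rw", "org.libvirt.unix.manage", 0, None),
    ]:
        print(f"{label}: {decide(action, uid, ssh_login, defaults, ov)}")
```

Read-only monitoring resolves to `yes` for an SSH login even without the override, which is why Daniel expects `--readonly` to work; the stock `manage` default for a session-less caller is `no`, and the override replaces that with `auth_admin_keep_session`, a result that needs an interactive authentication agent the remote `virsh` cannot supply.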