[libvirt] problems with remote authentication with policykit

Jim Paris jim at jtan.com
Wed Jun 17 22:36:16 UTC 2009


Daniel P. Berrange wrote:
> On Wed, Jun 17, 2009 at 05:51:27PM -0400, Jim Paris wrote:
> > Daniel P. Berrange wrote:
> > 17:34:59.360: debug : call:6947 : Doing call 70 (nil)
> > 17:34:59.360: debug : call:7017 : We have the buck 70 0xbccef0 0xbccef0
> > 17:34:59.433: debug : processCallRecvLen:6605 : Got length, now need 128 total (124 more)
> > 17:34:59.434: debug : processCalls:6873 : Giving up the buck 70 0xbccef0 (nil)
> > 17:34:59.434: debug : call:7048 : All done with our call 70 (nil) 0xbccef0
> > 17:34:59.434: error : server_error:7231 : authentication failed
> > 17:35:13.585: debug : do_open:999 : driver 4 remote returned ERROR
> > 17:35:13.585: debug : virUnrefConnect:232 : unref connection 0xbc6a60 1
> > 17:35:13.585: debug : virReleaseConnect:191 : release connection 0xbc6a60
> > 
> > If I kill the libvirtd process on the server, the client then finally prints:
> > 
> > error: authentication failed
> > error: failed to connect to the hypervisor
> > 
> > and the client then exits.
> 
> Ok, this bit definitely sounds like a server side bug, unless
> perhaps there is some buffering taking place in ssh or nc
> causing the error reply packet to not be sent back promptly

I'll try to get some better traces of what's going on here.


> > The hang aside, it seems libvirtd should be using
> > org.libvirt.unix.monitor for the readonly connection?
> 
> In this case the problem is that the remote client end is using
> netcat on the wrong UNIX socket. 

Thanks, that's it.  With the attached patch on the client side,
virsh --readonly and virt-viewer work fine over qemu+ssh://.

-jim

--- libvirt-0.6.4-orig/src/remote_internal.c	2009-05-29 10:55:26.000000000 -0400
+++ libvirt-0.6.4/src/remote_internal.c	2009-06-17 18:21:34.000000000 -0400
@@ -700,7 +700,10 @@
         cmd_argv[j++] = strdup (priv->hostname);
         cmd_argv[j++] = strdup (netcat ? netcat : "nc");
         cmd_argv[j++] = strdup ("-U");
-        cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET);
+	cmd_argv[j++] = strdup (sockname ? sockname :
+				(flags & VIR_CONNECT_RO 
+				 ? LIBVIRTD_PRIV_UNIX_SOCKET_RO
+				 : LIBVIRTD_PRIV_UNIX_SOCKET));
         cmd_argv[j++] = 0;
         assert (j == nr_args);
         for (j = 0; j < (nr_args-1); j++)
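
Review bot: The read-only socket is only chosen in the fallback branch of the `sockname ? sockname : ...` expression, so a caller-supplied sockname still overrides it even when VIR_CONNECT_RO is set, and a read-only connection can then still be pointed at the privileged socket. If that override is intended, a short comment above the strdup saying so would help; otherwise the flag should be considered before sockname. On style, the four added lines are indented with tabs while the surrounding context lines use spaces, and there is a trailing space after `VIR_CONNECT_RO`. Parenthesizing the test as `(flags & VIR_CONNECT_RO)` would also make the nested conditional easier to read.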



