[libvirt] problems with remote authentication with policykit

Daniel P. Berrange berrange at redhat.com
Thu Jun 18 13:57:50 UTC 2009


On Wed, Jun 17, 2009 at 06:36:16PM -0400, Jim Paris wrote:
> Daniel P. Berrange wrote:
> > On Wed, Jun 17, 2009 at 05:51:27PM -0400, Jim Paris wrote:
> > > Daniel P. Berrange wrote:
> > > 17:34:59.360: debug : call:6947 : Doing call 70 (nil)
> > > 17:34:59.360: debug : call:7017 : We have the buck 70 0xbccef0 0xbccef0
> > > 17:34:59.433: debug : processCallRecvLen:6605 : Got length, now need 128 total (124 more)
> > > 17:34:59.434: debug : processCalls:6873 : Giving up the buck 70 0xbccef0 (nil)
> > > 17:34:59.434: debug : call:7048 : All done with our call 70 (nil) 0xbccef0
> > > 17:34:59.434: error : server_error:7231 : authentication failed
> > > 17:35:13.585: debug : do_open:999 : driver 4 remote returned ERROR
> > > 17:35:13.585: debug : virUnrefConnect:232 : unref connection 0xbc6a60 1
> > > 17:35:13.585: debug : virReleaseConnect:191 : release connection 0xbc6a60
> > > 
> > > If I kill the libvirtd process on the server, the client then finally prints:
> > > 
> > > error: authentication failed
> > > error: failed to connect to the hypervisor
> > > 
> > > and the client then exits.
> > 
> > Ok, this bit definitely sounds like a server side bug, unless
> > perhaps there is some buffering taking place in ssh or nc
> > causing the error reply packet to not be sent back promptly
> 
> I'll try to get some better traces of what's going on here.
> 
> 
> > > The hang aside, it seems libvirtd should be using
> > > org.libvirt.unix.monitor for the readonly connection?
> > 
> > In this case the problem is that the remote client end is using
> > netcat on the wrong UNIX socket. 
> 
> Thanks, that's it.  With the attached patch on the client side,
> virsh --readonly and virt-viewer work fine over qemu+ssh://.
> 
> -jim
> 
> --- libvirt-0.6.4-orig/src/remote_internal.c	2009-05-29 10:55:26.000000000 -0400
> +++ libvirt-0.6.4/src/remote_internal.c	2009-06-17 18:21:34.000000000 -0400
> @@ -700,7 +700,10 @@
>          cmd_argv[j++] = strdup (priv->hostname);
>          cmd_argv[j++] = strdup (netcat ? netcat : "nc");
>          cmd_argv[j++] = strdup ("-U");
> -        cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET);
> +	cmd_argv[j++] = strdup (sockname ? sockname :
> +				(flags & VIR_CONNECT_RO 
> +				 ? LIBVIRTD_PRIV_UNIX_SOCKET_RO
> +				 : LIBVIRTD_PRIV_UNIX_SOCKET));
>          cmd_argv[j++] = 0;
>          assert (j == nr_args);
>          for (j = 0; j < (nr_args-1); j++)
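
Review bot: in the added `strdup (sockname ? sockname : ...)` argument, an explicit `sockname` still takes precedence over the `flags & VIR_CONNECT_RO` test, so a read-only open with a caller-supplied socket path connects to whatever socket that path names rather than `LIBVIRTD_PRIV_UNIX_SOCKET_RO`. If that precedence is intended, a short comment above the expression saying so would help. The added continuation lines are also tab-indented where the surrounding context lines use spaces, and there is trailing whitespace after `VIR_CONNECT_RO`; re-indenting with spaces would keep the block consistent.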

Ok, I've committed this change

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



