virsh rights for normal users

Natxo Asenjo natxo.asenjo at gmail.com
Thu Oct 29 15:47:30 UTC 2020


On Thu, Oct 29, 2020 at 4:25 PM Daniel P. Berrange <dan at berrange.com> wrote:

> On Thu, Oct 29, 2020 at 04:13:45PM +0100, Natxo Asenjo wrote:
> > if I run virsh list --all I get an empty listing.
> >
> > So using cockpit I can manage the system vms, but I cannot use virsh.
> >
> > This is in a rhel 7.8 system. The host is joined to an Idm realm, and
> this
> > realm has a trust to an AD forest. The users are AD users mapped to an
> > external Idm group.
> >
> > Any ideas as to what we do wrong?
>
> There are two distinct instances of libvirt - system mode and session
> mode. I suspect cockpit is using a different instance than your
> virsh command
>
> https://libvirt.org/drvqemu.html#securitydriver
>
> virsh defaults to "session" mode if running non-root, "system" mode
> if running as root. You can use "-c URI" to override the default if
> running non-root.


ah, yes. I try this:

$ virsh -c qemu:///system

But then I get a prompt:

==== AUTHENTICATING FOR org.libvirt.unix.manage =============
System policy prevents management of local virtualized systems
Authenticating as:  sudo_user_not_disclosed
Password:
Password:
polikit-agent-helper-1: pam_authenticate failed: Authentication failure

Our allowed groups in /etc/dbus-1/system.d/org.libvirt.conf are not sudo
users (this can change, but not as of now). It is a bit strange that I
get the password prompt for a local sudo user we have in place for when
systems have no working sssd connection to the IdM realm (break glass user).

My user can use the system bus in cockpit without a password.

The dbus policy looks like this:

<!-- members of this group may send messages to the org.libvirt bus name -->
<policy group="groupname">
    <allow send_destination="org.libvirt"/>
</policy>
<policy group="other_groupname">
    <allow send_destination="org.libvirt"/>
</policy>
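Added example, not from the post or from libvirt's own files: the D-Bus policy above only governs who may send to the org.libvirt bus name (the route cockpit takes), whereas a direct virsh connection to the system libvirtd socket is authorized by polkit, hence the org.libvirt.unix.manage prompt. The polkit rules file below grants that action to the same groups without a password, assuming it is installed as /etc/polkit-1/rules.d/50-libvirt.rules (the file name is an assumption) and reusing the placeholder group names from the policy.

```javascript
// Polkit rules file (added example). Any *.rules file in
// /etc/polkit-1/rules.d/ is loaded by polkitd; the name below is assumed.
// The group names are the placeholders from the D-Bus policy in the post;
// for AD users they must resolve through sssd/NSS to the external IdM group.
var LIBVIRT_MANAGE_GROUPS = ["groupname", "other_groupname"];

// Inside polkitd the global "polkit" object exists. When this file is run
// stand-alone (e.g. under node to exercise the decision offline) a minimal
// stand-in with the same string values as polkit.Result is used instead.
var Result = (typeof polkit !== "undefined")
  ? polkit.Result
  : { YES: "yes", NO: "no", NOT_HANDLED: null };

// Decision function: only decides the libvirt "manage" action. Anything
// else returns NOT_HANDLED (null), so polkit falls through to its other
// rules and finally to the action's default (auth_admin, i.e. the prompt
// seen in the post). Returning YES suppresses the password prompt.
function libvirtManageRule(action, subject) {
  if (action.id !== "org.libvirt.unix.manage") {
    return Result.NOT_HANDLED;
  }
  for (var i = 0; i < LIBVIRT_MANAGE_GROUPS.length; i++) {
    if (subject.isInGroup(LIBVIRT_MANAGE_GROUPS[i])) {
      return Result.YES;
    }
  }
  // Not in an allowed group: keep the default behaviour (admin password).
  return Result.NOT_HANDLED;
}

// Register with polkitd when loaded as a real rules file.
if (typeof polkit !== "undefined") {
  polkit.addRule(libvirtManageRule);
}
```

Group membership is evaluated from the calling process's credentials, so a user added to the group needs a fresh login before the rule applies.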