virsh rights voor normal users
Michal Privoznik
mprivozn at redhat.com
Thu Oct 29 19:38:54 UTC 2020
On 10/29/20 4:47 PM, Natxo Asenjo wrote:
> ah, yes. I try this:
>
> $ virsh -c qemu:///system
>
> But it then I get a prompt:
>
> ==== AUTHENTICATING FOR org.libvirt.unix.manage =============
> System policy prevents management of local virtualized systems
> Authenticating as: sudo_user_not_disclosed
> Password:
> Password:
> polikit-agent-helper-1: pam_authenticate failed: Authentication failure
>
> Our allowed groups in the /etc/dbus-1/system.d/org.libvirt.conf are no
> sudo users (this can change, but not as of now). It is a bit strange
> that the get the password prompt for a local sudo user we have in place
> for as systems have no working sssd connection to the idm realm (break
> glass user)
>
> My user can use the system bus in cockpit without a password.
>
> The dbus policy looks like this:
>
> <policy group="groupname">
> < allow send_destination="org.libvirt"/>
> </policy>
> <policy group="other_groupname">
> < allow send_destination="org.libvirt"/>
> </policy>
This is expected. qemu:///system uses an unix socket to talk to libvirtd
and not dbus. I don't know what credentials does cockpit set there.
But I'm not sure it's safe to go behind cockpit's back and talk to
libvirt directly. If you'd change a configuration of a VM it may not be
reflected in cockpit.
Michal
More information about the libvirt-users
mailing list