On Thu, Jun 11, 2009 at 05:47:29PM -0400, Jim Paris wrote:
> Hi,
>
> I have libvirt 0.6.4 running kvm instances on a headless server.
> I'm using virt-manager 0.7.0 to manage them. In the past, I would SSH
> in and run virt-manager as root. Since running GTK apps as root is no
> good, I've switched to policykit authentication. By default, the
> libvirt policy only allows management if the user is in the active
> host session, which isn't the case with my SSH logins. Therefore
> I've added an override in /etc/PolicyKit/PolicyKit.conf:
>
> <match action="org.libvirt.unix.manage">
> <return result="auth_admin_keep_session"/>
> </match>
>
> Now things generally work fine when SSHed in:
> - as root, virsh gives ro and rw access with no password
> - as jim, virsh gives ro access with no password, but requests a password for rw
> - as jim, virsh asks for a password for rw access
>
> But when accessing remotely, I get no useful error, and a hang:
>
> $ virsh -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
>
> $ virsh --readonly -c qemu+ssh://jim@server/system
> libvir: Remote error : authentication failed
> <process hangs here>
>
> Furthermore, on the server, this leaves "nc" processes running,
> and eventually there are enough that libvirtd stops accepting new
> connections.

The hang is really odd. That suggests something is not closing the socket
connection properly. If you had been using 0.6.1/.2/.3 I would have said it
was one of the libvirtd bugs, but 0.6.4 has all event handling bugs fixed.
Perhaps the libvirtd client is not killing the SSH session / process when
it closes the connection after auth failure.

> I was also getting strange errors including:
> polkit-grant-helper: given auth type (8 -> yes) is bogus
> but now I can't reproduce that for the life of me, I have no idea what
> changed.
>
> Is policykit authentication supposed to work over qemu+ssh?

Yes, but only if you ssh as root such that policykit is a no-op. The problem
you are seeing is because you SSH as non-root. PolicyKit relies on ConsoleKit
to determine who is authorized, and SSH does not register ConsoleKit Sessions.

> I was hoping it would at least not break the --readonly case.

That all said --readonly is intended to work at all times. Our default policy
file includes a rule

  <allow_any>yes</allow_any>

which is telling policykit to allow access even if the client is not
associated with any ConsoleKit session. So this should have allowed it to
work for you with --readonly.

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
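As an added illustration of the policy Daniel describes (written for this page, not a verbatim copy of the file libvirt ships), the two PolicyKit 0.9 actions involved and the three authorization slots PolicyKit consults; the action ids, the allow_any rule and the auth_admin_keep_session result are from the thread, the remaining default values and the description/message strings are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<!-- Illustrative org.libvirt.unix.policy in the PolicyKit 0.9 format.
     Only the action ids and the allow_any=yes rule come from the thread;
     the other defaults are an assumption about libvirt 0.6.x. -->
<policyconfig>
  <!-- Read-only access (virsh --readonly). allow_any is the slot consulted
       when the caller has no ConsoleKit session at all, which is what an
       SSH login looks like, so "yes" here is what lets --readonly work
       without a console session. -->
  <action id="org.libvirt.unix.monitor">
    <description>Monitor local virtualized systems</description>
    <message>System policy prevents monitoring of local virtualized systems</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <!-- Read-write access. Only a caller in the active local console session
       is offered admin authentication; a caller with no ConsoleKit session
       (SSH) falls under allow_any and is refused outright. -->
  <action id="org.libvirt.unix.manage">
    <description>Manage local virtualized systems</description>
    <message>System policy prevents management of local virtualized systems</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
```

Jim's override in /etc/PolicyKit/PolicyKit.conf, `<match action="org.libvirt.unix.manage"><return result="auth_admin_keep_session"/></match>`, replaces the result for that action in every context, so an SSH login now reaches an admin password prompt instead of the default "no" for allow_any. It leaves org.libvirt.unix.monitor untouched, which is why the --readonly case should not depend on it.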