On 10/04/2010 09:36 AM, Justin Clift wrote:
> On 09/23/2010 08:08 PM, Zdenek Styblik wrote:
> <snip>
>> I've managed to create ACL by groups and it's working. However, to my
>> surprise, there is Slackware package for PolicyKit. Yet, I have never
>> used it nor tested it (I could though?).
>
> Interesting. :)
>
> Ubuntu also has PolicyKit compiled into the client libraries, even
> though by default the libvirt daemon (server side) doesn't use it for
> access control.
>
> Suspecting it may be in order to allow connection to servers using
> PolicyKit for access control. When compiling the libvirt virsh client
> on MacOS X, there is no PolicyKit available. Which somehow translates
> into qemu+ssh:// connections to PolicyKit enabled servers not working.
> (even though qemu+tcp:// and qemu+tls:// do). Same thing happened
> when I manually compiled virsh _without_ PolicyKit on Fedora 13.
> Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://.
>

Well, client is on Debian (because of virt-manager package), server is
Slackware. I don't know if this makes difference/help.

However, I have compiled libvirt without PolicyKit present. That was
more like a statement about existence of such package ;)
As I've said, I can try it with PolicyKit too, however/probably inside
another VM :P (and more like "one day")

Hm, and thinking about it, they might be using libvirt without PolicyKit
too, as it works; unless it's MacOS X specific issue.

>>> Asking because if it's using one of those two, then it's extremely
>>> easy to add a new "Slackware" head and point people to the right bit.
>>>
>>
>> Probably both or it depends on whether PolicyKit is installed or not.
>> (T.B.D.?) Group ACL works for sure.
>
> Cool. We should document that as "group access configuration is known
> to work" (or something along those lines), for Slackware.
>
> Heh, don't suppose you have a wiki user account, and feel like doing the
> edit?
>

Nope, I don't have a wiki account, but that shouldn't be a problem,
should it? :) However, I won't do it until Sunday.

> (yes, I'm trying to encourage people to make updates directly. :>)
>

Good approach, imho. And sooner means better [real life experience] ;)

[...]

>> I wanted to achieve something like that (= root-less qemu and libvirtd)
>> with 0.8.3, but it didn't work because libvirt/virt-manager claimed ACL
>> problem. I think it's time for re-test and eventual push into
>> "production" of mine :)
>
> Ahhh, yeah. I think I understand. It looks like you're trying to have
> a running virtualisation system, without it using root for anything.
>
> Sounds like a good idea, but not sure if it can be made to work
> that way yet. :>
>
> If you do get it working, definitely let me know.... we should write
> it up if so. :)
>
> Regards and best wishes,
>
> Justin Clift

Haha, I've soon realized it's probably impossible, since libvirtd needs
access to many things e.g. iptables, although ... maybe some internal
hacking with duct tape and % sudo; and it could work.

I have achieved, in "production", to have qemu-kvm running as libvirt
and images owned by libvirt user/group. It's also possible to use
non-root user for VM management (hopefully, as I haven't fully tested
this one in "production"). Not exactly perfect, but I'm happy within limits.

Have a nice weekend,
Zdenek

--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@xxxxxxxxxxxxxx
jabber: stybla@xxxxxxxxxxxxxxxxxxxxx