On Thu, Oct 29, 2020 at 11:34:09PM +0100, Natxo Asenjo wrote:
> On Thu, Oct 29, 2020 at 8:39 PM Michal Privoznik <mprivozn@xxxxxxxxxx>
> wrote:
>
> > On 10/29/20 4:47 PM, Natxo Asenjo wrote:
> > > ah, yes. I try this:
> > >
> > > $ virsh -c qemu:///system
> > >
> > > But then I get a prompt:
> > >
> > > ==== AUTHENTICATING FOR org.libvirt.unix.manage =============
> > > System policy prevents management of local virtualized systems
> > > Authenticating as: sudo_user_not_disclosed
> > > Password:
> > > Password:
> > > polikit-agent-helper-1: pam_authenticate failed: Authentication failure
> > >
> > > Our allowed groups in the /etc/dbus-1/system.d/org.libvirt.conf are no
> > > sudo users (this can change, but not as of now). It is a bit strange
> > > that we get the password prompt for a local sudo user we have in place
> > > for as systems have no working sssd connection to the idm realm (break
> > > glass user)
> > >
> > > My user can use the system bus in cockpit without a password.
> > >
> > > The dbus policy looks like this:
> > >
> > > <policy group="groupname">
> > >   <allow send_destination="org.libvirt"/>
> > > </policy>
> > > <policy group="other_groupname">
> > >   <allow send_destination="org.libvirt"/>
> > > </policy>
> >
> > This is expected. qemu:///system uses a unix socket to talk to libvirtd
> > and not dbus. I don't know what credentials cockpit sets there.
> > But I'm not sure it's safe to go behind cockpit's back and talk to
> > libvirt directly. If you'd change a configuration of a VM it may not be
> > reflected in cockpit.

It is safe to do everything to the system that cockpit does, as cockpit is
stateless and users can jump between the terminal and the cockpit UI.

> to be honest, I found out about the dbus system connection policies in the
> cockpit documentation, they have a link to the libvirt dbus snippet page:
>
> https://cockpit-project.org/guide/latest/feature-virtualmachines
>
> So is it not possible (taking cockpit out of the equation) to allow virsh
> to run as a normal user to connect to the local system connection?

It is possible to allow virsh to connect to the system connection by default,
you just need to create a new file:

    $HOME/.config/libvirt/libvirt.conf

with this single line in it:

    uri_default="qemu:///system"

For more details see [1].

Pavel

[1] <https://libvirt.org/uri.html#URI_default>
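
The prompt quoted in the thread is polkit authorizing the org.libvirt.unix.manage action on libvirtd's unix socket, which the D-Bus policy file does not govern. As an added example (not part of the thread and not libvirt's shipped configuration), a polkit rule of the following shape grants that action to the groups named in the quoted D-Bus policy. The file path in the comment, the reuse of those group names and the `RESULT_YES` stand-in for running outside polkitd are assumptions.

```javascript
// Added example. Assumed location: /etc/polkit-1/rules.d/50-libvirt-manage.rules
// Group names are the placeholders from the quoted D-Bus policy.
var LIBVIRT_MANAGE_GROUPS = ["groupname", "other_groupname"];

// polkitd provides a global `polkit` object; it is absent when the file is
// run under another JavaScript engine to test the rule logic.
var IN_POLKITD = (typeof polkit !== "undefined");
// Real result value inside polkitd, a stand-in string elsewhere (assumption).
var RESULT_YES = IN_POLKITD ? polkit.Result.YES : "yes";

function libvirtManageRule(action, subject) {
    // Decide only for read-write access to the system libvirtd socket.
    if (action.id !== "org.libvirt.unix.manage") {
        return undefined;
    }
    for (var i = 0; i < LIBVIRT_MANAGE_GROUPS.length; i++) {
        if (subject.isInGroup(LIBVIRT_MANAGE_GROUPS[i])) {
            return RESULT_YES;
        }
    }
    // Not in an allowed group: return nothing, so later rules and the
    // action's default policy still apply.
    return undefined;
}

if (IN_POLKITD) {
    polkit.addRule(libvirtManageRule);
}
```

Members of a group granted org.libvirt.unix.manage get full read-write control of the system libvirtd, which is effectively root-equivalent on the host, so the group list should stay as narrow as the D-Bus one.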