On 09/23/2010 08:08 PM, Zdenek Styblik wrote:
<snip>
I've managed to create ACL by groups and it's working. However, to my
surprise, there is Slackware package for PolicyKit. Yet, I have never
used it nor tested it (I could though?).
Interesting. :)
Ubuntu also has PolicyKit compiled into the client libraries, even
though by default the libvirt daemon (server side) doesn't use it for
access control.
Suspecting it may be in order to allow connection to servers using
PolicyKit for access control. When compiling the libvirt virsh client
on MacOS X, there is no PolicyKit available. Which somehow translates
into qemu+ssh:// connections to PolicyKit enabled servers not working.
(even though qemu+tcp:// and qemu+tls:// do). Same thing happened
when I manually compiled virsh _without_ PolicyKit on Fedora 13.
Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://.
At some point, we should look at that. It just doesn't seem like
how it's supposed to be. ;>
> Asking because if it's using one of those two, then it's extremely
> easy to add a new "Slackware" head and point people to the right bit.
>
Probably both or it depends on whether PolicyKit is installed or not.
(T.B.D.?) Group ACL works for sure.
Cool. We should document that as "group access configuration is known
to work" (or something along those lines), for Slackware.
Heh, don't suppose you have a wiki user account, and feel like doing the
edit?
(yes, I'm trying to encourage people to make updates directly. :>)
First things first. I've messed up version number - 0.8.3 (0.8.4 is
virt-manager, now at 0.8.5). So now, it's tested with libvirt-0.8.4 for
sure.
This works. Non-root user - VM management, creating images, VNC.
Now, here comes part which is hard to describe.
qemu-kvm - running as libvirt - great!
libvirtd - running as root - bad?
I wanted to achieve something like that (= root-less qemu and libvirtd)
with 0.8.3, but it didn't work because libvirt/virt-manager claimed ACL
problem. I think it's time for re-test and eventual push into
"production" of mine :)
Ahhh, yeah. I think I understand. It looks like you're trying to have
a running virtualisation system, without it using root for anything.
Sounds like a good idea, but not sure if it can be made to work
that way yet. :>
If you do get it working, definitely let me know.... we should write
it up if so. :)
Regards and best wishes,
Justin Clift