
On 09/23/2010 08:08 PM, Zdenek Styblik wrote: <snip>
I've managed to create ACL by groups and it's working. However, to my surprise, there is a Slackware package for PolicyKit. Yet, I have never used it nor tested it (I could though?).
Interesting. :) Ubuntu also has PolicyKit compiled into the client libraries, even though by default the libvirt daemon (server side) doesn't use it for access control. Suspecting it may be in order to allow connection to servers using PolicyKit for access control. When compiling the libvirt virsh client on MacOS X, there is no PolicyKit available. Which somehow translates into qemu+ssh:// connections to PolicyKit enabled servers not working (even though qemu+tcp:// and qemu+tls:// do). Same thing happened when I manually compiled virsh _without_ PolicyKit on Fedora 13. Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://. At some point, we should look at that. It just doesn't seem like how it's supposed to be. ;>
Asking because if it's using one of those two, then it's extremely easy to add a new "Slackware" head and point people to the right bit.
Probably both or it depends on whether PolicyKit is installed or not. (T.B.D.?) Group ACL works for sure.
Cool. We should document that as "group access configuration is known to work" (or something along those lines), for Slackware. Heh, don't suppose you have a wiki user account, and feel like doing the edit? (yes, I'm trying to encourage people to make updates directly. :>)
First things first. I've messed up the version number - 0.8.3 (0.8.4 is virt-manager, now at 0.8.5). So now, it's tested with libvirt-0.8.4 for sure.
This works. Non-root user - VM management, creating images, VNC.
Now, here comes part which is hard to describe.
qemu-kvm - running as libvirt - great!
libvirtd - running as root - bad?
I wanted to achieve something like that (= root-less qemu and libvirtd) with 0.8.3, but it didn't work because libvirt/virt-manager claimed ACL problem. I think it's time for re-test and eventual push into "production" of mine :)
Ahhh, yeah. I think I understand. It looks like you're trying to have a running virtualisation system, without it using root for anything. Sounds like a good idea, but not sure if it can be made to work that way yet. :> If you do get it working, definitely let me know.... we should write it up if so. :)

Regards and best wishes,
Justin Clift