On Thu, Mar 10, 2016 at 12:37:31PM +0000, Daniel P. Berrange wrote:
On Wed, Mar 09, 2016 at 01:01:40PM -0500, Lars Kellogg-Stedman wrote:
I ran into an odd problem today. I wanted to share it here in the hopes of maybe saving someone else some lost time.
When you run libvirtd as an unprivileged user (e.g., if you target qemu:///session from a non-root account), then libvirt will open a unix domain socket in one of two places:
- If XDG_RUNTIME_DIR is defined, then inside $XDG_RUNTIME_DIR/libvirt/libvirt-sock
- If XDG_RUNTIME_DIR is *not* defined, then inside $HOME/.cache/libvirt/libvirt-sock
With a CentOS 7 system, at least, if you ssh directly into an account, XDG_RUNTIME_DIR is set. But! If you `su -` to the account from root, e.g:
# su - stack
Then XDG_RUNTIME_DIR is *not* set. The problem is a little subtle, because most operations you will perform will work just fine in both cases: you can query for defined but not active guests, storagep pools, volumes, and so forth without a problem and you'll get the same answer.
IMHO this is a bug in the pam config. We really expect to see the same environment setup no matter how you login text console vs su vs ssh vs GDM. If that's not happening, its always going to cause bad behaviour across many apps, not only libvirt.
Talking to Alexander Bokovoy (of FreeIPA, CCed) on IRC on this topic, he says: 'su -' does initialize environment to start a shell as a login shell. It clears out everything but TERM from the old environment and sets a new one. If your shell for $user does not set XDG_RUNTIME_DIR, then that's the issue, not PAM XDG_RUNTIME_DIR is set by pam_systemd after logind created a session for that user, but only in the case if user who authenticated is the same as the original user of the session when you do 'su - $user' as root, you'd get this [error message is manually wrapped for this email]: su[9188]: pam_systemd(su-l:session): pam-systemd initializing su[9188]: pam_systemd(su-l:session): Asking logind to create session: uid=1792600000 pid=9188 service=su-l type=tty class=user desktop= seat= vtnr=0 tty=pts/1 display= remote=no remote_user=root remote_host= su[9188]: pam_systemd(su-l:session): Cannot create session: Already running in a session [NOTE: you need to add 'debug' option to pam_systemd.so, /etc/pam.d/system-auth] `su -` isn't a best tool, specifically under systemd -- it may be more efficient to use systemd tools to create sessions and activate/switch them -- /kashyap