On 10/04/2010 09:36 AM, Justin Clift wrote:
On 09/23/2010 08:08 PM, Zdenek Styblik wrote:
<snip>
> I've managed to create ACL by groups and it's working. However, to my
> surprise, there is Slackware package for PolicyKit. Yet, I have never
> used it nor tested it (I could though?).
Interesting. :)
Ubuntu also has PolicyKit compiled into the client libraries, even
though by default the libvirt daemon (server side) doesn't use it for
access control.
Suspecting it may be in order to allow connection to servers using
PolicyKit for access control. When compiling the libvirt virsh client
on MacOS X, there is no PolicyKit available. Which somehow translates
into qemu+ssh:// connections to PolicyKit enabled servers not working.
(even though qemu+tcp:// and qemu+tls:// do). Same thing happened
when I manually compiled virsh _without_ PolicyKit on Fedora 13.
Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://.
Well, client is on Debian (because of virt-manager package), server is
Slackware. I don't know if this makes difference/help. However, I have
compiled libvirt without PolicyKit present. That was more like a
statement about existence of such package ;) As I've said, I can try it
with PolicyKit too, however/probably inside another VM :P (and more like
"one day")
Hm, and thinking about it, they might be using libvirt without PolicyKit
too, as it works; unless it's MacOS X specific issue.
>> Asking because if it's using one of those two, then it's extremely
>> easy to add a new "Slackware" head and point people to the right bit.
>>
>
> Probably both or it depends on whether PolicyKit is installed or not.
> (T.B.D.?) Group ACL works for sure.
Cool. We should document that as "group access configuration is known
to work" (or something along those lines), for Slackware.
Heh, don't suppose you have a wiki user account, and feel like doing the
edit?
Nope, I don't have a wiki account, but that shouldn't be a problem,
should it? :) However, I won't do it until Sunday.
(yes, I'm trying to encourage people to make updates directly.
:>)
Good approach, imho. And sooner means better [real life experience] ;)
[...]
> I wanted to achieve something like that (= root-less qemu and libvirtd)
> with 0.8.3, but it didn't work because libvirt/virt-manager claimed ACL
> problem. I think it's time for re-test and eventual push into
> "production" of mine :)
Ahhh, yeah. I think I understand. It looks like you're trying to have
a running virtualisation system, without it using root for anything.
Sounds like a good idea, but not sure if it can be made to work
that way yet. :>
If you do get it working, definitely let me know.... we should write
it up if so. :)
Regards and best wishes,
Justin Clift
Haha, I've soon realized it's probably impossible, since libvirtd needs
access to many things e.g. iptables, although ... maybe some internal
hacking with duck tape and % sudo; and it could work.
I have achieved, in "production", to have qemu-kvm running as libvirt
and images owned by libvirt user/group. It's also possible to use
non-root user for VM management (hopefully, as I haven't fully tested
this one in "production"). Not exactly perfect, but I'm happy within
limits.
Have a nice weekend,
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS
TurnovFree.net
email: stybla(a)turnovfree.net
jabber: stybla(a)jabber.turnovfree.net