
On 10/04/2010 09:36 AM, Justin Clift wrote:
On 09/23/2010 08:08 PM, Zdenek Styblik wrote: <snip>
I've managed to create an ACL by groups and it's working. However, to my surprise, there is a Slackware package for PolicyKit. Yet, I have never used it nor tested it (I could though?).
Interesting. :)
Ubuntu also has PolicyKit compiled into the client libraries, even though by default the libvirt daemon (server side) doesn't use it for access control.
Suspecting it may be in order to allow connection to servers using PolicyKit for access control. When compiling the libvirt virsh client on MacOS X, there is no PolicyKit available. Which somehow translates into qemu+ssh:// connections to PolicyKit enabled servers not working (even though qemu+tcp:// and qemu+tls:// do). Same thing happened when I manually compiled virsh _without_ PolicyKit on Fedora 13. Couldn't then connect to a PolicyKit enabled libvirtd with qemu+ssh://.
Well, the client is on Debian (because of the virt-manager package), the server is Slackware. I don't know if this makes a difference/helps. However, I have compiled libvirt without PolicyKit present. That was more like a statement about the existence of such a package ;) As I've said, I can try it with PolicyKit too, however/probably inside another VM :P (and more like "one day"). Hm, and thinking about it, they might be using libvirt without PolicyKit too, as it works; unless it's a MacOS X specific issue.
Asking because if it's using one of those two, then it's extremely easy to add a new "Slackware" head and point people to the right bit.
Probably both or it depends on whether PolicyKit is installed or not. (T.B.D.?) Group ACL works for sure.
Cool. We should document that as "group access configuration is known to work" (or something along those lines), for Slackware.
Heh, don't suppose you have a wiki user account, and feel like doing the edit?
Nope, I don't have a wiki account, but that shouldn't be a problem, should it? :) However, I won't do it until Sunday.
(yes, I'm trying to encourage people to make updates directly. :>)
Good approach, imho. And sooner means better [real life experience] ;) [...]
I wanted to achieve something like that (= root-less qemu and libvirtd) with 0.8.3, but it didn't work because libvirt/virt-manager claimed an ACL problem. I think it's time for a re-test and eventual push into "production" of mine :)
Ahhh, yeah. I think I understand. It looks like you're trying to have a running virtualisation system, without it using root for anything.
Sounds like a good idea, but not sure if it can be made to work that way yet. :>
If you do get it working, definitely let me know.... we should write it up if so. :)
Regards and best wishes,
Justin Clift
Haha, I soon realized it's probably impossible, since libvirtd needs access to many things, e.g. iptables, although ... maybe some internal hacking with duck tape and % sudo; and it could work. I have achieved, in "production", to have qemu-kvm running as libvirt and images owned by libvirt user/group. It's also possible to use a non-root user for VM management (hopefully, as I haven't fully tested this one in "production"). Not exactly perfect, but I'm happy within limits.

Have a nice weekend,
Zdenek

--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net