Re: virsh rights voor normal users
On 10/29/20 4:47 PM, Natxo Asenjo wrote:
ah, yes. I try this:
$ virsh -c qemu:///system
But it then I get a prompt:
==== AUTHENTICATING FOR org.libvirt.unix.manage =============
System policy prevents management of local virtualized systems
Authenticating as: sudo_user_not_disclosed
Password:
Password:
polikit-agent-helper-1: pam_authenticate failed: Authentication failure
Our allowed groups in the /etc/dbus-1/system.d/org.libvirt.conf are no
sudo users (this can change, but not as of now). It is a bit strange
that the get the password prompt for a local sudo user we have in place
for as systems have no working sssd connection to the idm realm (break
glass user)
My user can use the system bus in cockpit without a password.
The dbus policy looks like this:
<policy group="groupname">
< allow send_destination="org.libvirt"/>
</policy>
<policy group="other_groupname">
< allow send_destination="org.libvirt"/>
</policy>
This is expected. qemu:///system uses an unix socket to talk to libvirtd
and not dbus. I don't know what credentials does cockpit set there.
But I'm not sure it's safe to go behind cockpit's back and talk to
libvirt directly. If you'd change a configuration of a VM it may not be
reflected in cockpit.
Michal