[libvirt-users] libvirtd and polkit: internal error: No Unix Process ID

Hi all,

I want to use libvirtd and polkit to create simple access restrictions for incoming TLS connections. libvirtd.conf:

...
auth_tls = "sasl"
access_drivers = [ "polkit" ]
...
tls_no_verify_certificate = 1

SASL and TLS in combination are already working without any faults. After activating access_drivers, the setup breaks, because access is denied.

Without polkit:
[root@inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
Please enter your authentication name: inexor@vm0
Please enter your password:
Welcome to virsh, the virtualization interactive terminal.
...

With polkit:

[root@inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
Please enter your authentication name: inexor@vm0
Please enter your password:
error: failed to connect to the hypervisor
error: access denied

I deactivated any self-written polkit rules and was able to track the problem down to the communication between libvirtd and polkit (via pkttyagent). For every incoming connection, libvirtd logs this:
Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.
Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process ID available
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.

Additionally, what I found: after every libvirtd restart, the unit polkit.service logs a Registered and directly afterwards an Unregistered Authentication Agent:

Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)

(Correct! In the first second it registers, and shortly after it unregisters again.)

Could someone please provide me a hint how to make libvirtd and polkit talk to each other?

Sincerely,
Bene

polkit-version: 0.113
libvirt-version: 1.3.0
Running on Archlinux (init: systemd)

On Mon, Jan 04, 2016 at 03:44:10PM +0100, Benedikt Heine wrote:
Hi all,
I want to use libvirtd and polkit to create simple access restricitions for incoming TLS connections.
This is sadly not possible. polkit will only authenticate against unix users. I filed an RFE long ago requesting that polkit be generalized so that we could use it against virtual (i.e. non-UNIX system) identities, but it was rejected. So effectively the libvirt polkit access control driver is only useful if you're connecting to libvirt over UNIX sockets :-(

I really ought to get around to writing a custom libvirt access control driver that works in all cases.....

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
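The practical consequence of Daniel's answer is a configuration trap: a libvirtd.conf that combines access_drivers = [ "polkit" ] with a TLS or TCP listener will authenticate remote clients via SASL and then deny every one of them with the "No UNIX process ID available" error seen above, because the polkit ACL driver can only resolve a UNIX peer PID. The checker below is an added example, not code from libvirt or from anyone in this thread. It parses the subset of libvirtd.conf syntax used here (key = value, quoted strings, integers, [ "list" ] values, # comments) and flags that combination; it also flags tls_no_verify_certificate = 1, since that setting disables client-certificate verification on the TLS listener and leaves auth_tls as the only authentication step. The sample configurations are constructed from the settings quoted in Bene's mail, and the listen_tls / listen_tcp / auth_tls defaults used when a key is absent are those documented in the stock libvirtd.conf (assumed to apply to the 1.3.0 setup in question).

```python
"""Lint a libvirtd.conf for the polkit-over-TLS trap discussed in this thread.

Added example (not libvirt code). Two findings are reported:
  * access_drivers contains "polkit" while listen_tls or listen_tcp is on:
    polkit ACL checks need a UNIX peer PID, so remote clients get "access denied".
  * tls_no_verify_certificate = 1: client certificates are not verified, so
    auth_tls is the only thing authenticating peers on the TLS listener.
"""
import re
from typing import Dict, List, Union

Value = Union[int, str, List[str]]

_QUOTED = re.compile(r'"([^"]*)"')


def _strip_comment(line: str) -> str:
    """Drop a '#' comment, but only when the '#' is outside a quoted string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line


def parse_libvirtd_conf(text: str) -> Dict[str, Value]:
    """Parse the key = value subset of libvirtd.conf used in the thread."""
    conf: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line; libvirtd itself would reject it
        key, value = key.strip(), value.strip()
        if value.startswith("["):
            conf[key] = _QUOTED.findall(value)       # [ "a", "b" ] -> ["a", "b"]
        elif value.startswith('"'):
            conf[key] = value.strip('"')             # "sasl" -> sasl
        else:
            try:
                conf[key] = int(value)               # 0 / 1 flags
            except ValueError:
                conf[key] = value                    # leave anything odd as-is
    return conf


def check_remote_acl(conf: Dict[str, Value]) -> List[str]:
    """Return human-readable findings; an empty list means no trap detected."""
    findings: List[str] = []
    drivers = conf.get("access_drivers", [])
    if isinstance(drivers, str):
        drivers = [drivers]

    # Defaults from the stock libvirtd.conf: listen_tls on, listen_tcp off
    # (both only matter when libvirtd is started with --listen).
    remote = [k for k, default in (("listen_tls", 1), ("listen_tcp", 0))
              if conf.get(k, default)]

    if "polkit" in drivers and remote:
        findings.append(
            "access_drivers includes 'polkit' while %s is enabled: the polkit ACL "
            "driver needs a UNIX peer PID, so clients on that listener are denied "
            "('internal error: No UNIX process ID available')" % ", ".join(remote))

    if conf.get("tls_no_verify_certificate", 0):
        findings.append(
            "tls_no_verify_certificate = 1: client certificates are not verified; "
            "auth_tls = %r is the only authentication on the TLS listener"
            % conf.get("auth_tls", "none"))
    return findings


# Constructed sample mirroring the settings quoted in Bene's mail (not his full file).
SAMPLE_CONF = '''
listen_tls = 1
auth_tls = "sasl"             # SASL on top of TLS, as in the thread
tls_no_verify_certificate = 1
access_drivers = [ "polkit" ]
'''

# Same listener without the polkit ACL driver and with certificate checks left on.
PLAIN_TLS_CONF = '''
listen_tls = 1
auth_tls = "sasl"
access_drivers = [ ]
'''

if __name__ == "__main__":
    for finding in check_remote_acl(parse_libvirtd_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```

Run it against the real file with `check_remote_acl(parse_libvirtd_conf(open("/etc/libvirt/libvirtd.conf").read()))`; on Bene's settings it produces two warnings, on the plain-TLS variant none. The second variant is not a fix for Bene's goal, since it simply drops fine-grained access control, but it is the configuration that the thread's conclusion leaves available for remote TLS clients.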

Hi Daniel,

On Fri, 2016-01-08 at 10:52 +0000, Daniel P. Berrange wrote:
This is sadly not possible. polkit will only authenticate against unix users.
So effectively the libvirt polkit access control driver is only useful if you're connecting to libvirt over UNIX sockets :-(
This is really bad news for me.
I really ought to get around to writing a custom libvirt access control driver that works in all cases.....
If you could do that, that'd be great. At least it would be great to add documentation clarifying that the current polkit driver has no support for external/SASL users and is therefore not usable in combination with TLS. An error message telling me that the access driver is not capable of handling this connection type would be great, too. Currently libvirt just throws out the error 'access denied'.

Anyway, thanks for the answer.

Regards,
Benedikt
participants (2)
- Benedikt Heine
- Daniel P. Berrange