Xen libvirt access for non-root user
I've installed Xen and libvirt on a CentOS 6.6 machine. All the tools (virt-manager, virsh etc) work perfectly as root (directly or via sudo) but I cannot allow another user to connect (failed to connect/DBus error).
My Configuration
I followed the procedure for allowing user access by creating a group and allowing this through polkit so I've:
    groupadd virtadmin
    usermod -a -G virtadmin davec
I also added myself to the KVM group (a suggestion found somewhere). The group is created and I'm in it as id outputs:
    uid=500(davec) gid=500(davec) groups=500(davec),36(kvm),501(virtadmin)
To allow this in polkit I added the file /etc/polkit-1/localauthority/50-local.d/50-libvert-remote-access.pkla content:
    [Remote libvirt SSH access]
    Identity:unix-group:virtadmin
    Action:org.libvirt.unix.manage
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes
After this didn't work some googling told me that newer polkit versions (yum tells me I have 0.96) use a rules-based approach so I've also created a folder /etc/polkit-1/rules.d and added the file 80-libvirt-manage.rules containing:
    polkit.addRule(function(action, subject) {
        if (action.id == "org.libvirt.unix.manage" &&
            subject.local &&
            subject.active &&
            subject.isInGroup("virtadmin")) {
            return polkit.Result.YES;
        }
    });
Now it may be that there is some problem with these but I can't find a log or any way it seems to test/verify/watch them.
So, according to the docs I've found, with that setup user davec should be able to access libvirt and run virsh or virt-manager.
The Error
    [davec@polar rules.d]$ virsh -c xen:///
    error: failed to connect to the hypervisor
    error: internal error: DBus support not compiled into this binary
This is exactly the same error virt-manager gives when I try and connect.
Most of the online info about the DBus error refers to a problem with the hypervisor running/anyone connecting however root connects perfectly.
    [davec@polar rules.d]$ sudo virsh -c xen:///
    Welcome to virsh, the virtualization interactive terminal.
Exactly the same applies for SSH connections (which isn't surprising as SSH just tunnels, I believe, when you use a xen+ssh URI): root works, but the non-root, group-added user doesn't.
No doubt it's something simple and I'm being an idiot but... after a few days of Google not being my friend; any help truly appreciated.
The Answer
See below for c4f4t0r's correct (and accepted) answer which wins the bounty but just for info of anyone reading this it turns out to be nothing to do with polkit which doesn't appear to be configured/compiled/working with my libvirtd.
Was an in-built permissions (socket permissions) issue.
Tags: xen, d-bus, libvirtd, polkit
asked Apr 27 '15 at 0:14 by Dave C (edited May 1 '15 at 14:04)
2 Answers
I think you can do it this way:
In /etc/libvirt/libvirtd.conf:
    unix_sock_group = "libvirt"
    unix_sock_rw_perms = "0770"
    auth_unix_rw = "none"
After that, restart the libvirtd daemon.
answered May 1 '15 at 9:12 by c4f4t0r (edited by GAD3R)
You know I thought I'd tried this! And I had apart from the auth_unix_rw line. Turns out that libvirt isn't using polkit at all to control access!! Collect your well-deserved bounty.
– Dave C
May 1 '15 at 14:00
This worked for me:
    unix_sock_group = "libvirt"
    unix_sock_rw_perms = "0770"
    unix_sock_dir = "/var/run/libvirt"
    auth_unix_rw = "none"
answered Jan 10 '18 at 9:25 by suresh (edited Jan 10 '18 at 10:20 by dr01)
Welcome to Unix & Linux! While this snippet may solve the question, including an explanation really helps to improve the quality of your post. Remember that you are answering the question for readers in the future, not just the person asking now! Please edit your answer to add explanation, and give an indication of what limitations and assumptions apply.
– Toby Speight
Jan 10 '18 at 11:09
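With auth_unix_rw set to "none", as in both answers, libvirtd does no authentication of its own on the read-write socket, so the socket's file mode and group are the only gate on hypervisor control. The script below is an added example, not part of either answer: it classifies that exposure from a libvirtd.conf and checks that a user is in the group the config names. The function names, the temporary files and the libvirt gid are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): classify who can reach
# libvirtd's read-write UNIX socket from the settings in libvirtd.conf.

# conf_get FILE KEY: print the last uncommented value of KEY, quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# audit_rw_socket FILE: print one verdict word for the read-write socket.
audit_rw_socket() {
    auth=$(conf_get "$1" auth_unix_rw)
    perms=$(conf_get "$1" unix_sock_rw_perms)
    group=$(conf_get "$1" unix_sock_group)

    # Anything other than "none" means libvirtd authenticates the client
    # itself (for example polkit or sasl) after the socket has been opened.
    if [ -z "$auth" ]; then echo "UNSET-AUTH"; return; fi
    if [ "$auth" != "none" ]; then echo "DAEMON-AUTH:$auth"; return; fi

    # With auth "none" the socket mode is the only gate. On Linux, connecting
    # to a UNIX socket needs write permission on it (octal digit 2, 3, 6 or 7).
    case "$perms" in
        "")        echo "UNSET-PERMS" ;;
        *[2367])   echo "OPEN-TO-ALL-LOCAL-USERS" ;;     # "other" may write
        *[2367]?)  echo "GROUP-ONLY:${group:-unset}" ;;  # group may write
        *)         echo "OWNER-ONLY" ;;
    esac
}

# user_in_group GROUPFILE GROUP USER: succeed if USER is a listed member of
# GROUP in a file in /etc/group format (primary groups are not listed there).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample input: the accepted answer's settings, and a group file
# holding the asker's virtadmin group plus an empty libvirt group.
demo=$(mktemp -d)
cat > "$demo/libvirtd.conf" <<'EOF'
#unix_sock_rw_perms = "0777"
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
EOF
printf '%s\n' 'virtadmin:x:501:davec' 'libvirt:x:502:' > "$demo/group"

verdict=$(audit_rw_socket "$demo/libvirtd.conf")
echo "rw socket: $verdict"
sock_group=${verdict#GROUP-ONLY:}
if user_in_group "$demo/group" "$sock_group" davec; then
    echo "davec is in $sock_group"
else
    echo "davec is NOT in $sock_group: add the user or change unix_sock_group"
fi
```

On a real host, point audit_rw_socket at /etc/libvirt/libvirtd.conf and feed user_in_group the output of `getent group` saved to a file; membership in the socket group is then equivalent to full control of the hypervisor.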