[libvirt-users] libvirtd and polkit: internal error: No Unix Process ID
Benedikt Heine
2016-01-04 14:44:10 UTC
Hi all,

I want to use libvirtd and polkit to create simple access restrictions for
incoming TLS connections.
...
auth_tls = "sasl"
access_drivers = [ "polkit" ]
...
tls_no_verify_certificate = 1

SASL and TLS in combination is already working without any faults. After
activating access_drivers, the setup breaks, because the access is denied.
Please enter your password: 
Welcome to virsh, the virtualization interactive terminal.
...
Please enter your password: 
error: failed to connect to the hypervisor
error: access denied
I deactivated any self-written polkit-rules and had been able to track down the
problem to communication with libvirtd and polkit (via pkttyagent).
Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.
Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process ID available
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.

Additionally, what I found: after every libvirtd restart the unit polkit.service
logs a Registered and directly afterwards an Unregistered Auth Agent.
Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
(Correct! In the first second it registers and shortly afterwards it unregisters again)

Could someone please provide me a hint how to make libvirtd and polkit talk to
each other?

Sincerely,
Bene

polkit-version: 0.113
libvirt-version: 1.3.0
Running on Archlinux (init: systemd)
Daniel P. Berrange
2016-01-08 10:52:39 UTC
Post by Benedikt Heine
Hi all,
I want to use libvirtd and polkit to create simple access restrictions for
incoming TLS connections.
This is sadly not possible. polkit will only authenticate against unix
users. I filed an RFE long ago requesting that polkit be generalized
so that we could use it against virtual (i.e. non-UNIX system) identities,
but it was rejected.

So effectively the libvirt polkit access control driver is only useful
if you're connecting to libvirt over UNIX sockets :-(

I really ought to get around to writing a custom libvirt access control
driver that works in all cases.....

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
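The thread leaves the operator with nothing better than "access denied" to go on. The following checker is an added example (not code from the thread, from libvirt or from polkit): it parses the journal lines quoted above, re-joining lines that were wrapped in the mail, and reports the signature Daniel describes, a libvirtd "No UNIX process ID available" followed by "access denied", which means the polkit access driver was consulted for a client that has no UNIX identity (here a TLS+SASL client). The sample journal is constructed from the lines quoted in the thread; the regular expressions, field names and the five-second agent flap window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: the journal lines quoted in the thread, some of them kept
# line-wrapped exactly as they appeared in the mail so the parser has to re-join them.
SAMPLE_JOURNAL = """\
Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate
was found.
Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable to verify
TLS peer: No certificate was found.
Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process ID
available
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate
was found.
Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
"""

# journalctl short format: "Mon DD HH:MM:SS host unit[pid]: message" (assumed layout)
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AGENT_RE = re.compile(
    r"^(?P<event>Registered|Unregistered) Authentication Agent for "
    r"(?P<subject>unix-process:\d+:\d+)"
)


def parse_journal(text: str) -> List[Dict[str, object]]:
    """Parse journal lines; a line without a timestamp prefix is treated as a
    wrapped continuation of the previous message and re-joined to it."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = JOURNAL_RE.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                "unit": m.group("unit"),
                "pid": int(m.group("pid")),
                "msg": m.group("msg"),
            })
        elif entries:
            entries[-1]["msg"] = entries[-1]["msg"] + " " + line
    return entries


def diagnose(entries: List[Dict[str, object]],
             flap_window: timedelta = timedelta(seconds=5)) -> Dict[str, object]:
    """Count the messages that make up the polkit-over-non-UNIX-transport
    signature and the pkttyagent register/unregister flap on libvirtd restart."""
    libvirt = [e for e in entries if e["unit"] == "libvirtd"]
    polkit = [e for e in entries if e["unit"] == "polkitd"]

    no_unix_pid = sum("No UNIX process ID" in e["msg"] for e in libvirt)
    denied = sum(e["msg"] == "access denied" for e in libvirt)
    # Expected when tls_no_verify_certificate = 1: the peer sent no certificate.
    unverified_tls = sum("Unable to verify TLS peer" in e["msg"] for e in libvirt)

    # A Registered agent that is Unregistered again for the same subject within
    # the window is the flap the original poster observed after each restart.
    registered: Dict[str, datetime] = {}
    flaps = 0
    for e in polkit:
        m = AGENT_RE.match(e["msg"])
        if not m:
            continue
        subject = m.group("subject")
        if m.group("event") == "Registered":
            registered[subject] = e["ts"]
        elif subject in registered and e["ts"] - registered.pop(subject) <= flap_window:
            flaps += 1

    findings: Dict[str, object] = {
        "no_unix_pid_errors": no_unix_pid,
        "access_denied": denied,
        "unverified_tls_peers": unverified_tls,
        "agent_flaps": flaps,
    }
    if no_unix_pid and denied:
        findings["verdict"] = ("polkit access driver consulted for a client without a "
                               "UNIX identity; the driver only authorizes UNIX-socket "
                               "clients, so no polkit rule can make this TLS client pass")
    else:
        findings["verdict"] = "no polkit/non-UNIX-transport signature found"
    return findings


if __name__ == "__main__":
    for key, value in diagnose(parse_journal(SAMPLE_JOURNAL)).items():
        print(f"{key}: {value}")
```

Run it against `journalctl -u libvirtd -u polkitd` output in the same short format; the TLS-peer counts are informational here, since with `tls_no_verify_certificate = 1` they are expected, and the verdict turns on the "No UNIX process ID" plus "access denied" pair alone.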
Benedikt Heine
2016-01-09 22:58:47 UTC
Hi Daniel,
Post by Daniel P. Berrange
This is sadly not possible. polkit will only authenticate against unix
users.
So effectively the libvirt polkit access control driver is only useful
if you're connecting to libvirt over UNIX sockets :-(
This is really bad news for me.
Post by Daniel P. Berrange
I really ought to get around to writing a custom libvirt access control
driver that works in all cases.....
If you could do that, that'd be great.

At least it would be great to add documentation clarifying that the current
polkit driver has no support for external/SASL users and is therefore not usable
in combination with TLS.

An error message telling me that the access driver is not capable of handling this
connection type would be great, too. Currently libvirt just throws out the error
'access denied'.

Anyway, thanks for the answer.

Regards,
Benedikt
