Xen libvirt access for non-root user
I've installed Xen and libvirt on a CentOS 6.6 machine. All the tools (virt-manager, virsh etc) work perfectly as root (directly or via sudo) but I cannot allow another user to connect (failed to connect/DBus error).
My Configuration
I followed the procedure for allowing user access by creating a group and allowing this through polkit so I've:
groupadd virtadmin
usermod -a -G virtadmin davec
I also added myself to the KVM group (a suggestion found somewhere). The group is created and I'm in it as id outputs:
uid=500(davec) gid=500(davec) groups=500(davec),36(kvm),501(virtadmin)
To allow this in polkit I added the file /etc/polkit-1/localauthority/50-local.d/50-libvert-remote-access.pkla with the content:
[Remote libvirt SSH access]
Identity=unix-group:virtadmin
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
After this didn't work some googling told me that newer polkit versions (yum tells me I have 0.96) use a rules-based approach so I've also created a folder /etc/polkit-1/rules.d and added the file 80-libvirt-manage.rules containing:
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.local &&
        subject.active &&
        subject.isInGroup("virtadmin")) {
        return polkit.Result.YES;
    }
});
Now it may be that there is some problem with these but I can't find a log or any way it seems to test/verify/watch them.
So, according to the docs I've found, with that setup user davec should be able to access libvirt and run virsh or virt-manager.
The Error
[davec@polar rules.d]$ virsh -c xen:///
error: failed to connect to the hypervisor
error: internal error: DBus support not compiled into this binary
This is exactly the same error virt-manager gives when I try and connect.
Most of the online info about the DBus error refers to a problem with the hypervisor running/anyone connecting; however, root connects perfectly.
[davec@polar rules.d]$ sudo virsh -c xen:///
Welcome to virsh, the virtualization interactive terminal.
Exactly the same applies for SSH connections (which isn't surprising, as I believe SSH just tunnels when you use a xen+ssh URI): root works, but the non-root, group-added user doesn't.
No doubt it's something simple and I'm being an idiot but... after a few days of Google not being my friend; any help truly appreciated.
The Answer
See below for c4f4t0r's correct (and accepted) answer, which wins the bounty, but just for the info of anyone reading this: it turns out to be nothing to do with polkit, which doesn't appear to be configured/compiled/working with my libvirtd.
It was an in-built permissions (socket permissions) issue.
xen d-bus libvirtd polkit
edited May 1 '15 at 14:04
Dave C
asked Apr 27 '15 at 0:14
Dave C
2 Answers
I think you can do it this way:
In /etc/libvirt/libvirtd.conf:
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
After that, restart the libvirtd daemon.
edited yesterday
GAD3R
answered May 1 '15 at 9:12
c4f4t0r
You know I thought I'd tried this! And I had apart from the auth_unix_rw line. Turns out that libvirt isn't using polkit at all to control access!! Collect your well-deserved bounty.
– Dave C
May 1 '15 at 14:00
This worked for me:
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt"
auth_unix_rw = "none"
edited Jan 10 '18 at 10:20
dr01
answered Jan 10 '18 at 9:25
suresh
Welcome to Unix & Linux! While this snippet may solve the question, including an explanation really helps to improve the quality of your post. Remember that you are answering the question for readers in the future, not just the person asking now! Please edit your answer to add explanation, and give an indication of what limitations and assumptions apply.
– Toby Speight
Jan 10 '18 at 11:09
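Both answers set auth_unix_rw = "none", which leaves the socket's group and file mode as the only access control on libvirtd's read-write socket. The following is an added example, not code from either answer: a shell audit of those three settings that also checks a user's group list against unix_sock_group. The function names conf_get and audit_libvirtd_conf and the sample file are constructed for illustration; the group list is the one from the question's id output.

```shell
#!/bin/sh
# Added example, not from the thread: audit who can reach libvirtd's
# read-write UNIX socket, using the libvirtd.conf keys from the answers.

# conf_get FILE KEY: print the last uncommented value of KEY with quotes
# stripped, or an empty line if KEY is not set.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            sub(/#.*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_libvirtd_conf FILE [GROUPS]: GROUPS is the output of `id -Gn USER`.
# Prints findings; returns 0 (nothing to fix), 1 (fix needed), 2 (unreadable).
audit_libvirtd_conf() {
    conf=$1 user_groups=$2 rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    auth=$(conf_get "$conf" auth_unix_rw)
    perms=$(conf_get "$conf" unix_sock_rw_perms)
    group=$(conf_get "$conf" unix_sock_group)

    case "$auth" in
        none) echo "WARN: auth_unix_rw=none, the socket file mode is the only gate" ;;
        "")   echo "INFO: auth_unix_rw unset, libvirtd's built-in default applies" ;;
        *)    echo "OK: auth_unix_rw=$auth is checked in addition to the file mode" ;;
    esac

    # On Linux, connecting to a UNIX socket needs write permission on it,
    # so a write bit for 'other' (last octal digit 2, 3, 6 or 7) opens it up.
    case "$perms" in
        "")      echo "INFO: unix_sock_rw_perms unset, built-in default applies" ;;
        *[2367]) echo "FAIL: unix_sock_rw_perms=$perms is writable by every local user"
                 rc=1 ;;
        *)       echo "OK: unix_sock_rw_perms=$perms gives 'other' no write access" ;;
    esac

    if [ -n "$group" ] && [ "$auth" = none ]; then
        echo "INFO: group '$group' members manage the hypervisor with no further check"
    fi
    if [ -n "$group" ] && [ -n "$user_groups" ]; then
        case " $user_groups " in
            *" $group "*) echo "OK: user is in socket group '$group'" ;;
            *) echo "FAIL: user is not in socket group '$group'"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample: the accepted answer's settings, checked against the
# group list shown in the question's id output.
sample=$(mktemp)
printf '%s\n' 'unix_sock_group = "libvirt"' 'unix_sock_rw_perms = "0770"' \
    'auth_unix_rw = "none"' > "$sample"
audit_libvirtd_conf "$sample" "davec kvm virtadmin" || echo "audit status: $?"
rm -f "$sample"
```

On a real host, pass /etc/libvirt/libvirtd.conf as the first argument and the output of id -Gn for the user as the second.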