libvirt users - Jan 2016 - libvirtd and polkit: internal error: No Unix Process ID

Hi all,

I want to use libvirtd and polkit to create simple access restricitions for
incoming TLS connections.

libvirtd.conf:
> ...
> auth_tls = "sasl"
> access_drivers = [ "polkit" ]
> ...
>
tls_no_verify_certificate = 1

SASL and TLS in combination is already working without any faults. After
activating access_drivers, the setup breaks, cause the access is denied.

without polkit:
> [root at inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
> Please enter your authentication name: inexor at vm0
> Please enter your password:?
> Welcome to virsh, the virtualization interactive terminal.
> ...
with polkit:
> [root at inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
> Please enter your authentication name:?inexor at vm0
> Please enter your password:?
> error: failed to connect to the hypervisor
> error: access denied
I deactivated any self-written polkit-rules and had been able to track down the
problem to communication with libvirtd and polkit (via pkttyagent).

For every incoming connection, libvirtd logs this:
> Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No
certificate
was found.
> Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable to
verify
TLS peer: No certificate was found.
> Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process ID
available
> Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
> Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
> Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
> Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No
certificate
was found.

Additionally, what I found: After every libvirtd-restart the unit polkit.service
loggs an Registered and directly after an Unregsitered Auth Agent.
> Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent for
unix-
process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent --notify-fd 4
--fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
C)
> Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent for
unix-
process:17225:3691193 (system bus name :1.97, object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from
bus)
(Correct! In the first second it registers and shortly it unregisteres again)

Could someone please provide me a hint how to make libvirtd and polkit talk to
each other?

Sincerely,
Bene

polkit-version: 0.113
libvirt-version:?1.3.0
Running on Archlinux (init: systemd)

On Mon, Jan 04, 2016 at 03:44:10PM +0100, Benedikt Heine
wrote:
> Hi all,
> 
> I want to use libvirtd and polkit to create simple access restricitions for
> incoming TLS connections.
This is sadly not possible. polkit will only authenticate against unix
users. I filed an RFE long ago requesting for polkit to be generalized
so that we could use it against virtual (ie non-UNIX system) identities
but it was rejected.

So effectively the libvirt polkit access control driver is only useful
if you're connecting to libvirt over UNIX sockets :-(

I really ought to get around to writing a custom libvirt access control
driver that works in all cases.....

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Hi Daniel,

On Fr, 2016-01-08 at 10:52 +0000, Daniel P. Berrange
wrote:
> This is sadly not possible. polkit will only authenticate against unix
> users.
> So effectively the libvirt polkit access control driver is only useful
> if you're connecting to libvirt over UNIX sockets :-(
This is really bad news for me.
> I really ought to get around to writing a custom libvirt access control
> driver that works in all cases.....
If you could do that, that'd be great.

At least it would be great adding documentation, clarifying, that the current
polkit driver has no support for external/SASL users and is therefore not usable
in combination with TLS.

An error message telling me, that the access driver is not capable of using this
connection type, would be great, too. Currently libvirt just throws out error
'access denied'.

Anyway, thanks for the answer.

Regards,
Benedikt