Benedikt Heine
2016-Jan-04  14:44 UTC
[libvirt-users] libvirtd and polkit: internal error: No Unix Process ID
Hi all,

I want to use libvirtd and polkit to create simple access restrictions for incoming TLS connections.

libvirtd.conf:
> ...
> auth_tls = "sasl"
> access_drivers = [ "polkit" ]
> ...
> tls_no_verify_certificate = 1

SASL and TLS in combination are already working without any faults. After activating access_drivers, the setup breaks, because access is denied.

without polkit:
> [root@inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
> Please enter your authentication name: inexor@vm0
> Please enter your password:
> Welcome to virsh, the virtualization interactive terminal.
> ...

with polkit:
> [root@inexor-test ~]# virsh --connect qemu+tls://vm0.host.b3be.de/system
> Please enter your authentication name: inexor@vm0
> Please enter your password:
> error: failed to connect to the hypervisor
> error: access denied

I deactivated any self-written polkit rules and was able to track the problem down to the communication between libvirtd and polkit (via pkttyagent). For every incoming connection, libvirtd logs this:
> Jan 04 15:12:41 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.
> Jan 04 15:12:41 vm0 libvirtd[17075]: Certificate check failed Unable to verify TLS peer: No certificate was found.
> Jan 04 15:12:45 vm0 libvirtd[17075]: internal error: No UNIX process ID available
> Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
> Jan 04 15:12:45 vm0 libvirtd[17075]: access denied
> Jan 04 15:12:45 vm0 libvirtd[17075]: Cannot recv data: Input/output error
> Jan 04 15:12:47 vm0 libvirtd[17075]: Unable to verify TLS peer: No certificate was found.

Additionally, what I found: after every libvirtd restart, the unit polkit.service logs a Registered and directly afterwards an Unregistered Authentication Agent.
> Jan 04 15:28:29 vm0 polkitd[2670]: Registered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
> Jan 04 15:28:30 vm0 polkitd[2670]: Unregistered Authentication Agent for unix-process:17225:3691193 (system bus name :1.97, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
(Correct! In the first second it registers, and shortly after it unregisters again.)

Could someone please give me a hint how to make libvirtd and polkit talk to each other?

Sincerely,
Bene

polkit-version: 0.113
libvirt-version: 1.3.0
Running on Archlinux (init: systemd)
Daniel P. Berrange
2016-Jan-08  10:52 UTC
Re: [libvirt-users] libvirtd and polkit: internal error: No Unix Process ID
On Mon, Jan 04, 2016 at 03:44:10PM +0100, Benedikt Heine wrote:
> Hi all,
>
> I want to use libvirtd and polkit to create simple access restrictions for
> incoming TLS connections.

This is sadly not possible. polkit will only authenticate against unix users. I filed an RFE long ago requesting that polkit be generalized so that we could use it against virtual (i.e. non-UNIX system) identities, but it was rejected. So effectively the libvirt polkit access control driver is only useful if you're connecting to libvirt over UNIX sockets :-(

I really ought to get around to writing a custom libvirt access control driver that works in all cases.....

Regards,
Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
Benedikt Heine
2016-Jan-09  22:58 UTC
Re: [libvirt-users] libvirtd and polkit: internal error: No Unix Process ID
Hi Daniel,

On Fri, 2016-01-08 at 10:52 +0000, Daniel P. Berrange wrote:
> This is sadly not possible. polkit will only authenticate against unix
> users.
> So effectively the libvirt polkit access control driver is only useful
> if you're connecting to libvirt over UNIX sockets :-(

This is really bad news for me.

> I really ought to get around to writing a custom libvirt access control
> driver that works in all cases.....

If you could do that, that'd be great. At least it would be great to add documentation clarifying that the current polkit driver has no support for external/SASL users and is therefore not usable in combination with TLS. An error message telling me that the access driver is not capable of using this connection type would be great, too. Currently libvirt just throws out the error 'access denied'.

Anyway, thanks for the answer.

Regards,
Benedikt
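Editor's note, added to this thread and not part of any post, libvirt or polkit: the working case Daniel describes (polkit access driver over a UNIX socket) is easy to get wrong in a rules file, and the failing case in the log is worth seeing side by side. polkit 0.106 and later (the poster runs 0.113) express rules in JavaScript, so the example below is written in that language. The rule function is the shape you would put in a file under /etc/polkit-1/rules.d/ (the file name, the group name "vmops" and the chosen list of permitted actions are assumptions for illustration); the small `polkit` object and `checkAccess` are a stand-in for polkitd's engine and for libvirtd's access check, written here only so the rule can be exercised offline against two constructed callers: a local UNIX-socket user, and a SASL user with no UNIX process ID, which fails before any rule is consulted, exactly as the "No UNIX process ID available" line in the log shows. One further caveat for anyone copying the configuration from the first post: with `tls_no_verify_certificate = 1`, the "No certificate was found" lines are expected and the connection proceeds anyway, so SASL is the only thing authenticating the peer.

```javascript
"use strict";
// Added example (not from the thread, libvirt or polkit): a polkit rule for
// the libvirt access driver plus a stand-in engine so it can run offline.

// Stand-in for the `polkit` object polkitd exposes to rules files. addRule and
// Result mirror polkit's rules API; evaluate() is added here for testing only.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const verdict = rule(action, subject);
      if (verdict !== null && verdict !== undefined) return verdict;
    }
    return this.Result.NOT_HANDLED; // polkitd would fall back to the .policy default
  },
};

// ---- the rule, as it would appear in e.g. /etc/polkit-1/rules.d/50-libvirt.rules ----
// Action ids and the connect_driver detail follow libvirt's documented ACL
// naming (org.libvirt.api.<object>.<permission>); the "vmops" group is assumed.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.") !== 0) return polkit.Result.NOT_HANDLED;
  if (action.lookup("connect_driver") !== "QEMU") return polkit.Result.NOT_HANDLED;
  if (!subject.isInGroup("vmops")) return polkit.Result.NOT_HANDLED;
  // Members of vmops may inspect, start and stop domains; everything else
  // (write, delete, ...) is explicitly denied rather than left to defaults.
  var allowed = [
    "org.libvirt.api.connect.getattr",
    "org.libvirt.api.connect.search-domains",
    "org.libvirt.api.domain.getattr",
    "org.libvirt.api.domain.read",
    "org.libvirt.api.domain.start",
    "org.libvirt.api.domain.stop",
  ];
  return allowed.indexOf(action.id) !== -1 ? polkit.Result.YES : polkit.Result.NO;
});

// Model of the access check, following the log in the thread: the polkit
// driver needs the caller's UNIX process ID to build a polkit subject. A caller
// authenticated only by SASL over TLS carries no such ID, so the check fails
// with "No UNIX process ID available" before any rule is consulted.
function checkAccess(identity, actionId, details) {
  if (identity.unixProcessId === undefined) {
    return { allowed: false, reason: "No UNIX process ID available" };
  }
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = {
    pid: identity.unixProcessId,
    user: identity.unixUser,
    isInGroup: (g) => identity.groups.indexOf(g) !== -1,
  };
  const verdict = polkit.evaluate(action, subject);
  if (verdict === polkit.Result.NOT_HANDLED) {
    // Assumption for this model: libvirt's shipped .policy defaults for the
    // API actions require admin authentication, so "not handled" is a denial
    // for a non-interactive caller.
    return { allowed: false, reason: "not handled by any rule" };
  }
  return { allowed: verdict === polkit.Result.YES, reason: verdict };
}

// Constructed callers: one over the UNIX socket, one over TLS+SASL as in the thread.
const unixCaller = { unixProcessId: 4242, unixUser: "alice", groups: ["vmops"] };
const saslCaller = { saslUser: "inexor@vm0", groups: [] };
const qemu = { connect_driver: "QEMU", domain_name: "test" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAccess(unixCaller, "org.libvirt.api.domain.start", qemu));
  console.log(checkAccess(unixCaller, "org.libvirt.api.domain.write", qemu));
  console.log(checkAccess(saslCaller, "org.libvirt.api.domain.start", qemu));
}
```

Running it prints an allow for `domain.start`, an explicit `no` for `domain.write`, and the "No UNIX process ID available" denial for the SASL caller. The design point is the order of the three guards in the rule: returning NOT_HANDLED for non-libvirt actions, for other hypervisor drivers and for users outside the group keeps the rule from silently widening access elsewhere, while the final explicit NO keeps a vmops member from inheriting whatever the default policy grants for the remaining libvirt actions.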