Dan Ryder (daryder)
2014-Nov-04 18:47 UTC
[Libguestfs] libguestfs-tools with libvirt SASL authentication
Hello, I'm running into an issue using the 'virt-df' command when SASL is enabled in libvirt. I'm running version 1.26.5 of libguestfs on an Ubuntu 14.04 OS. I'm running 'virt-df' for all guests at one time, not specifying a domain or image to use. I was expecting a SASL authentication prompt but to no avail. Below is a sample run: root@all-in-one:~# virt-df -P 15 libvirt: XML-RPC error : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) virt-df: could not connect to libvirt (code 45, domain 7): authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) However, if I do specify a domain to run on, I am prompted for SASL authentication: root@all-in-one:~# virt-df -d instance-0000004d libvirt needs authentication to connect to libvirt URI NULL (see also: http://libvirt.org/auth.html http://libvirt.org/uri.html) Please enter your authentication name: nova@all-in-one Please enter your password: Filesystem 1K-blocks Used Available Use% instance-0000004d:/dev/sdb 458 458 0 100% instance-0000004d:/dev/sda1 22773 12223 9322 54% Is there any way to successfully run 'virt-df' for all instances at once while SASL is enabled in libvirt? Thanks, Dan Ryder
Richard W.M. Jones
2014-Nov-05 13:45 UTC
Re: [Libguestfs] libguestfs-tools with libvirt SASL authentication
On Tue, Nov 04, 2014 at 06:47:04PM +0000, Dan Ryder (daryder) wrote:> Hello, > > I'm running into an issue using the 'virt-df' command when SASL is enabled in libvirt. I'm running version 1.26.5 of libguestfs on an Ubuntu 14.04 OS. > > I'm running 'virt-df' for all guests at one time, not specifying a domain or image to use. I was expecting a SASL authentication prompt but to no avail. Below is a sample run: > > root@all-in-one:~# virt-df -P 15 > libvirt: XML-RPC error : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) > virt-df: could not connect to libvirt (code 45, domain 7): authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) > > However, if I do specify a domain to run on, I am prompted for SASL authentication: > > root@all-in-one:~# virt-df -d instance-0000004d > libvirt needs authentication to connect to libvirt URI NULL > (see also: http://libvirt.org/auth.html http://libvirt.org/uri.html) > Please enter your authentication name: nova@all-in-one > Please enter your password: > Filesystem 1K-blocks Used Available Use% > instance-0000004d:/dev/sdb 458 458 0 100% > instance-0000004d:/dev/sda1 22773 12223 9322 54% > > Is there any way to successfully run 'virt-df' for all instances at once while SASL is enabled in libvirt?I think this may be a bug. virt-df has potentially 3(!) places where it can make a libvirt connection, although only 2 of them are being used on Ubuntu. (1) If you don't supply a list of domain names on the command line, then virt-df will call libvirt to get them. That happens in df/domains.c:get_all_libvirt_domains: https://github.com/libguestfs/libguestfs/blob/master/df/domains.c#L72 If you supply a domain name, then this is not used. (2) Secondly, virt-df calls into libguestfs (the C library) call guestfs_add_domain() with a domain name parameter as a literal string, either one fetched from (1) or one you passed on the command line. Libguestfs then looks that up with libvirt to check it exists and to get the list of disks. That happens in src/libvirt-auth.c:guestfs___open_libvirt_connection: https://github.com/libguestfs/libguestfs/blob/master/src/libvirt-auth.c#L192 (3) Finally if you are using the libvirt backend (which you are not on Ubuntu) then there would be a third connection to run the appliance, although it uses the same code as (2). I believe the problem here is that (1) does not pass an auth handler. ie. it calls virConnectOpenReadonly, not virConnectOpenAuth. It's my understanding that virConnectOpenReadonly bypasses the policy kit and SASL stuff, but Dan Berrange (CC'd) will be able to tell me if I'm correct about that. If that was the case then you would see an error when virt-df tries to get a list of domains. Anyway, if it turns out to be a bug, please file it using the method outlined on the front page of the website (or submit a patch!) Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top
Dan Ryder (daryder)
2014-Nov-07 14:37 UTC
Re: [Libguestfs] libguestfs-tools with libvirt SASL authentication
Thanks for the info, Richard. Hi Dan, Any additional information on this? Thanks, Dan Ryder -----Original Message----- From: Richard W.M. Jones [mailto:rjones@redhat.com] Sent: Wednesday, November 05, 2014 8:46 AM To: Dan Ryder (daryder); berrange@redhat.com Cc: libguestfs@redhat.com Subject: Re: [Libguestfs] libguestfs-tools with libvirt SASL authentication On Tue, Nov 04, 2014 at 06:47:04PM +0000, Dan Ryder (daryder) wrote:> Hello, > > I'm running into an issue using the 'virt-df' command when SASL is enabled in libvirt. I'm running version 1.26.5 of libguestfs on an Ubuntu 14.04 OS. > > I'm running 'virt-df' for all guests at one time, not specifying a domain or image to use. I was expecting a SASL authentication prompt but to no avail. Below is a sample run: > > root@all-in-one:~# virt-df -P 15 > libvirt: XML-RPC error : authentication failed: Failed to start SASL > negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs > found) > virt-df: could not connect to libvirt (code 45, domain 7): > authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): > no mechanism available: No worthy mechs found) > > However, if I do specify a domain to run on, I am prompted for SASL authentication: > > root@all-in-one:~# virt-df -d instance-0000004d libvirt needs > authentication to connect to libvirt URI NULL (see also: > http://libvirt.org/auth.html http://libvirt.org/uri.html) Please enter > your authentication name: nova@all-in-one Please enter your password: > Filesystem 1K-blocks Used Available Use% > instance-0000004d:/dev/sdb 458 458 0 100% > instance-0000004d:/dev/sda1 22773 12223 9322 54% > > Is there any way to successfully run 'virt-df' for all instances at once while SASL is enabled in libvirt?I think this may be a bug. virt-df has potentially 3(!) places where it can make a libvirt connection, although only 2 of them are being used on Ubuntu. (1) If you don't supply a list of domain names on the command line, then virt-df will call libvirt to get them. That happens in df/domains.c:get_all_libvirt_domains: https://github.com/libguestfs/libguestfs/blob/master/df/domains.c#L72 If you supply a domain name, then this is not used. (2) Secondly, virt-df calls into libguestfs (the C library) call guestfs_add_domain() with a domain name parameter as a literal string, either one fetched from (1) or one you passed on the command line. Libguestfs then looks that up with libvirt to check it exists and to get the list of disks. That happens in src/libvirt-auth.c:guestfs___open_libvirt_connection: https://github.com/libguestfs/libguestfs/blob/master/src/libvirt-auth.c#L192 (3) Finally if you are using the libvirt backend (which you are not on Ubuntu) then there would be a third connection to run the appliance, although it uses the same code as (2). I believe the problem here is that (1) does not pass an auth handler. ie. it calls virConnectOpenReadonly, not virConnectOpenAuth. It's my understanding that virConnectOpenReadonly bypasses the policy kit and SASL stuff, but Dan Berrange (CC'd) will be able to tell me if I'm correct about that. If that was the case then you would see an error when virt-df tries to get a list of domains. Anyway, if it turns out to be a bug, please file it using the method outlined on the front page of the website (or submit a patch!) Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top