Andrei Perietanu
2016-Jan-21 13:41 UTC
[libvirt-users] executing libvirt commands as a different user
I am using the libvirt API to manage VMs on the system, using a Python wrapper to execute commands.
I need to allow a webserver to access these commands and mostly read information about the VMs. The problem is that when using the web interface you are basically running the commands as a different user. Since libvirtd is run as root by default you get permission errors.

Is there any way of getting around this without using polkit?

Thanks,
Andrei

Daniel P. Berrange
2016-Jan-21 13:48 UTC
Re: [libvirt-users] executing libvirt commands as a different user
On Thu, Jan 21, 2016 at 01:41:28PM +0000, Andrei Perietanu wrote:
> I am using the libvirt API to manage VMs on the system, using a Python
> wrapper to execute commands.
> I need to allow a webserver to access these commands and mostly read
> information about the VMs. The problem is that when using the web interface
> you are basically running the commands as a different user. Since
> libvirtd is run as root by default you get permission errors.
>
> Is there any way of getting around this without using polkit?

Even without polkit, libvirt provides full read-only access to any local user, providing you request read-only mode when connecting.

If you want read-write mode, polkit is recommended, but if you really don't want it, then edit /etc/libvirt/libvirtd.conf and set a suitable group owner for the socket and put your web server user in that group.

Regards,
Daniel

Sven Schwedas
2016-Jan-21 13:59 UTC
Re: [libvirt-users] executing libvirt commands as a different user
On 2016-01-21 14:41, Andrei Perietanu wrote:
> I am using the libvirt API to manage VMs on the system, using a Python
> wrapper to execute commands.
> I need to allow a webserver to access these commands and mostly read
> information about the VMs. The problem is that when using the web
> interface you are basically running the commands as a different user.
> Since libvirtd is run as root by default you get permission errors.
>
> Is there any way of getting around this without using polkit?

• You can use libvirt over TCP, using SASL/TLS/both auth
• You can configure a user group allowed to use the unix socket and add the web server's user to it

cf. libvirtd.conf

Best Regards,
Sven Schwedas
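
Added example (not part of any message in this thread, and not libvirt project code): a small Python check that reads libvirtd.conf text and reports who can reach the read-only and read-write sockets, and under which auth scheme, for the group-based setup Daniel and Sven describe. The sample configuration and the fallback defaults are constructed assumptions; membership of the read-write group amounts to full control of the hypervisor, so the result is worth reviewing before a web server account is added to it.

```python
import re

# Constructed sample libvirtd.conf for the group-based setup (not from the thread).
SAMPLE_CONF = '''
# Group that owns the UNIX sockets; the web server user would be added to it.
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
#auth_unix_ro = "polkit"
auth_unix_rw = "none"
'''

# Fallbacks used when a key is unset. These are assumptions of this example;
# the effective defaults depend on how libvirt was built and packaged.
ASSUMED_DEFAULTS = {
    "unix_sock_group": "root",
    "unix_sock_ro_perms": "0777",
    "unix_sock_rw_perms": "0700",
    "auth_unix_ro": "none",
    "auth_unix_rw": "none",
}

def parse_conf(text):
    """Return the uncommented `key = value` settings, layered over the fallbacks."""
    settings = dict(ASSUMED_DEFAULTS)
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def socket_access(settings, kind):
    """Who can connect to the 'ro' or 'rw' socket, and the auth scheme applied."""
    mode = int(settings[f"unix_sock_{kind}_perms"], 8)
    if mode & 0o002:          # connect() on a UNIX socket needs write permission
        who = "any local user"
    elif mode & 0o020:
        who = "group " + settings["unix_sock_group"]
    else:
        who = "socket owner only"
    return who, settings[f"auth_unix_{kind}"]

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for kind in ("ro", "rw"):
        print(kind, socket_access(conf, kind))
```

For the mostly-read use case in the original question, the Python bindings request the read-only mode with `libvirt.openReadOnly("qemu:///system")` (the QEMU/KVM system URI is assumed here), which needs no change to the read-write socket at all.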