David Ashley
2016-Jan-19 20:36 UTC
[libvirt-users] UserID Permissions: Virtual Machine Manager vs virsh and Python
I have added a user to the libvirt group on my CentOS 7.2 server and that user can successfully access the Virtual Machine Manager without authenticating as expected. This allows the user to perform all functions in the VMS as if they were root. This is acceptable as this is a private server with no outside access so security is not a real issue.

But when that same user tries to perform functions with virsh or using a Python script that uses the libvirt module, the connection is just read-only.

Why are the permissions different for these environments and what must I do to give the user r/w access in virsh or the Python script?

David Ashley
Martin Kletzander
2016-Jan-20 10:47 UTC
Re: [libvirt-users] UserID Permissions: Virtual Machine Manager vs virsh and Python
On Tue, Jan 19, 2016 at 02:36:02PM -0600, David Ashley wrote:
>I have added a user to the libvirt group on my CentOS 7.2 server and
>that user can successfully access the Virtual Machine Manager without
>authenticating as expected. This allows the user to perform all
>functions in the VMS as if they were root. This is acceptable as this is
>a private server with no outside access so security is not a real issue.
>
>But when that same user tries to perform functions with virsh or using a
>Python script that uses the libvirt module, the connection is just
>read-only.
>
>Why are the permissions different for these environments and what must I
>do to give the user r/w access in virsh or the Python script?
>

I'm guessing (really just guessing), that virt-manager tries connecting to qemu:///system, but you are connecting to your default uri which is qemu:///session for non-root users. You can try connecting to qemu:///system and that should work. If you don't want to modify the code, you can change the default uri in ~/.config/libvirt/libvirt.conf or in environment variable LIBVIRT_DEFAULT_URI (hand-typed, please re-check).

Martin

>David Ashley
David Ashley
2016-Jan-20 14:09 UTC
Re: [libvirt-users] UserID Permissions: Virtual Machine Manager vs virsh and Python
On 01/20/2016 04:47 AM, Martin Kletzander wrote:
> On Tue, Jan 19, 2016 at 02:36:02PM -0600, David Ashley wrote:
>> I have added a user to the libvirt group on my CentOS 7.2 server and
>> that user can successfully access the Virtual Machine Manager without
>> authenticating as expected. This allows the user to perform all
>> functions in the VMS as if they were root. This is acceptable as this is
>> a private server with no outside access so security is not a real issue.
>>
>> But when that same user tries to perform functions with virsh or using a
>> Python script that uses the libvirt module, the connection is just
>> read-only.
>>
>> Why are the permissions different for these environments and what must I
>> do to give the user r/w access in virsh or the Python script?
>>
>
> I'm guessing (really just guessing), that virt-manager tries connecting
> to qemu:///system, but you are connecting to your default uri which is
> qemu:///session for non-root users. You can try connecting to
> qemu:///system and that should work. If you don't want to modify the
> code, you can change the default uri in ~/.config/libvirt/libvirt.conf
> or in environment variable LIBVIRT_DEFAULT_URI (hand-typed, please
> re-check).
>
> Martin
>
>> David Ashley

Thanks, that was the problem. Connecting with qemu:///system works.

David Ashley
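An added example, not part of the thread and not libvirt's own code: a small Python check of which URI a connection opened without an explicit URI would use, so a script can confirm whether it is about to talk to the unprivileged qemu:///session instance or the qemu:///system instance. It assumes the lookup order of LIBVIRT_DEFAULT_URI first, then uri_default in the client configuration file; the function names are made up for this example.

```python
import os
import re

# Client config syntax: uri_default = "qemu:///system"
_URI_DEFAULT = re.compile(r'^\s*uri_default\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def default_uri_from_conf(text):
    """Return the last uncommented uri_default value in libvirt.conf text."""
    found = None
    for line in text.splitlines():
        match = _URI_DEFAULT.match(line)
        if match:
            found = match.group(1)
    return found


def effective_uri(explicit=None, env=None, conf_text=""):
    """Resolve the default URI: explicit argument, environment, then config."""
    env = os.environ if env is None else env
    if explicit:
        return explicit, "explicit URI"
    if env.get("LIBVIRT_DEFAULT_URI"):
        return env["LIBVIRT_DEFAULT_URI"], "LIBVIRT_DEFAULT_URI"
    from_conf = default_uri_from_conf(conf_text)
    if from_conf:
        return from_conf, "uri_default in libvirt.conf"
    # Nothing configured: libvirt picks a driver itself; per the thread a
    # non-root user ends up on qemu:///session.
    return None, "libvirt's own default"


def read_user_conf(path="~/.config/libvirt/libvirt.conf"):
    """Read the per-user client config named in the thread, if present."""
    try:
        with open(os.path.expanduser(path)) as handle:
            return handle.read()
    except OSError:
        return ""


if __name__ == "__main__":
    uri, source = effective_uri(conf_text=read_user_conf())
    print(f"a connection opened without a URI would use {uri!r} ({source})")
    try:
        import libvirt  # the Python binding the thread refers to
        conn = libvirt.open("qemu:///system")  # explicit system instance
        print("connected to", conn.getURI())
        conn.close()
    except ImportError:
        print("libvirt Python module not installed; skipped live connection")
```
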
All -

I just published a new blog that provides a solution for running commands on multiple domains. This will enable you to perform the same or different commands on multiple domains using automation. The solution uses Python and its libvirt module.

The blog is located at http://www.holmes4.com/wda/blogs/index.html.

I hope to present more of these examples of how to use the libvirt interface to perform meaningful tasks in the future.

W. David Ashley