On Thu, Oct 29, 2020 at 11:34:09PM +0100, Natxo Asenjo wrote:
> On Thu, Oct 29, 2020 at 8:39 PM Michal Privoznik <mprivozn@redhat.com> wrote:
>
> > On 10/29/20 4:47 PM, Natxo Asenjo wrote:
> > > ah, yes. I try this:
> > >
> > > $ virsh -c qemu:///system
> > >
> > > But it then I get a prompt:
> > >
> > > ==== AUTHENTICATING FOR org.libvirt.unix.manage ============
> > > System policy prevents management of local virtualized systems
> > > Authenticating as: sudo_user_not_disclosed
> > > Password:
> > > Password:
> > > polikit-agent-helper-1: pam_authenticate failed: Authentication failure
> > >
> > > Our allowed groups in the /etc/dbus-1/system.d/org.libvirt.conf are no
> > > sudo users (this can change, but not as of now). It is a bit strange
> > > that we get the password prompt for a local sudo user we have in place
> > > for when systems have no working sssd connection to the idm realm (break
> > > glass user).
> > >
> > > My user can use the system bus in cockpit without a password.
> > >
> > > The dbus policy looks like this:
> > >
> > > <policy group="groupname">
> > >   <allow send_destination="org.libvirt"/>
> > > </policy>
> > > <policy group="other_groupname">
> > >   <allow send_destination="org.libvirt"/>
> > > </policy>
> >
> > This is expected. qemu:///system uses a unix socket to talk to libvirtd
> > and not dbus. I don't know what credentials cockpit sets there.
> > But I'm not sure it's safe to go behind cockpit's back and talk to
> > libvirt directly. If you'd change a configuration of a VM it may not be
> > reflected in cockpit.
It is safe to do to the system everything that cockpit does, as cockpit
is stateless and users can jump between the terminal and the cockpit UI.
> To be honest, I found out about the dbus system connection policies in the
> cockpit documentation; they have a link to the libvirt dbus snippet page:
>
> https://cockpit-project.org/guide/latest/feature-virtualmachines
>
> So is it not possible (taking cockpit out of the equation) to allow virsh
> to run as a normal user to connect to the local system connection?
It is possible to allow virsh to connect to the system connection by
default; you just need to create a new file:

    $HOME/.config/libvirt/libvirt.conf

with this single line in it:

    uri_default="qemu:///system"

For more details see [1].
Pavel
[1] <https://libvirt.org/uri.html#URI_default>
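The password prompt quoted at the top of this thread names the polkit action org.libvirt.unix.manage. That check is done by libvirtd on its unix socket (on distributions that leave auth_unix_rw at its "polkit" default in libvirtd.conf) and is independent of the dbus policy in /etc/dbus-1/system.d/org.libvirt.conf, which only governs who may talk to the libvirt dbus service that cockpit uses. The usual way to let a group of users run virsh against qemu:///system without a prompt is a polkit rule. The following is an added example, not code from this thread or from the libvirt or cockpit projects; the group name libvirt-admins and the file name 50-libvirt-group.rules are assumptions, and the decision logic is split out into a plain function so it can be exercised outside polkitd with stub objects.

```javascript
// Added example (not from the thread): a polkit rule granting the
// org.libvirt.unix.manage action, which produced the password prompt above,
// to members of one group without prompting.  Intended location (assumed):
// /etc/polkit-1/rules.d/50-libvirt-group.rules.  Group name is hypothetical.
//
// polkitd evaluates rules with an ES5-era engine, so this sticks to var/function.

var LIBVIRT_ACTIONS = [
  "org.libvirt.unix.manage",   // read-write access to the system daemon
  "org.libvirt.unix.monitor"   // read-only access
];
var ALLOWED_GROUP = "libvirt-admins"; // hypothetical group

// Pure decision function, kept separate from the polkit.addRule() callback so
// it can be tested outside polkitd with stub action/subject objects.
// Returns "yes" to grant, or null to leave the decision to later rules and
// the action's default policy (the default is what triggers the auth prompt).
function libvirtDecision(action, subject) {
  if (LIBVIRT_ACTIONS.indexOf(action.id) === -1) {
    return null;                       // not a libvirt action: stay out of it
  }
  if (subject.isInGroup(ALLOWED_GROUP)) {
    return "yes";
  }
  return null;                         // not in the group: default policy applies
}

// The actual rule registration.  `polkit` is a global provided by polkitd;
// guarding on it lets the same file load under node for offline testing.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    if (libvirtDecision(action, subject) === "yes") {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  });
}

// Stub subject for offline testing (constructed, not a real polkit object).
function stubSubject(groups) {
  return { isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}

// Offline demonstration against the action id seen in the quoted prompt.
function demo() {
  var manage = { id: "org.libvirt.unix.manage" };
  return {
    admin:     libvirtDecision(manage, stubSubject(["libvirt-admins", "wheel"])),
    other:     libvirtDecision(manage, stubSubject(["users"])),
    unrelated: libvirtDecision({ id: "org.freedesktop.login1.reboot" },
                               stubSubject(["libvirt-admins"]))
  };
}
```

Two design notes. The rule returns NOT_HANDLED rather than NO for everyone else, so it only widens access for the named group and leaves every other decision to the distribution's defaults; and org.libvirt.unix.manage gives the same control over host resources that root has through VM definitions, so the group it is granted to should be as small as the sudo group, with org.libvirt.unix.monitor used for accounts that only need to look. The alternative libvirt offers is unix_sock_group and unix_sock_rw_perms in libvirtd.conf, which bypass polkit entirely.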