PolicyKit and libvirt integration

Posted: January 11th, 2008 | Filed under: libvirt, Virt Tools

For Fedora 9, one of the new features we’ve got pending for virtualization is integration with PolicyKit. This will allow virt-manager to manage local hypervisor connections without having to run as root via consolehelper. Although the virt-manager part of this won’t be ready for a while yet, the libvirt bits were made available in libvirt 0.4.0 just before Christmas. As a sneak preview, this is now in updates-testing and already gives you the ability to run virsh as non-root.

For example, currently if you run virsh as non-root you’ll see something like:

$ virsh --connect qemu:///system
libvir: Remote error : authentication failed
error: failed to connect to the hypervisor

Now with PolicyKit support you can use ‘polkit-grant’ to authenticate and then you’ll be able to run virsh without issue!

$ polkit-grant --gain org.libvirt.unix.manage
Attempting to gain the privilege for org.libvirt.unix.manage.
Authentication is required.
Password:
Keep this privilege for the session? [no/session]?
session
Successfully gained the privilege for org.libvirt.unix.manage.
$ virsh --connect qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #  start VirtTest
virsh # list
 Id Name                 State
----------------------------------
  1 VirtTest             running

In other news, Rich Jones has created a Mozilla Plugin for GTK-VNC, so there’s at last a less-sucky replacement for the terrible Java VNC plugins out there.

3 Responses to “PolicyKit and libvirt integration”

  1. Jef Spaleta says:

    How do we know which argument to give polkit-grant --gain?
    The authorization error message doesn’t say ‘org.libvirt.unix.manage’ explicitly, nor does it indicate that polkit-grant is the correct avenue for corrective action.

  2. davidz says:

    In 0.7 I’ve added some convenience API in the form of the polkit-auth-obtain() function that virsh can use.

    It even brings up a UI dialog for the authentication if you are running X (if not, it spawns polkit-grant). In addition, it has the advantage that you don’t need to retain the authorization for the session; you can choose to keep it only for the invocation of virsh.

    (I think this might even work for ssh logins (e.g. where we don’t have XDG_SESSION_COOKIE); if it doesn’t, please let me know and I’ll fix that.)

  3. davidz says:

    Oh, and 0.7 is only available on Rawhide. And polkit-grant was renamed to polkit-auth.

    Also with 0.7 you can put additional stuff such as vendor, vendor_url and icon_name in the .policy file, see here, and these are used in both the auth dialog and the new polkit-gnome-authorization tool.
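
An added example, not part of the original post or its comments and not libvirt or PolicyKit code: a small Python auditor that reads a .policy file and lists each action id with its default authorization. That shows which id to pass to polkit-grant --gain and which actions are granted with no authentication at all. The sample XML is constructed, and its element names and values (defaults, allow_inactive, allow_active, auth_admin_keep_session) are assumed from the PolicyKit .policy format rather than taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PolicyKit .policy file. The layout and the
# default values are assumptions for illustration, not copied from libvirt.
SAMPLE_POLICY = """<policyconfig>
  <vendor>Example vendor</vendor>
  <action id="org.libvirt.unix.monitor">
    <description>Monitor local virtualized systems</description>
    <defaults>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.libvirt.unix.manage">
    <description>Manage local virtualized systems</description>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def list_actions(policy_xml):
    """Return {action_id: {"description": str, "defaults": {element: value}}}."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        actions[action.get("id")] = {
            "description": (action.findtext("description") or "").strip(),
            "defaults": {} if defaults is None else
                        {c.tag: (c.text or "").strip() for c in defaults},
        }
    return actions

def needs_grant(actions):
    """Action ids a user can only obtain by authenticating (an auth_* default)."""
    return sorted(a for a, info in actions.items()
                  if any(v.startswith("auth_") for v in info["defaults"].values()))

def unauthenticated(actions):
    """Action ids that some session class gets with no prompt at all ("yes")."""
    return sorted(a for a, info in actions.items() if "yes" in info["defaults"].values())

if __name__ == "__main__":
    import sys
    # Pass locally installed, root-owned .policy files as arguments, or run bare for the sample.
    for text in [open(p).read() for p in sys.argv[1:]] or [SAMPLE_POLICY]:
        for action_id, info in list_actions(text).items():
            print(action_id, info["description"], info["defaults"])
```

Reviewing the output of unauthenticated() is the least-privilege check: anything listed there is available to a non-root user without any grant.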
