| Summary: | Fail to connect to the libvirtd server with TLS while the access_driver is enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | zhenfeng wang <zhwang> |
| Component: | libvirt | Assignee: | Daniel Berrangé <berrange> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | acathrow, berrange, dyuan, gsun, jdenemar, lsu, mzhan, ydu |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-09-27 14:34:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:
Fail to connect to the libvirtd server with TLS while the access_driver is enabled in libvirtd.conf

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-4.el7.x86_64
kernel-3.10.0-14.el7.x86_64
libvirt-1.1.1-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare the TLS environment; see the attachment named tls_configuration.txt.

2. Connect to the libvirtd service with TLS while the access_driver is not enabled in libvirtd.conf:

```
# virsh -c qemu+tls://zhwang7/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel7                          shut off
 -     rhel73                         shut off
 -     rhel7qcow2                     shut off
```

3. Connect to the libvirtd service with TLS while the access_driver is enabled in libvirtd.conf:

```
cat /etc/libvirt/libvirtd.conf
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]

# virsh -c qemu+tls://zhwang7/system
error: failed to connect to the hypervisor
error: access denied
```

Check the log info in libvirtd.log:

```
2013-09-23 07:29:55.659+0000: 5752: error : virAccessDriverPolkitFormatProcess:97 : internal error: No UNIX process ID available
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5744: error : virNetSocketReadWire:1369 : Cannot recv data: Input/output error
```

Actual results:
Fail to connect to the libvirtd server with TLS.

Expected results:
Should connect to libvirt with TLS successfully while the access_driver is enabled in libvirtd.conf.

Additional info:

---

Hmm, looks like a result of fixing the pkcheck CVE. Daniel, how do we handle this with tls or tcp transports?

---

The polkit access control driver will only work for UNIX domain sockets. If you wish to use TCP sockets, then you must disable the access control driver.

---

Hi DB,

I just re-checked this bug and have a new doubt about it. As we know, the polkit access control driver was designed for the non-privileged user, and it shouldn't affect the root user's functionality, so I think the root user should connect to libvirt with TLS successfully while we enable the access control driver as described in comment 0. I saw your explanation in comment 3; I think this explanation should only apply to the non-privileged user and shouldn't limit the root user. Maybe it is necessary to re-open this bug; what's your opinion? Can you help me have a look? Thanks.

---

When a client connects over TCP sockets, there is no way of knowing that the user at the other end of the socket is "root". This is precisely why the access control mechanism only works for UNIX sockets.
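The practical takeaway of this thread is a configuration conflict: `access_drivers = [ "polkit" ]` can only authorize clients that arrive over the UNIX domain socket (polkit needs the peer's process ID), so any config that also enables a TLS or TCP listener will deny every remote connection, including root on the client side. The following is an added example, not code from the bug report or from libvirt: a small Python lint that parses a libvirtd.conf fragment the way step 3 shows it (a commented-out `#access_drivers` line is ignored, a later assignment of the same key wins), flags the polkit-plus-remote-listener combination, and recognises the `No UNIX process ID available` signature in libvirtd.log. The config and log samples are constructed after the ones quoted in the report. Assumptions: when a key is absent the script uses libvirtd.conf's documented defaults `listen_tls = 1` and `listen_tcp = 0`; whether libvirtd actually opens those listeners also depends on its `--listen` flag, which this check does not see. The parser deliberately handles only single-line `key = value` assignments and full-line comments.

```python
import re

# Constructed sample inputs, modelled on the libvirtd.conf fragment and the
# libvirtd.log lines quoted in this bug report; not captured from a real host.
BROKEN_CONF = """
# access control driver left enabled, as in step 3 of the report
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]
listen_tls = 1
#listen_tcp = 1
"""

FIXED_CONF = """
# polkit driver disabled again for a TLS listener, as the maintainer's reply requires
#access_drivers = [ "polkit" ]
listen_tls = 1
"""

SAMPLE_LOG = """2013-09-23 07:29:55.659+0000: 5752: error : virAccessDriverPolkitFormatProcess:97 : internal error: No UNIX process ID available
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5744: error : virNetSocketReadWire:1369 : Cannot recv data: Input/output error"""

_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def _parse_value(raw):
    """Turn a libvirtd.conf value ("str", 123, or [ "a", "b" ]) into a Python value."""
    if raw.startswith('['):
        return re.findall(r'"([^"]*)"', raw)
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_libvirtd_conf(text):
    """Minimal key = value parser.  Lines starting with '#' are comments, so the
    commented-out access_drivers line in the report is ignored, and a later
    assignment of the same key overrides an earlier one.  Trailing comments and
    multi-line lists are not handled (assumption: single-line settings only)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = _parse_value(m.group(2))
    return settings


def check_access_driver_transport(settings):
    """Return findings for configs that pair the polkit access driver with a
    TCP-based listener.  Assumed defaults when a key is absent: listen_tls = 1
    and listen_tcp = 0 (libvirtd.conf's documented defaults); the --listen
    daemon flag is outside what this check can see."""
    drivers = settings.get("access_drivers", [])
    if isinstance(drivers, str):
        drivers = [drivers]
    findings = []
    if "polkit" not in drivers:
        return findings
    for key, default in (("listen_tls", 1), ("listen_tcp", 0)):
        if settings.get(key, default) == 1:
            findings.append(
                f"access_drivers includes polkit while {key} is enabled: remote "
                f"clients carry no UNIX peer PID, so polkit denies every "
                f"connection (root on the client side included)"
            )
    return findings


# Signature of this failure in libvirtd.log: polkit asked for a peer PID that
# a TLS/TCP socket cannot supply.
POLKIT_NO_PID = re.compile(
    r'virAccessDriverPolkitFormatProcess:\d+ : internal error: '
    r'No UNIX process ID available'
)


def polkit_remote_denials(log_text):
    """Return the log lines that show polkit rejecting a socket without a peer PID."""
    return [line for line in log_text.splitlines() if POLKIT_NO_PID.search(line)]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        findings = check_access_driver_transport(parse_libvirtd_conf(conf))
        print(f"{name}: {findings or 'OK'}")
    for line in polkit_remote_denials(SAMPLE_LOG):
        print("log signature:", line)
```

Running it reports one finding for the broken config (TLS listener plus polkit), none for the fixed one, and picks out the single `virAccessDriverPolkitFormatProcess` line from the log sample. The fix the maintainer states is to leave `access_drivers` unset (or not `polkit`) whenever the daemon must serve TLS or TCP clients; the check does not try to authenticate remote users, because, as the last reply explains, nothing on a TCP socket tells the server who is on the other end.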