Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Can't start domains as non-root any more|
|Product:||[Fedora] Fedora||Reporter:||Mogens Kjaer <mk>|
|Component:||libvirt||Assignee:||Daniel Veillard <veillard>|
|Status:||CLOSED NEXTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||9||CC:||berrange, evillagr, mk, surakshan, veillard|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-10-20 18:17:45 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Mogens Kjaer 2008-09-26 02:36:26 EDT
Description of problem: After the latest update of libvirt I can't start a virtual machine in virt-manager as a non-root user. I've enabled active console access to manage local virtualized systems in System | Preferences | System | Authorizations and it used to work. Version-Release number of selected component (if applicable): It worked before these updates: Sep 25 15:44:35 Updated: libvirt-0.4.5-2.fc9.x86_64 Sep 25 15:45:27 Updated: libvirt-python-0.4.5-2.fc9.x86_64 How reproducible: Every time Steps to Reproduce: 1. Start virt-manager 2. Open virtual machine 3. Click on run Actual results: Error starting domain: operation virDomainCreate forbidden for read only access Details: Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/engine.py", line 472, in run_domain vm.startup() File "/usr/share/virt-manager/virtManager/domain.py", line 379, in startup self.vm.create() File "/usr/lib64/python2.5/site-packages/libvirt.py", line 262, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: operation virDomainCreate forbidden for read only access Expected results: Domain starting Additional info:
Comment 1 S.Mendis 2008-09-27 08:55:10 EDT
I can confirm this. 1. In policykit, org.libvirt.unix.mangage has my user granted under explicit permissions 2. When virt-manager is run, I select 'Run as Unprivileged' 3. With the latest updates mentioned by OP, I cannot start the VM, nor create one. I have sort of proved that libvirt has policy support by doing the following 1. In policykit org.libvirt.unix.monitor (note MONITOR) I've BLOCKED access to my user 2. When virt-manager is run, I select 'Run as unprivilegded' 3. When I try connect to local host, it doesn't connect, which makes sense. 4. When I remove the blocked user, it works. Basically I cannot 'manage' a vm's even if I tell Policykit that I can
Comment 2 Eduardo Villagrán Morales 2008-09-29 22:19:32 EDT
I have the same problem. I'am using x86 kernel with kvm. When I try startup a VM as non-root user I get: libvirtError: operation virDomainCreate forbidden for read only access If I do net-list on virsh as non-root user, it show none virtual network. If I do net-list on virsh as root, it show default virtual network.
Comment 3 Daniel Berrange 2008-09-30 05:42:31 EDT
Please provide the output of the following command LIBVIRT_DEBUG=1 virsh net-list when run as root, and also when run as non-root
Comment 4 Mogens Kjaer 2008-09-30 06:02:13 EDT
Created attachment 318053 [details] debug output, non-root
Comment 5 Mogens Kjaer 2008-09-30 06:02:39 EDT
Created attachment 318054 [details] Debug output, root
Comment 6 Eduardo Villagrán Morales 2008-09-30 10:09:03 EDT
Created attachment 318077 [details] Debug output as non-root user Bebug output on x86
Comment 7 Eduardo Villagrán Morales 2008-09-30 10:10:20 EDT
Created attachment 318078 [details] Debug output as root Debug output on x86.
Comment 8 Eduardo Villagrán Morales 2008-09-30 10:11:22 EDT
Created attachment 318079 [details] virsh net-list without debug as root On the same x86 machine.
Comment 9 S.Mendis 2008-10-02 07:35:11 EDT
Issue remains after upgrading to the following packages libvirt-0.4.6-2.fc9.i386 virt-manager-0.5.4-4.fc9.i386
Comment 10 Daniel Berrange 2008-10-02 07:43:23 EDT
WRT to comment #2 > I have the same problem. I'am using x86 kernel with kvm. When I try startup a > VM as non-root user I get: > libvirtError: operation virDomainCreate forbidden for read only access > > If I do net-list on virsh as non-root user, it show none virtual network. > If I do net-list on virsh as root, it show default virtual network. This is not a bug. You are not supplying any hypervisor URI to libvirt, so as non-root, it is connecting to 'qemu:///session' a per-User unprivileged connection which has no virtual networking. As root it will connect to 'qemu:///system' which does support networking. If you want to see the networks as non-root, you need to explicitly specify the hypervisor URI, eg virsh net-list --connect qemu:///system net-list This is not related to the original bug report here against virt manager, so if you have any further issues with this please open a separate bug.
Comment 11 Daniel Berrange 2008-10-02 07:45:28 EDT
WRT the original reporter: Mogens Kjaer Are you running virt-manager privileged as root, or unprivileged as non-root ? In Fedora virt-manager is setup to prompt for root auth when it first starts. So, anyway, if virt-manager is running as root can you attach the file /root/.virt-manager/virt-manager.log While, if you are running it unprivileged, can you provide $HOME/.virt-manager/virt-manager.log
Comment 12 Daniel Berrange 2008-10-02 07:56:14 EDT
Actually no need for that info - I've found the problem & will prepare a patch
Comment 13 Mogens Kjaer 2008-10-02 08:04:12 EDT
I've given non-root permissions to manage the virtual sessions using System | Preferences | System | Authorizations, so I run it "privileged as non-root", I guess. Looking forward to the patch, thanks!
Comment 14 Fedora Update System 2008-10-02 08:06:09 EDT
virt-manager-0.5.4-5.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/virt-manager-0.5.4-5.fc9
Comment 15 Daniel Berrange 2008-10-02 08:06:27 EDT
Fix built into F9 for updates in virt-manager-0.5.4-5.fc9
Comment 16 Mogens Kjaer 2008-10-02 08:24:15 EDT
It works! Thanks again.
Comment 17 S.Mendis 2008-10-02 19:29:11 EDT
(In reply to comment #15) > Fix built into F9 for updates in virt-manager-0.5.4-5.fc9 Good work. What was the original issue? Cheers
Comment 18 Fedora Update System 2008-10-03 18:32:43 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update virt-manager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8588
Comment 19 S.Mendis 2008-10-12 06:03:56 EDT
I've tested virt-manager-0.5.4-5.fc9 thoroughly and confirm it works
Comment 20 Fedora Update System 2008-10-20 18:17:42 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.