Bug 464069

Summary: Can't start domains as non-root any more
Product: [Fedora] Fedora Reporter: Mogens Kjaer <mk>
Component: libvirtAssignee: Daniel Veillard <veillard>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: berrange, evillagr, mk, surakshan, veillard
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-20 18:17:45 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
debug output, non-root
none
Debug output, root
none
Debug output as non-root user
none
Debug output as root
none
virsh net-list without debug as root none

Description Mogens Kjaer 2008-09-26 02:36:26 EDT
Description of problem:

After the latest update of libvirt I can't start a virtual machine
in virt-manager as a non-root user.

I've enabled active console access to manage local
virtualized systems in System | Preferences | System | Authorizations
and it used to work.

Version-Release number of selected component (if applicable):

It worked before these updates:

Sep 25 15:44:35 Updated: libvirt-0.4.5-2.fc9.x86_64
Sep 25 15:45:27 Updated: libvirt-python-0.4.5-2.fc9.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. Start virt-manager
2. Open virtual machine
3. Click on run
  
Actual results:

Error starting domain: operation virDomainCreate forbidden for read only access

Details:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 472, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 379, in startup
    self.vm.create()
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 262, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: operation virDomainCreate forbidden for read only access


Expected results:

Domain starting

Additional info:
Comment 1 S.Mendis 2008-09-27 08:55:10 EDT
I can confirm this.

1. In policykit, org.libvirt.unix.mangage has my user granted under explicit permissions
2. When virt-manager is run, I select 'Run as Unprivileged'
3. With the latest updates mentioned by OP, I cannot start the VM, nor create one.

I have sort of proved that libvirt has policy support by doing the following
1. In policykit org.libvirt.unix.monitor (note MONITOR) I've BLOCKED access to my user
2. When virt-manager is run, I select 'Run as unprivilegded'
3. When I try connect to local host, it doesn't connect, which makes sense. 
4. When I remove the blocked user, it works.

Basically I cannot 'manage' a vm's even if I tell Policykit that I can
Comment 2 Eduardo Villagrán Morales 2008-09-29 22:19:32 EDT
I have the same problem. I'am using x86 kernel with kvm. When I try startup a VM as non-root user I get:
libvirtError: operation virDomainCreate forbidden for read only access

If I do net-list on virsh as non-root user, it show none virtual network.
If I do net-list on virsh as root, it show default virtual network.
Comment 3 Daniel Berrange 2008-09-30 05:42:31 EDT
Please provide the output of the following command


LIBVIRT_DEBUG=1  virsh net-list


when run as root, and also when run as non-root
Comment 4 Mogens Kjaer 2008-09-30 06:02:13 EDT
Created attachment 318053 [details]
debug output, non-root
Comment 5 Mogens Kjaer 2008-09-30 06:02:39 EDT
Created attachment 318054 [details]
Debug output, root
Comment 6 Eduardo Villagrán Morales 2008-09-30 10:09:03 EDT
Created attachment 318077 [details]
Debug output as non-root user

Bebug output on x86
Comment 7 Eduardo Villagrán Morales 2008-09-30 10:10:20 EDT
Created attachment 318078 [details]
Debug output as root

Debug output on x86.
Comment 8 Eduardo Villagrán Morales 2008-09-30 10:11:22 EDT
Created attachment 318079 [details]
virsh net-list without debug as root

On the same x86 machine.
Comment 9 S.Mendis 2008-10-02 07:35:11 EDT
Issue remains after upgrading to the following packages

libvirt-0.4.6-2.fc9.i386
virt-manager-0.5.4-4.fc9.i386
Comment 10 Daniel Berrange 2008-10-02 07:43:23 EDT
WRT to comment #2


> I have the same problem. I'am using x86 kernel with kvm. When I try startup a
> VM as non-root user I get:
> libvirtError: operation virDomainCreate forbidden for read only access
>
> If I do net-list on virsh as non-root user, it show none virtual network.
> If I do net-list on virsh as root, it show default virtual network.

This is not a bug. You are not supplying any hypervisor URI to libvirt, so as non-root, it is connecting to 'qemu:///session' a per-User unprivileged connection which has no virtual networking. As root it will connect to 'qemu:///system' which does support networking. If you want to see the networks as non-root, you need to explicitly specify the hypervisor URI, eg

  virsh net-list --connect qemu:///system net-list

This is not related to the original bug report here against virt manager, so if you have any further issues with this please open a separate bug.
Comment 11 Daniel Berrange 2008-10-02 07:45:28 EDT
WRT the original reporter:  Mogens Kjaer 

Are you running virt-manager privileged as root, or unprivileged as non-root ?  In Fedora virt-manager is setup to prompt for root auth when it first starts. 

So, anyway, if virt-manager is running as root can you attach the file

 /root/.virt-manager/virt-manager.log

While, if you are running it unprivileged, can you provide

  $HOME/.virt-manager/virt-manager.log
Comment 12 Daniel Berrange 2008-10-02 07:56:14 EDT
Actually no need for that info - I've found the problem & will prepare a patch
Comment 13 Mogens Kjaer 2008-10-02 08:04:12 EDT
I've given non-root permissions to manage the virtual sessions using
System | Preferences | System | Authorizations,
so I run it "privileged as non-root", I guess.

Looking forward to the patch, thanks!
Comment 14 Fedora Update System 2008-10-02 08:06:09 EDT
virt-manager-0.5.4-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/virt-manager-0.5.4-5.fc9
Comment 15 Daniel Berrange 2008-10-02 08:06:27 EDT
Fix built into F9 for updates in virt-manager-0.5.4-5.fc9
Comment 16 Mogens Kjaer 2008-10-02 08:24:15 EDT
It works! Thanks again.
Comment 17 S.Mendis 2008-10-02 19:29:11 EDT
(In reply to comment #15)
> Fix built into F9 for updates in virt-manager-0.5.4-5.fc9

Good work. What was the original issue?

Cheers
Comment 18 Fedora Update System 2008-10-03 18:32:43 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update virt-manager'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8588
Comment 19 S.Mendis 2008-10-12 06:03:56 EDT
I've tested virt-manager-0.5.4-5.fc9 thoroughly and confirm it works
Comment 20 Fedora Update System 2008-10-20 18:17:42 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.