Bug 957300
| Summary: | Add polkit rules allowing users in a specific unix group to not require password | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | William Brown <william> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 21 | CC: | berrange, clalancette, crobinso, gustavold, itamar, jforbes, jv+fedora, kparal, laine, lersek, libvirt-maint, mitr, mleitner, pahan, rharwood, sergio.pasra, veillard, virt-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-1.2.9.3-2.fc21 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-06-23 09:10:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Honestly I'd be happy with this too. Many many people install custom polkit rules to do effectively the same thing, but as a one off for their username of choice. My understanding is that Ubuntu does (or did at one time) do something similar with a 'kvm' group. I've floated the idea upstream: https://www.redhat.com/archives/libvir-list/2013-June/msg00503.html Allowing members of the 'qemu' group to access libvirt without a password would be a huge security whole. The 'qemu' group is running the QEMU/KVM processes for each VM. So such a polkit rule would allow a compromised QEMU process to access libvirt & thus compromise the entire host. I'm more interested in the general idea, the group could be named 'foobar' for all it matters. Perhaps the group could be called virtadm then? Similar to the "adm" admin group. Should probably just use 'libvirt' as a group name. Still relevant on F20 Any movement on this? Hi William, since you're the person with the most stake in this question, you should reopen discussion Cole started upstream on libvir-list and drive it to a conclusion. I can't predict how the community will react, but from the comments above and the response to Cole's mail, it sounds like the qemu group is not acceptable, but the libvirt group might be. Just my $.02. +1 on this one, as I've doing similar setup myself on my hosts for the same reasons. Clearing needinfo. I think this idea would be accepted but someone needs to submit a patch or start a discussion on libvir-list. I might get to it for F22 cycle but no guarantees I sent a patch upstream for this, using the group 'libvirt' : https://www.redhat.com/archives/libvir-list/2015-April/msg01484.html Upstream now:
commit e94979e901517af9fdde358d7b7c92cc055dd50c
Author: Cole Robinson <crobinso>
Date: Tue Apr 28 17:38:00 2015 -0400
polkit: Allow password-less access for 'libvirt' group
Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirt' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300
Thank you for getting back to this and making it happen! Much appreciated. libvirt-1.2.9.3-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/libvirt-1.2.9.3-2.fc21 Package libvirt-1.2.9.3-2.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libvirt-1.2.9.3-2.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-9594/libvirt-1.2.9.3-2.fc21 then log in and leave karma (feedback). This is great. Works. Thanks, folks. libvirt-1.2.9.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. Found out about this BZ via <http://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html> (federated on planet.virt-tools.org). I just checked, and this feature also made RHEL-7.2, through bug 1194593 (rebase to then-current upstream libvirt, 1.2.16, then to 1.2.17). Awesome, thanks a lot Cole! |
Description of problem: When running libvirt from virt-manager, or remotely via ssh, one must authenticate via policykit to be granted access. This however, over SSH, does not work without adding policykit rules (That are somewhat awkward to find in my experience) or for virt-manager, it creates needless virt-manager password prompts. To make it more accessible to users, a policykit rule allows members of the qemu group access should be added: such as polkit.addRule(function(action, subject) { if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("qemu")) { return polkit.Result.YES; } }); This lowers the bar to using libvirt, increases accessibility and makes it easier to administer. People can choose to ignore the qemu group and continue to use the polkit authentication window - This just means that people who wish to locally or remotely manage machines need to be added to the qemu group.