Bug 986365

This was never a customer case, I reported it from my own observations, so that docspace does not apply.

I think this needs to be closed and attention focused here[1], with higher priority.. as this been without movement for quite a time.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=872166

This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

This appears to be a duplicate of bug 957300 - still trying to triage through that, especially with respect to the documentation aspect of this.

Used the upstream bz 872166 for "details", but this change has now been pushed upstream and should be in the next release of libvirt.

v1.3.2-21-gea48397

commit ea48397b016683933104c5ce059a33443a79cdbb
Author: John Ferlan <jferlan>
Date:   Tue Feb 9 14:08:42 2016 -0500

    virsh: Add support for text based polkit authentication

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Hi,John, I tried to verify the bug with libvirt-1.3.3-1.el7.x86_64 and found when using "ssh non-root@localhost" still failed with error "no polkit agent available to authenticate action 'org.libvirt.unix.manage'". Would you please help to check that? Thanks a lot.

My test steps:
1.Test with "su non-root", polkit works well with virsh:
  #su non-root
  $virsh -c qemu:///system
  Show password prompt. Input root password can access virsh commands line   correctly.


2.Test with "ssh non-root@localhost", failed with error:
  #ssh non-root@localhost
  $virsh -c qemu:///system
   2016-04-13 05:02:59.447+0000: 5047: info : libvirt version: 1.3.3, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2016-04-06-04:13:31, x86-034.build.eng.bos.redhat.com)
2016-04-13 05:02:59.447+0000: 5047: info : hostname: yafu-test
2016-04-13 05:02:59.447+0000: 5047: warning : virFileClose:95 : Tried to close invalid fd 7
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

3.Test with "ssh -X non-root@localhost", failed with error:
 #ssh -X non-root@localhost
 $virsh -c qemu:///system
  2016-04-13 05:08:28.600+0000: 5443: info : libvirt version: 1.3.3, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2016-04-06-04:13:31, x86-034.build.eng.bos.redhat.com)
2016-04-13 05:08:28.600+0000: 5443: info : hostname: yafu-test
2016-04-13 05:08:28.600+0000: 5443: warning : virFileClose:95 : Tried to close invalid fd 7
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

Another libvirt QE and I also met this problem and find the problem seems come from commit 0b36b0e9, and the problem is:

    agent->cmd = cmd;                    <-
    cmd = NULL;                          <--- give cmd ptr to agent->cmd here

    virCommandAddArgFormat(cmd, "%lld", (long long int) getpid());  <----but still use cmd ptr here which is NULL now.

    ... 
    if (virCommandRunAsync(cmd, NULL) < 0)  <----- still use cmd, get failure
        goto error;

And i had a try to fix it and found it works right now:

$ ssh lhaung@localhost -X
lhaung@localhost's password: 
Last login: Mon May  9 14:25:48 2016 from localhost
[lhaung@lhuang ~]$ virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

Thanks for the persistence on this Luyao - I just haven't had the cycles to swing back and this.  I have no idea what I was thinking with '0b36b0e9', although I see from the companion bug on this that Peter Krempa has submitted a patch:

commit 4e8b81e5c4bbc5b26032e61a8006cda0b393ef8b
Author: Peter Krempa <pkrempa>
Date:   Mon May 9 11:02:51 2016 +0200

    util: polkit: Fix polkit agent startup

    Commit 0b36b0e9 broke polkit agent startup when attempting to fix a
    coverity warning. Refactor it properly so that we don't need the 'cmd'
    intermediate variable.

(In reply to John Ferlan from comment #25)
> Thanks for the persistence on this Luyao - I just haven't had the cycles to
> swing back and this.  I have no idea what I was thinking with '0b36b0e9',
> although I see from the companion bug on this that Peter Krempa has
> submitted a patch:
> 

You are welcome, since my colleague hit this problem and i found some code looks wrong, then i added a comment in this bug and bug 872166 to double confirm about my thought with your developers.

> commit 4e8b81e5c4bbc5b26032e61a8006cda0b393ef8b
> Author: Peter Krempa <pkrempa>
> Date:   Mon May 9 11:02:51 2016 +0200
> 
>     util: polkit: Fix polkit agent startup
> 
>     Commit 0b36b0e9 broke polkit agent startup when attempting to fix a
>     coverity warning. Refactor it properly so that we don't need the 'cmd'
>     intermediate variable.

Nice to see a patch just after one night :)

Hi John,
I tested another scenario. What do you think of? Is it in your fix scope?

1. Edit /etc/libvirt/libvirtd.conf
auth_unix_rw = "polkit"
unix_sock_rw_perms = "0777"

2.Create test users and give password 'redhat'
# useradd test2
# passwd test2

3.Config polkit auth to 'test2' as ro
# cd /etc/polkit-1/localauthority/50-local.d/
# vim polkit.pkla
[Allow test2 libvirt monitor permissions]
Identity=unix-user:test2
Action=org.libvirt.unix.monitor
ResultAny=yes
ResultInactive=yes
ResultActive=yes

4. # service libvirtd restart
5. # ssh root@localhost
   # su test2 -c 'virsh -c qemu:///system start guest'
   # ll /dev/tty
   crw-rw-rw-. 1 root tty 5, 0 Jun 12 14:40 /dev/tty

Actual results:
A looping error messages below are displayed for many lines.
Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)

It's been so long this isn't in the front of what I'm thinking about now.  IIRC though the scope of my changes had nothing to do with qemu.conf or whatever it is you did with polkit.pkla (whatever that is).

What I adjusted was far more simplistic - before the patches, the only way to "get" the authentication prompt from polkit was via the GUI. There was no text input fallback when the session didn't have a graphical front end.

Perhaps what you're hitting is setup related to:

http://libvirt.org/aclpolkit.html or
http://libvirt.org/auth.html

Hi,John,
when I did not input password longer than the timeout, the connection failed with error:
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

And the terminal became not correct and not show the input character.
Would you please help to check whether it related with the patch of the bug?

steps:
1.ssh non-root:
#ssh non-root.0.1

2.Connect to the qemu:///system and not input password longer than the timeout:
$virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: yafu
Password: polkit-agent-helper-1: pam_authenticate failed: Authentication failure
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

3.Check the terminal, the terminal does not work correct and not show the input character.

Dan - I cannot even begin to imagine the complicated configuration you have generated. My advice keep it simple. Whether this works with avocado is a total unknown to me. While I realize that's "easier" from a testing perspective, the expected usage is manual and it requires a very specific setup to work properly. The underlying technology used by libvirt to allow a text based authentication uses "pkttyagent --process --notify-fd fd --fallback". There was some thoughts to make more direct calls, but there were issues with that (I have forgotten those details).

Anyway w/r/t to the output you show above seems to prove that point with the two errors shown:

1.
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

This indicates to me the environment isn't quite right - it is not the expected output from my perspective.

2.
 output: "Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)\nError creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)\nE

This indicates to me that perhaps whatever configuration anomaly from comment 27 that's present is affecting the results.

With respect to that - my configuration does not change /etc/libvirt/libvirtd.conf for auth_unix_rw and unix_sock_rw_perms and my /etc/polkit-1/localauthority/50-local.d/ is empty. 

There are multiple ways to configure things - it seems comment 27 is attempting to use the mechanism from http://libvirt.org/auth.html#ACL_server_polkit which is very different than the simplistic mechanism this bug was resolving.

Additionally, my userid is not a member of the libvirt group which is the solution for/from bug 957300


Using the "latest" libvirt (what will be in the next release), I can still successfully use polkit text agent using the following steps on my laptop (keeping it very simple):

1. From a "root" account, make sure ssh/sshd can login locally via modifying /etc/hosts.allow and adding lines for "ssh:localhost:allow" and "sshd:localhost:allow" and of course restarting sshd

2. ssh jferlan@localhost
jferlan@localhost's password: 
Last login: Wed Jun 29 06:23:39 2016
$ virsh -c qemu:///system list
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: John Ferlan (jferlan)
Password: 
==== AUTHENTICATION COMPLETE ===
 Id    Name                           State
----------------------------------------------------
 1     f18                            running

$ virsh -c qemu:///system version
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: John Ferlan (jferlan)
Password: 
==== AUTHENTICATION COMPLETE ===
Compiled against library: libvirt 2.0.0
Using library: libvirt 2.0.0
Using API: QEMU 2.0.0
Running hypervisor: QEMU 2.4.1

$

Which is the same results as running from root.  Obviously I left out the password details. Also, without the ssh step, I would be presented with the GUI based authentication dialog box which is the "default" when a DISPLAY is available. The text based mechanism is meant for just that - simple, text based authentication using a "real" controlling terminal.

So from my perspective this works in the simple case and I have to believe there is some configuration issue in the test environment or setup. Use of polkit has many options and I'm not sure it's "advisable" to attempt to mix them.

yafu -

what you see more than likely is a pkttyagent issue and how it sets the terminal settings in order to not display the password as you type it.  When you timeout, the error path from pkttyagent probably doesn't reset back to an echo keystroke mode (perhaps an overly simplistic description).

Using 'reset' will clear things.  

This isn't a libvirt issue per se. I've seen the same issue with other authentication mechanisms

I test on build libvirt-2.0.0-1.el7.x86_64, and meet a problem: failed to connect to libvirt on a remote host with non-root user.

[fjin@localhost ~]$ virsh -c qemu+ssh://10.66.4.152/system
fjin.4.152's password: 
fjin.4.152's password: 

** (pkttyagent:11910): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)

Creating the ssh session first was the example I used - adding +ssh on the command line is a bit different. Consider what's being done - authenticate via ssh and then authenticate via libvirt. I believe that's why you geot *two* password prompts. I don't know "how" ssh performs it's authentication, but if it used the same pkttyagent mechanism, then I can certainly understand the message you got. There's some "interesting dynamics" in play when you add that +ssh with regard to how the session authentication works.

Still I think perhaps a different issue. Go back to the originally reported issue - it's more about having an existing non-GUI, non-root based session established and then using virsh to list the /system output (or do anything for that matter).

(In reply to John Ferlan from comment #34)
> Creating the ssh session first was the example I used - adding +ssh on the
> command line is a bit different. Consider what's being done - authenticate
> via ssh and then authenticate via libvirt. I believe that's why you geot
> *two* password prompts. I don't know "how" ssh performs it's authentication,
> but if it used the same pkttyagent mechanism, then I can certainly
> understand the message you got. There's some "interesting dynamics" in play
> when you add that +ssh with regard to how the session authentication works.
> 
> Still I think perhaps a different issue. Go back to the originally reported
> issue - it's more about having an existing non-GUI, non-root based session
> established and then using virsh to list the /system output (or do anything
> for that matter).

Hi John,

I think the way libvirt create pkttyagent is not correct in some cases. I have checked what libvirt do when the user use virsh to connect to a remote machine (the same with comment 33). I will show the gdb debug info:

$ /usr/bin/gdb virsh

(gdb) br virshConnect
Breakpoint 1 at 0x266a0: file virsh.c, line 141.
(gdb) r -c qemu+ssh://lhuang@test1/system

Breakpoint 1, virshConnect (ctl=0x7fffffffda70, uri=0x555555804a30 "qemu+ssh://lhuang@test1/system", readonly=false) at virsh.c:141
141	{

(gdb) n
149	    if (ctl->keepalive_interval >= 0) {
(gdb) 
141	{
(gdb) 
151	        keepalive_forced = true;
(gdb) 
149	    if (ctl->keepalive_interval >= 0) {
(gdb) 
145	    bool keepalive_forced = false;
(gdb) 
143	    int interval = 5; /* Default */
(gdb) 
153	    if (ctl->keepalive_count >= 0) {
(gdb) 
144	    int count = 6;    /* Default */
(gdb) 
161	        if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb) n
Detaching after fork from child process 27954.
lhuang@test1's password: 

[this is ssh authenticate, but target libvirtd close client connection since it is not pass authenticate, and i can get error like " virPolkitCheckAuth:133 : authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage' " in target libvirtd.log]

165	        if (readonly)
(gdb) n
168	        err = virGetLastError();
(gdb) 
169	        if (err && err->domain == VIR_FROM_POLKIT &&
(gdb) 
171	            if (!(pkagent = virPolkitAgentCreate()))

[here virsh create a pkttyagent on *source* machine and i think this doesn't make any sense]

(gdb) 
Detaching after fork from child process 27959.
179	        virResetLastError();
(gdb) 
183	    } while (authfail < 5);
(gdb) p authfail
$1 = 0
(gdb) n
161	        if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb) 
Detaching after fork from child process 28110.
lhuang@test1's password: 

[this is ssh authenticate again]

165	        if (readonly)
(gdb) n
168	        err = virGetLastError();
(gdb) 
169	        if (err && err->domain == VIR_FROM_POLKIT &&
(gdb) 
171	            if (!(pkagent = virPolkitAgentCreate()))
(gdb) 
Detaching after fork from child process 28134.

[Here virsh create another pkttyagent again]

** (pkttyagent:28134): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)

[This is why pkttyagent report we already create a pkttyagent for this process]

179	        virResetLastError();
(gdb) n
183	    } while (authfail < 5);
(gdb) p authfail
$2 = 0

[we won't add authfail, and this make us cannot jump out of this loop]

(gdb) n
161	        if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb) 
Detaching after fork from child process 28150.
lhuang@test1's password: 
165	        if (readonly)
(gdb) p authfail
$3 = 0
(gdb) c
Continuing.
Detaching after fork from child process 1550.

** (pkttyagent:1550): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)
Detaching after fork from child process 1553.
lhuang@test1's password: 


And i can find many pkttyagent process in source machine before i kill the virsh client:

# ps aux|grep pktty
lhaung   14089  0.0  0.0 205184  3028 pts/12   Sl   09:09   0:00 /usr/bin/pkttyagent --process 14082 --notify-fd 7 --fallback
lhaung   14814  0.0  0.0 205184  3028 pts/12   Sl+  09:15   0:00 /usr/bin/pkttyagent --process 14809 --notify-fd 7 --fallback
lhaung   14898  0.0  0.0      0     0 pts/12   Z+   09:15   0:00 [pkttyagent] <defunct>
root     15008  0.0  0.0 112648   956 pts/0    S+   09:16   0:00 grep --color=auto pktty


I think maybe libvirt should not create a pkttyagent when the url is a remote
url.

Hi,John,

Is there any plan to fix the issue in comment 35 in this bug? Or I can verify the bug now and file a separate bug for the issue in comment 35？

Just make a separate bug.  Luyao did great providing details and a reproducible example. Unfortunately I just didn't have enough time to devote to research those details. Additionally adding +ssh is different than the base issue/problem where polkit authentication just wasn't working for the non-GUI session.

(In reply to John Ferlan from comment #37)
> Just make a separate bug.  Luyao did great providing details and a
> reproducible example. Unfortunately I just didn't have enough time to devote
> to research those details. Additionally adding +ssh is different than the
> base issue/problem where polkit authentication just wasn't working for the
> non-GUI session.

Thanks for your quick reply. A new bug filed for issues in comment 37:
https://bugzilla.redhat.com/show_bug.cgi?id=1374126

Reproduced with libvirt-1.2.17-13.el7_2.5.x86_64.
Test steps:
1.Test with "su non-root", failed with error:
  #su non-root
  $virsh -c qemu:///system
 error: failed to connect to the hypervisor
 error: authentication failed: no agent is available to authenticate

2.Test with "ssh non-root@localhost", failed with error:
  #ssh non-root@localhost
  $virsh -c qemu:///system
 error: failed to connect to the hypervisor
 error: authentication failed: no agent is available to authenticate

3.Test with "ssh -X non-root@localhost", failed with error:
 #ssh -X non-root@localhost
 $virsh -c qemu:///system
 error: failed to connect to the hypervisor
 error: authentication failed: no agent is available to authenticate

Verify pass with libvirt-2.0.0-8.el7.x86_64.
1.Test with "su non-root", polkit works well with virsh:
  #su non-root
  $virsh -c qemu:///system
 ==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 


2.Test with "ssh non-root@localhost":
  #ssh non-root@localhost
  $virsh -c qemu:///system
 ==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 


3.Test with "ssh -X non-root@localhost":
 #ssh -X non-root@localhost
 $virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2577.html