Bug 986365
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | using polkit with virsh for non-root access does not work via ssh or locally | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | akotov |
| Component | libvirt | Assignee | John Ferlan <jferlan> |
| Status | CLOSED ERRATA | QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.0 | CC | berrange, clalancette, dgibson, djschaap, dyuan, dzheng, fjin, itamar, jbuchta, jferlan, jforbes, laine, lhuang, libvirt-maint, mniranja, mzhan, rbalakri, rjones, tzheng, veillard, yafu, ydu |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | libvirt-1.3.3-1.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 872166 | | |
| | 1374126 | Environment | |
| Last Closed | 2016-11-03 18:06:05 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 872166 | | |
| Bug Blocks | 1205796 | | |
Description

akotov, 2013-07-19 14:56:17 UTC

This was never a customer case, I reported it from my own observations, so that docspace does not apply. I think this needs to be closed and attention focused here [1], with higher priority, as this has been without movement for quite a time.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=872166

---

This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

---

This appears to be a duplicate of bug 957300 - still trying to triage through that, especially with respect to the documentation aspect of this.

---

Used the upstream bz 872166 for "details", but this change has now been pushed upstream and should be in the next release of libvirt.

v1.3.2-21-gea48397

```
commit ea48397b016683933104c5ce059a33443a79cdbb
Author: John Ferlan <jferlan>
Date:   Tue Feb 9 14:08:42 2016 -0500

    virsh: Add support for text based polkit authentication
```

---

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

---

Hi, John,

I tried to verify the bug with libvirt-1.3.3-1.el7.x86_64 and found that when using "ssh non-root@localhost" it still failed with error "no polkit agent available to authenticate action 'org.libvirt.unix.manage'". Would you please help to check that? Thanks a lot.

My test steps:

1. Test with "su non-root", polkit works well with virsh:

```
#su non-root
$virsh -c qemu:///system
```

Shows a password prompt. After inputting the root password, the virsh command line can be accessed correctly.

2. Test with "ssh non-root@localhost", failed with error:

```
#ssh non-root@localhost
$virsh -c qemu:///system
2016-04-13 05:02:59.447+0000: 5047: info : libvirt version: 1.3.3, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2016-04-06-04:13:31, x86-034.build.eng.bos.redhat.com)
2016-04-13 05:02:59.447+0000: 5047: info : hostname: yafu-test
2016-04-13 05:02:59.447+0000: 5047: warning : virFileClose:95 : Tried to close invalid fd 7
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'
```

3. Test with "ssh -X non-root@localhost", failed with error:

```
#ssh -X non-root@localhost
$virsh -c qemu:///system
2016-04-13 05:08:28.600+0000: 5443: info : libvirt version: 1.3.3, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2016-04-06-04:13:31, x86-034.build.eng.bos.redhat.com)
2016-04-13 05:08:28.600+0000: 5443: info : hostname: yafu-test
2016-04-13 05:08:28.600+0000: 5443: warning : virFileClose:95 : Tried to close invalid fd 7
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'
```

---

Another libvirt QE and I also met this problem and found the problem seems to come from commit 0b36b0e9, and the problem is:

```
    agent->cmd = cmd;                                      <--- give cmd ptr to agent->cmd here
    cmd = NULL;                                            <---
    virCommandAddArgFormat(cmd, "%lld", (long long int) getpid());   <---- but still use cmd ptr here which is NULL now.
    ...
    if (virCommandRunAsync(cmd, NULL) < 0)                 <----- still use cmd, get failure
        goto error;
```

And I had a try to fix it and found it works right now:

```
$ ssh lhaung@localhost -X
lhaung@localhost's password:
Last login: Mon May 9 14:25:48 2016 from localhost
[lhaung@lhuang ~]$ virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #
```

---

Comment 25, John Ferlan:

Thanks for the persistence on this Luyao - I just haven't had the cycles to swing back to this. I have no idea what I was thinking with '0b36b0e9', although I see from the companion bug on this that Peter Krempa has submitted a patch:

```
commit 4e8b81e5c4bbc5b26032e61a8006cda0b393ef8b
Author: Peter Krempa <pkrempa>
Date:   Mon May 9 11:02:51 2016 +0200

    util: polkit: Fix polkit agent startup

    Commit 0b36b0e9 broke polkit agent startup when attempting to fix a
    coverity warning. Refactor it properly so that we don't need the 'cmd'
    intermediate variable.
```

---

(In reply to John Ferlan from comment #25)
> Thanks for the persistence on this Luyao - I just haven't had the cycles to
> swing back to this. I have no idea what I was thinking with '0b36b0e9',
> although I see from the companion bug on this that Peter Krempa has
> submitted a patch:

You are welcome. Since my colleague hit this problem and I found some code that looked wrong, I added a comment in this bug and bug 872166 to double confirm my thought with your developers.

> commit 4e8b81e5c4bbc5b26032e61a8006cda0b393ef8b
> Author: Peter Krempa <pkrempa>
> Date: Mon May 9 11:02:51 2016 +0200
>
> util: polkit: Fix polkit agent startup
>
> Commit 0b36b0e9 broke polkit agent startup when attempting to fix a
> coverity warning. Refactor it properly so that we don't need the 'cmd'
> intermediate variable.

Nice to see a patch just after one night :)

---

Comment 27:

Hi John, I tested another scenario. What do you think of it? Is it in your fix scope?

1. Edit /etc/libvirt/libvirtd.conf:

```
auth_unix_rw = "polkit"
unix_sock_rw_perms = "0777"
```

2. Create test users and give password 'redhat':

```
# useradd test2
# passwd test2
```

3. Config polkit auth to 'test2' as ro:

```
# cd /etc/polkit-1/localauthority/50-local.d/
# vim polkit.pkla
[Allow test2 libvirt monitor permissions]
Identity=unix-user:test2
Action=org.libvirt.unix.monitor
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```

4. Restart libvirtd:

```
# service libvirtd restart
```

5. Start a guest as the test user:

```
# ssh root@localhost
# su test2 -c 'virsh -c qemu:///system start guest'
# ll /dev/tty
crw-rw-rw-. 1 root tty 5, 0 Jun 12 14:40 /dev/tty
```

Actual results:

The error message below is displayed in a loop for many lines.

```
Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)
```

---

It's been so long this isn't in the front of what I'm thinking about now. IIRC though the scope of my changes had nothing to do with qemu.conf or whatever it is you did with polkit.pkla (whatever that is). What I adjusted was far more simplistic - before the patches, the only way to "get" the authentication prompt from polkit was via the GUI. There was no text input fallback when the session didn't have a graphical front end.

Perhaps what you're hitting is setup related to: http://libvirt.org/aclpolkit.html or http://libvirt.org/auth.html

---

Hi, John,

When I did not input the password for longer than the timeout, the connection failed with error:

```
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```

And the terminal became incorrect and did not show the input characters. Would you please help to check whether it is related to the patch of the bug?

Steps:

1. ssh non-root:

```
#ssh non-root.0.1
```

2. Connect to qemu:///system and do not input the password for longer than the timeout:

```
$virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: yafu
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```

3. Check the terminal: the terminal does not work correctly and does not show the input characters.

---

Dan - I cannot even begin to imagine the complicated configuration you have generated. My advice: keep it simple. Whether this works with avocado is a total unknown to me. While I realize that's "easier" from a testing perspective, the expected usage is manual and it requires a very specific setup to work properly.

The underlying technology used by libvirt to allow a text based authentication uses "pkttyagent --process --notify-fd fd --fallback". There were some thoughts to make more direct calls, but there were issues with that (I have forgotten those details).

Anyway, w/r/t the output you show above, it seems to prove that point with the two errors shown:

1.

```
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'
```

This indicates to me the environment isn't quite right - it is not the expected output from my perspective.

2. Output:

```
"Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)\nError creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address (polkit-error-quark, 0)\nE
```

This indicates to me that perhaps whatever configuration anomaly from comment 27 that's present is affecting the results.

With respect to that - my configuration does not change /etc/libvirt/libvirtd.conf for auth_unix_rw and unix_sock_rw_perms and my /etc/polkit-1/localauthority/50-local.d/ is empty. There are multiple ways to configure things - it seems comment 27 is attempting to use the mechanism from http://libvirt.org/auth.html#ACL_server_polkit which is very different than the simplistic mechanism this bug was resolving. Additionally, my userid is not a member of the libvirt group which is the solution for/from bug 957300.

Using the "latest" libvirt (what will be in the next release), I can still successfully use the polkit text agent using the following steps on my laptop (keeping it very simple):

1. From a "root" account, make sure ssh/sshd can login locally via modifying /etc/hosts.allow and adding lines for "ssh:localhost:allow" and "sshd:localhost:allow" and of course restarting sshd.

2. Log in over ssh and run virsh:

```
ssh jferlan@localhost
jferlan@localhost's password:
Last login: Wed Jun 29 06:23:39 2016
$ virsh -c qemu:///system list
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: John Ferlan (jferlan)
Password:
==== AUTHENTICATION COMPLETE ===
 Id    Name                           State
----------------------------------------------------
 1     f18                            running

$ virsh -c qemu:///system version
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: John Ferlan (jferlan)
Password:
==== AUTHENTICATION COMPLETE ===
Compiled against library: libvirt 2.0.0
Using library: libvirt 2.0.0
Using API: QEMU 2.0.0
Running hypervisor: QEMU 2.4.1
$
```

Which is the same result as running from root. Obviously I left out the password details. Also, without the ssh step, I would be presented with the GUI based authentication dialog box which is the "default" when a DISPLAY is available. The text based mechanism is meant for just that - simple, text based authentication using a "real" controlling terminal.

So from my perspective this works in the simple case and I have to believe there is some configuration issue in the test environment or setup.
Use of polkit has many options and I'm not sure it's "advisable" to attempt to mix them.

---

yafu - what you see more than likely is a pkttyagent issue and how it sets the terminal settings in order to not display the password as you type it. When you time out, the error path from pkttyagent probably doesn't reset back to an echo keystroke mode (perhaps an overly simplistic description). Using 'reset' will clear things. This isn't a libvirt issue per se. I've seen the same issue with other authentication mechanisms.

---

Comment 33:

I tested on build libvirt-2.0.0-1.el7.x86_64, and met a problem: failed to connect to libvirt on a remote host with a non-root user.

```
[fjin@localhost ~]$ virsh -c qemu+ssh://10.66.4.152/system
fjin.4.152's password:
fjin.4.152's password:

** (pkttyagent:11910): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)
```

---

Comment 34, John Ferlan:

Creating the ssh session first was the example I used - adding +ssh on the command line is a bit different. Consider what's being done - authenticate via ssh and then authenticate via libvirt. I believe that's why you got *two* password prompts. I don't know "how" ssh performs its authentication, but if it used the same pkttyagent mechanism, then I can certainly understand the message you got. There's some "interesting dynamics" in play when you add that +ssh with regard to how the session authentication works.

Still I think perhaps a different issue. Go back to the originally reported issue - it's more about having an existing non-GUI, non-root based session established and then using virsh to list the /system output (or do anything for that matter).

---

Comment 35:

(In reply to John Ferlan from comment #34)
> Creating the ssh session first was the example I used - adding +ssh on the
> command line is a bit different. Consider what's being done - authenticate
> via ssh and then authenticate via libvirt. I believe that's why you got
> *two* password prompts. I don't know "how" ssh performs its authentication,
> but if it used the same pkttyagent mechanism, then I can certainly
> understand the message you got. There's some "interesting dynamics" in play
> when you add that +ssh with regard to how the session authentication works.
>
> Still I think perhaps a different issue. Go back to the originally reported
> issue - it's more about having an existing non-GUI, non-root based session
> established and then using virsh to list the /system output (or do anything
> for that matter).

Hi John,

I think the way libvirt creates pkttyagent is not correct in some cases. I have checked what libvirt does when the user uses virsh to connect to a remote machine (the same as comment 33). I will show the gdb debug info:

```
$ /usr/bin/gdb virsh
(gdb) br virshConnect
Breakpoint 1 at 0x266a0: file virsh.c, line 141.
(gdb) r -c qemu+ssh://lhuang@test1/system

Breakpoint 1, virshConnect (ctl=0x7fffffffda70, uri=0x555555804a30 "qemu+ssh://lhuang@test1/system", readonly=false) at virsh.c:141
141     {
(gdb) n
149         if (ctl->keepalive_interval >= 0) {
(gdb)
141     {
(gdb)
151             keepalive_forced = true;
(gdb)
149         if (ctl->keepalive_interval >= 0) {
(gdb)
145         bool keepalive_forced = false;
(gdb)
143         int interval = 5; /* Default */
(gdb)
153         if (ctl->keepalive_count >= 0) {
(gdb)
144         int count = 6; /* Default */
(gdb)
161             if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb) n
Detaching after fork from child process 27954.
lhuang@test1's password:

[this is ssh authentication, but the target libvirtd closes the client connection since it does not pass authentication, and I can get an error like "virPolkitCheckAuth:133 : authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'" in the target libvirtd.log]

165             if (readonly)
(gdb) n
168             err = virGetLastError();
(gdb)
169             if (err && err->domain == VIR_FROM_POLKIT &&
(gdb)
171                 if (!(pkagent = virPolkitAgentCreate()))

[here virsh creates a pkttyagent on the *source* machine and I think this doesn't make any sense]

(gdb)
Detaching after fork from child process 27959.
179             virResetLastError();
(gdb)
183         } while (authfail < 5);
(gdb) p authfail
$1 = 0
(gdb) n
161             if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb)
Detaching after fork from child process 28110.
lhuang@test1's password:

[this is ssh authentication again]

165             if (readonly)
(gdb) n
168             err = virGetLastError();
(gdb)
169             if (err && err->domain == VIR_FROM_POLKIT &&
(gdb)
171                 if (!(pkagent = virPolkitAgentCreate()))
(gdb)
Detaching after fork from child process 28134.

[Here virsh creates another pkttyagent again]

** (pkttyagent:28134): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)

[This is why pkttyagent reports we already created a pkttyagent for this process]

179             virResetLastError();
(gdb) n
183         } while (authfail < 5);
(gdb) p authfail
$2 = 0

[we won't add authfail, and this makes us unable to jump out of this loop]

(gdb) n
161             if ((c = virConnectOpenAuth(uri, virConnectAuthPtrDefault,
(gdb)
Detaching after fork from child process 28150.
lhuang@test1's password:
165             if (readonly)
(gdb) p authfail
$3 = 0
(gdb) c
Continuing.
Detaching after fork from child process 1550.

** (pkttyagent:1550): WARNING **: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject (polkit-error-quark, 0)
Detaching after fork from child process 1553.
lhuang@test1's password:
```

And I can find many pkttyagent processes on the source machine before I kill the virsh client:

```
# ps aux|grep pktty
lhaung   14089  0.0  0.0 205184  3028 pts/12   Sl   09:09   0:00 /usr/bin/pkttyagent --process 14082 --notify-fd 7 --fallback
lhaung   14814  0.0  0.0 205184  3028 pts/12   Sl+  09:15   0:00 /usr/bin/pkttyagent --process 14809 --notify-fd 7 --fallback
lhaung   14898  0.0  0.0      0     0 pts/12   Z+   09:15   0:00 [pkttyagent] <defunct>
root     15008  0.0  0.0 112648   956 pts/0    S+   09:16   0:00 grep --color=auto pktty
```

I think maybe libvirt should not create a pkttyagent when the url is a remote url.

---

Hi, John,

Is there any plan to fix the issue in comment 35 in this bug? Or can I verify the bug now and file a separate bug for the issue in comment 35?

---

Comment 37, John Ferlan:

Just make a separate bug. Luyao did great providing details and a reproducible example. Unfortunately I just didn't have enough time to devote to researching those details. Additionally adding +ssh is different than the base issue/problem where polkit authentication just wasn't working for the non-GUI session.

---

(In reply to John Ferlan from comment #37)
> Just make a separate bug. Luyao did great providing details and a
> reproducible example. Unfortunately I just didn't have enough time to devote
> to researching those details. Additionally adding +ssh is different than the
> base issue/problem where polkit authentication just wasn't working for the
> non-GUI session.

Thanks for your quick reply.
A new bug has been filed for the issues in comment 37: https://bugzilla.redhat.com/show_bug.cgi?id=1374126

Reproduced with libvirt-1.2.17-13.el7_2.5.x86_64. Test steps:

1. Test with "su non-root", failed with error:

```
#su non-root
$virsh -c qemu:///system
error: failed to connect to the hypervisor
error: authentication failed: no agent is available to authenticate
```

2. Test with "ssh non-root@localhost", failed with error:

```
#ssh non-root@localhost
$virsh -c qemu:///system
error: failed to connect to the hypervisor
error: authentication failed: no agent is available to authenticate
```

3. Test with "ssh -X non-root@localhost", failed with error:

```
#ssh -X non-root@localhost
$virsh -c qemu:///system
error: failed to connect to the hypervisor
error: authentication failed: no agent is available to authenticate
```

Verify pass with libvirt-2.0.0-8.el7.x86_64.

1. Test with "su non-root", polkit works well with virsh:

```
#su non-root
$virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #
```

2. Test with "ssh non-root@localhost":

```
#ssh non-root@localhost
$virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #
```

3. Test with "ssh -X non-root@localhost":

```
#ssh -X non-root@localhost
$virsh -c qemu:///system
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2577.html