Bug 1011404 - Fail to connect the libvirtd server with the tls while enable the access_driver
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
7.0
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Berrange
Virtualization Bugs
:
Depends On:
Blocks:
Reported: 2013-09-24 04:21 EDT by zhenfeng wang
Modified: 2014-04-24 05:00 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-27 10:34:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description zhenfeng wang 2013-09-24 04:21:10 EDT
Description of problem:
Failed to connect to the libvirtd server with TLS while the access_driver is enabled in libvirtd.conf

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-4.el7.x86_64
kernel-3.10.0-14.el7.x86_64
libvirt-1.1.1-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare the TLS environment
(see the attachment named tls_configuration.txt)

2. Connect to the libvirtd service with TLS while the access_driver is not enabled in libvirtd.conf

# virsh -c qemu+tls://zhwang7/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel7                          shut off
 -     rhel73                         shut off
 -     rhel7qcow2                     shut off

3. Connect to the libvirtd service with TLS while the access_driver is enabled in libvirtd.conf
cat /etc/libvirt/libvirtd.conf
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]

# virsh -c qemu+tls://zhwang7/system
error: failed to connect to the hypervisor
error: access denied

Check the log info in libvirtd.log:
2013-09-23 07:29:55.659+0000: 5752: error : virAccessDriverPolkitFormatProcess:97 : internal error: No UNIX process ID available
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5744: error : virNetSocketReadWire:1369 : Cannot recv data: Input/output error

Actual results:
Failed to connect to the libvirtd server with TLS

Expected results:
Should connect to libvirt with TLS successfully while the access_driver is enabled in libvirtd.conf

Additional info:
Comment 2 Jiri Denemark 2013-09-27 10:14:51 EDT
Hmm, looks like a result of fixing the pkcheck CVE. Daniel, how do we handle this with tls or tcp transports?
Comment 3 Daniel Berrange 2013-09-27 10:20:27 EDT
The polkit access control driver will only work for UNIX domain sockets. If you wish to use TCP sockets, then you must disable the access control driver.
Comment 4 zhenfeng wang 2014-03-31 03:39:49 EDT
Hi DB
I just re-checked this bug and have a new doubt about it. As we know, the polkit access control driver was designed for the non-privileged user, and it shouldn't affect the root user's function. So I think the root user should connect to libvirt with TLS successfully while we enable the access control driver as described in comment 0. I saw your explanation in comment 3; I think this explanation should only apply to the non-privileged user and shouldn't limit the root user. Maybe it is necessary to re-open this bug, what's your opinion? Can you help me have a look? Thanks
Comment 5 Daniel Berrange 2014-04-24 05:00:44 EDT
When a client connects over TCP sockets, there is no way of knowing that the user at the other end of the socket is "root". This is precisely why the access control mechanism only works for UNIX sockets.
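The point made in comments 3 and 5 (the daemon can only identify the calling process, and therefore feed polkit, when the client arrives over a UNIX domain socket) can be demonstrated with peer credentials directly. The following is an added example, not libvirt code: it queries Linux `SO_PEERCRED` on an AF_UNIX socketpair and on a loopback TCP connection and runs a toy policy check on the result. The `authorize`/`policy` functions and the "allowed only if the peer is identifiable" rule are assumptions of this example that stand in for the polkit driver; the denial reason text mirrors the libvirtd.log line quoted above.

```python
"""Why a polkit-style access driver needs a UNIX socket (added example, not libvirt code).

On Linux, SO_PEERCRED returns the pid/uid/gid of the peer only for AF_UNIX
sockets.  For a TCP (or TLS-over-TCP) connection the kernel fills in pid 0 and
uid/gid -1, so there is no process identity to hand to polkit, which is what
"No UNIX process ID available" in the log expresses.
"""
import os
import socket
import struct

# Linux `struct ucred { pid_t pid; uid_t uid; gid_t gid; }`: pid signed, ids unsigned.
_UCRED_FMT = "iII"
_NO_ID = 0xFFFFFFFF  # kernel writes -1 into uid/gid when the socket carries no peer cred


def peer_credentials(sock):
    """Return (pid, uid, gid) of the connected peer, or None if unavailable."""
    opt = getattr(socket, "SO_PEERCRED", None)
    if opt is None:  # not Linux
        return None
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, opt, struct.calcsize(_UCRED_FMT))
    except OSError:
        return None
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw)
    if pid == 0 or uid == _NO_ID:  # TCP/TLS peers land here
        return None
    return pid, uid, gid


def authorize(sock, policy=lambda uid: uid == 0):
    """Toy access driver (assumption of this example, stands in for polkit).

    `policy` decides on the peer uid; the default permits only uid 0, i.e. the
    "root should be allowed" expectation from the discussion.  The decision can
    only be made when the peer is identifiable, so a TCP peer is always denied.
    """
    creds = peer_credentials(sock)
    if creds is None:
        return {"allowed": False, "reason": "No UNIX process ID available"}
    pid, uid, gid = creds
    if policy(uid):
        return {"allowed": True, "reason": f"pid={pid} uid={uid} gid={gid}"}
    return {"allowed": False, "reason": f"policy denied uid={uid}"}


def unix_demo():
    """Both ends of an AF_UNIX socketpair in this process: credentials are visible."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return authorize(b, policy=lambda uid: uid == os.getuid())
    finally:
        a.close()
        b.close()


def tcp_demo():
    """Loopback TCP connection from the same user: no credentials, so denied."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        return authorize(conn, policy=lambda uid: uid == os.getuid())
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print("unix:", unix_demo())
    print("tcp :", tcp_demo())
```

Running it shows the asymmetry the maintainer describes: the UNIX socket path yields a pid and uid and the policy can pass, while the TCP path, even from root on the same host, produces no identity at all, so the only safe answer for an identity-based driver is to deny. This is the reason disabling `access_drivers` is the supported configuration for `qemu+tls://` and `qemu+tcp://` in this version rather than a bug to fix.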
