Bug 1437933 - Virt-manager fails to connect to system QEMU/KVM
Summary: Virt-manager fails to connect to system QEMU/KVM
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: virt-manager
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Cole Robinson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-31 13:20 UTC by František Zatloukal
Modified: 2019-04-24 14:28 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-24 14:28:02 UTC
Type: Bug


Attachments (Terms of Use)
journal excerpt (10.87 KB, text/plain)
2019-04-20 23:39 UTC, Chris Murphy
no flags Details

Description František Zatloukal 2017-03-31 13:20:43 UTC
Description of problem:
When I try to connect to the system QEMU/KVM session, virt-manager reports this:

authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

Libvirt URI is: qemu:///system

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1000, in _do_open
    self._backend.open(self._do_creds_password)
  File "/usr/share/virt-manager/virtinst/connection.py", line 149, in open
    open_flags)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 105, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'


Version-Release number of selected component (if applicable):
virt-manager-1.4.1-2.fc25

How reproducible:
Always

Steps to Reproduce:
1. Run virt-manager
2. Try to open connection to System QEMU/KVM (User session works just fine)

Comment 1 Cole Robinson 2017-03-31 16:41:06 UTC
What desktop environment are you using? Typically a polkit agent is provided by eg gnome-shell.

But you can avoid the need for a password prompt by addding your user to the libvirt group:

http://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html

Comment 2 František Zatloukal 2017-04-03 08:34:24 UTC
I am using gnome-shell. Shouldn't I see some window where i can type my password in case it's needed?

usermod --append --groups libvirt `whoami`
fixed the issue, thanks!

Comment 3 Cole Robinson 2017-04-03 22:55:26 UTC
Hmm that's weird that you are using gnome-shell but the polkit agent isn't working.

Does another polkit using tool like the system-config-printer 'unlock' button launch a password prompt as expected?

Comment 4 František Zatloukal 2017-04-05 11:12:26 UTC
Yes, unlock button in system-config-printer shows pop-up asking for password.

Comment 5 Cole Robinson 2017-04-05 17:04:49 UTC
Okay well since the groups change fixed things for you, not gonna both undoing it to try and narrow what went wrong, maybe some temporary breakage. But i'll reopen this if I hear other reports

Comment 6 Richard W.M. Jones 2017-06-26 12:51:38 UTC
I can report the same thing happened here.  I was running virt-manager
over a remote X11 connection, and the popup as described happened.
Even better, running the usermod command fixed it.

Comment 7 Richard W.M. Jones 2017-06-26 12:51:52 UTC
That is with virt-manager-1.4.1-2.fc25.noarch

Comment 8 Mo Battah 2017-11-12 02:02:21 UTC
Same circumstance as Richard Jones - 

Was SSH'd into a headless server, running virt-manager with regular user prompted the issue. Resolved by adding user to libvirt group. 

Due to linkrot, I'll repost the resolution - 

$ usermod --append --groups libvirt `whoami`

Comment 9 Chris Murphy 2019-04-20 23:36:38 UTC
This is still a bug on Fedora 30 Workstation, clean installed from Fedora-Workstation-Live-x86_64-30-20190415.n.0.iso and updated to current u-t.


libvirt-daemon-5.1.0-4.fc30.x86_64
virt-manager-2.1.0-2.fc30.noarch
gnome-shell-3.32.1-1.fc30.x86_64

Details shows:
Unable to connect to libvirt qemu+ssh://chris@fmac.local/system.

authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'

Verify that the 'libvirtd' daemon is running on the remote host.

Libvirt URI is: qemu+ssh://chris@fmac.local/system

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1012, in _do_open
    self._backend.open(connectauth.creds_dialog, self)
  File "/usr/share/virt-manager/virtinst/connection.py", line 138, in open
    open_flags)
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 104, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirt.libvirtError: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'



$ sudo systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-04-20 17:03:19 MDT; 28min ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 1062 (libvirtd)
    Tasks: 19 (limit: 32768)
   Memory: 56.1M
   CGroup: /system.slice/libvirtd.service
           ├─1062 /usr/sbin/libvirtd
           ├─1177 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─1178 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Apr 20 17:03:22 fmac.local dnsmasq[1177]: using nameserver 75.75.76.76#53
Apr 20 17:03:24 fmac.local dnsmasq[1177]: reading /etc/resolv.conf
Apr 20 17:03:24 fmac.local dnsmasq[1177]: using nameserver 75.75.75.75#53
Apr 20 17:03:24 fmac.local dnsmasq[1177]: using nameserver 75.75.76.76#53
Apr 20 17:03:24 fmac.local dnsmasq[1177]: using nameserver 2001:558:feed::1#53
Apr 20 17:03:24 fmac.local dnsmasq[1177]: using nameserver 2001:558:feed::2#53
Apr 20 17:24:24 fmac.local libvirtd[1062]: libvirt version: 5.1.0, package: 4.fc30 (Fedora Project, 2019-04-02-16:12:24, )
Apr 20 17:24:24 fmac.local libvirtd[1062]: hostname: fmac.local
Apr 20 17:24:24 fmac.local libvirtd[1062]: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'
Apr 20 17:24:24 fmac.local libvirtd[1062]: End of file while reading data: Input/output error

Comment 10 Chris Murphy 2019-04-20 23:39:03 UTC
Created attachment 1556776 [details]
journal excerpt

This is what's reported in the journal from the time I double click on the connection, enter the ssh passphrase for the test machine, and the error message from client virt-manager which really looks like it's just reporting the remote host's error.

Comment 11 Chris Murphy 2019-04-20 23:46:10 UTC
I don't know what's going on because it fails with the same message even with a public key added to the host, and this definitely works on Fedora 29 Server because I use this exact setup all the time.

Comment 12 Chris Murphy 2019-04-20 23:51:03 UTC
Sorry, just to be clear: two laptops running Fedora 30 Workstation with the software versions listed above (they are the same). The fmac.local is the host that I want to run VM's on, that's where the errors actually occur and are recorded in the journal, and is the clean installed system. The local client I'm using virt-manager on is flap.local, is not clean installed, it was f29 upgraded to f30. And fnuc.local (not really part of this bug it's just a sanity test) is a Fedora 29 Server, to which I can successfully connect from flap.local.

So yeah, there's something wrong on the clean installed F30 Workstation "fmac.local" system. But I can't figure out what it is. The "Apr 20 17:24:24 fmac.local libvirtd[1062]: End of file while reading data: Input/output error" is suspicious, an EOF? OK what file? What path? I see no SElinux AVCs. Maybe the bug is the file doesn't exist but should?

Comment 13 Cole Robinson 2019-04-23 14:38:43 UTC
Chris, thanks for the report, but in general I think it's better to file a new bug and point to an older issue than to reopen a bug that's been closed for 2 years. If it's actually bug in the code there's a good chance it's in a completely different area after two years.

On fmac.local, is user 'chris' in the 'libvirt' group? Otherwise this isn't going to work, because the remote host wants to launch a polkit dialog, typically provided by desktop env like gnome-shell, but the ssh session doesn't have access to it. Try: usermod --append --groups libvirt `whoami`

More info here: https://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html

You may need to log out and log back in on the remote host.

If that doesn't help, from the local host try:

  virsh --connect qemu+ssh://chris@fmac.local/system

If that fails too then we can eliminate virt-manager from the equation

Comment 14 Chris Murphy 2019-04-23 22:19:49 UTC
>On fmac.local, is user 'chris' in the 'libvirt' group? 

Nope. Fixing that fixes the problem.


Note You need to log in before you can comment on or make changes to this bug.