Bug 464069 - Can't start domains as non-root any more
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 9
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-09-26 02:36 EDT by Mogens Kjaer
Modified: 2008-10-20 18:17 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-10-20 18:17:45 EDT

Attachments:
debug output, non-root (2.05 KB, text/plain) - 2008-09-30 06:02 EDT, Mogens Kjaer
Debug output, root (2.56 KB, text/plain) - 2008-09-30 06:02 EDT, Mogens Kjaer
Debug output as non-root user (3.14 KB, text/plain) - 2008-09-30 10:09 EDT, Eduardo Villagrán Morales
Debug output as root (2.56 KB, text/plain) - 2008-09-30 10:10 EDT, Eduardo Villagrán Morales
virsh net-list without debug as root (124 bytes, text/plain) - 2008-09-30 10:11 EDT, Eduardo Villagrán Morales

Description Mogens Kjaer 2008-09-26 02:36:26 EDT
Description of problem:

After the latest update of libvirt I can't start a virtual machine
in virt-manager as a non-root user.

I've enabled active console access to manage local
virtualized systems in System | Preferences | System | Authorizations
and it used to work.

Version-Release number of selected component (if applicable):

It worked before these updates:

Sep 25 15:44:35 Updated: libvirt-0.4.5-2.fc9.x86_64
Sep 25 15:45:27 Updated: libvirt-python-0.4.5-2.fc9.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. Start virt-manager
2. Open virtual machine
3. Click on run
  
Actual results:

Error starting domain: operation virDomainCreate forbidden for read only access

Details:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 472, in run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 379, in startup
    self.vm.create()
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 262, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: operation virDomainCreate forbidden for read only access


Expected results:

Domain starting

Additional info:
Comment 1 S.Mendis 2008-09-27 08:55:10 EDT
I can confirm this.

1. In policykit, org.libvirt.unix.manage has my user granted under explicit permissions
2. When virt-manager is run, I select 'Run as Unprivileged'
3. With the latest updates mentioned by OP, I cannot start the VM, nor create one.

I have sort of proved that libvirt has policy support by doing the following:
1. In policykit org.libvirt.unix.monitor (note MONITOR) I've BLOCKED access to my user
2. When virt-manager is run, I select 'Run as unprivileged'
3. When I try to connect to local host, it doesn't connect, which makes sense.
4. When I remove the blocked user, it works.

Basically I cannot 'manage' VMs even if I tell PolicyKit that I can
Comment 2 Eduardo Villagrán Morales 2008-09-29 22:19:32 EDT
I have the same problem. I'm using an x86 kernel with kvm. When I try to start up a VM as a non-root user I get:
libvirtError: operation virDomainCreate forbidden for read only access

If I do net-list on virsh as a non-root user, it shows no virtual network.
If I do net-list on virsh as root, it shows the default virtual network.
Comment 3 Daniel Berrange 2008-09-30 05:42:31 EDT
Please provide the output of the following command


LIBVIRT_DEBUG=1  virsh net-list


when run as root, and also when run as non-root
Comment 4 Mogens Kjaer 2008-09-30 06:02:13 EDT
Created attachment 318053 [details]
debug output, non-root
Comment 5 Mogens Kjaer 2008-09-30 06:02:39 EDT
Created attachment 318054 [details]
Debug output, root
Comment 6 Eduardo Villagrán Morales 2008-09-30 10:09:03 EDT
Created attachment 318077 [details]
Debug output as non-root user

Debug output on x86
Comment 7 Eduardo Villagrán Morales 2008-09-30 10:10:20 EDT
Created attachment 318078 [details]
Debug output as root

Debug output on x86.
Comment 8 Eduardo Villagrán Morales 2008-09-30 10:11:22 EDT
Created attachment 318079 [details]
virsh net-list without debug as root

On the same x86 machine.
Comment 9 S.Mendis 2008-10-02 07:35:11 EDT
Issue remains after upgrading to the following packages

libvirt-0.4.6-2.fc9.i386
virt-manager-0.5.4-4.fc9.i386
Comment 10 Daniel Berrange 2008-10-02 07:43:23 EDT
WRT to comment #2


> I have the same problem. I'm using an x86 kernel with kvm. When I try to start up a
> VM as a non-root user I get:
> libvirtError: operation virDomainCreate forbidden for read only access
>
> If I do net-list on virsh as a non-root user, it shows no virtual network.
> If I do net-list on virsh as root, it shows the default virtual network.

This is not a bug. You are not supplying any hypervisor URI to libvirt, so as non-root it is connecting to 'qemu:///session', a per-user unprivileged connection which has no virtual networking. As root it will connect to 'qemu:///system', which does support networking. If you want to see the networks as non-root, you need to explicitly specify the hypervisor URI, e.g.

  virsh --connect qemu:///system net-list

This is not related to the original bug report here against virt manager, so if you have any further issues with this please open a separate bug.
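
The following is an added example, not part of the bug thread or of libvirt/virt-manager: a probe written against the libvirt Python bindings that reports, for each URI named in comment 10, whether a read-write connection is granted and which networks are visible. The helper names `default_qemu_uri` and `access_report` are hypothetical, and the live run assumes libvirt-python is installed.

```python
import os

try:
    import libvirt  # libvirt-python bindings; only needed for the live run below
except ImportError:
    libvirt = None


def default_qemu_uri(euid):
    """URI chosen when none is supplied, as described in comment 10."""
    return "qemu:///system" if euid == 0 else "qemu:///session"


def access_report(uri, lv):
    """Return (read_write_granted, active_network_names) for `uri`.

    `lv` is the libvirt module, passed in so the logic can be exercised
    with a stand-in object (hypothetical helper, not a libvirt API).
    """
    try:
        # Read-write connection: the access the 'manage' authorization
        # mentioned in comment 1 is meant to grant on qemu:///system.
        conn = lv.open(uri)
        read_write = True
    except lv.libvirtError:
        # Read-only connection: covered by the 'monitor' authorization.
        conn = lv.openReadOnly(uri)
        read_write = False
    try:
        return read_write, sorted(conn.listNetworks())
    finally:
        conn.close()


if __name__ == "__main__" and libvirt is not None:
    euid = os.geteuid()
    print("default URI for euid %d: %s" % (euid, default_qemu_uri(euid)))
    for uri in ("qemu:///session", "qemu:///system"):
        try:
            rw, nets = access_report(uri, libvirt)
        except libvirt.libvirtError as err:
            print("%s: probe failed (%s)" % (uri, err))
            continue
        print("%s: read-write=%s networks=%s" % (uri, rw, nets))
```

A `read-write=False` result for `qemu:///system` is the condition under which starting a domain fails with the "forbidden for read only access" error quoted in the description.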
Comment 11 Daniel Berrange 2008-10-02 07:45:28 EDT
WRT the original reporter:  Mogens Kjaer 

Are you running virt-manager privileged as root, or unprivileged as non-root? In Fedora virt-manager is set up to prompt for root auth when it first starts.

So, anyway, if virt-manager is running as root can you attach the file

 /root/.virt-manager/virt-manager.log

While, if you are running it unprivileged, can you provide

  $HOME/.virt-manager/virt-manager.log
Comment 12 Daniel Berrange 2008-10-02 07:56:14 EDT
Actually no need for that info - I've found the problem & will prepare a patch
Comment 13 Mogens Kjaer 2008-10-02 08:04:12 EDT
I've given non-root permissions to manage the virtual sessions using
System | Preferences | System | Authorizations,
so I run it "privileged as non-root", I guess.

Looking forward to the patch, thanks!
Comment 14 Fedora Update System 2008-10-02 08:06:09 EDT
virt-manager-0.5.4-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/virt-manager-0.5.4-5.fc9
Comment 15 Daniel Berrange 2008-10-02 08:06:27 EDT
Fix built into F9 for updates in virt-manager-0.5.4-5.fc9
Comment 16 Mogens Kjaer 2008-10-02 08:24:15 EDT
It works! Thanks again.
Comment 17 S.Mendis 2008-10-02 19:29:11 EDT
(In reply to comment #15)
> Fix built into F9 for updates in virt-manager-0.5.4-5.fc9

Good work. What was the original issue?

Cheers
Comment 18 Fedora Update System 2008-10-03 18:32:43 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update virt-manager'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8588
Comment 19 S.Mendis 2008-10-12 06:03:56 EDT
I've tested virt-manager-0.5.4-5.fc9 thoroughly and confirm it works
Comment 20 Fedora Update System 2008-10-20 18:17:42 EDT
virt-manager-0.5.4-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
