Bug 570594 - RFE: libvirt to block shutdown on desktops
RFE: libvirt to block shutdown on desktops
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: systemd (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: systemd-maint
Fedora Extras Quality Assurance
:
Depends On:
Blocks: systemd-RFE
  Show dependency treegraph
 
Reported: 2010-03-04 14:58 EST by Simo Sorce
Modified: 2016-03-23 18:10 EDT (History)
16 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 826044 (view as bug list)
Environment:
Last Closed: 2012-05-29 06:34:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Simo Sorce 2010-03-04 14:58:52 EST
It would be useful if libvrit or virt-manager could block shutdown when virtual machines are actually active to avoid killing them badly if the user forgts they are running and tries to shutdown/reboot the machine.
Just like you are prevented form shutting down if there are other users logged in on other consoles (override through root password).
Comment 1 Fedora Admin XMLRPC Client 2011-09-22 13:49:54 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Fedora Admin XMLRPC Client 2011-09-22 13:52:50 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Fedora Admin XMLRPC Client 2011-09-22 13:58:10 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Fedora Admin XMLRPC Client 2011-11-30 14:30:36 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Fedora Admin XMLRPC Client 2011-11-30 14:34:18 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Fedora Admin XMLRPC Client 2011-11-30 14:40:40 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Fedora Admin XMLRPC Client 2011-11-30 14:51:50 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Eric Blake 2011-11-30 19:48:16 EST
(In reply to comment #0)
> It would be useful if libvrit or virt-manager could block shutdown when virtual
> machines are actually active to avoid killing them badly if the user forgts
> they are running and tries to shutdown/reboot the machine.
> Just like you are prevented form shutting down if there are other users logged
> in on other consoles (override through root password).

The libvirt-guests init script was added after this original request was made, which currently lets the user control whether all guests should first be saved (and auto-restored on guest boot), or gracefully shutdown.  Is this sufficient for your needs, or do we still need another mode where the existence of a guest blocks shutdown?
Comment 9 Eric Blake 2011-11-30 19:56:12 EST
These days, /sbin/shutdown is a symlink to /bin/systemctl.  I'm reassigning this to the systemd package for help in determining how best to make systemctl prevent shutdown without root authorization if the libvirtd service says a guest is running.  Feel free to assign it back to libvirt if it needs to be done in libvirtd's init script.
Comment 10 Simo Sorce 2011-11-30 21:35:50 EST
(In reply to comment #8)
> (In reply to comment #0)
> > It would be useful if libvrit or virt-manager could block shutdown when virtual
> > machines are actually active to avoid killing them badly if the user forgts
> > they are running and tries to shutdown/reboot the machine.
> > Just like you are prevented form shutting down if there are other users logged
> > in on other consoles (override through root password).
> 
> The libvirt-guests init script was added after this original request was made,
> which currently lets the user control whether all guests should first be saved
> (and auto-restored on guest boot), or gracefully shutdown.  Is this sufficient
> for your needs, or do we still need another mode where the existence of a guest
> blocks shutdown?

Yes, it is working just great on my F16 machine, and saved my guests more than once lately.
Thank you very much for this one, it is a great feature!
Comment 11 Michal Schmidt 2011-12-01 08:19:54 EST
(In reply to comment #9)
> These days, /sbin/shutdown is a symlink to /bin/systemctl.  I'm reassigning
> this to the systemd package for help in determining how best to make systemctl
> prevent shutdown without root authorization if the libvirtd service says a
> guest is running.

I must be missing something. /sbin/shutdown (-> /bin/systemctl) does not allow non-root users to do anything:

$ shutdown -h
Must be root.
Comment 12 Eric Blake 2011-12-01 10:12:39 EST
But /usr/bin/reboot (In reply to comment #11)
> (In reply to comment #9)
> > These days, /sbin/shutdown is a symlink to /bin/systemctl.  I'm reassigning
> > this to the systemd package for help in determining how best to make systemctl
> > prevent shutdown without root authorization if the libvirtd service says a
> > guest is running.
> 
> I must be missing something. /sbin/shutdown (-> /bin/systemctl) does not allow
> non-root users to do anything:
> 
> $ shutdown -h
> Must be root.

But /usr/bin/reboot allows non-root to reboot the machine, and at the moment, that even happens even if there are other users logged on at the time.  'man reboot' also points to systemd, but rpm -qf says /usr/bin/reboot points to usermode.  Do we need to make usermode smarter?

I tried:

boot
ctrl-alt-f2
login as root
ctrl-alt-f3
login as non-root
$ reboot

and the system rebooted, even though it took out a logged-in root session.
Comment 13 Kay Sievers 2011-12-01 11:47:12 EST
(In reply to comment #12)
> Do we need to make usermode smarter?

The usermode hack is a really broken concept at many levels, it should just be
removed from the system. There are open features/bugs for it already.

We have pkexec and sudo for these kind ofoperations. (In)transparently
providing tools with root privileges just asks for troubles like this.
Comment 14 Jóhann B. Guðmundsson 2012-02-27 05:33:37 EST
Ping what's the current status of this?
Comment 15 Lennart Poettering 2012-03-12 22:45:31 EDT
Hmm, so we now have hooked up "systemctl poweroff" with policykit, and have two different authroizations for it, one if more than one user is logged in, and one if only one user is logged in. We probably could add another one, that is used whenver some service wants to block shutdown.

Shutdown blocking kinda reminds me of the hole suspend blockers discussion. Maybe it should be solved the same way?
Comment 16 Lennart Poettering 2012-04-16 15:17:07 EDT
We now have shutdown inhibitors in systemd git. As soon as this hits F18 libvirt could start making use of this.

The scheme is very simple: just invoke the call org.freedesktop.login1.Manager.Inhibit() on the /org/freedesktop/login1 object on the org.freedesktop.login1 service. It takes three string arguments: "what", "who" and "why".

what = what to inhibit, can be one or more of "shutdown", "suspend", "idle", separated by ":". For libvirt only "shutdown" should be relevant.

who = some user-readable application identifier (e.g: "Virtualization Manager")

why = some user-readable reason for the lock (e.g: "A VM is still running")

this call returns only a single fd. That fd encapsulates the lock and should be kept around as long as needed. As soon as it is closed the lock goes away.

The effect of taking an inhibitor lock like this is that shutdowns will only be available to privileged clients or those which have a PolicyKit privilege for overriding these inhibits.
Comment 17 Fedora Update System 2012-05-18 19:38:38 EDT
systemd-44-9.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/systemd-44-9.fc17
Comment 18 Fedora Update System 2012-05-19 14:33:53 EDT
Package systemd-44-9.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-44-9.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8127/systemd-44-9.fc17
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2012-05-21 12:55:24 EDT
Package systemd-44-10.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-44-10.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8127/systemd-44-10.fc17
then log in and leave karma (feedback).
Comment 20 Fedora Update System 2012-05-22 11:55:07 EDT
Package systemd-44-12.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-44-12.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8127/systemd-44-12.fc17
then log in and leave karma (feedback).
Comment 21 Fedora Update System 2012-05-29 06:34:26 EDT
systemd-44-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.