Bug 737557 - org.libvirt.manage policy kit denial
Summary: org.libvirt.manage policy kit denial
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Laine Stump
QA Contact: Virtualization Bugs
Depends On: 524732
Reported: 2011-09-12 14:43 UTC by Mike Jang
Modified: 2012-08-01 18:49 UTC
Doc Type: Bug Fix
Clone Of: 524732
Last Closed: 2012-08-01 18:49:13 UTC

Description Mike Jang 2011-09-12 14:43:21 UTC
+++ This bug was initially created as a clone of Bug #524732 +++

Description of problem:
On RHEL 6, when I run virt-manager, and try to connect to a hypervisor, it asks me for the root password, resulting in the following message:

Unable to open connection to hypervisor URI 'qemu:///system':
authentication failed
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 456, in _try_open
    None], flags)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 102, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication failed


Version-Release number of selected component (if applicable):
virt-manager-0.8.0-4.fc12.noarch
polkit-gnome-0.96-3.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1. see above
  
Actual results:
Tells me it can't connect to libvirtd

Expected results:
Asks for authentication, then connects

Additional info:
virt-manager worked before a previous update.

Based on the cloned bug, I also tried 

  $> virsh -c qemu:///system list --all

with a similar error message. The libvirt wiki suggests a workaround that solves the problem for me, ref http://wiki.libvirt.org/page/SSHPolicyKitSetup

I created the following file
 /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla

with the following contents (slightly modified from the Wiki)

 [Remote libvirt VM access]
 Identity=unix-user:justme
 Action=org.libvirt.unix.manage
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes
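
The entry above answers `yes` for `org.libvirt.unix.manage` in every session type, so `justme` is never prompted, including in sessions that are not the active local console. The following is an added example, not part of the bug report or the libvirt wiki: a small auditor that parses `.pkla` text and reports entries granting an action without authentication. The function name `audit_pkla` and the finding fields are hypothetical; the sample input is the entry from the description.

```python
import configparser
import fnmatch

# Sample input: the .pkla entry quoted in the bug description.
SAMPLE_PKLA = """\
[Remote libvirt VM access]
Identity=unix-user:justme
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def _split(value):
    """Identity and Action are semicolon-separated lists of globs."""
    return [v.strip() for v in value.split(";") if v.strip()]


def audit_pkla(text, action="org.libvirt.unix.manage"):
    """Return one finding per entry that answers 'yes' (no prompt) for action."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case: ResultAny, not resultany
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        entry = cp[name]
        # fnmatch approximates polkit's glob matching of action identifiers
        if not any(fnmatch.fnmatchcase(action, p) for p in _split(entry.get("Action", ""))):
            continue
        no_auth = [k for k in RESULT_KEYS if entry.get(k, "").strip() == "yes"]
        if not no_auth:
            continue
        identities = _split(entry.get("Identity", ""))
        findings.append({
            "entry": name,
            "identities": identities,
            "no_auth_for": no_auth,
            # ResultAny / ResultInactive reach beyond the active local console
            "beyond_active_console": bool({"ResultAny", "ResultInactive"} & set(no_auth)),
            "wildcard_identity": any(i.endswith(":*") for i in identities),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print(finding)
```

An entry that keeps `ResultActive=yes` but sets `ResultAny` and `ResultInactive` to `auth_admin` is still reported, with `beyond_active_console` false, which separates a console-only convenience grant from one that also covers other sessions.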

Comment 2 RHEL Product and Program Management 2011-09-12 15:08:53 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

Comment 3 David Zeuthen 2011-09-12 15:17:05 UTC
Sorry, but you are filing this against the wrong component. Reassigning.

Comment 4 Cole Robinson 2011-09-27 00:51:45 UTC
Moving to libvirt since that is the component which does polkit auth.

Comment 5 Dave Allan 2011-09-27 01:19:26 UTC
What version of libvirt?

Comment 6 Mike Jang 2011-09-27 01:27:19 UTC
$ rpm -q libvirt

libvirt-0.8.7-18.el6_1.1.x86_64

Comment 7 Dave Allan 2011-09-27 01:56:50 UTC
How did you install virt-manager?  It says it's the Fedora 12 version of virt-manager, which I'm guessing is the problem.

Comment 8 Mike Jang 2011-09-27 02:09:41 UTC
I installed it the normal way from RHEL 6 repos. 

When I searched the error message associated with the problem, I found the Fedora 12 bug, which almost perfectly described the issue. I therefore cloned the bug. 

I probably made an error in cloning, as I should have noted that the version number of virt-manager is from RHEL 6. I think you should be able to confirm that from my comment 6, which confirms with the "el6" that it is a RHEL 6 package.

Comment 9 Dave Allan 2011-09-27 02:55:37 UTC
Ok, then can you provide the correct version of virt-manager?  We really need to know exactly what packages you're using so we can try to reproduce what you're seeing.  Also, if you have a support contract, you should open a ticket with RH support.

Comment 10 Mike Jang 2011-09-27 03:14:25 UTC
I have just an "academic subscription," so I don't think I'm allowed to open a support ticket. 

$ rpm -q virt-manager
virt-manager-0.8.6-4.el6.noarch

In addition, the KVM system worked quite well for me at the release of RHEL 6, back in the Nov '10 - May '11 timeframe; I had up to four VMs going simultaneously. (I had no need for KVM between June - Sept '11; as I don't know the history of your updates, I don't know whether there are multiple revs in question.)

I only encountered the problem described with the update that I did just before I filed this bug. 

FWIW, it's not urgent for me personally, as the workaround I noted in the description, with the code I added to the following file: 

/etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla 

It makes KVM work fine for the OS testing that I do.

Comment 11 Dave Allan 2011-09-27 03:24:15 UTC
Ok, thanks for the info, we'll try to reproduce it.

Comment 12 Laine Stump 2011-11-21 18:51:00 UTC
Note that this problem does not appear on my RHEL6.2 beta system which is using libvirt-0.9.4-22.el6.x86_64

Mike - can you update your system as far as possible and check this again (it's a bit problematic for me to downgrade my test system that far). I actually think it's more likely you've got a problem in policykit rather than libvirt, but it would be best if we could both test with the same libvirt version.

Comment 13 Mike Jang 2011-11-21 19:16:27 UTC
Just tried with libvirt-0.8.7-18.el6_1.4.x86_64, without the "workaround" listed in comment 1, and I get the same error. 

I don't see your version of libvirt; each beta channel that I checked seems to have "0" packages. If you can show me how to get access to your 6.2 beta version, I'm willing to test it.

Comment 14 Laine Stump 2012-05-16 19:08:54 UTC
Mike - can you confirm this is still a problem? (There should be a public beta of RHEL6.3 available somewhere, although looking from the inside, I'm not sure where it is).

If it is still a problem, can you tell me if other desktop applications using policykit also fail? (e.g. "system-config-firewall").

Comment 16 Laine Stump 2012-07-18 03:32:12 UTC
I'm marking this as CondNAK Reproducer. Mike, if you can upgrade to RHEL6.3 and see if this is still a problem, report it here as soon as possible. Since we are unable to reproduce, we'll otherwise have to close the bug as WORKSFORME.

Comment 17 Laine Stump 2012-08-01 18:49:13 UTC
Closing since we can't reproduce it. If the bug re-occurs with the current release of RHEL, please re-open with updated details.
