PolicyKit and libvirt integration
For Fedora 9, one of the new features we’ve got pending for virtualization is integration with PolicyKit. This will allow virt-manager to manage local hypervisor connections without having to run as root via consolehelper. Although the virt-manager part of this won’t be ready for a while yet, the libvirt bits were made available in libvirt 0.4.0 just before Christmas. As a sneak preview, this is now in updates-testing and already gives you the ability to run virsh as non-root.
For example, currently if you run virsh as non-root you’ll see something like:
$ virsh --connect qemu:///system
libvir: Remote error : authentication failed
error: failed to connect to the hypervisor
Now with PolicyKit support you can use ‘polkit-grant’ to authenticate and then you’ll be able to run virsh without issue!
$ polkit-grant --gain org.libvirt.unix.manage
Attempting to gain the privilege for org.libvirt.unix.manage.
Authentication is required.
Password:
Keep this privilege for the session? [no/session]? session
Successfully gained the privilege for org.libvirt.unix.manage.
$ virsh --connect qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # start VirtTest
virsh # list
 Id Name                 State
----------------------------------
  1 VirtTest             running
In other news, Rich Jones has created a Mozilla Plugin for GTK-VNC so there’s at last a less-sucky replacement for the terrible Java VNC plugins out there.
How do we know which argument to give polkit-grant --gain?
The authorization error message doesn’t say ‘org.libvirt.unix.manage’ explicitly, nor does it indicate that polkit-grant is the correct avenue for corrective action.
In 0.7 I’ve added some convenience API in the form of the polkit-auth-obtain() function that virsh can use.
It even brings up a UI dialog for the authentication if you are running X (if not, it spawns polkit-grant). In addition, it has the advantage that you don’t need to retain the authorization for the session; you can choose to keep it only for the invocation of virsh.
(I think this might even work for ssh logins (e.g. where we don’t have XDG_SESSION_COOKIE); if it doesn’t, please let me know and I’ll fix that.)
Oh, and 0.7 is only available on Rawhide. And polkit-grant was renamed to polkit-auth.
Also with 0.7 you can put additional stuff such as vendor, vendor_url and icon_name in the .policy file, see here, and these are used in both the auth dialog and the new polkit-gnome-authorization tool.
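A defender's audit of such a .policy file, as an added example that is not part of the original post or comments and is not libvirt or PolicyKit code: it lists each action's defaults and flags those that grant access without authentication or let an authorization be retained, as the "Keep this privilege for the session?" prompt above does. The XML is constructed; only the action id org.libvirt.unix.manage and the vendor, vendor_url and icon_name fields come from the page, and the element layout and result values are assumptions about the PolicyKit 0.7 file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not libvirt's shipped file. Only the first action id is from
# the post; layout, defaults and vendor values are assumptions for illustration.
SAMPLE_POLICY = """<policyconfig>
  <vendor>Example Vendor</vendor>
  <vendor_url>http://vendor.example/</vendor_url>
  <icon_name>example-icon</icon_name>
  <action id="org.libvirt.unix.manage">
    <description>Manage local virtualized systems</description>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
  <action id="org.example.constructed.open">
    <description>Constructed action that needs no authentication</description>
    <defaults>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def audit_policy(xml_text):
    """Return {action_id: {"defaults", "meta", "flags"}} for a .policy document."""
    root = ET.fromstring(xml_text)
    report = {}
    for action in root.findall("action"):
        defaults = {k: (action.findtext("defaults/" + k) or "unspecified").strip()
                    for k in ("allow_inactive", "allow_active")}
        flags = []
        for scope, result in defaults.items():
            if result == "yes":
                flags.append(scope + ": granted without authentication")
            elif result.endswith(("_keep_session", "_keep_always")):
                flags.append(scope + ": authorization can be retained (" + result + ")")
        # Vendor fields: per-action value if present, else file level (placement assumed).
        meta = {k: action.findtext(k) or root.findtext(k)
                for k in ("vendor", "vendor_url", "icon_name")}
        report[action.get("id")] = {"defaults": defaults, "meta": meta, "flags": flags}
    return report

if __name__ == "__main__":
    for action_id, info in audit_policy(SAMPLE_POLICY).items():
        print(action_id, info["defaults"], info["flags"] or "no flags")
```

Run against the .policy files installed on a host, the flagged entries are the ones worth reviewing, since a retained authorization outlives the single command it was obtained for.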