#1 2020-06-02 19:08:54

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

[SOLVED] libvirtd - incorrect permission on socket files

Hi,
This is my first post, so excuse me if I didn't post in the right category.

I'm trying to configure libvirtd to use authentication with file-based permissions using the Wiki instructions. I verified that the group exists.

/etc/libvirt/libvirtd.conf:
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt/"
auth_unix_ro = "none"
auth_unix_rw = "none"

However the permissions on the socket are not correct after restart:

srw-------  1 root root   0 Jun  2 20:46 libvirt-admin-sock
srw-rw-rw-  1 root root   0 Jun  2 20:45 libvirt-sock
srw-rw-rw-  1 root root   0 Jun  2 20:46 libvirt-sock-ro

I already used this procedure with success in the past on Fedora on multiple occasions. The file permissions were like this:

srwxrwx---. 1 root libvirt  0 Sep  6 19:02 libvirt-sock
srwxrwx---. 1 root libvirt  0 Sep  6 19:02 libvirt-sock-ro

I tried to force the system to recreate the files with no luck. To recreate them I stopped all libvirt services (libvirtd, libvirtd-ro.socket, libvirtd.socket, libvirtd-admin.socket), deleted the files and restarted the services.

It's clear I must be missing something, but my search did not return anything.

Edit: Solved by configuring SocketMode and SocketGroup for the libvirt socket using systemd drop-in files

Last edited by morgothsauron (2020-06-03 19:20:12)

#2 2020-06-02 19:54:58

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [SOLVED] libvirtd - incorrect permission on socket files

Are the permissions being set by /usr/lib/tmpfiles.d/libvirt.conf?


#3 2020-06-02 19:58:27

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

There is a single entry in that file:

$ cat /usr/lib/tmpfiles.d/libvirt.conf
z /var/lib/libvirt/qemu 0751
$

#4 2020-06-02 20:16:29

loqs
Member
Registered: 2014-03-06
Posts: 17,377

Re: [SOLVED] libvirtd - incorrect permission on socket files

How is libvirtd started?  If you change

unix_sock_dir = "/var/run/libvirt/"

to

unix_sock_dir = "/run/libvirt"

Does that make a difference?

#5 2020-06-02 20:31:43

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

I use systemctl to manage the services.

I changed unix_sock_dir to /run/libvirt but the permissions are still incorrect after restarting all services.

#6 2020-06-02 20:42:55

loqs
Member
Registered: 2014-03-06
Posts: 17,377

Re: [SOLVED] libvirtd - incorrect permission on socket files

Which libvirt units are active?  The package supplies numerous ones:

libvirtd-admin.socket
libvirtd-ro.socket
libvirtd.service
libvirtd.socket
libvirtd-tcp.socket
libvirtd-tls.socket
libvirt-guests.service
virt-guest-shutdown.target
virtinterfaced-admin.socket
virtinterfaced-ro.socket
virtinterfaced.service
virtinterfaced.socket
virtlockd-admin.socket
virtlockd.service
virtlockd.socket
virtlogd-admin.socket
virtlogd.service
virtlogd.socket
virtlxcd-admin.socket
virtlxcd-ro.socket
virtlxcd.service
virtlxcd.socket
virtnetworkd-admin.socket
virtnetworkd-ro.socket
virtnetworkd.service
virtnetworkd.socket
virtnodedevd-admin.socket
virtnodedevd-ro.socket
virtnodedevd.service
virtnodedevd.socket
virtnwfilterd-admin.socket
virtnwfilterd-ro.socket
virtnwfilterd.service
virtnwfilterd.socket
virtproxyd-admin.socket
virtproxyd-ro.socket
virtproxyd.service
virtproxyd.socket
virtproxyd-tcp.socket
virtproxyd-tls.socket
virtqemud-admin.socket
virtqemud-ro.socket
virtqemud.service
virtqemud.socket
virtsecretd-admin.socket
virtsecretd-ro.socket
virtsecretd.service
virtsecretd.socket
virtstoraged-admin.socket
virtstoraged-ro.socket
virtstoraged.service
virtstoraged.socket
virtvboxd-admin.socket
virtvboxd-ro.socket
virtvboxd.service
virtvboxd.socket

#7 2020-06-02 20:52:39

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

I installed the following packages: libvirt qemu dmidecode dnsmasq virt-manager

I only have the following units (systemctl list-units *virt*)

  libvirtd.service        loaded active running   Virtualization daemon
  virtlogd.service        loaded active running   Virtual machine log manager
  libvirtd-admin.socket   loaded active running   Libvirt admin socket
  libvirtd-ro.socket      loaded active running   Libvirt local read-only socket
  libvirtd.socket         loaded active running   Libvirt local socket
  virtlockd.socket        loaded active listening Virtual machine lock manager socket
  virtlogd-admin.socket   loaded active running   Virtual machine log manager socket
  virtlogd.socket         loaded active running   Virtual machine log manager socket

In itself libvirt seems to work fine. I was able to import existing VM and use them.

#8 2020-06-02 20:58:06

loqs
Member
Registered: 2014-03-06
Posts: 17,377

Re: [SOLVED] libvirtd - incorrect permission on socket files

/etc/libvirt/libvirtd.conf has the following comments by default

#################################################################
#
# UNIX socket access controls
#

# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"

# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
#unix_sock_ro_perms = "0777"

# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
#unix_sock_rw_perms = "0770"

# Set the UNIX socket permissions for the admin interface socket.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"

# Set the name of the directory in which sockets will be found/created.
#
# This setting is not required or honoured if using systemd socket
# activation with systemd version >= 227
#
#unix_sock_dir = "/run/libvirt"

Which indicates that if you are using systemd socket activation, no settings in the above section will be honored.
Edit:
You could create Systemd#Drop-in_files for the socket units specifying the SocketGroup etc.; see systemd.socket

Last edited by loqs (2020-06-02 21:10:49)

#9 2020-06-02 21:23:09

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

I was so used to this procedure on Fedora that I missed the comment about systemd :( So basically this part of the Wiki describing these settings is not applicable when systemd is used.

There must be a way to change the socket permission. I was thinking about using Polkit as an alternative, but it does not make sense. The default socket permissions allow read and write access to everyone. That's not very secure.

#10 2020-06-02 21:29:12

loqs
Member
Registered: 2014-03-06
Posts: 17,377

Re: [SOLVED] libvirtd - incorrect permission on socket files

Have you tried creating a drop in file for the socket units as I suggested in my edit to post #8?

Last edited by loqs (2020-06-02 21:34:30)

#11 2020-06-02 21:38:35

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

Oh, I missed that edit :( I will have a look at it tomorrow.

Before you replied I looked at the unit file. It shows that the socket permission (SocketMode) is set there:

[Unit]
Description=Libvirt local socket
Before=libvirtd.service


[Socket]
# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting
# when using systemd version < 227
ListenStream=/run/libvirt/libvirt-sock
Service=libvirtd.service
SocketMode=0666

[Install]
WantedBy=sockets.target

Combining this (SocketMode) and your comment about drop in conf (SocketGroup), I think I have something to work with. With the correct drop in I should be able to change both the mode and the group for the socket.

I'll post back when I have an update on this tomorrow.

#12 2020-06-03 17:05:07

morgothsauron
Member
Registered: 2014-03-28
Posts: 32

Re: [SOLVED] libvirtd - incorrect permission on socket files

I was able to get the correct permissions using systemd drop-in files.

To create a new drop-in for the socket services libvirtd.socket and libvirtd-ro.socket:

systemctl edit libvirtd.socket
systemctl edit libvirtd-ro.socket

Override or set the SocketMode and SocketGroup for each service.

#
[Socket]
SocketMode=0660
SocketGroup=libvirt
#

The new permissions are set when the services are restarted.

srw-rw----  1 root libvirt   0 Jun  3 18:56 libvirt-sock
srw-rw----  1 root libvirt   0 Jun  3 18:56 libvirt-sock-ro

Offline
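
Added example, not part of any post in this thread: a shell sketch that resolves the effective SocketMode and SocketGroup of a socket unit plus its drop-ins and flags a world-accessible result, using the unit quoted in post #11 and the override from post #12. The function names and the temporary file paths are assumptions made for the illustration, and the unit contents are constructed sample input.

```shell
#!/bin/sh
# Added example: later assignments in drop-ins override the packaged unit.
# effective_setting KEY FILE... -> last value of KEY in any [Socket] section
effective_setting() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1      { in_socket = 0 }               # section state is per file
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^\[/         { in_socket = ($0 ~ /^\[Socket\]/); next }
        in_socket {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$@"
}

# world_accessible MODE -> succeeds if any "other" permission bit is set
world_accessible() { [ $(( 0$1 & 07 )) -ne 0 ]; }

# audit_socket_unit FILE... -> prints "MODE GROUP VERDICT"
audit_socket_unit() {
    mode=$(effective_setting SocketMode "$@")
    group=$(effective_setting SocketGroup "$@")
    mode=${mode:-0666}      # systemd default when SocketMode= is unset
    group=${group:-root}    # system units default to root ownership
    if world_accessible "$mode"; then verdict=WORLD-ACCESSIBLE; else verdict=restricted; fi
    echo "$mode $group $verdict"
}

# Constructed sample input, written to a temporary directory (made-up paths).
demo=$(mktemp -d)
cat > "$demo/libvirtd.socket" <<'EOF'
[Unit]
Description=Libvirt local socket
[Socket]
ListenStream=/run/libvirt/libvirt-sock
SocketMode=0666
EOF
cat > "$demo/override.conf" <<'EOF'
[Socket]
SocketMode=0660
SocketGroup=libvirt
EOF
audit_socket_unit "$demo/libvirtd.socket"                        # packaged unit only
audit_socket_unit "$demo/libvirtd.socket" "$demo/override.conf"  # with the drop-in
```

On a live system, `systemctl cat libvirtd.socket` prints the unit file followed by its drop-ins in the order they apply, which is the order the files must be passed in here.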
