Hi,
This is my first post, so excuse me if I didn't post in the right category.
I'm trying to configure libvirtd to use authentication with file-based permissions using the Wiki instructions. I verified that the group exists.
/etc/libvirt/libvirtd.conf:
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt/"
auth_unix_ro = "none"
auth_unix_rw = "none"
However, the permissions on the sockets are not correct after restart:
srw------- 1 root root 0 Jun 2 20:46 libvirt-admin-sock
srw-rw-rw- 1 root root 0 Jun 2 20:45 libvirt-sock
srw-rw-rw- 1 root root 0 Jun 2 20:46 libvirt-sock-ro
I already used this procedure with success in the past on Fedora on multiple occasions. The file permissions were like this:
srwxrwx---. 1 root libvirt 0 Sep 6 19:02 libvirt-sock
srwxrwx---. 1 root libvirt 0 Sep 6 19:02 libvirt-sock-ro
I tried to force the system to recreate the files with no luck. To recreate them I stopped all libvirt services (libvirtd, libvirtd-ro.socket, libvirtd.socket, libvirtd-admin.socket), deleted the files and restarted the services.
It's clear I must be missing something, but my search did not return anything.
Edit: Solved by configuring SocketMode and SocketGroup for the libvirt sockets using systemd drop-in files.
Last edited by morgothsauron (2020-06-03 19:20:12)
Are the permissions being set by /usr/lib/tmpfiles.d/libvirt.conf?
There is a single entry in that file:
$ cat /usr/lib/tmpfiles.d/libvirt.conf
z /var/lib/libvirt/qemu 0751
$
How is libvirtd started? If you change
unix_sock_dir = "/var/run/libvirt/"
to
unix_sock_dir = "/run/libvirt"
does that make a difference?
I use systemctl to manage the services.
I changed unix_sock_dir to /run/libvirt but the permissions are still incorrect after restarting all services.
Which libvirt units are active? The package supplies numerous ones:
libvirtd-admin.socket
libvirtd-ro.socket
libvirtd.service
libvirtd.socket
libvirtd-tcp.socket
libvirtd-tls.socket
libvirt-guests.service
virt-guest-shutdown.target
virtinterfaced-admin.socket
virtinterfaced-ro.socket
virtinterfaced.service
virtinterfaced.socket
virtlockd-admin.socket
virtlockd.service
virtlockd.socket
virtlogd-admin.socket
virtlogd.service
virtlogd.socket
virtlxcd-admin.socket
virtlxcd-ro.socket
virtlxcd.service
virtlxcd.socket
virtnetworkd-admin.socket
virtnetworkd-ro.socket
virtnetworkd.service
virtnetworkd.socket
virtnodedevd-admin.socket
virtnodedevd-ro.socket
virtnodedevd.service
virtnodedevd.socket
virtnwfilterd-admin.socket
virtnwfilterd-ro.socket
virtnwfilterd.service
virtnwfilterd.socket
virtproxyd-admin.socket
virtproxyd-ro.socket
virtproxyd.service
virtproxyd.socket
virtproxyd-tcp.socket
virtproxyd-tls.socket
virtqemud-admin.socket
virtqemud-ro.socket
virtqemud.service
virtqemud.socket
virtsecretd-admin.socket
virtsecretd-ro.socket
virtsecretd.service
virtsecretd.socket
virtstoraged-admin.socket
virtstoraged-ro.socket
virtstoraged.service
virtstoraged.socket
virtvboxd-admin.socket
virtvboxd-ro.socket
virtvboxd.service
virtvboxd.socket
I installed the following packages: libvirt qemu dmidecode dnsmasq virt-manager
I only have the following units (systemctl list-units *virt*):
libvirtd.service loaded active running Virtualization daemon
virtlogd.service loaded active running Virtual machine log manager
libvirtd-admin.socket loaded active running Libvirt admin socket
libvirtd-ro.socket loaded active running Libvirt local read-only socket
libvirtd.socket loaded active running Libvirt local socket
virtlockd.socket loaded active listening Virtual machine lock manager socket
virtlogd-admin.socket loaded active running Virtual machine log manager socket
virtlogd.socket loaded active running Virtual machine log manager socket
In itself libvirt seems to work fine. I was able to import existing VMs and use them.
/etc/libvirt/libvirtd.conf has the following comments by default:
#################################################################
#
# UNIX socket access controls
#
# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
#unix_sock_ro_perms = "0777"
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
#unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
# Set the name of the directory in which sockets will be found/created.
#
# This setting is not required or honoured if using systemd socket
# activation with systemd version >= 227
#
#unix_sock_dir = "/run/libvirt"
This indicates that if you are using systemd socket activation, no setting in the above section will be honoured.
Edit:
You could create Systemd#Drop-in_files for the socket units specifying SocketGroup etc.; see systemd.socket.
Last edited by loqs (2020-06-02 21:10:49)
I was so used to this procedure on Fedora that I missed the comment about systemd. So basically, this part of the Wiki describing these settings is not applicable when systemd is used.
There must be a way to change the socket permissions. I was thinking about using Polkit as an alternative, but it does not make sense. The default socket permissions allow read and write access to everyone. That's not very secure.
Have you tried creating a drop-in file for the socket units as I suggested in my edit to post #8?
Last edited by loqs (2020-06-02 21:34:30)
Oh, I missed that edit. I will have a look at it tomorrow.
Before you replied, I looked at the unit file. It shows that the socket permission (SocketMode) is set there:
[Unit]
Description=Libvirt local socket
Before=libvirtd.service
[Socket]
# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting
# when using systemd version < 227
ListenStream=/run/libvirt/libvirt-sock
Service=libvirtd.service
SocketMode=0666
[Install]
WantedBy=sockets.target
Combining this (SocketMode) and your comment about the drop-in conf (SocketGroup), I think I have something to work with. With the correct drop-in I should be able to change both the mode and the group of the socket.
I'll post back when I have update on this tomorrow.
I was able to get the correct permissions using systemd drop-in files.
To create a new drop-in for the socket units libvirtd.socket and libvirtd-ro.socket:
systemctl edit libvirtd.socket
systemctl edit libvirtd-ro.socket
Override or set the SocketMode and SocketGroup for each unit:
[Socket]
SocketMode=0660
SocketGroup=libvirt
The new permissions are set when the units are restarted.
srw-rw---- 1 root libvirt 0 Jun 3 18:56 libvirt-sock
srw-rw---- 1 root libvirt 0 Jun 3 18:56 libvirt-sock-ro
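The following script is an added example, not something posted in the thread: it automates the drop-in fix from the last post (both the libvirtd.socket and libvirtd-ro.socket overrides, which is also what loqs' post #8 suggests) and then audits the sockets for the world-writable 0666 default that the libvirtd.socket unit ships with. It assumes GNU coreutils `stat -c` (Arch), that `systemctl edit` writes /etc/systemd/system/<unit>.d/override.conf (the path used here non-interactively), and that libvirtd.service has to be stopped before the socket units are recycled, which mirrors the stop/start sequence morgothsauron used; the inclusion of libvirtd-admin.socket in that sequence is my assumption, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: GNU `stat -c`,
# drop-in path /etc/systemd/system/<unit>.d/override.conf, sockets in
# /run/libvirt as in the thread.

# Body of the drop-in the thread ends up with. Mode and group are
# parameters so a stricter variant (e.g. 0660 with another group) can be
# produced with the same helper.
libvirt_socket_dropin() {
    printf '[Socket]\nSocketMode=%s\nSocketGroup=%s\n' "${1:-0660}" "${2:-libvirt}"
}

# Non-interactive equivalent of `systemctl edit` for the R/W and R/O
# socket units, followed by the stop/start sequence from the thread.
# Must run as root. Including libvirtd-admin.socket in the stop/start is
# an assumption so it is not left pointing at a stopped service.
install_libvirt_dropins() {
    for unit in libvirtd.socket libvirtd-ro.socket; do
        mkdir -p "/etc/systemd/system/${unit}.d"
        libvirt_socket_dropin "$@" > "/etc/systemd/system/${unit}.d/override.conf"
    done
    systemctl daemon-reload
    systemctl stop libvirtd.service libvirtd.socket libvirtd-ro.socket libvirtd-admin.socket
    systemctl start libvirtd.socket libvirtd-ro.socket libvirtd-admin.socket
}

# Exit 0 when the "other" class has the write bit, i.e. any local user can
# connect to the socket (the unit's SocketMode=0666 default). Only the last
# octal digit is inspected so a leading zero cannot be misparsed as octal.
is_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}
    [ $(( other & 2 )) -ne 0 ]
}

# Group owner of a path, to confirm SocketGroup took effect.
group_of() {
    stat -c '%G' "$1"
}

# One verdict line per libvirt socket that exists; non-zero exit if any
# socket is still world-writable.
audit_libvirt_sockets() {
    rc=0
    for s in /run/libvirt/libvirt-sock /run/libvirt/libvirt-sock-ro /run/libvirt/libvirt-admin-sock; do
        [ -S "$s" ] || continue
        if is_world_writable "$s"; then
            echo "WARN $s mode $(stat -c '%a' "$s") group $(group_of "$s"): world-writable"
            rc=1
        else
            echo "ok   $s mode $(stat -c '%a' "$s") group $(group_of "$s")"
        fi
    done
    return $rc
}
```

Run `install_libvirt_dropins` as root (optionally with a mode and group, e.g. `install_libvirt_dropins 0660 kvm`), then `audit_libvirt_sockets`: after the fix it should print `ok` lines showing mode 660 and group libvirt for libvirt-sock and libvirt-sock-ro, while an unmodified system prints WARN for both because of the 0666 default in the unit.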