On Fri, Nov 07, 2014 at 02:37:06PM +0000, Dan Ryder (daryder) wrote:
> Thanks for the info, Richard.
>
> Hi Dan,
> 
> Any additional information on this?

I don't know if Dan B wants to chime in here, but can you try
out the following patch?

diff --git a/df/domains.c b/df/domains.c
index b2d9537..6cbc0f9 100644
--- a/df/domains.c
+++ b/df/domains.c
@@ -77,7 +77,8 @@ get_all_libvirt_domains (const char *libvirt_uri)
   size_t i;
 
   /* Get the list of all domains. */
-  conn = virConnectOpenReadOnly (libvirt_uri);
+  conn = virConnectOpenAuth (libvirt_uri, virConnectAuthPtrDefault,
+                             VIR_CONNECT_RO);
   if (!conn) {
     err = virGetLastError ();
     fprintf (stderr,
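
Review bot: The virConnectOpenAuth call added in get_all_libvirt_domains passes virConnectAuthPtrDefault, whereas the thread describes a later connection made through guestfs_add_domain (src/libvirt-auth.c:guestfs___open_libvirt_connection) that does its own authentication. With SASL enabled, a user running virt-df without domain names may therefore be asked for credentials here and again on the later connection, possibly with differently worded prompts. Consider routing this open through the same auth callback the library uses, or at least extending the comment above the call ("/* Get the list of all domains. */") to say that this connection can now prompt interactively. The "if (!conn)" error path that follows is unchanged, so it is worth confirming that a failed or cancelled authentication still yields a clear message there.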

Rich.

> 
> -----Original Message-----
> From: Richard W.M. Jones [mailto:[email protected]] 
> Sent: Wednesday, November 05, 2014 8:46 AM
> To: Dan Ryder (daryder); [email protected]
> Cc: [email protected]
> Subject: Re: [Libguestfs] libguestfs-tools with libvirt SASL authentication
> 
> On Tue, Nov 04, 2014 at 06:47:04PM +0000, Dan Ryder (daryder) wrote:
> > Hello,
> > 
> > I'm running into an issue using the 'virt-df' command when SASL is enabled 
> > in libvirt. I'm running version 1.26.5 of libguestfs on an Ubuntu 14.04 OS.
> > 
> > I'm running 'virt-df' for all guests at one time, not specifying a domain 
> > or image to use. I was expecting a SASL authentication prompt but to no 
> > avail. Below is a sample run:
> > 
> > root@all-in-one:~# virt-df -P 15
> > libvirt: XML-RPC error : authentication failed: Failed to start SASL 
> > negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs 
> > found)
> > virt-df: could not connect to libvirt (code 45, domain 7): 
> > authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): 
> > no mechanism available: No worthy mechs found)
> > 
> > However, if I do specify a domain to run on, I am prompted for SASL 
> > authentication:
> > 
> > root@all-in-one:~# virt-df -d instance-0000004d
> > libvirt needs authentication to connect to libvirt URI NULL
> > (see also: http://libvirt.org/auth.html http://libvirt.org/uri.html)
> > Please enter your authentication name: nova@all-in-one
> > Please enter your password:
> > Filesystem                           1K-blocks       Used  Available  Use%
> > instance-0000004d:/dev/sdb                 458        458          0  100%
> > instance-0000004d:/dev/sda1              22773      12223       9322   54%
> > 
> > Is there any way to successfully run 'virt-df' for all instances at once 
> > while SASL is enabled in libvirt?
> 
> I think this may be a bug.
> 
> virt-df has potentially 3(!) places where it can make a libvirt connection, 
> although only 2 of them are being used on Ubuntu.
> 
> (1) If you don't supply a list of domain names on the command line, then 
> virt-df will call libvirt to get them.  That happens in
> df/domains.c:get_all_libvirt_domains:
> 
>   https://github.com/libguestfs/libguestfs/blob/master/df/domains.c#L72
> 
> If you supply a domain name, then this is not used.
> 
> (2) Secondly, virt-df calls into libguestfs (the C library) call
> guestfs_add_domain() with a domain name parameter as a literal string, either 
> one fetched from (1) or one you passed on the command line.
> Libguestfs then looks that up with libvirt to check it exists and to get the 
> list of disks.  That happens in
> src/libvirt-auth.c:guestfs___open_libvirt_connection:
> 
>   https://github.com/libguestfs/libguestfs/blob/master/src/libvirt-auth.c#L192
> 
> (3) Finally if you are using the libvirt backend (which you are not on
> Ubuntu) then there would be a third connection to run the appliance, although 
> it uses the same code as (2).
> 
> I believe the problem here is that (1) does not pass an auth handler.
> ie. it calls virConnectOpenReadonly, not virConnectOpenAuth.  It's my 
> understanding that virConnectOpenReadonly bypasses the policy kit and SASL 
> stuff, but Dan Berrange (CC'd) will be able to tell me if I'm correct about 
> that.
> 
> If that was the case then you would see an error when virt-df tries to get a 
> list of domains.
> 
> Anyway, if it turns out to be a bug, please file it using the method outlined 
> on the front page of the website (or submit a patch!)
> 
> Rich.
> 
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones 
> Read my programming and virtualization blog: http://rwmj.wordpress.com 
> virt-top is 'top' for virtual machines.  Tiny program with many powerful 
> monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
