[Pkg-libvirt-maintainers] Bug#956936: Bug#956936: libvirt-daemon: clients unable to connect to libvirt: CheckAuthorization: Action org.libvirt.unix.manage is not registered

Gabriel Filion gabster at lelutin.ca
Sun Apr 19 19:50:25 BST 2020 

Hi Guido,

thanks for your quick feedback! much appreciated.

On 2020-04-17 3:10 a.m., Guido Günther wrote:
> On Thu, Apr 16, 2020 at 06:42:32PM -0400, Gabriel Filion wrote:
>> my user is part of the libvirt and kvm groups so I should have access to the
>> local unix sockets. however when I try and connect to libvirt on localhost
>> (either with vagrant-libvirt or with virt-manager) I get an error message that
>> also appears in the service's log as:
>>
>> Apr 16 17:51:47 meevyl libvirtd[544743]: error from service: CheckAuthorization: Action org.libvirt.unix.manage is not registered
>> Apr 16 17:51:47 meevyl libvirtd[544743]: End of file while reading data: Input/output error
> 
> Is that qemu:///system ? 

yes exactly.

and vagrant shows it this way (also confirming that it's connecting to
qemu:///system:

Error while connecting to libvirt: Error making a connection to libvirt
URI qemu:///system?no_verify=1&keyfile=/home/gabster/.ssh/id_rsa:
Call to virConnectOpen failed: error from service: CheckAuthorization:
Action org.libvirt.unix.manage is not registered


>> From what I could vaguely understand, the first line seems to be related to
>> polkit but I don't quite understand how this thing is supposed to be working.
>>
>>
>> I do have polkit installed and runing:
>>
>> $ dpkg -l | grep polkit
>> ii  gir1.2-polkit-1.0                       0.105-26                               amd64        GObject introspection data for PolicyKit
>> ii  libpolkit-agent-1-0:amd64               0.105-26                               amd64        PolicyKit Authentication Agent API
>> ii  libpolkit-gobject-1-0:amd64             0.105-26                               amd64        PolicyKit Authorization API
>> $ ps aux|grep polkit
>> root      544473  0.0  0.0 235204 10120 ?        Ssl  17:49   0:00 /usr/lib/policykit-1/polkitd --no-debug
>> gabster   545750  0.0  0.0   8744   844 pts/8    S+   18:29   0:00 grep --color=auto polkit
> 
> You don't show the polkitd (package policykit-1) version

oh, right I missed this out in the original report:

$ dpkg -l | grep policykit
ii  policykit-1                             0.105-26
           amd64        framework for managing administrative policies
and privileges
ii  policykit-1-gnome                       0.105-7
           amd64        authentication agent for PolicyKit

> but if that's
> 0.105 as well can you check if things like
>    pkexec /bin/ls

> work

this asks me for my password, and then shows this output (it's not the
contents of the current directory so I'm not sure what it's listing
exactly):

$ pkexec /bin/ls
snap

> and check if
> /var/lib/polkit-1/localauthority/10-vendor.d/60-libvirt.pkla is present

I get file not found for the above.

> and there's no other libvirt related policies e.g. in /etc/polkit-1?

nothing that seems relevant to libvirt in both directories:

$ sudo tree /var/lib/polkit-1/localauthority/
/var/lib/polkit-1/localauthority/
├── 10-vendor.d
│   ├── fwupd.pkla
│   ├── geoclue-2.0.pkla
│   ├── gnome-control-center.pkla
│   ├── org.freedesktop.Flatpak.pkla
│   ├── org.freedesktop.NetworkManager.pkla
│   ├── org.freedesktop.packagekit.pkla
│   └── systemd-networkd.pkla
├── 20-org.d
├── 30-site.d
├── 50-local.d
└── 90-mandatory.d

5 directories, 7 files

$ sudo tree /etc/polkit-1/
/etc/polkit-1/
├── localauthority
│   ├── 10-vendor.d
│   ├── 20-org.d
│   ├── 30-site.d
│   ├── 50-local.d
│   └── 90-mandatory.d
├── localauthority.conf.d
│   ├── 50-localauthority.conf
│   └── 51-debian-sudo.conf
└── rules.d
    ├── 40-debian-sudo.rules
    └── 50-default.rules

8 directories, 4 files

since I use etckeeper, I've checked the history for /etc/polkit-1/ and
there was never a file with "libvirt" in its name in there.


oh! but I just searched on codesearch.d.n and found out that the polkit
file should be installed there by libvirt-daemon-system  and for some
reason this package was in state "rc" on my system.

I with version 6.0.0-6 of it with "apt install libvirt-daemon-system"
and now it's present on my system!

.... and I can connect to qemu:///system again!

I've also had to manually start the virtlogd.socket unit. but now with
those two details fixed I can manage VMs again on my laptop.


I'm not sure why libvirt-daemon-system had been left semi-removed on the
system though .. according to my dpkg log it was left removed during the
upgrade from 5.6.0-3 to 6.0.0-5

.. oh well I guess it's all fine for now. thanks, I was able to figure
it out thanks to your pointers!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20200419/1ba257b7/attachment.sig>

More information about the Pkg-libvirt-maintainers mailing list