On Thu, Mar 2, 2017 at 3:10 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Thu, Mar 2, 2017 at 12:49 PM, Koen Vanoppen <vanoppen.koen@gmail.com> wrote:
[root@mercury1 ~]# saslpasswd2 -a libvirt koen
Password:
Again (for verification):
[root@mercury1 ~]# virsh list --all
Please enter your authentication name: koen
Please enter your password:
error: failed to connect to the hypervisor
error: no valid connection
error: authentication failed: authentication failed


I can only say that I just tested on my environment, with plain CentOS 7.3 in oVirt 4.1 and it works.

In theory, your connection string should use unix domain sockets if I'm not wrong and should be the same as "-c qemu:///system" 
In fact, using that connection URI I get the same prompts as without anything (only thing I just get the login/pwd prompt before running any command).

Possibly there is something SELinux related? Is it enabled?

Strange enough I'm verifying in my 4.1 system that I can actually run this command below without any password..... 
(obviously all the caveat of running it out of oVirt are applicable...)

[root@ovmsrv05 ~]# virsh -c qemu://ovmsrv05.mydomain/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list
 Id    Name                           State
----------------------------------------------------
 2     raclab1                        running
 10    c7testovn1                     running
 
virsh # 

This happens using the hostname used for the host when added to oVirt infra
Instead if I use localhost I get

[root@ovmsrv05 ~]# virsh -c qemu://localhost/system
2017-03-02 13:58:16.190+0000: 25221: info : libvirt version: 2.0.0, package: 10.el7_3.4 (CentOS BuildSystem <http://bugs.centos.org>, 2017-01-17-23:37:48, c1bm.rdu2.centos.org)
2017-03-02 13:58:16.190+0000: 25221: info : hostname: ovmsrv05.mydomain
2017-03-02 13:58:16.190+0000: 25221: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Certificate [session] owner does not match the hostname localhost
error: failed to connect to the hypervisor
error: authentication failed: Failed to verify peer's certificate
[root@ovmsrv05 ~]# 

Does this command work for you too in 4.0?
Is it in general a bug or a feature? Or anything cached (I don't think so because I can execute the same on another host where I didn't run anything before and where I didn't use the saslpasswd2 command to add a local virsh user)?

It's a feature: we configure it for TLS/x509 authentication for the engine over TCP and SASL authentication for the local access overt the unix domain socket.

 

Gianluca




_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users