[ovirt-users] Virsh

Simone Tiraboschi stirabos at redhat.com
Thu Mar 2 14:27:25 UTC 2017


On Thu, Mar 2, 2017 at 3:10 PM, Gianluca Cecchi <gianluca.cecchi at gmail.com>
wrote:

> On Thu, Mar 2, 2017 at 12:49 PM, Koen Vanoppen <vanoppen.koen at gmail.com>
> wrote:
>
>> [root at mercury1 ~]# saslpasswd2 -a libvirt koen
>> Password:
>> Again (for verification):
>> [root at mercury1 ~]# virsh list --all
>> Please enter your authentication name: koen
>> Please enter your password:
>> error: failed to connect to the hypervisor
>> error: no valid connection
>> error: authentication failed: authentication failed
>>
>>
> I can only say that I just tested on my environment, with plain CentOS 7.3
> in oVirt 4.1 and it works.
>
> In theory, your connection string should use unix domain sockets if I'm
> not wrong and should be the same as "-c qemu:///system"
> In fact, using that connection URI I get the same prompts as without
> anything (only thing I just get the login/pwd prompt before running any
> command).
>
> Possibly there is something SELinux related? Is it enabled?
>
> Strange enough I'm verifying in my 4.1 system that I can actually run this
> command below without any password.....
> (obviously all the caveat of running it out of oVirt are applicable...)
>
> [root at ovmsrv05 ~]# virsh -c qemu://ovmsrv05.mydomain/system
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>        'quit' to quit
>
> virsh # list
>  Id    Name                           State
> ----------------------------------------------------
>  2     raclab1                        running
>  10    c7testovn1                     running
>
> virsh #
>
> This happens using the hostname used for the host when added to oVirt infra
> Instead if I use localhost I get
>
> [root at ovmsrv05 ~]# virsh -c qemu://localhost/system
> 2017-03-02 13:58:16.190+0000: 25221: info : libvirt version: 2.0.0,
> package: 10.el7_3.4 (CentOS BuildSystem <http://bugs.centos.org>,
> 2017-01-17-23:37:48, c1bm.rdu2.centos.org)
> 2017-03-02 13:58:16.190+0000: 25221: info : hostname: ovmsrv05.mydomain
> 2017-03-02 13:58:16.190+0000: 25221: warning :
> virNetTLSContextCheckCertificate:1125 : Certificate check failed
> Certificate [session] owner does not match the hostname localhost
> error: failed to connect to the hypervisor
> error: authentication failed: Failed to verify peer's certificate
> [root at ovmsrv05 ~]#
>
> Does this command work for you too in 4.0?
> Is it in general a bug or a feature? Or anything cached (I don't think so
> because I can execute the same on another host where I didn't run anything
> before and where I didn't use the saslpasswd2 command to add a local virsh
> user)?
>

It's a feature: we configure it for TLS/x509 authentication for the engine
over TCP and SASL authentication for the local access overt the unix domain
socket.



>
> Gianluca
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170302/7bd6a168/attachment.html>


More information about the Users mailing list