On Thu, Mar 2, 2017 at 3:10 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> On Thu, Mar 2, 2017 at 12:49 PM, Koen Vanoppen <vanoppen.k...@gmail.com> wrote:
>
>> [root@mercury1 ~]# saslpasswd2 -a libvirt koen
>> Password:
>> Again (for verification):
>> [root@mercury1 ~]# virsh list --all
>> Please enter your authentication name: koen
>> Please enter your password:
>> error: failed to connect to the hypervisor
>> error: no valid connection
>> error: authentication failed: authentication failed
>>
>
> I can only say that I just tested on my environment, with plain CentOS 7.3
> in oVirt 4.1 and it works.
>
> In theory, your connection string should use unix domain sockets if I'm
> not wrong and should be the same as "-c qemu:///system"
> In fact, using that connection URI I get the same prompts as without
> anything (only thing I just get the login/pwd prompt before running any
> command).
>
> Possibly there is something SELinux related? Is it enabled?
>
> Strange enough I'm verifying in my 4.1 system that I can actually run this
> command below without any password.....
> (obviously all the caveats of running it out of oVirt are applicable...)
>
> [root@ovmsrv05 ~]# virsh -c qemu://ovmsrv05.mydomain/system
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>        'quit' to quit
>
> virsh # list
>  Id    Name                           State
> ----------------------------------------------------
>  2     raclab1                        running
>  10    c7testovn1                     running
>
> virsh #
>
> This happens using the hostname used for the host when added to oVirt infra
> Instead if I use localhost I get
>
> [root@ovmsrv05 ~]# virsh -c qemu://localhost/system
> 2017-03-02 13:58:16.190+0000: 25221: info : libvirt version: 2.0.0, package: 10.el7_3.4 (CentOS BuildSystem <http://bugs.centos.org>, 2017-01-17-23:37:48, c1bm.rdu2.centos.org)
> 2017-03-02 13:58:16.190+0000: 25221: info : hostname: ovmsrv05.mydomain
> 2017-03-02 13:58:16.190+0000: 25221: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Certificate [session] owner does not match the hostname localhost
> error: failed to connect to the hypervisor
> error: authentication failed: Failed to verify peer's certificate
> [root@ovmsrv05 ~]#
>
> Does this command work for you too in 4.0?
> Is it in general a bug or a feature? Or anything cached (I don't think so
> because I can execute the same on another host where I didn't run anything
> before and where I didn't use the saslpasswd2 command to add a local virsh
> user)?
>

It's a feature: we configure it for TLS/x509 authentication for the engine over TCP and SASL authentication for the local access over the unix domain socket.

>
> Gianluca
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
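An added example, not part of the original thread and not oVirt or vdsm code: a small Python check that reads settings in libvirtd.conf syntax and reports which authentication scheme is configured per socket, the per-transport split the reply describes. The sample configuration is constructed for illustration; the key names are libvirtd.conf's own, and the function names are hypothetical.

```python
import re

# Constructed sample in libvirtd.conf syntax (assumption: not copied from an oVirt host).
SAMPLE_CONF = """\
# local read-write socket asks for SASL credentials
auth_unix_rw = "sasl"
listen_tls = 1
listen_tcp = 0
#auth_tcp = "none"
"""

# key = value, value optionally double-quoted, optional trailing comment
LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$')

def parse_conf(text):
    """Return {key: value} for every uncommented 'key = value' line."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def transport_auth(settings):
    """Map each libvirtd socket to the auth scheme explicitly configured for it."""
    keys = (("unix read-only", "auth_unix_ro"), ("unix read-write", "auth_unix_rw"),
            ("tcp", "auth_tcp"), ("tls", "auth_tls"))
    return {sock: settings.get(key, "unset (libvirt default applies)")
            for sock, key in keys}

def findings(settings):
    """Flag settings that leave a socket without authentication."""
    out = []
    if settings.get("auth_unix_rw") == "none":
        out.append("auth_unix_rw=none: access limited only by socket file permissions")
    if settings.get("listen_tcp") == "1" and settings.get("auth_tcp") == "none":
        out.append("listen_tcp=1 with auth_tcp=none: unauthenticated cleartext TCP")
    if settings.get("tls_no_verify_certificate") == "1":
        out.append("tls_no_verify_certificate=1: client certificates are not verified")
    return out

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for sock, scheme in transport_auth(conf).items():
        print(f"{sock:16} {scheme}")
    for issue in findings(conf):
        print("WARNING:", issue)
```

On a real host, pass the contents of the libvirtd configuration file to `parse_conf` instead of `SAMPLE_CONF`.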