Bug#956936: libvirt-daemon: clients unable to connect to libvirt: CheckAuthorization: Action org.libvirt.unix.manage is not registered

Discussion:

(too old to reply)

Gabriel Filion

2020-04-16 23:00:01 UTC

Permalink

Package: libvirt-daemon
Version: 6.0.0-6
Severity: important

Hello,

I've been unable to use libvirt for a while and I haven't yet found a
workaround or a fix..

This started happening the last time I ran package upgrades. However, since I
don't run them very often I'm not sure with which versions of packages it
started happening. If it seems relevant to do so, I can test rolling back to
older packages to figure out when things started to break down.

I've been using libvirt with qemu-kvm for a while.

my user is part of the libvirt and kvm groups so I should have access to the
local unix sockets. however when I try and connect to libvirt on localhost
(either with vagrant-libvirt or with virt-manager) I get an error message that
also appears in the service's log as:

Apr 16 17:51:47 meevyl libvirtd[544743]: error from service: CheckAuthorization: Action org.libvirt.unix.manage is not registered
Apr 16 17:51:47 meevyl libvirtd[544743]: End of file while reading data: Input/output error

From what I could vaguely understand, the first line seems to be related to
polkit but I don't quite understand how this thing is supposed to be working.

I do have polkit installed and runing:

$ dpkg -l | grep polkit
ii gir1.2-polkit-1.0 0.105-26 amd64 GObject introspection data for PolicyKit
ii libpolkit-agent-1-0:amd64 0.105-26 amd64 PolicyKit Authentication Agent API
ii libpolkit-gobject-1-0:amd64 0.105-26 amd64 PolicyKit Authorization API
$ ps aux|grep polkit
root 544473 0.0 0.0 235204 10120 ? Ssl 17:49 0:00 /usr/lib/policykit-1/polkitd --no-debug
gabster 545750 0.0 0.0 8744 844 pts/8 S+ 18:29 0:00 grep --color=auto polkit

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8), LANGUAGE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii libblkid1 2.34-0.1
ii libc6 2.30-4
ii libcap-ng0 0.7.9-2.1+b2
ii libdbus-1-3 1.12.16-2
ii libdevmapper1.02.1 2:1.02.167-1+b1
ii libfuse2 2.9.9-3
ii libgcc-s1 10-20200411-1
ii libglib2.0-0 2.64.2-1
ii libnetcf1 1:0.2.8-1+b3
ii libparted2 3.3-4
ii libpcap0.8 1.9.1-3
ii libpciaccess0 0.14-1
ii libselinux1 3.0-1+b3
ii libudev1 245.4-4
ii libvirt-daemon-driver-qemu 6.0.0-6
ii libvirt0 6.0.0-6
ii libxml2 2.9.10+dfsg-5

Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-lxc 6.0.0-6
ii libvirt-daemon-driver-vbox 6.0.0-6
ii libvirt-daemon-driver-xen 6.0.0-6
ii libxml2-utils 2.9.10+dfsg-5
ii netcat-openbsd 1.206-1
ii qemu 1:4.2-6
ii qemu-kvm 1:4.2-6

Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster <none>
pn libvirt-daemon-driver-storage-rbd <none>
pn libvirt-daemon-driver-storage-zfs <none>
pn libvirt-daemon-system <none>
pn numad <none>

-- no debconf information

Guido Günther

2020-04-17 07:20:01 UTC

Permalink

Hi,

Post by Gabriel Filion
Package: libvirt-daemon
Version: 6.0.0-6
Severity: important
Hello,
I've been unable to use libvirt for a while and I haven't yet found a
workaround or a fix..
This started happening the last time I ran package upgrades. However, since I
don't run them very often I'm not sure with which versions of packages it
started happening. If it seems relevant to do so, I can test rolling back to
older packages to figure out when things started to break down.
I've been using libvirt with qemu-kvm for a while.
my user is part of the libvirt and kvm groups so I should have access to the
local unix sockets. however when I try and connect to libvirt on localhost
(either with vagrant-libvirt or with virt-manager) I get an error message that
Apr 16 17:51:47 meevyl libvirtd[544743]: error from service: CheckAuthorization: Action org.libvirt.unix.manage is not registered
Apr 16 17:51:47 meevyl libvirtd[544743]: End of file while reading data: Input/output error

Is that qemu:///system ?

Post by Gabriel Filion
From what I could vaguely understand, the first line seems to be related to
polkit but I don't quite understand how this thing is supposed to be working.
$ dpkg -l | grep polkit
ii gir1.2-polkit-1.0 0.105-26 amd64 GObject introspection data for PolicyKit
ii libpolkit-agent-1-0:amd64 0.105-26 amd64 PolicyKit Authentication Agent API
ii libpolkit-gobject-1-0:amd64 0.105-26 amd64 PolicyKit Authorization API
$ ps aux|grep polkit
root 544473 0.0 0.0 235204 10120 ? Ssl 17:49 0:00 /usr/lib/policykit-1/polkitd --no-debug
gabster 545750 0.0 0.0 8744 844 pts/8 S+ 18:29 0:00 grep --color=auto polkit

You don't show the polkitd (package policykit-1) version but if that's
0.105 as well can you check if things like

pkexec /bin/ls

work and and check if
/var/lib/polkit-1/localauthority/10-vendor.d/60-libvirt.pkla is present
and there's no other libvirt related policies e.g. in /etc/polkit-1?
-- Guido

Post by Gabriel Filion
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8), LANGUAGE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
ii libblkid1 2.34-0.1
ii libc6 2.30-4
ii libcap-ng0 0.7.9-2.1+b2
ii libdbus-1-3 1.12.16-2
ii libdevmapper1.02.1 2:1.02.167-1+b1
ii libfuse2 2.9.9-3
ii libgcc-s1 10-20200411-1
ii libglib2.0-0 2.64.2-1
ii libnetcf1 1:0.2.8-1+b3
ii libparted2 3.3-4
ii libpcap0.8 1.9.1-3
ii libpciaccess0 0.14-1
ii libselinux1 3.0-1+b3
ii libudev1 245.4-4
ii libvirt-daemon-driver-qemu 6.0.0-6
ii libvirt0 6.0.0-6
ii libxml2 2.9.10+dfsg-5
ii libvirt-daemon-driver-lxc 6.0.0-6
ii libvirt-daemon-driver-vbox 6.0.0-6
ii libvirt-daemon-driver-xen 6.0.0-6
ii libxml2-utils 2.9.10+dfsg-5
ii netcat-openbsd 1.206-1
ii qemu 1:4.2-6
ii qemu-kvm 1:4.2-6
pn libvirt-daemon-driver-storage-gluster <none>
pn libvirt-daemon-driver-storage-rbd <none>
pn libvirt-daemon-driver-storage-zfs <none>
pn libvirt-daemon-system <none>
pn numad <none>
-- no debconf information
_______________________________________________
Pkg-libvirt-maintainers mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers

Joel Johnson

2020-08-31 21:10:02 UTC

Permalink

Version: 5.0.0-4+deb10u1

I ran into this same issue on a buster system, with additional
buster-backports packages installed. After digging through it appears
that during a recent update the libvirt-daemon-system package was
uninstalled without me noticing. Reinstalling the package also resolved
the issue for me.

Joel

Bernd Schatz

2021-01-26 13:10:01 UTC

Permalink

Hi,

Post by Joel Johnson
Version: 5.0.0-4+deb10u1
I ran into this same issue on a buster system, with additional
buster-backports packages installed. After digging through it appears
that during a recent update the libvirt-daemon-system package was
uninstalled without me noticing. Reinstalling the package also resolved
the issue for me.

Because of an other problem with a vagrant box and debian buster
i tried to reproduce that issue on a newly installed debian bullseye.

Now i run into this issue.

sudo debsums --config | grep -v OK
/etc/sudoers FAILED

id
uid=1004(beschat) gid=1004(beschat)
Gruppen=1004(beschat),1005(libvirtd),64055(libvirt-qemu)

$ echo $VAGRANT_DEFAULT_PROVIDER
libvirt

Bringing machine 'default' up with 'libvirt' provider...
Error while connecting to Libvirt: Error making a connection to libvirt
URI qemu:///system?no_verify=1&keyfile=/home/beschat/.ssh/id_rsa:
Call to virConnectOpen failed: authentication unavailable: no polkit
agent available to authenticate action 'org.libvirt.unix.manage'

dpkg -l | grep polkit
ii gir1.2-polkit-1.0 0.105-29
amd64 GObject introspection data for PolicyKit
ii libpolkit-agent-1-0:amd64 0.105-29
amd64 PolicyKit Authentication Agent API
ii libpolkit-gobject-1-0:amd64 0.105-29
amd64 PolicyKit Authorization API
ii libpolkit-qt5-1-1:amd64 0.113.0-1
amd64 PolicyKit-qt5-1 library

sudo cat /var/lib/polkit-1/localauthority/10-vendor.d/60-libvirt.pkla
[Allow group libvirt management permissions]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

--
Bernd

Bernd Schatz

2021-01-26 13:30:02 UTC

Permalink

Hi,

Post by Bernd Schatz
Now i run into this issue.
sudo debsums --config | grep -v OK
/etc/sudoers FAILED
id
uid=1004(beschat) gid=1004(beschat)
Gruppen=1004(beschat),1005(libvirtd),64055(libvirt-qemu)

Sorry, just after sending the mail i saw that i added the wrong
group, after:

sudo usermod -a -G libvirt beschat

the box starts, now i ran into this:

$ vagrant up
Bringing machine 'default' up with 'libvirt' provider...
==> default: Checking if box 'debian/testing64' version '20210124.1' is
up to date...
==> default: Starting domain.
There was an error talking to Libvirt. The error message is shown
below:

Call to virDomainCreateWithFlags failed: can't connect to virtlogd:
Socket-Erstellung zu '/r

But this seems to be another issue ...

--
Bernd