[one-users] Help with VM launch

Héctor Sanjuán hsanjuan at opennebula.org
Thu Jun 9 12:04:10 PDT 2011


Now it seems a different problem: a PolicyKit - libvirt permissions
problem.

The answers are here:

http://libvirt.org/auth.html
http://wiki.libvirt.org/page/SSHPolicyKitSetup

Personally, on an OpenSuse 11.3 machine I have a file:
/var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla

with the contents:

[org.libvirt.unix.manage]
Identity=unix-user:*
Action=org.libvirt.unix.manage
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep


but that's a bit relaxed security, as it seems I allow every unix user to
manage via libvirt.

Hope it helps,

Hector




On 09/06/11 20:32, Robert Schweikert wrote:
> 
> 
> On 06/09/2011 12:40 PM, Héctor Sanjuán wrote:
>> Hi,
>>
>> I think the deployment is failing because the host is in error state.
>>
>> It seems that when ONE is trying to monitor it, the 192.168.1.5 host
>> closes the connection.
>>
>> You should make sure that you are running OpenNebula commands with the
>> 'oneadmin' user and that this user has passwordless ssh access to the
>> host. You can assign a password to the oneadmin unix user with 'passwd
>> oneadmin' as root. Then you should be able to login with it and test if
>> 'ssh 192.168.1.5' is working well.
> 
> OK, I created a password for the oneadmin user and was able to use ssh
> interactively to get to the 192.168.1.5 host without using a password.
> It was a bit slow but it worked.
> 
> I also played around with the onehost command, deleting the previously
> added host and using
> 
> # onehost create 192.168.1.5 im_kvm vmm_kvm tm_nfs
> 
> used this when logged in as oneadmin and with "sudo -u oneadmin" prefix
> when logged in as root. With both approaches I get the same result,
> initially when I create the host the state shown by onehost list is
> "on". But after a while it changes to "err"
> 
> Monitoring the log I found the following message:
> 
> Thu Jun  9 14:18:05 2011 [InM][I]: Command execution fail: 'if [ -x
> "/var/tmp/one/im/run_probes" ]; then /var/tmp/one/im/run_probes kvm
> 192.168.1.5; else                              exit 42; fi'
> Thu Jun  9 14:18:05 2011 [InM][I]: STDERR follows.
> Thu Jun  9 14:18:05 2011 [InM][I]: error: authentication failed
> Thu Jun  9 14:18:05 2011 [InM][I]: error: failed to connect to the
> hypervisor
> Thu Jun  9 14:18:05 2011 [InM][I]: Error executing kvm.rb
> Thu Jun  9 14:18:05 2011 [InM][I]: ExitCode: 255
> Thu Jun  9 14:18:05 2011 [InM][E]: Error monitoring host 4 : MONITOR
> FAILURE 4 Could not monitor host 192.168.1.5.
> 
> And on the cloud node in the system log I get:
> 
> Jun 10 22:18:03 node1 sshd[4387]: Accepted publickey for oneadmin from
> 192.168.1.2 port 60835 ssh2
> Jun 10 22:18:03 node1 sshd[4389]: Received disconnect from 192.168.1.2:
> 11: disconnected by user
> Jun 10 22:18:13 node1 sshd[4413]: Accepted publickey for oneadmin from
> 192.168.1.2 port 60836 ssh2
> Jun 10 22:18:13 node1 libvirtd: 22:18:13.366: error :
> remoteDispatchAuthPolkit:3797 : Policy kit denied action
> org.libvirt.unix.manage from pid 4453, uid 1000, result: 512
> 
> 
> Thus I'd say my issue is on the cloud node side. The passwordless ssh
> connection is clearly working, based on the "Accepted" message, but then
> it looks like policykit gets in the way.
> 
> The oneadmin user is part of the kvm and the root group on the cloud
> node (libvirtd runs as root on SUSE).
> 
> Any ideas what I need to do to beat policy kit into submission?
> 
> Thanks,
> Robert
> 
> 


-- 
Héctor Sanjuán
OpenNebula Sunstone Developer
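
Added example, not part of the original message: a small Python check that parses polkit .pkla text and reports which entries cover org.libvirt.unix.manage and whether their Identity uses a wildcard, run on the file quoted above and on a constructed variant limited to oneadmin. The names audit_pkla, PAGE_PKLA and SCOPED_PKLA are hypothetical, and the oneadmin-only variant is an assumption, not a configuration from the thread.

```python
import configparser
from fnmatch import fnmatchcase

ACTION = "org.libvirt.unix.manage"  # action named in the libvirtd log above

# File contents quoted in the message above.
PAGE_PKLA = """\
[org.libvirt.unix.manage]
Identity=unix-user:*
Action=org.libvirt.unix.manage
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep
"""

# Constructed variant (assumption, not from the thread): match only oneadmin.
SCOPED_PKLA = PAGE_PKLA.replace("unix-user:*", "unix-user:oneadmin")


def _items(value):
    """Split a semicolon-separated .pkla value into trimmed entries."""
    return [v.strip() for v in value.split(";") if v.strip()]


def audit_pkla(text, action=ACTION):
    """Return one finding per .pkla entry whose Action covers `action`."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (Identity, ResultAny, ...)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # Action globs are approximated here with fnmatch-style matching.
        if not any(fnmatchcase(action, p) for p in _items(sec.get("Action", ""))):
            continue
        identities = _items(sec.get("Identity", ""))
        findings.append({
            "entry": name,
            "identities": identities,
            # A "*" in the name part matches every user or every group.
            "wildcard": [i for i in identities if "*" in i.split(":", 1)[-1]],
            "results": {k: v for k, v in sec.items() if k.startswith("Result")},
        })
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_PKLA), ("scoped", SCOPED_PKLA)):
        for f in audit_pkla(text):
            print(label, f["entry"], f["wildcard"] or "no wildcard", f["results"])
```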


