From 3ffd39767ed4dec1233f91744184c518396acc8c Mon Sep 17 00:00:00 2001
Message-Id: <3ffd39767ed4dec1233f91744184c518396acc8c@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Thu, 25 May 2017 12:59:12 -0400
Subject: [PATCH] virsh: Track when create pkttyagent
|
https://bugzilla.redhat.com/show_bug.cgi?id=1374126
|
Due to how the processing for authentication using polkit works, the
virshConnect code must first "attempt" a virConnectOpenAuth and then
check for a "special" return error code VIR_ERR_AUTH_UNAVAILABLE in
order to attempt to "retry" the authentication after performing a creation
of a pkttyagent to handle the challenge/response for the client.
|
However, if pkttyagent creation is not possible for the authentication
being attempted (such as perhaps a "qemu+ssh://someuser@localhost/system"),
then the same failure pattern would be returned and another attempt to
create a pkttyagent would be done. This would continue "forever" until
someone forced quit (e.g. ctrl-c) from virsh as the 'authfail' was not
incremented when creating the pkttyagent.
|
So add a 'agentCreated' boolean to track if we've attempted to create the
agent at least once and force a failure if that creation returned the same
error pattern.
|
This resolves a possible never ending loop and will generate an error:
|
error: failed to connect to the hypervisor
error: authentication unavailable: no polkit agent available to authenticate action 'org.libvirt.unix.manage'
|
NB: If the authentication was for a sufficiently privileged client, such as
qemu+ssh://root@localhost/system, then the remoteDispatchAuthList "allows"
the authentication to use libvirt since @callerUid would be 0.
|
(cherry picked from commit 2453501fc82d3b247affb6c9054dc65bf2f669b3)
Signed-off-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
tools/virsh.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
|
diff --git a/tools/virsh.c b/tools/virsh.c
index 7eb51ab7d..0b4365b0f 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -145,6 +145,7 @@ virshConnect(vshControl *ctl, const char *uri, bool readonly)
bool keepalive_forced = false;
virPolkitAgentPtr pkagent = NULL;
int authfail = 0;
+ bool agentCreated = false;
|
if (ctl->keepalive_interval >= 0) {
interval = ctl->keepalive_interval;
@@ -166,10 +167,12 @@ virshConnect(vshControl *ctl, const char *uri, bool readonly)
goto cleanup;
|
err = virGetLastError();
- if (err && err->domain == VIR_FROM_POLKIT &&
+ if (!agentCreated &&
+ err && err->domain == VIR_FROM_POLKIT &&
err->code == VIR_ERR_AUTH_UNAVAILABLE) {
if (!pkagent && !(pkagent = virPolkitAgentCreate()))
goto cleanup;
+ agentCreated = true;
} else if (err && err->domain == VIR_FROM_POLKIT &&
err->code == VIR_ERR_AUTH_FAILED) {
authfail++;
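Review bot: Once `agentCreated = true;` is set after the agent-creation `goto cleanup`, a repeated VIR_ERR_AUTH_UNAVAILABLE matches neither polkit branch, so the loop's termination now rests entirely on whatever follows the `else if` below the hunk (presumably a generic error exit), yet nothing at the `if (!agentCreated &&` line records that this is the intended fall-through. A comment there would keep a later edit from widening the condition and reintroducing the unbounded retry: `/* Create the agent at most once; a second AUTH_UNAVAILABLE means polkit cannot serve this URI, so fall through to the error path instead of retrying. */`. With the guard in place the `!pkagent &&` test on the following line can no longer be false when reached, since the hunk shows pkagent assigned only inside this branch; dropping it would make the single-attempt intent plainer, though it is harmless as written. virshConnect begins and ends outside the hunk, including the loop condition that bounds authfail.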
--
2.13.0
|