Hello Maciej,
On 2019-06-27 1:53 p.m., Maciej Delmanowski wrote:
> To access the libvirt system instance your user needs to be in 'libvirt' and
> IIRC 'kvm' UNIX system groups. The gitlab-runner UNIX account should be
> automatically added to these by the 'debops.gitlab_runner' role.
Yes, it is.
> The 'vagrant-libvirt' plugin will then try and connect to the libvirt system
> instance via the qemu:///system URI.
> To check if you can access libvirt from your user account, you can run:
> virsh -c qemu:///system sysinfo
It failed:
```
gitlab-runner@ci:~$ id
uid=998(gitlab-runner) gid=995(gitlab-runner)
groups=995(gitlab-runner),112(kvm),1001(libvirtd)
gitlab-runner@ci:~$ virsh -c qemu:///system sysinfo
** (process:13177): CRITICAL **: polkit_unix_process_set_property: assertion 'val != -1' failed
==== AUTHENTICATING FOR org.libvirt.unix.manage ===
System policy prevents management of local virtualized systems
Authenticating as: Debian (debian)
Password:
```
Running with sudo will ask for a password.
If I use:
```
sudo virsh -c qemu:///system sysinfo
```
with my "ansible admin" user (also in libvirtd__admins), it works.
I tried to use a Polkit rule [0] with the `libvirtd` group, without success.
According to [1], if I create the following file at
/etc/polkit-1/localauthority/50-local.d/gitlab-runner.pkla:
```
[Allow gitlab-runner libvirt management permissions]
Identity=unix-user:gitlab-runner
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```
then restart `polkit` and `libvirtd`, I'm able to run `virsh -c qemu:///system sysinfo` as the gitlab-runner user without a password.
Maciej, I suppose you don't use Polkit on your CI infrastructure.
1. Which configuration do you use?
2. According to [1], I suppose libvirtd comes with PolKit support in
Debian Stretch. IMO, we should adapt the debops.libvirtd defaults to have a
ready-to-use setup with a gitlab-runner.
Thanks for your answer.
[0] https://major.io/2015/04/11/run-virsh-and-access-libvirt-as-a-regular-user/
[1] https://libvirt.org/auth.html#ACL_server_polkit
--
Nicolas Quiniou-Briand
Jabber/XMPP : nqb(a)azyx.fr
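An added example, not part of this thread or of debops: a small Python parser for the pklocalauthority (.pkla) format shown above, so an admin can audit which identities a file grants org.libvirt.unix.manage, and under which session state, before deploying it on a CI host. The sample entry is the one from the message; the `default` result (auth_admin_keep) stands in for libvirt's own .policy file and is an assumption.

```python
import fnmatch

# Constructed sample modelled on the .pkla entry quoted in the email above.
SAMPLE_PKLA = """\
[Allow gitlab-runner libvirt management permissions]
Identity=unix-user:gitlab-runner
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

def parse_pkla(text):
    """Split a pklocalauthority file into one dict per [section] (INI-like '=' pairs)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1]}
            entries.append(cur)
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return entries

def identity_matches(spec, user, groups):
    """Identity= holds ';'-separated unix-user:<glob> / unix-group:<glob> items."""
    for ident in filter(None, spec.split(";")):
        kind, _, pattern = ident.partition(":")
        if kind == "unix-user" and fnmatch.fnmatchcase(user, pattern):
            return True
        if kind == "unix-group" and any(fnmatch.fnmatchcase(g, pattern) for g in groups):
            return True
    return False

def decide(entries, action, user, groups, session="active", default="auth_admin_keep"):
    """Result for (action, subject): entries apply in file order and the last matching
    entry that sets the key for this session type wins; `default` is an assumed fallback."""
    key = {"any": "ResultAny", "inactive": "ResultInactive", "active": "ResultActive"}[session]
    result = default
    for e in entries:
        if not (any(fnmatch.fnmatchcase(action, a) for a in e.get("Action", "").split(";"))
                and identity_matches(e.get("Identity", ""), user, groups)):
            continue
        if key in e:
            result = e[key]
    return result
```

Debian's policykit-1 0.105 (the version in Stretch) evaluates these .pkla files and ignores JavaScript rules.d files, so a rules.d-style rule does not take effect there while the .pkla does.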