Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835950 - app-emulation/virt-manager does not have acct-group/libvirt as a dependency
Summary: app-emulation/virt-manager does not have acct-group/libvirt as a dependency
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Virtualization Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-24 18:28 UTC by max
Modified: 2023-08-31 17:51 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description max 2022-03-24 18:28:51 UTC
Title says it all
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-24 18:40:48 UTC
The title doesn't really say it all.

This is a complicated one:
1. virt-manager can be used remotely
2. libvirt itself only even uses the group with USE=polkit
Comment 2 max 2022-03-27 10:45:19 UTC
Sorry for the late reply :(
Could it be displayed in the info after you install a package so people know about it if they need it?
Comment 3 Michal Privoznik 2022-04-07 20:15:03 UTC
So would it make sense to require libvirt with the same state of policykit USE flag as libvirt? I mean, IIUC the problem is virt-manager was built with policykit but libvirt wasn't.

And while it's true that virt-manger can be used remotely there's no way to guarantee that on ebuild level. I mean, libvirt.so (to which virt-manager ultimately links to) is not in a separate package. Unless we want to fine tune the dependency (libvirt built without libvirtd/lxc/qemu/virtualbox/... USE flags). And even then, libvirt has these "local" drivers (like virtualbox) where it's just a very thin layer that translates hypervisor APIs onto libvirt APIs (virtualbox is perfect example). But then again, policykit would be a problem iff libvirt was built with policykit.

If we agree I can post a fix.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-07 20:19:34 UTC
(In reply to Michal Privoznik from comment #3)
> So would it make sense to require libvirt with the same state of policykit
> USE flag as libvirt? I mean, IIUC the problem is virt-manager was built with
> policykit but libvirt wasn't.
> 
> And while it's true that virt-manger can be used remotely there's no way to
> guarantee that on ebuild level. I mean, libvirt.so (to which virt-manager
> ultimately links to) is not in a separate package. Unless we want to fine
> tune the dependency (libvirt built without libvirtd/lxc/qemu/virtualbox/...
> USE flags). And even then, libvirt has these "local" drivers (like
> virtualbox) where it's just a very thin layer that translates hypervisor
> APIs onto libvirt APIs (virtualbox is perfect example). But then again,
> policykit would be a problem iff libvirt was built with policykit.
> 
> If we agree I can post a fix.

I think a policykit= dep on libvirt would work. Interestingly virt-manager isn't even depending on libvirt at all (directly) right now, but AFAIK it *does* need libvirt to do the remote connection, right?
Comment 5 Conrad Kostecki gentoo-dev 2022-07-09 22:19:26 UTC
@Michal: There is a question from Sam open :-)
Comment 6 Michal Prívozník 2022-10-14 04:35:45 UTC
(In reply to Sam James from comment #4)
> I think a policykit= dep on libvirt would work. Interestingly virt-manager
> isn't even depending on libvirt at all (directly) right now, but AFAIK it
> *does* need libvirt to do the remote connection, right?

Yeah. virt-manager depends on libvirt-python (which is a python bindings to libvirt), because virt-manager is written in python. However, libvirt-python does depend on libvirt, because as I said, the python bidings are really just a very thin layer that exposes C functions into python (via cpython).

But now that I think about this even more, I'm failing to understand why virt-manager would require libvirt with polkit. After debugging this for a bit, the real problem here is that when libvirt's build without polkit, the socket it creates (for user to connect to, including virt-manager), is owned by root:root and has perms 0700 whereas with polkit it has perms of 0777. That's what's denying virt-manager connection.

Looking further into the code, libvirt's built in defaults are so that with polkit the socket perms are 0777 and without it are 0700. But these can be changed in /etc/libvirt/libvirtd.conf (or virtWHATEVER.conf when using the split daemon), bu changing unix_sock_rw_perms knob.

After all, virt-manager can work even without libvirt group, but not out of the box. The user most friendly thing here, IMO, would be just to have app-emulation/libvirt[policykit] as a runtime dependency for virt-manager. This does not really bring any new dependency, because virt-manager already requires libvirt, transitively.

The other option would be a postinst message (elog).
Comment 7 senoraraton 2023-04-02 17:23:30 UTC
Having a slightly different, but tangential bug.  

When the /var/run/libvirt/libvirt-sock is created its permissions are root:root which means that the traditional steps of adding your user to the libvirt group fail, because they don't have permissions for the socket.  

I can only assume that this is related to the non-inclusion of the libvirt group.  I'm also not using the polkit use flag.
Comment 8 Nathan Zachary 2023-08-31 16:32:26 UTC
I ran into this same problem as well.  It would at least be helpful to indicate to the user (maybe via ewarn?) that the 'policykit' USE flag is needed for libvirt in order to create the group.  If not via ewarn, maybe at least in the documentation for libvirt or virt-manager?

Cheers,
Nathan Zachary