Eucalyptus

graziano obertelli graziano at eucalyptus.com
Mon Feb 22 19:45:57 UTC 2010


Thanks for replying!

On Thu, Feb 18, 2010 at 02:42:51PM -0500, Matthew Miller wrote:
> On Tue, Feb 16, 2010 at 05:07:16PM -0800, graziano obertelli wrote:
> > In this regard I have a few questions: we depend on libvirt to run
> > instances, and we are running into some problems. The first one is: how do
> > we give permission to the user eucalyptus to run instances? I think you
> > are using policykit, so how do we configure it correctly?
> 
> This is untested and should be vetted for correct policy usage in addition
> to actually functioning, but a file called
> /etc/polkit-1/localauthority/10-vendor.d/10-libvirt-allow-eucalyptus-user 
> with these contents:
> 
> [AllowEucalyptusUser]
> Identity=unix-user:eucalyptus
> Action=org.libvirt.unix.manage
> ResultAny=yes
> 
> Should do it.

I'm still having a problem: I get

Feb 22 11:41:22 localhost libvirtd: 11:41:22.973: error :
remoteDispatchAuthPolkit:3168 : Policy kit denied action
org.libvirt.unix.manage from pid 1820, uid 501, result: 256#012

and 

[root@fedora-64 eucalyptus]# pkcheck --action-id org.libvirt.unix.manage --process 1820
Not authorized.

I also tried to create another user, and add the rules for it too, but
virsh connect qemu:///system is still failing with the same error (root of
course can connect).

Am I doing something wrong?

> > %global is_suse %(test -e /etc/SuSE-release && echo 1 || echo 0)
> > %global is_centos %(grep CentOS /etc/redhat-release > /dev/null && echo 1 || echo 0)
> > %global is_fedora %(grep Fedora /etc/redhat-release > /dev/null && echo 1 || echo 0)
> 
> 
> All of this stuff is kinda scary. I'd rather see a eucalyptus.spec.in that
> gets pre-processed into distro-specific spec files.
> 
> There's quite a bit of other cleanup that needs to happen to make it match
> the fedora packaging guidelines, too -- and since that stuff may not mesh
> well with Suse, etc., guidelines, trying to keep it all in one shared file
> gets more and more difficult.

Ok, this is a good point. For now we'll keep a single spec file because
it's easier for us to handle it, but we'll keep this in mind! 

cheers
graziano

> 
> -- 
> Matthew Miller <mattdm at mattdm.org>
> Senior Systems Architect -- Instructional & Research Computing Services
> Computing & Information Technology 
> Harvard School of Engineering & Applied Sciences
> _______________________________________________
> cloud mailing list
> cloud at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/cloud

-- 
Graziano Obertelli
Eucalyptus Systems, Inc.

130 Castilian St. Goleta, CA 93117
Office: 805-845-8000
www.eucalyptus.com
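
Added example (not part of the thread, and not code from polkit, libvirt or Eucalyptus): a small Python linter that checks the local-authority entry discussed above against the file rules in pklocalauthority(8), namely a `.pkla` file name, required `Identity` and `Action` keys, and at least one valid `Result*` key. The function name `lint_pkla` and the sample strings are constructed for illustration.

```python
import configparser
from pathlib import PurePosixPath

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
RESULT_VALUES = {"yes", "no", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}
IDENTITY_PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

def lint_pkla(path, text):
    """Return findings for one local-authority file; an empty list means clean."""
    findings = []
    if PurePosixPath(path).suffix != ".pkla":
        findings.append("file name lacks the .pkla extension")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return findings + [f"not parseable as a key file: {exc}"]
    if not cp.sections():
        findings.append("no [Group] authorization entry found")
    for name in cp.sections():
        entry = cp[name]
        for key in ("Identity", "Action"):
            if not entry.get(key, "").strip():
                findings.append(f"[{name}] missing required key {key}")
        for ident in entry.get("Identity", "").split(";"):
            if ident.strip() and not ident.strip().startswith(IDENTITY_PREFIXES):
                findings.append(f"[{name}] unrecognized identity {ident.strip()!r}")
        results = {k: entry[k].strip() for k in RESULT_KEYS if k in entry}
        if not results:
            findings.append(f"[{name}] needs at least one of {'/'.join(RESULT_KEYS)}")
        for key, value in results.items():
            if value not in RESULT_VALUES:
                findings.append(f"[{name}] {key}={value} is not a valid result")
            elif value == "yes":  # least-privilege review note, not a syntax error
                findings.append(f"[{name}] {key}=yes grants the action without authentication")
    return findings

# Constructed sample: the entry quoted in the thread, linted under two file names.
ENTRY = """[AllowEucalyptusUser]
Identity=unix-user:eucalyptus
Action=org.libvirt.unix.manage
ResultAny=yes
"""
DIR = "/etc/polkit-1/localauthority/10-vendor.d/"
if __name__ == "__main__":
    for fname in ("10-libvirt-allow-eucalyptus-user", "10-libvirt-allow-eucalyptus-user.pkla"):
        print(fname, "->", lint_pkla(DIR + fname, ENTRY))
```
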


