
qemu_use_session triggers polkit action to acquire access to qemu:///system #1808

Open
dev-zero opened this issue Feb 17, 2024 · 4 comments

@dev-zero

When setting qemu_use_session = true, I get an error about polkit being unavailable (on a minimal headless machine) to acquire root privileges to access qemu:///system.

Checking the driver it comes from this part of the code:

def list_all_networks
  client = if @machine.provider_config.qemu_use_session
             system_connection
           else
             connection.client
           end

In fact, switching the lines as per

         client = if @machine.provider_config.qemu_use_session
-                   system_connection
-                else
                   connection.client
+                else
+                   system_connection
                 end
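Review bot: the swap inverts which branch talks to the system socket, so with qemu_use_session disabled this now calls system_connection where it previously used connection.client; unless connection.client already targets qemu:///system in that configuration, the else branch changes behaviour for non-session users too. Since the maintainer's reply in this thread says the read-only system lookup is what other distros rely on when session mode is used, consider keeping the session-first path and only consulting the read-only system connection as a fallback when it can be opened without a polkit challenge, rather than dropping it entirely.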

makes the machine come up as an unprivileged user with networking working.

A Vagrantfile to reproduce the issue:

Vagrant.configure("2") do |config|
  config.vm.define :test_vm do |test_vm|
    test_vm.vm.box = "opensuse/MicroOS.x86_64"
    test_vm.vm.synced_folder ".", "/vagrant", disabled: true
  end

  config.vm.provider :libvirt do |libvirt|
    libvirt.cpus = 2
    libvirt.qemu_use_session = true
  end
end

Full disclosure, afterwards vagrant kills the machine again due to this:

==> test_vm: Waiting for machine to boot. This may take a few minutes...

==> test_vm: Removing domain...
==> test_vm: Deleting the machine folder
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.

If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.

But I was able to connect to the VM via VNC and check the network.

@dev-zero
Author

Follow up on the virtual machine bring-up: it seems that get_ipaddress_from_system_domain is not working either.
Simply commenting out the following helped in getting a machine up with qemu_use_session = true:

return get_ipaddress_from_system domain.mac if @machine.provider_config.qemu_use_session

@dev-zero
Author

dev-zero commented Feb 19, 2024

This is with libvirt-10 on openSUSE Leap 15.5 (with a fix for https://bugzilla.opensuse.org/show_bug.cgi?id=1219986 applied). Will soon try with libvirt-9.

dev-zero added a commit to opencube-horizon/vagrant-libvirt that referenced this issue Feb 21, 2024
Detection of network connections via system is broken, but directly querying libvirt is working properly. Using the system connection when qemu_use_session is enabled will lead to polkit trying to acquire root privileges, which is unavailable in some setups. The client is nowadays capable of enumerating the network devices as an unprivileged user.
Fixes vagrant-libvirt#1808.
@electrofelix
Contributor

It should be possible to get read-only access to the system connection to read network information as a user. This sounds more like openSUSE polkit is broken, as removing the opening of the read-only system connection to read the network when session is used will simply break for all other distros.

@dev-zero
Author

@electrofelix unfortunately not, polkit is working:

muellert@o184i163:~> virsh -r -c qemu:///system iface-list
==== AUTHENTICATING FOR org.libvirt.unix.monitor ====
System policy prevents monitoring of local virtualized systems
Authenticating as: root
Password:

If the user is not a member of libvirt, the system asks for root permissions to access the system-wide libvirt socket, whether in read-only mode or not (see the -r above).
In particular, as soon as polkit gets involved, we are not in user-session mode anymore.
I will see whether I can test the change on other distros.
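One way to reconcile the two positions in this thread (keep the read-only system lookup that other distros rely on, but never let it escalate through polkit when qemu_use_session is set), as an added Ruby example that is not vagrant-libvirt's code. It assumes connection objects respond to list_all_networks and that a polkit challenge surfaces as an exception whose message names polkit or authentication, as the virsh output above shows for org.libvirt.unix.monitor; FakeClient is a constructed stand-in for real libvirt connections.

```ruby
# Added example, not vagrant-libvirt's code.
# Assumption: a polkit challenge on the system socket is raised as an
# exception whose message mentions polkit/authentication.
POLKIT_MARKERS = /polkit|AUTHENTICATING FOR org\.libvirt\.unix|authentication/i

# Names of networks visible to this user.
# Session mode: the user's own connection comes first; the read-only system
# connection is merged in only when it answers without a polkit prompt.
def list_networks(use_session:, session_client:, system_client:)
  return system_client.list_all_networks unless use_session

  names = session_client.list_all_networks
  begin
    names |= system_client.list_all_networks
  rescue StandardError => e
    # A polkit challenge means we are no longer in pure session mode:
    # treat the system view as unavailable rather than prompting for root.
    raise unless e.message =~ POLKIT_MARKERS
  end
  names
end

# Constructed stand-ins for libvirt connections, used only to exercise the logic.
class FakeClient
  def initialize(networks: [], error: nil)
    @networks = networks
    @error = error
  end

  def list_all_networks
    raise @error if @error
    @networks
  end
end

# Three constructed scenarios: system socket guarded by polkit, system socket
# readable without a prompt, and plain non-session mode.
def demo
  session = FakeClient.new(networks: ['vagrant-libvirt'])
  locked  = FakeClient.new(error: RuntimeError.new(
    'authentication failed: polkit: org.libvirt.unix.monitor'))
  open_ro = FakeClient.new(networks: ['default', 'vagrant-libvirt'])
  [
    list_networks(use_session: true,  session_client: session, system_client: locked),
    list_networks(use_session: true,  session_client: session, system_client: open_ro),
    list_networks(use_session: false, session_client: session, system_client: open_ro)
  ]
end
```

Errors that are not a polkit challenge (a dead socket, a libvirt bug) still propagate, so a genuine fault is not silently masked as "no networks".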
