Silverblue: virt-manager authentication

Hello,

I’m new to Silverblue and wanted to prevent the system from asking for authentication every time I launch virt-manager.

I installed the non-optional packages from the virtualization group in dnf:

rpm-ostree install virt-install qemu-kvm virt-manager virt-viewer
 libvirt-daemon-config-network libvirt-daemon-kvm

Then I followed relevant Fedora documentation by also entering:

sudo systemctl start libvirtd
sudo systemctl enable libvirtd

The answer given by @alciregi in a different post, was to add your user to the libvirt group with:

sudo usermod -a -G libvirt $USER

However, that doesn’t seem to be applicable in Silverblue. Can someone please explain what I did wrong or what I must change to remove the need for authentication?

Note: I’m not knowledgeable about virt-manager, but my understanding was that removing the request for authentication here doesn’t harm OS security.

Before the group is enabled for the user (after adding) the user must log out and back in. Then the groups command should show that group in the list the user is a member of. If that group does not show with groups, log out and back in then rerun the groups command.

Basically what @computersavvy said; whenever you modify a users groups, it doesn’t take effect until the user logs out and back in. In this case, adding the user to the libvirt group is correct.

I restarted the computer before and after using that command to add my user to the group, but the groupscommand doesn’t show libvirt there. I also repeated these steps after your message but sadly the result is the same.

I just saw this post. Is it possible that libvirt still doesn’t function as expected in Silverblue?

1 Like

You would use id ${USER} to see what groups a user is a member of.

I get:

uid=1000(brown) gid=1000(brown) groups=1000(brown),10(wheel)

(where my username is brown)

Try the sudo usermod -a -G libvirt brown command again.
Then run grep brown /etc/group so see what is shown there. It should show something like this, with a line for each group where your user is a member

$ grep brown /etc/group
wheel:x:10:brown
libvirt:x:983:brown
brown:x:1000:

Note that the libvirt group must exist before users can successfully be added, and if it does not appear in that listing then run grep libvirt /etc/group to confirm that group actually exists. If the group does not exist that is a different problem.

Does this mean there is no libvirt group in the /etc/group file?
What is the output of cat /etc/group command?

Sorry, but I get:

wheel:x:10:brown
brown:x:1000:

Could there be an issue with how I installed the relevant packages? A conflict maybe?

Yeah, I think that’s the problem. I get:

root:x:0:
wheel:x:10:brown
brown:x:1000:

I tried to follow the Fedora documentation but maybe it was outdated or inapplicable for Atomic desktops?

If that is the entire content of /etc/group then it is definitely different than on the normal (non-atomic) spins. I get this on my /etc/group on workstation.

$ wc -l /etc/group
92 /etc/group

showing 92 entry lines in that file.

Could you please share the output of the rpm-ostree status command?

Sure. Here is the output for rpm-ostree status:

State: idle
Deployments:
● fedora:fedora/40/x86_64/silverblue
                  Version: 40.20240812.0 (2024-08-12T00:43:59Z)
               BaseCommit: e31...
             GPGSignature: Valid signature by 115...
          LayeredPackages: libvirt-daemon-config-network libvirt-daemon-kvm qemu-kvm
                           virt-install virt-manager virt-viewer
                   Pinned: yes

  fedora:fedora/40/x86_64/silverblue
                  Version: 40.20240812.0 (2024-08-12T00:43:59Z)
                   Commit: e31...
             GPGSignature: Valid signature by 115...
                   Pinned: yes

Yes it is.
Here a good explanation How does /etc/{passwd,group} relate to /usr/lib/{passwd,group} in Silverblue? - #2 by guiltydoggy

1 Like

I think this is the issue I was having on Kinoite when I installed the Virtualization stuff too. It might be a bug that needs to be addressed.

To add yourself to the libvirt and qemu groups you should first do:

grep --extended-regexp --regexp='^libvirt:' --regexp='^qemu:' /usr/lib/group | sudo tee --append /etc/group

3 Likes

For reference:

and https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_unable_to_add_user_to_group

4 Likes

A different solution would be running qemu as user session, which does not need escalated privileges

1 Like

Thank you very much. I somehow missed that one.

Sometimes I’m not sure whether my issue is due to something I did or a difference of Silverblue. I sincerely appreciate the kind and clear answers from everyone in this thread.

To my understanding, at that point, we may as well fallback to Gnome Boxes :sweat_smile: