How to configure fine grained control of Virtual Machines in Cockpit

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 8.x
  • cockpit-machines-238.2-1.el8.noarch
  • libvirt-6.0.0-35.module+el8.4.0+10230+7a9b21e4.x86_64
  • libvirt-dbus-1.3.0-2.module+el8.3.0+6423+e4cb6418.x86_64

Issue

  • We want to let non-root users who log in through Cockpit perform some, but not all, administrative actions on VMs.

Resolution

For example, to allow the members of the group powerusers every VM action except Shutdown and Power off (the org.libvirt.Domain methods Shutdown and Destroy), create the D-Bus policy file /etc/dbus-1/system.d/org.libvirt.conf with the following contents. Rules in a policy are evaluated in order and the last matching rule wins, so the two deny rules must come after the blanket allow; any method not named in a deny rule (Reboot, for example) stays allowed, so add one deny per method you want to withhold. Keep the members of powerusers out of the libvirt group: a user in both groups gets both policies applied, and the libvirt group's unconditional allow can override these denies. dbus-daemon picks up new and changed files in this directory on its own; if a change does not take effect, run systemctl reload dbus.

<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>

  <policy group="powerusers">
    <allow send_destination="org.libvirt"></allow>
    <deny send_destination="org.libvirt" send_interface="org.libvirt.Domain" send_member="Destroy"></deny>
    <deny send_destination="org.libvirt" send_interface="org.libvirt.Domain" send_member="Shutdown"></deny>
  </policy>

</busconfig>

Root Cause

  • Every VM action in cockpit-machines is a method call on libvirt's D-Bus API, the org.libvirt service on the system bus provided by libvirt-dbus, so the bus policy decides which users may invoke which methods.
  • The default policy shipped in /usr/share/dbus-1/system.d/org.libvirt.conf denies sending to org.libvirt for everyone and then allows it only for root, the libvirt group and the libvirtdbus user (the helper that owns the name and exposes the API). Policy files in /etc/dbus-1/system.d/ add rules on top of that default, which is how another group can be granted a subset of the methods.
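To check what a policy change will permit before deploying it, the following script dry-runs the busconfig rules the way dbus-daemon selects them for a method call. It is an added example written for this article, not code from Red Hat, Cockpit or libvirt-dbus. It embeds the Resolution's policy verbatim and a constructed stand-in for the shipped /usr/share/dbus-1/system.d/org.libvirt.conf that only reproduces what the Root Cause describes (root, the libvirt group and the libvirtdbus user); the user names alice, bob and carol are hypothetical. It assumes dbus-daemon's per-connection rule order (default context, then the sender's groups, then the sender's user, then the mandatory context, last match wins, no match rejected) and its handling of calls that omit the interface.

```python
"""Dry-run a D-Bus <busconfig> send policy the way dbus-daemon evaluates it.

Added example for the article above; not part of libvirt-dbus or Cockpit.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/share/dbus-1/system.d/org.libvirt.conf, written
# to match the Root Cause (root, the libvirt group and the libvirtdbus helper
# only); the real shipped file may differ in detail.
DEFAULT_CONF = """<busconfig>
  <policy user="libvirtdbus">
    <allow own="org.libvirt"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.libvirt"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.libvirt"/>
  </policy>
  <policy group="libvirt">
    <allow send_destination="org.libvirt"/>
  </policy>
</busconfig>"""

# The /etc/dbus-1/system.d/org.libvirt.conf from the Resolution, verbatim.
POWERUSERS_CONF = """<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy group="powerusers">
    <allow send_destination="org.libvirt"></allow>
    <deny send_destination="org.libvirt" send_interface="org.libvirt.Domain" send_member="Destroy"></deny>
    <deny send_destination="org.libvirt" send_interface="org.libvirt.Domain" send_member="Shutdown"></deny>
  </policy>
</busconfig>"""

SEND_KEYS = ("send_destination", "send_interface", "send_member")


def load_send_rules(xml_text):
    """Return the send rules of every <policy> in file order as
    (scope, allow, conditions) tuples, scope being e.g. ("group", "powerusers")."""
    rules = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for kind in ("context", "user", "group"):
            if kind in policy.attrib:
                scope = (kind, policy.get(kind))
                break
        else:
            continue
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            conds = {k: v for k, v in rule.attrib.items() if k in SEND_KEYS}
            if conds:  # own=, receive_*= and similar do not affect sending
                rules.append((scope, rule.tag == "allow", conds))
    return rules


def rule_matches(allow, conds, call):
    """Apply one rule's conditions to a method call (dict keyed by SEND_KEYS)."""
    for key, wanted in conds.items():
        actual = call.get(key)
        if key == "send_interface" and actual is None:
            # Assumed dbus-daemon behaviour: a call that omits the interface
            # never satisfies an allow rule naming one but does satisfy a deny
            # rule naming one, so a deny cannot be dodged by leaving it out.
            if allow:
                return False
            continue
        if wanted != "*" and actual != wanted:
            return False
    return True


def can_send(rules, user, groups, destination, interface, member):
    """Decide whether `user` (a member of `groups`) may call the method."""
    call = {"send_destination": destination,
            "send_interface": interface,
            "send_member": member}
    # Assumed rule order: default context, the sender's groups in the order
    # given, the sender's user, the mandatory context; last match wins.
    order = ([("context", "default")] + [("group", g) for g in groups]
             + [("user", user), ("context", "mandatory")])
    verdict = False  # no rule matched: the bus rejects the call
    for scope in order:
        for rule_scope, allow, conds in rules:
            if rule_scope == scope and rule_matches(allow, conds, call):
                verdict = allow
    return verdict


RULES = load_send_rules(DEFAULT_CONF) + load_send_rules(POWERUSERS_CONF)


def check(user, groups, interface, member):
    """Verdict for one call to the org.libvirt service under both policy files."""
    return can_send(RULES, user, groups, "org.libvirt", interface, member)


if __name__ == "__main__":
    for who, groups in (("alice", ["powerusers"]), ("bob", ["libvirt"]), ("carol", [])):
        for iface, member in (("org.libvirt.Connect", "ListDomains"),
                              ("org.libvirt.Domain", "Reboot"),
                              ("org.libvirt.Domain", "Shutdown"),
                              ("org.libvirt.Domain", "Destroy")):
            verdict = "allow" if check(who, groups, iface, member) else "deny"
            print(f"{who:6} {iface}.{member:12} -> {verdict}")
```

Running it shows the powerusers member listing domains and rebooting but being refused Shutdown and Destroy, the libvirt member allowed everything, and a user in neither group refused everything. It also makes the group-overlap caveat concrete: for a user in both powerusers and libvirt the verdict on Destroy flips with the order in which the two groups' rules are applied, which is why those memberships should not overlap.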

Diagnostic Steps

Run this as root to watch the D-Bus calls Cockpit makes. Each method_call line shows the interface and member to put in a deny rule, and a call the policy rejects is answered by the bus with an org.freedesktop.DBus.Error.AccessDenied error:

# dbus-monitor --system destination='org.libvirt'

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.