CentOS7: KVM: error: Cannot create user runtime directory '/run/user/0/libvirt': Permission denied

rwfitzy asked:

Been trying to resolve an issue I found by having our Nagios installation use a plugin for KVM, check_kvm, I found. I think my problem boils down to a permissions issue with the nagios/nrpe user. After installing nrpe and plugins, I do not have any issues with other standard plugins like check_disk or check_load, etc. Basically, the kvm plugin is using virsh to check status, so I enabled login for nrpe (also tried the nagios user, but it appears the service is running under nrpe user) and tried the following:

[root@vhost3 ~]# su nrpe
sh-4.2$ virsh list --all
error: failed to connect to the hypervisor
error: no valid connection
error: Cannot create user runtime directory '/run/user/0/libvirt': Permission denied

But no problem with this command as root of course and the plugin executes well when trying locally:

[root@vhost3 ~]# virsh list --all
 Id    Name                           State
----------------------------------------------------
 2     www                            running
[root@vhost3 ~]# /usr/lib64/nagios/plugins/check_kvm
hosts:1 OK:1 WARN:0 CRIT:0 - www:running

I’ve tried adding the nrpe user, and nagios for that matter, to the kvm and qemu groups; I don’t find a libvirtd group. One weird thing is I get a different error on another machine. Perhaps I did something different on that server, but I get this instead:

[root@vhost1 ~]# su nrpe
sh-4.2$ virsh list --all
error: failed to connect to the hypervisor
error: no valid connection
error: Failed to connect socket to '/run/user/0/libvirt/libvirt-sock': Permission denied

The other weird thing about the error above is that the /run/user/0/libvirt directory does not exist. On this CentOS7 host, the correct directory is /var/run/libvirt, where the libvirt-sock exists. Can someone suggest what my problem is?

My answer:


By default non-root users cannot access libvirtd directly, unless explicitly granted authorization.

I’ve done this using PolicyKit:

# cat /etc/polkit-1/rules.d/50-org.libvirt.unix.manage.rules
polkit.addRule(function(action, subject) {
        if (action.id == "org.libvirt.unix.manage" &&
            subject.user == "nrpe") {
                // Log before returning; statements after the return never run.
                polkit.log("action=" + action);
                polkit.log("subject=" + subject);
                return polkit.Result.YES;
        }
});

This will let user nrpe do whatever they want to do with libvirtd without requiring a password.

Second, non-root users need to specify the connection URL explicitly in order to access the system libvirtd.

virsh --connect qemu:///system list --all
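To see exactly what the rule in the answer grants before deploying it, the rule can be exercised offline under Node.js. This is an added example, not part of the original answer: `makePolkitStub`, `installLibvirtRule` and `checkRule` are hypothetical names, and the stub imitates only `addRule`, `log` and `Result` with placeholder result strings; it is not polkitd.

```javascript
// Added example: run a polkit rule against a stub `polkit` object.
// The Result strings below are constructed placeholders for this harness.
function makePolkitStub() {
  const rules = [];
  const logs = [];
  return {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not-handled" },
    addRule: (fn) => rules.push(fn),
    log: (msg) => logs.push(msg),
    logs,
    // Rules are asked in the order they were added; the first one that
    // returns a value decides. No value means the action's defaults apply.
    evaluate(actionId, user) {
      for (const rule of rules) {
        const result = rule({ id: actionId }, { user: user });
        if (result !== undefined && result !== null &&
            result !== this.Result.NOT_HANDLED) {
          return result;
        }
      }
      return this.Result.NOT_HANDLED;
    },
  };
}

// The rule from the answer, with the log calls ahead of the return.
function installLibvirtRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.libvirt.unix.manage" && subject.user == "nrpe") {
      polkit.log("action=" + action.id);
      polkit.log("subject=" + subject.user);
      return polkit.Result.YES;
    }
  });
}

// Evaluate the rule for the cases that matter when reviewing its scope.
function checkRule() {
  const polkit = makePolkitStub();
  installLibvirtRule(polkit);
  return {
    nrpeManage: polkit.evaluate("org.libvirt.unix.manage", "nrpe"),
    nagiosManage: polkit.evaluate("org.libvirt.unix.manage", "nagios"),
    nrpeOther: polkit.evaluate("org.freedesktop.systemd1.manage-units", "nrpe"),
    logs: polkit.logs.slice(),
  };
}

console.log(checkRule());
```

Only the nrpe user on the `org.libvirt.unix.manage` action gets an unconditional YES; every other user and action falls through to the existing policy.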

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.