[Nix-dev] packaging virt-manager for nixos
Joachim Schiele
js at lastlog.de
Thu Jun 7 17:38:20 CEST 2012
hello,
virt-manager works on my system (as root for libvirt on localhost/as
normal user i get an error but virt-manager can be used to connect to
remote hosts), however i do have some problems which i'd like to address
before i commit my changes:
but first a status:
- i've been using virt-manager as root and i've installed ubuntu with
it. libvirt itself seems to be working great on nixos AFAIK
- using the virt-manager gui i added a new virtual machine
configuration and used the gui dialog to add an iso image to boot from
- currently one cannot pass arguments to 'virt-manager' as the wrapper
script discussed in '''problem 3''' does not pass any arguments right now
a list of files i've changed:
pkgs/development/libraries/libvirt/default.nix
pkgs/applications/virtualization/virt-manager/default.nix
pkgs/applications/virtualization/virt-manager/custom_runner.py
pkgs/applications/virtualization/virtinst/default.nix
pkgs/desktops/gnome-2/bindings/gnome-python/default.nix
pkgs/top-level/all-packages.nix
pkgs/top-level/python-packages.nix (added urlgrabber-3.9.1),
other changes are upstream already
note: i would like to use git/github which would illustrate my changes
much better but for this integration i stick to svn
note: all changed files can be found in:
http://lastlog.de/misc/nixpkgs.tar.xz
=== here is a sequence of commands to get the files mentioned above: ===
cd /tmp
mkdir nixpkgs-of-qknight
cd nixpkgs-of-qknight
wget http://lastlog.de/misc/nixpkgs.tar.xz
nix-env -i xz
xz -d nixpkgs.tar.xz
tar xf nixpkgs.tar
cd nixpkgs
ls -la
note: just copy and paste all the commands into a shell (for the brave!)
===== problem 1 =====
if i want to run
- kate
- virt-manager
from a root shell (logged in as normal user, then 'su') i get a dbus
error message:
QDBusConnection: session D-Bus connection created before
QCoreApplication. Application may misbehave.
kate(7207)/kdeui (kdelibs): Session bus not found
To circumvent this problem try the following command (with Linux and bash)
export $(dbus-launch)
KCrash: Application 'kate' crashing...
KCrash: Attempting to start
/var/run/current-system/sw/lib/kde4/libexec/drkonqi from kdeinit
sock_file=/root/.kde/socket-nixus/kdeinit4__0
zsh: suspended (signal) kate
if i execute:
export $(dbus-launch)
i can then run both applications
QQQ: what should i do about that? should a root user first execute this
'export $(dbus-launch)' every time?
===== problem 2 =====
my ./nixpkgs/pkgs/desktops/gnome-2/bindings/gnome-python/default.nix
creates a wrong python path, as it won't add
gtk-2.0 to it:
/nix/store/2qd635sqnph00mn4k144vrfbdj8qs29f-gnome-python-2.28.1/lib/python2.7/site-packages/
instead of
/nix/store/2qd635sqnph00mn4k144vrfbdj8qs29f-gnome-python-2.28.1/lib/python2.7/site-packages/gtk-2.0
QQQ: what would be the best way to fix this
===== problem 3 =====
security:
./nixpkgs/pkgs/applications/virtualization/virt-manager/custom_runner.py
i'm using a custom python based runner to run the virt-manager python
program, it contains this warning:
# Warning Invoking the system shell with shell=True can be a security
hazard if combined with untrusted input. See the warning under
Frequently Used Arguments for details.
QQQ: i've not used a bash or sh script to start the python program as i
can conveniently use wrapPythonPrograms by using a python runner
QQQ: security wise: is there anything wrong here?
===== problem 4 =====
not a real problem but merely a requirement to be able to run virt-manager
at all:
in configuration.nix one needs these lines:
virtualisation.libvirtd.enable = true;
virtualisation.libvirtd.enableKVM = true;
# see https://nixos.org/wiki/Solve_GConf_errors_when_running_GNOME_applications
# why we need pkgs.gnome.GConf
services.dbus = {
  enable = true;
  packages = [ pkgs.gnome.GConf ];
};
boot.initrd.kernelModules = [
  "tun" "virtio" "kvm-intel"
];
QQQ: IMHO it seems stupid to start a GConf service manually just to be
able to run GNOME applications but for now it seems to be the only way
===== problem 5 =====
running virt-manager as a normal user usually produces an error:
""
Unable to connect to libvirt:
Failed to connect socket to '/var/run/libvirt/libvirt-sock':
Permission denied
Verify that:
- The 'libvirtd' daemon has been started
"";
this error is explained here in detail:
http://wiki.libvirt.org/page/Failed_to_connect_to_the_hypervisor#Permission_denied
QQQ: how should we address this? why is there a default localhost
configuration at all? i don't see a way to remove this configuration.
say a normal user wants to use virt-manager to manage remote servers,
why should he bother about a localhost configuration?
===== problem 6 =====
i've added: "-fno-stack-protector" to
pkgs/development/libraries/libvirt/default.nix
NIX_CFLAGS_COMPILE = "-fno-stack-protector";
QQQ: is this a security problem?
----------------------------------------------------
<rgds>
joachim
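
On problem 3, an added example (not code from the original post or from nixpkgs): a Python runner that forwards its command-line arguments as an argv list instead of going through shell=True, so no shell ever parses them and the "arguments are not passed" limitation goes away. The script path is a hypothetical placeholder, and echo_child_args plus its sample arguments are constructed here only to check the behaviour.

```python
import json
import os
import subprocess
import sys

# Hypothetical placeholder: the real store path of the virt-manager script
# is substituted at build time and is not shown in the post.
VIRT_MANAGER = "/path/to/share/virt-manager/virt-manager.py"


def build_argv(script, user_args, interpreter=sys.executable):
    """Build the argv list for the real program.

    Because this is a list and no shell is involved, every user argument
    reaches the program unchanged as exactly one argument, whatever
    characters (spaces, ';', '$', backticks) it contains.
    """
    return [interpreter, script, *user_args]


def echo_child_args(user_args):
    """Check helper: start a child without a shell and return the
    arguments it reports having received."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.check_output([sys.executable, "-c", child, *user_args])
    return json.loads(out)


if __name__ == "__main__":
    argv = build_argv(VIRT_MANAGER, sys.argv[1:])
    # Replace the runner process with the real program; nothing is
    # concatenated into a command string, so shell=True is never needed.
    os.execv(argv[0], argv)
```
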