Skip to main content

Connecting to oVirt hypervisor with virt-manager

·1 min

oVirt installation changes the default authentication for libvirtd daemon on hypervisor side from none to SASL:

[root@hypervisor-1 ~]# grep auth_unix_rw /etc/libvirt/libvirtd.conf
#auth_unix_rw = "none"
auth_unix_rw="sasl"

The chosen mechanism to perform the authentication is scram-sha-256:

[root@hypervisor-1 ~]# cat /etc/sasl2/libvirt.conf
## start vdsm-4.50.0 configuration
mech_list: scram-sha-256
sasldb_path: /etc/libvirt/passwd.db

This makes virt-manager to fail with the following error when trying to connect to the hypervisor:

Unable to connect to libvirt qemu+ssh://root@hypervisor-1.example.com/system.

authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
no mechanism available: No worthy mechs found)

Verify that the 'libvirtd' daemon is running on the remote host.

Libvirt URI is: qemu+ssh://root@hypervisor-1.example.com/system

The reason is the scram-sha-256 SASL mechanism not being available in the local system. In Fedora we need to install an additional package to provide the mentioned mechanism:

[user@client ~]$ sudo dnf install cyrus-sasl-scram

After installing the package we must stop virt-manager and start it again. Now, we will be asked for the SASL username and password, when trying to connect to the oVirt hypervisor.

If you don’t want to enter the username and password each time, you can create the ~/.config/libvirt/auth.conf file with the following content.

[credentials-vdsm]
authname=vdsm@ovirt
password=shibboleth

[auth-libvirt-hypervisor-1.example.com]
credentials=vdsm

[auth-libvirt-hypervisor-2.example.com]
credentials=vdsm

[auth-libvirt-hypervisor-3.example.com]
credentials=vdsm

For more information please see the Connection authentication official documentation