Unable to parse subnets XML

Problem:
I’m trying to provision Libvirt virtual guests using TFTP boot managed by foreman-proxy. I have a Libvirt virtual network with working DHCP for the subnet 10.0.0.0/16. I can create guests on this network using Virsh, and its DHCP works fine. I can create virtual guests from the Foreman web interface using another subnet with DHCP from my physical router just fine. But when I try to create a host with an interface on this subnet I get this:

Failed to fetch a free IP from proxy foreman.example.com (https://foreman.example.com:8443): ERF12-8202 [ProxyAPI::ProxyException]: Unable to retrieve unused IP ([RestClient::BadRequest]: 400 Bad Request) for proxy https://foreman.example.com:8443/dhcp

This error message appears when trying to suggest a new IPv4 address from this subnet or create a host with a manually entered IP address. The Foreman-Proxy logs just record an error, “Unable to parse subnets XML.”

Expected outcome:
Foreman should be able to get an unused IP address from the Libvirt DHCP service.

Foreman and Proxy versions:
Foreman: 1.22
Foreman-Proxy: 1.22

Other relevant data:
Libvirt network config:

<network>
  <name>default</name>
  <uuid>78ca881e-8cf5-4042-8526-e2a856a885ff</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:ae:31:0b'/>
  <domain name='virtnet'/>
  <ip address='10.0.0.1' netmask='255.255.0.0'>
    <tftp root='/var/lib/tftpboot'/>
    <dhcp>
      <range start='10.0.0.2' end='10.0.254.254'/>
      <bootp file='pxelinux.0'/>
    </dhcp>
  </ip>
</network>

Foreman-Proxy logs:
Message: Unable to parse subnets XML
Backtrace:

/usr/share/foreman-proxy/modules/libvirt_common/libvirt_network.rb:16:in `open'
/usr/share/foreman-proxy/modules/libvirt_common/libvirt_network.rb:16:in `connection'
/usr/share/foreman-proxy/modules/libvirt_common/libvirt_network.rb:25:in `find_network'
/usr/share/foreman-proxy/modules/libvirt_common/libvirt_network.rb:21:in `dump_xml'
/usr/share/foreman-proxy/modules/dhcp_libvirt/subnet_service_initializer.rb:22:in `parse_config_for_subnets'
/usr/share/foreman-proxy/modules/dhcp_libvirt/subnet_service_initializer.rb:15:in `initialized_subnet_service'
/usr/share/foreman-proxy/modules/dhcp_libvirt/configuration_loader.rb:14:in `block in load_dependency_injection_wirings'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:10:in `call'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:10:in `instance'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:59:in `get_dependency'
/usr/share/foreman-proxy/modules/dhcp_libvirt/configuration_loader.rb:19:in `block in load_dependency_injection_wirings'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:10:in `call'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:10:in `instance'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:59:in `get_dependency'
/usr/share/foreman-proxy/lib/proxy/dependency_injection.rb:76:in `block in inject_attr'
/usr/share/foreman-proxy/modules/dhcp/dhcp_api.rb:34:in `block in <class:DhcpApi>'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1611:in `block in compile!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `[]'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:994:in `route_eval'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:973:in `block in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `each'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `block in call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:895:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/methodoverride.rb:22:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:86:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:14:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/show_exceptions.rb:25:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:182:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:2013:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `block in call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1787:in `synchronize'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:66:in `block in call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:153:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `call'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Hey, apply this patch, enable foreman-proxy debug level, try again and then pastebin logging of the whole request.

The error was “Call to virConnectOpen failed: authentication unavailable: no polkit agent available to authenticate action ‘org.libvirt.unix.manage’”, which I managed to fix by adding foreman-proxy to the libvirt group.

Thanks for your help!
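
The backtrace in the first post ends in `open` / `connection` (libvirt_network.rb:16), before any XML is read, and the network definition posted there is well-formed. As an added example (not Foreman's own code; the error classes and the `fetch_xml` callable are hypothetical), this Ruby code parses that definition and reports a connection failure separately from a parse failure:

```ruby
require 'rexml/document'
require 'ipaddr'

# Network definition from the post above, trimmed to the elements a DHCP module needs.
NETWORK_XML = <<~XML
  <network>
    <name>default</name>
    <ip address='10.0.0.1' netmask='255.255.0.0'>
      <tftp root='/var/lib/tftpboot'/>
      <dhcp>
        <range start='10.0.0.2' end='10.0.254.254'/>
        <bootp file='pxelinux.0'/>
      </dhcp>
    </ip>
  </network>
XML

# Hypothetical error classes so callers can tell the two failure stages apart.
class LibvirtConnectError < StandardError; end
class SubnetParseError < StandardError; end

# Extract network address, netmask and DHCP range from a libvirt <network> document.
def parse_subnets(xml)
  doc = REXML::Document.new(xml)
  subnets = REXML::XPath.match(doc, '/network/ip').map do |ip|
    addr = ip.attributes['address']
    mask = ip.attributes['netmask']
    range = ip.elements['dhcp/range']
    { network: IPAddr.new("#{addr}/#{mask}").to_s, netmask: mask,
      range: range && [range.attributes['start'], range.attributes['end']] }
  end
  raise SubnetParseError, 'no <ip> element in network XML' if subnets.empty?
  subnets
rescue REXML::ParseException, IPAddr::Error => e
  raise SubnetParseError, "invalid network XML: #{e.message}"
end

# fetch_xml is a callable standing in for "open the libvirt connection and dump the XML".
# A failure there is reported as a connection error and keeps the original message.
def load_subnets(fetch_xml)
  xml = begin
    fetch_xml.call
  rescue StandardError => e
    raise LibvirtConnectError, "libvirt connection failed: #{e.message}"
  end
  parse_subnets(xml)
end
```
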