Fix polkit configuration to allow usage of libvirt on openSUSE

There is a buggy limitation with pkla files on openSUSE that blocks
'unix-group:libvirtd' from working. A pkla with such a matching
identity will be overruled by the pkla generated by polkit-default-privs
containing 'unix-group:*' (which will match the other groups the user
belongs to, likely after matching libvirtd).

To work around this, explicitly allow the user instead.

Also, move the creation of the libvirtd group a bit later, to clarify
the code.

Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c
Vincent Untz 2012-12-05 17:59:04 +01:00
parent 63ea3185de
commit f1c094cbcd

@ -231,10 +231,13 @@ EOF
if is_ubuntu; then if is_ubuntu; then
LIBVIRT_DAEMON=libvirt-bin LIBVIRT_DAEMON=libvirt-bin
else else
# http://wiki.libvirt.org/page/SSHPolicyKitSetup LIBVIRT_DAEMON=libvirtd
if ! getent group libvirtd >/dev/null; then
sudo groupadd libvirtd
fi fi
# For distributions using polkit to authorize access to libvirt,
# configure polkit accordingly.
# Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup
if is_fedora; then
sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[libvirt Management Access] [libvirt Management Access]
Identity=unix-group:libvirtd Identity=unix-group:libvirtd
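Review bot: Wrapping the pkla write in `if is_fedora; then` narrows behaviour for every other non-Ubuntu distribution: the old side wrote the file unconditionally in the `else` branch, and the new side writes it only on Fedora (plus the `elif is_suse` case added further down). A distribution that matches neither now gets no polkit rule and no message, and the failure only surfaces later when nova-compute cannot reach libvirt. Either add a final `else` that logs that no polkit configuration was written, or extend the new comment to say which distributions are expected to need none.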
@ -243,11 +246,24 @@ ResultAny=yes
ResultInactive=yes ResultInactive=yes
ResultActive=yes ResultActive=yes
EOF' EOF'
LIBVIRT_DAEMON=libvirtd elif is_suse; then
# Work around the fact that polkit-default-privs overrules pklas
# with 'unix-group:$group'.
sudo bash -c "cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-user:$USER
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF"
fi fi
# The user that nova runs as needs to be member of **libvirtd** group otherwise # The user that nova runs as needs to be member of **libvirtd** group otherwise
# nova-compute will be unable to use libvirt. # nova-compute will be unable to use libvirt.
if ! getent group libvirtd >/dev/null; then
sudo groupadd libvirtd
fi
add_user_to_group `whoami` libvirtd add_user_to_group `whoami` libvirtd
# libvirt detects various settings on startup, as we potentially changed # libvirt detects various settings on startup, as we potentially changed
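Review bot: The SUSE pkla takes the identity from `$USER`, expanded by the calling shell because the heredoc is double-quoted, while the group membership a few lines below uses `whoami`. These can disagree, for example when the script runs after `su` without a login shell, and the rule would then grant `org.libvirt.unix.manage` to a different account than the one added to libvirtd. Use one source for both, such as `Identity=unix-user:$(whoami)`. Since this branch replaces a group match with a per-user grant that has `ResultAny=yes`, the comment should also state that the rule authorizes only the account running the script, so any other account that needs libvirt access on openSUSE requires its own entry.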