Fix polkit configuration to allow usage of libvirt on openSUSE
There is a buggy limitation with pkla files on openSUSE that prevents 'unix-group:libvirtd' from working. A pkla with such a matching identity will be overruled by the pkla generated by polkit-default-privs containing 'unix-group:*' (which will match the other groups the user belongs to, likely after matching libvirtd). To work around this, explicitly allow the user instead. Also, move the creation of the libvirtd group a bit later, to clarify the code. Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c
parent
63ea3185de
commit
f1c094cbcd
26
lib/nova
26
lib/nova
@ -231,10 +231,13 @@ EOF
|
|||||||
if is_ubuntu; then
|
if is_ubuntu; then
|
||||||
LIBVIRT_DAEMON=libvirt-bin
|
LIBVIRT_DAEMON=libvirt-bin
|
||||||
else
|
else
|
||||||
# http://wiki.libvirt.org/page/SSHPolicyKitSetup
|
LIBVIRT_DAEMON=libvirtd
|
||||||
if ! getent group libvirtd >/dev/null; then
|
fi
|
||||||
sudo groupadd libvirtd
|
|
||||||
fi
|
# For distributions using polkit to authorize access to libvirt,
|
||||||
|
# configure polkit accordingly.
|
||||||
|
# Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup
|
||||||
|
if is_fedora; then
|
||||||
sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
|
sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
|
||||||
[libvirt Management Access]
|
[libvirt Management Access]
|
||||||
Identity=unix-group:libvirtd
|
Identity=unix-group:libvirtd
|
||||||
@ -243,11 +246,24 @@ ResultAny=yes
|
|||||||
ResultInactive=yes
|
ResultInactive=yes
|
||||||
ResultActive=yes
|
ResultActive=yes
|
||||||
EOF'
|
EOF'
|
||||||
LIBVIRT_DAEMON=libvirtd
|
elif is_suse; then
|
||||||
|
# Work around the fact that polkit-default-privs overrules pklas
|
||||||
|
# with 'unix-group:$group'.
|
||||||
|
sudo bash -c "cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
|
||||||
|
[libvirt Management Access]
|
||||||
|
Identity=unix-user:$USER
|
||||||
|
Action=org.libvirt.unix.manage
|
||||||
|
ResultAny=yes
|
||||||
|
ResultInactive=yes
|
||||||
|
ResultActive=yes
|
||||||
|
EOF"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# The user that nova runs as needs to be member of **libvirtd** group otherwise
|
# The user that nova runs as needs to be member of **libvirtd** group otherwise
|
||||||
# nova-compute will be unable to use libvirt.
|
# nova-compute will be unable to use libvirt.
|
||||||
|
if ! getent group libvirtd >/dev/null; then
|
||||||
|
sudo groupadd libvirtd
|
||||||
|
fi
|
||||||
add_user_to_group `whoami` libvirtd
|
add_user_to_group `whoami` libvirtd
|
||||||
|
|
||||||
# libvirt detects various settings on startup, as we potentially changed
|
# libvirt detects various settings on startup, as we potentially changed
|
||||||
|
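Review bot: In the new `elif is_suse` branch the pkla is written with `Identity=unix-user:$USER`, but the group membership further down is granted to the output of `whoami`. `$USER` is only an environment variable and can be unset or differ from the effective user in some environments, which would leave a rule that matches nobody or a different account. Since the heredoc sits inside a double-quoted `bash -c` string, that value is also expanded into a command line that runs as root, so it should come from the same source as the group call: `Identity=unix-user:$(whoami)`. The rule grants `org.libvirt.unix.manage` with `ResultAny=yes`, which gives that account unauthenticated management of the system libvirt daemon from any session, so a comment such as `# Dev/test hosts only: passwordless libvirt management for the invoking user` above the block would make the scope explicit. The enclosing function starts and ends outside the hunks shown.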