Browse code
Fix polkit configuration to allow usage of libvirt on openSUSE
There is a buggy limitation with pkla files on openSUSE, that blocks
using 'unix-group:libvirtd' from working. A pkla with such a matching
identity will be overruled by the pkla generated by polkit-default-privs
containing 'unix-group:*' (which will match the other groups the user
belongs to, likely after matching libvirtd).
To work around this, explicitly allow the user instead.
Also, move the creation of the libvirtd group a bit later, to clarify
the code.
Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c
Vincent Untz authored on 2012/12/06 01:59:04Showing 1 changed files
| ... | ... |
@@ -231,10 +231,13 @@ EOF |
| 231 | 231 |
if is_ubuntu; then |
| 232 | 232 |
LIBVIRT_DAEMON=libvirt-bin |
| 233 | 233 |
else |
| 234 |
- # http://wiki.libvirt.org/page/SSHPolicyKitSetup |
|
| 235 |
- if ! getent group libvirtd >/dev/null; then |
|
| 236 |
- sudo groupadd libvirtd |
|
| 237 |
- fi |
|
| 234 |
+ LIBVIRT_DAEMON=libvirtd |
|
| 235 |
+ fi |
|
| 236 |
+ |
|
| 237 |
+ # For distributions using polkit to authorize access to libvirt, |
|
| 238 |
+ # configure polkit accordingly. |
|
| 239 |
+ # Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup |
|
| 240 |
+ if is_fedora; then |
|
| 238 | 241 |
sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla |
| 239 | 242 |
[libvirt Management Access] |
| 240 | 243 |
Identity=unix-group:libvirtd |
| ... | ... |
@@ -243,11 +246,24 @@ ResultAny=yes |
| 243 | 243 |
ResultInactive=yes |
| 244 | 244 |
ResultActive=yes |
| 245 | 245 |
EOF' |
| 246 |
- LIBVIRT_DAEMON=libvirtd |
|
| 246 |
+ elif is_suse; then |
|
| 247 |
+ # Work around the fact that polkit-default-privs overrules pklas |
|
| 248 |
+ # with 'unix-group:$group'. |
|
| 249 |
+ sudo bash -c "cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla |
|
| 250 |
+[libvirt Management Access] |
|
| 251 |
+Identity=unix-user:$USER |
|
| 252 |
+Action=org.libvirt.unix.manage |
|
| 253 |
+ResultAny=yes |
|
| 254 |
+ResultInactive=yes |
|
| 255 |
+ResultActive=yes |
|
| 256 |
+EOF" |
|
| 247 | 257 |
fi |
| 248 | 258 |
|
| 249 | 259 |
# The user that nova runs as needs to be member of **libvirtd** group otherwise |
| 250 | 260 |
# nova-compute will be unable to use libvirt. |
| 261 |
+ if ! getent group libvirtd >/dev/null; then |
|
| 262 |
+ sudo groupadd libvirtd |
|
| 263 |
+ fi |
|
| 251 | 264 |
add_user_to_group `whoami` libvirtd |
| 252 | 265 |
|
| 253 | 266 |
# libvirt detects various settings on startup, as we potentially changed |