
On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirtadm' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300
---
v2:
- Name the group libvirtadm (danpb)
- Name the source file libvirt.rules and rename on install (eblake)

 daemon/Makefile.am   | 13 +++++++++++++
 daemon/libvirt.rules |  9 +++++++++
 libvirt.spec.in      | 15 +++++++++++++--
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 daemon/libvirt.rules
diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..974feed 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules + rmdir $(DESTDIR)$(rulesdir) || : +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules new file mode 100644 index 0000000..e70c09b --- /dev/null +++ b/daemon/libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirtadm' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirtadm")) { + return polkit.Result.YES; + } +}); diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..10a28a2 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi
%if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif
+ %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirtadm' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
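Review bot: In the Makefile.am install-data-polkit hunk, the install step writes `$(srcdir)/$(rulesfile)` to the hardcoded name `50-libvirt.rules` and the uninstall step repeats that literal, so the two can drift; a single variable for the installed name (for example `rulesinstall = 50-libvirt.rules`, a suggested name) would keep them in step. It is also worth a comment next to the install line, or a sentence in the commit message, that polkit reads rules.d files from /etc/polkit-1 and /usr/share/polkit-1 in lexical filename order and the first rule function returning a result wins, because that ordering is what lets a local administrator override this grant with a lower-numbered file in /etc/polkit-1/rules.d.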
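Review bot: The libvirt.rules hunk returns polkit.Result.YES for any libvirtadm member requesting org.libvirt.unix.manage, and since manage access to the system libvirtd lets a user define guests with arbitrary host disks and devices attached by a root daemon, group membership is effectively root-equivalent; the two-line comment at the top of the file and the commit message should say that plainly so administrators treat adding a user to libvirtadm the way they treat granting sudo. The rule also places no condition on `subject.local` or `subject.active`, so a remote login session by a group member is granted as well; if that is the intent, state it in the comment, otherwise add those checks.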
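Review bot: Two points in the libvirt.spec.in %pre hunk. The added comment says "The uid number is irrelevant" but this creates a group, so it should read gid. And moving `%pre daemon` above the `%if ! %{with_driver_modules}` block while removing the trailing `exit 0` means the scriptlet's exit status now comes from whatever its last command is; `getent group libvirtadm >/dev/null || groupadd -r libvirtadm` is fine when the group already exists, but the hunk is cut off here and I cannot see whether the scriptlet still ends with `exit 0`, which it should so that a failure in one of these lookups does not abort the whole package install.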
Hmm, you know I think we should probably file a bug against the 'setup' RPM in Fedora to request allocation of a group ID value for this, so we can default to using a fixed group ID, as we do for other users/groups we create
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAn...
Quote: Soft static allocation is only appropriate for packages where the UID or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm... certainly no files need to be owned by it
Ah, ok then. ACK

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|