[libvirt] [PATCH v2] polkit: Allow password-less access for 'libvirtadm' group

Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal. Let's finally add official support for this. Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirtadm' group. Create the group on RPM install https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- v2: - Name the group libvirtadm (danpb) - Name the source file libvirt.rules and rename on install (eblake) daemon/Makefile.am | 13 +++++++++++++ daemon/libvirt.rules | 9 +++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/libvirt.rules diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..974feed 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT 
@@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules + rmdir $(DESTDIR)$(rulesdir) || : +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules new file mode 100644 index 0000000..e70c09b --- /dev/null +++ b/daemon/libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirtadm' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirtadm")) { + return polkit.Result.YES; + } +}); diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..10a28a2 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi %if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see 
@@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif + %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirtadm' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirtadm >/dev/null || groupadd -r libvirtadm + %endif + %endif + +exit 0 + %post daemon %if %{with_systemd} @@ -1939,6 +1949,7 @@ exit 0 %if 0%{?fedora} || 0%{?rhel} >= 6 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy %{_datadir}/polkit-1/actions/org.libvirt.api.policy +%{_datadir}/polkit-1/rules.d/50-libvirt.rules %else %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy %endif -- 2.3.6
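
Review bot: in the install-data-polkit / uninstall-data-polkit hunk of daemon/Makefile.am, the installed name 50-libvirt.rules is hard-coded in both the install and the rm -f line, while the new rulesfile variable only names the source file. A second variable for the installed name would keep the two targets from drifting apart. Separately, "rmdir $(DESTDIR)$(rulesdir) || :" operates on polkit-1/rules.d, the directory polkit itself reads rules from and that other packages install into. The "|| :" covers the non-empty case, but when libvirt's file is the only one present the shared directory is removed, so I would drop the rmdir for rulesdir even though it mirrors the existing policydir line.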
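
Review bot: the header comment in daemon/libvirt.rules undersells what the rule grants. It says group members may "connect to system libvirtd", but the condition matches org.libvirt.unix.manage, the read-write management action, and returns polkit.Result.YES, so a member of libvirtadm gets full management of the system daemon with no authentication step. Please say that in the comment so an administrator reading the installed 50-libvirt.rules treats adding a user to the group as granting a privileged role. The function also looks only at action.id and subject.isInGroup(); it does not consult subject.local or subject.active, so the grant applies to remote and inactive sessions as well. If that is intended, a sentence in the comment saying so would help.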
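
Review bot: in the new %if %{with_polkit} block added to %pre daemon in libvirt.spec.in, the comment reads "The uid number is irrelevant", but the object created is a group, so this should say gid. "described at the above link" refers to the URL that follows "...by id rather than name; see" in the qemu comment, which sits inside %if %{with_qemu} in the previous hunk and is compiled out when that branch is off; repeating the link here would make the comment self-contained. Also note that groupadd runs only under the fedora / rhel >= 6 guard and only from the RPM scriptlet, while the Makefile installs the rule for every polkit-1 build, so on other installs the rule names a group nothing creates. That is harmless, since the rule simply never matches, but worth a line in the commit message or docs telling non-RPM users to create the group themselves.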

On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirtadm' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300 --- v2: - Name the group libvirtadm (danpb) - Name the source file libvirt.rules and rename on install (eblake)
daemon/Makefile.am | 13 +++++++++++++ daemon/libvirt.rules | 9 +++++++++ libvirt.spec.in | 15 +++++++++++++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 daemon/libvirt.rules
diff --git a/daemon/Makefile.am b/daemon/Makefile.am index 300b9a5..974feed 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -53,6 +53,7 @@ EXTRA_DIST = \ libvirtd.init.in \ libvirtd.upstart \ libvirtd.policy.in \ + libvirt.rules \ libvirtd.sasl \ libvirtd.service.in \ libvirtd.socket.in \ @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session else ! WITH_POLKIT0 policydir = $(datadir)/polkit-1/actions policyauth = auth_admin_keep +rulesdir = $(datadir)/polkit-1/rules.d +rulesfile = libvirt.rules endif ! WITH_POLKIT0 endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT install-data-polkit:: $(MKDIR_P) $(DESTDIR)$(policydir) $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy +if ! WITH_POLKIT0 + $(MKDIR_P) $(DESTDIR)$(rulesdir) + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules +endif ! WITH_POLKIT0 + uninstall-data-polkit:: rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy rmdir $(DESTDIR)$(policydir) || : +if ! WITH_POLKIT0 + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules + rmdir $(DESTDIR)$(rulesdir) || : +endif ! WITH_POLKIT0 + else ! WITH_POLKIT install-data-polkit:: uninstall-data-polkit:: diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules new file mode 100644 index 0000000..e70c09b --- /dev/null +++ b/daemon/libvirt.rules @@ -0,0 +1,9 @@ +// Allow any user in the 'libvirtadm' group to connect to system libvirtd +// without entering a password. + +polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.isInGroup("libvirtadm")) { + return polkit.Result.YES; + } +}); diff --git a/libvirt.spec.in b/libvirt.spec.in index 20af502..10a28a2 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1645,9 +1645,9 @@ then fi
%if %{with_libvirtd} +%pre daemon %if ! %{with_driver_modules} %if %{with_qemu} -%pre daemon %if 0%{?fedora} || 0%{?rhel} >= 6 # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name; see @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu fi fi -exit 0 %endif %endif %endif
+ %if %{with_polkit} + %if 0%{?fedora} || 0%{?rhel} >= 6 +# 'libvirtadm' group is just to allow password-less polkit access to +# libvirtd. The uid number is irrelevant, so we use dynamic allocation +# described at the above link. +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
Hmm, you know I think we should probably file a bug against the 'setup' RPM in Fedora to request allocation of a group ID value for this, so we can default to using a fixed group ID, as we do for other users/groups we create
Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
Hmm, you know I think we should probably file a bug against the 'setup' RPM in Fedora to request allocation of a group ID value for this, so we can default to using a fixed group ID, as we do for other users/groups we create
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAn...
Quote: Soft static allocation is only appropriate for packages where the UID or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm... certainly no files need to be owned by it
- Cole

On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
Hmm, you know I think we should probably file a bug against the 'setup' RPM in Fedora to request allocation of a group ID value for this, so we can default to using a fixed group ID, as we do for other users/groups we create
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAn...
Quote: Soft static allocation is only appropriate for packages where the UID or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm... certainly no files need to be owned by it
Ah, ok then. ACK
Regards,
Daniel

On 04/29/2015 11:36 AM, Daniel P. Berrange wrote:
On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
Hmm, you know I think we should probably file a bug against the 'setup' RPM in Fedora to request allocation of a group ID value for this, so we can default to using a fixed group ID, as we do for other users/groups we create
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAn...
Quote: Soft static allocation is only appropriate for packages where the UID or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm... certainly no files need to be owned by it
Ah, ok then. ACK
Thanks, I'll push after the release - Cole

On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access system libvirtd via tools like virt-manager without having to enter a root password. Just google 'virt-manager without password' and you'll find many hits. I've read at least 5 blog posts over the years describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user in the new 'libvirtadm' group. Create the group on RPM install
Debian calls the group 'libvirt', just in case we want to be consistent. libvirtadm doesn't sound like a perfect match either since starting/stopping machines often isn't considered "administration" by those users who look for solutions to the problem you describe above. But I won't nitpick here, we can trivially patch this downstream.
Cheers,
 -- Guido
participants (3): Cole Robinson, Daniel P. Berrange, Guido Günther