10:04 a.m.
Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirtadm' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300
---
v2:
- Name the group libvirtadm (danpb)
- Name the source file libvirt.rules and rename on install (eblake)
daemon/Makefile.am | 13 +++++++++++++
daemon/libvirt.rules | 9 +++++++++
libvirt.spec.in | 15 +++++++++++++--
3 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 daemon/libvirt.rules
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 300b9a5..974feed 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST = \
libvirtd.init.in \
libvirtd.upstart \
libvirtd.policy.in \
+ libvirt.rules \
libvirtd.sasl \
libvirtd.service.in \
libvirtd.socket.in \
@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
policyauth = auth_admin_keep
+rulesdir = $(datadir)/polkit-1/rules.d
+rulesfile = libvirt.rules
endif ! WITH_POLKIT0
endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT
install-data-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+if ! WITH_POLKIT0
+ $(MKDIR_P) $(DESTDIR)$(rulesdir)
+ $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
+endif ! WITH_POLKIT0
+
uninstall-data-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
+if ! WITH_POLKIT0
+ rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
+ rmdir $(DESTDIR)$(rulesdir) || :
+endif ! WITH_POLKIT0
+
else ! WITH_POLKIT
install-data-polkit::
uninstall-data-polkit::
diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
new file mode 100644
index 0000000..e70c09b
--- /dev/null
+++ b/daemon/libvirt.rules
@@ -0,0 +1,9 @@
+// Allow any user in the 'libvirtadm' group to connect to system libvirtd
+// without entering a password.
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("libvirtadm")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 20af502..10a28a2 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1645,9 +1645,9 @@ then
fi
%if %{with_libvirtd}
+%pre daemon
%if ! %{with_driver_modules}
%if %{with_qemu}
-%pre daemon
%if 0%{?fedora} || 0%{?rhel} >= 6
# We want soft static allocation of well-known ids, as disk images
# are commonly shared across NFS mounts by id rather than name; see
@@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
fi
fi
-exit 0
%endif
%endif
%endif
+ %if %{with_polkit}
+ %if 0%{?fedora} || 0%{?rhel} >= 6
+# 'libvirtadm' group is just to allow password-less polkit access to
+# libvirtd. The uid number is irrelevant, so we use dynamic allocation
+# described at the above link.
+getent group libvirtadm >/dev/null || groupadd -r libvirtadm
+ %endif
+ %endif
+
+exit 0
+
%post daemon
%if %{with_systemd}
@@ -1939,6 +1949,7 @@ exit 0
%if 0%{?fedora} || 0%{?rhel} >= 6
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
%{_datadir}/polkit-1/actions/org.libvirt.api.policy
+%{_datadir}/polkit-1/rules.d/50-libvirt.rules
%else
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
%endif
--
2.3.6
10:28 a.m.
On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirtadm' group. Create the group on RPM install
https://bugzilla.redhat.com/show_bug.cgi?id=957300
---
v2:
- Name the group libvirtadm (danpb)
- Name the source file libvirt.rules and rename on install (eblake)
daemon/Makefile.am | 13 +++++++++++++
daemon/libvirt.rules | 9 +++++++++
libvirt.spec.in | 15 +++++++++++++--
3 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 daemon/libvirt.rules
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 300b9a5..974feed 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST = \
libvirtd.init.in \
libvirtd.upstart \
libvirtd.policy.in \
+ libvirt.rules \
libvirtd.sasl \
libvirtd.service.in \
libvirtd.socket.in \
@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
else ! WITH_POLKIT0
policydir = $(datadir)/polkit-1/actions
policyauth = auth_admin_keep
+rulesdir = $(datadir)/polkit-1/rules.d
+rulesfile = libvirt.rules
endif ! WITH_POLKIT0
endif WITH_POLKIT
@@ -263,9 +266,19 @@ if WITH_POLKIT
install-data-polkit::
$(MKDIR_P) $(DESTDIR)$(policydir)
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+if ! WITH_POLKIT0
+ $(MKDIR_P) $(DESTDIR)$(rulesdir)
+ $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
+endif ! WITH_POLKIT0
+
uninstall-data-polkit::
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
rmdir $(DESTDIR)$(policydir) || :
+if ! WITH_POLKIT0
+ rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
+ rmdir $(DESTDIR)$(rulesdir) || :
+endif ! WITH_POLKIT0
+
else ! WITH_POLKIT
install-data-polkit::
uninstall-data-polkit::
diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
new file mode 100644
index 0000000..e70c09b
--- /dev/null
+++ b/daemon/libvirt.rules
@@ -0,0 +1,9 @@
+// Allow any user in the 'libvirtadm' group to connect to system libvirtd
+// without entering a password.
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ subject.isInGroup("libvirtadm")) {
+ return polkit.Result.YES;
+ }
+});
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 20af502..10a28a2 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1645,9 +1645,9 @@ then
fi
%if %{with_libvirtd}
+%pre daemon
%if ! %{with_driver_modules}
%if %{with_qemu}
-%pre daemon
%if 0%{?fedora} || 0%{?rhel} >= 6
# We want soft static allocation of well-known ids, as disk images
# are commonly shared across NFS mounts by id rather than name; see
@@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
fi
fi
-exit 0
%endif
%endif
%endif
+ %if %{with_polkit}
+ %if 0%{?fedora} || 0%{?rhel} >= 6
+# 'libvirtadm' group is just to allow password-less polkit access to
+# libvirtd. The uid number is irrelevant, so we use dynamic allocation
+# described at the above link.
+getent group libvirtadm >/dev/null || groupadd -r libvirtadm
Hmm, you know I think we should probably file a bug against the
'setup' RPM in Fedora to request allocation of a group ID value
for this, so we can default to using a fixed group ID, as we do
for other users/groups we create
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:35 a.m.
On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
>
> Let's finally add official support for this.
>
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirtadm' group. Create the group on RPM install
>
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
> v2:
> - Name the group libvirtadm (danpb)
> - Name the source file libvirt.rules and rename on install (eblake)
>
> daemon/Makefile.am | 13 +++++++++++++
> daemon/libvirt.rules | 9 +++++++++
> libvirt.spec.in | 15 +++++++++++++--
> 3 files changed, 35 insertions(+), 2 deletions(-)
> create mode 100644 daemon/libvirt.rules
>
> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..974feed 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST = \
> libvirtd.init.in \
> libvirtd.upstart \
> libvirtd.policy.in \
> + libvirt.rules \
> libvirtd.sasl \
> libvirtd.service.in \
> libvirtd.socket.in \
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
> else ! WITH_POLKIT0
> policydir = $(datadir)/polkit-1/actions
> policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = libvirt.rules
> endif ! WITH_POLKIT0
> endif WITH_POLKIT
>
> @@ -263,9 +266,19 @@ if WITH_POLKIT
> install-data-polkit::
> $(MKDIR_P) $(DESTDIR)$(policydir)
> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
> +endif ! WITH_POLKIT0
> +
> uninstall-data-polkit::
> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
> + rmdir $(DESTDIR)$(rulesdir) || :
> +endif ! WITH_POLKIT0
> +
> else ! WITH_POLKIT
> install-data-polkit::
> uninstall-data-polkit::
> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
> new file mode 100644
> index 0000000..e70c09b
> --- /dev/null
> +++ b/daemon/libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirtadm' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> + if (action.id == "org.libvirt.unix.manage" &&
> + subject.isInGroup("libvirtadm")) {
> + return polkit.Result.YES;
> + }
> +});
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..10a28a2 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
> fi
>
> %if %{with_libvirtd}
> +%pre daemon
> %if ! %{with_driver_modules}
> %if %{with_qemu}
> -%pre daemon
> %if 0%{?fedora} || 0%{?rhel} >= 6
> # We want soft static allocation of well-known ids, as disk images
> # are commonly shared across NFS mounts by id rather than name; see
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
> fi
> fi
> -exit 0
> %endif
> %endif
> %endif
>
> + %if %{with_polkit}
> + %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirtadm' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
Hmm, you know I think we should probably file a bug against the
'setup' RPM in Fedora to request allocation of a group ID value
for this, so we can default to using a fixed group ID, as we do
for other users/groups we create
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/User...
Quote: Soft static allocation is only appropriate for packages where the UID
or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm...
cetainly no files need to be owned by it
- Cole
10:36 a.m.
On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
> On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
>> Many users, who admin their own machines, want to be able to access
>> system libvirtd via tools like virt-manager without having to enter
>> a root password. Just google 'virt-manager without password' and
>> you'll find many hits. I've read at least 5 blog posts over the years
>> describing slightly different ways of achieving this goal.
>>
>> Let's finally add official support for this.
>>
>> Install a polkit-1 rules file granting password-less auth for any user
>> in the new 'libvirtadm' group. Create the group on RPM install
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>> ---
>> v2:
>> - Name the group libvirtadm (danpb)
>> - Name the source file libvirt.rules and rename on install (eblake)
>>
>> daemon/Makefile.am | 13 +++++++++++++
>> daemon/libvirt.rules | 9 +++++++++
>> libvirt.spec.in | 15 +++++++++++++--
>> 3 files changed, 35 insertions(+), 2 deletions(-)
>> create mode 100644 daemon/libvirt.rules
>>
>> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
>> index 300b9a5..974feed 100644
>> --- a/daemon/Makefile.am
>> +++ b/daemon/Makefile.am
>> @@ -53,6 +53,7 @@ EXTRA_DIST = \
>> libvirtd.init.in \
>> libvirtd.upstart \
>> libvirtd.policy.in \
>> + libvirt.rules \
>> libvirtd.sasl \
>> libvirtd.service.in \
>> libvirtd.socket.in \
>> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
>> else ! WITH_POLKIT0
>> policydir = $(datadir)/polkit-1/actions
>> policyauth = auth_admin_keep
>> +rulesdir = $(datadir)/polkit-1/rules.d
>> +rulesfile = libvirt.rules
>> endif ! WITH_POLKIT0
>> endif WITH_POLKIT
>>
>> @@ -263,9 +266,19 @@ if WITH_POLKIT
>> install-data-polkit::
>> $(MKDIR_P) $(DESTDIR)$(policydir)
>> $(INSTALL_DATA) libvirtd.policy
$(DESTDIR)$(policydir)/org.libvirt.unix.policy
>> +if ! WITH_POLKIT0
>> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
>> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
>> +endif ! WITH_POLKIT0
>> +
>> uninstall-data-polkit::
>> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>> rmdir $(DESTDIR)$(policydir) || :
>> +if ! WITH_POLKIT0
>> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
>> + rmdir $(DESTDIR)$(rulesdir) || :
>> +endif ! WITH_POLKIT0
>> +
>> else ! WITH_POLKIT
>> install-data-polkit::
>> uninstall-data-polkit::
>> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
>> new file mode 100644
>> index 0000000..e70c09b
>> --- /dev/null
>> +++ b/daemon/libvirt.rules
>> @@ -0,0 +1,9 @@
>> +// Allow any user in the 'libvirtadm' group to connect to system
libvirtd
>> +// without entering a password.
>> +
>> +polkit.addRule(function(action, subject) {
>> + if (action.id == "org.libvirt.unix.manage" &&
>> + subject.isInGroup("libvirtadm")) {
>> + return polkit.Result.YES;
>> + }
>> +});
>> diff --git a/libvirt.spec.in b/libvirt.spec.in
>> index 20af502..10a28a2 100644
>> --- a/libvirt.spec.in
>> +++ b/libvirt.spec.in
>> @@ -1645,9 +1645,9 @@ then
>> fi
>>
>> %if %{with_libvirtd}
>> +%pre daemon
>> %if ! %{with_driver_modules}
>> %if %{with_qemu}
>> -%pre daemon
>> %if 0%{?fedora} || 0%{?rhel} >= 6
>> # We want soft static allocation of well-known ids, as disk images
>> # are commonly shared across NFS mounts by id rather than name; see
>> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
>> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user"
qemu
>> fi
>> fi
>> -exit 0
>> %endif
>> %endif
>> %endif
>>
>> + %if %{with_polkit}
>> + %if 0%{?fedora} || 0%{?rhel} >= 6
>> +# 'libvirtadm' group is just to allow password-less polkit access to
>> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
>> +# described at the above link.
>> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
>
> Hmm, you know I think we should probably file a bug against the
> 'setup' RPM in Fedora to request allocation of a group ID value
> for this, so we can default to using a fixed group ID, as we do
> for other users/groups we create
>
The recommendations don't seem to suggest that:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/User...
Quote: Soft static allocation is only appropriate for packages where the UID
or GID values are shared between computers
I can't think of a good case when we would need that for libvirtadm...
cetainly no files need to be owned by it
Ah, ok then. ACK
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:37 a.m.
On 04/29/2015 11:36 AM, Daniel P. Berrange wrote:
On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
> On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
>> On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
>>> Many users, who admin their own machines, want to be able to access
>>> system libvirtd via tools like virt-manager without having to enter
>>> a root password. Just google 'virt-manager without password' and
>>> you'll find many hits. I've read at least 5 blog posts over the
years
>>> describing slightly different ways of achieving this goal.
>>>
>>> Let's finally add official support for this.
>>>
>>> Install a polkit-1 rules file granting password-less auth for any user
>>> in the new 'libvirtadm' group. Create the group on RPM install
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>>> ---
>>> v2:
>>> - Name the group libvirtadm (danpb)
>>> - Name the source file libvirt.rules and rename on install (eblake)
>>>
>>> daemon/Makefile.am | 13 +++++++++++++
>>> daemon/libvirt.rules | 9 +++++++++
>>> libvirt.spec.in | 15 +++++++++++++--
>>> 3 files changed, 35 insertions(+), 2 deletions(-)
>>> create mode 100644 daemon/libvirt.rules
>>>
>>> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
>>> index 300b9a5..974feed 100644
>>> --- a/daemon/Makefile.am
>>> +++ b/daemon/Makefile.am
>>> @@ -53,6 +53,7 @@ EXTRA_DIST = \
>>> libvirtd.init.in \
>>> libvirtd.upstart \
>>> libvirtd.policy.in \
>>> + libvirt.rules \
>>> libvirtd.sasl \
>>> libvirtd.service.in \
>>> libvirtd.socket.in \
>>> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
>>> else ! WITH_POLKIT0
>>> policydir = $(datadir)/polkit-1/actions
>>> policyauth = auth_admin_keep
>>> +rulesdir = $(datadir)/polkit-1/rules.d
>>> +rulesfile = libvirt.rules
>>> endif ! WITH_POLKIT0
>>> endif WITH_POLKIT
>>>
>>> @@ -263,9 +266,19 @@ if WITH_POLKIT
>>> install-data-polkit::
>>> $(MKDIR_P) $(DESTDIR)$(policydir)
>>> $(INSTALL_DATA) libvirtd.policy
$(DESTDIR)$(policydir)/org.libvirt.unix.policy
>>> +if ! WITH_POLKIT0
>>> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
>>> + $(INSTALL_DATA) $(srcdir)/$(rulesfile)
$(DESTDIR)$(rulesdir)/50-libvirt.rules
>>> +endif ! WITH_POLKIT0
>>> +
>>> uninstall-data-polkit::
>>> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>>> rmdir $(DESTDIR)$(policydir) || :
>>> +if ! WITH_POLKIT0
>>> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
>>> + rmdir $(DESTDIR)$(rulesdir) || :
>>> +endif ! WITH_POLKIT0
>>> +
>>> else ! WITH_POLKIT
>>> install-data-polkit::
>>> uninstall-data-polkit::
>>> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
>>> new file mode 100644
>>> index 0000000..e70c09b
>>> --- /dev/null
>>> +++ b/daemon/libvirt.rules
>>> @@ -0,0 +1,9 @@
>>> +// Allow any user in the 'libvirtadm' group to connect to system
libvirtd
>>> +// without entering a password.
>>> +
>>> +polkit.addRule(function(action, subject) {
>>> + if (action.id == "org.libvirt.unix.manage" &&
>>> + subject.isInGroup("libvirtadm")) {
>>> + return polkit.Result.YES;
>>> + }
>>> +});
>>> diff --git a/libvirt.spec.in b/libvirt.spec.in
>>> index 20af502..10a28a2 100644
>>> --- a/libvirt.spec.in
>>> +++ b/libvirt.spec.in
>>> @@ -1645,9 +1645,9 @@ then
>>> fi
>>>
>>> %if %{with_libvirtd}
>>> +%pre daemon
>>> %if ! %{with_driver_modules}
>>> %if %{with_qemu}
>>> -%pre daemon
>>> %if 0%{?fedora} || 0%{?rhel} >= 6
>>> # We want soft static allocation of well-known ids, as disk images
>>> # are commonly shared across NFS mounts by id rather than name; see
>>> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
>>> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user"
qemu
>>> fi
>>> fi
>>> -exit 0
>>> %endif
>>> %endif
>>> %endif
>>>
>>> + %if %{with_polkit}
>>> + %if 0%{?fedora} || 0%{?rhel} >= 6
>>> +# 'libvirtadm' group is just to allow password-less polkit access
to
>>> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
>>> +# described at the above link.
>>> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
>>
>> Hmm, you know I think we should probably file a bug against the
>> 'setup' RPM in Fedora to request allocation of a group ID value
>> for this, so we can default to using a fixed group ID, as we do
>> for other users/groups we create
>>
>
> The recommendations don't seem to suggest that:
>
>
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/User...
>
> Quote: Soft static allocation is only appropriate for packages where the UID
> or GID values are shared between computers
>
> I can't think of a good case when we would need that for libvirtadm...
> cetainly no files need to be owned by it
Ah, ok then. ACK
Thanks, I'll push after the release
- Cole
2:45 p.m.
On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.
Let's finally add official support for this.
Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirtadm' group. Create the group on RPM install
Debian calls the group 'libvirt', just in case we want to be
consistent. libvirtadm doesn't sound like a perfect match either since
starting/stopping machines often isn't considered "administration" by
those users who look for solutions to the problem you describe above.
But I won't nitpick here, we can trivially patch this downstream.
Cheers,
-- Guido
3495
days inactive
3495
days old
5 comments
3 participants
participants (3)
-
Cole Robinson -
Daniel P. Berrange -
Guido Günther