summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJenkins <jenkins@review.openstack.org>2017-06-08 09:49:49 +0000
committerGerrit Code Review <review@openstack.org>2017-06-08 09:49:49 +0000
commit5b8fd71be2cb5888de43b7ce61ce3ed5538db898 (patch)
treeffa0fa92df4ff3621d09adf4f8ff2ef04d05891a
parent782ffcba1e5657370df8e88b71cfa7dfa48c445a (diff)
parent016cef3ea729e1e3aed948ff3d07d650a5d92884 (diff)
Merge "Add polkit rule to allow kolla nova user access to libvirtd socket on docker host"
-rw-r--r--manifests/profile/base/docker.pp59
-rw-r--r--spec/classes/tripleo_profile_base_docker_spec.rb79
2 files changed, 138 insertions, 0 deletions
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 29f8b75..67fbd71 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -47,6 +47,18 @@
# [*step*]
# step defaults to hiera('step')
#
+# [*configure_libvirt_polkit*]
+# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
+# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
+#
+# [*docker_nova_uid*]
+# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
+# Defaults to 42436
+#
+# [*services_enabled*]
+# List of TripleO services enabled on the role.
+# Defaults to hiera('services_names')
+#
class tripleo::profile::base::docker (
$docker_namespace = undef,
$insecure_registry = false,
@@ -55,7 +67,17 @@ class tripleo::profile::base::docker (
$configure_storage = true,
$storage_options = '-s overlay2',
$step = hiera('step'),
+ $configure_libvirt_polkit = undef,
+ $docker_nova_uid = 42436,
+ $services_enabled = hiera('service_names', [])
) {
+
+ if $configure_libvirt_polkit == undef {
+ $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
+ } else {
+ $configure_libvirt_polkit_real = $configure_libvirt_polkit
+ }
+
if $step >= 1 {
package {'docker':
ensure => installed,
@@ -130,4 +152,41 @@ class tripleo::profile::base::docker (
}
}
+ if ($step >= 4 and $configure_libvirt_polkit_real) {
+ # Workaround for polkit authorization for libvirtd socket on host
+ #
+ # This creates a local user with the kolla nova uid, and sets the polkit rule to
+ # allow both it and the nova user from the nova rpms, should it exist (uid 162).
+
+ group { 'docker_nova_group':
+ name => 'docker_nova',
+ gid => $docker_nova_uid
+ } ->
+ user { 'docker_nova_user':
+ name => 'docker_nova',
+ uid => $docker_nova_uid,
+ gid => $docker_nova_uid,
+ shell => '/sbin/nologin',
+ comment => 'OpenStack Nova Daemons',
+ groups => ['nobody']
+ }
+
+ # Similar to the polkit rule in the openstack-nova rpm spec
+ # but allow both the 'docker_nova' and 'nova' user
+ $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.manage" &&
+ /^(docker_)?nova$/.test(subject.user)) {
+ return polkit.Result.YES;
+ }
+});
+'
+ package {'polkit':
+ ensure => installed,
+ } ->
+ file {'/etc/polkit-1/rules.d/50-nova.rules':
+ content => $docker_nova_polkit_rule,
+ mode => '0644'
+ }
+ }
}
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index 0b988f6..bb21055 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -124,6 +124,85 @@ describe 'tripleo::profile::base::docker' do
}
end
+ context 'with step 4 and configure_libvirt_polkit disabled' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => false
+ } }
+ it {
+ is_expected.to_not contain_group('docker_nova_group')
+ is_expected.to_not contain_user('docker_nova_user')
+ is_expected.to_not contain_package('polkit')
+ is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and configure_libvirt_polkit enabled' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => true
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 42436
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 42436,
+ :gid => 42436,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and nova_compute service installed' do
+ let(:params) { {
+ :step => 4,
+ :services_enabled => ['docker', 'nova_compute']
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 42436
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 42436,
+ :gid => 42436,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
+
+ context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
+ let(:params) { {
+ :step => 4,
+ :configure_libvirt_polkit => true,
+ :docker_nova_uid => 12345
+ } }
+ it {
+ is_expected.to contain_group('docker_nova_group').with(
+ :name => 'docker_nova',
+ :gid => 12345
+ )
+ is_expected.to contain_user('docker_nova_user').with(
+ :name => 'docker_nova',
+ :uid => 12345,
+ :gid => 12345,
+ :shell => '/sbin/nologin',
+ :groups => ['nobody']
+ )
+ is_expected.to contain_package('polkit')
+ is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
+ }
+ end
end
on_supported_os.each do |os, facts|