author | Oliver Walsh <owalsh@redhat.com> | 2017-07-25 21:05:35 +0100 |
---|---|---|
committer | Emilien Macchi <emilien@redhat.com> | 2017-08-02 18:08:38 +0000 |
commit | 1b82fe40fe53572703854fcdbeda72cdf148e9c1 (patch) | |
tree | 31f48df7fe85839725406de81b4e1d2bd11a846b /spec | |
parent | 85f5cc23d41e0e0939425ffce3083d42d6d4187d (diff) |
Use normal socket file permissions instead of polkit
The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control. As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.
I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.
As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.
The option to override the settings from t-h-t remains.
Co-Authored-By: Sven Anderson <sven@redhat.com>
Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Closes-bug: 1696504
Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
Diffstat (limited to 'spec')
-rw-r--r-- | spec/classes/tripleo_profile_base_docker_spec.rb | 79 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_nova_libvirt_spec.rb | 45 |
2 files changed, 45 insertions, 79 deletions
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index dc5efa7..e0947dc 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb 
@@ -121,85 +121,6 @@ describe 'tripleo::profile::base::docker' do } end - context 'with step 4 and configure_libvirt_polkit disabled' do - let(:params) { { - :step => 4, - :configure_libvirt_polkit => false - } } - it { - is_expected.to_not contain_group('docker_nova_group') - is_expected.to_not contain_user('docker_nova_user') - is_expected.to_not contain_package('polkit') - is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules') - } - end - - context 'with step 4 and configure_libvirt_polkit enabled' do - let(:params) { { - :step => 4, - :configure_libvirt_polkit => true - } } - it { - is_expected.to contain_group('docker_nova_group').with( - :name => 'docker_nova', - :gid => 42436 - ) - is_expected.to contain_user('docker_nova_user').with( - :name => 'docker_nova', - :uid => 42436, - :gid => 42436, - :shell => '/sbin/nologin', - :groups => ['nobody'] - ) - is_expected.to contain_package('polkit') - is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules') - } - end - - context 'with step 4 and nova_compute service installed' do - let(:params) { { - :step => 4, - :services_enabled => ['docker', 'nova_compute'] - } } - it { - is_expected.to contain_group('docker_nova_group').with( - :name => 'docker_nova', - :gid => 42436 - ) - is_expected.to contain_user('docker_nova_user').with( - :name => 'docker_nova', - :uid => 42436, - :gid => 42436, - :shell => '/sbin/nologin', - :groups => ['nobody'] - ) - is_expected.to contain_package('polkit') - is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules') - } - end - - context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do - let(:params) { { - :step => 4, - :configure_libvirt_polkit => true, - :docker_nova_uid => 12345 - } } - it { - is_expected.to contain_group('docker_nova_group').with( - :name => 'docker_nova', - :gid => 12345 - ) - is_expected.to contain_user('docker_nova_user').with( - :name => 'docker_nova', - :uid => 12345, - :gid => 12345, - :shell => 
'/sbin/nologin', - :groups => ['nobody'] - ) - is_expected.to contain_package('polkit') - is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules') - } - end end on_supported_os.each do |os, facts|
diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
index 0734a0f..65aa8c1 100644
--- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb 
@@ -69,6 +69,51 @@ eos is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent') is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent') is_expected.to contain_exec('libvirt-default-net-destroy') + is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({ + "unix_sock_group" => {"value" => '"libvirt"'}, + "auth_unix_ro" => {"value" => '"none"'}, + "auth_unix_rw" => {"value" => '"none"'}, + "unix_sock_ro_perms" => {"value" => '"0777"'}, + "unix_sock_rw_perms" => {"value" => '"0770"'} + }) + } + end + + context 'with step 4 and libvirtd_config' do + let(:pre_condition) do + <<-eos + class { '::tripleo::profile::base::nova': + step => #{params[:step]}, + oslomsg_rpc_hosts => [ '127.0.0.1' ], + } + class { '::tripleo::profile::base::nova::migration': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::migration::client': + step => #{params[:step]} + } + class { '::tripleo::profile::base::nova::compute_libvirt_shared': + step => #{params[:step]} + } +eos + end + + let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::libvirt') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('nova::compute::libvirt::services') + is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent') + is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent') + is_expected.to contain_exec('libvirt-default-net-destroy') + is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({ + "unix_sock_group" => {"value" => '"foobar"'}, + "auth_unix_ro" => {"value" => '"none"'}, + "auth_unix_rw" => {"value" => '"none"'}, + "unix_sock_ro_perms" => {"value" => '"0777"'}, + "unix_sock_rw_perms" => {"value" => '"0770"'} + }) 
} end end |
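Review bot: Both new contexts assert `unix_sock_ro_perms => "0777"` together with `auth_unix_ro => "none"`, which pins the read-only libvirt socket as reachable by every local user with no authentication, while only the read-write socket is limited to `unix_sock_group` via `0770`. That matches libvirt's own defaults for the RO socket, but since this commit makes file permissions the sole access control in place of polkit, the spec should state that the exposure is deliberate so a later hardening of the RO socket is not mistaken for a test regression, e.g. above the first `with_libvirtd_config` expectation: `# RO socket stays world-accessible (libvirt default); only the RW socket is restricted to unix_sock_group`. The second context shows the override merging only `unix_sock_group`, yet nothing checks what happens when a caller passes a value without the embedded double quotes, which the commit message singles out as the fragile part; a context with `"unix_sock_group" => {"value" => 'foobar'}` asserting the rendered value would close that gap, if the profile is meant to normalise quoting rather than pass it through. The expected hash is also duplicated verbatim between the two contexts and could live in a `let(:default_libvirtd_config)` merged with the override. The enclosing `describe` and the first context begin outside the hunk.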