aboutsummaryrefslogtreecommitdiffstats
path: root/spec
diff options
context:
space:
mode:
authorOliver Walsh <owalsh@redhat.com>2017-07-25 21:05:35 +0100
committerEmilien Macchi <emilien@redhat.com>2017-08-02 18:08:38 +0000
commit1b82fe40fe53572703854fcdbeda72cdf148e9c1 (patch)
tree31f48df7fe85839725406de81b4e1d2bd11a846b /spec
parent85f5cc23d41e0e0939425ffce3083d42d6d4187d (diff)
Use normal socket file permissions instead of polkit
The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson <sven@redhat.com> Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a
Diffstat (limited to 'spec')
-rw-r--r--spec/classes/tripleo_profile_base_docker_spec.rb79
-rw-r--r--spec/classes/tripleo_profile_base_nova_libvirt_spec.rb45
2 files changed, 45 insertions, 79 deletions
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index dc5efa7..e0947dc 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -121,85 +121,6 @@ describe 'tripleo::profile::base::docker' do
}
end
- context 'with step 4 and configure_libvirt_polkit disabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => false
- } }
- it {
- is_expected.to_not contain_group('docker_nova_group')
- is_expected.to_not contain_user('docker_nova_user')
- is_expected.to_not contain_package('polkit')
- is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and nova_compute service installed' do
- let(:params) { {
- :step => 4,
- :services_enabled => ['docker', 'nova_compute']
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true,
- :docker_nova_uid => 12345
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 12345
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 12345,
- :gid => 12345,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
end
on_supported_os.each do |os, facts|
diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
index 0734a0f..65aa8c1 100644
--- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
@@ -69,6 +69,51 @@ eos
is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"libvirt"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
+ }
+ end
+
+ context 'with step 4 and libvirtd_config' do
+ let(:pre_condition) do
+ <<-eos
+ class { '::tripleo::profile::base::nova':
+ step => #{params[:step]},
+ oslomsg_rpc_hosts => [ '127.0.0.1' ],
+ }
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+ step => #{params[:step]}
+ }
+eos
+ end
+
+ let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+ is_expected.to contain_class('tripleo::profile::base::nova')
+ is_expected.to contain_class('nova::compute::libvirt::services')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+ is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"foobar"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
}
end
end