-rw-r--r--manifests/profile/base/docker.pp58
-rw-r--r--manifests/profile/base/nova/libvirt.pp17
-rw-r--r--spec/classes/tripleo_profile_base_docker_spec.rb79
-rw-r--r--spec/classes/tripleo_profile_base_nova_libvirt_spec.rb45
4 files changed, 62 insertions, 137 deletions
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index e042947..5f6d97c 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -43,18 +43,6 @@
# [*step*]
# step defaults to hiera('step')
#
-# [*configure_libvirt_polkit*]
-# Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-# Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-# When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-# Defaults to 42436
-#
-# [*services_enabled*]
-# List of TripleO services enabled on the role.
-# Defaults to hiera('services_names')
-#
# DEPRECATED PARAMETERS
#
# [*docker_namespace*]
@@ -73,20 +61,11 @@ class tripleo::profile::base::docker (
$configure_storage = true,
$storage_options = '-s overlay2',
$step = Integer(hiera('step')),
- $configure_libvirt_polkit = undef,
- $docker_nova_uid = 42436,
- $services_enabled = hiera('service_names', []),
# DEPRECATED PARAMETERS
$docker_namespace = undef,
$insecure_registry = false,
) {
- if $configure_libvirt_polkit == undef {
- $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
- } else {
- $configure_libvirt_polkit_real = $configure_libvirt_polkit
- }
-
if $step >= 1 {
package {'docker':
ensure => installed,
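Review bot: The class parameters `configure_libvirt_polkit`, `docker_nova_uid` and `services_enabled` are dropped outright from the public interface of `tripleo::profile::base::docker`, so any hiera data or profile still passing them will fail catalog compilation with an unknown-parameter error. The same hunk shows the project's convention for this case — a `# DEPRECATED PARAMETERS` section with `docker_namespace` and `insecure_registry` kept as accepted-but-unused `undef`/`false` defaults — so the removed three should at least go through that section for one cycle, e.g. `$configure_libvirt_polkit = undef,` with a corresponding `# [*configure_libvirt_polkit*] Deprecated, no effect` entry in the docs hunk above. The class body continues outside this hunk, so I cannot tell whether a warning is emitted elsewhere; if not, a `warning()` when any of the three is set would make the migration visible to operators.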
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
}
}
- if ($step >= 4 and $configure_libvirt_polkit_real) {
- # Workaround for polkit authorization for libvirtd socket on host
- #
- # This creates a local user with the kolla nova uid, and sets the polkit rule to
- # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
- group { 'docker_nova_group':
- name => 'docker_nova',
- gid => $docker_nova_uid
- }
- -> user { 'docker_nova_user':
- name => 'docker_nova',
- uid => $docker_nova_uid,
- gid => $docker_nova_uid,
- shell => '/sbin/nologin',
- comment => 'OpenStack Nova Daemons',
- groups => ['nobody']
- }
-
- # Similar to the polkit rule in the openstack-nova rpm spec
- # but allow both the 'docker_nova' and 'nova' user
- $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
- if (action.id == "org.libvirt.unix.manage" &&
- /^(docker_)?nova$/.test(subject.user)) {
- return polkit.Result.YES;
- }
-});
-'
- package {'polkit':
- ensure => installed,
- }
- -> file {'/etc/polkit-1/rules.d/50-nova.rules':
- content => $docker_nova_polkit_rule,
- mode => '0644'
- }
- }
}
diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp
index 83f0c38..6c865dc 100644
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@@ -23,8 +23,13 @@
# for more details.
# Defaults to hiera('step')
#
+# [*libvirtd_config*]
+# (Optional) Overrides for libvirtd config options
+# Default to {}
+#
class tripleo::profile::base::nova::libvirt (
$step = Integer(hiera('step')),
+ $libvirtd_config = {},
) {
include ::tripleo::profile::base::nova::compute_libvirt_shared
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt (
include ::tripleo::profile::base::nova::migration::client
include ::nova::compute::libvirt::services
+ $libvirtd_config_default = {
+ unix_sock_group => {value => '"libvirt"'},
+ auth_unix_ro => {value => '"none"'},
+ auth_unix_rw => {value => '"none"'},
+ unix_sock_ro_perms => {value => '"0777"'},
+ unix_sock_rw_perms => {value => '"0770"'}
+ }
+
+ class { '::nova::compute::libvirt::config':
+ libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+ }
+
file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
'/etc/libvirt/qemu/networks/default.xml']:
ensure => absent,
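Review bot: The `$libvirtd_config_default` hash silently moves libvirtd access control from the per-user polkit rule removed in docker.pp (which only matched `^(docker_)?nova$` for `org.libvirt.unix.manage`) to plain socket ownership: `auth_unix_rw => "none"` plus `unix_sock_rw_perms => "0770"` grants full management to every member of the `libvirt` group with no further check, and `auth_unix_ro => "none"` plus `unix_sock_ro_perms => "0777"` makes the read-only socket usable by any local account. Since `merge()` lets a caller override these keys per entry, the parameter doc in the hunk above ("Default to {}") should say that `$libvirtd_config` keys replace the defaults and that the auth/perm keys are security-relevant. I would add above the hash: `# Access to libvirtd is delegated to the unix sockets: RW is 0770/no auth (any 'libvirt' group member), RO is 0777/no auth (any local user).` and `# Keys in $libvirtd_config override these defaults entry by entry.` The `file {` resource that follows continues outside the hunk.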
diff --git a/spec/classes/tripleo_profile_base_docker_spec.rb b/spec/classes/tripleo_profile_base_docker_spec.rb
index dc5efa7..e0947dc 100644
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@@ -121,85 +121,6 @@ describe 'tripleo::profile::base::docker' do
}
end
- context 'with step 4 and configure_libvirt_polkit disabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => false
- } }
- it {
- is_expected.to_not contain_group('docker_nova_group')
- is_expected.to_not contain_user('docker_nova_user')
- is_expected.to_not contain_package('polkit')
- is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and nova_compute service installed' do
- let(:params) { {
- :step => 4,
- :services_enabled => ['docker', 'nova_compute']
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 42436
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 42436,
- :gid => 42436,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
-
- context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
- let(:params) { {
- :step => 4,
- :configure_libvirt_polkit => true,
- :docker_nova_uid => 12345
- } }
- it {
- is_expected.to contain_group('docker_nova_group').with(
- :name => 'docker_nova',
- :gid => 12345
- )
- is_expected.to contain_user('docker_nova_user').with(
- :name => 'docker_nova',
- :uid => 12345,
- :gid => 12345,
- :shell => '/sbin/nologin',
- :groups => ['nobody']
- )
- is_expected.to contain_package('polkit')
- is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
- }
- end
end
on_supported_os.each do |os, facts|
diff --git a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
index 0734a0f..65aa8c1 100644
--- a/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
+++ b/spec/classes/tripleo_profile_base_nova_libvirt_spec.rb
@@ -69,6 +69,51 @@ eos
is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"libvirt"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
+ }
+ end
+
+ context 'with step 4 and libvirtd_config' do
+ let(:pre_condition) do
+ <<-eos
+ class { '::tripleo::profile::base::nova':
+ step => #{params[:step]},
+ oslomsg_rpc_hosts => [ '127.0.0.1' ],
+ }
+ class { '::tripleo::profile::base::nova::migration':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::migration::client':
+ step => #{params[:step]}
+ }
+ class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+ step => #{params[:step]}
+ }
+eos
+ end
+
+ let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } }
+
+ it {
+ is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+ is_expected.to contain_class('tripleo::profile::base::nova')
+ is_expected.to contain_class('nova::compute::libvirt::services')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+ is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+ is_expected.to contain_exec('libvirt-default-net-destroy')
+ is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+ "unix_sock_group" => {"value" => '"foobar"'},
+ "auth_unix_ro" => {"value" => '"none"'},
+ "auth_unix_rw" => {"value" => '"none"'},
+ "unix_sock_ro_perms" => {"value" => '"0777"'},
+ "unix_sock_rw_perms" => {"value" => '"0770"'}
+ })
}
end
end
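Review bot: The new `'with step 4 and libvirtd_config'` context re-declares the full `pre_condition` heredoc and repeats the same five `contain_class`/`contain_file`/`contain_exec` expectations that the preceding context already carries; only the `with_libvirtd_config` hash actually differs. If the sibling context (outside this hunk) uses the identical heredoc, hoisting `let(:pre_condition)` to the enclosing `describe` (or a `shared_context`) and keeping just the override assertion here would make the override the visible point of the test. It would also be worth a case that overrides one of the auth keys, e.g. `:libvirtd_config => { "auth_unix_rw" => {"value" => '"polkit"'} }`, and asserts it reaches `nova::compute::libvirt::config`, since those keys are the ones an operator will change to tighten access.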