3 files changed, 18 insertions, 58 deletions
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 7a6559e..231a1d0 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -98,6 +98,7 @@ class tripleo::profile::base::certmonger_user (
     ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs)
   }
   unless empty($haproxy_certificates_specs) {
+    include ::tripleo::certmonger::haproxy_dirs
     ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
     # The haproxy fronends (or listen resources) depend on the certificate
     # existing and need to be refreshed if it changed.
diff --git a/manifests/profile/base/docker.pp b/manifests/profile/base/docker.pp
index 95d7098..d230366 100644
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@@ -43,18 +43,6 @@
 # [*step*]
 #   step defaults to hiera('step')
 #
-# [*configure_libvirt_polkit*]
-#   Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-#   Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-#   When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-#   Defaults to 42436
-#
-# [*services_enabled*]
-#   List of TripleO services enabled on the role.
-#   Defaults to hiera('services_names')
-#
 # DEPRECATED PARAMETERS
 #
 # [*docker_namespace*]
@@ -73,20 +61,11 @@ class tripleo::profile::base::docker (
   $configure_storage = true,
   $storage_options = '-s overlay2',
   $step = Integer(hiera('step')),
-  $configure_libvirt_polkit = undef,
-  $docker_nova_uid = 42436,
-  $services_enabled = hiera('service_names', []),
   # DEPRECATED PARAMETERS
   $docker_namespace = undef,
   $insecure_registry = false,
 ) {
 
-  if $configure_libvirt_polkit == undef {
-    $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
-  } else {
-    $configure_libvirt_polkit_real = $configure_libvirt_polkit
-  }
-
   if $step >= 1 {
     package {'docker':
       ensure => installed,
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
     }
 
   }
-  if ($step >= 4 and $configure_libvirt_polkit_real) {
-    # Workaround for polkit authorization for libvirtd socket on host
-    #
-    # This creates a local user with the kolla nova uid, and sets the polkit rule to
-    # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
-    group { 'docker_nova_group':
-      name => 'docker_nova',
-      gid  => $docker_nova_uid
-    }
-    -> user { 'docker_nova_user':
-      name    => 'docker_nova',
-      uid     => $docker_nova_uid,
-      gid     => $docker_nova_uid,
-      shell   => '/sbin/nologin',
-      comment => 'OpenStack Nova Daemons',
-      groups  => ['nobody']
-    }
-
-    # Similar to the polkit rule in the openstack-nova rpm spec
-    # but allow both the 'docker_nova' and 'nova' user
-    $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.libvirt.unix.manage" &&
-        /^(docker_)?nova$/.test(subject.user)) {
-        return polkit.Result.YES;
-    }
-});
-'
-    package {'polkit':
-      ensure => installed,
-    }
-    -> file {'/etc/polkit-1/rules.d/50-nova.rules':
-      content => $docker_nova_polkit_rule,
-      mode    => '0644'
-    }
-  }
 }
diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp
index 83f0c38..6c865dc 100644
--- a/manifests/profile/base/nova/libvirt.pp
+++ b/manifests/profile/base/nova/libvirt.pp
@@ -23,8 +23,13 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*libvirtd_config*]
+#   (Optional) Overrides for libvirtd config options
+#   Default to {}
+#
 class tripleo::profile::base::nova::libvirt (
   $step = Integer(hiera('step')),
+  $libvirtd_config = {},
 ) {
   include ::tripleo::profile::base::nova::compute_libvirt_shared
 
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt (
     include ::tripleo::profile::base::nova::migration::client
     include ::nova::compute::libvirt::services
 
+    $libvirtd_config_default = {
+      unix_sock_group    => {value => '"libvirt"'},
+      auth_unix_ro       => {value => '"none"'},
+      auth_unix_rw       => {value => '"none"'},
+      unix_sock_ro_perms => {value => '"0777"'},
+      unix_sock_rw_perms => {value => '"0770"'}
+    }
+
+    class { '::nova::compute::libvirt::config':
+      libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+    }
+
     file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
       '/etc/libvirt/qemu/networks/default.xml']:
       ensure => absent,