From 1b82fe40fe53572703854fcdbeda72cdf148e9c1 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Tue, 25 Jul 2017 21:05:35 +0100 Subject: Use normal socket file permissions instead of polkit The default (on RHEL/CentOS) is to use polkit but this is only useful for GUI support or for fine grained API access control. As we don't require either we can achieve identical control using plain old unix filesystem permissions. I've merged Sven's changes from https://review.openstack.org/484979 and https://review.openstack.org/487150. As we need to be careful with the libvirtd option quoting I think it's best to do this in puppet-tripleo instead of t-h-t yaml. The option to override the settings from t-h-t remains. Co-Authored-By: Sven Anderson Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6 Closes-bug: 1696504 Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2 Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a --- manifests/profile/base/nova/libvirt.pp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'manifests/profile/base/nova') diff --git a/manifests/profile/base/nova/libvirt.pp b/manifests/profile/base/nova/libvirt.pp index 83f0c38..6c865dc 100644 --- a/manifests/profile/base/nova/libvirt.pp +++ b/manifests/profile/base/nova/libvirt.pp @@ -23,8 +23,13 @@ # for more details. # Defaults to hiera('step') # +# [*libvirtd_config*] +# (Optional) Overrides for libvirtd config options +# Default to {} +# class tripleo::profile::base::nova::libvirt ( $step = Integer(hiera('step')), + $libvirtd_config = {}, ) { include ::tripleo::profile::base::nova::compute_libvirt_shared 
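Review bot: The `[*libvirtd_config*]` doc block says only "Default to {}", which hides two things a caller needs to know before overriding. The value is merged over built-in socket defaults defined further down in the class, and each entry has the shape `{value => '"..."'}`, with the double quotes embedded inside the Puppet string. Going by the commit message's remark about libvirtd option quoting, an override without the inner quotes would presumably write an unquoted string into libvirtd.conf. I would extend the comment along the lines of `#   Merged over the socket/auth defaults set in this class; string values must carry embedded double quotes, e.g. {'unix_sock_group' => {'value' => '"libvirt"'}}`, and change "Default to" to "Defaults to" to match the `step` entry.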
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt ( include ::tripleo::profile::base::nova::migration::client include ::nova::compute::libvirt::services + $libvirtd_config_default = { + unix_sock_group => {value => '"libvirt"'}, + auth_unix_ro => {value => '"none"'}, + auth_unix_rw => {value => '"none"'}, + unix_sock_ro_perms => {value => '"0777"'}, + unix_sock_rw_perms => {value => '"0770"'} + } + + class { '::nova::compute::libvirt::config': + libvirtd_config => merge($libvirtd_config_default, $libvirtd_config) + } + file { ['/etc/libvirt/qemu/networks/autostart/default.xml', '/etc/libvirt/qemu/networks/default.xml']: ensure => absent, -- cgit 1.2.3-korg
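Review bot: With `auth_unix_rw` set to `"none"` in `$libvirtd_config_default`, the socket group and mode are the only access control left on the read-write socket, so membership in the `libvirt` group amounts to full control of libvirtd on the host. That should be stated above the hash, e.g. `# auth is "none": socket group/mode are the only access control; libvirt group members get full libvirtd control`. Because `merge()` replaces individual keys, an override that loosens `unix_sock_rw_perms` while leaving `auth_unix_rw` at `"none"` would expose the read-write socket to every local user. Consider `validate_hash($libvirtd_config)` before the merge, plus either a `fail()` on that combination or an explicit warning in the parameter docs. The class body starts before this hunk and continues past it, so any existing validation elsewhere is not visible here.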