On 04/29/2015 11:36 AM, Daniel P. Berrange wrote:
> On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
>> On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
>>> On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
>>>> Many users, who admin their own machines, want to be able to access
>>>> system libvirtd via tools like virt-manager without having to enter
>>>> a root password. Just google 'virt-manager without password' and
>>>> you'll find many hits. I've read at least 5 blog posts over the years
>>>> describing slightly different ways of achieving this goal.
>>>>
>>>> Let's finally add official support for this.
>>>>
>>>> Install a polkit-1 rules file granting password-less auth for any user
>>>> in the new 'libvirtadm' group. Create the group on RPM install.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>>>> ---
>>>> v2:
>>>> - Name the group libvirtadm (danpb)
>>>> - Name the source file libvirt.rules and rename on install (eblake)
>>>>
>>>> daemon/Makefile.am | 13 +++++++++++++
>>>> daemon/libvirt.rules | 9 +++++++++
>>>> libvirt.spec.in | 15 +++++++++++++--
>>>> 3 files changed, 35 insertions(+), 2 deletions(-)
>>>> create mode 100644 daemon/libvirt.rules
>>>>
>>>> diff --git a/daemon/Makefile.am b/daemon/Makefile.am >>>> index 300b9a5..974feed 100644 >>>> --- a/daemon/Makefile.am >>>> +++ b/daemon/Makefile.am >>>> @@ -53,6 +53,7 @@ EXTRA_DIST = \ >>>> libvirtd.init.in \ >>>> libvirtd.upstart \ >>>> libvirtd.policy.in \ >>>> + libvirt.rules \ >>>> libvirtd.sasl \ >>>> libvirtd.service.in \ >>>> libvirtd.socket.in \ >>>> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session >>>> else ! WITH_POLKIT0 >>>> policydir = $(datadir)/polkit-1/actions >>>> policyauth = auth_admin_keep >>>> +rulesdir = $(datadir)/polkit-1/rules.d >>>> +rulesfile = libvirt.rules >>>> endif ! WITH_POLKIT0 >>>> endif WITH_POLKIT
>>>> >>>> @@ -263,9 +266,19 @@ if WITH_POLKIT >>>> install-data-polkit:: >>>> $(MKDIR_P) $(DESTDIR)$(policydir) >>>> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy >>>> +if ! WITH_POLKIT0 >>>> + $(MKDIR_P) $(DESTDIR)$(rulesdir) >>>> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules >>>> +endif ! WITH_POLKIT0 >>>> + >>>> uninstall-data-polkit:: >>>> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy >>>> rmdir $(DESTDIR)$(policydir) || : >>>> +if ! WITH_POLKIT0 >>>> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules >>>> + rmdir $(DESTDIR)$(rulesdir) || : >>>> +endif ! WITH_POLKIT0 >>>> + >>>> else ! WITH_POLKIT >>>> install-data-polkit:: >>>> uninstall-data-polkit:: >>>> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules >>>> new file mode 100644 >>>> index 0000000..e70c09b >>>> --- /dev/null >>>> +++ b/daemon/libvirt.rules >>>> @@ -0,0 +1,9 @@ >>>> +// Allow any user in the 'libvirtadm' group to connect to system libvirtd >>>> +// without entering a password. >>>> + >>>> +polkit.addRule(function(action, subject) { >>>> + if (action.id == "org.libvirt.unix.manage" && >>>> + subject.isInGroup("libvirtadm")) { >>>> + return polkit.Result.YES; >>>> + } >>>> +}); >>>> diff --git a/libvirt.spec.in b/libvirt.spec.in >>>> index 20af502..10a28a2 100644 >>>> --- a/libvirt.spec.in >>>> +++ b/libvirt.spec.in >>>> @@ -1645,9 +1645,9 @@ then >>>> fi >>>> >>>> %if %{with_libvirtd} >>>> +%pre daemon >>>> %if ! %{with_driver_modules} >>>> %if %{with_qemu} >>>> -%pre daemon >>>> %if 0%{?fedora} || 0%{?rhel} >= 6 >>>> # We want soft static allocation of well-known ids, as disk images >>>> # are commonly shared across NFS mounts by id rather than name; see 
>>>> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then >>>> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu >>>> fi >>>> fi >>>> -exit 0 >>>> %endif >>>> %endif >>>> %endif >>>> >>>> + %if %{with_polkit} >>>> + %if 0%{?fedora} || 0%{?rhel} >= 6 >>>> +# 'libvirtadm' group is just to allow password-less polkit access to >>>> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation >>>> +# described at the above link. >>>> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
>>>
>>> Hmm, you know I think we should probably file a bug against the
>>> 'setup' RPM in Fedora to request allocation of a group ID value
>>> for this, so we can default to using a fixed group ID, as we do
>>> for other users/groups we create
>>>
>>
>> The recommendations don't seem to suggest that:
>>
>> https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Allocation_Strategies
>>
>> Quote: Soft static allocation is only appropriate for packages where the UID
>> or GID values are shared between computers
>>
>> I can't think of a good case when we would need that for libvirtadm...
>> certainly no files need to be owned by it
>
> Ah, ok then. ACK
>

Thanks, I'll push after the release

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
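Review bot: the install name chosen in the install-data-polkit hunk of daemon/Makefile.am, `$(DESTDIR)$(rulesdir)/50-libvirt.rules`, has a consequence that neither the commit message nor the comment in libvirt.rules mentions, and it should be documented: polkit merges /etc/polkit-1/rules.d with /usr/share/polkit-1/rules.d, reads the files in lexical name order and stops at the first rule function that returns a result, so an administrator who wants to narrow this grant (deny it to remote sessions, for example) has to name the override so that it sorts before 50-libvirt.rules; a 60-local.rules is never consulted for a libvirtadm member. The matching `rmdir $(DESTDIR)$(rulesdir) || :` in uninstall-data-polkit is right, since the directory is shared with other packages.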
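Review bot: the two-line comment at the top of daemon/libvirt.rules understates what the rule hands out. Returning `polkit.Result.YES` for `org.libvirt.unix.manage` is full read-write control of the system libvirtd, which on a normal host is equivalent to root (a guest definition can attach any host block device); the comment, and the spec %description for the group, should say that membership in libvirtadm is to be treated like wheel. The rule also, by design, tests neither `subject.local` nor `subject.active`, so a member logged in over ssh gets the same password-less access as one at the console; if that is intended, say so in the comment, otherwise add the check.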
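Review bot: in the second libvirt.spec.in hunk the `-exit 0` removed from the qemu-user block means the %pre daemon scriptlet no longer ends with an explicit success status, and the part of the hunk visible here stops at `+getent group libvirtadm >/dev/null || groupadd -r libvirtadm`, so make sure the rest of the hunk closes the two new %if blocks and puts `exit 0` back after them as the removed code had it; otherwise a groupadd failure makes the scriptlet fail and rpm aborts the package install. Two smaller points in the same hunk: the comment reads "The uid number is irrelevant" but this is a group, so "gid"; and `+ %if %{with_polkit}` and `+ %if 0%{?fedora} || 0%{?rhel} >= 6` carry a leading space while every other conditional in the file starts in column 0.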
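The rules file from the patch, together with the 50-libvirt.rules install name, raises the question of how the grant interacts with other files in rules.d. The following is an added example, not code from the libvirt patch, from polkit or from this thread: a small stand-in for polkit's JavaScript rules engine that loads rules files in lexical filename order, runs the registered functions until one returns a result, and falls back to the .policy default (auth_admin_keep for the manage action, as the Makefile hunk sets it) when none does. The engine, the users alice and bob, their group memberships, and the 40-local.rules/60-local.rules override file are all assumptions constructed for the example; only the text of LIBVIRT_RULES comes from the patch.

```javascript
// Added example, not code from the libvirt patch or from polkit itself: a small
// stand-in for polkit's JavaScript rules engine, written to show how the
// libvirt.rules file from the patch interacts with other files in rules.d.
// The engine is a simplified reimplementation (an assumption of this example)
// of the documented contract: rules files are loaded in lexical filename order,
// each registers functions with polkit.addRule(), and the first function that
// returns a non-null result decides; if none does, the action's .policy
// defaults apply.

const MANAGE = "org.libvirt.unix.manage";

// The rules file as the patch ships it (installed as 50-libvirt.rules).
const LIBVIRT_RULES = `
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("libvirtadm")) {
        return polkit.Result.YES;
    }
});
`;

// Hypothetical local override (constructed for this example) that an admin
// might drop into /etc/polkit-1/rules.d: no password-less manage rights for
// sessions that are not on a local seat.
const DENY_REMOTE_RULES = `
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" && !subject.local) {
        return polkit.Result.NO;
    }
});
`;

// Fallback when no rule decides: the Makefile hunk in the patch sets
// policyauth = auth_admin_keep for the manage action on polkit-1 builds.
const POLICY_DEFAULTS = { [MANAGE]: "auth_admin_keep" };

// Minimal model of the `polkit` object a rules file sees.
function makeEngine() {
  return {
    Result: { YES: "yes", NO: "no" },
    _ruleFuncs: [],
    addRule(fn) { this._ruleFuncs.push(fn); },
    runRules(action, subject) {
      for (const fn of this._ruleFuncs) {
        const r = fn(action, subject);
        if (r !== null && r !== undefined) return r; // first answer wins
      }
      return null; // nobody decided
    },
  };
}

// Subject as polkit presents it to rules: user, group test, session flags.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// rulesFiles maps filename -> JavaScript source, i.e. the merged contents of
// /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.
function decide(rulesFiles, actionId, subject) {
  const polkit = makeEngine();
  for (const name of Object.keys(rulesFiles).sort()) { // lexical order, like rules.d
    new Function("polkit", rulesFiles[name])(polkit); // the file registers its rules
  }
  const verdict = polkit.runRules({ id: actionId }, subject);
  return verdict !== null ? verdict : (POLICY_DEFAULTS[actionId] || "no");
}

// Worked scenarios; users and group memberships are constructed for the example.
function scenarios() {
  const shipped = { "50-libvirt.rules": LIBVIRT_RULES };
  const alice = makeSubject("alice", ["libvirtadm"]);
  const aliceOverSsh = makeSubject("alice", ["libvirtadm"], { local: false });
  const bob = makeSubject("bob", ["wheel"]);
  return {
    // libvirtadm member on a local console: the shipped rule says yes.
    memberLocal: decide(shipped, MANAGE, alice),
    // not a member: no rule decides, so the .policy default applies.
    nonMember: decide(shipped, MANAGE, bob),
    // an override named to sort before 50-libvirt.rules is consulted first.
    overrideSortsFirst: decide({ ...shipped, "40-local.rules": DENY_REMOTE_RULES }, MANAGE, aliceOverSsh),
    // the same override named 60-local.rules is never reached for members.
    overrideSortsLast: decide({ ...shipped, "60-local.rules": DENY_REMOTE_RULES }, MANAGE, aliceOverSsh),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Run it with node to see the four verdicts side by side. On a real host the same question is answered by polkit itself, for example `pkcheck --action-id org.libvirt.unix.manage --process $$` from a shell owned by the user being tested, which is the check worth doing after dropping any override into /etc/polkit-1/rules.d.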