On 04/30/2015 05:21 AM, Daniel P. Berrange wrote:
> On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
>> On 04/29/2015 03:42 PM, Guido Günther wrote:
>>> On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
>>>> Many users, who admin their own machines, want to be able to access
>>>> system libvirtd via tools like virt-manager without having to enter
>>>> a root password. Just google 'virt-manager without password' and
>>>> you'll find many hits. I've read at least 5 blog posts over the years
>>>> describing slightly different ways of achieving this goal.
>>>>
>>>> Let's finally add official support for this.
>>>>
>>>> Install a polkit-1 rules file granting password-less auth for any user
>>>> in the new 'libvirt' group. Create the group on RPM install
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>>>> ---
>>>> daemon/50-libvirt.rules | 9 +++++++++
>>>> daemon/Makefile.am | 13 +++++++++++++
>>>> libvirt.spec.in | 15 +++++++++++++--
>>>> 3 files changed, 35 insertions(+), 2 deletions(-)
>>>> create mode 100644 daemon/50-libvirt.rules
>>>>
>>>> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
>>>> new file mode 100644
>>>> index 0000000..01a15fa
>>>> --- /dev/null
>>>> +++ b/daemon/50-libvirt.rules
>>>> @@ -0,0 +1,9 @@
>>>> +// Allow any user in the 'libvirt' group to connect to system libvirtd
>>>> +// without entering a password.
>>>> +
>>>> +polkit.addRule(function(action, subject) {
>>>> + if (action.id == "org.libvirt.unix.manage" &&
>>>> + subject.isInGroup("libvirt")) {
>>>> + return polkit.Result.YES;
>>>> + }
>>>> +});
>>>
>>> That's what we're shipping in Debian since quite some time:
>>>
>>> https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules
>>>
>>> even with the same group name (which came from the group that owns the
>>> socket for socket based permissions). Would be great to be consistent
>>> across distros.
>>>
>>
>> Latest version of the patch uses libvirtadm at Dan's suggestion... but if
>> there's already precedent with what debian is shipping we might want to stick
>> with plain 'libvirt'.
>>
>> Dan, thoughts?
>
> Yeah, since both Suse and Debian have shipped this already with a group
> name of 'libvirt', we should use that for consistency
>
> Regards,
> Daniel
>

Okay, sent v3 with group=libvirt. If there's no objections I'll push after the
release is out

Thanks,
Cole
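
Review bot: the `if` condition in daemon/50-libvirt.rules returns `polkit.Result.YES` on `action.id` and `subject.isInGroup("libvirt")` alone, with no check of `subject.local` or `subject.active`, so the grant applies to every session of a group member, including remote and inactive ones. If the intent is only the case the commit message describes (users administering their own machines through virt-manager), add `subject.local && subject.active` to the condition; if all sessions are meant to be covered, say so in the header comment. The header comment should also state that group membership replaces the root-password prompt for `org.libvirt.unix.manage`, so an admin adding a user to the group can see what is being granted.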