Fix polkit configuration to allow usage of libvirt on openSUSE

There is a buggy limitation with pkla files on openSUSE that blocks
'unix-group:libvirtd' from working. A pkla with such a matching
identity will be overruled by the pkla generated by polkit-default-privs
containing 'unix-group:*' (which will match the other groups the user
belongs to, likely after matching libvirtd).

To work around this, explicitly allow the user instead.

Also, move the creation of the libvirtd group a bit later, to clarify
the code.

Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c
diff --git a/lib/nova b/lib/nova
index 86db561..9530df4 100644
--- a/lib/nova
+++ b/lib/nova
@@ -231,10 +231,13 @@
         if is_ubuntu; then
             LIBVIRT_DAEMON=libvirt-bin
         else
-            # http://wiki.libvirt.org/page/SSHPolicyKitSetup
-            if ! getent group libvirtd >/dev/null; then
-                sudo groupadd libvirtd
-            fi
+            LIBVIRT_DAEMON=libvirtd
+        fi
+
+        # For distributions using polkit to authorize access to libvirt,
+        # configure polkit accordingly.
+        # Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup
+        if is_fedora; then
             sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
 [libvirt Management Access]
 Identity=unix-group:libvirtd
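Review bot: the new "if is_fedora; then" guard at the end of this hunk narrows which systems get the pkla. Previously every non-Ubuntu distribution went through the else branch and had 50-libvirt-remote-access.pkla written; now only Fedora (and the is_suse case that follows) does, and anything else silently gets no polkit rule. If that narrowing is intended, say so in the comment above the guard, which currently reads as covering all "distributions using polkit"; otherwise add a final else that keeps the old unix-group rule.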
@@ -243,11 +246,24 @@
 ResultInactive=yes
 ResultActive=yes
 EOF'
-            LIBVIRT_DAEMON=libvirtd
+        elif is_suse; then
+            # Work around the fact that polkit-default-privs overrules pklas
+            # with 'unix-group:$group'.
+            sudo bash -c "cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
+[libvirt Management Access]
+Identity=unix-user:$USER
+Action=org.libvirt.unix.manage
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+EOF"
         fi
 
         # The user that nova runs as needs to be member of **libvirtd** group otherwise
         # nova-compute will be unable to use libvirt.
+        if ! getent group libvirtd >/dev/null; then
+            sudo groupadd libvirtd
+        fi
         add_user_to_group `whoami` libvirtd
 
         # libvirt detects various settings on startup, as we potentially changed
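Review bot: the is_suse branch writes "Identity=unix-user:$USER", with $USER expanded by the calling shell through the double-quoted heredoc, while the group step below uses `whoami`; the two can disagree (for example when USER is unset or inherited across su), so derive both from the same source. The rule also grants org.libvirt.unix.manage with ResultAny=yes to that one account only, so a nova process running as a different user will not be authorized on openSUSE even though it is added to libvirtd. The retained comment "needs to be member of **libvirtd** group otherwise nova-compute will be unable to use libvirt" is no longer accurate for openSUSE, where per this change the group match is overruled; a short note there would help.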