Add patches
parent
b59373e03c
commit
0831c388ec
|
@ -0,0 +1,126 @@
|
||||||
|
From: Cole Robinson <crobinso@redhat.com>
|
||||||
|
Date: Tue, 28 Apr 2015 17:38:00 -0400
|
||||||
|
Subject: [PATCH] polkit: Allow password-less access for 'libvirt' group
|
||||||
|
|
||||||
|
Many users, who admin their own machines, want to be able to access
|
||||||
|
system libvirtd via tools like virt-manager without having to enter
|
||||||
|
a root password. Just google 'virt-manager without password' and
|
||||||
|
you'll find many hits. I've read at least 5 blog posts over the years
|
||||||
|
describing slightly different ways of achieving this goal.
|
||||||
|
|
||||||
|
Let's finally add official support for this.
|
||||||
|
|
||||||
|
Install a polkit-1 rules file granting password-less auth for any user
|
||||||
|
in the new 'libvirt' group. Create the group on RPM install
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=957300
|
||||||
|
(cherry picked from commit e94979e901517af9fdde358d7b7c92cc055dd50c)
|
||||||
|
---
|
||||||
|
daemon/Makefile.am | 13 +++++++++++++
|
||||||
|
daemon/libvirt.rules | 9 +++++++++
|
||||||
|
libvirt.spec.in | 15 +++++++++++++--
|
||||||
|
3 files changed, 35 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 daemon/libvirt.rules
|
||||||
|
|
||||||
|
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
|
||||||
|
index b95a79d..9c5ea37 100644
|
||||||
|
--- a/daemon/Makefile.am
|
||||||
|
+++ b/daemon/Makefile.am
|
||||||
|
@@ -53,6 +53,7 @@ EXTRA_DIST = \
|
||||||
|
libvirtd.init.in \
|
||||||
|
libvirtd.upstart \
|
||||||
|
libvirtd.policy.in \
|
||||||
|
+ libvirt.rules \
|
||||||
|
libvirtd.sasl \
|
||||||
|
libvirtd.service.in \
|
||||||
|
libvirtd.socket.in \
|
||||||
|
@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
|
||||||
|
else ! WITH_POLKIT0
|
||||||
|
policydir = $(datadir)/polkit-1/actions
|
||||||
|
policyauth = auth_admin_keep
|
||||||
|
+rulesdir = $(datadir)/polkit-1/rules.d
|
||||||
|
+rulesfile = libvirt.rules
|
||||||
|
endif ! WITH_POLKIT0
|
||||||
|
endif WITH_POLKIT
|
||||||
|
|
||||||
|
@@ -263,9 +266,19 @@ if WITH_POLKIT
|
||||||
|
install-data-polkit::
|
||||||
|
$(MKDIR_P) $(DESTDIR)$(policydir)
|
||||||
|
$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
|
||||||
|
+if ! WITH_POLKIT0
|
||||||
|
+ $(MKDIR_P) $(DESTDIR)$(rulesdir)
|
||||||
|
+ $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
|
||||||
|
+endif ! WITH_POLKIT0
|
||||||
|
+
|
||||||
|
uninstall-data-polkit::
|
||||||
|
rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
|
||||||
|
rmdir $(DESTDIR)$(policydir) || :
|
||||||
|
+if ! WITH_POLKIT0
|
||||||
|
+ rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
|
||||||
|
+ rmdir $(DESTDIR)$(rulesdir) || :
|
||||||
|
+endif ! WITH_POLKIT0
|
||||||
|
+
|
||||||
|
else ! WITH_POLKIT
|
||||||
|
install-data-polkit::
|
||||||
|
uninstall-data-polkit::
|
||||||
|
diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..01a15fa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/daemon/libvirt.rules
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+// Allow any user in the 'libvirt' group to connect to system libvirtd
|
||||||
|
+// without entering a password.
|
||||||
|
+
|
||||||
|
+polkit.addRule(function(action, subject) {
|
||||||
|
+ if (action.id == "org.libvirt.unix.manage" &&
|
||||||
|
+ subject.isInGroup("libvirt")) {
|
||||||
|
+ return polkit.Result.YES;
|
||||||
|
+ }
|
||||||
|
+});
|
||||||
|
diff --git a/libvirt.spec.in b/libvirt.spec.in
|
||||||
|
index a84b19d..5de085b 100644
|
||||||
|
--- a/libvirt.spec.in
|
||||||
|
+++ b/libvirt.spec.in
|
||||||
|
@@ -1583,9 +1583,9 @@ then
|
||||||
|
fi
|
||||||
|
|
||||||
|
%if %{with_libvirtd}
|
||||||
|
+%pre daemon
|
||||||
|
%if ! %{with_driver_modules}
|
||||||
|
%if %{with_qemu}
|
||||||
|
-%pre daemon
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} >= 6
|
||||||
|
# We want soft static allocation of well-known ids, as disk images
|
||||||
|
# are commonly shared across NFS mounts by id rather than name; see
|
||||||
|
@@ -1599,11 +1599,21 @@ if ! getent passwd qemu >/dev/null; then
|
||||||
|
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
-exit 0
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
+ %if %{with_polkit}
|
||||||
|
+ %if 0%{?fedora} || 0%{?rhel} >= 6
|
||||||
|
+# 'libvirt' group is just to allow password-less polkit access to
|
||||||
|
+# libvirtd. The uid number is irrelevant, so we use dynamic allocation
|
||||||
|
+# described at the above link.
|
||||||
|
+getent group libvirt >/dev/null || groupadd -r libvirt
|
||||||
|
+ %endif
|
||||||
|
+ %endif
|
||||||
|
+
|
||||||
|
+exit 0
|
||||||
|
+
|
||||||
|
%post daemon
|
||||||
|
|
||||||
|
%if %{with_network}
|
||||||
|
@@ -1919,6 +1929,7 @@ exit 0
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} >= 6
|
||||||
|
%{_datadir}/polkit-1/actions/org.libvirt.unix.policy
|
||||||
|
%{_datadir}/polkit-1/actions/org.libvirt.api.policy
|
||||||
|
+%{_datadir}/polkit-1/rules.d/50-libvirt.rules
|
||||||
|
%else
|
||||||
|
%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
|
||||||
|
%endif
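Review bot: The polkit rule added in daemon/libvirt.rules returns `polkit.Result.YES` for `org.libvirt.unix.manage` on group membership alone. It does not look at `subject.local` or `subject.active`, so a member of 'libvirt' gets the same password-less access from a remote or inactive session as from the local console. Read-write access to system libvirtd is in practice equivalent to root on the host, and the header comment of the rules file should say so, for example `// NOTE: membership in 'libvirt' grants root-equivalent control of the host; add users deliberately.` If only console users are meant to be covered, the condition could become `subject.local && subject.active && subject.isInGroup("libvirt")`, though that would also deny group members who connect over SSH, so it should be a deliberate choice. Separately, the spec comment in the `%pre daemon` hunk says "uid number" where the gid of the new group is meant.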
|