Containerized libvirt auth (disable polkitd)

I had a conversation with the main Polkit developer, and the outcome was clearly that Polkit doesn't give much value in a server environment, in a container environment even more. If there are no interactive user sessions, all that Polkit gets from libvirtd to check the access is the numeric UID, which it then evaluates against it's configs and the /etc/passwd and /etc/group files. This is something libvirt can perfectly do by its own. Polkit was meant to authenticate access from interactive user sessions, in order to ask for the root password for example (like in a libvirt-UI running with user credentials). I think we should really get rid of Polkit in the container context. Anyway a UID check across container boundaries, which is happening if a user of container A connects to a unix socket shared with container B, is barely making sense. Adding Polkit doesn't help here.

So, can we reduce complexity instead and not use Polkit/D-Bus and reconfigure libvirtd to check the UID itself?

Polkit allows fine grained API access control in libvirt: https://libvirt.org/aclpolkit.html However as we don't currently need ACLs I think it should be ok to use filesystem permissions, for both baremetal and containers.

Hmm, odd, infra didn't include the review in it's comment: https://review.openstack.org/479816

I think it only adds them after they merged?

Change abandoned by Oliver Walsh (<email address hidden>) on branch: master
Review: https://review.openstack.org/479816
Reason: Sven will propose an alternative patch

https://review.openstack.org/#/c/484979

Related fix proposed to branch: master
Review: https://review.openstack.org/487229

Fix proposed to branch: master
Review: https://review.openstack.org/487412

Reviewed: https://review.openstack.org/487229
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=75fbc084d7c55b4e1c4b6a74b40a1f17121205eb
Submitter: Jenkins
Branch: master

commit 75fbc084d7c55b4e1c4b6a74b40a1f17121205eb
Author: Oliver Walsh <email address hidden>
Date: Tue Jul 25 22:54:56 2017 +0100

    Enable libvirtd_config puppet tag in nova-libvirtd docker service

    Required now that https://review.openstack.org/480289 has merged

    Change-Id: I17f6c9b5a6e2120a53bae296042ece492210597a
    Related-Bug: #1696504

Change abandoned by Oliver Walsh (<email address hidden>) on branch: master
Review: https://review.openstack.org/487412
Reason: Resolved in kolla https://review.openstack.org/#/c/487519/

Raising priority due to https://bugzilla.redhat.com/1474444

Reviewed: https://review.openstack.org/479816
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1b82fe40fe53572703854fcdbeda72cdf148e9c1
Submitter: Jenkins
Branch: master

commit 1b82fe40fe53572703854fcdbeda72cdf148e9c1
Author: Oliver Walsh <email address hidden>
Date: Tue Jul 25 21:05:35 2017 +0100

    Use normal socket file permissions instead of polkit

    The default (on RHEL/CentOS) is to use polkit but this is only useful
    for GUI support or for fine grained API access control. As we don't
    require either we can achieve identical control using plain old unix
    filesystem permissions.

    I've merged Sven's changes from https://review.openstack.org/484979
    and https://review.openstack.org/487150.

    As we need to be careful with the libvirtd option quoting I think it's
    best to do this in puppet-tripleo instead of t-h-t yaml.

    The option to override the settings from t-h-t remains.

    Co-Authored-By: Sven Anderson <email address hidden>

    Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6

    Closes-bug: 1696504

    Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
    Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a

This issue was fixed in the openstack/puppet-tripleo 7.3.0 release.