Containerized libvirt auth (disable polkitd)
Bug #1696504 reported by Oliver Walsh
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Emilien Macchi |
Bug Description
Access to the libvirtd socket is controlled by polkit. Currently polkitd is running on the host, which fails as the nova uid on the host does not match the uid in the nova docker image (and may not even exist in future).
For now I've proposed a workaround in https:/
Changed in tripleo:
  milestone: none → pike-3
  importance: Undecided → High
  status: New → Triaged
  assignee: nobody → Oliver Walsh (owalsh)
  tags: added: containers

Changed in tripleo:
  importance: High → Wishlist

Changed in tripleo:
  assignee: Oliver Walsh (owalsh) → Sven Anderson (ansiwen)

Changed in tripleo:
  assignee: Sven Anderson (ansiwen) → Oliver Walsh (owalsh)
  status: Triaged → In Progress

Changed in tripleo:
  assignee: Oliver Walsh (owalsh) → Sven Anderson (ansiwen)
  status: In Progress → Fix Committed
  summary: Containerize polkitd → Containerized libvirt auth (disable polkitd)

Changed in tripleo:
  status: Fix Committed → Fix Released

Changed in tripleo:
  assignee: Sven Anderson (ansiwen) → Oliver Walsh (owalsh)

Changed in tripleo:
  assignee: Oliver Walsh (owalsh) → Emilien Macchi (emilienm)
I had a conversation with the main Polkit developer, and the outcome was clearly that Polkit doesn't give much value in a server environment, in a container environment even more so. If there are no interactive user sessions, all that Polkit gets from libvirtd to check the access is the numeric UID, which it then evaluates against its configs and the /etc/passwd and /etc/group files. This is something libvirt can perfectly well do on its own. Polkit was meant to authenticate access from interactive user sessions, in order to ask for the root password for example (like in a libvirt UI running with user credentials). I think we should really get rid of Polkit in the container context. Anyway, a UID check across container boundaries, which is what happens if a user of container A connects to a unix socket shared with container B, barely makes sense. Adding Polkit doesn't help here.
So, can we reduce complexity instead and not use Polkit/D-Bus and reconfigure libvirtd to check the UID itself?
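The failure the bug description reports (polkitd on the host resolving a peer UID that comes from the nova image's user database) and the proposal in the comment above (drop the polkit round-trip and let libvirtd rely on its own socket checks), as an added example that is not code from this bug report, from TripleO or from libvirt. The passwd contents, the UIDs 162 and 42436, the group GIDs and the group name "libvirt" are constructed for illustration; the libvirtd.conf keys shown (auth_unix_ro, auth_unix_rw, unix_sock_group, unix_sock_ro_perms, unix_sock_rw_perms) are real libvirt settings, but the values are one possible configuration, not necessarily the one TripleO shipped.

```shell
#!/bin/sh
# Added example (not from the bug report, TripleO or libvirt). Models the
# polkit UID lookup across a container boundary and the libvirt-only
# socket check that replaces it. All passwd data and IDs are constructed.

# Constructed host /etc/passwd: nova exists on the host with uid 162.
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
nova:x:162:162:OpenStack Nova:/var/lib/nova:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin'

# Constructed /etc/passwd inside the nova container image: nova is uid 42436.
IMAGE_PASSWD='root:x:0:0:root:/root:/bin/bash
nova:x:42436:42436:nova user:/var/lib/nova:/sbin/nologin'

# Resolve a user name to a UID in the given passwd text (prints nothing if absent).
uid_for_name() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# Resolve a UID to a user name in the given passwd text ("unknown" if absent).
name_for_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$3 == u { print $1; found = 1; exit } END { if (!found) print "unknown" }'
}

# What polkitd on the host gets to work with: libvirtd passes only the
# numeric peer UID (taken from the shared unix socket), which polkitd then
# resolves against the HOST passwd. The UID was assigned by the image, so the
# lookup lands on the wrong user or, as here, on no user at all.
polkit_subject_user() {
    peer_uid=$(uid_for_name nova "$IMAGE_PASSWD")
    name_for_uid "$peer_uid" "$HOST_PASSWD"
}

# With auth_unix_rw = "none" libvirtd makes no polkit call; the only gate is
# the socket's owner/group/mode, enforced by the kernel at connect(). This
# models that check for a socket owned by root with mode 0770: the peer is
# allowed if it is uid 0 or if any of its numeric GIDs equals the socket's
# group. Names on either side of the container boundary play no part.
#   $1 = peer UID, $2 = space-separated peer GIDs, $3 = socket group GID
socket_rw_allowed() {
    peer_uid=$1; peer_gids=$2; sock_gid=$3
    [ "$peer_uid" = 0 ] && { echo allow; return 0; }
    for g in $peer_gids; do
        [ "$g" = "$sock_gid" ] && { echo allow; return 0; }
    done
    echo deny
}

# libvirtd.conf for the libvirt container: socket permissions instead of
# polkit. Keys are real libvirtd.conf settings; the group name is assumed.
libvirtd_conf_without_polkit() {
    cat <<'EOF'
# /etc/libvirt/libvirtd.conf
# default with polkit support compiled in would be: auth_unix_rw = "polkit"
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
EOF
}

echo "host passwd resolves uid 162 to: $(name_for_uid 162 "$HOST_PASSWD")"
echo "host polkitd would evaluate subject.user = $(polkit_subject_user)"
echo "socket check, nova container gid 42436 vs socket gid 42436: $(socket_rw_allowed 42436 '42436' 42436)"
echo "socket check, nova container gid 42436 vs host libvirt gid 993: $(socket_rw_allowed 42436 '42436' 993)"
libvirtd_conf_without_polkit
```

The two socket checks make the point of the comment concrete: once polkit is out of the path, what has to line up is the numeric group on the socket and in the connecting container, which holds when both containers are built from the same image family and fails when the socket is created on the host with the host's group IDs.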