Host is missing polkit definitions for libvirt

Bug #1930545 reported by Piotr Parczewski
Affects: kolla
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

The libvirt daemon from the nova_libvirt container consults the polkit service running on the host. Since the libvirt daemon is installed in the container's image, the following files are to be found in the image but not on the host:

/usr/share/polkit-1/actions/org.libvirt.api.policy
/usr/share/polkit-1/actions/org.libvirt.unix.policy
/usr/share/polkit-1/rules.d/50-libvirt.rules

This causes the polkit service to be unaware of any libvirt-related actions and policies, which makes it difficult/impossible to enable secure access to libvirt's socket for a third party.

Revision history for this message
Piotr Parczewski (parczewski) wrote :

Victoria release, CentOS source installation.

Radosław Piliszek (yoctozepto) wrote :

Considering the fragility of this component (libvirtd), should we actually focus on working with the host one instead of trying to containerise?

Piotr Parczewski (parczewski) wrote :

That probably makes the most sense - I did not consider creating polkit inside a container. One obvious workaround / feature could be allowing users to disable polkit support in libvirt and control socket access using regular filesystem permissions.

Also, I did not check the behaviour on Ubuntu yet.

Radosław Piliszek (yoctozepto) wrote :

Last time I played with libvirtd to get Debian Bullseye rolling, I had some crazy ideas. Sharing one: https://review.opendev.org/c/openstack/kolla-ansible/+/794262
Perhaps that would help as well. Though no idea if it breaks or kills any kitties. Let's see.

Radosław Piliszek (yoctozepto) wrote :

It seems to be generally passing, waiting for all results.
So, isolating containerised libvirtd from host's systemd and dbus (and thus polkit), seems to still pass our tests. Does it solve your issue?

Mark Goddard (mgoddard)
Changed in kolla:
importance: Undecided → Medium
Pierre Riteau (priteau) wrote :

We can also disable polkit entirely for the read-only socket:

/etc/kolla/nova-libvirt/libvirtd.conf:
auth_unix_ro = "none"

Pierre Riteau (priteau) wrote :

We already have this configuration option enabled by a flag:

{% if enable_neutron_mlnx | bool %}
# Enable read-only access to libvirt socket
auth_unix_ro = "none"
{% endif %}

Changed in kolla:
status: New → Confirmed
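A host-side check for the mismatch discussed in this thread, added here as an example; it is not part of the bug report, of kolla or of libvirt. It reads the authentication scheme a libvirtd.conf selects for the read-only and read-write UNIX sockets (`auth_unix_ro`, as quoted above, and its sibling key `auth_unix_rw`, which is a real libvirtd.conf key but is not on this page) and counts how many of the three polkit definition files named in the report are absent on the host. The sandbox it builds for the offline run is constructed: a fake root with the two action files present, the rules file missing, and a made-up libvirtd.conf that disables polkit on the read-only socket while leaving the read-write socket on polkit. The `/etc/kolla/nova-libvirt/libvirtd.conf` path comes from the thread; whether an unset key defaults to polkit depends on how libvirt was built, so the check reports that case as "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example, not from the bug report or from kolla: a host-side check for the
# mismatch this report describes. It reports which authentication scheme a
# libvirtd.conf selects for the read-only and read-write UNIX sockets and whether
# the host carries the polkit definitions that a polkit-authenticated socket needs.

# The three files the bug report names as present in the image but absent on the host.
LIBVIRT_POLKIT_FILES="/usr/share/polkit-1/actions/org.libvirt.api.policy
/usr/share/polkit-1/actions/org.libvirt.unix.policy
/usr/share/polkit-1/rules.d/50-libvirt.rules"

# libvirtd_auth CONF KEY: print the quoted value of KEY (auth_unix_ro or auth_unix_rw)
# from CONF, or "unset" when the key is commented out or absent, in which case
# libvirt's compiled-in default applies.
libvirtd_auth() {
    value=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'unset\n'
    fi
}

# missing_polkit_defs ROOT: count how many of the expected files are absent under
# ROOT (pass "" to inspect the real host filesystem).
missing_polkit_defs() {
    missing=0
    for f in $LIBVIRT_POLKIT_FILES; do
        [ -f "$1$f" ] || missing=$((missing + 1))
    done
    echo "$missing"
}

# check_host ROOT CONF: "broken" when a socket is explicitly set to polkit but the
# host lacks definitions; "unknown" when a socket is left at its build default
# (which may be polkit) and definitions are missing; "ok" otherwise.
check_host() {
    ro=$(libvirtd_auth "$2" auth_unix_ro)
    rw=$(libvirtd_auth "$2" auth_unix_rw)
    missing=$(missing_polkit_defs "$1")
    if [ "$missing" -eq 0 ]; then
        echo ok
    elif [ "$ro" = polkit ] || [ "$rw" = polkit ]; then
        echo broken
    elif [ "$ro" = unset ] || [ "$rw" = unset ]; then
        echo unknown
    else
        echo ok
    fi
}

# make_sandbox: constructed fake root for the offline demonstration. It has the two
# action files but no rules file, and a constructed libvirtd.conf that disables
# polkit on the read-only socket (as in the thread) while keeping it on read-write.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/polkit-1/actions" "$root/usr/share/polkit-1/rules.d" \
             "$root/etc/kolla/nova-libvirt"
    : > "$root/usr/share/polkit-1/actions/org.libvirt.api.policy"
    : > "$root/usr/share/polkit-1/actions/org.libvirt.unix.policy"
    cat > "$root/etc/kolla/nova-libvirt/libvirtd.conf" <<'EOF'
# constructed sample libvirtd.conf
#auth_unix_ro = "polkit"
auth_unix_ro = "none"
auth_unix_rw = "polkit"
EOF
    echo "$root"
}

# Stand-alone run: inspect the sandbox, then the real host (root "" and the
# kolla config path from the thread, if it exists).
sandbox=$(make_sandbox)
conf="$sandbox/etc/kolla/nova-libvirt/libvirtd.conf"
echo "sandbox: ro=$(libvirtd_auth "$conf" auth_unix_ro) rw=$(libvirtd_auth "$conf" auth_unix_rw) missing=$(missing_polkit_defs "$sandbox") verdict=$(check_host "$sandbox" "$conf")"
rm -rf "$sandbox"
if [ -f /etc/kolla/nova-libvirt/libvirtd.conf ]; then
    echo "host: verdict=$(check_host "" /etc/kolla/nova-libvirt/libvirtd.conf)"
fi
```

On a real host, run it as root so the real-host branch can read `/etc/kolla/nova-libvirt/libvirtd.conf`; a "broken" verdict means the socket was configured to ask polkit about actions the host's polkit has never heard of, which is the failure the report describes, and switching a socket to `"none"` trades that for plain filesystem permissions on the socket path, as the later comments propose.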