Containerized libvirt auth (disable polkitd)

Bug #1696504 reported by Oliver Walsh on 2017-06-07
This bug affects 2 people
Affects: tripleo
Importance: High
Assigned to: Emilien Macchi

Bug Description

Access to the libvirtd socket is controlled by polkit. Currently polkitd is running on the host, which fails as the nova uid on the host does not match the uid in the nova docker image (and may not even exist in future).

For now I've proposed a workaround in https://review.openstack.org/471319. To resolve this properly in pike-3 the polkitd service needs to be containerized or an alternative auth method used.

Oliver Walsh (owalsh) on 2017-06-07
Changed in tripleo:
milestone: none → pike-3
importance: Undecided → High
status: New → Triaged
assignee: nobody → Oliver Walsh (owalsh)
tags: added: containers
Changed in tripleo:
importance: High → Wishlist
Sven Anderson (ansiwen) on 2017-07-03
Changed in tripleo:
assignee: Oliver Walsh (owalsh) → Sven Anderson (ansiwen)
Sven Anderson (ansiwen) wrote :

I had a conversation with the main Polkit developer, and the outcome was clearly that Polkit doesn't give much value in a server environment, in a container environment even more. If there are no interactive user sessions, all that Polkit gets from libvirtd to check the access is the numeric UID, which it then evaluates against its configs and the /etc/passwd and /etc/group files. This is something libvirt can perfectly do on its own. Polkit was meant to authenticate access from interactive user sessions, in order to ask for the root password for example (like in a libvirt-UI running with user credentials). I think we should really get rid of Polkit in the container context. Anyway a UID check across container boundaries, which is happening if a user of container A connects to a unix socket shared with container B, is barely making sense. Adding Polkit doesn't help here.

So, can we reduce complexity instead and not use Polkit/D-Bus and reconfigure libvirtd to check the UID itself?

Changed in tripleo:
assignee: Sven Anderson (ansiwen) → Oliver Walsh (owalsh)
status: Triaged → In Progress
Oliver Walsh (owalsh) wrote :

Polkit allows fine grained API access control in libvirt: https://libvirt.org/aclpolkit.html However as we don't currently need ACLs I think it should be ok to use filesystem permissions, for both baremetal and containers.

Oliver Walsh (owalsh) wrote :

Hmm, odd, infra didn't include the review in its comment: https://review.openstack.org/479816

Sven Anderson (ansiwen) wrote :

I think it only adds them after they merged?

Change abandoned by Oliver Walsh (<email address hidden>) on branch: master
Review: https://review.openstack.org/479816
Reason: Sven will propose an alternative patch

Sven Anderson (ansiwen) on 2017-07-25
Changed in tripleo:
assignee: Oliver Walsh (owalsh) → Sven Anderson (ansiwen)
status: In Progress → Fix Committed
Oliver Walsh (owalsh) on 2017-07-25
summary: - Containerize polkitd
+ Containerized libvirt auth (disable polkitd)

Reviewed: https://review.openstack.org/487229
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=75fbc084d7c55b4e1c4b6a74b40a1f17121205eb
Submitter: Jenkins
Branch: master

commit 75fbc084d7c55b4e1c4b6a74b40a1f17121205eb
Author: Oliver Walsh <email address hidden>
Date: Tue Jul 25 22:54:56 2017 +0100

    Enable libvirtd_config puppet tag in nova-libvirtd docker service

    Required now that https://review.openstack.org/480289 has merged

    Change-Id: I17f6c9b5a6e2120a53bae296042ece492210597a
    Related-Bug: #1696504

Changed in tripleo:
status: Fix Committed → Fix Released

Change abandoned by Oliver Walsh (<email address hidden>) on branch: master
Review: https://review.openstack.org/487412
Reason: Resolved in kolla https://review.openstack.org/#/c/487519/

Oliver Walsh (owalsh) wrote :

Raising priority due to https://bugzilla.redhat.com/1474444

Changed in tripleo:
status: Fix Released → In Progress
importance: Wishlist → High
milestone: pike-3 → pike-rc1
Changed in tripleo:
assignee: Sven Anderson (ansiwen) → Oliver Walsh (owalsh)
Changed in tripleo:
assignee: Oliver Walsh (owalsh) → Emilien Macchi (emilienm)

Reviewed: https://review.openstack.org/479816
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1b82fe40fe53572703854fcdbeda72cdf148e9c1
Submitter: Jenkins
Branch: master

commit 1b82fe40fe53572703854fcdbeda72cdf148e9c1
Author: Oliver Walsh <email address hidden>
Date: Tue Jul 25 21:05:35 2017 +0100

    Use normal socket file permissions instead of polkit

    The default (on RHEL/CentOS) is to use polkit but this is only useful
    for GUI support or for fine grained API access control. As we don't
    require either we can achieve identical control using plain old unix
    filesystem permissions.

    I've merged Sven's changes from https://review.openstack.org/484979
    and https://review.openstack.org/487150.

    As we need to be careful with the libvirtd option quoting I think it's
    best to do this in puppet-tripleo instead of t-h-t yaml.

    The option to override the settings from t-h-t remains.

    Co-Authored-By: Sven Anderson <email address hidden>

    Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6

    Closes-bug: 1696504

    Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
    Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/puppet-tripleo 7.3.0 release.
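
Added example, not code from the bug report or from puppet-tripleo: once polkit is switched off as the commit above describes, the socket's owner, group and mode are the only access control on libvirtd, so this sketch audits a libvirtd.conf for a world-accessible read-write socket and for the option quoting the commit message warns about. The option names are libvirtd.conf settings; the sample configs, the `libvirt` group name and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from the bug report or puppet-tripleo).
POLKIT_DEFAULT = 'auth_unix_ro = "polkit"\nauth_unix_rw = "polkit"\n'
SOCKET_PERMS = '''
# access decided by socket ownership and mode only
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0444"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
'''
BROKEN = 'auth_unix_rw = none\nunix_sock_rw_perms = "0777"\n'

KEYS = {"unix_sock_group", "unix_sock_ro_perms", "unix_sock_rw_perms",
        "auth_unix_ro", "auth_unix_rw"}
LINE = re.compile(r'\s*(\w+)\s*=\s*("[^"]*"|\S+)')

def parse(text):
    """Return ({key: value}, [quoting findings]) for the socket/auth options."""
    conf, findings = {}, []
    for line in text.splitlines():
        m = LINE.match(line)          # comment lines start with '#', so no match
        if not m or m.group(1) not in KEYS:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            conf[key] = raw[1:-1]
        else:                         # libvirtd.conf strings need double quotes
            findings.append(f"{key}: string value must be double-quoted")
            conf[key] = raw
    return conf, findings

def audit(text):
    """Flag configs where auth is 'none' but the rw socket is not locked down."""
    conf, findings = parse(text)
    if conf.get("auth_unix_rw") == "none":
        perms = conf.get("unix_sock_rw_perms")
        if perms is None:
            # Assumption: treated as a finding because the effective default
            # mode depends on how libvirt was built.
            findings.append("unix_sock_rw_perms: unset while auth_unix_rw is none")
        elif not re.fullmatch(r"0[0-7]{3}", perms):
            findings.append("unix_sock_rw_perms: not a 4-digit octal mode")
        elif int(perms, 8) & 0o007:
            findings.append("unix_sock_rw_perms: socket open to 'other' with no auth")
    return findings

if __name__ == "__main__":
    for name in ("POLKIT_DEFAULT", "SOCKET_PERMS", "BROKEN"):
        print(name, audit(globals()[name]))
```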
