Comment 1 for bug 1696504

Sven Anderson (ansiwen) wrote : Re: Containerize polkitd

I had a conversation with the main Polkit developer, and the outcome was clearly that Polkit doesn't give much value in a server environment, and even more so in a container environment. If there are no interactive user sessions, all that Polkit gets from libvirtd to check the access is the numeric UID, which it then evaluates against its configs and the /etc/passwd and /etc/group files. This is something libvirt can perfectly well do on its own. Polkit was meant to authenticate access from interactive user sessions, in order to ask for the root password, for example (like in a libvirt UI running with user credentials). I think we should really get rid of Polkit in the container context. Anyway, a UID check across container boundaries, which is what happens if a user of container A connects to a unix socket shared with container B, barely makes sense. Adding Polkit doesn't help here.

So, can we reduce complexity instead and not use Polkit/D-Bus and reconfigure libvirtd to check the UID itself?
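
What a daemon-side UID check on a unix socket amounts to, as an added example that is not libvirt's code and not part of the original comment: the server reads the peer's numeric UID from the kernel with `SO_PEERCRED` and resolves group membership against its own `/etc/passwd` and `/etc/group`. The function names and the single allowed UID / allowed GID policy are assumptions made for illustration.

```c
#define _GNU_SOURCE             /* struct ucred, getgrouplist() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fetch the peer UID the kernel recorded for this unix socket.
 * Returns 0 on success, -1 on failure. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 ||
        len != sizeof(cred))
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Hypothetical policy: allow one UID, or any member of one group.
 * Names and groups come from the passwd/group files visible to THIS
 * process, so in another container the same number may be another user. */
int authorize(uid_t uid, uid_t allowed_uid, gid_t allowed_gid)
{
    if (uid == allowed_uid)
        return 1;
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)             /* UID unknown locally: fail closed */
        return 0;
    gid_t groups[256];
    int n = 256;
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) < 0)
        return 0;               /* more groups than the buffer holds: deny */
    for (int i = 0; i < n; i++)
        if (groups[i] == allowed_gid)
            return 1;
    return 0;
}

int main(void)
{
    int sv[2];                  /* constructed stand-in for a client connection */
    uid_t uid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || peer_uid(sv[0], &uid) != 0)
        return 1;
    printf("peer uid %d allowed: %d\n", (int)uid, authorize(uid, getuid(), getgid()));
    return 0;
}
```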