Use normal socket file permissions instead of polkit

The default (on RHEL/CentOS) is to use polkit but this is only useful
for GUI support or for fine grained API access control.  As we don't
require either we can achieve identical control using plain old unix
filesystem permissions.

I've merged Sven's changes from https://review.openstack.org/484979
and https://review.openstack.org/487150.

As we need to be careful with the libvirtd option quoting I think it's
best to do this in puppet-tripleo instead of t-h-t yaml.

The option to override the settings from t-h-t remains.

Co-Authored-By: Sven Anderson <sven@redhat.com>

Reverts I91be1f1eacf8eed9017bbfef393ee2d66771e8d6

Closes-bug: 1696504

Change-Id: I507bdd8e3a461091562177403a2a55fcaf6694d2
Depends-On: I17f6c9b5a6e2120a53bae296042ece492210597a

manifests/profile/base/docker.pp

@@ -43,18 +43,6 @@
 # [*step*]
 #   step defaults to hiera('step')
 #
-# [*configure_libvirt_polkit*]
-#   Configures libvirt polkit to grant the kolla nova user access to the libvirtd unix domain socket on the host.
-#   Defaults to true when nova_compute service is enabled, false when nova_compute is disabled
-#
-# [*docker_nova_uid*]
-#   When configure_libvirt_polkit = true, the uid/gid of the nova user within the docker container.
-#   Defaults to 42436
-#
-# [*services_enabled*]
-#   List of TripleO services enabled on the role.
-#   Defaults to hiera('services_names')
-#
 # DEPRECATED PARAMETERS
 #
 # [*docker_namespace*]
@@ -73,20 +61,11 @@ class tripleo::profile::base::docker (
   $configure_storage = true,
   $storage_options = '-s overlay2',
   $step = Integer(hiera('step')),
-  $configure_libvirt_polkit = undef,
-  $docker_nova_uid = 42436,
-  $services_enabled = hiera('service_names', []),
   # DEPRECATED PARAMETERS
   $docker_namespace = undef,
   $insecure_registry = false,
 ) {
 
-  if $configure_libvirt_polkit == undef {
-    $configure_libvirt_polkit_real = 'nova_compute' in $services_enabled
-  } else {
-    $configure_libvirt_polkit_real = $configure_libvirt_polkit
-  }
-
   if $step >= 1 {
     package {'docker':
       ensure => installed,
@@ -176,41 +155,4 @@ class tripleo::profile::base::docker (
     }
 
   }
-  if ($step >= 4 and $configure_libvirt_polkit_real) {
-    # Workaround for polkit authorization for libvirtd socket on host
-    #
-    # This creates a local user with the kolla nova uid, and sets the polkit rule to
-    # allow both it and the nova user from the nova rpms, should it exist (uid 162).
-
-    group { 'docker_nova_group':
-      name => 'docker_nova',
-      gid  => $docker_nova_uid
-    }
-    -> user { 'docker_nova_user':
-      name    => 'docker_nova',
-      uid     => $docker_nova_uid,
-      gid     => $docker_nova_uid,
-      shell   => '/sbin/nologin',
-      comment => 'OpenStack Nova Daemons',
-      groups  => ['nobody']
-    }
-
-    # Similar to the polkit rule in the openstack-nova rpm spec
-    # but allow both the 'docker_nova' and 'nova' user
-    $docker_nova_polkit_rule = '// openstack-nova libvirt management permissions
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.libvirt.unix.manage" &&
-        /^(docker_)?nova$/.test(subject.user)) {
-        return polkit.Result.YES;
-    }
-});
-'
-    package {'polkit':
-      ensure => installed,
-    }
-    -> file {'/etc/polkit-1/rules.d/50-nova.rules':
-      content => $docker_nova_polkit_rule,
-      mode    => '0644'
-    }
-  }
 }

manifests/profile/base/nova/libvirt.pp

@@ -23,8 +23,13 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*libvirtd_config*]
+#   (Optional) Overrides for libvirtd config options
+#   Default to {}
+#
 class tripleo::profile::base::nova::libvirt (
   $step = Integer(hiera('step')),
+  $libvirtd_config = {},
 ) {
   include ::tripleo::profile::base::nova::compute_libvirt_shared
 
@@ -33,6 +38,18 @@ class tripleo::profile::base::nova::libvirt (
     include ::tripleo::profile::base::nova::migration::client
     include ::nova::compute::libvirt::services
 
+    $libvirtd_config_default = {
+      unix_sock_group    => {value => '"libvirt"'},
+      auth_unix_ro       => {value => '"none"'},
+      auth_unix_rw       => {value => '"none"'},
+      unix_sock_ro_perms => {value => '"0777"'},
+      unix_sock_rw_perms => {value => '"0770"'}
+    }
+
+    class { '::nova::compute::libvirt::config':
+      libvirtd_config => merge($libvirtd_config_default, $libvirtd_config)
+    }
+
     file { ['/etc/libvirt/qemu/networks/autostart/default.xml',
       '/etc/libvirt/qemu/networks/default.xml']:
       ensure => absent,

spec/classes/tripleo_profile_base_docker_spec.rb

@@ -121,85 +121,6 @@ describe 'tripleo::profile::base::docker' do
       }
     end
 
-    context 'with step 4 and configure_libvirt_polkit disabled' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => false
-      } }
-      it {
-        is_expected.to_not contain_group('docker_nova_group')
-        is_expected.to_not contain_user('docker_nova_user')
-        is_expected.to_not contain_package('polkit')
-        is_expected.to_not contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and configure_libvirt_polkit enabled' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => true
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 42436
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 42436,
-          :gid  => 42436,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and nova_compute service installed' do
-      let(:params) { {
-          :step          => 4,
-          :services_enabled => ['docker', 'nova_compute']
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 42436
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 42436,
-          :gid  => 42436,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
-
-    context 'with step 4 and configure_libvirt_polkit enabled and docker_nova uid' do
-      let(:params) { {
-          :step                    => 4,
-          :configure_libvirt_polkit => true,
-          :docker_nova_uid         => 12345
-      } }
-      it {
-        is_expected.to contain_group('docker_nova_group').with(
-          :name => 'docker_nova',
-          :gid  => 12345
-        )
-        is_expected.to contain_user('docker_nova_user').with(
-          :name => 'docker_nova',
-          :uid  => 12345,
-          :gid  => 12345,
-          :shell => '/sbin/nologin',
-          :groups => ['nobody']
-        )
-        is_expected.to contain_package('polkit')
-        is_expected.to contain_file('/etc/polkit-1/rules.d/50-nova.rules')
-      }
-    end
   end
 
   on_supported_os.each do |os, facts|

spec/classes/tripleo_profile_base_nova_libvirt_spec.rb

@@ -69,6 +69,51 @@ eos
         is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
         is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
         is_expected.to contain_exec('libvirt-default-net-destroy')
+        is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+          "unix_sock_group"    => {"value" => '"libvirt"'},
+          "auth_unix_ro"       => {"value" => '"none"'},
+          "auth_unix_rw"       => {"value" => '"none"'},
+          "unix_sock_ro_perms" => {"value" => '"0777"'},
+          "unix_sock_rw_perms" => {"value" => '"0770"'}
+        })
+      }
+    end
+
+    context 'with step 4 and libvirtd_config' do
+      let(:pre_condition) do
+        <<-eos
+        class { '::tripleo::profile::base::nova':
+          step => #{params[:step]},
+          oslomsg_rpc_hosts => [ '127.0.0.1' ],
+        }
+        class { '::tripleo::profile::base::nova::migration':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::migration::client':
+          step => #{params[:step]}
+        }
+        class { '::tripleo::profile::base::nova::compute_libvirt_shared':
+          step => #{params[:step]}
+        }
+eos
+      end
+
+      let(:params) { { :step => 4, :libvirtd_config => { "unix_sock_group" => {"value" => '"foobar"'}} } }
+
+      it {
+        is_expected.to contain_class('tripleo::profile::base::nova::libvirt')
+        is_expected.to contain_class('tripleo::profile::base::nova')
+        is_expected.to contain_class('nova::compute::libvirt::services')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
+        is_expected.to contain_file('/etc/libvirt/qemu/networks/default.xml').with_ensure('absent')
+        is_expected.to contain_exec('libvirt-default-net-destroy')
+        is_expected.to contain_class('nova::compute::libvirt::config').with_libvirtd_config({
+          "unix_sock_group"    => {"value" => '"foobar"'},
+          "auth_unix_ro"       => {"value" => '"none"'},
+          "auth_unix_rw"       => {"value" => '"none"'},
+          "unix_sock_ro_perms" => {"value" => '"0777"'},
+          "unix_sock_rw_perms" => {"value" => '"0770"'}
+        })
       }
     end
   end