Fixes nova-compute failing to start on Fedora 18

Fixes bug #1086784 Adds a rule to the policy-kit allowing the stack user to manage libvirt Change-Id: I6e9c0106c932f5f5f5c5c18ff79ac81a050c4599
openstack · Jan 21, 2013 · a534e0b · a534e0b
1 parent e575b6f
commit a534e0b
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/lib/nova b/lib/nova
@@ -247,18 +247,33 @@ EOF
             LIBVIRT_DAEMON=libvirtd
         fi
 
-        # For distributions using polkit to authorize access to libvirt,
-        # configure polkit accordingly.
-        # Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup
+
+
         if is_fedora; then
-            sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
+            # Starting with fedora 18 enable stack-user to virsh -c qemu:///system
+            # by creating a policy-kit rule for stack-user
+            if [[ "$os_RELEASE" -ge "18" ]]; then
+                rules_dir=/etc/polkit-1/rules.d
+                sudo mkdir -p $rules_dir
+                sudo bash -c "cat <<EOF > $rules_dir/50-libvirt-$STACK_USER.rules
+polkit.addRule(function(action, subject) {
+     if (action.id == 'org.libvirt.unix.manage' &&
+         subject.user == '"$STACK_USER"') {
+         return polkit.Result.YES;
+     }
+});
+EOF"
+                unset rules_dir
+            else
+                sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
 [libvirt Management Access]
 Identity=unix-group:libvirtd
 Action=org.libvirt.unix.manage
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes
 EOF'
+            fi
         elif is_suse; then
             # Work around the fact that polkit-default-privs overrules pklas
             # with 'unix-group:$group'.