yahoo-eng-team team mailing list archive

[Silvan Kaiser <silvan@xxxxxxxxxxx>]

Public bug reported:

tl;dr
When running Quobyte Cinder storage with nas_secure_file_* settings set to true libvirt is currently required to be configured with dynamic_ownership=0 (off). This is not recommended with Nova.

Expected results: secure settings in Cinder should work with Nova and unmodified dynamic_ownership in libvirt config
Actual results: The option in libvirt is required


More detailed:
When run with dynamic_ownership=1 libvirt changes file ownership on guest files to root:root at some point. Running Cinder with the Quobyte driver in nas_secure_file_ownership / nas_secure_file_permissions = true conflicts with this: In secure mode image files belong to the nova/cinder service users (both in a common group) and file permissions are 660 (instead of running root:root/666 as is the insecure mode for these cinder options). When libvirt changes the files ownership to root:root nova/cinder cannot access those files any longer, hurting e.g. snapshots and the like.

A correction proposal was made by Daniel Berrange at https://bugs.launchpad.net/nova/+bug/1597644/comments/22 :
"[..]If so, a much better approach is to enhance nova so that it can set a <seclabel> element against *just* the quobyte backed disks, that tells libvirt to skip ownership changes for those disks. That way operation of libvirt / QEMU in general will not be affect, thus avoiding nasty side-effects such as this console.log problem.[..]"

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: libvirt quobyte

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1609298

Title:
  libvirt should not require dynamic_ownership off for secure
  Cinder/Quobyte settings

Status in OpenStack Compute (nova):
  New

Bug description:
  tl;dr
  When running Quobyte Cinder storage with nas_secure_file_* settings set to true libvirt is currently required to be configured with dynamic_ownership=0 (off). This is not recommended with Nova.

  Expected results: secure settings in Cinder should work with Nova and unmodified dynamic_ownership in libvirt config
  Actual results: The option in libvirt is required

  
  More detailed:
  When run with dynamic_ownership=1 libvirt changes file ownership on guest files to root:root at some point. Running Cinder with the Quobyte driver in nas_secure_file_ownership / nas_secure_file_permissions = true conflicts with this: In secure mode image files belong to the nova/cinder service users (both in a common group) and file permissions are 660 (instead of running root:root/666 as is the insecure mode for these cinder options). When libvirt changes the files ownership to root:root nova/cinder cannot access those files any longer, hurting e.g. snapshots and the like.

  A correction proposal was made by Daniel Berrange at https://bugs.launchpad.net/nova/+bug/1597644/comments/22 :
  "[..]If so, a much better approach is to enhance nova so that it can set a <seclabel> element against *just* the quobyte backed disks, that tells libvirt to skip ownership changes for those disks. That way operation of libvirt / QEMU in general will not be affect, thus avoiding nasty side-effects such as this console.log problem.[..]"

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1609298/+subscriptions