
yahoo-eng-team team mailing list archive

[Bug 1650465] [NEW] Permission Issue during Migration and resize when we have privacy umask

 

Public bug reported:

Scenario:
Normally the universal umask (022) is used in a testing environment; I was using the privacy umask (027), as it is a production environment.

In this scenario root has a 022 umask in the provisioning stage, and other
users will get 027 as their umask in the deployment stage.

The umask is handled by pam umask, so 027 becomes 007.

So the nova user on the compute node has a 007 umask, and directories created
by the nova user have 770 permissions.

During migration/resize to another host there is a permission issue, as
the instance directory, which has 770 permissions, needs to be accessed by
libvirt-qemu.


Considerations:
1. Privacy umask for OpenStack users
2. compute01 has the VM to migrate/resize
3. The VM will be migrated from compute01 to compute02
4. Hypervisor: KVM
5. OpenStack version: KILO, MITAKA, NEWTON


Steps to reproduce:
1. Install Ubuntu 14.04 and, after installation, change the pam umask value from 022 to 027 (which is needed for production).
2. Deploy the OpenStack components; here, for compute, the nova user and libvirt-qemu will be created with a pam umask of 007.

root@compute01:/var/lib/nova/instances# umask
0002
nova@compute01:/var/lib/nova$ umask
0007

3. Create a host aggregate and include compute01 and compute02 in it.
4. Spin up a VM on compute01; here the VM ID is 09aab3a8-3df8-474c-a8a9-a4f666f851a0
root@compute01:/var/lib/nova/instances# ls -l
total 12
drwxr-xr-x 2 nova nova  111 Dec  12 21:33 09aab3a8-3df8-474c-a8a9-a4f666f851a0
drwxr-xr-x 2 nova nova 4096 Dec  12 01:48 _base
-rw-r--r-- 1 nova nova   52 Dec  15 13:16 compute_nodes
drwxr-xr-x 2 nova nova 4096 Dec  12 01:48 locks

5. Test the umask for nova on compute01 and compute02
nova@compute01:/tmp$ mkdir nova_umask_test
nova@compute01:/tmp$ ls -ld  nova_umask_test
drwxr-x--- 2 nova nova     4096 Dec  12 13:55 nova_umask_test

nova@compute02:/tmp$ mkdir nova_umask_test
nova@compute02:/tmp$ ls -ld  nova_umask_test
drwxr-x--- 2 nova nova     4096 Dec  12 13:58 nova_umask_test

6. Validate the permissions of the VM directory on compute01
root@compute01:/var/lib/nova/instances# ls -l 09aab3a8-3df8-474c-a8a9-a4f666f851a0
total 172944
-rw-rw---- 1 libvirt-qemu libvirt-qemu     26280 Dec 12 21:35 console.log
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 176488448 Dec 12 16:57 disk
-rw-r--r-- 1 libvirt-qemu libvirt-qemu    432128 Dec 12 21:33 disk.config
-rw-r--r-- 1 nova         nova               162 Dec 12 21:33 disk.info

7. Do the resize from m1.small to m1.medium; it ends up with the following error.
Error message : Error: Failed to perform requested operation on instance "test", the instance has an error status: Please try again later
[Error: Cannot access storage file '/var/lib/nova/instances/09aab3a8-3df8-474c-a8a9-a4f666f851a0/disk' (as uid:108, gid:117): Permission denied].


Actual result:
A permission issue occurred during migrate/resize to a different host.

Expected result:
Resize/migrate will be successful.

Note: With the universal umask, migration/resize works fine in the same
environment.

** Affects: nova
     Importance: Undecided
     Assignee: Prabhuraj K (prabhuraj)
         Status: New

** Changed in: nova
     Assignee: (unassigned) => Prabhuraj K (prabhuraj)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1650465

Title:
  Permission Issue during Migration and resize when we have privacy
  umask

Status in OpenStack Compute (nova):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1650465/+subscriptions
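
Added example (not part of the bug report and not nova code): a small diagnostic that walks a path and names the first component a given uid/gid cannot pass, which is the check behind a "Cannot access storage file ... Permission denied" error like the one reported. It models only the classic owner/group/other mode bits (no ACLs, AppArmor or SELinux); the helper names and the temporary directory tree are constructed for illustration, while uid 108 / gid 117 and the instance ID are taken from the report.

```python
import os
import tempfile

UUID = "09aab3a8-3df8-474c-a8a9-a4f666f851a0"  # instance ID from the report


def denies(st, uid, gids, need):
    """Owner/group/other check only; need is 4 (read) or 1 (search)."""
    if st.st_uid == uid:
        granted = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        granted = (st.st_mode >> 3) & 7
    else:
        granted = st.st_mode & 7
    return granted & need != need


def first_blocker(target, uid, gids, base="/"):
    """Return the first path below base that uid/gids cannot pass, else None."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    rel = os.path.relpath(target, base)
    path, chain = base, []
    for part in ([] if rel == "." else rel.split(os.sep)):
        path = os.path.join(path, part)
        chain.append(path)
    for directory in chain[:-1]:
        if denies(os.stat(directory), uid, gids, 1):  # search bit on each parent
            return directory
    return target if denies(os.stat(target), uid, gids, 4) else None


def build_tree(root, umask):
    """Constructed sample: create instances/<UUID>/disk under the given umask."""
    old = os.umask(umask)
    try:
        inst = os.path.join(root, "instances", UUID)
        os.makedirs(inst)  # asks for 0o777; the umask trims it
        disk = os.path.join(inst, "disk")
        os.close(os.open(disk, os.O_CREAT | os.O_WRONLY, 0o644))
    finally:
        os.umask(old)
    return disk


if __name__ == "__main__":
    for umask in (0o022, 0o027, 0o007):
        with tempfile.TemporaryDirectory() as root:
            disk = build_tree(root, umask)
            # uid 108 / gid 117 are the ids in the report's error message
            print(oct(umask), first_blocker(disk, 108, {117}, base=root))
```

On a real compute node, call first_blocker() with the instance disk path and the libvirt-qemu uid and group ids, leaving base at "/".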

