
yahoo-eng-team team mailing list archive

[Bug 1609298] Re: libvirt should not require dynamic_ownership off for secure Cinder/Quobyte settings


** Changed in: nova
       Status: Expired => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1609298

Title:
  libvirt should not require dynamic_ownership off for secure
  Cinder/Quobyte settings

Status in OpenStack Compute (nova):
  New

Bug description:
  tl;dr
  When running Quobyte Cinder storage with the nas_secure_file_* settings set to true, libvirt currently has to be configured with dynamic_ownership=0 (off). This is not recommended with Nova.

  Expected results: secure settings in Cinder should work with Nova and an unmodified dynamic_ownership setting in the libvirt config
  Actual results: dynamic_ownership=0 is required in the libvirt config

  More detailed:
  When run with dynamic_ownership=1, libvirt at some point changes the ownership of guest files to root:root. Running Cinder with the Quobyte driver and nas_secure_file_ownership / nas_secure_file_permissions = true conflicts with this: in secure mode the image files belong to the nova/cinder service users (both in a common group) and file permissions are 660 (instead of root:root with mode 666, which is the insecure mode for these Cinder options). Once libvirt changes a file's ownership to root:root, nova/cinder can no longer access that file, which breaks operations such as snapshots.

  A correction proposal was made by Daniel Berrange at https://bugs.launchpad.net/nova/+bug/1597644/comments/22 :
  "[..]If so, a much better approach is to enhance nova so that it can set a <seclabel> element against *just* the quobyte backed disks, that tells libvirt to skip ownership changes for those disks. That way operation of libvirt / QEMU in general will not be affected, thus avoiding nasty side-effects such as this console.log problem.[..]"
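  As an added illustration of the proposal above (not code from nova or from the bug report), the snippet below rewrites a libvirt domain XML so that only disks whose source lies under an assumed Quobyte mount prefix get libvirt's per-device `<seclabel model='dac' relabel='no'/>` under their `<source>`, leaving every other disk under the normal dynamic_ownership handling; it also includes a check that lists Quobyte-backed disks libvirt would still relabel. The mount prefix, the sample domain XML and its paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumed Quobyte mount prefix on the compute host; not taken from the bug report.
QUOBYTE_MOUNT_PREFIX = "/mnt/quobyte/"


def _quobyte_sources(root, mount_prefix):
    """Yield the <source> element of every file-backed disk living under mount_prefix."""
    for disk in root.iter("disk"):
        source = disk.find("source")
        if source is not None and (source.get("file") or "").startswith(mount_prefix):
            yield source


def label_quobyte_disks(domain_xml, mount_prefix=QUOBYTE_MOUNT_PREFIX):
    """Add <seclabel model='dac' relabel='no'/> under the <source> of each
    Quobyte-backed disk so libvirt skips ownership/permission changes for that
    disk only; all other disks keep the default dynamic_ownership behaviour.
    Returns (rewritten_xml, number_of_disks_labelled). Safe to run twice."""
    root = ET.fromstring(domain_xml)
    labelled = 0
    for source in _quobyte_sources(root, mount_prefix):
        if any(s.get("model") == "dac" for s in source.findall("seclabel")):
            continue  # already protected, do not add a duplicate label
        ET.SubElement(source, "seclabel", {"model": "dac", "relabel": "no"})
        labelled += 1
    return ET.tostring(root, encoding="unicode"), labelled


def unprotected_quobyte_disks(domain_xml, mount_prefix=QUOBYTE_MOUNT_PREFIX):
    """Check: paths of Quobyte-backed disks that libvirt would still chown to root:root."""
    root = ET.fromstring(domain_xml)
    return [
        s.get("file")
        for s in _quobyte_sources(root, mount_prefix)
        if not any(x.get("model") == "dac" and x.get("relabel") == "no"
                   for x in s.findall("seclabel"))
    ]


# Constructed sample: one local ephemeral disk and one Quobyte-backed Cinder volume.
SAMPLE_DOMAIN_XML = """<domain type='kvm'><name>instance-00000001</name><devices>
  <disk type='file' device='disk'><driver name='qemu' type='qcow2'/>
    <source file='/var/lib/nova/instances/uuid/disk'/><target dev='vda' bus='virtio'/></disk>
  <disk type='file' device='disk'><driver name='qemu' type='raw' cache='none'/>
    <source file='/mnt/quobyte/vol/volume-1234'/><target dev='vdb' bus='virtio'/></disk>
</devices></domain>"""

if __name__ == "__main__":
    print("before:", unprotected_quobyte_disks(SAMPLE_DOMAIN_XML))
    new_xml, count = label_quobyte_disks(SAMPLE_DOMAIN_XML)
    print("labelled", count, "disk(s); after:", unprotected_quobyte_disks(new_xml))
```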

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1609298/+subscriptions