yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #68874
[Bug 1609298] Re: libvirt should not require dynamic_ownership off for secure Cinder/Quobyte settings
** Changed in: nova
Status: Expired => New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1609298
Title:
libvirt should not require dynamic_ownership off for secure
Cinder/Quobyte settings
Status in OpenStack Compute (nova):
New
Bug description:
tl;dr
When running Quobyte Cinder storage with nas_secure_file_* settings set to true libvirt is currently required to be configured with dynamic_ownership=0 (off). This is not recommended with Nova.
Expected results: secure settings in Cinder should work with Nova and unmodified dynamic_ownership in libvirt config
Actual results: The option in libvirt is required
More detailed:
When run with dynamic_ownership=1 libvirt changes file ownership on guest files to root:root at some point. Running Cinder with the Quobyte driver in nas_secure_file_ownership / nas_secure_file_permissions = true conflicts with this: In secure mode image files belong to the nova/cinder service users (both in a common group) and file permissions are 660 (instead of running root:root/666 as is the insecure mode for these cinder options). When libvirt changes the files ownership to root:root nova/cinder cannot access those files any longer, hurting e.g. snapshots and the like.
A correction proposal was made by Daniel Berrange at https://bugs.launchpad.net/nova/+bug/1597644/comments/22 :
"[..]If so, a much better approach is to enhance nova so that it can set a <seclabel> element against *just* the quobyte backed disks, that tells libvirt to skip ownership changes for those disks. That way operation of libvirt / QEMU in general will not be affect, thus avoiding nasty side-effects such as this console.log problem.[..]"
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1609298/+subscriptions
References