sureshanaparti commented on issue #10029: URL: https://github.com/apache/cloudstack/issues/10029#issuecomment-2639406425
During system VM template registration, mount and unmount of the store are currently done with sudo:

https://github.com/apache/cloudstack/blob/df99a294832692cd90dc2f408b83f76390bf0729/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java#L150
https://github.com/apache/cloudstack/blob/df99a294832692cd90dc2f408b83f76390bf0729/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java#L89

Without sudo, mount fails with the error `error: [mount: only root can use "--types" option]` (to fix this, appropriate permissions would have to be set for the cloud user). So, in a security-hardened system (where umask is set to 0027), when a dir is created with sudo in the setup-sysvm-tmplt script, other cmds (_find, ls, df -P, qemu-img_) run on it without sudo fail.

```
[cloud@mgmt1 ~]$ umask 0027
[cloud@mgmt1 ~]$ sudo mkdir -p /tmp/test/template/tmpl/1/8
[cloud@mgmt1 ~]$ ls -lrt /tmp/test/template/tmpl/1/8
ls: cannot access '/tmp/test/template/tmpl/1/8': Permission denied
[cloud@mgmt1 ~]$ find /tmp/test/template/tmpl/1/8/ -name '*.ova'
find: '/tmp/test/template/tmpl/1/8/': Permission denied
[cloud@mgmt1 ~]$ df -P /tmp/test/template/tmpl/1/8/
df: /tmp/test/template/tmpl/1/8/: Permission denied
[cloud@mgmt1 ~]$ sudo touch /tmp/test/template/tmpl/1/8/test-template.ova
[cloud@mgmt1 ~]$ qemu-img info /tmp/test/template/tmpl/1/8/test-template.ova
qemu-img: Could not open '/tmp/test/template/tmpl/1/8/test-template.ova': Could not open '/tmp/test/template/tmpl/1/8/test-template.ova': Permission denied
```

Either these cmds have to be run with sudo in the script, or the cloudstack service user ('cloud') has to be added to the sudoers list. What is the best fix here? Any other ideas/thoughts, @rajujith @andrijapanicsb @NuxRo @DaanHoogland @rohityadavcloud and others?
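One way to take the umask out of the equation, as an added example that is not part of the issue or of the CloudStack scripts: a POSIX sh helper that creates each path component with an explicit mode (plain `mkdir -p -m MODE` applies the mode only to the last component, so the intermediate directories still end up 0750 under umask 0027), plus a pre-flight check that the service user can read and traverse the directory before `find`, `ls`, `df -P` or `qemu-img` are run on it. The function names, the `0755` mode and the temp paths are assumptions; how the real script handles sudo and ownership of the created tree is out of scope here.

```shell
#!/bin/sh
# Added example, not code from the CloudStack project or the issue author.
# Creates a directory tree with an explicit mode per component so the result
# does not depend on the caller's umask, then checks the current user can
# enter and list it. Assumes GNU coreutils (mkdir -m, stat -c).

# make_service_dir PATH MODE
# Creates every missing component of PATH with MODE. Plain `mkdir -p -m MODE`
# applies MODE only to the last component; intermediate ones get
# umask-derived modes (0750 under umask 0027), which is what locks a
# non-root user out of a tree created with sudo.
make_service_dir() {
    _mode=$2
    _rest=${1#/}
    _acc=""
    [ "$_rest" != "$1" ] && _acc="/"    # absolute path: start at the root
    _oldifs=$IFS
    IFS=/
    for _part in $_rest; do
        IFS=$_oldifs
        [ -n "$_part" ] || continue
        _acc="${_acc}${_part}/"
        [ -d "$_acc" ] || mkdir -m "$_mode" "$_acc" || return 1
    done
    IFS=$_oldifs
    return 0
}

# check_access DIR
# Succeeds only if the current user can read and traverse DIR, i.e. the
# commands the setup script runs on it (find, ls, df -P, qemu-img) will
# not fail with "Permission denied".
check_access() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# dir_mode DIR: prints the octal permission bits of DIR.
dir_mode() {
    stat -c '%a' "$1"
}

# demo: side-by-side comparison under the hardened umask from the issue.
demo() {
    _base=$(mktemp -d)
    (umask 0027; mkdir -p "$_base/plain/tmpl/1/8")
    (umask 0027; make_service_dir "$_base/fixed/tmpl/1/8" 0755)
    printf 'mkdir -p under umask 0027:    %s\n' "$(dir_mode "$_base/plain/tmpl")"
    printf 'make_service_dir under 0027:  %s\n' "$(dir_mode "$_base/fixed/tmpl")"
    rm -rf "$_base"
}
```

Run `demo` to see the two trees side by side (750 versus 755 on the intermediate `tmpl` directory); `check_access` is the test a script can run before calling the unprivileged commands.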
