Re: [libvirt-users] virsh snapshot-create-as: change umask on snapshots

2019-03-22 Thread Mircea Husz

>On Friday, March 22, 2019, 12:36:16 PM CDT, Peter Krempa wrote:
>
>On Wed, Mar 20, 2019 at 15:48:43 -0500, Eric Blake wrote:
>
>> On 3/20/19 1:50 PM, Mircea Husz wrote:
>> > I scripted the creation of snapshots and it works fine. Now I'd like to 
>> > run the script as non-root.
>> > 
>> > virsh snapshot-create-as --domain hq-live-v01 \
>> >      --name snappy \
>> >      --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
>> >      --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
>> >      --disk-only --quiesce --atomic
>> > 
>> > This fragment creates the snapshots, but they get created with mode 0600:
>> > -rw-------  1 qemu qemu     393216 Mar 19 17:08 hq-live-storage.snappy
>> > -rw-------  1 qemu qemu    1048576 Mar 19 17:08 hq-live-v01.snappy
>> > 
>> > The user account is in the libvirt group and has permissions to do 
>> > everything except delete the files created by the snapshot, all I need is 
>> > to get the snapshots created with 0660 mode.
>> > 
>> > This is on a CentOS 7.6 installation.  What knobs do I need to turn to 
>> > control the umask?
>> 
>> I'm not sure if you can force libvirt to create the files with a
>> different mask, but perhaps a workaround would be to pre-create the
>> files yourself with desired permissions, then tell virsh to
>> --reuse-external (so that libvirt no longer has to try and create the
>> files, and thus doesn't mess with permissions).
>
>
>--reuse-external is good only for using a custom-formatted image.
>Libvirt will chown the image to qemu:qemu if you don't disable
>relabelling. This is possible to do via the  even in a
>snapshot  definition.

I created an image as the non-root user and it worked well.
qemu-img create -f qcow2 /path/to/file 1k

>Note that it's not documented yet and also does not conform to the
>schema, but the parser happily parses it and the code uses the correct
> then. I have a not-sufficiently-tested patch that adds the
>schema (and IIRC also docs) which I planned to send after testing.

Yes, I noticed that the snapshot changed the owner back to qemu. 
I just added the user to the qemu group. Good thing it didn't change the mask.

Also, SELinux is disabled on this installation.

Thank you for the helpful information.
-Mike

___
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
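
The workaround discussed in this message (pre-create the overlay with the wanted mode, then pass `--reuse-external`) as an added example; it is not code from any poster or from libvirt. The function names, the `QEMU_IMG` variable, the placeholder backing-image path and the choice to create the overlay with backing-file metadata are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): pre-create an external snapshot overlay
# with mode 0660 so it can be handed to virsh with --reuse-external.
# Assumptions: GNU stat; the function names and QEMU_IMG variable are
# hypothetical; the overlay is created with backing-file metadata.

QEMU_IMG=${QEMU_IMG:-qemu-img}   # overridable so the logic can be exercised without QEMU

# precreate_overlay OVERLAY BACKING BACKING_FMT [GROUP]
precreate_overlay() {
    overlay=$1; backing=$2; fmt=$3; group=${4:-}
    # Never clobber an existing image: it may be part of a live backing chain.
    if [ -e "$overlay" ]; then
        echo "refusing to overwrite existing file: $overlay" >&2
        return 1
    fi
    # Create under umask 077 so the file is never group/world accessible
    # before ownership and mode are set explicitly.
    ( umask 077 && "$QEMU_IMG" create -f qcow2 -b "$backing" -F "$fmt" "$overlay" >/dev/null ) || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$overlay" || return 1
    fi
    chmod 0660 "$overlay"
}

# overlay_mode_ok FILE: succeeds only if the mode is exactly 0660
# (group read/write, no access for others). Run it again after the snapshot
# to confirm the mode was left alone.
overlay_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "660" ]
}

# Typical use, with the domain and paths from the thread and a placeholder
# for the disk's current image:
#   precreate_overlay /var/lib/libvirt/images/hq-live-v01.snappy \
#       /path/to/current-vda-image qcow2 qemu
#   virsh snapshot-create-as --domain hq-live-v01 --name snappy \
#       --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
#       --disk-only --quiesce --atomic --reuse-external
#   overlay_mode_ok /var/lib/libvirt/images/hq-live-v01.snappy
```
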

Re: [libvirt-users] virsh snapshot-create-as: change umask on snapshots

2019-03-22 Thread Peter Krempa
On Wed, Mar 20, 2019 at 15:48:43 -0500, Eric Blake wrote:
> On 3/20/19 1:50 PM, Mircea Husz wrote:
> > I scripted the creation of snapshots and it works fine. Now I'd like to run 
> > the script as non-root.
> > 
> > virsh snapshot-create-as --domain hq-live-v01 \
> >      --name snappy \
> >      --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
> >      --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
> >      --disk-only --quiesce --atomic
> > 
> > This fragment creates the snapshots, but they get created with mode 0600:
> > -rw-------  1 qemu qemu     393216 Mar 19 17:08 hq-live-storage.snappy
> > -rw-------  1 qemu qemu    1048576 Mar 19 17:08 hq-live-v01.snappy
> > 
> > The user account is in the libvirt group and has permissions to do 
> > everything except delete the files created by the snapshot, all I need is 
> > to get the snapshots created with 0660 mode.
> > 
> > This is on a CentOS 7.6 installation.  What knobs do I need to turn to 
> > control the umask?
> 
> I'm not sure if you can force libvirt to create the files with a
> different mask, but perhaps a workaround would be to pre-create the
> files yourself with desired permissions, then tell virsh to
> --reuse-external (so that libvirt no longer has to try and create the
> files, and thus doesn't mess with permissions).

--reuse-external is good only for using a custom-formatted image.
Libvirt will chown the image to qemu:qemu if you don't disable
relabelling. This is possible to do via the  even in a
snapshot  definition.

Note that it's not documented yet and also does not conform to the
schema, but the parser happily parses it and the code uses the correct
 then. I have a not-sufficiently-tested patch that adds the
schema (and IIRC also docs) which I planned to send after testing.

