[Expired for OpenStack Compute (nova) because there has been no activity
for 60 days.]
** Changed in: nova
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1609298
Title:
libvirt should not require dynamic_ownership off for secure
Cinder/Quobyte settings
Status in OpenStack Compute (nova):
Expired
Bug description:
tl;dr
When running Quobyte Cinder storage with nas_secure_file_* settings set to
true, libvirt is currently required to be configured with dynamic_ownership=0
(off). This is not recommended with Nova.
Expected results: secure settings in Cinder should work with Nova and
unmodified dynamic_ownership in libvirt config
Actual results: The option in libvirt is required
More detailed:
When run with dynamic_ownership=1, libvirt changes file ownership on guest
files to root:root at some point. Running Cinder with the Quobyte driver in
nas_secure_file_ownership / nas_secure_file_permissions = true conflicts with
this: in secure mode image files belong to the nova/cinder service users (both
in a common group) and file permissions are 660 (instead of running
root:root/666, as is the insecure mode for these cinder options). When libvirt
changes the files' ownership to root:root, nova/cinder cannot access those files
any longer, hurting e.g. snapshots and the like.
A correction proposal was made by Daniel Berrange at
https://bugs.launchpad.net/nova/+bug/1597644/comments/22 :
"[..]If so, a much better approach is to enhance nova so that it can set a
<seclabel> element against *just* the quobyte backed disks, that tells libvirt
to skip ownership changes for those disks. That way operation of libvirt / QEMU
in general will not be affected, thus avoiding nasty side-effects such as this
console.log problem.[..]"