ussuri libvirt missing access to /var/lib/nova/instances/

Bug #1864922 reported by Corey Bryant
Affects:     nova (Ubuntu)
Status:      Fix Released
Importance:  Undecided
Assigned to: Corey Bryant

Bug Description

focal/ussuri has an updated pkgos-gen-systemd-unit (openstack-pkg-tools) which sets the UMask to 0027, preventing other users from any access to files created by the service. In this case, the nova-compute service creates instance files at run-time that libvirt needs access to.

ussuri:
drwxr-x--- 2 nova nova /var/lib/nova/instances/1726e122-2d91-44c1-939b-dd4638df06ed

train:
drwxr-xr-x 2 nova nova /var/lib/nova/instances/da355106-e7f0-4d23-8b4c-91defbfdd696

It seems like the best solution is to use the default UMask of 0022 for the nova-compute systemd unit file.

Note that nova-common.postinst already sets /var/log/nova permissions to 0750, preventing other users from reading logs, which was the original intent of having pkgos-gen-systemd-unit set UMask to 0027.
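To make the effect of the two UMask values concrete, here is an added shell example (not from the bug report and not Ubuntu's nova packaging). It creates a directory under umask 027 and under 022 in a scratch location, reports the resulting mode, checks whether the "other" class (which is what libvirt-qemu falls into relative to nova:nova) keeps the traverse bit, and writes a systemd drop-in that restores UMask=0022 for a unit. The drop-in helper and its config-root parameter are hypothetical; on a real host the root would be /etc/systemd/system.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Ubuntu's nova packaging.
# Shows why a systemd UMask=0027 yields drwxr-x--- instance directories
# (no access for libvirt-qemu, a different user) while the default 0022
# yields drwxr-xr-x, and how a drop-in overrides a unit's UMask.
# Everything runs against scratch directories, never /var/lib/nova.

# Create a directory under the given umask (e.g. 027) and print its
# octal mode as stat reports it ("750" or "755").
mode_under_umask() {
    um="$1"
    scratch=$(mktemp -d)
    # umask is per-process, so set it in a subshell, much as systemd
    # applies UMask= to the service process it spawns.
    ( umask "$um" && mkdir "$scratch/instance-dir" )
    stat -c '%a' "$scratch/instance-dir"
    rm -rf "$scratch"
}

# Return 0 (true) if the "other" class has the execute/traverse bit in
# an octal mode such as 750 or 755; without it another user cannot
# reach anything inside the directory regardless of file modes.
other_can_traverse() {
    mode="$1"
    last=${mode#"${mode%?}"}      # last octal digit = "other" bits
    [ $(( last & 1 )) -ne 0 ]
}

# Write a systemd drop-in restoring UMask=0022 for a unit.
# $1 = unit name, $2 = config root (assumed /etc/systemd/system on a
# real host; pass a scratch dir to try it safely). Hypothetical helper.
write_umask_dropin() {
    unit="$1"; root="$2"
    dir="$root/$unit.service.d"
    mkdir -p "$dir"
    printf '[Service]\nUMask=0022\n' > "$dir/umask.conf"
    printf '%s\n' "$dir/umask.conf"
}

# Demo: the two values from the report, side by side.
for um in 027 022; do
    m=$(mode_under_umask "$um")
    if other_can_traverse "$m"; then
        verdict="other can traverse"
    else
        verdict="other blocked"
    fi
    echo "umask $um -> mode $m ($verdict)"
done
```

Mode 750 is exactly the drwxr-x--- seen on the ussuri instance directory and 755 the drwxr-xr-x seen on train. After placing a drop-in under /etc/systemd/system, `systemctl daemon-reload` and a restart of the unit are needed for the new UMask to apply.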

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Fixed in nova 2:21.0.0~b2~git2020021008.1fcd74730d-0ubuntu3

Changed in nova (Ubuntu):
assignee: nobody → Corey Bryant (corey.bryant)
Changed in nova (Ubuntu):
status: New → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Access is denied within a tmp dir created during the snapshot attempt:

$ sudo ls -al /var/lib/nova/instances/snapshots/tmpkajuir8o
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 .
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2c849ea4bd6036712c.delta

If I chmod /var/lib/nova/instances/snapshots/tmpkajuir8o to 777 the snapshot is successful.

In that case the user/group of the delta file changes from nova:nova to libvirt-qemu:kvm. So it appears that libvirt-qemu needs access to the tmp directory.

The tmp directory is created at run-time and I'm not yet sure how the permissions are determined. The --x for other seems odd.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The o+x can be explained by nova/virt/libvirt/driver.py:

with utils.tempdir(dir=snapshot_directory) as tmpdir:
    try:
        out_path = os.path.join(tmpdir, snapshot_name)
        if live_snapshot:
            # NOTE(xqueralt): libvirt needs o+x in the tempdir
            os.chmod(tmpdir, 0o701)
            self._live_snapshot(context, instance, guest,
                                disk_path, out_path, source_format,
                                image_format, instance.image_meta)
        else:
            root_disk.snapshot_extract(out_path, image_format)
        LOG.info("Snapshot extracted, beginning image upload",
                 instance=instance)

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I was updating the wrong bug, please ignore comments #2-#4.
