Comment 4 for bug 2004173

Liam Young (gnuoy) wrote : Re: CIS hardening breaks luks volumes created from images

To summarise:
1) /var/lib/cinder/conversion/ is created
drwxr-xr-x 2 cinder cinder 4096 Jan 30 19:22 /var/lib/cinder/conversion/

2) When root has a umask of 027 a temporary file is created in the above directory:
-rw-r----- 1 root root 119508992 Jan 31 10:43 tmpfzmu4__r

3) An "rbd import" is then run to import the above temporary file. This import command is run as cinder and fails as it is unable to read the temporary file.

This can be fixed on a hardened system without changing root's umask by setting the setgid bit on /var/lib/cinder/conversion. Also worth noting that the directory used for conversions is configurable via the cinder configuration option image_conversion_dir.

1) This could be set in the charm. The charm knows what image_conversion_dir is set to and could set the setgid bit on the directory.

2) The permissions could be set via a postinst package script. However the issue would reoccur if the user were to set image_conversion_dir to a non-default location.

3) Patch cinder to set the permissions of the temporary file. I don't know how practical this is since I think it would involve exposing chgrp via rootwrap.

*1 https://docs.openstack.org/cinder/zed/configuration/block-storage/samples/cinder.conf.html
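The following is an added example, not code from the bug report, from cinder or from the charm. It reproduces the failure mode in a scratch directory (a file created under umask 027 comes out as -rw-r----- and keeps the creator's group), applies the proposed fix (setgid on the conversion directory) and runs the check a charm or postinst script could apply to whatever image_conversion_dir is set to. Function names, the scratch paths and the use of the caller's own supplementary group in place of the cinder group are assumptions for the demonstration.

```python
"""Added example (not from the bug report, cinder or the charm): reproduce the
umask-027 temp-file mode from the comment and show why a setgid conversion
directory lets a different user read the file.  Names and paths are assumed."""
import os
import stat
import tempfile


def create_with_umask(path: str, umask: int) -> int:
    """Create `path` under the given umask and return its permission bits.

    With umask 027 and the usual 0666 creation request the result is 0640,
    the `-rw-r-----` temporary file from the bug: group may read, others not.
    """
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def set_setgid(dir_path: str) -> int:
    """Apply the proposed fix (setgid on the directory); return the new mode."""
    mode = stat.S_IMODE(os.stat(dir_path).st_mode)
    os.chmod(dir_path, mode | stat.S_ISGID)
    return stat.S_IMODE(os.stat(dir_path).st_mode)


def new_file_group(dir_path: str, name: str) -> int:
    """Create a file in dir_path and return the gid the kernel assigned it."""
    path = os.path.join(dir_path, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    return os.stat(path).st_gid


def conversion_dir_issues(dir_path: str, expected_gid: int) -> list:
    """Check an image_conversion_dir the way a charm or postinst could.

    Returns human-readable problems; an empty list means files created there
    by any user (root included) land in expected_gid's group and the group
    can reach them, whatever the creator's umask.
    """
    issues = []
    st = os.stat(dir_path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{dir_path} is not a directory"]
    if st.st_gid != expected_gid:
        issues.append(f"group is gid {st.st_gid}, expected {expected_gid}")
    if not st.st_mode & stat.S_ISGID:
        issues.append("setgid bit not set: files created by root keep root's group")
    if not (st.st_mode & stat.S_IRGRP and st.st_mode & stat.S_IXGRP):
        issues.append("group cannot traverse the directory")
    return issues


def demo() -> dict:
    """Run the whole scenario in a scratch directory and return observations."""
    with tempfile.TemporaryDirectory() as scratch:
        conv = os.path.join(scratch, "conversion")
        os.mkdir(conv)
        os.chmod(conv, 0o755)  # drwxr-xr-x, as in the bug report
        # Stand-in for the cinder group: a supplementary group of this process
        # if it has one, so the inheritance is visible; else the primary group.
        others = [g for g in os.getgroups() if g != os.getegid()]
        target_gid = others[0] if others else os.getegid()
        os.chown(conv, -1, target_gid)
        before = conversion_dir_issues(conv, target_gid)
        tmp_mode = create_with_umask(os.path.join(conv, "tmp_before"), 0o027)
        set_setgid(conv)
        after = conversion_dir_issues(conv, target_gid)
        inherits = new_file_group(conv, "tmp_after") == target_gid
        return {"before": before, "after": after,
                "tmp_mode": tmp_mode, "inherits_group": inherits}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if key == 'tmp_mode' else value}")
```

Running the same check against the value of image_conversion_dir from cinder.conf, with expected_gid looked up for the cinder group, covers the non-default-directory case that a fixed postinst path would miss.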