Comment 64 for bug 1896617

Corey Bryant (corey.bryant) wrote (last edit ):

I'm opening this bug back up for upstream nova awareness.

To summarize the issue, I'll recap comment #27 above and add some more details as to what the issue is.

In nova/virt/libvirt/driver.py there is a chmod on a tempdir that is made with the assumption that libvirt is evaluated by the "other users" mode bits.

# NOTE(xqueralt): libvirt needs o+x in the tempdir
os.chmod(tmpdir, 0o701)

In the case of Ubuntu, we need to ensure the nova package remains functional on hardened systems. A big part of the hardening results in zeroing out "other users" mode bits in /var/lib/nova. As a result, we added the libvirt-qemu user to the nova group as it needs access to files/dirs in /var/lib/nova (most files/dirs in /var/lib/nova are owned by nova:nova). The result of adding libvirt-qemu to the nova group is that access to files/dirs by libvirt-qemu is often evaluated by its membership in the nova group. Therefore the 0o701 permissions of the tempdir will deny access to libvirt-qemu.

For example:
$ sudo ls -al /var/lib/nova/instances/snapshots/tmpkajuir8o
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 . # <--- libvirt-qemu denied access as it is in nova group
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2c849ea4bd6036712c.delta

To fix this in Ubuntu, I'm looking to carry the following patch:

+- # NOTE(xqueralt): libvirt needs o+x in the tempdir
+- os.chmod(tmpdir, 0o701)
++ # NOTE(coreycb): libvirt needs g+x in the tempdir
++ st = os.stat(tmpdir)
++ os.chmod(tmpdir, st.st_mode | stat.S_IXGRP)
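Review bot: the last added line uses `stat.S_IXGRP`, but the hunk does not add `import stat`; confirm driver.py already imports the stat module or add the import in the same patch. Also, the replacement only ORs g+x onto the existing mode and no longer sets o+x as `os.chmod(tmpdir, 0o701)` did, so a libvirt-qemu user that is not in the nova group loses traversal of the tempdir; that is the intended behaviour for the hardened Ubuntu layout, but the `NOTE(coreycb)` comment should say that the group membership is now a requirement.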

I don't know what the right answer is upstream. I don't know that a chmod 0o711 makes sense either. If 0x710 made sense for all users/distros we could move to that, but that's hard to assess. For now I'll patch in Ubuntu. I'm planning to do this work in LP: #1967956 to consolidate with similar work.
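The reason 0o701 fails once libvirt-qemu is in the nova group is POSIX access-class selection: the kernel checks exactly one class of mode bits for a process, owner if the uid matches, otherwise group if the file's gid is among the process's groups, otherwise "other". A group member is therefore never evaluated against the "other" bits. The following is an added example, not nova's code or anything from this bug: it models that class selection with constructed uids/gids for nova and libvirt-qemu, and applies the comment's replacement chmod (stat the directory, OR in S_IXGRP) to a real temporary directory to show the resulting mode bits.

```python
import os
import stat
import tempfile

# Constructed ids for the scenario in the comment; not real system values.
NOVA_UID, NOVA_GID = 1001, 1001
LIBVIRT_QEMU_UID, LIBVIRT_QEMU_GID = 1002, 1002


def can_traverse(dir_uid, dir_gid, mode, proc_uid, proc_gids):
    """Return True if a process (proc_uid, proc_gids) may search (x) a directory
    owned by dir_uid:dir_gid with permission bits `mode`.

    POSIX picks exactly one class, in order owner -> group -> other, and checks
    only that class's bits. A member of the directory's group is checked against
    the group bits even when the "other" bits would have allowed access.
    """
    if proc_uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid in proc_gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def libvirt_qemu_can_traverse(mode, in_nova_group):
    """Evaluate traversal of a nova:nova tempdir for the libvirt-qemu user,
    with or without the Ubuntu hardening step of adding it to the nova group."""
    gids = {LIBVIRT_QEMU_GID}
    if in_nova_group:
        gids.add(NOVA_GID)
    return can_traverse(NOVA_UID, NOVA_GID, mode, LIBVIRT_QEMU_UID, gids)


def apply_group_exec(path):
    """The comment's replacement for os.chmod(tmpdir, 0o701): keep whatever mode
    the directory already has and add g+x. Returns the resulting permission bits."""
    st = os.stat(path)
    os.chmod(path, st.st_mode | stat.S_IXGRP)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a tempdir, set the upstream 0o701 mode, then apply the Ubuntu
    change; returns (mode before, mode after) as permission bits."""
    with tempfile.TemporaryDirectory() as tmpdir:
        os.chmod(tmpdir, 0o701)  # upstream nova behaviour
        before = stat.S_IMODE(os.stat(tmpdir).st_mode)
        after = apply_group_exec(tmpdir)
    return before, after


if __name__ == "__main__":
    for mode in (0o701, 0o711, 0o710):
        print(f"mode {mode:o}: libvirt-qemu outside nova group -> "
              f"{libvirt_qemu_can_traverse(mode, False)}, "
              f"inside nova group -> {libvirt_qemu_can_traverse(mode, True)}")
    print("tempdir bits before/after: %o -> %o" % demo())
```

Running it shows that 0o701 only works for libvirt-qemu while it is outside the nova group, that 0o711 and 0o710 work for a group member, and that the ORed chmod turns a 0o701 tempdir into 0o711 on a stock system (on a hardened deployment where the directory started without o+x, the same call yields 0o710).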