Permission issues with NFS-backed volumes and/or backups

Bug #1807760 reported by Alan Bishop
This bug affects 1 person
Affects: Cinder
Status: Fix Released
Importance: Undecided
Assigned to: Alan Bishop
Milestone: (none)

Bug Description

I encountered some minor but irritating bugs when testing NFS-backed storage.

1) Creating a snapshot can fail because RemoteFSSnapDriverBase._write_info_file() doesn't follow the RemoteFSDriver's model of creating files as root, followed by _set_rw_permissions(). Creating the info file will fail unless cinder has regular (non-root) write permission on the NFS share.

2) Deleting a snapshot can fail because RemoteFSSnapDriverBase._delete_snapshot() calls _ensure_share_writable(), which will fail unless cinder has regular (non-root) write permission on the NFS share. The call is completely unnecessary, and appears to be obsolete code that should have already been cleaned up.

3) Deleting or restoring a backup can fail if cinder's group ID changes, which can happen when migrating from bare metal to a containerized service. The backup service assumes all the files it creates have "g+w", and NFSBackupDriver._init_backup_repo_path() tries to ensure this using 'chgrp' and 'chmod'. Unfortunately, it only does this on the top-level directory, and previously created backup files may be inaccessible if cinder's group ID changes.
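
The gap described in item 3, as an added example that is not part of the original report and is not Cinder's code: an audit that lists entries the service group cannot write, and a recursive group/`g+w` repair that refuses to act through symlinks. The function names, the `repo/backups/chunk-0001` layout and the symlink are constructed for illustration.

```python
import os
import stat
import tempfile

def _entries(root):
    """Yield root and everything below it; os.walk does not descend into symlinked dirs."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def audit(root, gid):
    """Return relative paths whose group is not gid or that lack g+w."""
    bad = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # links carry no usable mode; their targets are out of scope
        if st.st_gid != gid or not st.st_mode & stat.S_IWGRP:
            bad.append(os.path.relpath(path, root))
    return sorted(bad)

def fix_one(path, gid):
    """chgrp + chmod g+w on a single entry (the top-level-only behaviour)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return  # never change ownership or mode through a link
    os.chown(path, -1, gid)
    os.chmod(path, stat.S_IMODE(st.st_mode) | stat.S_IWGRP)

def fix_recursive(root, gid):
    """Apply the same repair to every entry under root."""
    for path in _entries(root):
        fix_one(path, gid)

def build_sample():
    """Constructed tree: an old backup without g+w, plus a link pointing outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "repo")
    os.makedirs(os.path.join(root, "backups"))
    outside = os.path.join(base, "outside.txt")
    for f in (os.path.join(root, "backups", "chunk-0001"), outside):
        with open(f, "w") as fh:
            fh.write("x")
        os.chmod(f, 0o600)
    os.chmod(os.path.join(root, "backups"), 0o700)
    os.chmod(root, 0o700)
    os.symlink(outside, os.path.join(root, "link"))
    return root, outside
```

Running `audit()` after `fix_one()` on the repository root alone still reports the nested directory and backup file, which is the state the report describes.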

Changed in cinder:
assignee: nobody → Alan Bishop (alan-bishop)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/624193

Changed in cinder:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/624193
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=1fb342cba89e63d15dde9db2136bdf34b549e559
Submitter: Zuul
Branch: master

commit 1fb342cba89e63d15dde9db2136bdf34b549e559
Author: Alan Bishop <email address hidden>
Date: Mon Dec 10 15:18:56 2018 -0500

    Fix permissions with NFS-backed snapshots and backups

    Fix snapshot issues that occur if cinder does not have regular (non-root)
    write permission on an NFS share. This is done by following the volume
    driver's model of creating files as root, followed by calling
    _set_rw_permissions().

    Fix backup issues that occur if cinder's group ID changes, which can
    happen when migrating from bare metal to a containerized service. If the
    share's group ownership and permission needs to be modified, then do it
    recursively so that previously made backups remain accessible.

    Closes-Bug: #1807760
    Change-Id: I6c20c4825af0a365b6a20fb633c810c2f2fe48b0

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/631856

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/rocky)

Reviewed: https://review.openstack.org/631856
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=95f30ea6edc093d9d29a2197c79a7e0b7427728b
Submitter: Zuul
Branch: stable/rocky

commit 95f30ea6edc093d9d29a2197c79a7e0b7427728b
Author: Alan Bishop <email address hidden>
Date: Mon Dec 10 15:18:56 2018 -0500

    Fix permissions with NFS-backed snapshots and backups

    Fix snapshot issues that occur if cinder does not have regular (non-root)
    write permission on an NFS share. This is done by following the volume
    driver's model of creating files as root, followed by calling
    _set_rw_permissions().

    Fix backup issues that occur if cinder's group ID changes, which can
    happen when migrating from bare metal to a containerized service. If the
    share's group ownership and permission needs to be modified, then do it
    recursively so that previously made backups remain accessible.

    Closes-Bug: #1807760
    Change-Id: I6c20c4825af0a365b6a20fb633c810c2f2fe48b0
    (cherry picked from commit 1fb342cba89e63d15dde9db2136bdf34b549e559)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/634045

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 13.0.3

This issue was fixed in the openstack/cinder 13.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/queens)

Reviewed: https://review.openstack.org/634045
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=33c504888d655fb661895e30568da1fa150f7b26
Submitter: Zuul
Branch: stable/queens

commit 33c504888d655fb661895e30568da1fa150f7b26
Author: Alan Bishop <email address hidden>
Date: Mon Dec 10 15:18:56 2018 -0500

    Fix permissions with NFS-backed snapshots and backups

    Fix snapshot issues that occur if cinder does not have regular (non-root)
    write permission on an NFS share. This is done by following the volume
    driver's model of creating files as root, followed by calling
    _set_rw_permissions().

    Fix backup issues that occur if cinder's group ID changes, which can
    happen when migrating from bare metal to a containerized service. If the
    share's group ownership and permission needs to be modified, then do it
    recursively so that previously made backups remain accessible.

    Closes-Bug: #1807760
    Change-Id: I6c20c4825af0a365b6a20fb633c810c2f2fe48b0
    (cherry picked from commit 1fb342cba89e63d15dde9db2136bdf34b549e559)
    (cherry picked from commit 95f30ea6edc093d9d29a2197c79a7e0b7427728b)
    Conflicts:
     cinder/tests/unit/volume/drivers/test_remotefs.py

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/644949

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 14.0.0.0rc1

This issue was fixed in the openstack/cinder 14.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 12.0.6

This issue was fixed in the openstack/cinder 12.0.6 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/pike)

Reviewed: https://review.openstack.org/644949
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=cef58020bf597a038e6b4573d93e15379aaa19fb
Submitter: Zuul
Branch: stable/pike

commit cef58020bf597a038e6b4573d93e15379aaa19fb
Author: Alan Bishop <email address hidden>
Date: Mon Dec 10 15:18:56 2018 -0500

    Fix permissions with NFS-backed snapshots and backups

    Fix snapshot issues that occur if cinder does not have regular (non-root)
    write permission on an NFS share. This is done by following the volume
    driver's model of creating files as root, followed by calling
    _set_rw_permissions().

    Fix backup issues that occur if cinder's group ID changes, which can
    happen when migrating from bare metal to a containerized service. If the
    share's group ownership and permission needs to be modified, then do it
    recursively so that previously made backups remain accessible.

    Closes-Bug: #1807760
    Change-Id: I6c20c4825af0a365b6a20fb633c810c2f2fe48b0
    (cherry picked from commit 1fb342cba89e63d15dde9db2136bdf34b549e559)
    (cherry picked from commit 95f30ea6edc093d9d29a2197c79a7e0b7427728b)
    Conflicts:
     cinder/tests/unit/volume/drivers/test_remotefs.py
    (cherry picked from commit 33c504888d655fb661895e30568da1fa150f7b26)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 11.2.2

This issue was fixed in the openstack/cinder 11.2.2 release.
