move to privsep broke nas_secure_file_* options for Quobyte driver

Bug #1818504 reported by Silvan Kaiser on 2019-03-04
This bug affects 1 person
Affects: Cinder
Importance: Undecided
Assigned to: Silvan Kaiser

Bug Description

In change [1] file operations in the remotefs driver were moved to privsep, slightly changing the behaviour in the image and info file creation process.
Prior to the change the files were created through the driver by the user specified by the current driver config (run_as_root=self._execute_as_root). After the change all files are created by root.
The issue arises when the driver creates a new image or info file as user root (privsep) and afterwards tries to run a chmod command to set the permissions. The chmod command is run by the configured service user (e.g. 'cinder' if nas_secure_file_operations is set to true). This results in a permission denied error, example:

Mar 04 09:22:37 manualcinderci cinder-volume[7677]: Command: chmod 660 /opt/stack/data/cinder/mnt/a1e3635ffba9fce1b854369f1a255d7b/volume-9e0a9832-0aed-4122-b1b2-75cb8b63d192.info
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: Exit code: 1
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: Stdout: u''
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: Stderr: u"chmod: changing permissions of '/opt/stack/data/cinder/mnt/a1e3635ffba9fce1b854369f1a255d7b/volume-9e0a9832-0aed-4122-b1b2-75cb8b63d192.info': Operation not permitted\n"
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server Traceback (most recent call last):
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/server.py", line 166, in _process_incoming
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server res = self.dispatcher.dispatch(message)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 265, in dispatch
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server return self._do_dispatch(endpoint, method, ctxt, args)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 194, in _do_dispatch
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server result = func(ctxt, **new_args)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "</usr/local/lib/python2.7/dist-packages/decorator.pyc:decorator-gen-677>", line 2, in create_snapshot
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/objects/cleanable.py", line 208, in wrapper
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server result = f(*args, **kwargs)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/manager.py", line 1155, in create_snapshot
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server snapshot.save()
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server self.force_reraise()
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server six.reraise(self.type_, self.value, self.tb)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/manager.py", line 1147, in create_snapshot
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server model_update = self.driver.create_snapshot(snapshot)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py", line 328, in inner
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server return f(*args, **kwargs)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/drivers/quobyte.py", line 488, in create_snapshot
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server return self._create_snapshot(snapshot)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/drivers/remotefs.py", line 1457, in _create_snapshot
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server self._write_info_file(info_path, snap_info)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/drivers/remotefs.py", line 757, in _write_info_file
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server self._set_rw_permissions(info_path)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/volume/drivers/remotefs.py", line 424, in _set_rw_permissions
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server run_as_root=self._execute_as_root)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/opt/stack/cinder/cinder/utils.py", line 128, in execute
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server return processutils.execute(*cmd, **kwargs)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server File "/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py", line 424, in execute
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server cmd=sanitized_cmd)
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server ProcessExecutionError: Unexpected error while running command.
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server Command: chmod 660 /opt/stack/data/cinder/mnt/a1e3635ffba9fce1b854369f1a255d7b/volume-9e0a9832-0aed-4122-b1b2-75cb8b63d192.info
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server Exit code: 1
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server Stdout: u''
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server Stderr: u"chmod: changing permissions of '/opt/stack/data/cinder/mnt/a1e3635ffba9fce1b854369f1a255d7b/volume-9e0a9832-0aed-4122-b1b2-75cb8b63d192.info': O
Mar 04 09:22:37 manualcinderci cinder-volume[7677]: ERROR oslo_messaging.rpc.server

We need to ensure that the file is set to the required owner and permissions without running into permission denied issues.

[1] https://review.openstack.org/#/c/630244/
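
An added example, not part of the original report and not Cinder's code: it shows the ownership rule behind the `Operation not permitted` error above, and one way to avoid a cross-user chmod by setting the mode on the file descriptor in the same privilege context that creates the file. The function names, the sample file name and the second uid are assumptions made for illustration.

```python
import os
import stat
import tempfile


def create_with_mode(path, data, mode=0o660):
    """Create (or rewrite) path and set its mode in the creating context."""
    # O_NOFOLLOW: do not write through a symlink planted at the target path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        # The mode passed to os.open is masked by the umask, so set the
        # bits explicitly on the descriptor we already hold. No second
        # process running as a different user has to chmod the path later.
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)


def chmod_allowed(path, euid):
    """Simplified chmod(2) rule: the caller must own the file or be root.

    (On Linux the privileged case is really CAP_FOWNER; uid 0 stands in
    for it here.)
    """
    return euid == 0 or os.stat(path).st_uid == euid


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file name, shaped like the .info file in the log.
        path = os.path.join(tmp, "volume-example.info")
        create_with_mode(path, b"{}")
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        # The creating user may change the mode ...
        owner_ok = chmod_allowed(path, st.st_uid)
        # ... but a different unprivileged uid (constructed) may not, which
        # is the situation of the service user and a root-created file.
        other_ok = chmod_allowed(path, st.st_uid + 1)
        return mode, owner_ok, other_ok


if __name__ == "__main__":
    print(demo())
```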

Silvan Kaiser (2-silvan) on 2019-03-04
Changed in cinder:
assignee: nobody → Silvan Kaiser (2-silvan)

Fix proposed to branch: master
Review: https://review.openstack.org/641277

Changed in cinder:
status: New → In Progress

Related fix proposed to branch: master
Review: https://review.openstack.org/641414

Change abandoned by Silvan Kaiser (<email address hidden>) on branch: master
Review: https://review.openstack.org/641277
Reason: @Eric: Reverts are fine with me, thanks for the reverts

Reviewed: https://review.openstack.org/641413
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=f5a733c084dfb3d5db2f8184ad8692b67f3f5092
Submitter: Zuul
Branch: master

commit f5a733c084dfb3d5db2f8184ad8692b67f3f5092
Author: Eric Harney <email address hidden>
Date: Wed Mar 6 10:07:04 2019 -0500

    Revert "Use native python truncate for privsep"

    This reverts commit 2e292ddeb4148e12b8972fa0a25c03ab4c5e61a8.

    Related-Bug: #1818504
    Change-Id: I3df664d16ed8af4471619904c8af9e3427891ac4

Reviewed: https://review.openstack.org/641414
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=ade7d89c2e9eb317f93c128a0b7bf09fd945c960
Submitter: Zuul
Branch: master

commit ade7d89c2e9eb317f93c128a0b7bf09fd945c960
Author: Eric Harney <email address hidden>
Date: Wed Mar 6 10:07:16 2019 -0500

    Revert "Remove truncate from rootwrap filters"

    This reverts commit a62c9dfdd41ab0be8bedd99ca39b82701d73ef4f.

    This did not account for cases where truncate is
    called w/o elevated privileges.

    Related-Bug: #1818504
    Change-Id: I3cb85be854e68fda525cfebe254ce7c85d8e3d37
