nas_secure_file_permissions not followed for NFS snapshots

Bug #1882603 reported by Marc Methot
This bug affects 1 person
Affects: Cinder
Status: In Progress
Importance: Undecided
Assigned to: Marc Methot

Bug Description

NFS snapshots copy forces permissions '666'.

When creating a snapshot the permissions are applied adequately; however, this is not the case when creating an instance from snapshot.

This is due to the use of `_set_rw_permissions_for_all`

./cinder/volume/drivers/nfs.py
~~~
    def _copy_volume_from_snapshot(self, snapshot, volume, volume_size):
        """Copy data from snapshot to destination volume.

        This is done with a qemu-img convert to raw/qcow2 from the snapshot
        qcow2.
        """

        LOG.debug("Copying snapshot: %(snap)s -> volume: %(vol)s, "
                  "volume_size: %(size)s GB",
                  {'snap': snapshot.id,
                   'vol': volume.id,
                   'size': volume_size})

        info_path = self._local_path_volume_info(snapshot.volume)
        snap_info = self._read_info_file(info_path)
        vol_path = self._local_volume_dir(snapshot.volume)
        forward_file = snap_info[snapshot.id]
        forward_path = os.path.join(vol_path, forward_file)

        # Find the file which backs this file, which represents the point
        # when this snapshot was created.
        img_info = self._qemu_img_info(forward_path, snapshot.volume.name)
        path_to_snap_img = os.path.join(vol_path, img_info.backing_file)

        path_to_new_vol = self._local_path_volume(volume)

        LOG.debug("will copy from snapshot at %s", path_to_snap_img)

        if self.configuration.nfs_qcow2_volumes:
            out_format = 'qcow2'
        else:
            out_format = 'raw'

        image_utils.convert_image(path_to_snap_img,
                                  path_to_new_vol,
                                  out_format,
                                  run_as_root=self._execute_as_root)

        self._set_rw_permissions_for_all(path_to_new_vol)
~~~

This function:
~~~
    def _set_rw_permissions_for_all(self, path):
        """Sets 666 permissions for the path."""
        self._execute('chmod', 'ugo+rw', path,
                      run_as_root=self._execute_as_root)
~~~
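
The effect described in this report, reproduced on a temporary directory as an added example (not Cinder's code and not part of the original report). The helper names, the constructed file names, and the choice of `660` as the secure mode are assumptions made for illustration; the audit function shows how an operator could spot volume files left readable or writable by "other" on a share.

```python
import os
import stat
import tempfile

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH  # o+r and o+w


def set_rw_for_all(path):
    """Same effect as `chmod ugo+rw`: adds rw for user, group and other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | 0o666)


def set_rw_permissions(path, secure):
    """Hypothetical variant that honours a secure-permissions setting.

    Assumption: secure mode means 660 (owner and group only).
    """
    if secure:
        os.chmod(path, 0o660)
    else:
        set_rw_for_all(path)


def world_accessible(directory):
    """Return sorted names of regular files readable or writable by 'other'."""
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & WORLD_BITS:
                hits.append(entry.name)
    return sorted(hits)


def demo():
    """Create two constructed volume files and compare both code paths."""
    with tempfile.TemporaryDirectory() as share:
        modes = {}
        cases = (("volume-from-snap", set_rw_for_all),
                 ("volume-secure", lambda p: set_rw_permissions(p, True)))
        for name, apply_mode in cases:
            path = os.path.join(share, name)
            with open(path, "wb") as f:
                f.write(b"\0" * 16)
            os.chmod(path, 0o600)  # start from a private file
            apply_mode(path)
            modes[name] = oct(stat.S_IMODE(os.stat(path).st_mode))
        return modes, world_accessible(share)
```
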

Marc Methot (mb-methot)
Changed in cinder:
assignee: nobody → Marc Methot (mb-methot)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/734343

Changed in cinder:
status: New → In Progress