libguestfs doesn't work on Ubuntu without root permissions

Bug #1467579 reported by Pavel Kholkin on 2015-06-22
46
This bug affects 10 people
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Medium
Alexei Sheplyakov
8.0.x
Medium
MOS Ceph
Mitaka
Medium
Unassigned

Bug Description

Environment: rc1 6.1, ubuntu, 1 compute, 1 controller, neutron, cinder, qemu.

Steps to reproduce:

1) Install extra packages on compute:

root@node-2:~# dpkg --list | grep guestfs
ii libguestfs-perl 1:1.24.5-1 amd64
ii libguestfs-tools 1:1.24.5-1 amd64
ii libguestfs0:amd64 1:1.24.5-1 amd64
ii python-guestfs 1:1.24.5-1 amd64

2) execute:

update-guestfs-appliance

3) start nova-compute as root user and boot vm

http://xsnippet.org/360774/raw/

4) start nova-compute as nova user and boot vm

http://xsnippet.org/360775/raw/

Expected result:

In cases 3 and 4: correct boot with mounted filesystem

Actual result:

In case 3: correct boot with mounted filesystem
In case 4: incorrect boot with unmounted filesystem with this error:

/usr/bin/supermin-helper: open: /boot/vmlinuz-3.13.0-55-generic: Permission denied
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /var/tmp/guestfs.oe27yI
libguestfs: trace: launch = -1 (error)
2015-06-22 14:09:39.693 12311 DEBUG nova.virt.disk.api [-] Unable to mount image /var/lib/nova/instances/ddbf39b0-1fec-4750-aeef-bbd7bd32da2b/disk with error libguestfs installed but not usable (/usr/bin/supermin-helper exited with error status 1, see debug messages above). Cannot resize. is_image_partitionless /usr/lib/python2.7/dist-packages/nova/virt/disk/api.py:218

Related bug: "The kernel is no longer readable by non-root users"

 Ubuntu
We don't have a full time Ubuntu maintainer, and the packages supplied by Canonical (which are outside our control) are sometimes broken.

Canonical decided to change the permissions on the kernel so that it's not readable except by root.

http://manpages.ubuntu.com/manpages/trusty/man1/guestfs-faq.1.html

Pavel Kholkin (pkholkin) on 2015-06-22
Changed in fuel:
assignee: nobody → MOS Linux (mos-linux)
importance: Undecided → Medium
description: updated
summary: - Libguestfs doesn't work on ubuntu without root rights
+ libguestfs doesn't work on Ubuntu without root permissions
Alexei Sheplyakov (asheplyakov) wrote :

> /usr/bin/supermin-helper: open: /boot/vmlinuz-3.13.0-55-generic: Permission denied

That's a feature

$ ls -la /boot/vmlinuz-3.13.0-55-generic
-rw------- 1 root root 5821888 Jun 14 22:28 /boot/vmlinuz-3.13.0-55-generic

Unreadable kernel image blocks the class of attacks carried out by script kiddies and automated systems that expect
to be able to look up symbols locally and make exploits totally portable to all kernel versions.

Roman Podoliaka (rpodolyaka) wrote :

@Alexei, could you please give any advice on how to use libguestfs in this case?

I'm totally fine with giving up on file injection support, but libguestfs can still be useful for e.g. resize operations. Recently, we ran into a weird problem with resize done on a compute node, which kept the node unavailable for like 15 minutes - http://paste.openstack.org/show/298978/

Richard Jones (rjones-redhat) wrote :

Comment 1 is bogus. The same kernel is available on multiple Ubuntu mirrors worldwide.

http://packages.ubuntu.com/precise/linux-image-3.13.0-55-generic

It only protects you against a script kiddie who is unable to use a web browser.

I agree that it is bogus, but it was an upstream's decision unfortunately.

We will think of some workaround.

Changed in fuel:
status: New → Confirmed
milestone: none → 7.0
narasimha18sv (narasimha18sv) wrote :

I have installed openstack manually getting the same issue unable boot a vm.

Changed in fuel:
assignee: MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov)
Salman (salman-toor-d) wrote :

Hi,

While googling I end-up on this thread. Not sure but it seems like I have similar problem but on CentOS 7.1

Advance apologies if shouldn't post my stuff here ....

I have upgraded my system from Juno to Kilo but Nova-Compute refuses to start instances

OS = CentOS Linux release 7.1.1503 (Core)
Kernel = 3.10.0-229.7.2.el7.x86_64
Nova nova = 2.23.0

[root@sm2: ~] # rpm -qa|grep libguestfs
libguestfs-tools-1.28.1-1.18.el7.noarch
libguestfs-gobject-1.28.1-1.18.el7.x86_64
libguestfs-java-devel-1.28.1-1.18.el7.x86_64
libguestfs-rsync-1.28.1-1.18.el7.x86_64
libguestfs-gobject-devel-1.28.1-1.18.el7.x86_64
libguestfs-man-pages-uk-1.28.1-1.18.el7.noarch
libguestfs-1.28.1-1.18.el7.x86_64
libguestfs-tools-c-1.28.1-1.18.el7.x86_64
libguestfs-java-1.28.1-1.18.el7.x86_64
libguestfs-bash-completion-1.28.1-1.18.el7.noarch
libguestfs-man-pages-ja-1.28.1-1.18.el7.noarch
libguestfs-gobject-doc-1.28.1-1.18.el7.noarch
libguestfs-xfs-1.28.1-1.18.el7.x86_64
libguestfs-rescue-1.28.1-1.18.el7.x86_64
libguestfs-gfs2-1.28.1-1.18.el7.x86_64
python-libguestfs-1.28.1-1.18.el7.x86_64
libguestfs-javadoc-1.28.1-1.18.el7.noarch
libguestfs-devel-1.28.1-1.18.el7.x86_64
[root@sm2: ~] # rpm -qa|grep libguestfs-tools
libguestfs-tools-1.28.1-1.18.el7.noarch
libguestfs-tools-c-1.28.1-1.18.el7.x86_64

Error:
2015-08-13 23:00:27.141 1344 WARNING nova.virt.disk.api [req-109f4384-c948-472f-a541-3406ddec21c6 - - - - -] Unable to mount image /var/lib/nova/instances/438949ef-d434-43de-8a5e-290e06f85353/disk with error libguestfs installed but not usable (/usr/libexec/qemu-kvm exited with error status 1.

Instances just stuck in SPAWNING.

Any suggestion how to proceed further?

Regards..
Salman.

Igor Shishkin (teran) on 2015-10-08
Changed in fuel:
milestone: 7.0 → 8.0
Dmitry Pyzhov (dpyzhov) on 2015-10-21
tags: added: mos-linux
Dmitry Pyzhov (dpyzhov) on 2015-10-27
tags: added: area-mos
Roman Podoliaka (rpodolyaka) wrote :

We no longer fix Medium bugs in 8.0, closing as Won't Fix

tags: added: area-linux
removed: area-mos mos-linux
Alexei Sheplyakov (asheplyakov) wrote :

Making the kernel image world-readable is a matter of a simple command:

# dpkg-statoverride --update --add root root 0644 /boot/vmlinuz-`uname -r`

Also one can drop the following shell script into /etc/kernel/postinst.d so the above command will be automatically
invoked for every linux-image-* package after the installation:

#/bin/sh
set -e
version="$1"
if [ -z "$version" ]; then
    exit 0
fi
exec dpkg-statoverride --update --add root root 0644 "/boot/vmlinuz-${version}"

However making the kernel image world readable by default is not such a nice idea for it defeats the hardening
(against silly/simple exploits) implemented by distro.

Last but not least the bug does not affect the product (MOS), hence I'm marking it as Invalid

Changed in fuel:
status: Confirmed → Invalid

Reviewed: https://review.openstack.org/322132
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c50f169c7514f9d1cc51b3605d90b33a3ceb6abd
Submitter: Jenkins
Branch: master

commit c50f169c7514f9d1cc51b3605d90b33a3ceb6abd
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300

    nova: configure file injection by the means of config drive

    We've seen a number of problems with qemu-nbd (from files not being
    injected randomly to kernel panics), and while libguestfs is a
    better solution here it does not work out of box on Ubuntu. Neither
    of these can be used for file injection when instance ephemeral
    drives are stored in Ceph.

    Disabling of file injection in Nova libvirt drive allows us to unify
    the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
    In this case file injection ban still be performed by the means of
    config drive + cloud-init within images.

    Upstream Nova / Devstack explicitly disabled file injection in favor
    of using config drives in:

    9ce99a44cf85e431227536e2251ef05b52e61524

    and

    I2388ef0df12a6289b619bfaf30cb952fcc48ef41

    Closes-Bug: #1467860
    Closes-Bug: #1556819
    Related-Bug: #1467579
    Related-Bug: #1493767

    Change-Id: Ie46aa3f48d62b7500a7e326348b35573b3262641

Reviewed: https://review.openstack.org/322434
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=4418fba67d370cc5be7f40bd77776cde2d69828b
Submitter: Jenkins
Branch: stable/mitaka

commit 4418fba67d370cc5be7f40bd77776cde2d69828b
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300

    nova: configure file injection by the means of config drive

    We've seen a number of problems with qemu-nbd (from files not being
    injected randomly to kernel panics), and while libguestfs is a
    better solution here it does not work out of box on Ubuntu. Neither
    of these can be used for file injection when instance ephemeral
    drives are stored in Ceph.

    Disabling of file injection in Nova libvirt drive allows us to unify
    the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
    In this case file injection can still be performed by the means of
    config drive + cloud-init within images.

    Upstream Nova / Devstack explicitly disabled file injection in favor
    of using config drives in:

    9ce99a44cf85e431227536e2251ef05b52e61524

    and

    I2388ef0df12a6289b619bfaf30cb952fcc48ef41

    DocImpact

    File injection is no longer performed on the compute node because it's
    slow and error-prone. Instead files to be injected are placed on a
    config drive, which is automatically created for every instance. It's up
    to cloud-init or a similar mechanism within the image itself to perform
    injection on instance boot.

    Closes-Bug: #1467860
    Closes-Bug: #1556819
    Related-Bug: #1467579
    Related-Bug: #1493767

    Change-Id: Ie46aa3f48d62b7500a7e326348b35573b3262641

tags: added: in-stable-mitaka
xujunjie (xujunjielxx) wrote :

the same question happen to me,I run "chmod 755 /boot/vmlinuz*" to solve it;

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers