libguestfs doesn't work on Ubuntu without root permissions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | | Medium | Alexei Sheplyakov | |
| 8.0.x | | Medium | MOS Ceph | |
| Mitaka | | Medium | Unassigned | |
Bug Description
Environment: rc1 6.1, ubuntu, 1 compute, 1 controller, neutron, cinder, qemu.
Steps to reproduce:
1) Install extra packages on compute:
root@node-2:~# dpkg --list | grep guestfs
ii libguestfs-perl 1:1.24.5-1 amd64
ii libguestfs-tools 1:1.24.5-1 amd64
ii libguestfs0:amd64 1:1.24.5-1 amd64
ii python-guestfs 1:1.24.5-1 amd64
2) execute:
update-
3) start nova-compute as root user and boot vm
http://
4) start nova-compute as nova user and boot vm
http://
Expected result:
In cases 3 and 4: correct boot with mounted filesystem
Actual result:
In case 3: correct boot with mounted filesystem
In case 4: incorrect boot with unmounted filesystem with this error:
/usr/bin/
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /var/tmp/
libguestfs: trace: launch = -1 (error)
2015-06-22 14:09:39.693 12311 DEBUG nova.virt.disk.api [-] Unable to mount image /var/lib/
Related bug: "The kernel is no longer readable by non-root users"
Ubuntu
We don't have a full time Ubuntu maintainer, and the packages supplied by Canonical (which are outside our control) are sometimes broken.
Canonical decided to change the permissions on the kernel so that it's not readable except by root.
http://
Changed in fuel: | |
assignee: | nobody → MOS Linux (mos-linux) |
importance: | Undecided → Medium |
description: | updated |
summary: |
- Libguestfs doesn't work on ubuntu without root rights
+ libguestfs doesn't work on Ubuntu without root permissions |
Alexei Sheplyakov (asheplyakov) wrote : | #1 |
Roman Podoliaka (rpodolyaka) wrote : | #2 |
@Alexei, could you please give any advice on how to use libguestfs in this case?
I'm totally fine with giving up on file injection support, but libguestfs can still be useful for e.g. resize operations. Recently, we ran into a weird problem with resize done on a compute node, which kept the node unavailable for like 15 minutes - http://
Richard Jones (rjones-redhat) wrote : | #3 |
Comment 1 is bogus. The same kernel is available on multiple Ubuntu mirrors worldwide.
http://
It only protects you against a script kiddie who is unable to use a web browser.
I agree that it is bogus, but it was an upstream's decision unfortunately.
We will think of some workaround.
Changed in fuel: | |
status: | New → Confirmed |
milestone: | none → 7.0 |
narasimha18sv (narasimha18sv) wrote : | #5 |
I have installed OpenStack manually and am getting the same issue: unable to boot a VM.
Changed in fuel: | |
assignee: | MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov) |
Salman (salman-toor-d) wrote : | #6 |
Hi,
While googling I ended up on this thread. Not sure, but it seems like I have a similar problem, only on CentOS 7.1.
Advance apologies if I shouldn't post my stuff here ....
I have upgraded my system from Juno to Kilo but Nova-Compute refuses to start instances
OS = CentOS Linux release 7.1.1503 (Core)
Kernel = 3.10.0-
Nova nova = 2.23.0
[root@sm2: ~] # rpm -qa|grep libguestfs
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
libguestfs-
python-
libguestfs-
libguestfs-
[root@sm2: ~] # rpm -qa|grep libguestfs-tools
libguestfs-
libguestfs-
Error:
2015-08-13 23:00:27.141 1344 WARNING nova.virt.disk.api [req-109f4384-
Instances just stuck in SPAWNING.
Any suggestion how to proceed further?
Regards..
Salman.
Richard Jones (rjones-redhat) wrote : | #7 |
Changed in fuel: | |
milestone: | 7.0 → 8.0 |
tags: | added: mos-linux |
tags: | added: area-mos |
Roman Podoliaka (rpodolyaka) wrote : | #8 |
We no longer fix Medium bugs in 8.0, closing as Won't Fix
tags: |
added: area-linux removed: area-mos mos-linux |
Alexei Sheplyakov (asheplyakov) wrote : | #9 |
Making the kernel image world-readable is a matter of a simple command:
# dpkg-statoverride --update --add root root 0644 /boot/vmlinuz-
Also, one can drop the following shell script into /etc/kernel/ (it is invoked for every linux-image-* package after installation):
#!/bin/sh
# kernel post-install hook: the kernel version is passed as the first argument
set -e
version="$1"
if [ -z "$version" ]; then
exit 0
fi
# register a permanent permission override for the freshly installed kernel image
exec dpkg-statoverride --update --add root root 0644 "/boot/
However, making the kernel image world-readable by default is not such a nice idea, for it defeats the hardening
(against silly/simple exploits) implemented by the distro.
Last but not least, the bug does not affect the product (MOS), hence I'm marking it as Invalid.
Changed in fuel: | |
status: | Confirmed → Invalid |
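A preflight check a deployer could run before starting nova-compute as the nova user, added here as an example (it is not code from the bug thread, from Fuel or from libguestfs): it reproduces the kernel's read-permission decision for the service account, and when the image is unreadable it prints the dpkg-statoverride command from comment #9 narrowed to group read for the service account's group instead of 0644 for everyone. It assumes GNU stat and id(1) and a user named nova, as in the bug.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Fuel): answer "could the nova
# service account read this kernel image?" before starting nova-compute, and print
# a narrower dpkg-statoverride fix (group read, not world read) when it cannot.
set -u

# can_read MODE OWNER_UID OWNER_GID UID GIDS
# Plain Unix permission arithmetic: succeeds if a process with uid UID and group
# ids GIDS (space separated) may read a file of octal MODE owned by OWNER_UID:OWNER_GID.
# Root always may; for the owner only the owner bits count, exactly as the kernel does it.
can_read() {
    mode=$1 fuid=$2 fgid=$3 uid=$4 gids=$5
    [ "$uid" -eq 0 ] && return 0
    case $mode in ?) mode=00$mode ;; ??) mode=0$mode ;; esac
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    bit=$o
    if [ "$uid" -eq "$fuid" ]; then
        bit=$u
    else
        for gid in $gids; do
            [ "$gid" -eq "$fgid" ] && { bit=$g; break; }
        done
    fi
    [ $((bit & 4)) -ne 0 ]
}

# check_kernel_for_user USER [KERNEL]
# Resolves USER's ids with id(1), stats KERNEL (default: the running kernel) and
# reports. Returns 0 if readable, 1 if not, 2 if the user or the file is missing.
check_kernel_for_user() {
    user=$1
    kernel=${2:-/boot/vmlinuz-$(uname -r)}
    [ -f "$kernel" ] || { echo "no such kernel image: $kernel" >&2; return 2; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    gids=$(id -G "$user")
    grp=$(id -gn "$user")
    set -- $(stat -c '%a %u %g' "$kernel")    # GNU stat: mode owner-uid owner-gid
    if can_read "$1" "$2" "$3" "$uid" "$gids"; then
        echo "$kernel: readable by $user (mode $1); the libguestfs appliance can be built"
        return 0
    fi
    echo "$kernel: NOT readable by $user (mode $1, owner $2:$3)"
    echo "narrower fix than 0644 for everyone, group $grp only:"
    echo "  dpkg-statoverride --update --add root $grp 0640 $kernel"
    return 1
}

# Usage: sh check-kernel.sh nova   (no argument: nothing runs, so the file can be sourced)
if [ $# -gt 0 ]; then check_kernel_for_user "$@"; fi
```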
Related fix proposed to branch: master
Review: https:/
Related fix proposed to branch: stable/mitaka
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit c50f169c7514f9d
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300
nova: configure file injection by the means of config drive
We've seen a number of problems with qemu-nbd (from files not being
injected randomly to kernel panics), and while libguestfs is a
better solution here it does not work out of box on Ubuntu. Neither
of these can be used for file injection when instance ephemeral
drives are stored in Ceph.
Disabling of file injection in Nova libvirt driver allows us to unify
the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
In this case file injection can still be performed by the means of
config drive + cloud-init within images.
Upstream Nova / Devstack explicitly disabled file injection in favor
of using config drives in:
9ce99a44cf8
and
I2388ef0df1
Closes-Bug: #1467860
Closes-Bug: #1556819
Related-Bug: #1467579
Related-Bug: #1493767
Change-Id: Ie46aa3f48d62b7
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/mitaka
commit 4418fba67d370cc
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300
nova: configure file injection by the means of config drive
We've seen a number of problems with qemu-nbd (from files not being
injected randomly to kernel panics), and while libguestfs is a
better solution here it does not work out of box on Ubuntu. Neither
of these can be used for file injection when instance ephemeral
drives are stored in Ceph.
Disabling of file injection in Nova libvirt driver allows us to unify
the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
In this case file injection can still be performed by the means of
config drive + cloud-init within images.
Upstream Nova / Devstack explicitly disabled file injection in favor
of using config drives in:
9ce99a44cf8
and
I2388ef0df1
DocImpact
File injection is no longer performed on the compute node because it's
slow and error-prone. Instead files to be injected are placed on a
config drive, which is automatically created for every instance. It's up
to cloud-init or a similar mechanism within the image itself to perform
injection on instance boot.
Closes-Bug: #1467860
Closes-Bug: #1556819
Related-Bug: #1467579
Related-Bug: #1493767
Change-Id: Ie46aa3f48d62b7
tags: | added: in-stable-mitaka |
xujunjie (xujunjielxx) wrote : | #14 |
The same problem happened to me; I ran "chmod 755 /boot/vmlinuz*" to solve it.
Thiago Martins (martinx) wrote : | #15 |
Ubuntu MUST fix BUG: 759725! Damn...
> /usr/bin/supermin-helper: open: /boot/vmlinuz-3.13.0-55-generic: Permission denied
That's a feature
$ ls -la /boot/vmlinuz-3.13.0-55-generic
-rw------- 1 root root 5821888 Jun 14 22:28 /boot/vmlinuz-
Unreadable kernel image blocks the class of attacks carried out by script kiddies and automated systems that expect
to be able to look up symbols locally and make exploits totally portable to all kernel versions.