Fuel for OpenStack

libguestfs doesn't work on Ubuntu without root permissions

Bug #1467579 reported by Pavel Kholkin on 2015-06-22

This bug affects 10 people

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Invalid	Medium	Alexei Sheplyakov	Fuel for OpenStack 10.0
8.0.x	Won't Fix	Medium	MOS Ceph	Fuel for OpenStack 8.0
Mitaka	Won't Fix	Medium	Unassigned	Fuel for OpenStack 10.0

Bug Description

Environment: rc1 6.1, ubuntu, 1 compute, 1 controller, neutron, cinder, qemu.

Steps to reproduce:

1) Install extra packages on compute:

root@node-2:~# dpkg --list | grep guestfs
ii libguestfs-perl 1:1.24.5-1 amd64
ii libguestfs-tools 1:1.24.5-1 amd64
ii libguestfs0:amd64 1:1.24.5-1 amd64
ii python-guestfs 1:1.24.5-1 amd64

2) execute:

update-guestfs-appliance

3) start nova-compute as root user and boot vm

http://xsnippet.org/360774/raw/

4) start nova-compute as nova user and boot vm

http://xsnippet.org/360775/raw/

Expected result:

In cases 3 and 4: correct boot with mounted filesystem

Actual result:

In case 3: correct boot with mounted filesystem
In case 4: incorrect boot with unmounted filesystem with this error:

/usr/bin/supermin-helper: open: /boot/vmlinuz-3.13.0-55-generic: Permission denied
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /var/tmp/guestfs.oe27yI
libguestfs: trace: launch = -1 (error)
2015-06-22 14:09:39.693 12311 DEBUG nova.virt.disk.api [-] Unable to mount image /var/lib/nova/instances/ddbf39b0-1fec-4750-aeef-bbd7bd32da2b/disk with error libguestfs installed but not usable (/usr/bin/supermin-helper exited with error status 1, see debug messages above). Cannot resize. is_image_partitionless /usr/lib/python2.7/dist-packages/nova/virt/disk/api.py:218

Related bug: "The kernel is no longer readable by non-root users"

Ubuntu
We don't have a full time Ubuntu maintainer, and the packages supplied by Canonical (which are outside our control) are sometimes broken.

Canonical decided to change the permissions on the kernel so that it's not readable except by root.

http://manpages.ubuntu.com/manpages/trusty/man1/guestfs-faq.1.html

See original description

Tags:

Pavel Kholkin (pkholkin) on 2015-06-22

Changed in fuel:
assignee:	nobody → MOS Linux (mos-linux)
importance:	Undecided → Medium
description:	updated

Roman Podoliaka (rpodolyaka) on 2015-06-22

summary:

- Libguestfs doesn't work on ubuntu without root rights
+ libguestfs doesn't work on Ubuntu without root permissions

Revision history for this message

Alexei Sheplyakov (asheplyakov) wrote on 2015-06-22:

> /usr/bin/supermin-helper: open: /boot/vmlinuz-3.13.0-55-generic: Permission denied

That's a feature

$ ls -la /boot/vmlinuz-3.13.0-55-generic
-rw------- 1 root root 5821888 Jun 14 22:28 /boot/vmlinuz-3.13.0-55-generic

Unreadable kernel image blocks the class of attacks carried out by script kiddies and automated systems that expect
to be able to look up symbols locally and make exploits totally portable to all kernel versions.

Revision history for this message

Roman Podoliaka (rpodolyaka) wrote on 2015-06-23:

@Alexei, could you please give any advice on how to use libguestfs in this case?

I'm totally fine with giving up on file injection support, but libguestfs can still be useful for e.g. resize operations. Recently, we ran into a weird problem with resize done on a compute node, which kept the node unavailable for like 15 minutes - http://paste.openstack.org/show/298978/

Revision history for this message

Richard Jones (rjones-redhat) wrote on 2015-06-23:

Comment 1 is bogus. The same kernel is available on multiple Ubuntu mirrors worldwide.

http://packages.ubuntu.com/precise/linux-image-3.13.0-55-generic

It only protects you against a script kiddie who is unable to use a web browser.

Revision history for this message

Aleksander Mogylchenko (amogylchenko) wrote on 2015-06-25:

I agree that it is bogus, but it was an upstream's decision unfortunately.

We will think of some workaround.

Changed in fuel:
status:	New → Confirmed
milestone:	none → 7.0

Revision history for this message

narasimha18sv (narasimha18sv) wrote on 2015-08-12:

I have installed openstack manually getting the same issue unable boot a vm.

Michael Semenov (msemenov) on 2015-08-13

Changed in fuel:
assignee:	MOS Linux (mos-linux) → Alexei Sheplyakov (asheplyakov)

Revision history for this message

Salman (salman-toor-d) wrote on 2015-08-13:

Hi,

While googling I end-up on this thread. Not sure but it seems like I have similar problem but on CentOS 7.1

Advance apologies if shouldn't post my stuff here ....

I have upgraded my system from Juno to Kilo but Nova-Compute refuses to start instances

OS = CentOS Linux release 7.1.1503 (Core)
Kernel = 3.10.0-229.7.2.el7.x86_64
Nova nova = 2.23.0

[root@sm2: ~] # rpm -qa|grep libguestfs
libguestfs-tools-1.28.1-1.18.el7.noarch
libguestfs-gobject-1.28.1-1.18.el7.x86_64
libguestfs-java-devel-1.28.1-1.18.el7.x86_64
libguestfs-rsync-1.28.1-1.18.el7.x86_64
libguestfs-gobject-devel-1.28.1-1.18.el7.x86_64
libguestfs-man-pages-uk-1.28.1-1.18.el7.noarch
libguestfs-1.28.1-1.18.el7.x86_64
libguestfs-tools-c-1.28.1-1.18.el7.x86_64
libguestfs-java-1.28.1-1.18.el7.x86_64
libguestfs-bash-completion-1.28.1-1.18.el7.noarch
libguestfs-man-pages-ja-1.28.1-1.18.el7.noarch
libguestfs-gobject-doc-1.28.1-1.18.el7.noarch
libguestfs-xfs-1.28.1-1.18.el7.x86_64
libguestfs-rescue-1.28.1-1.18.el7.x86_64
libguestfs-gfs2-1.28.1-1.18.el7.x86_64
python-libguestfs-1.28.1-1.18.el7.x86_64
libguestfs-javadoc-1.28.1-1.18.el7.noarch
libguestfs-devel-1.28.1-1.18.el7.x86_64
[root@sm2: ~] # rpm -qa|grep libguestfs-tools
libguestfs-tools-1.28.1-1.18.el7.noarch
libguestfs-tools-c-1.28.1-1.18.el7.x86_64

Error:
2015-08-13 23:00:27.141 1344 WARNING nova.virt.disk.api [req-109f4384-c948-472f-a541-3406ddec21c6 - - - - -] Unable to mount image /var/lib/nova/instances/438949ef-d434-43de-8a5e-290e06f85353/disk with error libguestfs installed but not usable (/usr/libexec/qemu-kvm exited with error status 1.

Instances just stuck in SPAWNING.

Any suggestion how to proceed further?

Regards..
Salman.

Revision history for this message

Richard Jones (rjones-redhat) wrote on 2015-08-13:

http://libguestfs.org/guestfs-faq.1.html#debugging-libguestfs

Igor Shishkin (teran) on 2015-10-08

Changed in fuel:
milestone:	7.0 → 8.0

Dmitry Pyzhov (dpyzhov) on 2015-10-21

tags:

added: mos-linux

Dmitry Pyzhov (dpyzhov) on 2015-10-27

tags:

added: area-mos

Revision history for this message

Roman Podoliaka (rpodolyaka) wrote on 2016-01-27:

We no longer fix Medium bugs in 8.0, closing as Won't Fix

tags:

added: area-linux
removed: area-mos mos-linux

Revision history for this message

Alexei Sheplyakov (asheplyakov) wrote on 2016-04-06:

Making the kernel image world-readable is a matter of a simple command:

# dpkg-statoverride --update --add root root 0644 /boot/vmlinuz-`uname -r`

Also one can drop the following shell script into /etc/kernel/postinst.d so the above command will be automatically
invoked for every linux-image-* package after the installation:

#/bin/sh
set -e
version="$1"
if [ -z "$version" ]; then
exit 0
fi
exec dpkg-statoverride --update --add root root 0644 "/boot/vmlinuz-${version}"

However making the kernel image world readable by default is not such a nice idea for it defeats the hardening
(against silly/simple exploits) implemented by distro.

Last but not least the bug does not affect the product (MOS), hence I'm marking it as Invalid

Changed in fuel:
status:	Confirmed → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-27: Related fix proposed to fuel-library (master)

#10

Related fix proposed to branch: master
Review: https://review.openstack.org/322132

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-28: Related fix proposed to fuel-library (stable/mitaka)

#11

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/322434

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-30: Related fix merged to fuel-library (master)

#12

Reviewed: https://review.openstack.org/322132
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c50f169c7514f9d1cc51b3605d90b33a3ceb6abd
Submitter: Jenkins
Branch: master

commit c50f169c7514f9d1cc51b3605d90b33a3ceb6abd
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300

nova: configure file injection by the means of config drive

    We've seen a number of problems with qemu-nbd (from files not being
    injected randomly to kernel panics), and while libguestfs is a
    better solution here it does not work out of box on Ubuntu. Neither
    of these can be used for file injection when instance ephemeral
    drives are stored in Ceph.

    Disabling of file injection in Nova libvirt drive allows us to unify
    the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
    In this case file injection ban still be performed by the means of
    config drive + cloud-init within images.

Upstream Nova / Devstack explicitly disabled file injection in favor
of using config drives in:

9ce99a44cf85e431227536e2251ef05b52e61524

and

I2388ef0df12a6289b619bfaf30cb952fcc48ef41

    Closes-Bug: #1467860
    Closes-Bug: #1556819
    Related-Bug: #1467579
    Related-Bug: #1493767

Change-Id: Ie46aa3f48d62b7500a7e326348b35573b3262641

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-31: Related fix merged to fuel-library (stable/mitaka)

#13

Reviewed: https://review.openstack.org/322434
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=4418fba67d370cc5be7f40bd77776cde2d69828b
Submitter: Jenkins
Branch: stable/mitaka

commit 4418fba67d370cc5be7f40bd77776cde2d69828b
Author: Roman Podoliaka <email address hidden>
Date: Fri May 27 12:35:50 2016 +0300

nova: configure file injection by the means of config drive

    Disabling of file injection in Nova libvirt drive allows us to unify
    the settings for Ubuntu vs CentOS and file vs Ceph-based ephemerals.
    In this case file injection can still be performed by the means of
    config drive + cloud-init within images.

Upstream Nova / Devstack explicitly disabled file injection in favor
of using config drives in:

9ce99a44cf85e431227536e2251ef05b52e61524

and

I2388ef0df12a6289b619bfaf30cb952fcc48ef41

DocImpact

    File injection is no longer performed on the compute node because it's
    slow and error-prone. Instead files to be injected are placed on a
    config drive, which is automatically created for every instance. It's up
    to cloud-init or a similar mechanism within the image itself to perform
    injection on instance boot.

    Closes-Bug: #1467860
    Closes-Bug: #1556819
    Related-Bug: #1467579
    Related-Bug: #1493767

Change-Id: Ie46aa3f48d62b7500a7e326348b35573b3262641

tags:

added: in-stable-mitaka

Revision history for this message

xujunjie (xujunjielxx) wrote on 2017-04-12:

#14

the same question happen to me,I run "chmod 755 /boot/vmlinuz*" to solve it;

Revision history for this message

Thiago Martins (martinx) wrote on 2019-10-10:

#15

Ubuntu MUST fix BUG: 759725! Damn...

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers