Comment 8 for bug 1129748

Xavier Queralt (xqueralt-deactivatedaccount) wrote :

I don't see a clear solution for this problem in nova and I think this could be better handled in the packaging.

When changing the mode of the instances' directory to 0760 we are also preventing the user 'qemu' from accessing the images and other files we store there (see nova-compute logs @ 2013-06-07 15:35:00.955 [1]).

From libvirt's documentation [2]:

"The directories /var/run/libvirt/qemu/, /var/lib/libvirt/qemu/ and /var/cache/libvirt/qemu/ must all have their ownership set to match the user / group ID that QEMU guests will be run as. If the vendor has set a non-root user/group for the QEMU driver at build time, the permissions should be set automatically at install time. If a host administrator customizes user/group in /etc/libvirt/qemu.conf, they will need to manually set the ownership on these directories."

In Fedora and Red Hat the QEMU guests run as qemu (group qemu) while in Debian and Ubuntu they run as libvirt-qemu (group kvm).

An easy solution would be to just change the group of the instances directory to the one qemu is going to use (either qemu or kvm) while still changing the permissions on that directory to 0760. And I'd definitely do this on the packaging level.

Because, besides libvirt, is there any other virt driver storing images in the instances directory?

[1] http://logs.openstack.org/32146/2/check/gate-tempest-devstack-vm-full/21468/logs/screen-n-cpu.txt.gz
[2] http://libvirt.org/drvqemu.html#securitydriver