© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I've done some successful testing (and will do some more) with all of the following changes in place:
(1) Set initial file permissions under /var/lib/nova to 640 and directory permissions to 0750. This would be handled in debian/
(2) Add libvirt-qemu user back to the nova group. This would be handled in nova-compute-
(3) Add nova user to kvm group. This would be handled in nova-compute.
root@juju-
total 184924
drwxr-x--- 2 nova nova 4096 Jun 26 10:39 ./
drwxr-x--- 5 nova nova 4096 Jun 26 10:38 ../
-rw------- 1 root root 8039 Jun 26 10:39 console.log
-rw-r----- 1 libvirt-qemu kvm 189399040 Jun 26 10:39 disk
-rw-r----- 1 nova nova 79 Jun 25 17:46 disk.info
(4) Again, this is summarized in more detail at: https:/
To fix this, we will carry a patch in the ubuntu package that changes the tempdir permissions from 0o701 to 0o710. This will allow the libvirt-qemu user to access files in the tempdir. For example:
For example:
$ sudo ls -al /var/lib/
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 . # <--- change to 0o710 will give libvirt-qemu user access
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2
(5) Leave this as-is and ensure that we don't regress it with any new changes.
(6) This will be solved by (2) where we add the libvirt-qemu user to the nova group. For example, on a hardened system this will allow libvirt-qemu to get read access to the disk file:
ubuntu@
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw-r----- 1 nova nova 21299520 Aug 31 16:58 disk
-rw-r----- 1 nova nova 79 Aug 31 16:58 disk.info
Assuming final tests check out, I would like to fix this all in the Zed version of nova via the current bug that we're looking at.