Permission denied when trying to resize images

Bug #1967956 reported by Alexander Balderson
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Nova Compute Charm
Invalid
Undecided
Unassigned
Ubuntu Cloud Archive
Invalid
Undecided
Unassigned
Yoga
New
Undecided
Unassigned
nova (Ubuntu)
Fix Released
Medium
Corey Bryant
Jammy
Confirmed
Undecided
Unassigned

Bug Description

On a deployment of Focal Ussuri which was CIS hardened SQA had two tempest tests which failed to resize a server, and then revert the resize.

the two tests which failed were:
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_confirm
and
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_revert

The nova compute logs show:
: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.648 653208 ERROR nova.virt.libvirt.driver [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Failed to start libvirt guest: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.697 653208 INFO os_vif [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] Successfully unplugged vif VIFOpenVSwitch(active=False,address=fa:16:3e:14:5f:7c,bridge_name='br-int',has_traffic_filtering=True,id=c6c15dff-9201-49e9-9d86-4ce684138f53,network=Network(611f2961-05f5-4361-a30f-bcf384865f6f),plugin='ovs',port_profile=VIFPortProfileOpenVSwitch,preserve_on_delete=False,vif_name='tapc6c15dff-92')
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Setting instance vm_state to ERROR: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Traceback (most recent call last):
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 10047, in _error_out_instance_on_exception
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] yield
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5904, in _finish_resize_helper
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] network_info = self._finish_resize(context, instance, migration,
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5842, in _finish_resize
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self._set_instance_info(instance, old_flavor)
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self.force_reraise()
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] six.reraise(self.type_, self.value, self.tb)
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] raise value
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5825, in _finish_resize
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self.driver.finish_migration(context, migration, instance,
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 10410, in finish_migration
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] guest = self._create_domain_and_network(context, xml, instance,
...
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]

for both tests.

our CIS rule set is

RULESET1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
RULESET2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
RULESET3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
RULESET4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
RULESET5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
RULESET6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.126.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"

metal systems get the additional rules:
"4.1.1.1 4.1.1.2 4.1.1.3 4.1.1.4 4.1.2.1 4.1.2.2 4.1.2.3 4.1.3 4.1.4 4.1.5 4.1.6 4.1.7 4.1.8 4.1.6 4.1.7 4.1.8 4.1.9 4.1.10 4.1.11 4.1.12 4.1.13 4.1.14 4.1.15 4.1.16 4.1.17

crashdump can be found at:
https://oil-jenkins.canonical.com/artifacts/3daa548d-79fb-4efe-84a1-7063397290a6/generated/generated/openstack/juju-crashdump-openstack-2022-04-03-03.39.08.tar.gz
with testrun at:
https://solutions.qa.canonical.com/testruns/testRun/3daa548d-79fb-4efe-84a1-7063397290a6
and bundle at:
https://oil-jenkins.canonical.com/artifacts/3daa548d-79fb-4efe-84a1-7063397290a6/generated/generated/openstack/bundle.yaml
All instances of this bug can be found at:
https://solutions.qa.canonical.com/bugs/bugs/bug/1967956

Related branches

description: updated
description: updated
Revision history for this message
Marian Gasparovic (marosg) wrote :

We are hitting it 100% of times also in Yoga-Focal

tags: added: cdo-tempest
Revision history for this message
Marcelo Subtil Marcal (msmarcal) wrote (last edit ):

We are hitting it on a yoga-focal customer cloud also:

```
  : libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/0ad7a673-f7b8-46e6-be52-4cbde42de918/disk' (as uid:64055, gid:108): Permission denied
    2022-08-26 19:06:55.948 430983 ERROR nova.virt.libvirt.guest libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/0ad7a673-f7b8-46e6-be52-4cbde42de918/disk' (as uid:64055, gid:108)
: Permission denied
    2022-08-26 19:06:55.950 430983 ERROR nova.virt.libvirt.driver [req-7b5583ca-63e1-4abd-a53c-f336829c65bb 6f072e73354f46aab5f3bc07d3f7bf0f 6078a05d207a4bdfb271add10119d7ca - 8e2b894c611a4a4e8c787169d353b
44b 8e2b894c611a4a4e8c787169d353b44b] [instance: 0ad7a673-f7b8-46e6-be52-4cbde42de918] Failed to start libvirt guest: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/0ad7a673-f7b8
-46e6-be52-4cbde42de918/disk' (as uid:64055, gid:108): Permission denied
    2022-08-26 19:06:55.956 430983 ERROR nova.compute.manager [req-7b5583ca-63e1-4abd-a53c-f336829c65bb 6f072e73354f46aab5f3bc07d3f7bf0f 6078a05d207a4bdfb271add10119d7ca - 8e2b894c611a4a4e8c787169d353b44b
8e2b894c611a4a4e8c787169d353b44b] [instance: 0ad7a673-f7b8-46e6-be52-4cbde42de918] Setting instance vm_state to ERROR: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/0ad7a673-f7b
8-46e6-be52-4cbde42de918/disk' (as uid:64055, gid:108): Permission denied
```

Revision history for this message
Billy Olsen (billy-olsen) wrote :

So my initial thought was that this was an apparmor enforcement issue, and that does not appear to be the case. It clearly looks like its a problem with the uid ( I believe 64055 in this case is libvirt-qemu) and gid ( ??? ). However, our data capture does not collect this (grrrr...).

I suspect that this is due to some restrictions of permissions on directories somewhere. Will need to recreate it in order to walk through it and see what this issue is. If there is the possibility of providing the permissions on the directory and fail (as well as the information to confirm the uid/gid - i.e. which uid and gid this is) it would help narrow it down. Until then, a recreate is necessary.

Revision history for this message
Billy Olsen (billy-olsen) wrote :

With multiple reports, I will however move this bug to the confirmed state while we continue to triage this.

Changed in charm-nova-compute:
status: New → Confirmed
Revision history for this message
Marcelo Subtil Marcal (msmarcal) wrote (last edit ):

Subscribing field-crit as it is being encountered on a customer deployment

Changed in charm-nova-compute:
assignee: nobody → Corey Bryant (corey.bryant)
Revision history for this message
Corey Bryant (corey.bryant) wrote :

I was able to recreate this using the exact rules for hardening compute nodes as the bug reporter used.

$ openstack server create c1 --image cirros --flavor m1.tiny # this is successful

On the compute node where that server lands:

ubuntu@juju-da8cbf-zaza-41517351cce1-27:~$ sudo ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35
total 20724
drwxr-xr-x 2 nova nova 4096 Aug 31 16:52 .
drwxr-xr-x 7 nova nova 4096 Aug 31 16:52 ..
-rw------- 1 root root 28411 Aug 31 16:52 console.log
-rw-r--r-- 1 libvirt-qemu kvm 21233664 Aug 31 16:53 disk
-rw-r--r-- 1 nova nova 79 Aug 31 16:52 disk.info

$ openstack server resize --flavor 2 c1

This results in server going into ERROR state and destination nova-compute.log contains:
libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35/disk' (as uid:64055, gid:108): Permission denied

On the source compute node there's a slight change in ownership which is probably fine, but might as well document that here:

ubuntu@juju-da8cbf-zaza-41517351cce1-27:~$ ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35_resize
total 20784
drwxr-xr-x 2 nova nova 4096 Aug 31 16:52 .
drwxr-xr-x 7 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 28571 Aug 31 16:58 console.log
-rw-r--r-- 1 nova nova 21299200 Aug 31 16:58 disk
-rw-r--r-- 1 nova nova 79 Aug 31 16:52 disk.info

On the compute node where the resized instance lands, we see the following:

ubuntu@juju-da8cbf-zaza-41517351cce1-28:~$ sudo ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw-r----- 1 nova nova 21299520 Aug 31 16:58 disk
-rw-r----- 1 nova nova 79 Aug 31 16:58 disk.info

The file permissions look like they may have been created with a new default umask as they have 640 mode set instead of 644. This is likely cause of the access denial because libvirt-qemu no longer has read access.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Looking at umask on a non-hardened unit:

ubuntu@juju-da8cbf-zaza-41517351cce1-24:~$ umask
0002
ubuntu@juju-da8cbf-zaza-41517351cce1-24:~$ touch /tmp/hello
ubuntu@juju-da8cbf-zaza-41517351cce1-24:~$ ls -al /tmp/hello
-rw-rw-r-- 1 ubuntu ubuntu 0 Aug 31 17:20 /tmp/hello

And on a hardened compute node:

ubuntu@juju-da8cbf-zaza-41517351cce1-26:~$ umask
0027
ubuntu@juju-da8cbf-zaza-41517351cce1-26:~$ touch /tmp/hello
ubuntu@juju-da8cbf-zaza-41517351cce1-26:~$ ls -al /tmp/hello
-rw-r----- 1 ubuntu ubuntu 0 Aug 31 17:20 /tmp/hello

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The umask is set to 0027 by rule 5.4.5:

Ensure default user umask is 027 or more restrictive
Execute rule 5.4.5

Revision history for this message
Corey Bryant (corey.bryant) wrote (last edit ):
Download full text (3.2 KiB)

There's a long history of bugs related to attempts to limit access to files/dirs in /var/lib/nova. Considering that this is the most recent bug opened that is related to this topic, I will leave a history summary here in case we need it in the future.

= (1) April 2020: change permissions of /var/lib/nova to 640 and 750 ==

In the focal development cycle we set file permissions under /var/lib/nova to 640 and directory permissions to 0750. That was done as part of an effort across all the openstack packages via LP: #1859422
For nova, that was handled in the following commit: https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=6acf39faa09ff7cfae799513a05fefbefa568abf

= (2) April 2020: add libvirt-qemu to nova group =

As a result of the previous change, the following bug was opened because the libvirt-qemu user needed access to /var/lib/nova/instances/_base: LP: #1870415
To fix that, we added the libvirt-qemu user to the nova group, since /var/lib/nova is owned by nova:nova.
That was handled in the following commit: https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=a6eb3638389bb0818db6ebd3386eb8fe500487c6

= (3) June 2020: change permissions of /var/lib/nova to 644 and 755 =

The previous changes turned out to cause access issues and the following bug was opened: "unable to start and stop an instance post ugprade": LP: #1885269
As a result we reset file permissions under /var/lib/nova to 644 and directory permissions to 0755.
That was handled in the following commit: https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=327e37428a25df3b96f5dfb9d08d3bc02caaff4f

= (4) Sept 2020: drop libvirt-qemu from nova group =

The following bug was opened due to instance snapshots being broken: LP: #1896617
Removing the libvirt-qemu user from the nova group fixed this.
This was handled in the following commits:
https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=864aa4e744e9f7495caa353ba24efd2c4f7306cc
https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=5e120a021d2d4440fff2f6f25ac7bd6955a5e0d0

= (5) March 2022: don't change permissions of /var/lib/nova/.ssh/id_rsa =

We then had a bug opened as the 0644 permissions for '/var/lib/nova/.ssh/id_rsa' were too open: LP: #1904580
That was handled in the following commit: https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/nova/commit/?id=655b04243c5fd7e6dc32bb722b0242c4efbb65e7

= (6) April 2022: Permission denied when trying to resize instance after CIS hardening =

And finally, the current bug we're looking at was opened due to instance resizing failing on a CIS hardened machine.
As part of hardening the umask is set to 0027. Therefore, new file permissions get 640 mode set instead of 644. This causes an access denial for the libvirt-qemu user as it no longer has read access to the disk. For example:

ubuntu@juju-da8cbf-zaza-41517351cce1-28:~$ sudo ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw...

Read more...

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I've done some successful testing (and will do some more) with all of the following changes in place:

(1) Set initial file permissions under /var/lib/nova to 640 and directory permissions to 0750. This would be handled in debian/nova-common.postinst.

(2) Add libvirt-qemu user back to the nova group. This would be handled in nova-compute-libvirt.postinst.

(3) Add nova user to kvm group. This would be handled in nova-compute.kvm.postinst. This will allow nova to access files in /var/lib/nova owned by the kvm group. For example:
root@juju-ed722c-mojo-17:/var/lib/nova/instances/499b7f90-4e5e-4eb9-b29b-2befe835cbe7# ll
total 184924
drwxr-x--- 2 nova nova 4096 Jun 26 10:39 ./
drwxr-x--- 5 nova nova 4096 Jun 26 10:38 ../
-rw------- 1 root root 8039 Jun 26 10:39 console.log
-rw-r----- 1 libvirt-qemu kvm 189399040 Jun 26 10:39 disk
-rw-r----- 1 nova nova 79 Jun 25 17:46 disk.info

(4) Again, this is summarized in more detail at: https://bugs.launchpad.net/charm-nova-compute/+bug/1896617/comments/64
To fix this, we will carry a patch in the ubuntu package that changes the tempdir permissions from 0o701 to 0o710. This will allow the libvirt-qemu user to access files in the tempdir. For example:
For example:
$ sudo ls -al /var/lib/nova/instances/snapshots/tmpkajuir8o
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 . # <--- change to 0o710 will give libvirt-qemu user access
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2c849ea4bd6036712c.delta

(5) Leave this as-is and ensure that we don't regress it with any new changes.

(6) This will be solved by (2) where we add the libvirt-qemu user to the nova group. For example, on a hardened system this will allow libvirt-qemu to get read access to the disk file:
ubuntu@juju-da8cbf-zaza-41517351cce1-28:~$ sudo ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw-r----- 1 nova nova 21299520 Aug 31 16:58 disk
-rw-r----- 1 nova nova 79 Aug 31 16:58 disk.info

Assuming final tests check out, I would like to fix this all in the Zed version of nova via the current bug that we're looking at.

Changed in charm-nova-compute:
status: Confirmed → Triaged
importance: Undecided → Medium
Revision history for this message
Corey Bryant (corey.bryant) wrote (last edit ):

These are the tests that I've run to verify these fixes:

== tempest regression ==

This is our standard deployment of openstack regression testing with tempest to ensure there is no regression in the tests that get executed.

== server resize ==

Ensure the following is successful:

openstack server create c1 --image cirros --flavor m1.tiny --key-name nova-key --security-group 8faf8920-eaad-42ea-a91f-dc78f13a6d36 --nic net-id=036e1cc8-9a40-494b-944d-a0386fe874d7
openstack server resize --flavor 2 c1
openstack server resize confirm c1

Also ensure resize is successful on CIS hardened system.

== instance snapshot ==

Ensure the following is successful:

openstack server image create --name c1-image c1

== CIS hardening test ==

Repeat the image snapshot after CIS hardening on nova-computes, using the rules listed in this bug description.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This is fix released in the kinetic nova package version 3:25.0.1+git2022091213.11cb31258f-0ubuntu1.

Changed in nova (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Corey Bryant (corey.bryant)
Changed in charm-nova-compute:
assignee: Corey Bryant (corey.bryant) → nobody
importance: Medium → Undecided
status: Triaged → Invalid
Changed in nova (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Edward Hope-Morley (hopem) wrote :
Revision history for this message
Edward Hope-Morley (hopem) wrote :

(although not released yet)

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This hasn't been backported to yoga yet.

Felipe Reyes (freyes)
Changed in cloud-archive:
status: New → Invalid
Revision history for this message
Corey Bryant (corey.bryant) wrote (last edit ):

I'm hesitant to backport this to jammy (yoga). As noted above this has been a delicate area and there are several fixes to consider backporting as a whole to ensure correct access in place. Fixes would also have to be approved by the Ubuntu SRU team (https://wiki.ubuntu.com/StableReleaseUpdates).

Revision history for this message
Calvin Hartwell (calvinh) wrote :

Olivier in our team pointed out there is a potential workaround from a previous project:

As a workaround for the bug "Permission denied when trying to resize images", set back to 022 the default umask on the nova-compute units:

juju run --application nova-compute -- \
  "sudo sed -i 's/^UMASK.*027/UMASK 022/' /etc/login.defs"

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nova (Ubuntu Jammy):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.