I've done some successful testing (and will do some more) with all of the following changes in place:
(1) Set initial file permissions under /var/lib/nova to 640 and directory permissions to 0750. This would be handled in debian/nova-common.postinst.
(2) Add libvirt-qemu user back to the nova group. This would be handled in nova-compute-libvirt.postinst.
(3) Add nova user to kvm group. This would be handled in nova-compute.kvm.postinst. This will allow nova to access files in /var/lib/nova owned by the kvm group. For example:
root@juju-ed722c-mojo-17:/var/lib/nova/instances/499b7f90-4e5e-4eb9-b29b-2befe835cbe7# ll
total 184924
drwxr-x--- 2 nova nova 4096 Jun 26 10:39 ./
drwxr-x--- 5 nova nova 4096 Jun 26 10:38 ../
-rw------- 1 root root 8039 Jun 26 10:39 console.log
-rw-r----- 1 libvirt-qemu kvm 189399040 Jun 26 10:39 disk
-rw-r----- 1 nova nova 79 Jun 25 17:46 disk.info
(4) Again, this is summarized in more detail at: https://bugs.launchpad.net/charm-nova-compute/+bug/1896617/comments/64
To fix this, we will carry a patch in the ubuntu package that changes the tempdir permissions from 0o701 to 0o710. This will allow the libvirt-qemu user to access files in the tempdir. For example:
For example:
$ sudo ls -al /var/lib/nova/instances/snapshots/tmpkajuir8o
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 . # <--- change to 0o710 will give libvirt-qemu user access
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2c849ea4bd6036712c.delta
(5) Leave this as-is and ensure that we don't regress it with any new changes.
(6) This will be solved by (2) where we add the libvirt-qemu user to the nova group. For example, on a hardened system this will allow libvirt-qemu to get read access to the disk file:
ubuntu@juju-da8cbf-zaza-41517351cce1-28:~$ sudo ls -al /var/lib/nova/instances/ed133a88-4f6e-4585-b208-2133c348ff35
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw-r----- 1 nova nova 21299520 Aug 31 16:58 disk
-rw-r----- 1 nova nova 79 Aug 31 16:58 disk.info
Assuming final tests check out, I would like to fix this all in the Zed version of nova via the current bug that we're looking at.
I've done some successful testing (and will do some more) with all of the following changes in place:
(1) Set initial file permissions under /var/lib/nova to 640 and directory permissions to 0750. This would be handled in debian/ nova-common. postinst.
(2) Add libvirt-qemu user back to the nova group. This would be handled in nova-compute- libvirt. postinst.
(3) Add nova user to kvm group. This would be handled in nova-compute. kvm.postinst. This will allow nova to access files in /var/lib/nova owned by the kvm group. For example: ed722c- mojo-17: /var/lib/ nova/instances/ 499b7f90- 4e5e-4eb9- b29b-2befe835cb e7# ll
root@juju-
total 184924
drwxr-x--- 2 nova nova 4096 Jun 26 10:39 ./
drwxr-x--- 5 nova nova 4096 Jun 26 10:38 ../
-rw------- 1 root root 8039 Jun 26 10:39 console.log
-rw-r----- 1 libvirt-qemu kvm 189399040 Jun 26 10:39 disk
-rw-r----- 1 nova nova 79 Jun 25 17:46 disk.info
(4) Again, this is summarized in more detail at: https:/ /bugs.launchpad .net/charm- nova-compute/ +bug/1896617/ comments/ 64 nova/instances/ snapshots/ tmpkajuir8o c849ea4bd603671 2c.delta
To fix this, we will carry a patch in the ubuntu package that changes the tempdir permissions from 0o701 to 0o710. This will allow the libvirt-qemu user to access files in the tempdir. For example:
For example:
$ sudo ls -al /var/lib/
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 . # <--- change to 0o710 will give libvirt-qemu user access
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2
(5) Leave this as-is and ensure that we don't regress it with any new changes.
(6) This will be solved by (2) where we add the libvirt-qemu user to the nova group. For example, on a hardened system this will allow libvirt-qemu to get read access to the disk file: juju-da8cbf- zaza-41517351cc e1-28:~ $ sudo ls -al /var/lib/ nova/instances/ ed133a88- 4f6e-4585- b208-2133c348ff 35
ubuntu@
total 20816
drwxrwx--- 2 nova nova 4096 Aug 31 16:58 .
drwxr-xr-x 6 nova nova 4096 Aug 31 16:58 ..
-rw------- 1 root root 0 Aug 31 16:58 console.log
-rw-r----- 1 nova nova 21299520 Aug 31 16:58 disk
-rw-r----- 1 nova nova 79 Aug 31 16:58 disk.info
Assuming final tests check out, I would like to fix this all in the Zed version of nova via the current bug that we're looking at.