Open Stack

I guess the question then is, is OpenStack requiring specific users and
groups to exist on the OS to ensure that this works?

We'll need to know the name of the qemu user and the openstack user (
defined in conf is fine ), but we'll also need to avoid conflicting
existing users that could lead to hazards.

We'll also need a shared group for folks accessing this directory path.
What should that group be called?  Again this falls into does this
become a requirement of running openstack?

Might be a question relevant to defcore...  but either way, while I
agree it would be VERY nice to have this handled in openstack, I fear
the potential for conflicting existing distribution decisions in name
space.

Compromise Approach:

We allow for conf based definitions of qemu user, openstack user, and
new _base access group.  But we verify what we can to ensure we don't
conflict existing groups and users.  ( this may be difficul in the case
of the qemu user ).

Thoughts?

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1129748

Title:
  image files in _base should not be world-readable

Status in OpenStack Compute (Nova):
  New

Bug description:
  Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
  so probably no point making this private.  But I checked the security
  vulnerability box anyway so someone else can decide.

  We create image files in /var/lib/nova/instances/_base with default
  permissions, usually 644.  It would be better to not make the image
  files world-readable, in case they contain private data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1129748/+subscriptions