[cinder] qemu-img info is called as root even if nas_secure_file_operations is set to true
Jonas Schäfer
jonas.schaefer at cloudandheat.com
Tue Oct 27 11:51:23 UTC 2020
Hi list,
We’ve got a curious issue here. We’re trying to configure Cinder for use with
NetApp NFS. The NetApp has been configured to disallow superuser access and
cinder has been set up with nas_secure_file_operations set to true.
While operations like creating volumes work, attaching a volume to an instance
fails with the following traceback:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cinder/volume/manager.py", line 4369,
in _connection_create
conn_info = self.driver.initialize_connection(volume, connector)
File "/usr/lib/python2.7/dist-packages/cinder/volume/drivers/nfs.py", line
134, in initialize_connection
volume['name'])
File "/usr/lib/python2.7/dist-packages/cinder/volume/drivers/nfs.py", line
543, in _qemu_img_info
run_as_root=True)
File "/usr/lib/python2.7/dist-packages/cinder/volume/drivers/remotefs.py",
line 765, in _qemu_img_info_base
run_as_root=run_as_root)
File "/usr/lib/python2.7/dist-packages/cinder/image/image_utils.py", line
111, in qemu_img_info
prlimit=QEMU_IMG_LIMITS)
File "/usr/lib/python2.7/dist-packages/cinder/utils.py", line 126, in
execute
return processutils.execute(*cmd, **kwargs)
File "/usr/lib/python2.7/dist-packages/oslo_concurrency/processutils.py",
line 425, in execute
cmd=sanitized_cmd)
ProcessExecutionError: Unexpected error while running command.
Command: /usr/bin/python -m oslo_concurrency.prlimit --as=1073741824 --cpu=30
-- sudo cinder-rootwrap /etc/cinder/rootwrap.conf env LC_ALL=C qemu-img info
--force-share /var/lib/cinder/mnt/1be0f17801f5c315c80d99a59518e26e/volume-
ae4bba9b-2ab3-4234-8f86-352f1a20e086
Exit code: 1
Stdout: u''
Stderr: u"qemu-img: Could not open '/var/lib/cinder/mnt/
1be0f17801f5c315c80d99a59518e26e/volume-ae4bba9b-2ab3-4234-8f86-352f1a20e086':
Could not open '/var/lib/cinder/mnt/1be0f17801f5c315c80d99a59518e26e/volume-
ae4bba9b-2ab3-4234-8f86-352f1a20e086': Permission denied\n"
It seems as if cinder executes qemu-img as root. This is confirmed by looking
at the code [3]. Looking at the superclass [4], we see that the superclass
would’ve decided based on the setting of nas_secure_file_operations if [3]
would not pass execute_as_root as True.
To us, it makes no sense whatsoever. While [1] mentions something about
incorrect permissions on volumes, it does not seem to consider the case of
running with NFS Security enabled at all.
However, it also seems as if this change went through completely uncontested.
Hence, we assume that we are in the wrong here and wanted to ask on the
mailing list instead of filing a bug.
Does anyone have insight on what we’re doing wrong / missing here?
kind regards,
Jonas
[1]: https://review.opendev.org/#/c/461134/
[2]: https://github.com/openstack/cinder/commit/dbc9c7ca
[3]: https://github.com/openstack/cinder/blob/stable/queens/cinder/volume/
drivers/nfs.py#L537-L543
[4]: https://github.com/openstack/cinder/blob/stable/queens/cinder/volume/
drivers/remotefs.py#L753-L761
[5]: https://github.com/openstack/cinder/blob/stable/queens/cinder/volume/
drivers/nfs.py#L431-L432
--
Jonas Schäfer
DevOps Engineer
Cloud&Heat Technologies GmbH
Königsbrücker Straße 96 | 01099 Dresden
+49 351 479 367 37
jonas.schaefer at cloudandheat.com | www.cloudandheat.com
New Service:
Managed Kubernetes designed for AI & ML
https://managed-kubernetes.cloudandheat.com/
Commercial Register: District Court Dresden
Register Number: HRB 30549
VAT ID No.: DE281093504
Managing Director: Nicolas Röhrs
Authorized signatory: Dr. Marius Feldmann
Authorized signatory: Kristina Rübenkamp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201027/63d0e88a/attachment.sig>
More information about the openstack-discuss
mailing list