Bug 1169792

Summary: [hosted-engine] Bad check of iso image permission
Product: Red Hat Enterprise Virtualization Manager
Reporter: Simone Tiraboschi <stirabos>
Component: ovirt-hosted-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.5.0
CC: bmcclain, cpbills, gklein, istein, lsurette, nsoffer, sbonazzo, scohen, stirabos, ykaul
Target Milestone: ovirt-3.6.0-rc
Keywords: Triaged, ZStream
Target Release: 3.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, hosted-engine-setup was checking for the ISO image to be readable by the VDSM user, but it was the KVM user that needed to read it to work properly. If the ISO image was readable by the VDSM user without being readable by the KVM user, the check passed but the virtual machine was still unable to boot from the ISO. With this release, hosted-engine-setup has a coherent permission check. Now if the ISO image passes the check, it works.
Story Points: ---
Clone Of:
: 1181585
Environment:
Last Closed: 2016-03-09 19:07:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1181585, 1234915
Attachments:
Description Flags
logs_from_host none

Description Simone Tiraboschi 2014-12-02 13:12:50 UTC
Description of problem:
hosted-engine-setup, deploying the engine VM from CDROM, checks the permission of the ISO image to alert the user preventing further errors.
That check is made against vdsm:kvm while the engine VM will run as qemu and so it's not coherent.


Version-Release number of selected component (if applicable):
3.5.0 beta

How reproducible:
100%

Steps to Reproduce:
1. copy an iso image to the host
2. set the ownership of that file to vdsm:kvm and its permission to 600 
3. launch hosted-engine --deploy selecting that iso

Actual results:
No error about the iso file permission is reported to the user but VDSM is not able to start the VM.

Expected results:
An error about the ISO permission is reported to the user

Additional info:

Comment 1 Simone Tiraboschi 2014-12-10 09:58:01 UTC
Now I'm just checking that qemu user can read the iso image and it seems to work correctly on the straight path.

Nir, do you know if also the VDSM user should be able to read the ISO image for any other purposes?

Comment 2 Nir Soffer 2014-12-16 16:04:27 UTC
(In reply to Simone Tiraboschi from comment #1)
> Now I'm just checking that qemu user can read the iso image and it seems to
> work correctly on the straight path.
> 
> Nir, do you know if also the VDSM user should be able to read the ISO image
> for any other purposes?

I don't think that vdsm is trying to access the iso image, but it may have code that checks permissions on the image that will fail and complain if the permissions are not expected.

Typically we use vdsm:qemu for vdsm images, so keeping the same permissions for files and devices accessed by vdsm or qemu would be the best way.

Comment 3 Simone Tiraboschi 2014-12-16 16:34:49 UTC
(In reply to Nir Soffer from comment #2)
> I don't think that vdsm is trying to access the iso image, but it may have
> code that checks permissions on the image that will fail and complain if the
> permissions are not expected.
> 
> Typically we use vdsm:qemu for vdsm images, so keeping the same permissions
> for files and devices accessed by vdsm or qemu would be the best way.

It's exactly what we did but it's not correct.
At least qemu user should be able to access the iso file otherwise it's not able to start that VM.

If the iso file is 600 and vdsm:kvm, qemu cannot read it but our previous test didn't detect it.

Now we are simply checking about qemu.
If needed we can check for both qemu and vdsm.

Comment 5 Sandro Bonazzola 2015-02-20 11:08:15 UTC
Automated message: can you please update doctext or set it as not required?

Comment 7 Simone Tiraboschi 2015-08-10 10:33:46 UTC
Entering the ISO path is up to the user.
Choose CDRom and then, when asked, the path you prefer

Comment 8 Nikolai Sednev 2015-08-11 13:32:56 UTC
(In reply to Simone Tiraboschi from comment #7)
> Entering the ISO path is up to the user.
> Choose CDRom and then, when asked, the path you prefer

That's indeed, but I have to have ISO of the image to be booted from, so in this case I need an ISO of the engine. Where can I get one?

Comment 9 Simone Tiraboschi 2015-08-24 12:24:08 UTC
On manual setup you are going to deploy the engine VM installing the OS and only after installing oVirt engine and then manually executing engine-setup.
So this one is just a RHEL/Centos/Fedora ISO from a supported release.

Comment 10 Nikolai Sednev 2015-08-25 15:58:38 UTC
(In reply to Simone Tiraboschi from comment #9)
> On manual setup you are going to deploy the engine VM installing the OS and
> only after installing oVirt engine and then manually executing engine-setup.
> So this one is just a RHEL/Centos/Fedora ISO from a supported release.

Steps to Reproduce:
1. copy an iso image to the host
2. set the ownership of that file to vdsm:kvm and its permission to 600 
3. launch hosted-engine --deploy selecting that iso

1.Again, I need a link to relevant ISO for the installation.
2.chmod 600
3.launch hosted-engine --deploy selecting that iso by linking the installation via CDROM path to local directory in which image is located.

We're installing all images using PXE, so for this one I need an ISO file link.

Comment 11 Simone Tiraboschi 2015-08-25 17:02:50 UTC
(In reply to Nikolai Sednev from comment #10)
> (In reply to Simone Tiraboschi from comment #9)
> > On manual setup you are going to deploy the engine VM installing the OS and
> > only after installing oVirt engine and then manually executing engine-setup.
> > So this one is just a RHEL/Centos/Fedora ISO from a supported release.
> 
> Steps to Reproduce:
> 1. copy an iso image to the host
> 2. set the ownership of that file to vdsm:kvm and its permission to 600 
> 3. launch hosted-engine --deploy selecting that iso
> 
> 1.Again, I need a link to relevant ISO for the installation.

http://it.centos.contactlab.it/7/isos/x86_64/CentOS-7-x86_64-DVD-1503-01.iso

> 2.chmod 600
> 3.launch hosted-engine --deploy selecting that iso by linking the
> installation via CDROM path to local directory in which image is located.
> 
> We're installing all images using PXE, so for this one I need an ISO file
> link.

Comment 12 Nikolai Sednev 2015-08-27 12:09:24 UTC
Tested on these components:
ovirt-hosted-engine-setup-1.3.0-0.4.beta.git42eb801.el7ev.noarch
mom-0.5.0-1.el7ev.noarch
vdsm-4.17.3-1.el7ev.noarch
libvirt-client-1.2.17-6.el7.x86_64
qemu-kvm-rhev-2.3.0-19.el7.x86_64
sanlock-3.2.4-1.el7.x86_64
Red Hat Enterprise Linux Server release 7.2 Beta (Maipo)

Got this error:
[ ERROR ] The specified installation media is not valid or not readable. Please ensure that /tmp is valid and could be read by qemu user or kvm group or specify another installation media.

Logs from deployment attached.




wget http://it.centos.contactlab.it/7/isos/x86_64/CentOS-7-x86_64-DVD-1503-01.iso
# id vdsm
uid=36(vdsm) gid=36(kvm) groups=36(kvm),179(sanlock),107(qemu)
# chown -R vdsm:kvm CentOS-7-x86_64-DVD-1503-01.iso
# chmod 600 CentOS-7-x86_64-DVD-1503-01.iso
# ls -ld /tmp/CentOS-7-x86_64-DVD-1503-01.iso
-rw-------. 1 vdsm kvm 4310695936 Aug 27 14:51 /tmp/CentOS-7-x86_64-DVD-1503-01.iso

Comment 13 Nikolai Sednev 2015-08-27 12:15:57 UTC
Created attachment 1067717 [details]
logs_from_host

Comment 14 Simone Tiraboschi 2015-08-27 12:47:36 UTC
(In reply to Nikolai Sednev from comment #12)
> Tested on these components:
> ovirt-hosted-engine-setup-1.3.0-0.4.beta.git42eb801.el7ev.noarch
> mom-0.5.0-1.el7ev.noarch
> vdsm-4.17.3-1.el7ev.noarch
> libvirt-client-1.2.17-6.el7.x86_64
> qemu-kvm-rhev-2.3.0-19.el7.x86_64
> sanlock-3.2.4-1.el7.x86_64
> Red Hat Enterprise Linux Server release 7.2 Beta (Maipo)
> 
> Got this error:
> [ ERROR ] The specified installation media is not valid or not readable.
> Please ensure that /tmp is valid and could be read by qemu user or kvm group
> or specify another installation media.

Expected results:
An error about the ISO permission is reported to the user

It was the expected result: in order to start the VM from the iso image, qemu user or kvm group should be able to read the CDROM otherwise it will fail. In the past we were checking for vdsm user which was wrong.

Comment 15 Simone Tiraboschi 2015-08-27 12:49:43 UTC
(In reply to Simone Tiraboschi from comment #14)
> Expected results:
> An error about the ISO permission is reported to the user
> 
> It was the expected result: in order to start the VM from the iso image,
> qemu user or kvm group should be able to read the CDROM otherwise it will
> fail. In the past we were checking for vdsm user which was wrong.

Please retry also the positive flow having its owner to qemu:kvm and its permission to 600 and it should pass the test and then work

Comment 16 Nikolai Sednev 2015-08-30 13:35:54 UTC
(In reply to Simone Tiraboschi from comment #15)
> (In reply to Simone Tiraboschi from comment #14)
> > Expected results:
> > An error about the ISO permission is reported to the user
> > 
> > It was the expected result: in order to start the VM from the iso image,
> > qemu user or kvm group should be able to read the CDROM otherwise it will
> > fail. In the past we were checking for vdsm user which was wrong.
> 
> Please retry also the positive flow having its owner to qemu:kvm and its
> permission to 600 and it should pass the test and then work

Works for me on these components:
mom-0.5.0-1.el7ev.noarch
ovirt-host-deploy-1.4.0-0.0.4.master.el7ev.noarch
vdsm-4.17.3-1.el7ev.noarch
ovirt-setup-lib-1.0.0-0.1.master.git6a54bc0.el7ev.noarch
libvirt-client-1.2.17-6.el7.x86_64
qemu-kvm-rhev-2.3.0-19.el7.x86_64
ovirt-vmconsole-1.0.0-0.0.master.el7ev.noarch
ovirt-vmconsole-host-1.0.0-0.0.master.el7ev.noarch
sanlock-3.2.4-1.el7.x86_64
ovirt-hosted-engine-ha-1.3.0-0.3.beta.git183a4ff.el7ev.noarch
ovirt-hosted-engine-setup-1.3.0-0.4.beta.git42eb801.el7ev.noarch
Red Hat Enterprise Linux Server release 7.2 Beta (Maipo)


Setup was able to successfully continue to next steps after receiving CDROM path with following access restrictions:
chown qemu:kvm /tmp/CentOS-7-x86_64-DVD-1503-01.iso
chmod 600 CentOS-7-x86_64-DVD-1503-01.iso
# ls -ld /tmp/CentOS-7-x86_64-DVD-1503-01.iso
-rw-------. 1 qemu kvm 4310695936 Aug 27 14:51 /tmp/CentOS-7-x86_64-DVD-1503-01.iso
# id qemu
uid=107(qemu) gid=107(qemu) groups=107(qemu),11(cdrom),36(kvm)

Comment 18 errata-xmlrpc 2016-03-09 19:07:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0375.html

Comment 19 cpb 2016-04-13 21:50:50 UTC
I wanted to point this out, since I ran into this issue and came searching for the answer, and resolved the issue when I realized that the user 'vdsm' and group 'kvm' do not have read access to /root which is where I was downloading the ISO.

Perhaps the initial reporter had the same issue.
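
The permission logic discussed in this bug, as an added example that is not the ovirt-hosted-engine-setup code: it evaluates classic mode bits for a given uid and group set along the whole path, which goes beyond the original check to cover the unreadable parent directory described in comment 19. The uid/gid values come from the `id` output in comments 12 and 16; the file names and directory modes are constructed, and ACLs, SELinux and root privileges are assumed out of scope.

```python
import os
from types import SimpleNamespace

# uid / group ids as printed by `id vdsm` and `id qemu` in comments 12 and 16.
VDSM = (36, {36, 179, 107})
QEMU = (107, {107, 11, 36})

def mode_allows(st, uid, gids, want):
    """Owner bits, else group bits, else other bits; first match only.
    Assumption: ACLs, SELinux and root override are not modelled."""
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return (bits & want) == want

def readable_by(path, uid, gids, stat_fn=os.stat):
    """Return (ok, blocking_path): every parent directory needs search (x),
    the file itself needs read (r). stat_fn is injectable for offline runs."""
    path = os.path.abspath(path)
    dirs = [os.path.dirname(path)]
    while dirs[-1] != os.path.dirname(dirs[-1]):
        dirs.append(os.path.dirname(dirs[-1]))
    for d in reversed(dirs):  # walk from the root down to the parent
        if not mode_allows(stat_fn(d), uid, gids, 1):
            return False, d
    if not mode_allows(stat_fn(path), uid, gids, 4):
        return False, path
    return True, None

# Constructed sample filesystem: path -> (mode, owner uid, group gid).
SAMPLE = {
    "/": (0o40555, 0, 0),
    "/tmp": (0o41777, 0, 0),
    "/root": (0o40550, 0, 0),
    "/tmp/bad.iso": (0o100600, 36, 36),    # vdsm:kvm 600, as in comment 12
    "/tmp/good.iso": (0o100600, 107, 36),  # qemu:kvm 600, as in comment 16
    "/root/dl.iso": (0o100644, 0, 0),      # ISO under /root, as in comment 19
}

def sample_stat(path):
    mode, uid, gid = SAMPLE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

if __name__ == "__main__":
    for iso in ("/tmp/bad.iso", "/tmp/good.iso", "/root/dl.iso"):
        print(iso, "qemu:", readable_by(iso, *QEMU, stat_fn=sample_stat))
```

With the default `stat_fn=os.stat` the same function reports which path component blocks a real ISO for a given uid and group set.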