The Hosted Engine upgrade tool now drops root privileges when accessing storage, preventing a failure in cases where the root_squash option is enabled.
Description of problem:
If the NFS storage for hosted engine is exported with root_squash , the hosted-engine --upgrade-appliance will fail when injecting the backup file to the image. The root_squash is the default settings for almost all NAS storage and even RHEL NFS server.
The upgrade will fail when it inject the backup file to the HE image using guestfish.
2017-06-29 14:59:28 DEBUG otopi.context context._executeMethod:142 method exception
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
method['method']()
File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 716, in _misc
ohostedcons.Upgrade.BACKUP_FILE
File "/usr/lib/python2.7/site-packages/otopi/transaction.py", line 156, in __exit__
self.commit()
File "/usr/lib/python2.7/site-packages/otopi/transaction.py", line 148, in commit
element.commit()
File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 219, in commit
self._injectBackup()
File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 154, in _injectBackup
g.add_drive_opts(filename=destination, format='raw', readonly=0)
File "/usr/lib64/python2.7/site-packages/guestfs.py", line 559, in add_drive
r = libguestfsmod.add_drive (self._o, filename, readonly, format, iface, name, label, protocol, server, username, secret, cachemode, discard, copyonread)
RuntimeError: /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c: Permission denied
We are using LIBGUESTFS_BACKEND as direct which means the guestfish will be executed as root user as hosted-engine-setup will be executed with root.
g = guestfs.GuestFS(python_return_dict=True)
g.set_backend('direct')
g.add_drive_opts(filename=destination, format='raw', readonly=0)
Manually executing with root
===
export LIBGUESTFS_BACKEND=direct
guestfish -a /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c
/rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c: Permission denied
===
With vdsm user
===
su vdsm -s /bin/bash -c 'guestfish -a /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c'
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: 'help' for help on commands
'man' to read the manual
'quit' to quit the shell
><fs>
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: 'help' for help on commands
'man' to read the manual
'quit' to quit the shell
><fs>
====
Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-2.0.4.3-3.el7ev.noarch
How reproducible:
100%
Steps to Reproduce:
1. Create a NFS share with root_squash and use it for HE deployment .
2. Upgrade using hosted-engine --upgrade-appliance
Actual results:
hosted-engine --upgrade-appliance is not working.
Expected results:
hosted-engine --upgrade-appliance should work fine with a NFS exported with root_squash as this is default setting for many NAS servers.
Additional info:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:1471
Description of problem: If the NFS storage for hosted engine is exported with root_squash , the hosted-engine --upgrade-appliance will fail when injecting the backup file to the image. The root_squash is the default settings for almost all NAS storage and even RHEL NFS server. The upgrade will fail when it inject the backup file to the HE image using guestfish. 2017-06-29 14:59:28 DEBUG otopi.context context._executeMethod:142 method exception Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod method['method']() File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 716, in _misc ohostedcons.Upgrade.BACKUP_FILE File "/usr/lib/python2.7/site-packages/otopi/transaction.py", line 156, in __exit__ self.commit() File "/usr/lib/python2.7/site-packages/otopi/transaction.py", line 148, in commit element.commit() File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 219, in commit self._injectBackup() File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/gr-he-common/vm/boot_disk.py", line 154, in _injectBackup g.add_drive_opts(filename=destination, format='raw', readonly=0) File "/usr/lib64/python2.7/site-packages/guestfs.py", line 559, in add_drive r = libguestfsmod.add_drive (self._o, filename, readonly, format, iface, name, label, protocol, server, username, secret, cachemode, discard, copyonread) RuntimeError: /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c: Permission denied We are using LIBGUESTFS_BACKEND as direct which means the guestfish will be executed as root user as hosted-engine-setup will be executed with root. g = guestfs.GuestFS(python_return_dict=True) g.set_backend('direct') g.add_drive_opts(filename=destination, format='raw', readonly=0) Manually executing with root === export LIBGUESTFS_BACKEND=direct guestfish -a /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c: Permission denied === With vdsm user === su vdsm -s /bin/bash -c 'guestfish -a /rhev/data-center/mnt/10.65.209.210:_data_nfs/c65acd3e-2ed8-46b6-8be9-a6d472c35441/images/1554afb0-1b74-497b-9d23-de7eed355595/c29d4ad0-ccf7-4863-a504-0bef62e6988c' Welcome to guestfish, the guest filesystem shell for editing virtual machine filesystems and disk images. Type: 'help' for help on commands 'man' to read the manual 'quit' to quit the shell ><fs> Welcome to guestfish, the guest filesystem shell for editing virtual machine filesystems and disk images. Type: 'help' for help on commands 'man' to read the manual 'quit' to quit the shell ><fs> ==== Version-Release number of selected component (if applicable): ovirt-hosted-engine-setup-2.0.4.3-3.el7ev.noarch How reproducible: 100% Steps to Reproduce: 1. Create a NFS share with root_squash and use it for HE deployment . 2. Upgrade using hosted-engine --upgrade-appliance Actual results: hosted-engine --upgrade-appliance is not working. Expected results: hosted-engine --upgrade-appliance should work fine with a NFS exported with root_squash as this is default setting for many NAS servers. Additional info: