Bug 853986

Summary: ISO uploader uploads files with bad owner / permissions
Product: Red Hat Enterprise Virtualization Manager Reporter: Barak Dagan <bdagan>
Component: ovirt-engine-iso-uploader Assignee: Keith Robertson <kroberts>
Status: CLOSED NOTABUG QA Contact: Barak Dagan <bdagan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.1.0 CC: dyasny, hateya, iheim, jmoran, kroberts, mgoldboi, oramraz, pstehlik, Rhev-m-bugs, ykaul
Target Milestone: --- Flags: bdagan: needinfo+
bdagan: needinfo+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-06 12:37:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Barak Dagan 2012-09-03 13:50:07 UTC
(In reply to comment #0) - fixes to the comment
> Description of problem:
> After files are uploaded using the iso-uploader tool, they are not seen by
> the RHEV-M webadmin console.
> Seems that the uploaded files belong to user nobody with permissions u+rw,
> g+r, o+r. 
> 
> ownership to vdsm is impossible, workaround: add a+w permission, using vdsm
> shell.
> 
> log's single line 
> ( /var/log/ovirt-engine/rhevm-iso-uploader.log):
> 2012-09-02 18:11:52::WARNING::rhevm-iso-uploader::661::root:: failed to
> refresh the list of files available in the fire-NFS-ISO ISO storage domain.
> Please refresh the list manually using the 'Refresh' button in the RHEV-M
> Webadmin console.
> 
> note: this bug is similar to 847833, the difference is that in this case the
> storage was made manually using the Storage Device webadmin console.

Comment 2 Keith Robertson 2012-09-03 20:46:10 UTC
Please run the same test with verbose logging (i.e. -v) and post the output.  Also, please...
1- mount the NFS export domain
2- su - vdsm
3- tree -pug /path/to/export

Comment 3 Barak Dagan 2012-09-04 15:06:24 UTC
(In reply to comment #2)
> Please run the same test with verbose logging (i.e. -v) and post the output.
> Also, please...
> 1- mount the NFS export domain
> 2- su - vdsm
> 3- tree -pug /path/to/export

-------------------------------------

[root@fire-vdc ~]# rhevm-iso-uploader -v -i fire-NFS-ISO upload /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso 
Please provide the REST API password for the admin@internal RHEV-M user (CTRL+D to abort): 
DEBUG: API Vendor(Red Hat)	API Version(3.1.0)
DEBUG: id=66daa2c4-61b9-4dc7-b983-c78032e00cee address=wolf.qa.lab.tlv.redhat.com path=/volumes/wolf/fire-vdc_fire_0_nfs_20120830143719465893
DEBUG: local NFS mount point is /tmp/tmp0KVK42
DEBUG: NFS mount command (/bin/mount -t nfs -o rw,sync,soft wolf.qa.lab.tlv.redhat.com:/volumes/wolf/fire-vdc_fire_0_nfs_20120830143719465893 /tmp/tmp0KVK42)
DEBUG: /bin/mount -t nfs -o rw,sync,soft wolf.qa.lab.tlv.redhat.com:/volumes/wolf/fire-vdc_fire_0_nfs_20120830143719465893 /tmp/tmp0KVK42
DEBUG: _cmds(['/bin/mount', '-t', 'nfs', '-o', 'rw,sync,soft', 'wolf.qa.lab.tlv.redhat.com:/volumes/wolf/fire-vdc_fire_0_nfs_20120830143719465893', '/tmp/tmp0KVK42'])
DEBUG: returncode(0)
DEBUG: STDOUT()
DEBUG: STDERR()
DEBUG: Size of /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso:	222666752 bytes	217448.0 1K-blocks	212.0 MB
DEBUG: Available space in /tmp/tmp0KVK42/66daa2c4-61b9-4dc7-b983-c78032e00cee/images/11111111-1111-1111-1111-111111111111:	7169320681472 bytes	7001289728.0 1K-blocks	6837197.0 MB
DEBUG: euid(0) egid(0)
DEBUG: euid(0) egid(0)
WARNING: failed to refresh the list of files available in the fire-NFS-ISO ISO storage domain. Please refresh the list manually using the 'Refresh' button in the RHEV-M Webadmin console.
DEBUG: 
status: 400
reason: Bad Request
detail: Error connecting to the Storage Pool Manager service.
Possible reasons:
 - Storage Pool Manager service is in non-active state.
 - No Active Host in the Data Center.
DEBUG: /bin/umount -t nfs -f  /tmp/tmp0KVK42
DEBUG: /bin/umount -t nfs -f  /tmp/tmp0KVK42
DEBUG: _cmds(['/bin/umount', '-t', 'nfs', '-f', '/tmp/tmp0KVK42'])
DEBUG: returncode(0)
DEBUG: STDOUT()
DEBUG: STDERR()

-------------------------------------

[root@puma31 11111111-1111-1111-1111-111111111111]# su - vdsm
-bash-4.1$ tree -pug  /rhev/data-center/be2f412a-f28f-11e1-9cdc-001a4a169798/66daa2c4-61b9-4dc7-b983-c78032e00cee/images/11111111-1111-1111-1111-111111111111/
/rhev/data-center/be2f412a-f28f-11e1-9cdc-001a4a169798/66daa2c4-61b9-4dc7-b983-c78032e00cee/images/11111111-1111-1111-1111-111111111111/
├── [-rw-rw-rw- nobody   nobody  ]  en_windows_7_enterprise_x64.iso
├── [-rw-r----- nobody   nobody  ]  rhev-tools-setup.iso
└── [-rw-rw-rw- nobody   nobody  ]  virtio-win-1.4.0.vfd

0 directories, 3 files
-bash-4.1$ 

Note: we can see en_windows_... and virtio-win.... but can't see rhev-tools.
****************************************************************************

-------------------------------------

Comment 4 Keith Robertson 2012-09-04 15:21:45 UTC
The tool is correctly setting the permissions to 640.  It is a *bad* idea to set r/w for world on an NFS export domain.  This is a serious security risk. 

I think that the problem is with the NFS server and not with the tool.  Have you tried the suggestions listed in [1] for configuring your NFS server?

[1] http://wiki.ovirt.org/wiki/Troubleshooting_NFS_Storage_Issues#RHEL6_based_distro

Comment 5 Barak Dagan 2012-09-05 08:02:28 UTC
(In reply to comment #4)
> The tool is correctly setting the permissions to 640.  It is a *bad* idea to
> set r/w for world on an NFS export domain.  This is a serious security risk. 
> 
> I think that the problem is with the NFS server and not with the tool.  Have
> you tried the suggestions listed in [1] for configuring your NFS server.
> 
> [1]
> http://wiki.ovirt.org/wiki/
> Troubleshooting_NFS_Storage_Issues#RHEL6_based_distro

As for the user and group: they are already set:
[root@fire-vdc ~]# egrep -i "^kvm" /etc/group
kvm:x:36:

[root@fire-vdc ~]# egrep -i "^vdsm" /etc/passwd
vdsm:x:36:36:Node Virtualization Manager:/var/lib/vdsm:/sbin/nologin

As for the storage directory, it doesn't exist, but the files are saved in 
/rhev/data-center/be2f412a-f28f-11e1-9cdc-001a4a169798/66daa2c4-61b9-4dc7-b983-c78032e00cee/images/11111111-1111-1111-1111-111111111111/
which has problematic permissions:
[root@puma31 images]# ls -l
drwxr-xr-x 2 nobody nobody 5 Sep  4 17:44 11111111-1111-1111-1111-111111111111

Comment 6 Keith Robertson 2012-09-05 13:31:19 UTC
(In reply to comment #5)

> [root@puma31 images]# ls -l
> drwxr-xr-x 2 nobody nobody 5 Sep  4 17:44
> 11111111-1111-1111-1111-111111111111

The problem is that you are logged in as *root* and browsing your NFS export.  To verify that VDSM could actually see the files you need to *be* the VDSM user when walking around the NFS export.  To do this you must:

1) Mount the NFS export as root.  Only root can issue 'mount'
2) su - vdsm <--- Critically important.
3) cd /mount/.../be2f412a-f28f-11e1-9cdc-001a4a169798/66daa2c4-61b9-4dc7-b983-c78032e00cee/images/11111111-1111-1111-1111-111111111111/
4) Look for files as the user VDSM


If you cannot see the files... the problem is with your permissions on your NFS server.

Comment 7 Keith Robertson 2012-09-06 12:31:19 UTC
Barak,
You need to verify that, as a user with UID=36 and GID=36, you could actually see the files on the NFS export.  Mounting the NFS export as root and browsing around as root is not a valid test.  You must mount as root, 'su - vdsm', and browse around.  The easiest way to do this is via a hypervisor.

Keith
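
Added example, not part of the bug thread or the iso-uploader's code: a shell script that predicts from owner, group and mode whether UID 36 / GID 36 can read each file in an ISO domain directory, and flags world-writable files. The function names `classify` and `scan_dir` are hypothetical; it assumes GNU `stat` and plain POSIX mode bits as the client reports them (no ACLs, no NFS ID mapping), so reading the files as the vdsm user remains the authoritative test.

```shell
#!/bin/sh
# Added example (not from the bug report or the tool).
# Assumptions: GNU stat; plain POSIX mode bits as the NFS client reports
# them; no ACLs, no supplementary groups, no directory-traversal check.

# classify OWNER_UID OWNER_GID OCTAL_MODE TARGET_UID TARGET_GID
# Prints OK, UNREADABLE, or WORLD-WRITABLE (readable, but writable by anyone).
classify() {
    o_uid=$1 o_gid=$2 t_uid=$4 t_gid=$5
    bits=$((0$3))                 # octal string from stat -> integer
    # POSIX picks exactly one class: owner first, then group, then other.
    if   [ "$t_uid" -eq "$o_uid" ]; then r=$((bits & 0400))
    elif [ "$t_gid" -eq "$o_gid" ]; then r=$((bits & 0040))
    else                                 r=$((bits & 0004))
    fi
    if [ "$r" -eq 0 ]; then
        echo UNREADABLE
    elif [ $((bits & 0002)) -ne 0 ]; then
        echo WORLD-WRITABLE
    else
        echo OK
    fi
}

# scan_dir DIR [TARGET_UID] [TARGET_GID]
# Defaults to 36:36, the vdsm:kvm IDs shown on the page.
scan_dir() {
    dir=$1 t_uid=${2:-36} t_gid=${3:-36}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Word splitting is intended: uid, gid, octal mode.
        set -- $(stat -c '%u %g %a' "$f")
        printf '%s\t%s\n' \
            "$(classify "$1" "$2" "$3" "$t_uid" "$t_gid")" "${f##*/}"
    done
}

# Run only when a directory is given, e.g. the mounted images/1111... path.
[ $# -eq 0 ] || scan_dir "$@"
```

With an owner that is neither UID 36 nor GID 36, mode 640 is reported as UNREADABLE and mode 666 as WORLD-WRITABLE, which matches the `tree -pug` listing in comment 3.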

Comment 8 Haim 2012-09-06 12:37:16 UTC
Closing as not a bug since it's a configuration problem with Nexenta and NFSv4.