Description of problem:
When using an NFS driver as the Cinder backend, the nas_secure_file_permissions and nas_secure_file_operations settings in the cinder.conf are set to auto. This is a sane default, but required supporting configuration options are not set to allow this to correctly function.

By default with the OSP install, if your NFS export allows setuid and isn't squashing root, you can successfully create cinder volumes and cinder snapshots. You CANNOT, however, perform any operations on the Cinder volumes once they have been attached to an instance, as they are then owned by qemu:qemu, and with the NFS security enhancements enabled the changes attempt to run as the Cinder process owner (cinder user) and fail as they have no access to the volumes.

The configuration changes that should be implemented when using an NFS driver as the Cinder backend are:
- Nova user belongs to the Cinder group on all compute nodes
- the /etc/libvirt/qemu.conf file has the following options configured:
    user = "nova"
    group = "cinder"
    dynamic_ownership = 0

Version-Release number of selected component (if applicable):
OSP

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
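A check for the two compute-node changes listed in the description, as an added example that is not part of the original report or of OSP. The function names, the sample file contents and the GIDs are constructed for illustration, and the check assumes nova's membership is recorded as a supplementary group in /etc/group.

```python
import re

# Values the report lists for /etc/libvirt/qemu.conf on compute nodes.
REQUIRED_QEMU = {"user": "nova", "group": "cinder", "dynamic_ownership": "0"}

def parse_qemu_conf(text):
    """Return active key -> value pairs; commented-out lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def group_members(group_text, group):
    """Return the member set of `group` from /etc/group text, or None."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return None

def audit(qemu_text, group_text):
    """List every deviation from the settings named in the report."""
    findings = []
    active = parse_qemu_conf(qemu_text)
    for key, want in REQUIRED_QEMU.items():
        got = active.get(key)  # None means the key is not set explicitly
        if got != want:
            findings.append(f"qemu.conf: {key} is {got!r}, expected {want!r}")
    members = group_members(group_text, "cinder")
    if members is None:
        findings.append("group: no cinder group on this node")
    elif "nova" not in members:
        findings.append("group: nova is not a member of cinder")
    return findings

# Constructed sample inputs: a node before and after the changes.
QEMU_BEFORE = '#user = "root"\n#group = "root"\n#dynamic_ownership = 1\n'
QEMU_AFTER = 'user = "nova"\ngroup = "cinder"\ndynamic_ownership = 0\n'
GROUP_BEFORE = "cinder:x:165:cinder\nnova:x:162:nova\n"
GROUP_AFTER = "cinder:x:165:cinder,nova\nnova:x:162:nova\n"

if __name__ == "__main__":
    for finding in audit(QEMU_BEFORE, GROUP_BEFORE):
        print(finding)
```

On a real node, pass the contents of /etc/libvirt/qemu.conf and /etc/group to `audit()`; an empty list means both changes are in place.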
Temporary workaround to this issue is to set these settings to false, until the larger secure NAS epic is complete.
We understand this one better, but it is going to take additional work to fix the intended use of this setting, and the feature, as people have noted, is not really correct. At the time it's not clear we can backport the change, but can evaluate that as we get closer.