1447799 – Add qemu user to gluster group

Bug 1447799 - Add qemu user to gluster group

Summary: Add qemu user to gluster group

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	qemu
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Fedora Virtualization Maintainers
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	http://lists.ovirt.org/pipermail/deve...
Whiteboard:
Depends On:
Blocks:	1447694
TreeView+	depends on / blocked

Reported:	2017-05-03 21:01 UTC by Niels de Vos
Modified:	2017-07-12 20:32 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-07-12 20:32:35 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1447694	1	None	None	None	2021-01-20 06:05:38 UTC

Internal Links: 1447694

Description Niels de Vos 2017-05-03 21:01:37 UTC

QEMU is unable to store Gluster specific debugging logs under /var/run/gluster/... This is because QEMU runs as user "qemu" and does not have write permissions there. This debugging (called 'statedump') can be triggered from the Gluster CLI which sends an event to QEMU (when libgfapi is used).

When the glusterfs packages make sure that a group "gluster" has write permissions to /var/run/gluster/, could the qemu(-kvm-rhev) package be adjusted to have the "qemu" user in the "gluster" group? This would allow more debugging options that help with potential issues when QEMU runs with disk-images over libgfapi.so.


From Cole in a reply (not archived in the list yet) to this email from Ademar about splitting the qemu package in sub-packages per block-backend:

http://lists.ovirt.org/pipermail/devel/2017-April/030276.html

> Since that work is already in fedora, it actually makes things easier there
> for us, we can add the 'usermod -a -G gluster qemu' in the qemu-block-gluster
> subpackage %pre, which will guarantee that qemu-common (which creates the
> qemu user) and gluster packages (which create the gluster group) are already
> on disk.
> 
> OP please file a fedora qemu bug about this and we can go from there
> 
> Thanks,
> Cole

Comment 1 Daniel Berrangé 2017-05-03 21:07:13 UTC

(In reply to Niels de Vos from comment #0)
> QEMU is unable to store Gluster specific debugging logs under
> /var/run/gluster/... This is because QEMU runs as user "qemu" and does not
> have write permissions there. This debugging (called 'statedump') can be
> triggered from the Gluster CLI which sends an event to QEMU (when libgfapi
> is used).
> 
> When the glusterfs packages make sure that a group "gluster" has write
> permissions to /var/run/gluster/, could the qemu(-kvm-rhev) package be
> adjusted to have the "qemu" user in the "gluster" group? This would allow
> more debugging options that help with potential issues when QEMU runs with
> disk-images over libgfapi.so.

This feels like a pretty bad idea to me. If the /var/run/gluster directory is used for things not related to the "statedump", then you're giving QEMU access to them. Similarly if there are other files elsewhere (/etc, /var/lib, $whereever) that are access controlled based on the gluster group, then you'd again be giving QEMU access.

Comment 2 Niels de Vos 2017-05-03 21:18:01 UTC

(In reply to Daniel Berrange from comment #1)
> (In reply to Niels de Vos from comment #0)
..
> This feels like a pretty bad idea to me. If the /var/run/gluster directory
> is used for things not related to the "statedump", then you're giving QEMU
> access to them. Similarly if there are other files elsewhere (/etc,
> /var/lib, $whereever) that are access controlled based on the gluster group,
> then you'd again be giving QEMU access.

Currently the "gluster" group only has write permissions for /var/run/gluster. There are some other files (.pid) for processes in case the system is also used as a Gluster Storage Server, and not merely a Gluster client. Those other services are running as root, and therefore the files (.pid and some sockets) are only writable by root too.

In the future we will have a function in libgfapi.so that makes it possible to configure a different path for statedumps on a per application basis. I am not sure yet how QEMU (+through libvirt) will be able to pass a "path for dumping debug files", and if this path needs to be Gluster specific. That is something I'll be asking on the QEMU devel list when libgfapi.so offers this functionality.

Comment 3 Richard W.M. Jones 2017-05-04 07:49:20 UTC

(In reply to Niels de Vos from comment #2)
> In the future we will have a function in libgfapi.so that makes it possible
> to configure a different path for statedumps on a per application basis.

This seems like a better idea.  What are "statedumps" and under
what circumstances do they need to be written?

Comment 4 Niels de Vos 2017-05-04 08:36:52 UTC

(In reply to Richard W.M. Jones from comment #3)
> ....  What are "statedumps" and under what circumstances do they need to be
> written?

Statedumps contain details about the operations that are in progress, status if
inodes and memory allocations that are done by different translators (a
translator is a layer implementing a certain functionality for the Gluster
volume, like distribution, replication, cache, ...). A few more details about
these files are written on
https://github.com/gluster/glusterfs/blob/master/doc/debugging/statedump.md

To get a statedump from an application that uses libgfapi.so, a request needs
to be sent over the management connection from a storage server to the client.
Executing the 'gluster' command with some parameters on a storage server is the
normal way to do that.

It is only used for debugging purposes when it is suspected that the Gluster
client (here libgfapi.so with a set of translators) is misbehaving.

Comment 5 Daniel Berrangé 2017-05-04 09:09:25 UTC

(In reply to Richard W.M. Jones from comment #3)
> (In reply to Niels de Vos from comment #2)
> > In the future we will have a function in libgfapi.so that makes it possible
> > to configure a different path for statedumps on a per application basis.
> 
> This seems like a better idea.  What are "statedumps" and under
> what circumstances do they need to be written?

Agreed, that is the only viable approach from a security POV. Adding QEMU to the gluster group is just asking for trouble 6-12+ months down the line when some other critical file is access controlled based on the gluster group membership.
So my suggestion is WONTFIX on this request.

Comment 6 Paolo Bonzini 2017-05-05 08:24:28 UTC

It's possible to add a gluster-specific option for the path to QEMU's libgfapi driver.

Comment 7 Niels de Vos 2017-05-05 08:54:25 UTC

(In reply to Paolo Bonzini from comment #6)
> It's possible to add a gluster-specific option for the path to QEMU's
> libgfapi driver.

Yes, we would extend <qemu>/block/gluster.c to do have that, or use a more generic option that QEMU already has (like a working directory of some kind?). And then, we might need to teach libvirt and other projects to pass the option in case Gluster is used a block-driver.

I aim to add the libgfapi.so configurable options to GlusterFS 3.12, which is at least 3 months out. Once the functionality is there, I'll get in touch on the qemu-devel list about the most suitable directory that can be used as default.

Comment 8 Cole Robinson 2017-07-12 20:32:35 UTC

Seems like the idea of this bug (add qemu to gluster group) was abandoned, so closing. Please reopen if I misunderstood

Note You need to log in before you can comment on or make changes to this bug.