2115153 – [virt-clone] cloned qcow2 images don't inherit ACLs according to the default ACLs

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2115153 - [virt-clone] cloned qcow2 images don't inherit ACLs according to the default ACLs

Summary: [virt-clone] cloned qcow2 images don't inherit ACLs according to the default ...

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	virt-manager
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Virtualization Maintenance
QA Contact:	virt QE bot
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-08-04 00:29 UTC by janfishergg
Modified:	2023-09-22 13:31 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-09-22 13:31:56 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHEL-7124	0	None	Migrated	None	2023-09-22 13:31:48 UTC
Red Hat Issue Tracker	RHELPLAN-130245	0	None	None	None	2022-08-04 01:17:28 UTC

Description janfishergg 2022-08-04 00:29:59 UTC

Description of problem:
Using virt-clone to clone a virtual machine disk image leaves the cloned image with "empty" effective ACLs.

Version-Release number of selected component (if applicable):
Linux myhost1 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Thu Apr 14 12:42:38 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux release 9.0 (Plow)

acl.x86_64                                       2.3.1-3.el9
libacl.x86_64                                    2.3.1-3.el9


How reproducible:
Fully

Steps to Reproduce:
[root@myhost1 images]# setfacl -m d:johnd:rwx /var/lib/libvirt/images/
[johnd@myhost1 ~]$ virt-clone --connect qemu:///system --original base --auto-clone --name clone1
[root@myhost1 images]# getfacl clone1.qcow2 

Actual results:
[root@myhost1 images]# getfacl clone1.qcow2 
# file: clone1.qcow2
# owner: root
# group: root
user::rw-
user:johnd:rwx			#effective:---
group::--x			#effective:---
mask::---
other::---


Expected results:
[root@myhost1 images]# getfacl clone1.qcow2 
# file: clone1.qcow2
# owner: root
# group: root
user::rw-
user:johnd:rwx
group::--x
mask::---
other::---

Comment 1 Lukáš Zaoral 2022-08-08 11:00:42 UTC

Hello,
could please provide the output of `getfacl /var/lib/libvirt/images`?  I can't verify the (in)correctness of the ACL on the copied file without the knowledge of default ACL set on its parent directory.  Also, I would like to stress that I'm a maintainer of libacl and not of virt-install (package that contains virt-clone) so it's possible that virt-clone does some ACL magic on its own that is out of my reach.

Additionally, the only difference between the actual and expected results in your report are the two lines with `#effective:---`.  That is correct (at least in relation to the ACL entries themselves) because the `mask::---` restricts both permissions of named users/groups and permissions of the owning group.  If you want to suppress the output of effective rights, you can pass `-E` to `getfacl`.

Comment 2 janfishergg 2022-08-08 14:41:45 UTC

Hello,

the mask and default mask should not restrict anything as they're "rwx" [1]. I don't know if virt-clone does any ACL magic on its own but it doesn't look like it. When I just use virt-clone there are no ACLs on /var/lib/libvirt/images/ or on any files in that directory. All ACLs are a result of me applying them with setfacl AFAIK.

I agree that the correct behavior of "---" mask is to restrict both permissions of named users/groups and permissions of the owning group. However I don't understand why the clone1.qcow2 file has that mask set to begin with. The parent directory has a default mask of "rwx" so I'm expecting for it to be inherited by clone1.qcow2's mask.

Btw I only really care for the "rw-" permissions to be applied, I included "x" as a result of sloppiness. I want the "rw-" permissions to be applied on all files created in /var/lib/libvirt/images/ but for some reason that doesn't happen for files created by virt-clone.



[1]
[root@myhost1 ~]# getfacl /var/lib/libvirt/images/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/libvirt/images/
# owner: root
# group: root
user::rwx
group::--x
group:johnd:rwx
mask::rwx
other::--x
default:user::rwx
default:user:johnd:rwx
default:group::--x
default:group:johnd:rwx
default:mask::rwx
default:other::--x

Comment 3 Lukáš Zaoral 2022-08-09 11:58:31 UTC

Thank you for the information!

I tried the reproducer and got the same results.  Upon further inspection, I found out that libvirt's default mode for storage volumes is 0600 [1] and this mode also seems to be (re)set during cloning.  When the ACL mask entry is present it corresponds to the permissions of the owning group for the ACL unaware tools.  Thus, cloning the mode sets the following ACL entries which correspond to the results you've provided: user::rw-, mask::---, other::---

This behaviour is correct from the point of ACL.  Therefore, I'm going to reassign this bug to the virt-manager component (which contains virt-clone) for further inspection.

[1] https://github.com/libvirt/libvirt/blob/3d5245e3ebd1e143ea858c8535474b681bc21a38/src/storage/storage_util.h#L152

Comment 4 Cole Robinson 2022-08-21 20:40:49 UTC

virt-clone largely uses libvirt APIs for storage duplication, so libvirt would need new support here, so reassigning.

These days the libvirt storage code does not see much new development these days though, so I don't expect this to be fixed any time soon, if ever

Comment 7 Martin Kletzander 2023-09-01 20:31:30 UTC

Fix proposed upstream: https://github.com/virt-manager/virt-manager/pull/564

Comment 8 RHEL Program Management 2023-09-22 13:30:50 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 9 RHEL Program Management 2023-09-22 13:31:56 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.