Description of problem: ======================= nova _base images permissions shouldn are world readable. I'd expect more strict Version-Release number of selected component (if applicable): ============================================================= Folsom. How reproducible: ================= 100% Steps to Reproduce: =================== 1. Run few instances and check the files created at /var/lib/nova/instances/_base 2. 3. Actual results: =============== nova _base images permissions are world readable. -rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part -rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04 -rw-r--r--. 1 qemu qemu 20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20 -rw-r--r--. 1 qemu qemu 40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40 -rw-r--r--. 1 nova nova 20G Dec 31 15:56 ephemeral_0_20_None -rw-r--r--. 1 qemu qemu 20G Dec 31 15:57 ephemeral_0_20_None_20 -rw-r--r--. 1 qemu qemu 160G Jan 1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160 -rw-r--r--. 1 nova nova 241M Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part -rw-r--r--. 1 nova nova 9.8G Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557 -rw-r--r--. 1 nova nova 0 Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20 -rw-r--r--. 1 nova nova 241M Jan 6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part -rw-r--r--. 1 nova nova 9.8G Jan 6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644 -rw-r--r--. 1 qemu qemu 20G Jan 6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20 Expected results: ================= nova _base images should be more strict
I proposed this patch upstream at https://review.openstack.org/#/c/22278/ If it gets in, great. If it does not, we can patch downstream.
This is upstream bug https://bugs.launchpad.net/nova/+bug/1129748 It may be marked private for now, but it'll probably be made public soon, since this Bugzilla bug is public, as is my review above.
The upstream patch has been held up because it's failing tests in the devstack-gate. That's because devstack-gate is running as the stack user, and /opt/stack/data is owned by root. That's a problem in devstack, which is https://review.openstack.org/#/c/23298/
*** Bug 972912 has been marked as a duplicate of this bug. ***
I've updated the upstream bug (https://bugs.launchpad.net/nova/+bug/1129748) with my thoughts about the issue. In short, the qemu instance runs as user qemu who after the permissions change with dripton's patch cannot access the instances directory. The solution I propose is to change the ownership and permissions of the instances directory from the nova package so that only qemu and nova users can access it.
*** This bug has been marked as a duplicate of bug 980590 ***