[ovirt-users] gluster VM disk permissions

Bill James bill.james at j2.com
Fri May 20 21:53:02 UTC 2016


maybe the other doc is old but it says:
"And a feature I intentionally removed in RHEL 7 was importing KVM → KVM"
which is what I am doing. raw disk KVM to ovirt.

Yes I can copy the disk image over the top of an ovirt disk image, but 
the import script seemed cleaner.

Does virt-v2v try to convert the KVM image to KVM image or does it just 
import it?




On 5/20/16 2:44 PM, Nir Soffer wrote:
> On Fri, May 20, 2016 at 11:48 PM, Bill James <bill.james at j2.com> wrote:
>> I had added user = "root" because we use the import-to-ovirt.pl to move Vms
>> from our old virtual platform to ovirt.
>> My understanding was that was required for the to work.
>> Is that not true or is the import script not worth the headaches caused?
>> (https://rwmj.wordpress.com/2015/09/18/importing-kvm-guests-to-ovirt-or-rhev/)
> I don't know anything about this solution, adding Richard to add more info.
>
> If you run 3.6, you can use v2v to import from other systems.
> Adding Shahar to add info on v2v.
>
> Nir
>
>> [root at ovirt3 prod 4c4bfdf7-bc70-41b2-ab58-710ff8e850bf]# grep ^user /etc/libvirt/qemu.conf
>> user = "root"
>>
>> I'm assuming that's what sets the qemu user.
>>
>>
>>
>> When I first tried using that script without setting "user = root" it didn't
>> work.
>>
>>
>>
>>
>> On 5/20/16 1:16 PM, Nir Soffer wrote:
>>> On Fri, May 20, 2016 at 10:41 PM, Bill James <bill.james at j2.com> wrote:
>>>> attached output from one host. others look similar.
>>> Your qemu runs as *root*:
>>>
>>>       root root root root qemu qemu qemu qemu /usr/libexec/qemu-kvm
>>>
>>> Here is the output from normal installation:
>>>
>>>       qemu qemu qemu qemu qemu qemu qemu qemu /usr/libexec/qemu-kvm
>>>
>>> I guess that gluster is configured with "option root-squashing on" so you
>>> practically run as "nobody", and you are not in the kvm group.
>>>
>>> Running qemu as root is also a security risk, if there is a security bug
>>> in qemu a vm can use it to compromise your host or other vms.
>>>
>>> Maybe you can configure gluster to treat root as vdsm using
>>>
>>>       option translate-uid 0=36
>>>
>>> See
>>> http://www.gluster.org/community/documentation/index.php/Translators/features
>>>
>>> But a better solution is to run qemu as qemu.
>>>
>>> Adding Sahina to advise about gluster configuration.
>>>
>>> Nir
>>>
>>>>
>>>>
>>>> On 5/20/16 11:47 AM, Nir Soffer wrote:
>>>>
>>>> On Fri, May 20, 2016 at 9:25 PM, Bill James <bill.james at j2.com> wrote:
>>>>> yes
>>>>>
>>>>> [root at ovirt2 prod .shard]# sestatus
>>>>> SELinux status:                 disabled
>>>>>
>>>>> [root at ovirt3 prod ~]# sestatus
>>>>> SELinux status:                 disabled
>>>>
>>>> Can you share output of:
>>>>
>>>> ps -e -o euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd | egrep 'qemu|libvirt'
>>>> ps auxe | egrep 'qemu|libvirt'
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 5/20/16 11:13 AM, Nir Soffer wrote:
>>>>>
>>>>> On Fri, May 20, 2016 at 9:02 PM, Bill James <bill.james at j2.com> wrote:
>>>>>> [root at ovirt1 prod ~]# sestatus
>>>>>> SELinux status:                 disabled
>>>>>
>>>>> Same on ovirt2?
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/20/16 10:49 AM, Nir Soffer wrote:
>>>>>>
>>>>>> This smells like selinux issues, did you try with permissive mode?
>>>>>>
>>>>>> On May 20, 2016 at 7:59 PM, "Bill James" <bill.james at j2.com> wrote:
>>>>>>> Nobody has any ideas or thoughts on how to troubleshoot?
>>>>>>>
>>>>>>> why does qemu group work but not kvm when qemu is part of kvm group?
>>>>>>>
>>>>>>> [root at ovirt1 prod vdsm]# grep qemu /etc/group
>>>>>>> cdrom:x:11:qemu
>>>>>>> kvm:x:36:qemu,sanlock
>>>>>>> qemu:x:107:vdsm,sanlock
>>>>>>>
>>>>>>>
>>>>>>> On 5/18/16 3:47 PM, Bill James wrote:
>>>>>>>> another data point.
>>>>>>>> Changing just owner to qemu doesn't help.
>>>>>>>> Changing just group to qemu does. VM starts fine after that.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 05/18/2016 11:49 AM, Bill James wrote:
>>>>>>>>> Some added info. This issue seems to be just like this bug:
>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1052114
>>>>>>>>>
>>>>>>>>> I have verified that chown qemu:qemu of disk image also fixes the
>>>>>>>>> startup issue.
>>>>>>>>> I'm using raw, not qcow images.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# qemu-img info 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>> image: 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>> file format: raw
>>>>>>>>> virtual size: 20G (21474836480 bytes)
>>>>>>>>> disk size: 1.9G
>>>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# ls -l 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>> -rw-rw---- 1 qemu qemu 21474836480 May 18 11:38 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>>
>>>>>>>>> (default perms = vdsm:kvm)
>>>>>>>>>
>>>>>>>>> qemu-img-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>>>> qemu-kvm-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>>>> libvirt-daemon-1.2.17-13.el7_2.4.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ideas??
>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>> This email, its contents and attachments contain information from j2
>>>>>> Global, Inc. and/or its affiliates which may be privileged, confidential or
>>>>>> otherwise protected from disclosure. The information is intended to be for
>>>>>> the addressee(s) only. If you are not an addressee, any disclosure, copy,
>>>>>> distribution, or use of the contents of this message is prohibited. If you
>>>>>> have received this email in error please notify the sender by reply e-mail
>>>>>> and delete the original message and any copies. © 2015 j2 Global, Inc. All
>>>>>> rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe ®
>>>>>> and Onebox ® are registered trademarks of j2 Global, Inc. and its
>>>>>> affiliates.
>>>>>
>>>>>
>>>>
>>>>
>>
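
The check discussed in the quoted thread (the `user` setting in qemu.conf and the `ps` credential columns), as an added example that is not part of the original messages: a shell script that reads the active `user` value from a qemu.conf-style file and filters `ps` output for qemu-kvm processes running as root. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check which identity qemu-kvm runs as.

# Active `user = ...` value in a qemu.conf-style file; empty if unset or commented out.
qemu_conf_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Reads the output of
#   ps -e -o euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd
# on stdin and prints every qemu-kvm line where any of the first four
# (user) columns is root. Field 9 is the first word of the command.
qemu_root_procs() {
    awk '$9 ~ /qemu-kvm$/ {
        for (i = 1; i <= 4; i++)
            if ($i == "root") { print; break }
    }'
}

# Constructed sample input, modelled on the two ps lines quoted in the thread.
sample_ps() {
    cat <<'EOF'
EUSER    USER     SUSER    FUSER    EGROUP   RGROUP   SGROUP   FGROUP   CMD
root     root     root     root     qemu     qemu     qemu     qemu     /usr/libexec/qemu-kvm -name vm-a
qemu     qemu     qemu     qemu     qemu     qemu     qemu     qemu     /usr/libexec/qemu-kvm -name vm-b
root     root     root     root     root     root     root     root     /usr/sbin/libvirtd --listen
EOF
}

# Constructed qemu.conf fragment: commented defaults plus one active override.
sample_conf() {
    printf '%s\n' '#user = "qemu"' 'user = "root"' '#group = "qemu"'
}

conf=$(mktemp)
sample_conf > "$conf"
echo "qemu.conf user: $(qemu_conf_user "$conf")"
echo "qemu-kvm processes running as root:"
sample_ps | qemu_root_procs
rm -f "$conf"
```

On a live host, pipe the real `ps` command from the thread into `qemu_root_procs` and pass `/etc/libvirt/qemu.conf` to `qemu_conf_user`.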



