Hi all,

I am using ovirt with an nfs server that enforces sec=krb5p. To do so, I have created a service account of a sort for ovirt to use when accessing the kerberized nfs server. Things seem to work pretty well except for the the ISO storage domain. After adding an ISO image, it does not show in the storage domain. The problem is the following check when searching for iso files within the nfs mount:

    def validateQemuReadable(self, targetPath):
        """
        Validate that qemu process can read file
        """
        gids = (grp.getgrnam(constants.DISKIMAGE_GROUP).gr_gid,
                grp.getgrnam(constants.METADATA_GROUP).gr_gid)
        st = _IOProcessOs(self._iop).stat(targetPath)
        if not (st.st_gid in gids and st.st_mode & stat.S_IRGRP or
                st.st_mode & stat.S_IROTH):
            raise OSError(errno.EACCES, os.strerror(errno.EACCES))

Although my vdsm and qemu user can read and write to the iso file, this check fails as the file is not group owned by either, but by my service account:

-bash-4.2$ whoami
vdsm
-bash-4.2$ sha256sum Fedora-Workstation-netinst-x86_64-27-1.6.iso
18ef4a6f9f470b40bd0cdf21e6c8f5c43c28e3a2200dcc8578ec9da25a6b376b  Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ touch Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ ls -alh Fedora-Workstation-netinst-x86_64-27-1.6.iso
-rw-r-----. 1 autovirt autovirt 508M Apr 22 20:31 Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:36:36
Default principal: autovirt@SOMEDOMAIN.NET

Valid starting       Expires              Service principal
04/22/2018 20:03:57  04/23/2018 20:03:57  krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET

After modifying the validateQemuReadable functions (fileUtils.py and outOfProcess.py) to be a noop return True, the ISO file showed up and I was able to use it in a VM.

Would a patch be considered to remove this validateQemuReadable check? As shown above, the current implementation causes more harm than good. I'd rather for non readable ISO files to show up in the list and get a failure during VM runtime anyways.

Thanks,
Andrew