Hi all,
I am using ovirt with an nfs server that enforces sec=krb5p. To do so, I
have created a service account of a sort for ovirt to use when accessing
the kerberized nfs server. Things seem to work pretty well except for the
ISO storage domain. After adding an ISO image, it does not show in the
storage domain. The problem is the following check when searching for iso
files within the nfs mount:
    def validateQemuReadable(self, targetPath):
        """
        Validate that qemu process can read file
        """
        gids = (grp.getgrnam(constants.DISKIMAGE_GROUP).gr_gid,
                grp.getgrnam(constants.METADATA_GROUP).gr_gid)
        st = _IOProcessOs(self._iop).stat(targetPath)
        if not (st.st_gid in gids and st.st_mode & stat.S_IRGRP or
                st.st_mode & stat.S_IROTH):
            raise OSError(errno.EACCES, os.strerror(errno.EACCES))
Although my vdsm and qemu user can read and write to the iso file, this
check fails as the file is not group owned by either, but by my service
account:
-bash-4.2$ whoami
vdsm
-bash-4.2$ sha256sum Fedora-Workstation-netinst-x86_64-27-1.6.iso
18ef4a6f9f470b40bd0cdf21e6c8f5c43c28e3a2200dcc8578ec9da25a6b376b  Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ touch Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ ls -alh Fedora-Workstation-netinst-x86_64-27-1.6.iso
-rw-r-----. 1 autovirt autovirt 508M Apr 22 20:31 Fedora-Workstation-netinst-x86_64-27-1.6.iso
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:36:36
Default principal: autovirt(a)SOMEDOMAIN.NET
Valid starting       Expires              Service principal
04/22/2018 20:03:57  04/23/2018 20:03:57  krbtgt/SOMEDOMAIN.NET(a)SOMEDOMAIN.NET
After modifying the validateQemuReadable functions (fileUtils.py and
outOfProcess.py) to be a noop return True, the ISO file showed up and I was
able to use it in a VM.
Would a patch be considered to remove this validateQemuReadable check? As
shown above, the current implementation causes more harm than good. I'd
rather have non-readable ISO files show up in the list and get a failure
during VM runtime anyways.
Thanks,
Andrew
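
The mismatch described in the message above, as an added illustration (not vdsm code and not part of the original post): a mode-bit heuristic modeled on the quoted check rejects a file that an actual open-for-read succeeds on. The function names, the temporary file and the gid values are constructed assumptions; the divergence is reproduced locally through owner access rather than Kerberos, and the open test only covers the calling user.

```python
import os
import stat
import tempfile


def mode_bits_say_readable(st, allowed_gids):
    """Ownership heuristic modeled on the check quoted in the message."""
    group_ok = st.st_gid in allowed_gids and bool(st.st_mode & stat.S_IRGRP)
    other_ok = bool(st.st_mode & stat.S_IROTH)
    return group_ok or other_ok


def can_actually_read(path):
    """Ask the filesystem (or NFS server) directly by reading one byte."""
    try:
        with open(path, "rb") as f:
            f.read(1)
        return True
    except OSError:
        return False


def compare(path, allowed_gids):
    """Return (heuristic verdict, real access verdict) for one file."""
    st = os.stat(path)
    return mode_bits_say_readable(st, allowed_gids), can_actually_read(path)


def demo():
    # Constructed sample: a 0640 file owned by the current user, checked
    # against a gid set that deliberately excludes the file's own group.
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        os.write(fd, b"constructed sample data")
        os.close(fd)
        os.chmod(path, 0o640)
        file_gid = os.stat(path).st_gid
        unrelated_gids = (file_gid + 1, file_gid + 2)  # hypothetical gids
        return compare(path, unrelated_gids)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```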