
3 Apr 2014, 5:22 a.m.
On 2014年04月03日 03:40, Aline Manera wrote: > On 04/01/2014 03:24 AM, Royce Lv wrote: >> On 2014年03月29日 05:20, Christy Perez wrote: >>> selinux has a special boolean to make it easier for disk images >>> to be stored on a remote NFS server. Set this to true when a user >>> adds an NFS storage pool. >>> >>> Most virtualzation documentation recommends that this be set >>> to true. For example: >>> http://www.ovirt.org/Troubleshooting_NFS_Storage_Issues >>> http://fedoraproject.org/wiki/How_to_debug_Virtualization_problems >>> >>> This will leave it set to true, even if >>> the user removes NFS storage pools. It is not a security risk, and >>> we should not set it to False in case it had already been set by the >>> user for another non-kimchi use. >>> >>> Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com> >>> --- >>> src/kimchi/i18n.py | 2 ++ >>> src/kimchi/model/storagepools.py | 5 +++++ >>> 2 files changed, 7 insertions(+) >>> >>> diff --git a/src/kimchi/i18n.py b/src/kimchi/i18n.py >>> index d45f607..8ade7d7 100644 >>> --- a/src/kimchi/i18n.py >>> +++ b/src/kimchi/i18n.py >>> @@ -144,6 +144,8 @@ messages = { >>> "KCHPOOL0034E": _("Unable to deactivate pool %(name)s as it is >>> associated with some templates"), >>> "KCHPOOL0035E": _("Unable to delete pool %(name)s as it is >>> associated with some templates"), >>> "KCHPOOL0036E": _("A volume group named '%(name)s' already >>> exists. Please, choose another name to create the logical pool."), >>> + "KCHPOOL0037E": _("Unable to set selinux bool virt_use_nfs for >>> NFS pool usage. Depending on \ >>> + your NFS config, this may prevent the pool >>> from being used."), >>> >>> "KCHVOL0001E": _("Storage volume %(name)s already exists"), >>> "KCHVOL0002E": _("Storage volume %(name)s does not exist in >>> storage pool %(pool)s"), >>> diff --git a/src/kimchi/model/storagepools.py >>> b/src/kimchi/model/storagepools.py >>> index 92b2496..d279ffa 100644 >>> --- a/src/kimchi/model/storagepools.py 
>>> +++ b/src/kimchi/model/storagepools.py >>> @@ -126,6 +126,11 @@ class StoragePoolsModel(object): >>> kimchi_log.error("Problem creating Storage Pool: %s", e) >>> raise OperationFailed("KCHPOOL0007E", >>> {'name': name, 'err': >>> e.get_error_message()}) >>> + if params['type'] == 'netfs': >>> + output, error, returncode = run_command(['setsebool', >>> '-P', >>> + 'virt_use_nfs=1']) >> 1. what about turn this on when start kimchi? Cause we just need to >> enable this for the first time. > > I don't think it is good. > If we modify it only on Kimchi startup and user or other application > revert our changes - the user will not be able to create the NFS pool Well, then what if other users change the firewall configuration? We still cannot access kimchi through browser. And I can't find a reason why user will intentionally toggle this off. I can accept this if you think this is safer, still we need to handle versions despite fedora/rhel. > >> 2. For Debian using apparmor, it does not have setsebool, I think >> this need to be handled too. >>> + if error or returncode: >>> + kimchi_log.error('KCHPOOL0037E') >>> return name >>> >>> def _clean_scan(self, pool_name): >> >> _______________________________________________ >> Kimchi-devel mailing list >> Kimchi-devel@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/kimchi-devel >
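Review bot: in the i18n.py hunk, the backslash line continuation inside the KCHPOOL0037E string literal keeps the next line's leading indentation inside the message, so the user-facing text would carry a run of embedded spaces. Use adjacent string literals instead, e.g. `"KCHPOOL0037E": _("Unable to set SELinux boolean virt_use_nfs for NFS pool usage. "` followed by `"Depending on your NFS config, this may prevent the pool from being used."),` so the message is one clean string and matches how the other entries are written.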
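Review bot: in the storagepools.py hunk, the failure branch logs only the bare key with `kimchi_log.error('KCHPOOL0037E')` and discards `error`, so the actual setsebool output (the binary missing on a host without SELinux tooling, as the Debian/AppArmor comment points out, or the boolean being unknown to the loaded policy) never reaches the log; log the captured error text alongside the key, and guard the call so hosts without `setsebool` do not take this path at all. Note also that `setsebool -P` makes a persistent, host-wide policy change that outlives the pool and needs root, and that it runs after the pool has already been created, so a failure leaves a pool that may be unusable while the API call still reports success; surfacing the KCHPOOL0037E text to the caller, or setting the boolean before creating the pool, would make that visible.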