On 02/06/2012 02:07 PM, Adam Litke wrote:
> On Fri, Feb 03, 2012 at 11:34:15AM -0500, Keith Robertson wrote:
> > Can you pin your NFS export to a particular ID (below)? If you do it
> > this way it won't matter what ID the client connects as because the
> > NFS server will just override it with the one in the exports file.
> >
> > /virt/iso 192.168.122.11(rw,sync,all_squash,anonuid=107,anongid=107)
> Thanks for this suggestion Keith. We're planning to try this and I think it
> will be a reasonable workaround. In the name of improved usability I would like
> to consider relaxing this restriction in vdsm as danken has suggested. Security
> of the data on the mountpoint is really the job of the NFS server and its
> configuration.
You're welcome.
VDSMD appears to be using NFS in the proper manner and any "relaxation"
of permissions would need to occur on the NFS server not on the client
(i.e. VDSMD), IMHO. NFS's security model (or lack thereof) is based on
both UID/GID mapping and control statements in /etc/exports. Assuming
the server isn't "squashing", the NFS client must have a UID/GID that
allows it to r/w the exported files and directories in accordance with
the normal *nix permission set. I'm not sure how you expect to relax
this on the VDSMD side unless you're going to have it seteuid/egid to an
ID of your choice prior to r/w.
Cheers,
Keith
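
The ID mapping discussed in this thread, as an added example that is not part of the original messages and is not vdsm or nfs-utils code: it parses the quoted exports entry, works out which UID/GID the server acts as for a request, and applies the usual owner/group/other check. The client UID 36, the 107:107 ownership, the 0750 mode, the unsquashed contrast entry and the 65534 anonymous-ID default are assumptions made for illustration.

```python
import re

ANON_DEFAULT = 65534  # assumption: nfs-utils default anonymous uid/gid ("nobody")

def parse_export(line):
    """Parse one /etc/exports entry into (path, {client: options})."""
    path, *clients = line.split()
    parsed = {}
    for spec in clients:
        m = re.fullmatch(r"([^()]+)\(([^()]*)\)", spec)
        if not m:
            raise ValueError(f"unsupported client spec: {spec!r}")
        opts = {}
        for item in filter(None, m.group(2).split(",")):
            key, _, value = item.partition("=")
            opts[key] = value if value else True
        parsed[m.group(1)] = opts
    return path, parsed

def effective_ids(opts, uid, gid):
    """IDs the server acts as for a request that arrives as uid:gid."""
    anon_uid = int(opts.get("anonuid", ANON_DEFAULT))
    anon_gid = int(opts.get("anongid", ANON_DEFAULT))
    if "all_squash" in opts:
        return anon_uid, anon_gid          # every client ID is overridden
    if "no_root_squash" not in opts:       # root_squash is the default
        uid = anon_uid if uid == 0 else uid
        gid = anon_gid if gid == 0 else gid
    return uid, gid

def can_read_write(owner_uid, owner_gid, mode, uid, gid):
    """Owner/group/other rw check (ignores ACLs and supplementary groups)."""
    if uid == owner_uid:
        bits = mode >> 6
    elif gid == owner_gid:
        bits = mode >> 3
    else:
        bits = mode
    return bits & 0o6 == 0o6

SQUASHED = "/virt/iso 192.168.122.11(rw,sync,all_squash,anonuid=107,anongid=107)"
PLAIN = "/virt/iso 192.168.122.11(rw,sync)"  # constructed contrast, no squashing

def client_can_rw(line, client_uid, client_gid, host="192.168.122.11"):
    """True if the client may r/w a directory assumed owned 107:107, mode 0750."""
    _, clients = parse_export(line)
    opts = clients[host]
    uid, gid = effective_ids(opts, client_uid, client_gid)
    return "rw" in opts and can_read_write(107, 107, 0o750, uid, gid)
```

With the squashed entry the client's own ID is irrelevant; with the plain entry only a client already running as 107 passes the check, which is the constraint Keith describes.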