[Users] Unable to add ISOs to default ISO storage domain
Keith Robertson
kroberts at redhat.com
Mon Feb 6 20:37:50 UTC 2012
On 02/06/2012 02:07 PM, Adam Litke wrote:
> On Fri, Feb 03, 2012 at 11:34:15AM -0500, Keith Robertson wrote:
>> > Can you pin your NFS export to a particular ID (below)? If you do it
>> > this way it won't matter what ID the client connects as because the
>> > NFS server will just override it with the one in the exports file.
>> >
>> > /virt/iso
>> > 192.168.122.11(rw,sync,all_squash,anonuid=107,anongid=107)
> Thanks for this suggestion Keith. We're planning to try this and I think it
> will be a reasonable workaround. In the name of improved usability I would like
> to consider relaxing this restriction in vdsm as danken has suggested. Security
> of the data on the mountpoint is really the job of the NFS server and its
> configuration.
>
You're welcome.
VDSMD appears to be using NFS in the proper manner and any "relaxation"
of permissions would need to occur on the NFS server not on the client
(i.e. VDSMD), IMHO. NFS's security model (or lack thereof) is based on
both UID/GID mapping and control statements in /etc/exports. Assuming
the server isn't "squashing", the NFS client must have a UID/GID that
allows it to r/w the exported files and directories in accordance with
the normal *nix permission set. I'm not sure how you expect to relax
this on the VDSMD side unless you're going to have it seteuid/egid to an
ID of your choice prior to r/w.
Cheers,
Keith
More information about the Users
mailing list