[ovirt-users] gluster VM disk permissions

Bill James bill.james at j2.com
Fri May 20 20:48:58 UTC 2016


I had added user = "root" because we use the import-to-ovirt.pl to move 
Vms from our old virtual platform to ovirt.
My understanding was that was required for the to work.
Is that not true or is the import script not worth the headaches caused?
(https://rwmj.wordpress.com/2015/09/18/importing-kvm-guests-to-ovirt-or-rhev/)


[root at ovirt3 prod 4c4bfdf7-bc70-41b2-ab58-710ff8e850bf]# grep ^user 
/etc/libvirt/qemu.conf
user = "root"

I'm assuming that's what sets the qemu user.



When I first tried using that script without setting "user = root" it 
didn't work.



On 5/20/16 1:16 PM, Nir Soffer wrote:
> On Fri, May 20, 2016 at 10:41 PM, Bill James <bill.james at j2.com> wrote:
>> attached output from one host. others look similar.
> Your qemu runs as *root*:
>
>      root root root root qemu qemu qemu qemu /usr/libexec/qemu-kvm
>
> Here is the output from normal installation:
>
>      qemu     qemu     qemu     qemu     qemu     qemu     qemu
> qemu     /usr/libexec/qemu-kvm
>
> I guess that gluster is configure with "option root-squashing on" so you
> practically run as "nobody", and you are not in the kvm group.
>
> Running qemu as root is also a security risk, if there is a security bug in qemu
> a vm can use it to compromise your host or other vms.
>
> Maybe you can configure gluster to treat root as vdsm using
>
>      option translate-uid 0=36
>
> See http://www.gluster.org/community/documentation/index.php/Translators/features
>
> But a better solution is to run qemu as qemu.
>
> Adding Sahina to advise about gluster configuration.
>
> Nir
>
>>
>>
>>
>> On 5/20/16 11:47 AM, Nir Soffer wrote:
>>
>> On Fri, May 20, 2016 at 9:25 PM, Bill James <bill.james at j2.com> wrote:
>>> yes
>>>
>>> [root at ovirt2 prod .shard]# sestatus
>>> SELinux status:                 disabled
>>>
>>> [root at ovirt3 prod ~]# sestatus
>>> SELinux status:                 disabled
>>
>> Can  you share output of:
>>
>> ps -e -o euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd | egrep 'qemu|libvirt'
>> ps auxe | egrep 'qemu|libvirt'
>>
>>>
>>>
>>>
>>>
>>> On 5/20/16 11:13 AM, Nir Soffer wrote:
>>>
>>> On Fri, May 20, 2016 at 9:02 PM, Bill James <bill.james at j2.com> wrote:
>>>> [root at ovirt1 prod ~]# sestatus
>>>> SELinux status:                 disabled
>>>
>>> Same on ovirt2?
>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 5/20/16 10:49 AM, Nir Soffer wrote:
>>>>
>>>> This smells like selinux issues, did yoi try with permissive mode?
>>>>
>>>> בתאריך 20 במאי 2016 7:59 אחה״צ,‏ "Bill James" <bill.james at j2.com> כתב:
>>>>> Nobody has any ideas or thoughts on how to troubleshoot?
>>>>>
>>>>> why does qemu group work but not kvm when qemu is part of kvm group?
>>>>>
>>>>> [root at ovirt1 prod vdsm]# grep qemu /etc/group
>>>>> cdrom:x:11:qemu
>>>>> kvm:x:36:qemu,sanlock
>>>>> qemu:x:107:vdsm,sanlock
>>>>>
>>>>>
>>>>> On 5/18/16 3:47 PM, Bill James wrote:
>>>>>> another data point.
>>>>>> Changing just owner to qemu doesn't help.
>>>>>> Changing just group to qemu does. VM starts fine after that.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 05/18/2016 11:49 AM, Bill James wrote:
>>>>>>> Some added info. This issue seems to be just like this bug:
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1052114
>>>>>>>
>>>>>>> I have verified that chown qemu:qemu of disk image also fixes the startup issue.
>>>>>>> I'm using raw, not qcow images.
>>>>>>>
>>>>>>>
>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# qemu-img info 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>> image: 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>> file format: raw
>>>>>>> virtual size: 20G (21474836480 bytes)
>>>>>>> disk size: 1.9G
>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# ls -l 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>> -rw-rw---- 1 qemu qemu 21474836480 May 18 11:38 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>
>>>>>>> (default perms = vdsm:kvm)
>>>>>>>
>>>>>>> qemu-img-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>> qemu-kvm-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>> libvirt-daemon-1.2.17-13.el7_2.4.x86_64
>>>>>>>
>>>>>>>
>>>>>>> Ideas??
>>>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>> This email, its contents and attachments contain information from j2 Global, Inc. and/or its affiliates which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is prohibited. If you have received this email in error please notify the sender by reply e-mail and delete the original message and any copies. © 2015 j2 Global, Inc. All rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe ® and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its affiliates.
>>>
>>>
>>> This email, its contents and attachments contain information from j2 Global, Inc. and/or its affiliates which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is prohibited. If you have received this email in error please notify the sender by reply e-mail and delete the original message and any copies. © 2015 j2 Global, Inc. All rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe ® and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its affiliates.
>>
>>
>> This email, its contents and attachments contain information from j2 Global, Inc. and/or its affiliates which may be privileged, confidential or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is prohibited. If you have received this email in error please notify the sender by reply e-mail and delete the original message and any copies. © 2015 j2 Global, Inc. All rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe ® and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its affiliates.




More information about the Users mailing list