[ovirt-users] gluster VM disk permissions
Nir Soffer
nsoffer at redhat.com
Fri May 20 22:16:32 UTC 2016
On Sat, May 21, 2016 at 12:53 AM, Bill James <bill.james at j2.com> wrote:
> maybe the other doc is old but it says:
> "And a feature I intentionally removed in RHEL 7 was importing KVM → KVM"
> which is what I am doing. raw disk KVM to ovirt.
>
> Yes I can copy the disk image over the top of a ovirt disk image, but the
> import script seemed cleaner.
>
> Does virt-v2v try to convert the KVM image to KVM image or does it just
> import it?
ovirt-4.0 beta released 2 days ago support this.
One issue, a new package is needed which is not required yet by vdsm,
you will have to install it manually from here:
https://github.com/oVirt/ovirt-imageio/archive/master.zip
To install the package, do:
cd ovirt-imageio/common
make rpm
yum install dist/ovirt-imageio-common-0.1-1.noarch.rpm
This issue will be resolved soon.
Nir
>
>
>
>
>
> On 5/20/16 2:44 PM, Nir Soffer wrote:
>>
>> On Fri, May 20, 2016 at 11:48 PM, Bill James <bill.james at j2.com> wrote:
>>>
>>> I had added user = "root" because we use the import-to-ovirt.pl to move
>>> Vms
>>> from our old virtual platform to ovirt.
>>> My understanding was that was required for the to work.
>>> Is that not true or is the import script not worth the headaches caused?
>>>
>>> (https://rwmj.wordpress.com/2015/09/18/importing-kvm-guests-to-ovirt-or-rhev/)
>>
>> I don't know anything about this solution, adding Richard to add more
>> info.
>>
>> If you run 3.6, you can use v2v to import from other systems.
>> Adding Shahar to add into on v2v.
>>
>> Nir
>>
>>> [root at ovirt3 prod 4c4bfdf7-bc70-41b2-ab58-710ff8e850bf]# grep ^user
>>> /etc/libvirt/qemu.conf
>>> user = "root"
>>>
>>> I'm assuming that's what sets the qemu user.
>>>
>>>
>>>
>>> When I first tried using that script without setting "user = root" it
>>> didn't
>>> work.
>>>
>>>
>>>
>>>
>>> On 5/20/16 1:16 PM, Nir Soffer wrote:
>>>>
>>>> On Fri, May 20, 2016 at 10:41 PM, Bill James <bill.james at j2.com> wrote:
>>>>>
>>>>> attached output from one host. others look similar.
>>>>
>>>> Your qemu runs as *root*:
>>>>
>>>> root root root root qemu qemu qemu qemu /usr/libexec/qemu-kvm
>>>>
>>>> Here is the output from normal installation:
>>>>
>>>> qemu qemu qemu qemu qemu qemu qemu
>>>> qemu /usr/libexec/qemu-kvm
>>>>
>>>> I guess that gluster is configure with "option root-squashing on" so you
>>>> practically run as "nobody", and you are not in the kvm group.
>>>>
>>>> Running qemu as root is also a security risk, if there is a security bug
>>>> in qemu
>>>> a vm can use it to compromise your host or other vms.
>>>>
>>>> Maybe you can configure gluster to treat root as vdsm using
>>>>
>>>> option translate-uid 0=36
>>>>
>>>> See
>>>>
>>>> http://www.gluster.org/community/documentation/index.php/Translators/features
>>>>
>>>> But a better solution is to run qemu as qemu.
>>>>
>>>> Adding Sahina to advise about gluster configuration.
>>>>
>>>> Nir
>>>>
>>>>>
>>>>>
>>>>> On 5/20/16 11:47 AM, Nir Soffer wrote:
>>>>>
>>>>> On Fri, May 20, 2016 at 9:25 PM, Bill James <bill.james at j2.com> wrote:
>>>>>>
>>>>>> yes
>>>>>>
>>>>>> [root at ovirt2 prod .shard]# sestatus
>>>>>> SELinux status: disabled
>>>>>>
>>>>>> [root at ovirt3 prod ~]# sestatus
>>>>>> SELinux status: disabled
>>>>>
>>>>>
>>>>> Can you share output of:
>>>>>
>>>>> ps -e -o euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd | egrep
>>>>> 'qemu|libvirt'
>>>>> ps auxe | egrep 'qemu|libvirt'
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/20/16 11:13 AM, Nir Soffer wrote:
>>>>>>
>>>>>> On Fri, May 20, 2016 at 9:02 PM, Bill James <bill.james at j2.com> wrote:
>>>>>>>
>>>>>>> [root at ovirt1 prod ~]# sestatus
>>>>>>> SELinux status: disabled
>>>>>>
>>>>>>
>>>>>> Same on ovirt2?
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 5/20/16 10:49 AM, Nir Soffer wrote:
>>>>>>>
>>>>>>> This smells like selinux issues, did yoi try with permissive mode?
>>>>>>>
>>>>>>> בתאריך 20 במאי 2016 7:59 אחה״צ, "Bill James" <bill.james at j2.com>
>>>>>>> כתב:
>>>>>>>>
>>>>>>>> Nobody has any ideas or thoughts on how to troubleshoot?
>>>>>>>>
>>>>>>>> why does qemu group work but not kvm when qemu is part of kvm group?
>>>>>>>>
>>>>>>>> [root at ovirt1 prod vdsm]# grep qemu /etc/group
>>>>>>>> cdrom:x:11:qemu
>>>>>>>> kvm:x:36:qemu,sanlock
>>>>>>>> qemu:x:107:vdsm,sanlock
>>>>>>>>
>>>>>>>>
>>>>>>>> On 5/18/16 3:47 PM, Bill James wrote:
>>>>>>>>>
>>>>>>>>> another data point.
>>>>>>>>> Changing just owner to qemu doesn't help.
>>>>>>>>> Changing just group to qemu does. VM starts fine after that.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 05/18/2016 11:49 AM, Bill James wrote:
>>>>>>>>>>
>>>>>>>>>> Some added info. This issue seems to be just like this bug:
>>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1052114
>>>>>>>>>>
>>>>>>>>>> I have verified that chown qemu:qemu of disk image also fixes the
>>>>>>>>>> startup issue.
>>>>>>>>>> I'm using raw, not qcow images.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# qemu-img
>>>>>>>>>> info 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>>> image: 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>>> file format: raw
>>>>>>>>>> virtual size: 20G (21474836480 bytes)
>>>>>>>>>> disk size: 1.9G
>>>>>>>>>> [root at ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# ls -l
>>>>>>>>>> 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>>> -rw-rw---- 1 qemu qemu 21474836480 May 18 11:38
>>>>>>>>>> 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>>>>>
>>>>>>>>>> (default perms = vdsm:kvm)
>>>>>>>>>>
>>>>>>>>>> qemu-img-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>>>>> qemu-kvm-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>>>>>> libvirt-daemon-1.2.17-13.el7_2.4.x86_64
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Ideas??
>>>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
>>>>>>>
>>>>>>> This email, its contents and attachments contain information from j2
>>>>>>> Global, Inc. and/or its affiliates which may be privileged,
>>>>>>> confidential or
>>>>>>> otherwise protected from disclosure. The information is intended to
>>>>>>> be for
>>>>>>> the addressee(s) only. If you are not an addressee, any disclosure,
>>>>>>> copy,
>>>>>>> distribution, or use of the contents of this message is prohibited.
>>>>>>> If you
>>>>>>> have received this email in error please notify the sender by reply
>>>>>>> e-mail
>>>>>>> and delete the original message and any copies. © 2015 j2 Global,
>>>>>>> Inc. All
>>>>>>> rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®,
>>>>>>> KeepItSafe ®
>>>>>>> and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its
>>>>>>> affiliates.
>>>>>>
>>>>>>
>>>>>>
>>>>>> This email, its contents and attachments contain information from j2
>>>>>> Global, Inc. and/or its affiliates which may be privileged,
>>>>>> confidential or
>>>>>> otherwise protected from disclosure. The information is intended to be
>>>>>> for
>>>>>> the addressee(s) only. If you are not an addressee, any disclosure,
>>>>>> copy,
>>>>>> distribution, or use of the contents of this message is prohibited. If
>>>>>> you
>>>>>> have received this email in error please notify the sender by reply
>>>>>> e-mail
>>>>>> and delete the original message and any copies. © 2015 j2 Global, Inc.
>>>>>> All
>>>>>> rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®,
>>>>>> KeepItSafe ®
>>>>>> and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its
>>>>>> affiliates.
>>>>>
>>>>>
>>>>>
>>>>> This email, its contents and attachments contain information from j2
>>>>> Global, Inc. and/or its affiliates which may be privileged,
>>>>> confidential or
>>>>> otherwise protected from disclosure. The information is intended to be
>>>>> for
>>>>> the addressee(s) only. If you are not an addressee, any disclosure,
>>>>> copy,
>>>>> distribution, or use of the contents of this message is prohibited. If
>>>>> you
>>>>> have received this email in error please notify the sender by reply
>>>>> e-mail
>>>>> and delete the original message and any copies. © 2015 j2 Global, Inc.
>>>>> All
>>>>> rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe
>>>>> ®
>>>>> and Onebox ® are ! registere d trademarks of j2 Global, Inc. and its
>>>>> affiliates.
>>>
>>>
>
More information about the Users
mailing list