[Bug 1864922] Re: ussuri libvirt missing access to /var/lib/nova/instances/
Corey Bryant
1864922 at bugs.launchpad.net
Wed Sep 23 19:20:21 UTC 2020
Access is denied within a tmp dir created during the snapshot attempt:

$ sudo ls -al /var/lib/nova/instances/snapshots/tmpkajuir8o
total 204
drwx-----x 2 nova nova 4096 Sep 23 19:12 .
drwxr-x--- 3 nova nova 4096 Sep 23 19:12 ..
-rw-r--r-- 1 nova nova 197248 Sep 23 19:12 0ece1fb912104f2c849ea4bd6036712c.delta

If I chmod /var/lib/nova/instances/snapshots/tmpkajuir8o to 777 the snapshot is successful.

In that case the user/group of the delta file changes from nova:nova to libvirt-qemu:kvm. So it appears that libvirt-qemu needs access to the tmp directory.

The tmp directory is created at run-time and I'm not yet sure how the
permissions are determined. The --x for other seems odd.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1864922
Title:
ussuri libvirt missing access to /var/lib/nova/instances/
Status in nova package in Ubuntu:
Fix Released
Bug description:
focal/ussuri has an updated pkgos-gen-systemd-unit
(openstack-pkg-tools) which sets the UMask to 0027, preventing other
users from any access to files created by the service. In this case,
the nova-compute service creates instance files at run-time that
libvirt needs access to.
ussuri:
drwxr-x--- 2 nova nova /var/lib/nova/instances/1726e122-2d91-44c1-939b-dd4638df06ed
train:
drwxr-xr-x 2 nova nova /var/lib/nova/instances/da355106-e7f0-4d23-8b4c-91defbfdd696
It seems like the best solution is to use the default UMask of 0022
for the nova-compute systemd unit file.
Note that nova-common.postinst already sets /var/log/nova permissions
to 0750, preventing other users from reading logs, which was the
original intent of having pkgos-gen-systemd-unit set UMask to 0027.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1864922/+subscriptions
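
The effect of the two UMask values from the bug description, as an added example that is not part of the original report or of nova's code: it creates an instances/<name> directory under each umask in a scratch directory and reports the first path component that a user outside the owner and group cannot traverse. The function names, the placeholder directory name and the "ussuri"/"train" labels on the two umasks are assumptions made for illustration.

```python
import os
import stat
import tempfile


def create_instance_dir(base, umask, name="instance-uuid-placeholder"):
    """Create base/instances/<name> under the given umask and return its path."""
    old = os.umask(umask)
    try:
        path = os.path.join(base, "instances", name)
        os.makedirs(path)  # requested mode is 0o777, reduced by the umask
        return path
    finally:
        os.umask(old)  # always restore the caller's umask


def mode_of(path):
    """Permission bits (rwx for user/group/other) of path."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def first_component_blocking_other(base, path):
    """Return the first directory below base without o+x, or None if all allow it."""
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        current = os.path.join(current, part)
        if not mode_of(current) & stat.S_IXOTH:
            return current
    return None


def compare_umasks():
    """Map each labelled umask to (mode of instance dir, blocking component)."""
    results = {}
    # Labels are illustrative: 0027 is the focal/ussuri unit file value,
    # 0022 the default that matches the train listing in the report.
    for label, umask in (("ussuri", 0o027), ("train", 0o022)):
        with tempfile.TemporaryDirectory() as base:
            path = create_instance_dir(base, umask)
            blocked = first_component_blocking_other(base, path)
            rel = None if blocked is None else os.path.relpath(blocked, base)
            results[label] = (oct(mode_of(path)), rel)
    return results


if __name__ == "__main__":
    for label, (mode, blocked) in compare_umasks().items():
        print(label, mode, "blocked at:", blocked)
```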