[Bug 1967956] Re: Permission denied when trying to resize images

Vikas Krishnan Radhakrishnan 1967956 at bugs.launchpad.net
Wed Feb 26 20:13:48 UTC 2025 

The workaround suggested in comment #19 only works if nova-compute is
configured to use "rbd" as the libvirt-image-backend.

On a CIS-hardened deployment with the default backend ("qcow2"), tempest
passes the two resize_ tests, however, as a side-effect, tempest fails
both tests under the
tempest.api.compute.images.test_images_oneserver.ImagesOneServerTestJSON
test group. Errors seen are exactly as described in this issue:
https://bugs.launchpad.net/charm-nova-compute/+bug/1896617 and there are
no workarounds for that issue on yoga.

I've tried adding/changing/removing user-group settings for
nova/kvm/libvirt-qemu, but none of those resolve it because libvirtd-
qemu doesn't have access to the the snapshots directory within nova.

If libvirt-image-backend is unset or set to "qemu", the only workaround
to get tempest to pass both resize image and the image snapshot test
groups is to loosen the unmask to 022 as suggested in
https://bugs.launchpad.net/charm-nova-compute/+bug/1967956/comments/17.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1967956

Title:
  Permission denied when trying to resize images

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive yoga series:
  New
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Jammy:
  Confirmed

Bug description:
  On a deployment of Focal Ussuri which was CIS hardened SQA had two
  tempest tests which failed to resize a server, and then revert the
  resize.

  the two tests which failed were:
  tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_confirm
  and
  tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_revert

  The nova compute logs show:
  : libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
  2022-04-03 03:18:09.648 653208 ERROR nova.virt.libvirt.driver [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Failed to start libvirt guest: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
  2022-04-03 03:18:09.697 653208 INFO os_vif [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] Successfully unplugged vif VIFOpenVSwitch(active=False,address=fa:16:3e:14:5f:7c,bridge_name='br-int',has_traffic_filtering=True,id=c6c15dff-9201-49e9-9d86-4ce684138f53,network=Network(611f2961-05f5-4361-a30f-bcf384865f6f),plugin='ovs',port_profile=VIFPortProfileOpenVSwitch,preserve_on_delete=False,vif_name='tapc6c15dff-92')
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Setting instance vm_state to ERROR: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Traceback (most recent call last):
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 10047, in _error_out_instance_on_exception
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     yield
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5904, in _finish_resize_helper
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     network_info = self._finish_resize(context, instance, migration,
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5842, in _finish_resize
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     self._set_instance_info(instance, old_flavor)
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     self.force_reraise()
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     six.reraise(self.type_, self.value, self.tb)
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     raise value
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5825, in _finish_resize
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     self.driver.finish_migration(context, migration, instance,
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]   File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 10410, in finish_migration
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]     guest = self._create_domain_and_network(context, xml, instance,
  ...
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
  2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]

  for both tests.

  our CIS rule set is

  RULESET1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
  RULESET2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
  RULESET3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
  RULESET4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
  RULESET5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
  RULESET6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.126.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"

  metal systems get the additional rules:
  "4.1.1.1 4.1.1.2 4.1.1.3 4.1.1.4 4.1.2.1 4.1.2.2 4.1.2.3 4.1.3 4.1.4 4.1.5 4.1.6 4.1.7 4.1.8 4.1.6 4.1.7 4.1.8 4.1.9 4.1.10 4.1.11 4.1.12 4.1.13 4.1.14 4.1.15 4.1.16 4.1.17

  crashdump can be found at:
  https://oil-jenkins.canonical.com/artifacts/3daa548d-79fb-4efe-84a1-7063397290a6/generated/generated/openstack/juju-crashdump-openstack-2022-04-03-03.39.08.tar.gz
  with testrun at:
  https://solutions.qa.canonical.com/testruns/testRun/3daa548d-79fb-4efe-84a1-7063397290a6
  and bundle at:
  https://oil-jenkins.canonical.com/artifacts/3daa548d-79fb-4efe-84a1-7063397290a6/generated/generated/openstack/bundle.yaml
  All instances of this bug can be found at:
  https://solutions.qa.canonical.com/bugs/bugs/bug/1967956

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1967956/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list