Red Hat OpenStack Services on OpenShift
OSPRH-203

allow file mode and owner/group to be managed by nova for instance files.


    • Type: Epic
    • Resolution: Won't Do
    • Priority: Normal
    • Component: openstack-nova
    • Epic Name: limits rights on /var/lib/nova/instances
    • Status: To Do
    • Parent: OSPRH-11659 - DFG:Compute Wishlist
    • Proposed

      Nova currently relies on libvirt's dynamic ownership feature to let QEMU access the
      instance files (disk, console, config drive, ...).

      libvirt does not allow the file mode of these files to be changed, and as a result it leaves them world readable.

      In some environments this is not desirable.
      While our security model assumes you prevent any access to the host file system, we can harden this slightly by developing a feature in nova and/or libvirt that restricts sharing to the owning user and group.

      Note that we tried to work around this previously using umask and that broke several important features, so we should not take that approach and should do this properly in nova/libvirt as a feature.
      https://bugzilla.redhat.com/show_bug.cgi?id=2127456
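The exposure described above, as an added example that is not part of this ticket or of nova/libvirt: a POSIX shell audit that lists instance files readable by users outside the owning user and group, run here against a constructed temporary tree (the instance UUID and file names are placeholders standing in for a real /var/lib/nova/instances layout).

```shell
#!/bin/sh
# Added example, not code from the OSPRH-203 ticket or from nova/libvirt.
# Audits a nova instances directory for files whose mode grants read access to
# "other" users on the host, which is the exposure the ticket describes when
# libvirt's dynamic ownership leaves instance files world readable.

# List regular files under $1 that are readable by "other" (mode bit 0004).
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Count such files; prints a single integer (0 when the directory is absent).
count_world_readable() {
    world_readable_files "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (the instance UUID and file names are made up
# for this example) that mimics the layout under /var/lib/nova/instances: a disk
# image left world readable, and a config drive and console log restricted to
# the owner and group. Prints the path of the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    inst="$root/00000000-0000-4000-8000-000000000001"   # placeholder instance UUID
    mkdir -p "$inst"
    : > "$inst/disk"
    : > "$inst/disk.config"
    : > "$inst/console.log"
    chmod 0644 "$inst/disk"          # the mode dynamic ownership leaves behind
    chmod 0640 "$inst/disk.config"   # what the ticket asks for: owner and group only
    chmod 0640 "$inst/console.log"
    printf '%s\n' "$root"
}

# Report any exposed files on stderr and return 1 when at least one is found,
# so the function can gate a compliance check or a monitoring probe.
audit_instances_dir() {
    n=$(count_world_readable "$1")
    if [ "$n" -gt 0 ]; then
        echo "world-readable instance files under $1:" >&2
        world_readable_files "$1" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed tree; on a real host you would pass
# /var/lib/nova/instances instead.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    audit_instances_dir "$demo_root" || true
    rm -rf "$demo_root"
fi
```

This is a detection check only: the ticket itself records that forcing tighter modes from outside (the umask workaround) broke features, so flagged files are input to the nova/libvirt feature request, not something to chmod by hand on a running compute node.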

              Assignee: Unassigned
              Reporter: Sean Mooney (smooney@redhat.com)
              rhos-dfg-compute
              Votes: 0
              Watchers: 4