Red Hat OpenStack Services on OpenShift
OSPRH-203

allow file mode and owner/group to be managed by nova for instance files.


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Normal
    • Component: openstack-nova
    • Epic Name: limits rights on /var/lib/nova/instances
    • Parent: OSPRH-120 - Compute Engineering Backlog
    • Status: To Do
    • DFG: Compute

      nova currently relies on libvirt's dynamic ownership feature to enable qemu to access the
      instance files (disk, console, config drive, ...).

      libvirt does not allow the file mode to be modified for these files and as a result makes them world readable.

      In some environments, this is not desirable.
      While our security model assumes you prevent any access to the host file system, we can harden this slightly by developing a feature in nova and/or libvirt to restrict sharing to the user and group.

      Note that we tried to work around this previously using umask and that broke several important features, so we should not take that approach and do this properly in nova/libvirt as a feature.
      https://bugzilla.redhat.com/show_bug.cgi?id=2127456
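
      Added example (not part of this ticket, and not nova or libvirt code): a small shell audit that lists the files under an instances directory that still carry the "other" read bit, so an operator can confirm on a host whether the exposure described above applies. It assumes GNU find and coreutils (for -printf and the mode format); the instances directory and the qemu.conf path are parameters that default to the usual locations, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of OSPRH-203 or of nova/libvirt.
# Audit a nova instances directory for files that libvirt's dynamic
# ownership has chowned to the qemu user/group but left world-readable.
#
# libvirt changes the owner and group of instance files (see `user`, `group`
# and `dynamic_ownership` in /etc/libvirt/qemu.conf) but does not touch the
# mode, so a file created as 0644 keeps its "other" read bit.
# Assumes GNU find (-printf) and GNU coreutils.

# Print one "<octal-mode> <path>" line for every regular file under $1
# whose mode grants read to "other" (-perm -004), sorted by path.
list_world_readable() {
    dir=$1
    find "$dir" -type f -perm -004 -printf '%m %p\n' 2>/dev/null | sort -k2
}

# Report the number of offending files; exit 0 when there are none and 1
# otherwise, so the check can run from cron or a compliance job.
check_instances_dir() {
    dir=${1:-/var/lib/nova/instances}   # default is nova's usual location
    n=$(list_world_readable "$dir" | wc -l | tr -d ' ')
    echo "$n world-readable file(s) under $dir"
    [ "$n" -eq 0 ]
}

# Show the libvirt ownership settings that explain who ends up owning the
# files; prints nothing if the keys are commented out (libvirt defaults).
show_qemu_owner_config() {
    conf=${1:-/etc/libvirt/qemu.conf}
    if [ ! -r "$conf" ]; then
        echo "$conf not readable"
        return 0
    fi
    grep -E '^[[:space:]]*(user|group|dynamic_ownership)[[:space:]]*=' "$conf" || true
}
```

      Run `check_instances_dir` as root on a compute node; a non-zero count means the host file system permissions, not just libvirt ownership, are what stands between other local users and the instance disks, console logs and config drives.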

            Assignee: Unassigned
            Reporter: Sean Mooney (smooney@redhat.com)
            Team: rhos-dfg-compute
            Votes: 0
            Watchers: 4