Loading...

XML

Word

Printable

Type: Story
Resolution: Not a Bug
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: libvirt
Labels:
- QA_WhiteBoard:Virtual_Disks

Pool Team:

sst_virtualization
Sub-System Group:

ssg_virtualization

Story Points:
5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Goal

In an OpenStack deployment using Libvirt's dynamic ownership feature, prevent instance disk files from being world-readable. World-readable instance disk files can be a security concern if an unauthorized actor gets access to the compute host (there are obviously many other security concerns in this scenario, but at least instance disk files won't be trivially accessible).

The current umask when libvirt applies dynamic ownership to instance disk files is unconfigurable, and results in world-readable files. Nova would like a libvirt knob (either in config or directly in the XML) to specificy a custom umask.

Acceptance Criteria

An instance created by Nova does not have a world-readable disk.

is depended on by

OSPRH-203 allow file mode and owner/group to be managed by nova for instance files.

Backlog

Assignee:: Michal Privoznik

Reporter:: Artom Lifshitz

Developer:: virt-maint

QA Contact:: Meina Li

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 2024/05/08 4:07 PM

Updated:: 2024/05/16 6:37 AM

Resolved:: 2024/05/16 6:37 AM

Details

Description

Goal

Acceptance Criteria

Attachments

Issue Links

Activity

People

Dates