insufficient permissions on glance images for direct copy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Glance | Fix Released | High | Zhi Yan Liu | |
Bug Description
I'm running Havana multinode. Instances and images are located on a SAN-attached shared disk (GPFS). Glance images need to be copied by "cp" instead of "curl" to nova's "_base" directory. Here are my configs:
** /etc/glance/
filesystem_
show_multiple_
filesystem_
** /etc/glance/
{
"id": "b2b3229e-
"mountpoint": "/gpfs"
}
** /etc/nova/nova.conf
allowed_
filesystems=gpfs
[image_
id=b2b3229e-
mountpoint=/gpfs
** Nova log on compute node
2013-12-25 17:29:15.512 10058 INFO nova.virt.
7-bef7-
2013-12-25 17:29:16.109 10058 ERROR nova.image.glance [req-af8fc341-
mand.
Command: cp /gpfs/images/
Exit code: 1
Stdout: ''
Stderr: "cp: cannot open `/gpfs/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance Traceback (most recent call last):
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance xfer_mod.
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance lv_utils.
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance execute('cp', src, dest)
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance return utils.execute(
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance return processutils.
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance File "/usr/lib/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance cmd=' '.join(cmd))
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance ProcessExecutio
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance Command: cp /gpfs/images/
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance Exit code: 1
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance Stdout: ''
2013-12-25 17:29:16.109 10058 TRACE nova.image.glance Stderr: "cp: cannot open `/gpfs/
** File permissions on image
-rw-r-----. 1 glance glance 10718478336 Dec 23 19:21 /gpfs/images/
I assume that the compute service was trying to copy the image on behalf of the "nova" user, which is why this operation failed with "Permission denied".
tags: added: glance
summary: - insufficient permissions on glance images
+ insufficient permissions on glance images for direct copy
Changed in glance: importance: Undecided → High
Changed in glance: status: New → Confirmed
Changed in glance: assignee: nobody → Nassim Babaci (nassim-babaci)
Changed in glance: assignee: Nassim Babaci (nassim-babaci) → Zhi Yan Liu (lzy-dev)
tags: added: backend; removed: glance
Changed in glance: milestone: none → juno-rc1
Changed in glance: status: Fix Committed → Fix Released
Changed in glance: milestone: juno-rc1 → 2014.2
Yes, the nova components are running as the nova user. However, apart from becoming root they don't really have a mechanism to become the glance user. If you want to use filesystem stores like this I would recommend changing the group ownership of these files to one that contains both nova and glance.
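
The group-ownership change recommended above, checked as POSIX mode-bit logic against the `-rw-r-----` image from the report. This is an added example, not code from the report or from nova/glance. The numeric uids and gids and the shared group id are constructed, and ACLs and SELinux labels are not evaluated.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    """A service account: numeric uid plus primary and supplementary gids."""
    name: str
    uid: int
    gids: frozenset

def can_read(mode, owner_uid, group_gid, acct):
    """Classic POSIX mode-bit check. Exactly one class applies, in the order
    owner, group, other. ACLs and SELinux labels are not evaluated."""
    if acct.uid == 0:
        return True  # root bypasses mode bits
    if acct.uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if group_gid in acct.gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_image(path, acct):
    """Stat a real image file and report whether acct can read it and whether
    the file is world-readable (which would expose it to every local user)."""
    st = os.stat(path)
    return {
        "readable": can_read(st.st_mode, st.st_uid, st.st_gid, acct),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }

# Constructed ids for illustration; real values come from `id nova` / `id glance`.
GLANCE_UID, GLANCE_GID, NOVA_UID, NOVA_GID, IMAGES_GID = 161, 161, 162, 162, 2000
MODE_0640 = stat.S_IFREG | 0o640  # the -rw-r----- mode from the report

nova_before = Account("nova", NOVA_UID, frozenset({NOVA_GID}))
nova_after = Account("nova", NOVA_UID, frozenset({NOVA_GID, IMAGES_GID}))
glance_after = Account("glance", GLANCE_UID, frozenset({GLANCE_GID, IMAGES_GID}))

if __name__ == "__main__":
    # As reported: glance:glance 0640, nova outside the glance group -> False
    print(can_read(MODE_0640, GLANCE_UID, GLANCE_GID, nova_before))
    # After chgrp to a shared group containing nova and glance -> True, True
    print(can_read(MODE_0640, GLANCE_UID, IMAGES_GID, nova_after))
    print(can_read(MODE_0640, GLANCE_UID, IMAGES_GID, glance_after))
```

Keeping the mode at 0640 with a shared group gives nova read access without making the images world-readable.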