[Bug 1864922] [NEW] ussuri libvirt missing access to /var/lib/nova/instances/

Corey Bryant corey.bryant at canonical.com
Wed Feb 26 21:03:34 UTC 2020


Public bug reported:

focal/ussuri has an updated pkgos-gen-systemd-unit (openstack-pkg-tools)
which sets the UMask to 0027, preventing other users from any access to
files created by the service. In this case, the nova-compute service
creates instance files at run-time that libvirt needs access to.

ussuri:
drwxr-x---  2 nova nova  /var/lib/nova/instances/1726e122-2d91-44c1-939b-dd4638df06ed

train:
drwxr-xr-x  2 nova nova  /var/lib/nova/instances/da355106-e7f0-4d23-8b4c-91defbfdd696

It seems like the best solution is to use the default UMask of 0022 for
the nova-compute systemd unit file.

Note that nova-common.postinst already sets /var/log/nova permissions to
0750, preventing other users from reading logs, which was the original
intent of having pkgos-gen-systemd-unit set UMask to 0027.

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1864922
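
The effect described in the report can be reproduced outside nova. The script below is an added example, not part of the bug report or of the nova or openstack-pkg-tools packaging: it creates a directory under each UMask in a scratch location and lists the path components that block a user outside the owner and group. The function names are hypothetical, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example (constructed): works only in scratch directories from mktemp.
set -eu

# Print the octal mode of a directory created under umask $1.
# The ( ) body is a subshell, so the umask does not leak into the caller.
mode_under_umask() (
    umask "$1"
    tmp=$(mktemp -d)
    mkdir "$tmp/instance"
    stat -c '%a' "$tmp/instance"   # GNU stat assumed
    rm -rf "$tmp"
)

# Succeed if octal mode $1 has the "other" execute (search) bit set, i.e. a
# user who is neither the owner nor in the group may enter the directory.
other_can_traverse() {
    [ $(( 0$1 & 01 )) -ne 0 ]
}

# Print every component of path $1 (up to /) that lacks o+x.
# No output means users outside owner and group can reach the path.
blocking_components() (
    p=$(readlink -f -- "$1")
    while :; do
        other_can_traverse "$(stat -c '%a' "$p")" || printf '%s\n' "$p"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
)

# Compare the UMask from the report (0027) with the systemd default (0022).
for mask in 0027 0022; do
    mode=$(mode_under_umask "$mask")
    if other_can_traverse "$mode"; then
        echo "UMask=$mask -> mode $mode: other users can enter"
    else
        echo "UMask=$mask -> mode $mode: other users are blocked"
    fi
done
```

On a compute node, calling `blocking_components` on an instance directory under /var/lib/nova/instances/ shows which directory in the path stops access.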

