[Bug 1947351] [NEW] chown not in rootwrap when only installing cinder-backup

Arif Ali 1947351 at bugs.launchpad.net
Fri Oct 15 10:36:25 UTC 2021 

Public bug reported:

series: bionic
openstack: queens

We have an issue with a user, where the cinder-backup and services are
installed, and separated from cinder-volume nodes.

As part of the cinder-backup, it is required to grab iscsi devices, and
hence the likes of /dev/sd* would be there to be consumed.

As part of this process we can see that cinder-rootwrap is being run,
similar to the command below

sudo cinder-rootwrap /etc/cinder/rootwrap.conf chown 64061 /dev/sda

By default, this then gives permission denied, and does not move forward

We then added the excerpt below following into a new file in
/etc/cinder/rootwrap.d/backup.filters, borrowed from
/etc/cinder/rootwrap.d/volume.filters (which is typically from cinder-
volume package in bionic)

[Filters]
chown: CommandFilter, chown, root

This then moved things along for the user.

After further analysis, we found that post bionic, i.e. cosmic and
beyond, the volume.filters file is now located in cinder-common package
rather than the cinder-volume

My request is, can we do the same for queens, such that this file is in
cinder-common?

** Affects: cinder (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: cinder (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: cinder (Ubuntu Bionic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to cinder in Ubuntu.
https://bugs.launchpad.net/bugs/1947351

Title:
  chown not in rootwrap when only installing cinder-backup

Status in cinder package in Ubuntu:
  New
Status in cinder source package in Bionic:
  New

Bug description:
  series: bionic
  openstack: queens

  We have an issue with a user, where the cinder-backup and services are
  installed, and separated from cinder-volume nodes.

  As part of the cinder-backup, it is required to grab iscsi devices,
  and hence the likes of /dev/sd* would be there to be consumed.

  As part of this process we can see that cinder-rootwrap is being run,
  similar to the command below

  sudo cinder-rootwrap /etc/cinder/rootwrap.conf chown 64061 /dev/sda

  By default, this then gives permission denied, and does not move
  forward

  We then added the excerpt below following into a new file in
  /etc/cinder/rootwrap.d/backup.filters, borrowed from
  /etc/cinder/rootwrap.d/volume.filters (which is typically from cinder-
  volume package in bionic)

  [Filters]
  chown: CommandFilter, chown, root

  This then moved things along for the user.

  After further analysis, we found that post bionic, i.e. cosmic and
  beyond, the volume.filters file is now located in cinder-common
  package rather than the cinder-volume

  My request is, can we do the same for queens, such that this file is
  in cinder-common?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cinder/+bug/1947351/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list