[libvirt] [libvirt-users] Libvirtd running as root tries to access oneadmin (OpenNebula) NFS mount but throws: error: can’t canonicalize path

TomK tk at mdevsys.com
Tue Apr 12 22:09:22 UTC 2016


On 4/12/2016 4:36 PM, Martin Kletzander wrote:
> On Tue, Apr 12, 2016 at 10:29:29PM +0200, Martin Kletzander wrote:
>> On Tue, Apr 12, 2016 at 03:55:45PM -0400, TomK wrote:
>>> On 4/12/2016 3:40 PM, Martin Kletzander wrote:
>>>> [ It would be way easier to reply if you didn't top-post ]
>>>>
>>>> On Tue, Apr 12, 2016 at 12:07:50PM -0400, TomK wrote:
>>>>> On 4/12/2016 11:45 AM, John Ferlan wrote:
>>>>>> What got my attention was the error message "initializing FS storage
>>>>>> file" with the "file:" prefix to the name and 9869:9869 as the uid:gid
>>>>>> trying to access the file (I assume that's oneadmin:oneadmin on your
>>>>>> system).
>>>>>>
>>>>
>>>> I totally missed this.  So the only thing that popped on my mind now was
>>>> checking the whole path:
>>>>
>>>>  ls -ld /var{,/lib{,/one{,/datastores{,/0{,/38{,/disk.1}}}}}}
>>>>
>>>> You can also run it as root and oneadmin, however after reading through
>>>> all the info again, I don't think that'll help.
>>>>
>>> I top post by default in thunderbird and we have same setup at work with
>>> M$ LookOut.  Old habits are to blame I guess.  I'll try to reply like
>>> this instead.  But yeah it's terrible for mailing lists to top post.
>>> Here's the output and thanks again:
>>>
>>> [oneadmin@mdskvm-p01 ~]$ ls -ld /var{,/lib{,/one{,/datastores{,/0{,/38{,/disk.1}}}}}}
>>> drwxr-xr-x. 21 root     root       4096 Apr 11 07:10 /var
>>> drwxr-xr-x. 45 root     root       4096 Apr 12 07:58 /var/lib
>>> drwxr-x---  12 oneadmin oneadmin   4096 Apr 12 15:50 /var/lib/one
>>
>> Look ^^, maybe for a quick workaround you could try doing:
>>
>>  chmod o+rx /var/lib/one
>>
>
> Actually, o+x ought to be enough.
>
>> Let me know if that does the trick (at least for now).
>>
>>> drwxrwxr-x   6 oneadmin oneadmin     46 Mar 31 02:44 /var/lib/one/datastores
>>> drwxrwxr-x   6 oneadmin oneadmin     42 Apr  5 00:20 /var/lib/one/datastores/0
>>> drwxrwxr-x   2 oneadmin oneadmin     68 Apr  5 00:20 /var/lib/one/datastores/0/38
>>> -rw-r--r--   1 oneadmin oneadmin 372736 Apr  5 00:20 /var/lib/one/datastores/0/38/disk.1
>>> [oneadmin@mdskvm-p01 ~]$
>>>
>>> That's the default setting but I think I see what you're getting at that
>>> permissions get inherited?
>>>
>>
>> No, I just think you need eXecute on all parent directories. That
>> shouldn't hinder your security and could help.
>>
>>> Cheers,
>>> Tom K.
>>> ------------------------------------------------------------------------------------- 
>>>
>>>
>>>
>>> Living on earth is expensive, but it includes a free trip around the 
>>> sun.
>>>
>
>
>

The execute permissions did the trick to allow creation.  So that's 
good.  There's still the write and I'm thinking you intend this as a 
workaround since oneadmin should be able to write in there with other 
being --- .  The auto deployment of cloud virtuals would still fail then 
when writes are attempted.

[oneadmin@mdskvm-p01 ~]$ virsh -d 1 --connect qemu:///system create /var/lib/one//datastores/0/38/deployment.0
create: file(optdata): /var/lib/one//datastores/0/38/deployment.0
Domain one-38 created from /var/lib/one//datastores/0/38/deployment.0
[oneadmin@mdskvm-p01 ~]$

Now should this work without any permissions on other for the 
unprivileged user oneadmin?  Thinking Yes per John Ferlan's reply?

[oneadmin@mdskvm-p01 0]$ virsh -d 1 --connect qemu:///system create /var/lib/one//datastores/0/24/deployment.0
create: file(optdata): /var/lib/one//datastores/0/24/deployment.0
error: Failed to create domain from /var/lib/one//datastores/0/24/deployment.0
error: can't canonicalize path '/var/lib/one//datastores/0/24/disk.1': Permission denied
[oneadmin@mdskvm-p01 0]$


Cheers,
Tom K.
------------------------------------------------------------------------------------- 

Living on earth is expensive, but it includes a free trip around the sun.
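
Added example, not part of the original thread and not libvirt or OpenNebula code: a small Python check that walks every parent directory of a path and reports the ones a given uid cannot search, which is the condition the `ls -ld` listing and the `chmod o+x` suggestion above are about. It assumes plain mode bits decide access (no ACLs, SELinux or capabilities); the function names, the temporary tree and the "other" uid are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def applicable_bits(st, uid, gids):
    """Return the rwx triplet (0-7) of the owner, group or other class that applies."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def traversal_blockers(path, uid, gids=()):
    """List (directory, mode string) for each parent of path that uid cannot search.

    Mode bits only: ACLs, SELinux and root's local bypass are not modelled.
    """
    blockers = []
    for parent in reversed(Path(os.path.abspath(path)).parents):
        st = os.stat(parent)
        if not applicable_bits(st, uid, set(gids)) & 1:  # bit 1 = x (search)
            blockers.append((str(parent), stat.filemode(st.st_mode)))
    return blockers

def demo():
    """Rebuild the thread's layout in a temp dir; check before and after o+x."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        one = os.path.join(root, "one")
        leaf = os.path.join(one, "datastores", "0", "38")
        os.makedirs(leaf)
        disk = os.path.join(leaf, "disk.1")
        Path(disk).touch()
        d = one
        for name in ("datastores", "0", "38"):  # drwxrwxr-x as in the listing
            d = os.path.join(d, name)
            os.chmod(d, 0o775)
        os.chmod(one, 0o750)                    # drwxr-x--- as in the listing
        other_uid = os.getuid() + 1             # constructed: any non-owner uid

        def inside():                           # ignore dirs above the temp tree
            return [(os.path.relpath(p, root), m)
                    for p, m in traversal_blockers(disk, other_uid)
                    if p.startswith(root + os.sep)]

        before = inside()
        os.chmod(one, 0o751)                    # equivalent of chmod o+x
        return before, inside()

if __name__ == "__main__":
    print(demo())
```

On a real host, call `traversal_blockers()` with the path of the disk image and the uid and gids the accessing process ends up with.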
