<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hey Martin,<br>
    <br>
    Thanks very much.  Appreciate you jumping in on this thread.<br>
    <br>
    You see, that's just it.  I've configured libvirt .conf files to run
    as oneadmin.oneadmin (non-privileged) for that NFS share and I can
    access all the files on that share as oneadmin without error,
    including the one you listed.  But libvirtd, by default, always
    starts as root.  So it's doing something as root, despite being
    configured to access the share as oneadmin.  As oneadmin I can
    access that file no problem.  Here's how I read the file off the
    node on which the NFS share is mounted:<br>
    <br>
    <p style="color: rgb(34, 34, 34); font-family: Helvetica, Arial,
      sans-serif; font-size: 14px; font-style: normal; font-variant:
      normal; font-weight: normal; letter-spacing: normal; line-height:
      19px; orphans: auto; text-align: start; text-indent: 0px;
      text-transform: none; white-space: normal; widows: 1;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">[oneadmin@mdskvm-p01 ~]$ ls
      -altri /var/lib/one//datastores/0/38/disk.1<br>
      34642274 -rw-r--r-- 1 oneadmin oneadmin 372736 Apr 5 00:20
      /var/lib/one//datastores/0/38/disk.1<br>
      [oneadmin@mdskvm-p01 ~]$ file /var/lib/one//datastores/0/38/disk.1<br>
      /var/lib/one//datastores/0/38/disk.1: # ISO 9660 CD-ROM filesystem
      data 'CONTEXT'<br>
      [oneadmin@mdskvm-p01 ~]$ strings
      /var/lib/one//datastores/0/38/disk.1|head<br>
      CD001<br>
      LINUX CONTEXT<br>
      GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE
      (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
      2016040500205600<br>
      2016040500205600<br>
      0000000000000000<br>
      2016040500205600</p>
    <p style="color: rgb(34, 34, 34); font-family: Helvetica, Arial,
      sans-serif; font-size: 14px; font-style: normal; font-variant:
      normal; font-weight: normal; letter-spacing: normal; line-height:
      19px; orphans: auto; text-align: start; text-indent: 0px;
      text-transform: none; white-space: normal; widows: 1;
      word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">CD001<br>
      2016040500205600<br>
      2016040500205600<br>
      [oneadmin@mdskvm-p01 ~]$</p>
    My NFS mount looks as follows (I have to use root_squash for
    security reasons.  I'm sure it will work using no_root_squash but
    that option is not an option here.):<br>
    <br>
    [root@mdskvm-p01 ~]# grep nfs /etc/fstab<br>
    # 192.168.0.70:/var/lib/one/    /var/lib/one/  nfs  
context=system_u:object_r:nfs_t:s0,soft,intr,rsize=8192,wsize=8192,noauto<br>
    192.168.0.70:/var/lib/one/      /var/lib/one/  nfs  
    soft,intr,rsize=8192,wsize=8192,noauto<br>
    [root@mdskvm-p01 ~]#<br>
    <br>
    [root@opennebula01 ~]# cat /etc/exports<br>
    /var/lib/one/ *(rw,sync,no_subtree_check,root_squash)<br>
    [root@opennebula01 ~]#<br>
    <br>
    <br>
    So I dug deeper and see that there is a possibility libvirtd is
    trying to access that NFS mount as root at some level because as
    root I also get a permission denied to the NFS share above.  Rightly
    so since I have root_squash that I need to keep.  But libvirtd
    should be able to access the file as oneadmin as I have above.  It's
    not and this is what I read on it:<br>
    <br>
    <a class="moz-txt-link-freetext" href="https://www.redhat.com/archives/libvir-list/2014-May/msg00194.html">https://www.redhat.com/archives/libvir-list/2014-May/msg00194.html</a>
    <br>
    <br>
    Comment is: "The current implementation works for local
    <br>
    storage only and returns the canonical path of the volume."
    <br>
    <br>
    But it seems the logic is applied to NFS mounts. Perhaps it
    shouldn't
    <br>
    be?  Any way to get around this problem?  This is CentOS 7.
    <br>
    <br>
    My post with OpenNebula is here from which this conversation
    originates:
<a class="moz-txt-link-freetext" href="https://forum.opennebula.org/t/libvirtd-running-as-root-tries-to-access-oneadmin-nfs-mount-error-cant-canonicalize-path/2054/7">https://forum.opennebula.org/t/libvirtd-running-as-root-tries-to-access-oneadmin-nfs-mount-error-cant-canonicalize-path/2054/7</a><br>
    <br>
    <div class="moz-signature">Cheers,<br>
      Tom K.<br>
      -------------------------------------------------------------------------------------
      <br>
      Living on earth is expensive, but it includes a free trip around
      the sun.<br>
      <br>
    </div>
    <div class="moz-cite-prefix">On 4/12/2016 10:03 AM, Martin
      Kletzander wrote:<br>
    </div>
    <blockquote cite="mid:20160412140351.GD4472@wheatley" type="cite">On
      Mon, Apr 11, 2016 at 08:02:04PM -0400, TomK wrote:
      <br>
      <blockquote type="cite">Hey All,
        <br>
        <br>
        Wondering if anyone had any suggestions on this topic?
        <br>
        <br>
      </blockquote>
      <br>
      The only thing I can come up with is:
      <br>
      '/var/lib/one//datastores/0/38/disk.1': Permission denied
      <br>
      <br>
      ... that don't have access to that file.  Could you elaborate on
      that?
      <br>
      <br>
      I think it's either:
      <br>
      <br>
      a) you are running the domain as root or
      <br>
      <br>
      b) we don't use the domain's uid/gid to canonicalize the path.
      <br>
      <br>
      But if read access is enough for canonicalizing that path, I think
      the
      <br>
      problem is purely with permissions.
      <br>
      <br>
      <blockquote type="cite">Cheers,
        <br>
        Tom K.
        <br>
-------------------------------------------------------------------------------------
        <br>
        <br>
        Living on earth is expensive, but it includes a free trip around
        the sun.
        <br>
        <br>
        On 4/9/2016 11:08 AM, TomK wrote:
        <br>
        <blockquote type="cite">Adding in libvir-list.
          <br>
          <br>
          Cheers,
          <br>
          Tom K.
          <br>
-------------------------------------------------------------------------------------
          <br>
          <br>
          Living on earth is expensive, but it includes a free trip
          around the sun.
          <br>
          <br>
          On 4/7/2016 7:32 PM, TomK wrote:
          <br>
          <blockquote type="cite">Hey All,
            <br>
            <br>
            I've an issue where libvirtd tries to access an NFS mount
            but errors
            <br>
            out with: can't canonicalize path
            '/var/lib/one//datastores/0 .  The
            <br>
            unprivileged user is able to read/write fine to the share.
            <br>
            root_squash is used and for security reasons no_root_squash
            cannot be
            <br>
            used.
            <br>
            <br>
            On the controller and node SELinux is disabled.
            <br>
            <br>
            [oneadmin@mdskvm-p01 ~]$ virsh -d 1 --connect qemu:///system
            create
            <br>
            /var/lib/one//datastores/0/38/deployment.0
            <br>
            create: file(optdata):
            /var/lib/one//datastores/0/38/deployment.0
            <br>
            error: Failed to create domain from
            <br>
            /var/lib/one//datastores/0/38/deployment.0
            <br>
            error: can't canonicalize path
            <br>
            '/var/lib/one//datastores/0/38/disk.1': Permission denied
            <br>
            <br>
            I added some debug flags to get more info and added -x to
            the deploy
            <br>
            script. Closest I get to more details is this:
            <br>
            <br>
            2016-04-06 04:15:35.945+0000: 14072: debug :
            <br>
            virStorageFileBackendFileInit:1441 : initializing FS storage
            file
            <br>
            0x7f6aa4009000
            (<a class="moz-txt-link-freetext" href="file:/var/lib/one//datastores/0/38/disk.1">file:/var/lib/one//datastores/0/38/disk.1</a>)[9869:9869]
            <br>
            2016-04-06 04:15:35.954+0000: 14072: error :
            <br>
            virStorageFileBackendFileGetUniqueIdentifier:1523 : can't
            <br>
            canonicalize path '/var/lib/one//datastores/0/38/disk.1':
            <br>
            <br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/archives/libvir-list/2014-May/msg00194.html">https://www.redhat.com/archives/libvir-list/2014-May/msg00194.html</a>
            <br>
            <br>
            Comment is: "The current implementation works for local
            <br>
            storage only and returns the canonical path of the volume."
            <br>
            <br>
            But it seems the logic is applied to NFS mounts. Perhaps it
            shouldn't
            <br>
            be?  Any way to get around this problem?  This is CentOS 7.
            <br>
            <br>
            Cheers,
            <br>
            Tom K.
            <br>
-------------------------------------------------------------------------------------
            <br>
            <br>
            Living on earth is expensive, but it includes a free trip
            around the
            <br>
            sun.
            <br>
            <br>
            _______________________________________________
            <br>
            libvirt-users mailing list
            <br>
            <a class="moz-txt-link-abbreviated" href="mailto:libvirt-users@redhat.com">libvirt-users@redhat.com</a>
            <br>
            <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/libvirt-users">https://www.redhat.com/mailman/listinfo/libvirt-users</a>
            <br>
          </blockquote>
          <br>
          --
          <br>
          libvir-list mailing list
          <br>
          <a class="moz-txt-link-abbreviated" href="mailto:libvir-list@redhat.com">libvir-list@redhat.com</a>
          <br>
          <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/libvir-list">https://www.redhat.com/mailman/listinfo/libvir-list</a>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
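    <p>The thread turns on root being squashed by the export while libvirtd runs as root. As an added example (not part of the original e-mail, and not libvirt or OpenNebula code), the shell function below walks from a file up to the NFS mount point and lists every component whose "other" permission bits would stop a squashed root. The name squashed_root_blockers is hypothetical; it assumes GNU stat and that the anonymous user matches neither the owner nor the group of any component.</p>

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the thread.
# Assumption: with root_squash, uid 0 on the client is mapped to the export's
# anonymous user, so the server checks root's requests against the "other"
# permission bits of each component below the mount point.

# squashed_root_blockers PATH [MOUNTPOINT]
# Walks from PATH up to MOUNTPOINT (default /) and prints each component that
# a squashed root could not pass: directories need other-search (x), the
# final file needs other-read (r).
# Returns 0 if nothing blocks, 1 if something does, 2 if stat fails.
squashed_root_blockers() {
    cur=$1
    stop=${2:-/}
    blocked=0
    while :; do
        mode=$(stat -Lc '%a' "$cur") || return 2
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        if [ -d "$cur" ]; then
            need=1; what="search (x)"
        else
            need=4; what="read (r)"
        fi
        if [ $((other & need)) -eq 0 ]; then
            printf '%s mode=%s owner=%s lacks other-%s\n' \
                "$cur" "$mode" "$(stat -Lc '%U:%G' "$cur")" "$what"
            blocked=1
        fi
        # Stop at the mount point; components above it are local to the
        # client, where root is not squashed.
        case $cur in
            "$stop"|/|.) break ;;
        esac
        cur=$(dirname "$cur")
    done
    return $blocked
}
```

    <p>Run on the node as the unprivileged user, for example <code>squashed_root_blockers /var/lib/one//datastores/0/38/disk.1 /var/lib/one</code>; any line it prints names a directory or file that root on the client cannot traverse or read through the squashed export.</p>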
  </body>
</html>