[libvirt] [libvirt-users] Libvirtd running as root tries to access oneadmin (OpenNebula) NFS mount but throws: error: can’t canonicalize path
TomK
tk at mdevsys.com
Tue Apr 12 19:55:45 UTC 2016
On 4/12/2016 3:40 PM, Martin Kletzander wrote:
> [ I would be way easier to reply if you didn't top-post ]
>
> On Tue, Apr 12, 2016 at 12:07:50PM -0400, TomK wrote:
>> Hey John,
>>
>> Hehe, I got the right guy then. Very nice! And very good ideas but I
>> may need more time to reread and try them out later tonight. I'm fully
>> in agreement about providing more details. Can't be accurate in a
>> diagnosis if there isn't much data to go on. This pool option is new to
>> me. Please tell me more on it. Can't find it in the file below but
>> maybe it's elsewhere?
>>
>> ( <pool type="fs"> ) perhaps rather than the "NFS" pool ( e.g. <pool
>> type="netfs"> )
>>
>>
>> Allright, here's the details:
>>
>> [root at mdskvm-p01 ~]# rpm -aq|grep -i libvir
>> libvirt-daemon-driver-secret-1.2.17-13.el7_2.4.x86_64
>> libvirt-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-network-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-lxc-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-interface-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-config-network-1.2.17-13.el7_2.4.x86_64
>> libvirt-client-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-qemu-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-storage-1.2.17-13.el7_2.4.x86_64
>> libvirt-python-1.2.17-2.el7.x86_64
>> libvirt-glib-0.1.9-1.el7.x86_64
>> libvirt-daemon-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.4.x86_64
>> libvirt-daemon-kvm-1.2.17-13.el7_2.4.x86_64
>> [root at mdskvm-p01 ~]# cat /etc/release
>> cat: /etc/release: No such file or directory
>> [root at mdskvm-p01 ~]# cat /etc/*release*
>> NAME="Scientific Linux"
>> VERSION="7.2 (Nitrogen)"
>> ID="rhel"
>> ID_LIKE="fedora"
>> VERSION_ID="7.2"
>> PRETTY_NAME="Scientific Linux 7.2 (Nitrogen)"
>> ANSI_COLOR="0;31"
>> CPE_NAME="cpe:/o:scientificlinux:scientificlinux:7.2:GA"
>> HOME_URL="http://www.scientificlinux.org//"
>> BUG_REPORT_URL="mailto:scientific-linux-devel at listserv.fnal.gov"
>>
>> REDHAT_BUGZILLA_PRODUCT="Scientific Linux 7"
>> REDHAT_BUGZILLA_PRODUCT_VERSION=7.2
>> REDHAT_SUPPORT_PRODUCT="Scientific Linux"
>> REDHAT_SUPPORT_PRODUCT_VERSION="7.2"
>> Scientific Linux release 7.2 (Nitrogen)
>> Scientific Linux release 7.2 (Nitrogen)
>> Scientific Linux release 7.2 (Nitrogen)
>> cpe:/o:scientificlinux:scientificlinux:7.2:ga
>> [root at mdskvm-p01 ~]#
>>
>> [root at mdskvm-p01 ~]# mount /var/lib/one
>> [root at mdskvm-p01 ~]# su - oneadmin
>> Last login: Sat Apr 9 10:39:25 EDT 2016 on pts/0
>> Last failed login: Tue Apr 12 12:00:57 EDT 2016 from opennebula01 on
>> ssh:notty
>> There were 9584 failed login attempts since the last successful login.
>> i[oneadmin at mdskvm-p01 ~]$ id oneadmin
>> uid=9869(oneadmin) gid=9869(oneadmin)
>> groups=9869(oneadmin),992(libvirt),36(kvm)
>> [oneadmin at mdskvm-p01 ~]$ pwd
>> /var/lib/one
>> [oneadmin at mdskvm-p01 ~]$ ls -altriR|grep -i root
>> 134320262 drwxr-xr-x. 45 root root 4096 Apr 12 07:58 ..
>> [oneadmin at mdskvm-p01 ~]$
>>
>>
>>
>> [oneadmin at mdskvm-p01 ~]$ cat /var/lib/one//datastores/0/38/deployment.0
>> <domain type='kvm'
>> xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
>> <name>one-38</name>
>> <vcpu>1</vcpu>
>> <cputune>
>> <shares>1024</shares>
>> </cputune>
>> <memory>524288</memory>
>> <os>
>> <type arch='x86_64'>hvm</type>
>> <boot dev='hd'/>
>> </os>
>> <devices>
>> <emulator>/usr/libexec/qemu-kvm</emulator>
>> <disk type='file' device='disk'>
>> <source
>> file='/var/lib/one//datastores/0/38/disk.0'/>
>> <target dev='hda'/>
>> <driver name='qemu' type='qcow2' cache='none'/>
>> </disk>
>> <disk type='file' device='cdrom'>
>> <source
>> file='/var/lib/one//datastores/0/38/disk.1'/>
>> <target dev='hdb'/>
>> <readonly/>
>> <driver name='qemu' type='raw'/>
>> </disk>
>> <interface type='bridge'>
>> <source bridge='br0'/>
>> <mac address='02:00:c0:a8:00:64'/>
>> </interface>
>> <graphics type='vnc' listen='0.0.0.0' port='5938'/>
>> </devices>
>> <features>
>> <acpi/>
>> </features>
>> </domain>
>>
>> [oneadmin at mdskvm-p01 ~]$ cat
>> /var/lib/one//datastores/0/38/deployment.0|grep -i nfs
>> [oneadmin at mdskvm-p01 ~]$
>>
>>
>>
>> Cheers,
>> Tom K.
>> -------------------------------------------------------------------------------------
>>
>>
>> Living on earth is expensive, but it includes a free trip around the
>> sun.
>>
>> On 4/12/2016 11:45 AM, John Ferlan wrote:
>>>
>>> On 04/12/2016 10:58 AM, TomK wrote:
>>>> Hey Martin,
>>>>
>>>> Thanks very much. Appreciate you jumping in on this thread.
>>> Can you provide some more details with respect to which libvirt version
>>> you have installed. I know I've made changes in this space in more
>>> recent versions (not the most recent). I'm no root_squash expert, but I
>>> was the last to change things in the space so that makes me partially
>>> fluent ;-) in NFS/root_squash speak.
>>>
>
> I'm always lost in how do we handle *all* the corner cases that are not
> even used anywhere at all, but care about the conditions we have in the
> code. Especially when it's constantly changing. So thanks for jumping
> in. I only replied because nobody else did and I had only the tiniest
> clue as to what could happen.
>
>>> Using root_squash is very "finicky" (to say the least)... It wasn't
>>> really clear from what you posted how you are attempting to reference
>>> things. Does the "/var/lib/one//datastores/0/38/deployment.0" XML file
>>> use a direct path to the NFS volume or does it use a pool? If a pool,
>>> then what type of pool? It is beneficial to provide as many details as
>>> possible about the configuration because (so to speak) those that are
>>> helping you won't know your environment (I've never used OpenNebula)
>>> nor
>>> do I have a 'oneadmin' uid:gid.
>>>
>>> What got my attention was the error message "initializing FS storage
>>> file" with the "file:" prefix to the name and 9869:9869 as the uid:gid
>>> trying to access the file (I assume that's oneadmin:oneadmin on your
>>> system).
>>>
>
> I totally missed this. So the only thing that popped on my mind now was
> checking the whole path:
>
> ls -ld /var{,/lib{,/one{,/datastores{,/0{,/38{,/disk.1}}}}}}
>
> You can also run it as root and oneadmin, however after reading through
> all the info again, I don't think that'll help.
>
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
I top post by default in thunderbird and we have same setup at work with
M$ LookOut. Old habits are to blame I guess. I'll try to reply like
this instead. But yeah it's terrible for mailing lists to top post.
Here's the output and thanks again:
[oneadmin at mdskvm-p01 ~]$ ls -ld
/var{,/lib{,/one{,/datastores{,/0{,/38{,/disk.1}}}}}}
drwxr-xr-x. 21 root root 4096 Apr 11 07:10 /var
drwxr-xr-x. 45 root root 4096 Apr 12 07:58 /var/lib
drwxr-x--- 12 oneadmin oneadmin 4096 Apr 12 15:50 /var/lib/one
drwxrwxr-x 6 oneadmin oneadmin 46 Mar 31 02:44 /var/lib/one/datastores
drwxrwxr-x 6 oneadmin oneadmin 42 Apr 5 00:20
/var/lib/one/datastores/0
drwxrwxr-x 2 oneadmin oneadmin 68 Apr 5 00:20
/var/lib/one/datastores/0/38
-rw-r--r-- 1 oneadmin oneadmin 372736 Apr 5 00:20
/var/lib/one/datastores/0/38/disk.1
[oneadmin at mdskvm-p01 ~]$
That's the default setting but I think I see what you're getting at that
permissions get inherited?
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20160412/4544eb85/attachment-0001.htm>
More information about the libvir-list
mailing list