On 4/13/2016 1:33 AM, Martin Kletzander wrote:
On
Tue, Apr 12, 2016 at 06:24:16PM -0400, TomK wrote:
On 4/12/2016 5:08 PM, John Ferlan wrote:
Having/using a root squash via an NFS
pool is "easy" (famous last words)
Create some pool XML (taking the example I have)
% cat nfs.xml
<pool type='netfs'>
<name>rootsquash</name>
<source>
<host name='localhost'/>
<dir path='/home/bzs/rootsquash/nfs'/>
<format type='nfs'/>
</source>
<target>
<path>/tmp/netfs-rootsquash-pool</path>
<permissions>
<mode>0755</mode>
<owner>107</owner>
<group>107</group>
</permissions>
</target>
</pool>
In this case 107:107 is qemu:qemu and I used 'localhost' as
the
hostname, but that can be a fqdn or ip-addr to the NFS server.
You've already seen my /etc/exports
virsh pool-define nfs.xml
virsh pool-build rootsquash
virsh pool-start rootsquash
virsh vol-list rootsquash
Now instead of
<disk type='file' device='disk'>
<source
file='/var/lib/one//datastores/0/38/disk.0'/>
<target dev='hda'/>
<driver name='qemu' type='qcow2' cache='none'/>
</disk>
Something like:
<disk type='volume' device='disk'>
<driver name='qemu' type='qemu' cache='none'/>
<source pool='rootsquash' volume='disk.0'/>
<target dev='hda'/>
</disk>
The volume name may be off, but it's perhaps close. I forget
how to do
the readonly bit for a pool (again, my focus is elsewhere).
Of course you'd have to adjust the nfs.xml above to suit your
environment and see what you see/get. The privileges for the
pool and
volumes in the pool become the key to how libvirt decides to
"request
access" to the volume. "disk.1" having read access is
probably not an
issue since you seem to be using it as a CDROM; however,
"disk.0" is
going to be used for read/write - thus would have to be
appropriately
configured...
Thanks John! Appreciated again.
No worries, handle what's on the plate now and earmark this for
checking
once you have some free cycles. I can temporarily hop on one
leg by
using Martin Kletzander's workaround (It's a POC at the moment).
I'll have a look at your instructions further but wanted to find
out if
that config nfs.xml is a one time thing correct? I'm spinning
these up
at will via the OpenNebula GUI and if I have update for each VM,
that
breaks the Cloud provisioning. I'll go over your notes again.
I'm
optimistic. :)
The more I'm thinking about it, the more I am convinced that the
workaround is actually not a workaround. The only thing you need
to do
is having execute for others (precisely for 'nobody' on the nfs
share)
in the whole path on all directories. Without that even the pool
won't
be usable from libvirt. However it does not pose any security
issue as
it only allows others to check the path. When qemu is launched,
it has
the proper "label", meaning uid:gid to access the file so it will
be
able to read/write or whatever permissions you set there. It's
just
that libvirt does some checks that the path exists for example.
Hope that's understandable and it will resolve your issue
permanently.
Have a nice day,
Martin
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
The only reason I said that this might be a 'workaround' is due to
John Farlan commenting that he'll look at this later on. Ideally
the opennebula community keeps the other permissions to nill and
presumably they work on NFSv3 per the forum topic I included earlier
from them. But if setting the permissions on nobody to allow for
the functionality, I would be comfortable with that.
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around
the sun.