Missing Configuration to Support Secure NAS with NFS Cinder backends

Solution Verified - Updated -


When using an NFS driver as the Cinder backend, the nas_secure_file_permissions and nas_secure_file_operations settings in the /etc/cinder.cinder.conf are set to auto. This is a sane default, but required supporting configuration options are not set to allow this to correctly function.

By default with the install, if the NFS export allows setuid and isn't squashing root, one can successfully create cinder volumes and cinder snapshots. However one cannot perform any operations on the Cinder volumes once they have been attached to an instance as they are then owned by qemu:qemu and with the NFS security enhancements enabled the changes attempt to run as the Cinder process owner (cinder user) and fail as they have no access to the volumes.


-Red Hat OpenStack Platform 11.0
-Red Hat OpenStack Platform 10.0
- Red Hat OpenStack Platform 9.0
- Red Hat OpenStack Platform 8.0

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content