Missing Configuration to Support Secure NAS with NFS Cinder backends

Issue

When using an NFS driver as the Cinder backend, the nas_secure_file_permissions and nas_secure_file_operations settings in the /etc/cinder.cinder.conf are set to auto. This is a sane default, but required supporting configuration options are not set to allow this to correctly function.

By default with the install, if the NFS export allows setuid and isn't squashing root, one can successfully create cinder volumes and cinder snapshots. However one cannot perform any operations on the Cinder volumes once they have been attached to an instance as they are then owned by qemu:qemu and with the NFS security enhancements enabled the changes attempt to run as the Cinder process owner (cinder user) and fail as they have no access to the volumes.

Environment

-Red Hat OpenStack Platform 11.0
-Red Hat OpenStack Platform 10.0
- Red Hat OpenStack Platform 9.0
- Red Hat OpenStack Platform 8.0

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Select Your Language

Missing Configuration to Support Secure NAS with NFS Cinder backends

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links