openstack/openstack-ansible-os_nova
Code Issues Proposed changes
6682ea094c
openstack-ansible-os_nova/files
History
cmart 2bd15db036 nova user can read kernel for libguestfs on Ubuntu 
Problem: libvirt password/key injection uses libguestfs to mount the
guest filesystem. libguestfs uses a supermin appliance, and in order to
create this appliance, libguestfs (running as nova user) must read the
host's kernel. Unfortunately, Ubuntu sets file permissions which make
compressed kernels non-readable to non-root users, and this breaks
libvirt password/key injection on compute hosts running Ubuntu.

Solution: When compute hosts are running Ubuntu AND the deployer has
enabled libvirt password or SSH key injection, do the following:
- Run `dpkg-statoverride` to set file permissions on compressed
  kernel (/boot/vmlinuz-*), readable to group 'nova'
- Install a script which does same for each new kernel installed via
  system updates in the future

Related-Bug: #1507915
Change-Id: Ic96b69bb80ce11001b2ee5d63324a12b0f68456d
2017-03-31 10:25:06 -07:00
..
rootwrap.d Update paste, policy and rootwrap configurations 2017-02-02 2017-02-02 15:18:00 +00:00
nova_kernel_permissions.sh nova user can read kernel for libguestfs on Ubuntu 2017-03-31 10:25:06 -07:00
smt.conf Disable SMT for ppc64 hypervisor and set VNC 2016-11-02 14:47:23 +00:00
smt.service Disable SMT for ppc64 hypervisor and set VNC 2016-11-02 14:47:23 +00:00
ssh_config Convert existing roles into galaxy roles 2015-02-18 10:56:25 +00:00