Hi,

On Wed, Sep 11, 2013 at 1:06 PM, Gerry O'Brien <ge...@scss.tcd.ie> wrote:

> Hi Carlos,
>
> I appreciate the security issues. I'm just wondering why
> /var/lib/one/datastores is not a safe directory by default given it is the
> default location for datastores?

Oneadmin's home /var/lib/one is restricted by default, because it contains the one_auth file, the database one.db... And /var/lib/one/datastores must also be restricted, because a user should not be able to copy another registered image in there.

I hope this makes sense.

Cheers

--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com/> in Berlin, 24-26 September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org <http://www.opennebula.org/> | cmar...@opennebula.org | @OpenNebula <http://twitter.com/opennebula>

> Regards,
> Gerry
>
> On 11/09/2013 11:51, Carlos Martín Sánchez wrote:
>
>> Hi,
>>
>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from /var/lib/one/ /etc/one/ /var/lib/one/
>>
>> The dir /var/lib/one is a restricted dir, and OpenNebula won't allow you to
>> copy images from there. Otherwise, you could copy the DB or other
>> authentication files. That's why it works from /datastores.
>>
>> See [1] for more information.
>>
>> Best regards.
>>
>> [1] http://opennebula.org/documentation:rel4.2:fs_ds#configuring_the_filesystem_datastores
>>
>> On Tue, Sep 10, 2013 at 4:59 PM, Gerry O'Brien <ge...@scss.tcd.ie> wrote:
>>
>>> Hi,
>>>
>>> This seems to be a general issue not specific to QCOW2. For the moment
>>> I've solved the issue by mounting the datastores (which are NFS exports for
>>> a filestore) on the root partition at /datastores and created a symlink
>>> from /var/lib/one/datastore to /datastores.
>>>
>>> Is this correct?
>>>
>>> Gerry
>>>
>>> On 10/09/2013 14:38, Gerry O'Brien wrote:
>>>
>>>> Hi,
>>>>
>>>> I get the following error when trying to create an image from a QCOW2
>>>> file: "Error copying image in the datastore: Not allowed to copy image
>>>> file /var/lib/one/datastores/1/DELETEME.qcow2"
>>>>
>>>> Below are the commands I use to create the QCOW2 file before trying
>>>> to create the image named DELETEME using oneimage. The QCOW2 file has
>>>> been created with a backing file.
>>>>
>>>> This used to work in OpenNebula 3. I have made sure the user oneadmin
>>>> is also in the cloud group in case it is some kind of permissions file.
>>>>
>>>> Any ideas?
>>>>
>>>> Regards,
>>>> Gerry
>>>>
>>>> qemu-img create -f qcow2 -o backing_file=/var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe /var/lib/one/datastores/1/DELETEME.qcow2
>>>>
>>>> qemu-img info /var/lib/one/datastores/1/DELETEME.qcow2
>>>> image: /var/lib/one/datastores/1/DELETEME.qcow2
>>>> file format: qcow2
>>>> virtual size: 50G (53687091200 bytes)
>>>> disk size: 12K
>>>> cluster_size: 65536
>>>> backing file: /var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe
>>>>
>>>> ls -la /var/lib/one/datastores/1/DELETEME.qcow2
>>>> -rw-r--r-- 1 oneadmin oneadmin 197632 Sep 10 13:27 /var/lib/one/datastores/1/DELETEME.qcow2
>>>>
>>>> oneimage create -d default --name DELETEME --path /var/lib/one/datastores/1/DELETEME.qcow2 --prefix hd --type OS --driver qcow2 --persistent
>>>>
>>>> Below is a similar error message when using the sunstone GUI
>>>>
>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Copying /var/lib/one/datastores/1/VlabC_1.qcow2 to repository for image 37
>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:7232 UID:0 ImageAllocate result SUCCESS, 37
>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo invoked, 37
>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo result SUCCESS, "<IMAGE><ID>37</ID><U..."
>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Command execution fail: /var/lib/one/remotes/datastore/fs/cp [...] 37
>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from /var/lib/one/ /etc/one/ /var/lib/one/
>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: ExitCode: 255
>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Error copying image in the datastore: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>
>>> --
>>> Gerry O'Brien
>>>
>>> Systems Manager
>>> School of Computer Science and Statistics
>>> Trinity College Dublin
>>> Dublin 2
>>> IRELAND
>>>
>>> 00 353 1 896 1341
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users@lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
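
The restricted-directory rule discussed in this thread, as an added example that is not part of the original messages and is not OpenNebula's driver code: a shell check that refuses image sources under a restricted directory unless a safe directory un-blocks them, in the spirit of the RESTRICTED_DIRS and SAFE_DIRS datastore attributes. The function names and the sandbox layout are assumptions made for illustration; the restricted list is the one printed in the log line above.

```sh
#!/bin/sh
# Added example, not OpenNebula's driver code. is_import_allowed, under and
# the sandbox layout are hypothetical names chosen for this illustration.

# under DIR PATH: succeeds when PATH is DIR or lies below it. Matching on a
# path-component boundary keeps /var/lib/one from matching /var/lib/one-backup.
under() {
    case "$2/" in
        "${1%/}/"*) return 0 ;;
    esac
    return 1
}

# is_import_allowed PATH RESTRICTED SAFE: 0 = allowed, 1 = refused.
# RESTRICTED and SAFE are space-separated directory lists.
is_import_allowed() {
    # Decide on the resolved location, not on the string that was typed.
    real=$(readlink -f -- "$1") && [ -n "$real" ] || return 1
    for d in $3; do    # a safe dir un-blocks a subtree of a restricted one
        r=$(readlink -f -- "$d") && [ -n "$r" ] && under "$r" "$real" && return 0
    done
    for d in $2; do    # everything else under a restricted dir is refused
        r=$(readlink -f -- "$d") && [ -n "$r" ] && under "$r" "$real" && return 1
    done
    return 0
}

# Constructed sandbox standing in for the filesystem root of the front-end.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/var/lib/one/datastores/1" "$ROOT/var/lib/one-backup" \
         "$ROOT/etc/one" "$ROOT/srv/import"
touch "$ROOT/var/lib/one/one.db" \
      "$ROOT/var/lib/one/datastores/1/DELETEME.qcow2" \
      "$ROOT/var/lib/one-backup/disk.qcow2" "$ROOT/srv/import/disk.qcow2"

# The directories named in the "Not allowed to copy images from" log line.
RESTRICTED="$ROOT/var/lib/one/ $ROOT/etc/one/"

for p in var/lib/one/one.db var/lib/one/datastores/1/DELETEME.qcow2 \
         var/lib/one-backup/disk.qcow2 srv/import/disk.qcow2; do
    if is_import_allowed "$ROOT/$p" "$RESTRICTED" ""; then
        echo "allowed /$p"
    else
        echo "refused /$p"
    fi
done
```

Passing the datastores directory as the third argument un-blocks only that subtree; one.db and the rest of /var/lib/one stay refused.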