[one-users] oneimage QCOW2 problem: Error copying image in the datastore: Not allowed to copy image file

Carlos Martín Sánchez cmartin at opennebula.org
Wed Sep 11 08:56:04 PDT 2013


Well, yes. If I register a new image with the path
/datastores/0/<vmid>/deployment.0 I could get your vnc password, for
example. Or if I point it to the context cdrom image, I could get some
variables that may contain important information. And, of course, I could
copy one of your images or running VM disks.

Cheers


--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26
September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmartin at opennebula.org |
@OpenNebula <http://twitter.com/opennebula>


On Wed, Sep 11, 2013 at 2:05 PM, Gerry O'Brien <gerry at scss.tcd.ie> wrote:

> Hi,
>
>     By using /datastores instead of /var/lib/one/datastores, have I opened
> a security hole?
>
>
>
> On 11/09/2013 12:51, Carlos Martín Sánchez wrote:
>
>> Hi,
>>
>> On Wed, Sep 11, 2013 at 1:06 PM, Gerry O'Brien <gerry at scss.tcd.ie> wrote:
>>
>>> Hi Carlos,
>>>
>>>      I appreciate the security issues. I'm just wondering why
>>> /var/lib/one/datastores is not a safe directory by default given it is
>>> the
>>> default location for datastores?
>>>
>> Oneadmin's home /var/lib/one is restricted by default, because it contains
>> the one_auth file, the database one.db... And /var/lib/one/datastores must
>> also be restricted, because a user should not be able to copy another
>> registered image in there. I hope this makes sense.
>>
>> Cheers
>> --
>> Join us at OpenNebulaConf2013 <http://opennebulaconf.com/> in Berlin, 24-26
>> September, 2013
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org |
>> @OpenNebula <http://twitter.com/opennebula>
>>
>>
>>
>>>      Regards,
>>>          Gerry
>>>
>>>
>>>
>>> On 11/09/2013 11:51, Carlos Martín Sánchez wrote:
>>>
>>>> Hi,
>>>>
>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from
>>>> /var/lib/one/ /etc/one/ /var/lib/one/
>>>>
>>>> The dir /var/lib/one is a restricted dir, and OpenNebula won't allow you
>>>> to copy images from there. Otherwise, you could copy the DB or other
>>>> authentication files. That's why it works from /datastores.
>>>>
>>>> See [1] for more information.
>>>>
>>>> Best regards.
>>>>
>>>> [1] http://opennebula.org/documentation:rel4.2:fs_ds#configuring_the_filesystem_datastores
>>>>
>>>>
>>>>
>>>> --
>>>> Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26
>>>> September, 2013
>>>> --
>>>> Carlos Martín, MSc
>>>> Project Engineer
>>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>>> www.OpenNebula.org | cmartin at opennebula.org |
>>>> @OpenNebula <http://twitter.com/opennebula>
>>>>
>>>>
>>>>
>>>> On Tue, Sep 10, 2013 at 4:59 PM, Gerry O'Brien <gerry at scss.tcd.ie>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>       This seems to be a general issue not specific to QCOW2. For the
>>>>> moment I've solved the issue by mounting the datastores (which are NFS
>>>>> exports for a filestore) on the root partition at /datastores and created
>>>>> a symlink from /var/lib/one/datastores to /datastores.
>>>>>
>>>>>        Is this correct?
>>>>>
>>>>>               Gerry
>>>>>
>>>>>
>>>>> On 10/09/2013 14:38, Gerry O'Brien wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>       I get the following error when trying to create an image from a
>>>>>> QCOW2 file: "Error copying image in the datastore: Not allowed to copy
>>>>>> image file /var/lib/one/datastores/1/DELETEME.qcow2"
>>>>>>
>>>>>>
>>>>>>       Below are the commands I use to create the QCOW2 file before
>>>>>> trying to create the image named DELETEME using oneimage. The QCOW2 file
>>>>>> has been created with a backing file.
>>>>>>
>>>>>>       This used to work in OpenNebula 3. I have made sure the user
>>>>>> oneadmin is also in the cloud group in case it is some kind of permissions
>>>>>> file.
>>>>>>
>>>>>>       Any ideas?
>>>>>>
>>>>>>           Regards,
>>>>>>               Gerry
>>>>>>
>>>>>>
>>>>>>
>>>>>> qemu-img create -f qcow2 -o backing_file=/var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>>
>>>>>> qemu-img info /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> image: /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> file format: qcow2
>>>>>> virtual size: 50G (53687091200 bytes)
>>>>>> disk size: 12K
>>>>>> cluster_size: 65536
>>>>>> backing file: /var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe
>>>>>>
>>>>>> ls -la /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> -rw-r--r-- 1 oneadmin oneadmin 197632 Sep 10 13:27 /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>>
>>>>>> oneimage create -d default --name DELETEME --path /var/lib/one/datastores/1/DELETEME.qcow2 --prefix hd --type OS --driver qcow2 --persistent
>>>>>>
>>>>>> Below is a similar error message when using the sunstone GUI
>>>>>>
>>>>>>
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Copying /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>> to repository for image 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:7232 UID:0 ImageAllocate result
>>>>>> SUCCESS, 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo invoked,
>>>>>> 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo result
>>>>>> SUCCESS, "<IMAGE><ID>37</ID><U..."
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Command execution fail:
>>>>>> /var/lib/one/remotes/datastore/fs/cp [...] 37
>>>>>>
>>>>>>
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from
>>>>>> /var/lib/one/ /etc/one/ /var/lib/one/
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Not allowed to copy image file
>>>>>> /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>>
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: ExitCode: 255
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Error copying image in the datastore:
>>>>>> Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>>
>>>>> --
>>>>> Gerry O'Brien
>>>>>
>>>>> Systems Manager
>>>>> School of Computer Science and Statistics
>>>>> Trinity College Dublin
>>>>> Dublin 2
>>>>> IRELAND
>>>>>
>>>>> 00 353 1 896 1341
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>
>>> --
>>> Gerry O'Brien
>>>
>>> Systems Manager
>>> School of Computer Science and Statistics
>>> Trinity College Dublin
>>> Dublin 2
>>> IRELAND
>>>
>>> 00 353 1 896 1341
>>>
>>>
>>>
>
> --
> Gerry O'Brien
>
> Systems Manager
> School of Computer Science and Statistics
> Trinity College Dublin
> Dublin 2
> IRELAND
>
> 00 353 1 896 1341
>
>
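Carlos's answer above (restricted dirs only protect what physically lives under them, so a datastore that was moved to /datastores and reached through a symlink is no longer covered, and files such as deployment.0 become registrable) can be checked mechanically. The following is an added Python example, not OpenNebula's own fs datastore cp script: the restricted list is taken from the log line quoted in the thread, and the temp-dir layout is a constructed stand-in for Gerry's setup.

```python
import os
import tempfile

# Restricted list taken from the log line quoted above: /var/lib/one/ and /etc/one/
DEFAULT_RESTRICTED = ["/var/lib/one/", "/etc/one/"]


def _under(path, directory):
    """Component-wise containment, so /var/lib/one-data is not under /var/lib/one."""
    directory = directory.rstrip(os.sep) or os.sep
    return path == directory or path.startswith(directory + os.sep)


def is_allowed_source(path, restricted=DEFAULT_RESTRICTED):
    """Deny if the path as given, or with symlinks resolved, lies inside any
    restricted dir (each restricted dir is also taken as given and resolved)."""
    forms = {os.path.normpath(path), os.path.realpath(path)}
    for d in restricted:
        for bound in {os.path.normpath(d), os.path.realpath(d)}:
            if any(_under(f, bound) for f in forms):
                return False
    return True


def uncovered_datastores(base_paths, restricted=DEFAULT_RESTRICTED):
    """Datastore BASE_PATHs whose real on-disk location is outside every restricted
    dir: files living there (deployment.0, context ISO, VM disks) can be registered."""
    return [bp for bp in base_paths
            if is_allowed_source(os.path.realpath(bp), restricted)]


def demo_relocated_datastore():
    """Constructed stand-in for Gerry's layout: <root>/datastores holds the data and
    <root>/var/lib/one/datastores is a symlink to it. Returns verdicts for both lists."""
    with tempfile.TemporaryDirectory() as root:
        one_home = os.path.join(root, "var", "lib", "one")
        real_ds = os.path.join(root, "datastores")
        os.makedirs(one_home)
        os.makedirs(os.path.join(real_ds, "0", "42"))
        os.symlink(real_ds, os.path.join(one_home, "datastores"))
        deployment = os.path.join(real_ds, "0", "42", "deployment.0")
        open(deployment, "w").close()
        ds1 = os.path.join(one_home, "datastores", "1")  # datastore 1 as configured
        default = [one_home + os.sep]                     # only the oneadmin home
        fixed = default + [real_ds + os.sep]              # plus the real location
        return {
            "deployment_allowed_default": is_allowed_source(deployment, default),
            "deployment_allowed_fixed": is_allowed_source(deployment, fixed),
            "uncovered_default": uncovered_datastores([ds1], default),
            "uncovered_fixed": uncovered_datastores([ds1], fixed),
        }
```

With the default list the relocated deployment file is accepted and datastore 1 is reported as uncovered; adding the real mount point to the restricted list closes both.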