Mircea Husz
2019-Mar-20 18:50 UTC
[libvirt-users] virsh snapshot-create-as: change umask on snapshots
I scripted the creation of snapshots and it works fine. Now I'd like to run the script as non-root.

virsh snapshot-create-as --domain hq-live-v01 \
  --name snappy \
  --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
  --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
  --disk-only --quiesce --atomic

This fragment creates the snapshots, but they get created with mode 0600:

-rw------- 1 qemu qemu 393216 Mar 19 17:08 hq-live-storage.snappy
-rw------- 1 qemu qemu 1048576 Mar 19 17:08 hq-live-v01.snappy

The user account is in the libvirt group and has permissions to do everything except delete the files created by the snapshot, all I need is to get the snapshots created with 0660 mode.

This is on a CentOS 7.6 installation. What knobs do I need to turn to control the umask?

Thanks,
-Mike
Eric Blake
2019-Mar-20 20:48 UTC
Re: [libvirt-users] virsh snapshot-create-as: change umask on snapshots
On 3/20/19 1:50 PM, Mircea Husz wrote:
> I scripted the creation of snapshots and it works fine. Now I'd like to run the script as non-root.
>
> virsh snapshot-create-as --domain hq-live-v01 \
>   --name snappy \
>   --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
>   --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
>   --disk-only --quiesce --atomic
>
> This fragment creates the snapshots, but they get created with mode 0600:
> -rw------- 1 qemu qemu 393216 Mar 19 17:08 hq-live-storage.snappy
> -rw------- 1 qemu qemu 1048576 Mar 19 17:08 hq-live-v01.snappy
>
> The user account is in the libvirt group and has permissions to do everything except delete the files created by the snapshot, all I need is to get the snapshots created with 0660 mode.
>
> This is on a CentOS 7.6 installation. What knobs do I need to turn to control the umask?

I'm not sure if you can force libvirt to create the files with a different mask, but perhaps a workaround would be to pre-create the files yourself with desired permissions, then tell virsh to --reuse-external (so that libvirt no longer has to try and create the files, and thus doesn't mess with permissions).

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
Peter Krempa
2019-Mar-22 17:36 UTC
Re: [libvirt-users] virsh snapshot-create-as: change umask on snapshots
On Wed, Mar 20, 2019 at 15:48:43 -0500, Eric Blake wrote:
> On 3/20/19 1:50 PM, Mircea Husz wrote:
> > I scripted the creation of snapshots and it works fine. Now I'd like to run the script as non-root.
> >
> > virsh snapshot-create-as --domain hq-live-v01 \
> >   --name snappy \
> >   --diskspec vda,file=/var/lib/libvirt/images/hq-live-v01.snappy,snapshot=external \
> >   --diskspec vdb,file=/var/lib/libvirt/images/hq-live-storage.snappy,snapshot=external \
> >   --disk-only --quiesce --atomic
> >
> > This fragment creates the snapshots, but they get created with mode 0600:
> > -rw------- 1 qemu qemu 393216 Mar 19 17:08 hq-live-storage.snappy
> > -rw------- 1 qemu qemu 1048576 Mar 19 17:08 hq-live-v01.snappy
> >
> > The user account is in the libvirt group and has permissions to do everything except delete the files created by the snapshot, all I need is to get the snapshots created with 0660 mode.
> >
> > This is on a CentOS 7.6 installation. What knobs do I need to turn to control the umask?
>
> I'm not sure if you can force libvirt to create the files with a
> different mask, but perhaps a workaround would be to pre-create the
> files yourself with desired permissions, then tell virsh to
> --reuse-external (so that libvirt no longer has to try and create the
> files, and thus doesn't mess with permissions).

--reuse-external is good only for using a custom-formatted image. Libvirt will chown the image to qemu:qemu if you don't disable relabelling.

This is possible to do via the <seclabel> even in a snapshot <disk> definition. Note that it's not documented yet and also does not conform to the schema, but the parser happily parses it and the code uses the correct <seclabel> then.

I have a not-sufficiently-tested patch that adds the schema (and IIRC also docs) which I planned to send after testing.
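
Added example, not written by any poster in this thread and not libvirt's own code: shell helpers that combine the two replies by pre-creating each overlay with mode 0660 and generating snapshot XML whose disks carry a DAC <seclabel> with relabel='no', for use with --reuse-external. The helper names are hypothetical, and placing <seclabel> inside <source> (as in a domain <disk>) is an assumption, since the thread says the element was undocumented for snapshots at the time.

```shell
#!/bin/sh
# Added example. Helper names (mode_of, xml_safe, precreate_overlay,
# gen_snapshot_xml) are hypothetical, not part of libvirt.

# Octal permission bits of a file (GNU stat, as shipped on CentOS).
mode_of() { stat -c '%a' "$1"; }

# Refuse empty values and values that would need XML escaping.
xml_safe() {
    case $1 in ''|*"'"*|*'"'*|*'<'*|*'>'*|*'&'*) return 1 ;; esac
}

# precreate_overlay OVERLAY BACKING BACKING_FMT GROUP
# Creates the qcow2 overlay that --reuse-external expects on top of the
# disk's current image, then sets group and mode 0660. Requires qemu-img.
precreate_overlay() {
    qemu-img create -f qcow2 -b "$2" -F "$3" "$1" &&
        chgrp "$4" "$1" && chmod 0660 "$1"
}

# gen_snapshot_xml NAME TARGET=FILE [TARGET=FILE ...]
# Prints <domainsnapshot> XML; returns 1 without output on bad input.
gen_snapshot_xml() {
    name=$1; shift
    xml_safe "$name" && [ "$#" -gt 0 ] || return 1
    for spec in "$@"; do          # validate everything before printing
        case $spec in ?*=?*) ;; *) return 1 ;; esac
        xml_safe "$spec" || return 1
    done
    printf '<domainsnapshot>\n  <name>%s</name>\n  <disks>\n' "$name"
    for spec in "$@"; do
        printf "    <disk name='%s' snapshot='external'>\n" "${spec%%=*}"
        printf "      <driver type='qcow2'/>\n"
        printf "      <source file='%s'>\n" "${spec#*=}"
        # Assumption: same placement as the per-source seclabel of a domain
        # disk. model='dac' disables only the chown, not SELinux labelling.
        printf "        <seclabel model='dac' relabel='no'/>\n"
        printf "      </source>\n    </disk>\n"
    done
    printf '  </disks>\n</domainsnapshot>\n'
}

# On the host (CURRENT_VDA_IMAGE is a placeholder for the disk's active image):
#   precreate_overlay /var/lib/libvirt/images/hq-live-v01.snappy CURRENT_VDA_IMAGE qcow2 libvirt
#   gen_snapshot_xml snappy vda=/var/lib/libvirt/images/hq-live-v01.snappy > snap.xml
#   virsh snapshot-create hq-live-v01 snap.xml --disk-only --quiesce --atomic --reuse-external
#   mode_of /var/lib/libvirt/images/hq-live-v01.snappy
```

With DAC relabelling off, libvirt leaves ownership alone, so the qemu process must already be able to open each pre-created overlay read-write.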