* cephx execute permissions for RBD operations
@ 2013-01-30 16:21 Wido den Hollander
2013-01-30 21:20 ` Josh Durgin
0 siblings, 1 reply; 2+ messages in thread
From: Wido den Hollander @ 2013-01-30 16:21 UTC (permalink / raw)
To: ceph-devel@vger.kernel.org
Hi,
Yesterday I ran into a weird situation where my libvirt RBD pool
just wouldn't work.
Turned out the credentials I was using only had rw permissions for OSDs
instead of rwx or *.
This caused rbd_open to fail, looking at librbd itself I understand why
execute permissions are required to do so (locks, watches).
What is however the best way to detect if you don't have the required
permissions?
This piece of code:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/storage/storage_backend_rbd.c;h=8a0e517502c482f23f01bc63e95f1dc210d711cd;hb=master#l215
I simply check if the open fails, but just "failed to open the RBD
image" wasn't really that clear.
I'd like to give a more useful error instead of that, but what error
codes can I expect?
Wido
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: cephx execute permissions for RBD operations
2013-01-30 16:21 cephx execute permissions for RBD operations Wido den Hollander
@ 2013-01-30 21:20 ` Josh Durgin
0 siblings, 0 replies; 2+ messages in thread
From: Josh Durgin @ 2013-01-30 21:20 UTC (permalink / raw)
To: Wido den Hollander; +Cc: ceph-devel@vger.kernel.org
On 01/30/2013 08:21 AM, Wido den Hollander wrote:
> Hi,
>
> Yesterday I ran into a weird situation where my libvirt RBD pool
> just wouldn't work.
>
> Turned out the credentials I was using only had rw permissions for OSDs
> instead of rwx or *.
>
> This caused rbd_open to fail, looking at librbd itself I understand why
> execute permissions are required to do so (locks, watches).
It's actually not the watches, but the general metadata stored in the
header object (snapshots, locks, and for format 2 images everything
else).
> What is however the best way to detect if you don't have the required
> permissions?
rbd_open() should return -EPERM. From the cli, doing 'rbd info' will do
this and tell you. The one case where you need more permissions
(allow class-read object_prefix rbd_children) is when unprotecting a
snapshot, which will fail with -EPERM when it is attempted. That only
matters for format 2 images though.
> This piece of code:
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/storage/storage_backend_rbd.c;h=8a0e517502c482f23f01bc63e95f1dc210d711cd;hb=master#l215
>
>
> I simply check if the open fails, but just "failed to open the RBD
> image" wasn't really that clear.
>
> I'd like to give a more useful error instead of that, but what error
> codes can I expect?
-EPERM for this case, others could be -EIO, -ENOSPC (since a watch is a
write), -ENOENT, -ENOSYS (trying to open an image that librbd or the
osds don't support), and possibly others I'm forgetting.
Josh
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-01-30 21:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-30 16:21 cephx execute permissions for RBD operations Wido den Hollander
2013-01-30 21:20 ` Josh Durgin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.