From: Luis Chamberlain
To: Chuck Lever, Daniel Gomez, kdevops@lists.linux.dev
Cc: Luis Chamberlain
Subject: [PATCH 5/8] base_image: relax base image permissions
Date: Fri, 17 Oct 2025 19:31:50 -0700
Message-ID: <20251018023154.2239688-6-mcgrof@kernel.org>
In-Reply-To: <20251018023154.2239688-1-mcgrof@kernel.org>
References: <20251018023154.2239688-1-mcgrof@kernel.org>

Base images created by virt-builder have default root:root 600
permissions which prevent the systemd services from reading them.
We want to let others and systemd services be able to read these
base images.

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain
---
 .../roles/base_image/tasks/base-image.yml   | 18 ++++++++++++++++++
 .../roles/base_image/tasks/custom-image.yml |  6 ++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/playbooks/roles/base_image/tasks/base-image.yml b/playbooks/roles/base_image/tasks/base-image.yml index d1f99a77..fc022649 100644 --- a/playbooks/roles/base_image/tasks/base-image.yml +++ b/playbooks/roles/base_image/tasks/base-image.yml
@@ -72,6 +72,24 @@ when: - not libvirt_uri_system|bool +- name: Set proper ownership on base image for rcloud access (system libvirt) + become: true + become_method: ansible.builtin.sudo + ansible.builtin.file: + path: "{{ base_image_pathname }}" + owner: root + group: "{{ libvirt_qemu_group | default('libvirt-qemu') }}" + mode: "0640" + when: + - libvirt_uri_system|bool + +- name: Set proper permissions on base image (user libvirt) + ansible.builtin.file: + path: "{{ base_image_pathname }}" + mode: "0644" + when: + - not libvirt_uri_system|bool + - name: Clean up the virt-builder command file ansible.builtin.file: path: "{{ command_file.path }}" diff --git a/playbooks/roles/base_image/tasks/custom-image.yml b/playbooks/roles/base_image/tasks/custom-image.yml index 121fa112..75c48e8f 100644 --- a/playbooks/roles/base_image/tasks/custom-image.yml +++ b/playbooks/roles/base_image/tasks/custom-image.yml @@ -347,11 +347,13 @@ - custom_image_stat.stat.exists or custom_image_download is changed - custom_image != base_image_pathname -- name: Set proper permissions on base image +- name: Set proper ownership on base image for rcloud access become: true become_method: ansible.builtin.sudo ansible.builtin.file: path: "{{ base_image_pathname }}" - mode: "u=rw,g=r,o=r" + owner: root + group: "{{ libvirt_qemu_group | default('libvirt-qemu') }}" + mode: "0640" when: - custom_image_stat.stat.exists or custom_image_download is changed -- 2.51.0
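Review bot: in the base-image.yml hunk, the two new tasks grant different access and the commit message only describes one of them. The system-libvirt task sets mode "0640" with group libvirt_qemu_group, which gives "others" no read bit, while the user-libvirt task sets mode "0644" and makes the image readable by every local account. The commit message says the goal is to let "others and systemd services" read the image, so either the message or the system-libvirt mode needs adjusting, and the task names or a comment should say why the two paths differ. If the user-session case only needs the invoking user to read the image, a mode without the world-read bit would expose less. The inline fallback default('libvirt-qemu') is also distribution-specific: where the QEMU group has a different name and libvirt_qemu_group is unset, ansible.builtin.file fails on the unknown group, so the value is better defined per distribution in the role defaults. "rcloud" in the task name is not explained anywhere in the patch or its message.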
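Review bot: in the custom-image.yml hunk, the replacement of mode "u=rw,g=r,o=r" with owner root, group libvirt_qemu_group and mode "0640" is not guarded by libvirt_uri_system, unlike the split added to base-image.yml. With the visible when: condition (custom_image_stat.stat.exists or custom_image_download is changed), a user-session libvirt setup also gets a root-owned 0640 image, and the "others" read bit that the old mode granted is removed. That tightens access in a patch titled "relax base image permissions" and can leave a non-root user outside the group unable to read the custom image. Suggest mirroring base-image.yml here: keep the root/group/0640 task under libvirt_uri_system|bool and add a separate task for not libvirt_uri_system|bool. The same concern about the default('libvirt-qemu') group fallback applies to this task.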