On Wed, Jun 6, 2018 at 4:48 PM, Wladimir Mutel <mwg@xxxxxxxxx> wrote:
> Jason Dillaman wrote:
>
>>>> The caps for those users look correct for Luminous and later
>>>> clusters. Any chance you are using data pools with the images? It's
>>>> just odd that you have enough permissions to open the RBD image but
>>>> cannot read its data objects.
>
>>> Yes, I use erasure-pool as data-pool for these images
>>> (to save on replication overhead).
>>> Should I add it to the [osd] profile list?
>
>> Indeed, that's the problem since the libvirt and/or iso user doesn't
>> have access to the data-pool.
>
> This really helped, thanks!
>
> client.iso
>         key: AQBp...gA==
>         caps: [mon] profile rbd
>         caps: [osd] profile rbd pool=iso, profile rbd pool=jerasure21
> client.libvirt
>         key: AQBt...IA==
>         caps: [mon] profile rbd
>         caps: [osd] profile rbd pool=libvirt, profile rbd pool=jerasure21
>
> Now I can boot the VM from the .iso image and install Windows.
>
> One more question, how should I set profile 'rbd-read-only' properly?
> I tried to set it for 'client.iso' on both 'iso' and 'jerasure21' pools,
> and this did not work. Set profile on both pools to 'rbd', it worked. But I
> don't want my iso images to be accidentally modified by virtual guests. Can
> this be solved with Ceph auth, or in some other way? (in fact, I look for
> Ceph equivalent of 'chattr +i')
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

QEMU doesn't currently handle the case for opening RBD images in
read-only mode, so if you attempt to use 'profile rbd-read-only', I
suspect attempting to open the image will fail. You could perhaps take
a middle ground and just apply 'profile rbd-read-only
pool=jerasure21' to protect the contents of the image.

-- 
Jason
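
The cap problem discussed in this thread can be checked before a VM is started. The following is an added example, not code from the thread or from Ceph: it parses an `[osd]` caps string in the `profile ... pool=...` form quoted above and reports whether a client can reach both the image pool and the separate data pool. The function names are hypothetical, only the two profiles named in the thread are handled, and treating `rbd` as read-write and `rbd-read-only` as read-only is the assumption the check rests on.

```python
import re

# Assumed access level for the two OSD profiles named in the thread.
PROFILE_ACCESS = {"rbd": "rw", "rbd-read-only": "ro"}
RANK = {None: 0, "ro": 1, "rw": 2}

def parse_osd_caps(caps):
    """Parse 'profile rbd pool=a, profile rbd-read-only pool=b' into
    (access, pool) grants; pool is None when the grant is not pool-scoped."""
    grants = []
    for clause in caps.split(","):
        m = re.fullmatch(r"\s*profile\s+(\S+)(?:\s+pool=(\S+))?\s*", clause)
        if not m or m.group(1) not in PROFILE_ACCESS:
            raise ValueError(f"unsupported OSD cap clause: {clause!r}")
        grants.append((PROFILE_ACCESS[m.group(1)], m.group(2)))
    return grants

def pool_access(grants, pool):
    """Strongest access the grants give on one pool: None, 'ro' or 'rw'."""
    best = None
    for access, scope in grants:
        if scope in (None, pool) and RANK[access] > RANK[best]:
            best = access
    return best

def audit_image(caps, image_pool, data_pool=None):
    """Findings for a client that opens an image whose header is in
    image_pool and whose data objects are in data_pool (if separate)."""
    grants = parse_osd_caps(caps)
    findings = []
    if pool_access(grants, image_pool) is None:
        findings.append(f"no access to image pool {image_pool}")
    if data_pool is not None:
        access = pool_access(grants, data_pool)
        if access is None:
            findings.append(f"no access to data pool {data_pool}")
        elif access == "rw":
            findings.append(f"write access to data pool {data_pool}")
    return findings

if __name__ == "__main__":
    # Constructed inputs modelled on the caps in the thread: the original
    # caps without the data pool, the working caps, and one reading of the
    # suggested middle ground (rbd on 'iso' kept, read-only on the data pool).
    for caps in ("profile rbd pool=iso",
                 "profile rbd pool=iso, profile rbd pool=jerasure21",
                 "profile rbd pool=iso, profile rbd-read-only pool=jerasure21"):
        print(caps, "->", audit_image(caps, "iso", "jerasure21") or "ok")
```
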