nfs mount not permitted in lxc-openstack aa profile
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Medium | Dolph Mathews |
Juno | Fix Released | Medium | Jesse Pretorius |
Trunk | Fix Released | Medium | Dolph Mathews |
Bug Description
Opened by BjoernT on 2014-11-06 17:20:05+00:00 at https:/
-------
The lxc-openstack profile does not allow NFS mounts; that prevents cinder-volume from mounting as NFS storage backend.
Tags: in progress, Pending Backport Merge, prio:1
=======
Comment created by cloudnull on 2014-11-06 21:28:42+00:00
To use NFS you will need to change the profile to "unconfined". This is not a default setup, though it is totally configurable. This can be modified using the RPC user config in the cinder section under the container vars area.
-------
Comment created by BjoernT on 2014-11-06 23:53:32+00:00
I already have a commit to add
mount fstype=nfs* -> /var/lib/
in the profile. I will make a pull request.
-------
Comment created by cloudnull on 2014-11-20 19:38:37+00:00
We need to revisit this PR and modify the allowable NFS mounts to anything from within the container, i.e. potentially glance would be using NFS. From a supportability standpoint we need
``` bash
mount fstype=nfs* -> /var/lib/
```
To be
``` bash
mount fstype=nfs* -> /**,
```
-------
Comment created by BjoernT on 2014-11-20 19:40:08+00:00
@cloudnull
Glance most likely would be a bind mount from a host-mounted NFS? What do you think?
-------
Comment created by cloudnull on 2014-11-22 21:25:07+00:00
@BjoernT - I think the user should be able to have the option to either bind mount the path into the container and then modify the mounts in the lxc config to make it persistent, or have the option to be able to simply perform an NFS mount in the container. At present I know of at least 1 deployment where the container profile was changed to "unconfined" to allow for NFS to be used within the glance / cinder containers, and it would be better to have a little more liberal NFS policy in containers than to simply set them as unconfined.
-------
Comment created by cloudnull on 2014-11-22 21:49:12+00:00
Related review from QE when backporting: https:/
-------
Comment created by BjoernT on 2014-11-24 14:37:52+00:00
Yes we can add /var/lib/
-------
Comment created by mancdaz on 2014-11-25 13:16:29+00:00
@cloudnull @BjoernT so we need a new PR that adds /var/lib/
-------
Comment created by cloudnull on 2014-11-25 14:24:03+00:00
That sounds like a plan to me.
-------
Comment created by BjoernT on 2014-11-25 14:41:49+00:00
I just added this directory with a pull request
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → 10.1.0
Changed in openstack-ansible:
status: Confirmed → Fix Committed
Changed in openstack-ansible:
milestone: 10.1.0 → 10.1.2
Fixed in master in https://review.openstack.org/#/c/139244/; this will probably need backporting to icehouse/juno branches.
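The thread weighs three confinement levels for NFS inside a container: a path-scoped `mount fstype=nfs*` rule, the same rule targeting `/**`, and an `unconfined` profile. The following Python audit is an added example, not code from the bug thread or from OpenStack-Ansible; it reports which level a profile and an LXC config actually grant. The profile name `lxc-example`, the path `/var/lib/example/**` (a placeholder, since the thread's path is truncated), the sample inputs and the function names are all assumptions.

```python
import re

# AppArmor mount rule with a target:  [deny] mount [fstype=X] [source] -> target,
MOUNT_RULE = re.compile(
    r"^\s*(?P<deny>deny\s+)?mount\b(?P<body>[^#]*?)->\s*(?P<target>\S+?),?\s*(#.*)?$")
# LXC 1.x key (lxc.aa_profile) and the later lxc.apparmor.profile spelling
AA_KEY = re.compile(r"^\s*lxc\.(aa_profile|apparmor\.profile)\s*=\s*(?P<p>\S+)")

def audit_profile(text):
    """Return (fstype, target, scope) for each allow rule that permits NFS mounts."""
    findings = []
    for line in text.splitlines():
        m = MOUNT_RULE.match(line)
        if not m or m.group("deny"):
            continue                      # not a mount rule, or an explicit deny
        fs = re.search(r"fstype\s*=\s*(\S+)", m.group("body"))
        if not fs or "nfs" not in fs.group(1):
            continue                      # only rules that name an NFS fstype
        target = m.group("target")
        scope = "any-path" if target in ("/", "/*", "/**") else "path-scoped"
        findings.append((fs.group(1), target, scope))
    return findings

def confinement(lxc_config):
    """Return the AppArmor profile named in an LXC config, or None if unset."""
    for line in lxc_config.splitlines():
        m = AA_KEY.match(line)
        if m:
            return m.group("p")
    return None

# Constructed sample inputs (hypothetical profile name and paths).
SAMPLE_PROFILE = """\
profile lxc-example flags=(attach_disconnected,mediate_deleted) {
  mount fstype=proc -> /proc/,
  mount fstype=nfs* -> /var/lib/example/**,   # path-scoped
  mount fstype=nfs* -> /**,                   # anywhere in the container
  deny mount fstype=nfs* -> /etc/**,
}
"""
SAMPLE_LXC_CONFIG = "lxc.utsname = example\nlxc.aa_profile = unconfined\n"

if __name__ == "__main__":
    for fstype, target, scope in audit_profile(SAMPLE_PROFILE):
        print(f"{scope:12} fstype={fstype} -> {target}")
    if confinement(SAMPLE_LXC_CONFIG) == "unconfined":
        print("container runs unconfined: profile mount rules are not enforced")
```
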