nfs mount not permitted in lxc-openstack aa profile

Opened by BjoernT on 2014-11-06 17:20:05+00:00 at https://github.com/rcbops/ansible-lxc-rpc/issues/487

------------------------------------------------------------

The lxc-openstack profile does not allow nfs mounts, that prevents cinder-volume from mounting as NFS storage backend

Tags: in progress, Pending Backport Merge, prio:1

====================== COMMENTS ============================

Comment created by cloudnull on 2014-11-06 21:28:42+00:00

To use NFS you will need to change the profile to "unconfined". This is not a default setup though is totally configurable. This can be modified using the RPC user config in the cinder section under the container vars area.

------------------------------------------------------------

Comment created by BjoernT on 2014-11-06 23:53:32+00:00

I have already a commit to add

mount fstype=nfs* -> /var/lib/cinder/mnt/**,

in the profile. I make a pull request

------------------------------------------------------------

Comment created by cloudnull on 2014-11-20 19:38:37+00:00

We need to revisit this PR and modify the allowable NFS mounts to anything from within the container. IE: potentially glance would be using NFS. From a supportability standpoint we need

``` bash
mount fstype=nfs* -> /var/lib/cinder/mnt/**,
```

To be
``` bash
mount fstype=nfs* -> /**,
```

------------------------------------------------------------

Comment created by BjoernT on 2014-11-20 19:40:08+00:00

@cloudnull
Glance most likely would be a bind mount from a host mounted NFS ? What do you think

------------------------------------------------------------

Comment created by cloudnull on 2014-11-22 21:25:07+00:00

@BjoernT - I think the user should be able to have the option to either bind mount the path into the container and then modifying the mounts in lxc config to make it persistent, or have the option to be able to simply perform an NFS mount in the container. At present I know of at least 1 deployment where the container profile was changed to "unconfined" to allow for NFS to be used within the glance / cinder containers and it would be better to have a little more liberal NFS policy in containers than to simply set them as unconfined.

------------------------------------------------------------

Comment created by cloudnull on 2014-11-22 21:49:12+00:00

Related review from QE when backporting: https://github.com/rcbops/ansible-lxc-rpc/pull/557/files

------------------------------------------------------------

Comment created by BjoernT on 2014-11-24 14:37:52+00:00

Yes we can add /var/lib/glance/images in the profile. I personally would keep the profiles as precise as possible.

------------------------------------------------------------

Comment created by mancdaz on 2014-11-25 13:16:29+00:00

@cloudnull @BjoernT so we need a new PR that adds /var/lib/glance/images/** to the profile, rather than /**, since we want to be as controlled as possible?

------------------------------------------------------------

Comment created by cloudnull on 2014-11-25 14:24:03+00:00

That sounds like a plan to me.

------------------------------------------------------------

Comment created by BjoernT on 2014-11-25 14:41:49+00:00

I just added this directory with a pull request