re-running os-glance with NFS mount breaks

Bug #1680233 reported by Bryce Nordgren
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: High
Assigned to: Andy McCrae
Milestone: (none listed)

Bug Description

Re-running the deployment scripts (os-glance-install.yml) on a running system when the /var/lib/glance/images directory is NFS mounted causes an error. The script blindly tries to chmod the mountpoint to mode 777. If the permissions are wrong and the directory is mounted, it needs to error out because there's nothing it can do to fix the problem. If the permissions are correct, it should skip this step.

TASK [os_glance : Create glance dir] *******************************************
...
failed: [control1_glance_container-76cda432] (item={u'path': u'/var/lib/glance/images/'}) => {"failed": true, "gid": 0, "group": "root", "item": {"path": "/var/lib/glance/images/"}, "mode": "0777", "msg": "chown failed", "owner": "root", "path": "/var/lib/glance/images/", "size": 4096, "state": "directory", "uid": 0}
failed: [control0_glance_container-765d7c1d] (item={u'path': u'/var/lib/glance/images/'}) => {"failed": true, "gid": 0, "group": "root", "item": {"path": "/var/lib/glance/images/"}, "mode": "0777", "msg": "chown failed", "owner": "root", "path": "/var/lib/glance/images/", "size": 4096, "state": "directory", "uid": 0}
failed: [control2_glance_container-4d9d50cf] (item={u'path': u'/var/lib/glance/images/'}) => {"failed": true, "gid": 0, "group": "root", "item": {"path": "/var/lib/glance/images/"}, "mode": "0777", "msg": "chown failed", "owner": "root", "path": "/var/lib/glance/images/", "size": 4096, "state": "directory", "uid": 0}

Bjoern (bjoern-t) wrote :

Hi Bryce,

I assume you have root squash enabled, in case you're running a DIY NFS server?
Do you have security concerns?

It is not advisable to implement an ignore errors condition in Ansible, it actually has been shunned by the project. Ansible idempotency does not account for the situation that you only want to apply changes once and then never again.

Bryce Nordgren (bnordgren) wrote :

Root squash is enabled because:

* It's the default
* Only the glance user should be accessing this export.
* Providing root access where it is not needed violates the principle of least privilege...A principle which motivates creating an unprivileged account to run the glance service in the first place.

The suggestion was not "ignore errors" or "violate idempotency". The suggestion is to acknowledge that some configuration items (network configuration, NFS export for a glance share, permissions on a mountpoint, etc.) are outside of ansible and to behave accordingly.

The code violates idempotency as it is: success depends on the state of the system. If the share is not mounted yet (i.e., the first time through), the code succeeds because it performs a useless chmod which will be hidden later. If the share is already mounted (i.e., the second time it is run) the code cannot perform the useless chmod and errors.

If the directory's not an NFS mount point, setting permissions is within the purview of ansible. If it is, ansible can check that the permissions are workable and throw an error if not. This is not "set once, never again". Nor am I advocating throwing out the error.

Is there any particular reason the permissions on a directory for the exclusive use of the glance user are set to 777 after changing the owner to root? You do have special hooks to ensure that the glance uid/gid are created the same on all hosts.

Finally, I thought the project motto was "secure by default". Should I really have to be trying to talk you into this?

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/455776

Changed in openstack-ansible:
assignee: nobody → Andy McCrae (andrew-mccrae)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_glance (master)

Reviewed: https://review.openstack.org/455776
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_glance/commit/?id=fe6e32e3e31c5c98b10fad8d2d2ca1c5b817b884
Submitter: Jenkins
Branch: master

commit fe6e32e3e31c5c98b10fad8d2d2ca1c5b817b884
Author: Andy McCrae <email address hidden>
Date: Tue Apr 11 17:32:22 2017 +0100

    Default to "omit" mode from directory creation

    To avoid a situation where the mode is set on an NFS mount that has
    different permissions to 755, we should omit the mode by default.

    The default value on creation is 755 in any case, so if the directory
    does not exist it will be created with 755 as before.

    Change-Id: I926f46ba2e8a8ce84b4f127dbeabb0daab0b3951
    Closes-Bug: #1680233

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_glance 16.0.0.0b2

This issue was fixed in the openstack/openstack-ansible-os_glance 16.0.0.0b2 development milestone.
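
The approach discussed in this report (manage permissions only when the image directory is local storage, verify and fail when it is a mount point), combined with the commit's "omit" default for the mode, written out as an added Ansible example. It is not the os_glance role's own tasks; the glance_all group and the glance_images_dir, glance_user and glance_images_mode variables are assumed names.

```yaml
# Added example: hypothetical playbook, not taken from the os_glance role.
- hosts: glance_all            # assumed inventory group
  gather_facts: true           # default fact gathering populates ansible_facts.mounts
  become: true
  vars:
    glance_images_dir: /var/lib/glance/images   # no trailing slash, to match the mounts fact
    glance_user: glance                         # assumed service account name
  tasks:
    - name: Record whether the image directory is itself a mount point
      ansible.builtin.set_fact:
        images_is_mount: >-
          {{ ansible_facts.mounts | selectattr('mount', 'equalto', glance_images_dir)
             | list | length > 0 }}

    # Local storage: Ansible owns the directory. The mode is only set when
    # glance_images_mode is defined, otherwise it is omitted.
    - name: Manage the directory only when it is local storage
      ansible.builtin.file:
        path: "{{ glance_images_dir }}"
        state: directory
        owner: "{{ glance_user }}"
        group: "{{ glance_user }}"
        mode: "{{ glance_images_mode | default(omit) }}"
      when: not images_is_mount | bool

    # Mounted export: ownership lives on the NFS server (root squash means
    # root cannot change it), so only read it and report.
    - name: Read ownership and mode of the mounted export
      ansible.builtin.stat:
        path: "{{ glance_images_dir }}"
      register: images_stat
      when: images_is_mount | bool

    - name: Fail with a clear message if the export is unusable by glance
      ansible.builtin.assert:
        that:
          - images_stat.stat.exists
          - images_stat.stat.isdir
          - images_stat.stat.pw_name | default('') == glance_user
          - images_stat.stat.rusr and images_stat.stat.wusr and images_stat.stat.xusr
        fail_msg: >-
          {{ glance_images_dir }} is a mount point that is not owned by and
          writable for {{ glance_user }}; fix ownership on the NFS server.
      when: images_is_mount | bool
```

Both the first run (share not yet mounted) and later runs (share mounted) end in the same result, and neither needs a world-writable mode or root access to the export.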
