tripleo

nova-compute container should not run as root

Bug #1693844 reported by Oliver Walsh on 2017-05-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Oliver Walsh	tripleo pike-3 "pike-3"

Bug Description

The nova compute container currently runs as root. It should run as nova.

Oliver Walsh (owalsh) on 2017-05-26

Changed in tripleo:
status:	New → In Progress
assignee:	nobody → Oliver Walsh (owalsh)
milestone:	none → pike-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-05-26: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/468466

Emilien Macchi (emilienm) on 2017-05-29

Changed in tripleo:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-06: Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/471319

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-08: Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/471319
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=016cef3ea729e1e3aed948ff3d07d650a5d92884
Submitter: Jenkins
Branch: master

commit 016cef3ea729e1e3aed948ff3d07d650a5d92884
Author: Oliver Walsh <email address hidden>
Date: Tue Jun 6 12:12:43 2017 +0100

Add polkit rule to allow kolla nova user access to libvirtd socket on docker host

    The polkit rules are currently evaluated in the context of the docker host.
    As a result the check fails for the kolla nova compute user, as the uids are not
    consistent with the host uids (in fact we probably can't assume a nova user exists
    on the docker host).

As a short-term workaround a 'docker_nova' user group is created on the docker host
and the polkit rule is updated to grant this user access to the libvirtd socket.

Longer term solution probably requires running polkitd in a container too.

Change-Id: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
Related-bug: #1693844

Emilien Macchi (emilienm) on 2017-06-08

Changed in tripleo:
milestone:	pike-2 → pike-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-06-09: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/468466
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2a138df93016aa36e6c9ac76831d22af394ea2c8
Submitter: Jenkins
Branch: master

commit 2a138df93016aa36e6c9ac76831d22af394ea2c8
Author: Oliver Walsh <email address hidden>
Date: Fri May 26 17:27:11 2017 +0100

Run the nova-compute container as the nova user

    Change-Id: Ie6469d2fd2119952669f5c9fdaa41fb273185973
    Depends-On: I91be1f1eacf8eed9017bbfef393ee2d66771e8d6
    Closes-bug: #1693844

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-27: Fix included in openstack/tripleo-heat-templates 7.0.0.0b3

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0b3 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.